diff --git a/test/conformance/chainsaw/autogen/conditions/01-policy.yaml b/test/conformance/chainsaw/autogen/conditions/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/autogen/conditions/01-policy.yaml +++ b/test/conformance/chainsaw/autogen/conditions/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/01-policy.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/autogen/deployment-cronjob/01-policy.yaml +++ b/test/conformance/chainsaw/autogen/deployment-cronjob/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/01-policy.yaml b/test/conformance/chainsaw/autogen/deployment-statefulset-job/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/autogen/deployment-statefulset-job/01-policy.yaml +++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/autogen/foreach-jsonpatch/01-policy.yaml b/test/conformance/chainsaw/autogen/foreach-jsonpatch/01-policy.yaml index ffdfc456b2..eb3e8864b0 100644 --- a/test/conformance/chainsaw/autogen/foreach-jsonpatch/01-policy.yaml +++ b/test/conformance/chainsaw/autogen/foreach-jsonpatch/01-policy.yaml 
@@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/autogen/none/01-policy.yaml b/test/conformance/chainsaw/autogen/none/01-policy.yaml index ccd7288422..6134698445 100644 --- a/test/conformance/chainsaw/autogen/none/01-policy.yaml +++ b/test/conformance/chainsaw/autogen/none/01-policy.yaml @@ -1,10 +1,13 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml - assert: - file: policy-assert.yaml \ No newline at end of file + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/only-cronjob/01-policy.yaml b/test/conformance/chainsaw/autogen/only-cronjob/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/autogen/only-cronjob/01-policy.yaml +++ b/test/conformance/chainsaw/autogen/only-cronjob/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/autogen/only-deployment/01-policy.yaml b/test/conformance/chainsaw/autogen/only-deployment/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/autogen/only-deployment/01-policy.yaml +++ b/test/conformance/chainsaw/autogen/only-deployment/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/autogen/should-autogen/01-policy.yaml b/test/conformance/chainsaw/autogen/should-autogen/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/autogen/should-autogen/01-policy.yaml 
+++ b/test/conformance/chainsaw/autogen/should-autogen/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/01-policy.yaml b/test/conformance/chainsaw/autogen/should-not-autogen/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/autogen/should-not-autogen/01-policy.yaml +++ b/test/conformance/chainsaw/autogen/should-not-autogen/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/01-policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/01-policy.yaml +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/02-resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/02-resource.yaml index 8a89845d54..e750d48225 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/02-resource.yaml +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/02-resource.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: resource spec: + timeouts: {} try: - apply: file: resource.yaml 
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/03-event.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/03-event.yaml index 6c087165bc..d4f0ab909a 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/03-event.yaml +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/03-event.yaml @@ -1,12 +1,13 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: event spec: + timeouts: {} try: - assert: file: background-event.yaml - error: file: admission-event.yaml - catch: - - events: {} diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/README.md b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/README.md index cbc68bc783..8e7d11859b 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/README.md +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/README.md @@ -6,5 +6,5 @@ Then it creates a resource that violates the policy. ## Expected Behavior The resource creates fine as the policy doesn't apply at admission time. -No admission ezvent is created. +No admission event is created. One background event is created. diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/01-policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/01-policy.yaml +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml 
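Review bot: The removed `catch:` / `- events: {}` block at the end of the 03-event.yaml hunk was the only failure-time diagnostics for this step: when the `error:` check against admission-event.yaml fails, the runner will now print nothing about which events actually exist in the namespace. The sibling test under `background-only/policy/no-admission-event` (later in this diff) never had the block, so this may be an intentional alignment produced by the migration tooling, but it looks like a regression in debuggability rather than a deliberate change. If it was not intended, restore `catch:` and `  - events: {}` under `spec:` after the `try:` list so a failing negative check dumps the events that were seen.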
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/02-resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/02-resource.yaml index 8a89845d54..e750d48225 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/02-resource.yaml +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/02-resource.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: resource spec: + timeouts: {} try: - apply: file: resource.yaml diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/03-report.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/03-report.yaml index 6ab8d0f56b..f417d28aed 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/03-report.yaml +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/03-report.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: report spec: + timeouts: {} try: - error: file: admission-report.yaml diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/01-policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/01-policy.yaml +++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml 
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/02-resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/02-resource.yaml index 8a89845d54..e750d48225 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/02-resource.yaml +++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/02-resource.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: resource spec: + timeouts: {} try: - apply: file: resource.yaml diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/01-policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/background-only/policy/no-admission-event/01-policy.yaml +++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/02-resource.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/02-resource.yaml index 8a89845d54..e750d48225 100644 --- a/test/conformance/chainsaw/background-only/policy/no-admission-event/02-resource.yaml +++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/02-resource.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: resource spec: + timeouts: {} try: - apply: file: resource.yaml diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/03-event.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/03-event.yaml index 3c31d1bdec..d4f0ab909a 100644 
--- a/test/conformance/chainsaw/background-only/policy/no-admission-event/03-event.yaml +++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/03-event.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: event spec: + timeouts: {} try: - assert: file: background-event.yaml diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/README.md b/test/conformance/chainsaw/background-only/policy/no-admission-event/README.md index cbc68bc783..8e7d11859b 100644 --- a/test/conformance/chainsaw/background-only/policy/no-admission-event/README.md +++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/README.md @@ -6,5 +6,5 @@ Then it creates a resource that violates the policy. ## Expected Behavior The resource creates fine as the policy doesn't apply at admission time. -No admission ezvent is created. +No admission event is created. One background event is created. diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/01-policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/background-only/policy/no-admission-report/01-policy.yaml +++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/02-resource.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/02-resource.yaml index 8a89845d54..e750d48225 100644 --- a/test/conformance/chainsaw/background-only/policy/no-admission-report/02-resource.yaml +++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/02-resource.yaml 
@@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: resource spec: + timeouts: {} try: - apply: file: resource.yaml diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/03-report.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/03-report.yaml index 6ab8d0f56b..f417d28aed 100644 --- a/test/conformance/chainsaw/background-only/policy/no-admission-report/03-report.yaml +++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/03-report.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: report spec: + timeouts: {} try: - error: file: admission-report.yaml diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/01-policy.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected/01-policy.yaml index 744135ecd0..6134698445 100644 --- a/test/conformance/chainsaw/background-only/policy/not-rejected/01-policy.yaml +++ b/test/conformance/chainsaw/background-only/policy/not-rejected/01-policy.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/02-resource.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected/02-resource.yaml index 23a6d5c84e..e750d48225 100644 --- a/test/conformance/chainsaw/background-only/policy/not-rejected/02-resource.yaml +++ b/test/conformance/chainsaw/background-only/policy/not-rejected/02-resource.yaml @@ -1,9 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: creationTimestamp: null name: resource spec: + timeouts: {} try: - apply: file: resource.yaml 
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/01-rbac.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/01-rbac.yaml index 3408705f9b..36f4242fac 100644 --- a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/01-rbac.yaml +++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/01-rbac.yaml @@ -8,5 +8,4 @@ spec: timeouts: {} try: - apply: - check: null file: rbac.yaml diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/02-pod.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/02-pod.yaml index a8585605c2..b6172499fe 100644 --- a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/02-pod.yaml +++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/02-pod.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: pod.yaml - assert: file: pod-assert.yaml diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/03-policy.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/03-policy.yaml index 86b0ffe524..909c002ac4 100644 --- a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/03-policy.yaml +++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/03-policy.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: policy.yaml - assert: file: policy.yaml diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/04-sleep.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/04-sleep.yaml index cad5fa9ed5..2dff05e1a5 100644 --- a/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/04-sleep.yaml +++ b/test/conformance/chainsaw/cleanup/clusterpolicy/cleanup-pod/04-sleep.yaml @@ -10,5 +10,4 @@ spec: - command: args: - "65" - check: null entrypoint: sleep 
diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/01-rbac.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/01-rbac.yaml index 3408705f9b..36f4242fac 100644 --- a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/01-rbac.yaml +++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/01-rbac.yaml @@ -8,5 +8,4 @@ spec: timeouts: {} try: - apply: - check: null file: rbac.yaml diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/02-pod.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/02-pod.yaml index a8585605c2..b6172499fe 100644 --- a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/02-pod.yaml +++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/02-pod.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: pod.yaml - assert: file: pod-assert.yaml diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/03-policy.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/03-policy.yaml index 86b0ffe524..909c002ac4 100644 --- a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/03-policy.yaml +++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/03-policy.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: policy.yaml - assert: file: policy.yaml diff --git a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/04-sleep.yaml b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/04-sleep.yaml index ee6e2dfceb..01d2ae5728 100644 --- a/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/04-sleep.yaml +++ b/test/conformance/chainsaw/cleanup/clusterpolicy/context-cleanup-pod/04-sleep.yaml @@ -10,5 +10,4 @@ spec: - command: args: - "5" - check: null entrypoint: sleep 
diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/01-rbac.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/01-rbac.yaml index 3408705f9b..36f4242fac 100644 --- a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/01-rbac.yaml +++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/01-rbac.yaml @@ -8,5 +8,4 @@ spec: timeouts: {} try: - apply: - check: null file: rbac.yaml diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/02-pod.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/02-pod.yaml index a8585605c2..b6172499fe 100644 --- a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/02-pod.yaml +++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/02-pod.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: pod.yaml - assert: file: pod-assert.yaml diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/03-policy.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/03-policy.yaml index 86b0ffe524..909c002ac4 100644 --- a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/03-policy.yaml +++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/03-policy.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: policy.yaml - assert: file: policy.yaml diff --git a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/04-sleep.yaml b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/04-sleep.yaml index cad5fa9ed5..2dff05e1a5 100644 --- a/test/conformance/chainsaw/cleanup/policy/cleanup-pod/04-sleep.yaml +++ b/test/conformance/chainsaw/cleanup/policy/cleanup-pod/04-sleep.yaml @@ -10,5 +10,4 @@ spec: - command: args: - "65" - check: null entrypoint: sleep diff --git a/test/conformance/chainsaw/cleanup/validation/cron-format/01-policy.yaml b/test/conformance/chainsaw/cleanup/validation/cron-format/01-policy.yaml index 86b0ffe524..909c002ac4 100644 --- a/test/conformance/chainsaw/cleanup/validation/cron-format/01-policy.yaml 
+++ b/test/conformance/chainsaw/cleanup/validation/cron-format/01-policy.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: policy.yaml - assert: file: policy.yaml diff --git a/test/conformance/chainsaw/cleanup/validation/cron-format/02-clusterpolicy.yaml b/test/conformance/chainsaw/cleanup/validation/cron-format/02-clusterpolicy.yaml index b64136bfed..eabab883d3 100644 --- a/test/conformance/chainsaw/cleanup/validation/cron-format/02-clusterpolicy.yaml +++ b/test/conformance/chainsaw/cleanup/validation/cron-format/02-clusterpolicy.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: clusterpolicy.yaml - assert: file: clusterpolicy.yaml diff --git a/test/conformance/chainsaw/cleanup/validation/cron-format/03-invalidpolicy.yaml b/test/conformance/chainsaw/cleanup/validation/cron-format/03-invalidpolicy.yaml index eea2711d03..82f61480a6 100644 --- a/test/conformance/chainsaw/cleanup/validation/cron-format/03-invalidpolicy.yaml +++ b/test/conformance/chainsaw/cleanup/validation/cron-format/03-invalidpolicy.yaml @@ -1,10 +1,13 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: invalidpolicy spec: + timeouts: {} try: - apply: - file: invalidpolicy.yaml check: - (error == null): false + (error != null): true + file: invalidpolicy.yaml diff --git a/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/01-cleanuppolicy.yaml b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/01-cleanuppolicy.yaml index b41dc3143a..03376582f1 100644 --- a/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/01-cleanuppolicy.yaml +++ b/test/conformance/chainsaw/cleanup/validation/no-user-info-in-match/01-cleanuppolicy.yaml 
@@ -1,18 +1,21 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: cleanuppolicy spec: + timeouts: {} try: - apply: + check: + (error != null): true file: cleanuppolicy-with-subjects.yaml - check: - (error == null): false - apply: + check: + (error != null): true file: cleanuppolicy-with-roles.yaml - check: - (error == null): false - apply: - file: cleanuppolicy-with-clusterroles.yaml check: - (error == null): false + (error != null): true + file: cleanuppolicy-with-clusterroles.yaml diff --git a/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/01-cleanup-policy.yaml b/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/01-cleanup-policy.yaml index 45cfa2cda7..d2f3742ab5 100644 --- a/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/01-cleanup-policy.yaml +++ b/test/conformance/chainsaw/cleanup/validation/not-supported-attributes-in-context/01-cleanup-policy.yaml @@ -1,14 +1,17 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: cleanup-policy spec: + timeouts: {} try: - apply: + check: + (error != null): true file: cleanuppolicy-with-image-registry.yaml - check: - (error == null): false - apply: - file: cleanuppolicy-with-configmap.yaml check: - (error == null): false + (error != null): true + file: cleanuppolicy-with-configmap.yaml diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic/01-manifest.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic/01-manifest.yaml new file mode 100644 index 0000000000..1cde6b52f7 --- /dev/null +++ b/test/conformance/chainsaw/custom-sigstore/standard/basic/01-manifest.yaml 
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-custom-sigstore
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: basic-sigstore-test-policy
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: keyed-basic-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ context:
+ - name: tufvalues
+ configMap:
+ name: tufvalues
+ namespace: kyverno
+ verifyImages:
+ - imageReferences:
+ - "ttl.sh/*"
+ attestors:
+ - count: 1
+ entries:
+ - keyless:
+ issuer: "https://kubernetes.default.svc.cluster.local"
+ subject: "*"
+ rekor:
+ url: "{{ tufvalues.data.REKOR_URL }}"
+ required: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic/02-assert.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic/02-assert.yaml
new file mode 100644
index 0000000000..d622499100
--- /dev/null
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic/02-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: basic-sigstore-test-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic/03-goodpod.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic/03-goodpod.yaml
new file mode 100644
index 0000000000..caacba4b13
--- /dev/null
+++ b/test/conformance/chainsaw/custom-sigstore/standard/basic/03-goodpod.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: goodpod
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - -n
+ - test-custom-sigstore
+ - run
+ - test-sigstore
+ - --image=$TEST_IMAGE_URL
+ entrypoint: kubectl
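Review bot: The keyless attestor in `basic-sigstore-test-policy` pins the issuer but uses `subject: "*"`, so any certificate identity minted via `https://kubernetes.default.svc.cluster.local` — in practice any in-cluster service-account token — can sign a `ttl.sh/*` image that satisfies the rule. That is acceptable for a conformance fixture, but the file should say so, since policies under `test/conformance` get copied; add above the `keyless:` entry a comment such as `# test-only: wildcard subject accepts any in-cluster identity — pin the signing SA subject in real policies`. The trusted Rekor endpoint is likewise read from the `kyverno/tufvalues` ConfigMap at evaluation time, so whoever can write that ConfigMap decides which transparency log the rule trusts; a one-line note at the `context:` entry would make that dependency explicit. Minor: the file ends without a trailing newline.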
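Review bot: `--image=$TEST_IMAGE_URL` in the goodpod step depends on chainsaw expanding environment variables in `args` (the command is not run through a shell), and nothing in the step or directory documents that the variable must be set, let alone what it must point at — presumably a ttl.sh image signed keyless with the in-cluster issuer so that the policy from step 01 passes. If the variable is unset the step runs `kubectl run … --image=` and fails with an opaque kubectl error rather than a clear precondition message. A README for the test, or at least a comment line above `args:` such as `# requires TEST_IMAGE_URL: a ttl.sh image signed keyless with the cluster OIDC issuer (see 01-manifest.yaml)`, would make the precondition discoverable; I am inferring the expansion behaviour from the fact the step is expected to pass, so confirm it against the chainsaw version pinned by the repo.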
diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic/04-assert.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic/04-assert.yaml new file mode 100644 index 0000000000..07d111e808 --- /dev/null +++ b/test/conformance/chainsaw/custom-sigstore/standard/basic/04-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-sigstore + namespace: test-custom-sigstore \ No newline at end of file diff --git a/test/conformance/chainsaw/deferred/dependencies/01-apply-manifests.yaml b/test/conformance/chainsaw/deferred/dependencies/01-apply-manifests.yaml index 89b3740fee..f2e49110e6 100644 --- a/test/conformance/chainsaw/deferred/dependencies/01-apply-manifests.yaml +++ b/test/conformance/chainsaw/deferred/dependencies/01-apply-manifests.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: manifests.yaml - assert: file: policy-assert.yaml diff --git a/test/conformance/chainsaw/deferred/dependencies/02-testcase.yaml b/test/conformance/chainsaw/deferred/dependencies/02-testcase.yaml index de278cee68..62780ba600 100644 --- a/test/conformance/chainsaw/deferred/dependencies/02-testcase.yaml +++ b/test/conformance/chainsaw/deferred/dependencies/02-testcase.yaml @@ -1,10 +1,13 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: testcase spec: + timeouts: {} try: - apply: - file: deploy.yaml check: - (error == null): false + (error != null): true + file: deploy.yaml diff --git a/test/conformance/chainsaw/deferred/foreach/01-apply.yaml b/test/conformance/chainsaw/deferred/foreach/01-apply.yaml index 1f8d13010a..4139676ba0 100644 --- a/test/conformance/chainsaw/deferred/foreach/01-apply.yaml +++ b/test/conformance/chainsaw/deferred/foreach/01-apply.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: manifests.yaml - assert: file: policy-assert.yaml 
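Review bot: The 04-assert.yaml hunk only asserts that Pod `test-sigstore` exists in `test-custom-sigstore`, which also passes if image verification never ran (for example if the image does not match `ttl.sh/*` or the rule is skipped). To make the test prove what it is named for, assert the side-effect Kyverno leaves on a verified pod — either that `spec.containers[0].image` was resolved to a digest, e.g. `(contains(spec.containers[0].image, '@sha256:')): true` under `spec:`, or the verification annotation under `metadata.annotations`. I am citing the annotation from Kyverno's documented behaviour rather than from this diff, so check the exact key before relying on it. Minor: the file lacks a trailing newline.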
diff --git a/test/conformance/chainsaw/deferred/foreach/02-testcase.yaml b/test/conformance/chainsaw/deferred/foreach/02-testcase.yaml index 75ed639d90..cea6dfeb35 100644 --- a/test/conformance/chainsaw/deferred/foreach/02-testcase.yaml +++ b/test/conformance/chainsaw/deferred/foreach/02-testcase.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: cm.yaml - assert: file: cm-assert.yaml diff --git a/test/conformance/chainsaw/deferred/recursive/01-policy.yaml b/test/conformance/chainsaw/deferred/recursive/01-policy.yaml index a7f04b9003..6134698445 100644 --- a/test/conformance/chainsaw/deferred/recursive/01-policy.yaml +++ b/test/conformance/chainsaw/deferred/recursive/01-policy.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: policy.yaml - assert: file: policy-assert.yaml diff --git a/test/conformance/chainsaw/deferred/recursive/02-resource.yaml b/test/conformance/chainsaw/deferred/recursive/02-resource.yaml index 0991baccf9..07a73f22a0 100644 --- a/test/conformance/chainsaw/deferred/recursive/02-resource.yaml +++ b/test/conformance/chainsaw/deferred/recursive/02-resource.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: resource.yaml - assert: file: resource-assert.yaml diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/01-policy.yaml b/test/conformance/chainsaw/deferred/resolve-overriden-variable/01-policy.yaml index a7f04b9003..6134698445 100644 --- a/test/conformance/chainsaw/deferred/resolve-overriden-variable/01-policy.yaml +++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/01-policy.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: policy.yaml - assert: file: policy-assert.yaml diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/02-resource.yaml b/test/conformance/chainsaw/deferred/resolve-overriden-variable/02-resource.yaml index 0991baccf9..07a73f22a0 100644 
--- a/test/conformance/chainsaw/deferred/resolve-overriden-variable/02-resource.yaml +++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/02-resource.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: resource.yaml - assert: file: resource-assert.yaml diff --git a/test/conformance/chainsaw/deferred/two-rules/01-policy.yaml b/test/conformance/chainsaw/deferred/two-rules/01-policy.yaml index a7f04b9003..6134698445 100644 --- a/test/conformance/chainsaw/deferred/two-rules/01-policy.yaml +++ b/test/conformance/chainsaw/deferred/two-rules/01-policy.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: policy.yaml - assert: file: policy-assert.yaml diff --git a/test/conformance/chainsaw/deferred/two-rules/02-resource.yaml b/test/conformance/chainsaw/deferred/two-rules/02-resource.yaml index 0991baccf9..07a73f22a0 100644 --- a/test/conformance/chainsaw/deferred/two-rules/02-resource.yaml +++ b/test/conformance/chainsaw/deferred/two-rules/02-resource.yaml @@ -8,7 +8,6 @@ spec: timeouts: {} try: - apply: - check: null file: resource.yaml - assert: file: resource-assert.yaml diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/01-crd.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/01-crd.yaml index 2020f4b7e7..36684ade76 100644 --- a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/01-crd.yaml +++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/01-crd.yaml @@ -1,8 +1,11 @@ +--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: crd spec: + timeouts: {} try: - apply: file: crd.yaml 
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/02-policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/02-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/02-policy.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/02-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/03-resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/03-resource.yaml
index 8a89845d54..e750d48225 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/03-resource.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/03-resource.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: resource
 spec:
+  timeouts: {}
   try:
   - apply:
       file: resource.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/04-sleep.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  creationTimestamp: null
+  name: sleep
+spec:
+  timeouts: {}
+  try:
+  - command:
+      args:
+      - "3"
+      entrypoint: sleep
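Review bot: The new 04-sleep.yaml step inserts a fixed `sleep 3` before the event assertion (the same step appears as 03-sleep.yaml in the successful-generation test), and a fixed delay is a timing guess: slower than needed on a fast cluster and still flaky on a slow one. Chainsaw's `assert` step already polls until its timeout, so the sleep is presumably compensating for a default assert timeout that was too short for events to be emitted. If that is the case, setting `timeouts: assert: <duration placeholder>` on the event step that follows is the idiomatic fix and documents the expected latency instead of hiding it in a separate step.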
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/04-event.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/05-event.yaml
similarity index 73%
rename from test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/04-event.yaml
rename to test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/05-event.yaml
index f64bb341f7..f6a5c68a63 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/04-event.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-fail-generation/05-event.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: event
 spec:
+  timeouts: {}
   try:
   - assert:
       file: event.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml
index 8a89845d54..e750d48225 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: resource
 spec:
+  timeouts: {}
   try:
   - apply:
       file: resource.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/03-sleep.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  creationTimestamp: null
+  name: sleep
+spec:
+  timeouts: {}
+  try:
+  - command:
+      args:
+      - "3"
+      entrypoint: sleep
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/03-event.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/04-event.yaml
similarity index 79%
rename from test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/03-event.yaml
rename to test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/04-event.yaml
index 0caa659f29..f386e0fef6 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/03-event.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-generation/04-event.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: event
 spec:
+  timeouts: {}
   try:
   - assert:
       file: policy-event.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml
index 8a89845d54..e750d48225 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: resource
 spec:
+  timeouts: {}
   try:
   - apply:
       file: resource.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml
index 97e3d158d5..02b3d923aa 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: event
 spec:
+  timeouts: {}
   try:
   - assert:
       file: event-assert.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml
index 8a89845d54..e750d48225 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: resource
 spec:
+  timeouts: {}
   try:
   - apply:
       file: resource.yaml
diff --git a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml
index b8a73812df..2455e58391 100644
--- a/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml
+++ b/test/conformance/chainsaw/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: event
 spec:
+  timeouts: {}
   try:
   - error:
       file: event.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/01-policy.yaml b/test/conformance/chainsaw/events/policy/policy-applied/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/events/policy/policy-applied/01-policy.yaml
+++ b/test/conformance/chainsaw/events/policy/policy-applied/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/02-resource.yaml b/test/conformance/chainsaw/events/policy/policy-applied/02-resource.yaml
index 8a89845d54..e750d48225 100644
--- a/test/conformance/chainsaw/events/policy/policy-applied/02-resource.yaml
+++ b/test/conformance/chainsaw/events/policy/policy-applied/02-resource.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: resource
 spec:
+  timeouts: {}
   try:
   - apply:
       file: resource.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/03-event.yaml b/test/conformance/chainsaw/events/policy/policy-applied/03-event.yaml
index 97e3d158d5..02b3d923aa 100644
--- a/test/conformance/chainsaw/events/policy/policy-applied/03-event.yaml
+++ b/test/conformance/chainsaw/events/policy/policy-applied/03-event.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: event
 spec:
+  timeouts: {}
   try:
   - assert:
       file: event-assert.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/01-policy.yaml b/test/conformance/chainsaw/events/policy/policy-violation/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/events/policy/policy-violation/01-policy.yaml
+++ b/test/conformance/chainsaw/events/policy/policy-violation/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/02-resource.yaml b/test/conformance/chainsaw/events/policy/policy-violation/02-resource.yaml
index 64cdfafd61..36f9a5b5d3 100644
--- a/test/conformance/chainsaw/events/policy/policy-violation/02-resource.yaml
+++ b/test/conformance/chainsaw/events/policy/policy-violation/02-resource.yaml
@@ -1,10 +1,13 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: resource
 spec:
+  timeouts: {}
   try:
   - apply:
-      file: resource.yaml
       check:
-        (error == null): false
+        (error != null): true
+      file: resource.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/03-event.yaml b/test/conformance/chainsaw/events/policy/policy-violation/03-event.yaml
index 97e3d158d5..02b3d923aa 100644
--- a/test/conformance/chainsaw/events/policy/policy-violation/03-event.yaml
+++ b/test/conformance/chainsaw/events/policy/policy-violation/03-event.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: event
 spec:
+  timeouts: {}
   try:
   - assert:
       file: event-assert.yaml
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/01-admission-controller-apply.yaml b/test/conformance/chainsaw/flags/standard/emit-events/01-admission-controller-apply.yaml
new file mode 100644
index 0000000000..d5654449dc
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/01-admission-controller-apply.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  creationTimestamp: null
+  name: admission-controller-apply
+spec:
+  timeouts: {}
+  try:
+  - apply:
+      file: admission-controller.yaml
+  - assert:
+      file: admission-controller-assert.yaml
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/02-policy.yaml b/test/conformance/chainsaw/flags/standard/emit-events/02-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  creationTimestamp: null
+  name: policy
+spec:
+  timeouts: {}
+  try:
+  - apply:
+      file: policy.yaml
+  - assert:
+      file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/03-resource.yaml b/test/conformance/chainsaw/flags/standard/emit-events/03-resource.yaml
new file mode 100644
index 0000000000..5a80990db1
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/03-resource.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  creationTimestamp: null
+  name: resource
+spec:
+  timeouts: {}
+  try:
+  - apply:
+      file: resource.yaml
+  - apply:
+      check:
+        (error != null): true
+      file: resource-fail.yaml
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/04-event.yaml b/test/conformance/chainsaw/flags/standard/emit-events/04-event.yaml
new file mode 100644
index 0000000000..963b7a95c2
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/04-event.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  creationTimestamp: null
+  name: event
+spec:
+  timeouts: {}
+  try:
+  - apply:
+      file: event-assert.yaml
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/05-script.yaml b/test/conformance/chainsaw/flags/standard/emit-events/05-script.yaml
new file mode 100644
index 0000000000..aa4434224c
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/05-script.yaml
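Review bot: The single step in 04-event.yaml uses `apply:` on `event-assert.yaml`, but that file (added later in this commit) is an Event with `metadata: {}` and no name, and the README's step 4 says the PolicyApplied event is to be asserted; applying a nameless object would presumably be rejected by the API server, so this step verifies nothing. Change the step to `- assert:` / `file: event-assert.yaml` so the step polls for the emitted event the way 02-policy.yaml polls for policy readiness. If the intent really was to create an Event object, the file needs a name and namespace, but that would defeat the purpose of the test.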
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  creationTimestamp: null
+  name: script
+spec:
+  timeouts: {}
+  try:
+  - script:
+      content: "if kubectl logs deployment/kyverno-admission-controller -n kyverno
+        | grep \"reason=\\\"PolicyViolation\\\"\" \nthen \n echo \"Test succeeded.
+        PolicyViolation event was not created.\"\n exit 0\nelse \n echo \"Tested
+        failed. PolicyViolation event should have been created.\"\n exit 1\nfi\n"
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/README.md b/test/conformance/chainsaw/flags/standard/emit-events/README.md
new file mode 100644
index 0000000000..c1ea1245a4
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/README.md
@@ -0,0 +1,18 @@
+## Description
+
+This test updates the deployment with flag `--omit-events=PolicyApplied` set
+Then it creates a policy, and a resource.
+The resource is expected to be accepted.
+A `PolicyApplied` event should be created.
+Then it creates a respource that is expected to be rejected
+A `PolicyViolation` event should not be emitted as the flag does not include that.
+
+## Steps
+
+1. Update the deployment of admission controller to add this ar`--omit-events=PolicyApplied`.
+2. - Create a policy
+   - Assert the policy becomes ready
+3. - Create a resource,
+4. - Asset a `PolicyApplied` event is created
+5. Try creating a resource with a script that is expected to fail.
+6. Exit the script with `0` if it returns an error
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/admission-controller-assert.yaml b/test/conformance/chainsaw/flags/standard/emit-events/admission-controller-assert.yaml
new file mode 100644
index 0000000000..c12a6220a3
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/admission-controller-assert.yaml
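Review bot: The script's branches are inverted relative to both its own messages and the fixture: the `then` branch runs when the grep for `reason="PolicyViolation"` matches, yet it prints "PolicyViolation event was not created" and exits 0, while the deployment in this commit sets `--omit-events=PolicyViolation`, so a match is the failure case and should exit 1. The README describes the flag as `--omit-events=PolicyApplied`, which agrees with neither the deployment nor this script, so the three need to be reconciled before the test can mean anything. Grepping the controller log is also an indirect check of event emission and will match any log line containing that text; a chainsaw `error:` step against an Event with `reason: PolicyViolation` would check the actual API object. The double-quoted, backslash-escaped scalar is hard to read and review; a `|` block scalar carries the same shell verbatim.

```yaml
  - script:
      content: |
        if kubectl logs deployment/kyverno-admission-controller -n kyverno | grep 'reason="PolicyViolation"'
        then
          echo "Test failed. PolicyViolation event should have been omitted."
          exit 1
        else
          echo "Test succeeded. PolicyViolation event was not created."
          exit 0
        fi
```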
@@ -0,0 +1,8 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kyverno-admission-controller
+  namespace: kyverno
+status:
+  readyReplicas: 1
+  updatedReplicas: 1
\ No newline at end of file
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/admission-controller.yaml b/test/conformance/chainsaw/flags/standard/emit-events/admission-controller.yaml
new file mode 100644
index 0000000000..b935ed648e
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/admission-controller.yaml
@@ -0,0 +1,170 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kyverno-admission-controller
+  namespace: kyverno
+  labels:
+    app.kubernetes.io/component: admission-controller
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/part-of: kyverno
+    app.kubernetes.io/version: latest
+spec:
+  replicas:
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 40%
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: admission-controller
+      app.kubernetes.io/instance: kyverno
+      app.kubernetes.io/part-of: kyverno
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: admission-controller
+        app.kubernetes.io/instance: kyverno
+        app.kubernetes.io/part-of: kyverno
+        app.kubernetes.io/version: latest
+    spec:
+      dnsPolicy: ClusterFirst
+      serviceAccountName: kyverno-admission-controller
+      initContainers:
+        - name: kyverno-pre
+          image: "ghcr.io/kyverno/kyvernopre:latest"
+          imagePullPolicy: IfNotPresent
+          args:
+            - --loggingFormat=text
+            - --v=2
+          resources:
+            limits:
+              cpu: 100m
+              memory: 256Mi
+            requests:
+              cpu: 10m
+              memory: 64Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          env:
+            - name: METRICS_CONFIG
+              value: kyverno-metrics
+            - name: KYVERNO_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: KYVERNO_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: KYVERNO_DEPLOYMENT
+              value: kyverno
+      containers:
+        - name: kyverno
+          image: "ghcr.io/kyverno/kyverno:latest"
+          imagePullPolicy: IfNotPresent
+          args:
+            - --omit-events=PolicyViolation
+            - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
+            - --servicePort=443
+            - --loggingFormat=text
+            - --v=2
+            - --disableMetrics=false
+            - --otelConfig=prometheus
+            - --metricsPort=8000
+            - --admissionReports=true
+            - --autoUpdateWebhooks=true
+            - --enableConfigMapCaching=true
+            - --dumpPayload=false
+            - --forceFailurePolicyIgnore=false
+            - --enablePolicyException=false
+            - --exceptionNamespace=
+            - --protectManagedResources=false
+            - --allowInsecureRegistry=false
+            - --registryCredentialHelpers=default,google,amazon,azure,github
+          resources:
+            limits:
+              memory: 384Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          ports:
+            - containerPort: 9443
+              name: https
+              protocol: TCP
+            - containerPort: 8000
+              name: metrics-port
+              protocol: TCP
+          env:
+            - name: INIT_CONFIG
+              value: kyverno
+            - name: METRICS_CONFIG
+              value: kyverno-metrics
+            - name: KYVERNO_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: KYVERNO_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: KYVERNO_SERVICEACCOUNT_NAME
+              value: kyverno-admission-controller
+            - name: KYVERNO_SVC
+              value: kyverno-svc
+            - name: TUF_ROOT
+              value: /.sigstore
+            - name: KYVERNO_DEPLOYMENT
+              value: kyverno-admission-controller
+          startupProbe:
+            failureThreshold: 20
+            httpGet:
+              path: /health/liveness
+              port: 9443
+              scheme: HTTPS
+            initialDelaySeconds: 2
+            periodSeconds: 6
+          livenessProbe:
+            failureThreshold: 2
+            httpGet:
+              path: /health/liveness
+              port: 9443
+              scheme: HTTPS
+            initialDelaySeconds: 15
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 5
+          readinessProbe:
+            failureThreshold: 6
+            httpGet:
+              path: /health/readiness
+              port: 9443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 5
+          volumeMounts:
+            - mountPath: /.sigstore
+              name: sigstore
+      volumes:
+        - name: sigstore
+          emptyDir: {}
\ No newline at end of file
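Review bot: The controller args set `--omit-events=PolicyViolation`, while the README added in this commit states the test sets `--omit-events=PolicyApplied`; one of them is wrong, and since the event assertion and the script step both hinge on which reason is omitted, the fixture and its documentation have to agree. `replicas:` with no value parses as null and leaves the replica count to the API server default; write `replicas: 1` so the `readyReplicas: 1` / `updatedReplicas: 1` assertion matches something the manifest states explicitly. Both images are `latest` with `imagePullPolicy: IfNotPresent`, so the code under test is whatever the node happens to have cached; pinning to the tag or digest the CI job builds would make the run reproducible and the result attributable. No later step restores the original deployment, so the omitted-events setting presumably carries over into every test that runs afterwards on the same cluster — confirm the suite resets the controller, or add a final step that reapplies the baseline manifest.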
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/event-assert.yaml b/test/conformance/chainsaw/flags/standard/emit-events/event-assert.yaml
new file mode 100644
index 0000000000..f28405fb00
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/event-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Event
+metadata: {}
+involvedObject:
+  apiVersion: kyverno.io/v1
+  kind: Policy
+  name: require-labels
+type: Normal
+reason: PolicyApplied
+source:
+  component: kyverno-admission
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/policy-assert.yaml b/test/conformance/chainsaw/flags/standard/emit-events/policy-assert.yaml
new file mode 100644
index 0000000000..bc25d0fdf8
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: require-labels
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml b/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml
new file mode 100644
index 0000000000..9ba84f9f23
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: require-labels
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: require-team
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    validate:
+      message: 'The label `team` is required.'
+      pattern:
+        metadata:
+          labels:
+            team: '?*'
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/resource-fail.yaml b/test/conformance/chainsaw/flags/standard/emit-events/resource-fail.yaml
new file mode 100644
index 0000000000..ccedfdeee1
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/resource-fail.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: bar
+  labels:
+    foo: bar
+ 
\ No newline at end of file
diff --git a/test/conformance/chainsaw/flags/standard/emit-events/resource.yaml b/test/conformance/chainsaw/flags/standard/emit-events/resource.yaml
new file mode 100644
index 0000000000..4777dd31fd
--- /dev/null
+++ b/test/conformance/chainsaw/flags/standard/emit-events/resource.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: foo
+  labels:
+    team: kyverno
+ 
\ No newline at end of file
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/01-policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/01-policy.yaml
index cb209bd523..6134698445 100644
--- a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/01-policy.yaml
+++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/01-policy.yaml
@@ -1,10 +1,13 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
   - assert:
-      file: policy.yaml
+      file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/02-webhooks.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/02-webhooks.yaml
index 0b5f335f2d..3d3f6fd521 100644
--- a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/02-webhooks.yaml
+++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/02-webhooks.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: webhooks
 spec:
+  timeouts: {}
   try:
   - assert:
       file: webhooks-assert.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/02-validatingadmissionpolicy.yaml
index 05abab3d96..9ff674cfd7 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: validatingadmissionpolicy
 spec:
+  timeouts: {}
   try:
   - assert:
       file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/02-validatingadmissionpolicy.yaml
index 05abab3d96..9ff674cfd7 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: validatingadmissionpolicy
 spec:
+  timeouts: {}
   try:
   - assert:
       file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/02-validatingadmissionpolicy.yaml
index 05abab3d96..9ff674cfd7 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: validatingadmissionpolicy
 spec:
+  timeouts: {}
   try:
   - assert:
       file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: policy
 spec:
+  timeouts: {}
   try:
   - apply:
       file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+  creationTimestamp: null
   name: validatingadmissionpolicy
 spec:
+  timeouts: {}
   try:
   - error:
       file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: validatingadmissionpolicy
 spec:
+ timeouts: {}
 try:
 - error:
 file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: validatingadmissionpolicy
 spec:
+ timeouts: {}
 try:
 - error:
 file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: validatingadmissionpolicy
 spec:
+ timeouts: {}
 try:
 - error:
 file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: validatingadmissionpolicy
 spec:
+ timeouts: {}
 try:
 - error:
 file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: validatingadmissionpolicy
 spec:
+ timeouts: {}
 try:
 - error:
 file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: validatingadmissionpolicy
 spec:
+ timeouts: {}
 try:
 - error:
 file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: validatingadmissionpolicy
 spec:
+ timeouts: {}
 try:
 - error:
 file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: validatingadmissionpolicy
 spec:
+ timeouts: {}
 try:
 - error:
 file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: validatingadmissionpolicy
 spec:
+ timeouts: {}
 try:
 - error:
 file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/01-policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/02-validatingadmissionpolicy.yaml
index 5e445918af..dcf7fff4ac 100644
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/02-validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/02-validatingadmissionpolicy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: validatingadmissionpolicy
 spec:
+ timeouts: {}
 try:
 - error:
 file: validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/README.md
new file mode 100644
index 0000000000..99979ca070
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/README.md
@@ -0,0 +1,3 @@
+# Title
+
+Tests in the `cornercases` directory should typically correspond either to a specific Kyverno issue (please provide issue number or link) or a Slack conversation if no issue is logged. These are NOT standard tests for basic functionality but outliers or highly specific/esoteric combinations that have exposed a bug in the past.
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/01-assert.yaml
new file mode 100644
index 0000000000..28769ca2d8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: clone-list-sync-same-trigger-source-cpol
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/01-manifests.yaml
new file mode 100644
index 0000000000..e314968e2b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/01-manifests.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: clone-list-sync-same-trigger-source-trigger-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: clone-list-sync-same-trigger-source-target-ns
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: clone-list-sync-same-trigger-source-cpol
+spec:
+ rules:
+ - name: sync-secret
+ match:
+ all:
+ - resources:
+ annotations:
+ myProj/cluster.addon.sync.targetNamespace: "?*"
+ kinds:
+ - Secret
+ namespaces:
+ - clone-list-sync-same-trigger-source-trigger-ns
+ generate:
+ namespace: '{{ request.object.metadata.annotations."myProj/cluster.addon.sync.targetNamespace" }}'
+ synchronize: true
+ cloneList:
+ namespace: clone-list-sync-same-trigger-source-trigger-ns
+ kinds:
+ - v1/Secret
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/02-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/02-check.yaml
new file mode 100644
index 0000000000..e787edb697
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/02-check.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: trigger.yaml
+ - assert:
+ file: target.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/03-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/03-delete.yaml
new file mode 100644
index 0000000000..eab588495e
--- /dev/null
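Review bot: The generate target namespace is taken verbatim from the trigger Secret's own annotation (`namespace: '{{ request.object.metadata.annotations."myProj/cluster.addon.sync.targetNamespace" }}'`) and the match only requires that annotation to be non-empty (`"?*"`), so this fixture policy clones every `allowedToBeCloned: "true"` Secret in the trigger namespace into whichever namespace the annotation names. That is presumably exactly what the corner case exercises, but a comment above `generate:` such as `# target namespace is intentionally unconstrained for this test; a real policy would restrict it` would stop the fixture being copied as a template; the same policy shape appears in the update-source `01-manifests.yaml`. Separately, this file applies the policy as `kyverno.io/v1` while `01-assert.yaml` reads it back as `kyverno.io/v2beta1`; using one version in both makes it obvious the assertion targets the same object. The file also ends without a trailing newline.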
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/03-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: Secret
+ name: mysecret
+ namespace: clone-list-sync-same-trigger-source-trigger-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/05-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/05-check.yaml
new file mode 100644
index 0000000000..d11bf0188f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/05-check.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: target.yaml
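Review bot: The `sleep` / `"3"` step in `04-sleep.yaml` is a fixed timing assumption: it is too slow on a fast cluster and still not guaranteed long enough on a loaded one, and the `error:` check in `05-check.yaml` that follows it already polls until the step's timeout, if I read chainsaw's semantics right. Prefer dropping the sleep step and giving the check step an explicit per-operation bound under `timeouts:` instead of the empty `timeouts: {}`, so the wait is tied to the condition rather than to a constant. The identical `04-sleep.yaml` in the update-source test has the same issue.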
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/README.md
new file mode 100644
index 0000000000..21cc75e792
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a corner case test to ensure the downstream target is deleted when the source is deleted, for a generate cloneList type of policy. This is a corner case because the source and the trigger is the same resource.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If not, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7281
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/target.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/target.yaml
new file mode 100644
index 0000000000..014e358764
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/target.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ annotations:
+ myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-target-ns
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret
+ namespace: clone-list-sync-same-trigger-source-target-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/trigger.yaml
new file mode 100644
index 0000000000..fbc8d06da5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/trigger.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ location: europe
+ allowedToBeCloned: "true"
+ annotations:
+ myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-target-ns
+ name: mysecret
+ namespace: clone-list-sync-same-trigger-source-trigger-ns
+type: Opaque
+data:
+ foo: YmFy
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/01-assert.yaml
new file mode 100644
index 0000000000..c545ebdb4f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: clone-list-sync-same-trigger-source-update-source-cpol
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/01-manifests.yaml
new file mode 100644
index 0000000000..c4b18253b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/01-manifests.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: clone-list-sync-same-trigger-source-update-source-trigger-ns
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: clone-list-sync-same-trigger-source-update-source-target-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: clone-list-sync-same-trigger-source-update-source-target-ns-2
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: clone-list-sync-same-trigger-source-update-source-cpol
+spec:
+ rules:
+ - name: sync-secret
+ match:
+ all:
+ - resources:
+ annotations:
+ myProj/cluster.addon.sync.targetNamespace: "?*"
+ kinds:
+ - Secret
+ namespaces:
+ - clone-list-sync-same-trigger-source-update-source-trigger-ns
+ generate:
+ namespace: '{{ request.object.metadata.annotations."myProj/cluster.addon.sync.targetNamespace" }}'
+ synchronize: true
+ cloneList:
+ namespace: clone-list-sync-same-trigger-source-update-source-trigger-ns
+ kinds:
+ - v1/Secret
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/02-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/02-check.yaml
new file mode 100644
index 0000000000..e787edb697
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/02-check.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: trigger.yaml
+ - assert:
+ file: target.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/03-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/03-update-trigger.yaml
new file mode 100644
index 0000000000..891f851ff7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/03-update-trigger.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ location: europe
+ allowedToBeCloned: "true"
+ annotations:
+ myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-update-source-target-ns-2
+ name: mysecret
+ namespace: clone-list-sync-same-trigger-source-update-source-trigger-ns
+type: Opaque
+data:
+ foo: YmFy
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/05-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/05-check.yaml
new file mode 100644
index 0000000000..72d051707f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/05-check.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: target-2.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/README.md
new file mode 100644
index 0000000000..5c05a65ba9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a corner case test to ensure a new downstream target is created when the source matches a different namespace, for a generate cloneList type of policy. This is a corner case because the source and the trigger is the same resource.
+
+## Expected Behavior
+
+The new downstream resource should be created after the trigger is updated. Otherwise the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7281
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/target-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/target-2.yaml
new file mode 100644
index 0000000000..99445ad237
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/target-2.yaml
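Review bot: `05-check.yaml` only asserts that the clone now exists in the `...-target-ns-2` namespace (`file: target-2.yaml`); nothing checks what became of the clone created earlier in `...-target-ns-1`, so the test passes whether Kyverno removes the stale downstream Secret or leaves it behind. Whichever is the intended synchronize behaviour when the trigger's target annotation changes — the diff does not show it — pin it with a second operation in the same `try:` list: `- error:` / `    file: target.yaml` if the old clone must be gone, or `- assert:` / `    file: target.yaml` if it must remain, and state that expectation in the README's "Expected Behavior" section, which currently only covers the new resource.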
@@ -0,0 +1,13 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + annotations: + myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-update-source-target-ns-2 + labels: + allowedToBeCloned: "true" + location: europe + name: mysecret + namespace: clone-list-sync-same-trigger-source-update-source-target-ns-2 +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/target.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/target.yaml new file mode 100644 index 0000000000..1c4945b81a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/target.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + annotations: + myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-update-source-target-ns-1 + labels: + allowedToBeCloned: "true" + location: europe + name: mysecret + namespace: clone-list-sync-same-trigger-source-update-source-target-ns-1 +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/trigger.yaml new file mode 100644 index 0000000000..8a6b400e74 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/trigger.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: + location: europe + allowedToBeCloned: "true" + annotations: + myProj/cluster.addon.sync.targetNamespace: clone-list-sync-same-trigger-source-update-source-target-ns-1 + name: mysecret + namespace: clone-list-sync-same-trigger-source-update-source-trigger-ns +type: Opaque +data: + foo: YmFy \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-assert.yaml new file mode 100644 index 0000000000..b19561440a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: gen-clone-role-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-manifests.yaml new file mode 100644 index 0000000000..fd7e27fc14 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-manifests.yaml 
@@ -0,0 +1,61 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: default + name: ns-role +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "watch", "list", "delete", "create"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ns-role-binding + namespace: default +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: minikube-userclone +roleRef: + kind: Role + name: ns-role + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: gen-clone-role-policy +spec: + background: false + rules: + - name: gen-role + match: + any: + - resources: + kinds: + - Namespace + generate: + kind: Role + name: ns-role + apiVersion: rbac.authorization.k8s.io/v1 + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + name: ns-role + namespace: default + - name: gen-role-binding + match: + any: + - resources: + kinds: + - Namespace + generate: + kind: RoleBinding + name: ns-role-binding + apiVersion: rbac.authorization.k8s.io/v1 + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + name: ns-role-binding + namespace: default \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/02-ns.yaml new file mode 100644 index 0000000000..f09957352b --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: generate-clone-role-tests \ No newline at end of file 
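Review bot: `gen-role` and `gen-role-binding` match every `Namespace` with no `exclude`, and `synchronize: true` with `clone` from `default` means whoever can edit `default/ns-role` or `default/ns-role-binding` decides the RBAC that Kyverno writes into every namespace created afterwards, system namespaces included. That is acceptable for a fixture, but these manifests are the kind that get copied into real policies, so I would add a comment above the first `match:`: `# Fixture only: matches ALL namespaces and replicates a writable source Role/RoleBinding; production clone-RBAC rules should exclude system namespaces and lock down the clone source namespace.` The README's claim that no extra privileges are needed presumably rests on the API server's RBAC escalation check being satisfied by what the background controller already holds for `configmaps`; a one-line comment on the Role's `verbs:` saying so would help whoever next widens the verbs and sees this test start failing.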
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/03-assert.yaml new file mode 100644 index 0000000000..8ae6267cb2 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/03-assert.yaml @@ -0,0 +1,30 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ns-role + namespace: generate-clone-role-tests +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + - delete + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ns-role-binding + namespace: generate-clone-role-tests +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ns-role +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: minikube-userclone \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/99-cleanup.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/99-cleanup.yaml new file mode 100644 index 0000000000..76dc94764f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/99-cleanup.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - -f + - 01-manifests.yaml,02-ns.yaml + - --force + - --wait=true + - --ignore-not-found=true + entrypoint: kubectl diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/README.md new file mode 100644 index 0000000000..edea18ec63 --- /dev/null 
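Review bot: `99-cleanup.yaml` passes `--force` to `kubectl delete` together with `--wait=true`; `--force` requests immediate deletion with a zero grace period and is meant for stuck resources, not routine teardown, and on a Namespace it can race Kyverno's own removal of the synchronized Role/RoleBinding. `--wait=true --ignore-not-found=true` already give a blocking, idempotent cleanup, so I would drop the `- --force` line. If it was added to work around a hang, a comment naming the resource that hung would be more useful than a silent force.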
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks the Kyverno can generate a Role and RoleBinding from a clone-type generate rule. This test does NOT require additional privileges granted to the Kyverno ServiceAccount. Because this is a test which covers generation of security-related constructs which the API server has special logic to block if it detects a possible privilege escalation attack, it is being considered a corner case. This test was migrated from e2e. + +## Expected Behavior + +The Role and RoleBinding should be generated as per the clone declaration in the ClusterPolicy. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/01-assert.yaml new file mode 100644 index 0000000000..f5149079e2 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: generate-secret +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/01-manifests.yaml new file mode 100644 index 0000000000..0368e40c23 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/01-manifests.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: regcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcred + namespace: default +type: Opaque +--- +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: generate-secret +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: Secret + name: regcred + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + namespace: default + name: regcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcred diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/02-assert.yaml new file mode 100644 index 0000000000..077577523f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/02-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Secret +metadata: + name: regcred + namespace: production diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/02-ns.yaml new file mode 100644 index 0000000000..9b8854c142 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: production \ No newline at end of file 
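Review bot: `02-assert.yaml` only checks that a Secret named `regcred` exists in `production`; it does not verify that the clone carried the source's content, so an empty Secret created under that name would pass. Asserting `type: Opaque` and `data:` `foo: YmFy` there, as `06-error.yaml` already does for the negative case, pins down that the 98-character source name resolved to the right object. A comment on the source Secret would also help: its name is legal for Kubernetes (Secret names allow up to 253 characters), so the 63-character limit being exercised is presumably the one Kyverno hits when it records the source name in a label — TODO confirm against the linked issue.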
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/03-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/03-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/04-delete-source.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/04-delete-source.yaml new file mode 100644 index 0000000000..dbb8b9e328 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/04-delete-source.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete-source +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: Secret + name: regcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcredregcred + namespace: default diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/05-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/05-sleep.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/06-error.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/06-error.yaml new file mode 100644 index 0000000000..5ef7a20dfd --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/06-error.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: regcred + namespace: production +type: Opaque diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/README.md new file mode 100644 index 0000000000..3675634183 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that the secret is cloned from a source resource name exceeds 63 characters limit. + +## Expected Behavior + +If the downstream resource is created, the test passes. If it is not created, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/8447 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/01-assert.yaml new file mode 100644 index 0000000000..7a4452c611 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/01-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: clone-sync-same-trigger-source-cpol +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/01-manifests.yaml new file mode 100644 index 0000000000..95a361e3e6 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/01-manifests.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: clone-sync-same-trigger-source-trigger-ns +--- +apiVersion: v1 +kind: Namespace +metadata: + name: clone-sync-same-trigger-source-target-ns +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: clone-sync-same-trigger-source-cpol +spec: + rules: + - name: sync-secret + match: + all: + - resources: + annotations: + myProj/cluster.addon.sync.targetNamespace: "?*" + kinds: + - Secret + namespaces: + - clone-sync-same-trigger-source-trigger-ns + generate: + kind: Secret + apiVersion: v1 + namespace: '{{ request.object.metadata.annotations."myProj/cluster.addon.sync.targetNamespace" }}' + name: mysecret + synchronize: true + clone: + namespace: clone-sync-same-trigger-source-trigger-ns + name: mysecret + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/02-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/02-check.yaml new file mode 100644 index 0000000000..e787edb697 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/02-check.yaml 
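Review bot: In `sync-secret` the destination namespace is taken verbatim from the trigger Secret's own annotation, `namespace: '{{ request.object.metadata.annotations."myProj/cluster.addon.sync.targetNamespace" }}'`, and the `match` accepts any non-empty value via `"?*"`; whoever can create a Secret in `clone-sync-same-trigger-source-trigger-ns` can therefore have Kyverno, acting with its own privileges, write a copy into any namespace they name. That is fine for a fixture, but I would mark it above `generate:`: `# Fixture only: target namespace comes from a user-controlled annotation; real policies should gate it with a precondition/allow-list.` Minor: the last added line of `01-manifests.yaml` is whitespace-only and the file has no trailing newline.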
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - apply: + file: trigger.yaml + - assert: + file: target.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/03-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/03-delete.yaml new file mode 100644 index 0000000000..dd4a010d8d --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/03-delete.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: Secret + name: mysecret + namespace: clone-sync-same-trigger-source-trigger-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/04-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/04-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/05-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/05-check.yaml new file mode 100644 index 0000000000..d11bf0188f --- /dev/null 
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/05-check.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - error: + file: target.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/README.md new file mode 100644 index 0000000000..999e4af9ab --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/README.md @@ -0,0 +1,11 @@ +## Description + +This is a corner case test to ensure the downstream target is deleted when the source is deleted, for a generate clone type of policy. This is a corner case because the source and the trigger is the same resource. + +## Expected Behavior + +If the downstream resource is deleted, the test passes. If not, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7281 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/target.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/target.yaml new file mode 100644 index 0000000000..ae5c9aed85 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/target.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + annotations: + myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-target-ns + labels: + location: europe + name: mysecret + namespace: clone-sync-same-trigger-source-target-ns +type: Opaque \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/trigger.yaml new file mode 100644 index 0000000000..241f7037eb --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/trigger.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: + location: europe + annotations: + myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-target-ns + name: mysecret + namespace: clone-sync-same-trigger-source-trigger-ns +type: Opaque +data: + foo: YmFy \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/01-assert.yaml new file mode 100644 index 0000000000..3742a6540f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: clone-sync-same-trigger-source-update-source-cpol +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/01-manifests.yaml new file mode 100644 index 0000000000..0470a0e183 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/01-manifests.yaml 
@@ -0,0 +1,40 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: clone-sync-same-trigger-source-update-source-trigger-ns +--- +apiVersion: v1 +kind: Namespace +metadata: + name: clone-sync-same-trigger-source-update-source-target-ns-1 +--- +apiVersion: v1 +kind: Namespace +metadata: + name: clone-sync-same-trigger-source-update-source-target-ns-2 +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: clone-sync-same-trigger-source-update-source-cpol +spec: + rules: + - name: sync-secret + match: + all: + - resources: + annotations: + myProj/cluster.addon.sync.targetNamespace: "?*" + kinds: + - Secret + namespaces: + - clone-sync-same-trigger-source-update-source-trigger-ns + generate: + namespace: '{{ request.object.metadata.annotations."myProj/cluster.addon.sync.targetNamespace" }}' + kind: Secret + apiVersion: v1 + name: mysecret + synchronize: true + clone: + namespace: clone-sync-same-trigger-source-update-source-trigger-ns + name: mysecret \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/02-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/02-check.yaml new file mode 100644 index 0000000000..e787edb697 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/02-check.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - apply: + file: trigger.yaml + - assert: + file: target.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/03-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/03-update-trigger.yaml new file mode 100644 index 0000000000..cb0f75368a 
--- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/03-update-trigger.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: + location: europe + allowedToBeCloned: "true" + annotations: + myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-update-source-target-ns-2 + name: mysecret + namespace: clone-sync-same-trigger-source-update-source-trigger-ns +type: Opaque +data: + foo: YmFy \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/04-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/04-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/05-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/05-check.yaml new file mode 100644 index 0000000000..72d051707f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/05-check.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - assert: + file: target-2.yaml 
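Review bot: `05-check.yaml` asserts only `target-2.yaml`, so after `03-update-trigger.yaml` re-points the annotation to `clone-sync-same-trigger-source-update-source-target-ns-2`, the copy previously synchronized into `...-target-ns-1` is neither asserted present nor asserted gone. If retargeting is meant to move the Secret, add `- error: file: target.yaml` to the same `try:`; if the old copy is expected to stay, assert it — as written the step passes either way, and a stale copy left in a namespace that no longer targets it is exactly what a sync test should surface. `03-update-trigger.yaml` also introduces the `allowedToBeCloned: "true"` label that this fixture's `trigger.yaml` does not carry; if that is incidental, keeping the two manifests identical apart from the annotation makes the change under test unambiguous.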
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/README.md new file mode 100644 index 0000000000..8ba3ca9998 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/README.md @@ -0,0 +1,11 @@ +## Description + +This is a corner case test to ensure a new downstream target is created when the source matches a different namespace, for a generate clone type of policy. This is a corner case because the source and the trigger is the same resource. + +## Expected Behavior + +The new downstream resource should be created after the trigger is updated. Otherwise the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7281 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/target-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/target-2.yaml new file mode 100644 index 0000000000..7457098f63 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/target-2.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + annotations: + myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-update-source-target-ns-2 + labels: + location: europe + name: mysecret + namespace: clone-sync-same-trigger-source-update-source-target-ns-2 +type: Opaque \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/target.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/target.yaml new file mode 100644 index 0000000000..abe8ebe385 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/target.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + annotations: + myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-update-source-target-ns-1 + labels: + location: europe + name: mysecret + namespace: clone-sync-same-trigger-source-update-source-target-ns-1 +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/trigger.yaml new file mode 100644 index 0000000000..4c23977379 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/trigger.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: + location: europe + annotations: + myProj/cluster.addon.sync.targetNamespace: clone-sync-same-trigger-source-update-source-target-ns-1 + name: mysecret + namespace: clone-sync-same-trigger-source-update-source-trigger-ns +type: Opaque +data: + foo: YmFy \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/01-assert.yaml new file mode 100644 index 0000000000..a87c3a2cad --- /dev/null 
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-clone-create-on-trigger-deletion +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/01-manifests.yaml new file mode 100644 index 0000000000..d6566ce156 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/01-manifests.yaml @@ -0,0 +1,44 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + downstream: "cpol-clone-create-on-trigger-deletion-manifest-ns" + name: cpol-clone-create-on-trigger-deletion-trigger-ns +--- +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-clone-create-on-trigger-deletion-manifest-ns +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: regcred + namespace: cpol-clone-create-on-trigger-deletion-manifest-ns +type: Opaque +--- +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-clone-create-on-trigger-deletion +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - Namespace + operations: + - DELETE + generate: + apiVersion: v1 + kind: Secret + name: cpol-clone-create-on-trigger-deletion-secret + namespace: "{{request.object.metadata.labels.downstream}}" + synchronize: true + clone: + namespace: cpol-clone-create-on-trigger-deletion-manifest-ns + name: regcred \ No newline at end of file 
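Review bot: `clone-secret` fires on `DELETE` of a Namespace and takes the destination from `{{request.object.metadata.labels.downstream}}`, so a label on the namespace being removed decides where a copy of `regcred` lands, and `synchronize: true` is set on a rule whose trigger no longer exists by the time the downstream is created. I would add a comment on `synchronize:` stating what it is expected to keep in sync here (source → downstream only, presumably, since there is no trigger left to watch) or drop it if the test does not depend on it, and one on `namespace:` noting that the label value is user-controlled input and this is a fixture. The cleanup concern is real even in a test: if `synchronize` does not apply, the generated Secret in `cpol-clone-create-on-trigger-deletion-manifest-ns` may outlive the test.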
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/02-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/02-delete.yaml new file mode 100644 index 0000000000..78b8349188 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/02-delete.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: Namespace + name: cpol-clone-create-on-trigger-deletion-trigger-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/03-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/03-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/04-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/04-assert.yaml new file mode 100644 index 0000000000..847ebedb28 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/04-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cpol-clone-create-on-trigger-deletion-secret + namespace: cpol-clone-create-on-trigger-deletion-manifest-ns \ No newline at end of file 
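Review bot: `04-assert.yaml` checks only the name and namespace of `cpol-clone-create-on-trigger-deletion-secret`, so the test cannot distinguish a faithful clone of `regcred` from an empty Secret created under that name. Add `type: Opaque` and `data:` `foo: YmFy` to the assertion so the content is pinned; chainsaw assertions are partial matches, so the extra fields cost nothing. `03-sleep.yaml` then waits a fixed 3 seconds before the assertion; as far as I can tell chainsaw's `assert` already polls until its timeout, so the sleep only adds latency — hedged, since the configured timeouts are not visible here.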
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/README.md new file mode 100644 index 0000000000..2dd7cc20c2 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/README.md @@ -0,0 +1,11 @@ +## Description + +This is a corner case test to ensure a generate clone rule can be triggered on the deletion of the trigger resource. + +## Expected Behavior + +If the downstream resource is created, the test passes. If it is not created, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6398 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/02-set-ownerreference.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/02-set-ownerreference.yaml new file mode 100644 index 0000000000..172ebb0e53 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/02-set-ownerreference.yaml 
@@ -0,0 +1,21 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: set-ownerreference
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: |
+ kubectl -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns get configmap owner -o json | jq '{
+ "metadata": {
+ "ownerReferences": [{
+ "apiVersion": "v1",
+ "kind": "ConfigMap",
+ "name": "owner",
+ "uid": .metadata.uid
+ }]
+ }
+ }' | kubectl patch -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns secret cpol-clone-delete-ownerreferences-across-namespaces --patch-file=/dev/stdin
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/03-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/03-trigger.yaml
new file mode 100644
index 0000000000..abda8804b6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/03-trigger.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: trigger
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: trigger.yaml
+ - assert:
+ file: created-secret.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/04-check-no-ownerreference.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/04-check-no-ownerreference.yaml
new file mode 100644
index 0000000000..0aad00b6ed
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/04-check-no-ownerreference.yaml
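Review bot: The script in 02-set-ownerreference.yaml runs a three-stage `kubectl get | jq | kubectl patch` pipeline without `set -euo pipefail`, so the step's outcome is the exit status of the final `kubectl patch` alone; if `kubectl get` or `jq` fails, the patch receives empty input and the failure is reported against the wrong command, if at all. Put `set -euo pipefail` as the first line under `content: |` so every stage is checked and the step fails at the stage that actually broke. The one-pipeline script in 04-check-no-ownerreference.yaml has the same gap, although there `jq -e` on empty input would at least exit non-zero.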
@@ -0,0 +1,12 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check-no-ownerreference
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: |
+ kubectl --namespace cpol-clone-delete-ownerreferences-across-namespaces-target-ns get secret cpol-clone-delete-ownerreferences-across-namespaces -o json | jq -e '.metadata.ownerReferences == null'
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/README.md
new file mode 100644
index 0000000000..16e6dc869c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This tests that the ownerReferences of cloned objects in different Namespaces are removed. Otherwise these objects will be immediately garbage-collected
+
+## Expected Behavior
+
+The background controller will strip the ownerReference when cloning between Namespaces, if it exists.
+
+## Reference Issue(s)
+
+- https://github.com/kyverno/kyverno/issues/2276
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/created-secret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/created-secret.yaml
new file mode 100644
index 0000000000..64e2789fd0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/created-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-target-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy-ready.yaml
new file mode 100644
index 0000000000..087293808d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml
new file mode 100644
index 0000000000..e95821be60
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: owner
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+type: Opaque
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+spec:
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+ kind: Secret
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: clone-secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/trigger.yaml
new file mode 100644
index 0000000000..04ad516c46
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/trigger.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces-target-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/01-assert.yaml
new file mode 100644
index 0000000000..ec2273bcbd
--- /dev/null
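Review bot: The `owner` ConfigMap in policy.yaml carries `type: Opaque`, which is a Secret field and not part of the ConfigMap schema; under strict server-side field validation the apply of that document is rejected, and under lenient validation the line is silently dropped, so remove `type: Opaque` from the ConfigMap document. Separately, the ClusterPolicy matches every Namespace with `generateExisting: true` and `synchronize: true`, so the source Secret is cloned into every namespace in the test cluster rather than only the target namespace this test creates, which widens the chance of cross-test interference when the conformance suite shares a cluster. Restricting the rule with `names:` under `resources:` to the `...-target-ns` trigger would keep the test self-contained (I believe the Kyverno match schema supports `resources.names`; verify against the CRD). The same cluster-wide Namespace match is used by the policies in cpol-clone-sync-create-source-after-policy, cpol-clone-sync-reinstall-policy and the two cpol-clone-sync-single-* tests.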
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-create-source-after-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/01-manifests.yaml
new file mode 100644
index 0000000000..aca73c7197
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/01-manifests.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-create-source-after-policy
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: regcred
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/02-assert.yaml
new file mode 100644
index 0000000000..7cc4b1fa3b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-create-source-after-policy-ns
\ No newline at end of file
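Review bot: 01-manifests.yaml places the clone source Secret `regcred` in the shared `default` namespace instead of a namespace owned by this test, so a leftover from an interrupted run means the source already exists before the policy on the next run, which defeats the "source created after the policy" scenario the README describes. Create a test namespace as the first document and use it for both `clone.namespace` and the Secret's `metadata.namespace`, as the sibling tests in this change do. Whether chainsaw's own cleanup removes a Secret applied into `default` is not visible from the step files, so I would not rely on it.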
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/02-ns.yaml
new file mode 100644
index 0000000000..cbb32084c6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/02-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-create-source-after-policy-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/README.md
new file mode 100644
index 0000000000..374df95f8e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a corner case test to ensure a clone rule is applied when the source is created after the ClusterPolicy.
+
+## Expected Behavior
+
+If the downstream resource is created, the test passes. If it is not created, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5411
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/01-assert.yaml
new file mode 100644
index 0000000000..53f672f4ce
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-reinstall-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/01-manifests.yaml
new file mode 100644
index 0000000000..d06f1b63ff
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/01-manifests.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-ns
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+type: Opaque
+data:
+ foo: Zm9v
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-reinstall-policy
+spec:
+ rules:
+ - name: sync-image-pull-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+ name: regcred
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/02-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/02-trigger.yaml
new file mode 100644
index 0000000000..bc52ac1d89
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/02-trigger.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
\ No newline at end of file
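Review bot: 01-manifests.yaml of cpol-clone-sync-reinstall-policy creates the namespace `cpol-clone-sync-single-source-multiple-targets-ns` as its clone source, and 02-trigger.yaml creates `...-trigger-ns-1` and `...-trigger-ns-2`; these are exactly the names the cpol-clone-sync-single-source-multiple-triggers-targets test uses (its 02-triggers.yaml is the identical blob `bc52ac1d89`). Both tests' policies match every Namespace with `synchronize: true`, so if the two run in parallel or one leaves residue after a failure, each policy generates into the other's namespaces and the asserts become order-dependent. Rename this test's namespaces after its own directory, e.g. `name: cpol-clone-sync-reinstall-policy-ns` and `name: cpol-clone-sync-reinstall-policy-trigger-ns-1`. The README added with this test also still carries the create-on-trigger-deletion description from another test, which does not describe the reinstall scenario its Expected Behavior section lists.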
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/03-assert.yaml
new file mode 100644
index 0000000000..247bfcf0cc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/03-assert.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
+type: Opaque
+data:
+ foo: Zm9v
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
+type: Opaque
+data:
+ foo: Zm9v
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/04-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/04-delete.yaml
new file mode 100644
index 0000000000..73ebf3ef2e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/04-delete.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: cpol-clone-sync-reinstall-policy
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/05-update-source.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/05-update-source.yaml
new file mode 100644
index 0000000000..26c19c10cc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/05-update-source.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+type: Opaque
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/06-recreate-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/06-recreate-policy.yaml
new file mode 100644
index 0000000000..c56b01ed44
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/06-recreate-policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-reinstall-policy
+spec:
+ generateExisting: true
+ rules:
+ - name: sync-image-pull-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+ name: regcred
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/07-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/07-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/07-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/08-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/08-assert.yaml
new file mode 100644
index 0000000000..bf37d75c00
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/08-assert.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
+type: Opaque
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
+type: Opaque
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/09-update-source.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/09-update-source.yaml
new file mode 100644
index 0000000000..33a49db7a4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/09-update-source.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+type: Opaque
+data:
+ foo: YmFy
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/10-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/10-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/10-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/11-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/11-assert.yaml
new file mode 100644
index 0000000000..8f4e990d14
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/11-assert.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
+type: Opaque
+data:
+ foo: YmFy
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
+type: Opaque
+data:
+ foo: YmFy
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/README.md
new file mode 100644
index 0000000000..843d354140
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This is a corner case test to ensure a generate clone rule can be triggered on the deletion of the trigger resource. It also ensures upgrades to 1.10 are successful for the same clone rule type.
+
+## Expected Behavior
+
+1. when the trigger is created, the corresponding downstream target secret should be generated
+2. delete the policy, update the source, then re-install the policy with generateExisting=true, the change should be synced to the downstream target
+3. update the source again, the change should be synced to the downstream target
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7170
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/01-assert.yaml
new file mode 100644
index 0000000000..509cb19542
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/01-manifests.yaml
new file mode 100644
index 0000000000..20e4df7080
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/01-manifests.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-ns
+---
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: foosource
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets
+spec:
+ generateExisting: false
+ rules:
+ - name: rule-clone-sync-single-source-multiple-targets
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: ConfigMap
+ name: footarget
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+ name: foosource
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/02-triggers.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/02-triggers.yaml
new file mode 100644
index 0000000000..bc52ac1d89
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/02-triggers.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/03-assert.yaml
new file mode 100644
index 0000000000..6db90bec71
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/03-assert.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: footarget
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
+---
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: footarget
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/04-update-source.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/04-update-source.yaml
new file mode 100644
index 0000000000..6db64aace2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/04-update-source.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: baz
+kind: ConfigMap
+metadata:
+ name: foosource
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/06-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/06-assert.yaml
new file mode 100644
index 0000000000..6a3abcb63b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/06-assert.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+ foo: baz
+kind: ConfigMap
+metadata:
+ name: footarget
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
+---
+apiVersion: v1
+data:
+ foo: baz
+kind: ConfigMap
+metadata:
+ name: footarget
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/README.md
new file mode 100644
index 0000000000..220aefaaca
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a corner case test to ensure the changes to the clone source can be synced to multiple targets.
+
+## Expected Behavior
+
+If the change from `foo=bar` to `foo=baz` is synced to downstream targets, the test passes. Otherwise fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7170
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/01-assert.yaml
new file mode 100644
index 0000000000..82640f38c1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/01-assert.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-single-trigger-source-multiple-targets-1
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-single-trigger-source-multiple-targets-2
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/01-manifests.yaml
new file mode 100644
index 0000000000..e08ae4a58b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/01-manifests.yaml
@@ -0,0 +1,56 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-trigger-source-multiple-targets-ns
+---
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: foosource
+ namespace: cpol-clone-sync-single-trigger-source-multiple-targets-ns
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-single-trigger-source-multiple-targets-1
+spec:
+ rules:
+ - name: rule-sync-image-pull-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: ConfigMap
+ name: footarget
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-single-trigger-source-multiple-targets-ns
+ name: foosource
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-single-trigger-source-multiple-targets-2
+spec:
+ rules:
+ - name: rule-sync-image-pull-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: ConfigMap
+ name: bartarget
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-single-trigger-source-multiple-targets-ns
+ name: foosource
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/02-triggers.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/02-triggers.yaml
new file mode 100644
index 0000000000..ff8a3e272f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/02-triggers.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-single-trigger-source-multiple-targets-trigger-ns
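Review bot: Both ClusterPolicies in 01-manifests.yaml name their rule `rule-sync-image-pull-secret` although they clone a ConfigMap, not an image-pull Secret; the rule name may surface in Kyverno's labels on the generated resources and in events, where it would mislead anyone tracing what created `footarget` and `bartarget`. Rename them to describe the clone, e.g. `name: rule-clone-configmap-footarget` and `name: rule-clone-configmap-bartarget`. The trigger namespace in 02-triggers.yaml, `cpol-single-trigger-source-multiple-targets-trigger-ns`, also drops the `clone-sync` part of the prefix every other resource in this test uses; it works, but the inconsistent name makes leftovers harder to attribute to this test.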
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/03-assert.yaml
new file mode 100644
index 0000000000..c0b1d5e201
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/03-assert.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: footarget
+ namespace: cpol-single-trigger-source-multiple-targets-trigger-ns
+---
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: bartarget
+ namespace: cpol-single-trigger-source-multiple-targets-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/04-update-source.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/04-update-source.yaml
new file mode 100644
index 0000000000..19705f3b95
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/04-update-source.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: baz
+kind: ConfigMap
+metadata:
+ name: foosource
+ namespace: cpol-clone-sync-single-trigger-source-multiple-targets-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/05-sleep.yaml
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/06-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/06-assert.yaml new file mode 100644 index 0000000000..4124b1cb53 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/06-assert.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +data: + foo: baz +kind: ConfigMap +metadata: + name: footarget + namespace: cpol-single-trigger-source-multiple-targets-trigger-ns +--- +apiVersion: v1 +data: + foo: baz +kind: ConfigMap +metadata: + name: bartarget + namespace: cpol-single-trigger-source-multiple-targets-trigger-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/README.md new file mode 100644 index 0000000000..220aefaaca --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/README.md @@ -0,0 +1,11 @@ +## Description + +This is a corner case test to ensure the changes to the clone source can be synced to multiple targets. + +## Expected Behavior + +If the change from `foo=bar` to `foo=baz` is synced to downstream targets, the test passes. Otherwise fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7170 \ No newline at end of file 
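Review bot: The fixed `sleep 3` step is a timing assumption rather than a synchronisation point: chainsaw's `assert` polls the resource until the step timeout as far as I know, so for the `06-assert.yaml` that follows the sleep adds nothing, and on a slower cluster the assert still has to wait on its own. If the step is kept to give the background controller time to reconcile the source update, say so, e.g. `# give the generate controller time to reconcile the updated source; the following assert polls anyway`. The same 13-line file is duplicated in several test directories in this change, so the comment is worth carrying in each copy.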
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/01-assert.yaml new file mode 100644 index 0000000000..a0847f258e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/01-assert.yaml @@ -0,0 +1,15 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-create-on-trigger-deletion +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-org + namespace: cpol-create-on-trigger-deletion-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/01-manifests.yaml new file mode 100644 index 0000000000..240c10f327 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/01-manifests.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-create-on-trigger-deletion-ns +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-org + namespace: cpol-create-on-trigger-deletion-ns +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-create-on-trigger-deletion +spec: + rules: + - name: default-deny + match: + any: + - resources: + kinds: + - ConfigMap + operations: + - DELETE + generate: + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + name: default-deny + namespace: "{{request.object.metadata.namespace}}" + synchronize: false + data: + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file 
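Review bot: `01-assert.yaml` asserts the ClusterPolicy as `apiVersion: kyverno.io/v2beta1` while `01-manifests.yaml` applies it as `kyverno.io/v1`; both versions are served so this passes today, but asserting a different version than the one applied makes the readiness check depend on API conversion and will fail confusingly if the beta version is dropped. Use `apiVersion: kyverno.io/v1` here, matching the manifest and the other `policy-ready.yaml` files in this change.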
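Review bot: The `default-deny` rule matches every `ConfigMap` `DELETE` in the cluster, so while this policy is installed any other test that deletes a ConfigMap gets a default-deny `NetworkPolicy` generated into its namespace — a cross-test side effect that can break unrelated tests on a CNI that enforces NetworkPolicy, and exactly the blast radius a reviewer would reject in a real policy. Scope the trigger to the test namespace with `namespaces: [cpol-create-on-trigger-deletion-ns]` under `resources:` (or at least `exclude` `kyverno` and `kube-system`). The `namespace: "{{request.object.metadata.namespace}}"` target relies on Kyverno populating `request.object` from the deleted object on a DELETE admission request, which it does as far as I know; a one-line comment there would stop the next reader assuming the variable is empty on deletes.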
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/02-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/02-delete.yaml new file mode 100644 index 0000000000..57b0091257 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/02-delete.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: ConfigMap + name: test-org + namespace: cpol-create-on-trigger-deletion-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/03-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/03-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/04-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/04-assert.yaml new file mode 100644 index 0000000000..a6ff3586fc --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/04-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: cpol-create-on-trigger-deletion-ns +spec: + policyTypes: + - Ingress + - Egress \ No newline at end of file 
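Review bot: `04-assert.yaml` checks only `policyTypes`, not `podSelector: {}`, yet the empty pod selector is what makes the generated NetworkPolicy a default deny for every pod in the namespace; if the data declaration in `01-manifests.yaml` lost or mis-rendered `podSelector`, this assert would still pass. Add `podSelector: {}` under `spec:` so the assertion pins the security-relevant part of the generated object rather than just the policy types.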
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/README.md new file mode 100644 index 0000000000..dccb93bc0b --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/README.md @@ -0,0 +1,11 @@ +## Description + +This is a corner case test to ensure a generate data rule can be triggered on the deletion of the trigger resource. + +## Expected Behavior + +If the downstream resource is created, the test passes. If it is not created, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6398 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/01-clusterpolicy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/01-clusterpolicy.yaml new file mode 100644 index 0000000000..69291cfc10 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/01-clusterpolicy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: clusterpolicy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/02-ns.yaml new file mode 100644 index 0000000000..15f441a7a2 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/02-ns.yaml 
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-remove-list-element-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/03-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/03-check.yaml new file mode 100644 index 0000000000..55abc50495 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/03-check.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - assert: + file: netpol.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/04-update-cpol.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/04-update-cpol.yaml new file mode 100644 index 0000000000..02837de67a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/04-update-cpol.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: update-cpol +spec: + timeouts: {} + try: + - apply: + file: policy-remove-egress.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/05-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/05-sleep.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/06-checks.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/06-checks.yaml new file mode 100644 index 0000000000..33b66eda69 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/06-checks.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: checks +spec: + timeouts: {} + try: + - assert: + file: netpol-new.yaml + - error: + file: netpol.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/README.md new file mode 100644 index 0000000000..fe1285287e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks the removal of an array element is synced to the downstream resource correctly. + +## Expected Behavior + +When the `Egress` is removed from the data generate policy, this change should be synced to the downstream generated resource. The test passes if the `Egress` is removed from the networkpolicy `cpol-data-sync-remove-list-element-ns/default-netpol`, otherwise fails. + +## Reference Issue(s) + +n/a \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/netpol-new.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/netpol-new.yaml new file mode 100644 index 0000000000..1466a3bc0d --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/netpol-new.yaml @@ -0,0 +1,8 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-netpol + namespace: cpol-data-sync-remove-list-element-ns +spec: + policyTypes: + - Ingress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/netpol.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/netpol.yaml new file mode 100644 index 0000000000..64de046744 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/netpol.yaml @@ -0,0 +1,9 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-netpol + namespace: cpol-data-sync-remove-list-element-ns +spec: + policyTypes: + - Ingress + - Egress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy-ready.yaml new file mode 100644 index 0000000000..c0d310973a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-remove-list-element-cpol +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy-remove-egress.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy-remove-egress.yaml new file mode 100644 index 0000000000..968c1b7634 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy-remove-egress.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + policies.kyverno.io/category: Workload Management + policies.kyverno.io/description: By default, Kubernetes allows communications + across all pods within a cluster. Network policies and, a CNI that supports + network policies, must be used to restrict communinications. A default NetworkPolicy + should be configured for each namespace to default deny all ingress traffic + to the pods in the namespace. Application teams can then configure additional + NetworkPolicy resources to allow desired traffic to application pods from select + sources. + name: cpol-data-sync-remove-list-element-cpol +spec: + admission: true + background: true + rules: + - generate: + apiVersion: networking.k8s.io/v1 + data: + spec: + podSelector: {} + policyTypes: + - Ingress + kind: NetworkPolicy + name: default-netpol + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: cpol-data-sync-remove-list-element-rule + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy.yaml new file mode 100644 index 0000000000..99b1ab97b1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-remove-list-element/policy.yaml 
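Review bot: `validationFailureAction: Audit` has no effect on a policy whose only rule is a `generate` rule (it governs validate rules), so in `policy-remove-egress.yaml` it is noise that suggests a validation mode that does not exist here; drop it, or leave a comment if it is deliberately mirroring a policy-library manifest. The `policies.kyverno.io/description` annotation also carries the typo `communinications`; since this file is meant to differ from `policy.yaml` only by the removed `- Egress` element, fix the spelling in both so a diff between them shows only the intended change.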
@@ -0,0 +1,37 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + policies.kyverno.io/category: Workload Management + policies.kyverno.io/description: By default, Kubernetes allows communications + across all pods within a cluster. Network policies and, a CNI that supports + network policies, must be used to restrict communinications. A default NetworkPolicy + should be configured for each namespace to default deny all ingress traffic + to the pods in the namespace. Application teams can then configure additional + NetworkPolicy resources to allow desired traffic to application pods from select + sources. + name: cpol-data-sync-remove-list-element-cpol +spec: + admission: true + background: true + rules: + - generate: + apiVersion: networking.k8s.io/v1 + data: + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + kind: NetworkPolicy + name: default-netpol + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: cpol-data-sync-remove-list-element-rule + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/01-clusterpolicy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/01-clusterpolicy.yaml new file mode 100644 index 0000000000..69291cfc10 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/01-clusterpolicy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: clusterpolicy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml 
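Review bot: The description annotation in `policy.yaml` says the generated NetworkPolicy will "default deny all ingress traffic", but `policyTypes` lists both `Ingress` and `Egress` with no egress rules, so the generated object also blocks all egress — DNS included — for every pod in a matched namespace. For this test that is intentional (the `Egress` element is what `policy-remove-egress.yaml` drops), but the annotation should not understate what the policy does. Suggest appending to the description: `This variant also denies all egress; the Egress policy type is removed in policy-remove-egress.yaml to exercise list-element sync.`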
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/02-ns.yaml new file mode 100644 index 0000000000..001a9cb097 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-to-nosync-delete-rule-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/03-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/03-check.yaml new file mode 100644 index 0000000000..dcf0118adc --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/03-check.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - assert: + file: secret.yaml + - assert: + file: configmap.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/04-update-sync.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/04-update-sync.yaml new file mode 100644 index 0000000000..efe056725c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/04-update-sync.yaml 
@@ -0,0 +1,63 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-to-nosync-delete-rule +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" + - name: super-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: Secret + name: supersecret + namespace: "{{request.object.metadata.name}}" + data: + kind: Secret + type: Opaque + metadata: + labels: + somekey: somesecretvalue + data: + mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/05-delete-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/05-delete-rule.yaml new file mode 100644 index 0000000000..714d46270c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/05-delete-rule.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete-rule +spec: + timeouts: {} + try: + - apply: + file: delete-rule.yaml + - assert: + file: policy-ready.yaml 
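Review bot: The only intended difference between `04-update-sync.yaml` and `policy.yaml` is `synchronize: false` on the `k-kafka-address` rule, but nothing in this 63-line file flags that, so a reader has to diff the two by hand to learn what step 04 changes. Add an inline comment on that line, `synchronize: false  # flipped from policy.yaml; this rule is removed in 05-delete-rule.yaml and its ConfigMap must survive`. The `super-secret` rule copies an `Opaque` Secret into every non-excluded namespace; the value is a dummy fixture, so a `# test fixture, not a real credential` comment on `mysupersecretkey` would keep secret scanners and readers from treating the base64 value as a leaked credential.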
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/06-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/06-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/06-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/07-checks.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/07-checks.yaml new file mode 100644 index 0000000000..5f30a22f21 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/07-checks.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: checks +spec: + timeouts: {} + try: + - assert: + file: secret.yaml + - assert: + file: configmap.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/README.md new file mode 100644 index 0000000000..80d73af201 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/README.md 
@@ -0,0 +1,10 @@ +## Description + +This test checks to ensure that deletion of a rule in a ClusterPolicy generate rule, data declaration, with sync disabled, does not result in the downstream resource's deletion. + +## Expected Behavior + +The downstream (generated) resource is expected to remain if the corresponding rule within a ClusterPolicy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails. + +## Reference Issue(s) + diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/configmap.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/configmap.yaml new file mode 100644 index 0000000000..aae2b42313 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-to-nosync-delete-rule-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/delete-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/delete-rule.yaml new file mode 100644 index 0000000000..d24c7e4397 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/delete-rule.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: multiple-gens +spec: + generateExisting: false + rules: + - name: super-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: Secret + name: supersecret + namespace: "{{request.object.metadata.name}}" + data: + kind: Secret + type: Opaque + metadata: + labels: + somekey: somesecretvalue + data: + mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/policy-ready.yaml new file mode 100644 index 0000000000..d6a7219a7b --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-to-nosync-delete-rule +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/policy.yaml new file mode 100644 index 0000000000..b2cb12d617 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/policy.yaml 
@@ -0,0 +1,63 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-to-nosync-delete-rule +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" + - name: super-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: Secret + name: supersecret + namespace: "{{request.object.metadata.name}}" + data: + kind: Secret + type: Opaque + metadata: + labels: + somekey: somesecretvalue + data: + mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/secret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/secret.yaml new file mode 100644 index 0000000000..611a54d4d5 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl +kind: Secret +metadata: + labels: + somekey: somesecretvalue + name: supersecret + namespace: cpol-data-sync-to-nosync-delete-rule-ns +type: Opaque \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-assert.yaml
new file mode 100644
index 0000000000..61361d638c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: gen-role-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-manifests.yaml
new file mode 100644
index 0000000000..63801108fa
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-manifests.yaml
@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: gen-role-policy
+spec:
+ background: false
+ rules:
+ - name: gen-role
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ kind: Role
+ name: ns-role
+ apiVersion: rbac.authorization.k8s.io/v1
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "watch", "list"]
+ - name: gen-role-binding
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ kind: RoleBinding
+ name: ns-role-binding
+ apiVersion: rbac.authorization.k8s.io/v1
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: minikube-user
+ roleRef:
+ kind: Role
+ name: ns-role
+ namespace: "{{request.object.metadata.name}}"
+ apiGroup: rbac.authorization.k8s.io
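Review bot: The `gen-role-binding` data block puts `namespace: "{{request.object.metadata.name}}"` inside `roleRef`, but `rbac.authorization.k8s.io/v1` `RoleRef` has only `apiGroup`, `kind` and `name`; the API server drops the unknown field (or rejects it under strict field validation), and `03-assert.yaml` never asserts it, so the test passes without anyone noticing the declaration is wrong. Remove the `namespace:` line from `roleRef` — a `Role` reference is always resolved in the RoleBinding's own namespace. The README's claim that this needs no extra Kyverno privileges holds presumably because the granted verbs (`get`, `watch`, `list` on `pods`) are ones the background controller already has; a comment on `rules:` noting that RBAC escalation prevention will reject any verb Kyverno's service account lacks would spare the next person a puzzling `attempt to grant extra privileges` failure when they widen this fixture.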
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/02-ns.yaml new file mode 100644 index 0000000000..82164ae27a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: generate-role-tests \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/03-assert.yaml new file mode 100644 index 0000000000..c0844f4aca --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/03-assert.yaml @@ -0,0 +1,28 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ns-role + namespace: generate-role-tests +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ns-role-binding + namespace: generate-role-tests +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ns-role +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: minikube-user \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/99-cleanup.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/99-cleanup.yaml new file mode 100644 index 0000000000..76dc94764f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/99-cleanup.yaml 
@@ -0,0 +1,18 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - delete
+ - -f
+ - 01-manifests.yaml,02-ns.yaml
+ - --force
+ - --wait=true
+ - --ignore-not-found=true
+ entrypoint: kubectl
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/README.md
new file mode 100644
index 0000000000..1b4ea5b28c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks the Kyverno can generate a Role and RoleBinding from a data-type generate rule. This test does NOT require additional privileges granted to the Kyverno ServiceAccount. Because this is a test which covers generation of security-related constructs which the API server has special logic to block if it detects a possible privilege escalation attack, it is being considered a corner case. This test was migrated from e2e.
+
+## Expected Behavior
+
+The Role and RoleBinding should be generate as per the data declaration in the ClusterPolicy.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/01-clusterrole.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/01-clusterrole.yaml
new file mode 100644
index 0000000000..aab9ec784c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/01-clusterrole.yaml
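Review bot: `--force` in the cleanup step tells kubectl to skip graceful deletion and, per kubectl's own warning, not to wait for the resources to actually disappear, which works against the `--wait=true` right next to it; a Namespace is still governed by its `kubernetes` finalizer regardless, so `--force` buys nothing here and only hides the signal when cleanup is slow. Drop `- --force` and keep `--wait=true` and `--ignore-not-found=true`. Chainsaw also removes resources it applied at the end of a test as far as I know, so if this step exists to sweep up the Kyverno-generated Role and RoleBinding via the namespace, a comment saying so (`# chainsaw cleans up what it applied; deleting the namespace also removes the generated Role/RoleBinding`) would explain why the explicit step is there.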
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: kyverno
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/name: kyverno
+ name: kyverno:generate-events
+rules:
+- apiGroups:
+ - ''
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - get
+ - update
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kyverno:generate-events
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kyverno:generate-events
+subjects:
+- kind: ServiceAccount
+ name: kyverno-background-controller
+ namespace: kyverno
+- kind: ServiceAccount
+ name: kyverno-admission-controller
+ namespace: kyverno
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/02-assert.yaml
new file mode 100644
index 0000000000..361982a6c3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/02-assert.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: kyverno
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/name: kyverno
+ name: kyverno:generate-events
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: generate-event-upon-edit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/02-clusterpolicy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/02-clusterpolicy.yaml
new file mode 100644
index 0000000000..e6cd812d5c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/02-clusterpolicy.yaml
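Review bot: The `kyverno:generate-events` ClusterRole grants `update` and `delete` on Events cluster-wide to both Kyverno controller ServiceAccounts, but the policy in 02-clusterpolicy.yaml only creates Events, so nothing visible in this test exercises verbs beyond `create`; the rule should be trimmed to what the test needs. No step in this test deletes the ClusterRole or ClusterRoleBinding, so the grant outlives the test and applies to every test that runs after it on the same cluster; a cleanup step modelled on data-role-and-rolebinding's `99-cleanup.yaml` would bound that. The `app: kyverno` / `app.kubernetes.io/*` labels also make this fixture indistinguishable from the shipped install when someone audits RBAC; a comment or a test-specific label marking it as test-owned would help.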
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: generate-event-upon-edit
+spec:
+ background: false
+ rules:
+ - name: generate-event-on-edit
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ preconditions:
+ any:
+ - key: "{{ request.operation }}"
+ operator: Equals
+ value: UPDATE
+ generate:
+ apiVersion: v1
+ kind: Event
+ name: "edit.{{ random('[a-z0-9]{12}') }}"
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: false
+ data:
+ firstTimestamp: "{{ time_now_utc() }}"
+ involvedObject:
+ apiVersion: v1
+ kind: ConfigMap
+ name: "{{ request.name }}"
+ namespace: "{{ request.namespace }}"
+ uid: "{{request.object.metadata.uid}}"
+ lastTimestamp: "{{ time_now_utc() }}"
+ message: This resource was updated by {{ request.userInfo | to_string(@) }}
+ reason: Edit
+ source:
+ component: kyverno
+ type: Warning
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/03-configmap_orig.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/03-configmap_orig.yaml
new file mode 100644
index 0000000000..72c6da4f56
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/03-configmap_orig.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: generate-event-on-edit-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: generate-event-on-edit-configmap
+ namespace: generate-event-on-edit-ns
+data:
+ food: cheese
+ day: monday
+ color: red
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/04-configmap_edit_1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/04-configmap_edit_1.yaml
new file mode 100644
index 0000000000..7a50fc705e
--- /dev/null
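Review bot: The `message` field interpolates the entire `request.userInfo` object (`{{ request.userInfo | to_string(@) }}`), so the username, group memberships and any `extra` claims of whoever edits the ConfigMap end up in an Event readable by anyone with Event read access in that namespace. Nothing in 05-assert.yaml or 07-assert.yaml checks `message`, so `{{ request.userInfo.username }}` would serve the test equally well and expose less. Separately, the ClusterPolicy is declared as `kyverno.io/v2beta1` here while 02-assert.yaml asserts it under `kyverno.io/v1`; harmless if both versions are served, but worth aligning so the assert does not depend on conversion.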
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/04-configmap_edit_1.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: generate-event-on-edit-configmap + namespace: generate-event-on-edit-ns +data: + food: cheese + day: wednesday + color: red \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/05-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/05-assert.yaml new file mode 100644 index 0000000000..916104ef50 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/05-assert.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +involvedObject: + apiVersion: v1 + kind: ConfigMap + name: generate-event-on-edit-configmap + namespace: generate-event-on-edit-ns +kind: Event +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + generate.kyverno.io/policy-name: generate-event-upon-edit + generate.kyverno.io/policy-namespace: "" + generate.kyverno.io/rule-name: generate-event-on-edit + generate.kyverno.io/trigger-version: v1 + generate.kyverno.io/trigger-group: "" + generate.kyverno.io/trigger-kind: ConfigMap + generate.kyverno.io/trigger-namespace: generate-event-on-edit-ns + namespace: generate-event-on-edit-ns +source: + component: kyverno diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/06-configmap_edit_2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/06-configmap_edit_2.yaml new file mode 100644 index 0000000000..bd45fc5959 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/06-configmap_edit_2.yaml 
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: generate-event-on-edit-configmap
+ namespace: generate-event-on-edit-ns
+data:
+ food: cheese
+ day: friday
+ color: red
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/07-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/07-assert.yaml
new file mode 100644
index 0000000000..17e10b0970
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/07-assert.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: ConfigMap
+ name: generate-event-on-edit-configmap
+ namespace: generate-event-on-edit-ns
+kind: Event
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ generate.kyverno.io/policy-name: generate-event-upon-edit
+ generate.kyverno.io/policy-namespace: ""
+ generate.kyverno.io/rule-name: generate-event-on-edit
+ generate.kyverno.io/trigger-version: v1
+ generate.kyverno.io/trigger-group: ""
+ generate.kyverno.io/trigger-kind: ConfigMap
+ generate.kyverno.io/trigger-namespace: generate-event-on-edit-ns
+ namespace: generate-event-on-edit-ns
+source:
+ component: kyverno
+---
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: ConfigMap
+ name: generate-event-on-edit-configmap
+ namespace: generate-event-on-edit-ns
+kind: Event
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ generate.kyverno.io/policy-name: generate-event-upon-edit
+ generate.kyverno.io/policy-namespace: ""
+ generate.kyverno.io/rule-name: generate-event-on-edit
+ generate.kyverno.io/trigger-version: v1
+ generate.kyverno.io/trigger-group: ""
+ generate.kyverno.io/trigger-kind: ConfigMap
+ generate.kyverno.io/trigger-namespace: generate-event-on-edit-ns
+ namespace: generate-event-on-edit-ns
+source:
+ component: kyverno
\ No newline at end of file
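Review bot: The two documents in 07-assert.yaml are byte-identical, so if chainsaw evaluates each assertion document independently (any one matching resource satisfies it), a single Event satisfies both and the README's "two events" expectation is never actually verified. To pin the count, assert on something that distinguishes the two Events, or add a script step that lists Events with the `generate.kyverno.io/rule-name=generate-event-on-edit` label selector in `generate-event-on-edit-ns` and fails unless exactly two are returned. The first document also duplicates 05-assert.yaml verbatim, which could be dropped once a counting check exists.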
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/README.md new file mode 100644 index 0000000000..72f75ff3af --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/generate-event-upon-edit/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks an event should be created when updates a configmap. + +## Expected Behavior + +Total number of two events should be created at the end, one per UPDATE operation of the configmap. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6458 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/01-manifests.yaml new file mode 100644 index 0000000000..fa286a7dc1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/01-manifests.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: manifests +spec: + timeouts: {} + try: + - apply: + file: manifests.yaml + - apply: + file: cluster-role.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/02-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/02-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/02-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/03-save-pod-name.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/03-save-pod-name.yaml
new file mode 100644
index 0000000000..6396e6aff9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/03-save-pod-name.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: save-pod-name
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: kubectl get po -n kube-state-metrics | awk 'NR==2{print $1}' > pod-name.txt
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/04-update-sc.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/04-update-sc.yaml
new file mode 100644
index 0000000000..6e7dda9b5a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/04-update-sc.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: kube-state-metrics-crds
+ namespace: kube-state-metrics
+data:
+ foo: bm90LWJhcg==
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
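Review bot: 03-save-pod-name.yaml records the first pod listed in `-n kube-state-metrics`, but the comparison in 06-check-restart.yaml reads the first pod in `-n kyverno`, so the two names come from different namespaces, are always unequal, and the `!=` branch exits 0 — the restart check passes whether or not the Deployment was restarted. Both steps should query the namespace of the target Deployment, and selecting the pod by label rather than list position (`kubectl get po -n kube-state-metrics -l app=busybox -o name`, using the label from manifests.yaml) also avoids `sort --key 5 --numeric` treating the AGE column, whose values carry unit suffixes such as `5m`, as plain numbers. The save script has no `set -e`/`pipefail`, so a failing `kubectl` leaves `pod-name.txt` empty instead of failing the step, and the `else (exit 1)` in the check script would read more clearly as `exit 1`.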
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/06-check-restart.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/06-check-restart.yaml
new file mode 100644
index 0000000000..4c39caf445
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/06-check-restart.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check-restart
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: if [ "$(kubectl get pods -n kyverno | sort --key 5 --numeric | awk
+ 'NR==2{print $1}')" != "$(cat pod-name.txt)" ];then exit;else (exit 1);fi
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/README.md
new file mode 100644
index 0000000000..3be519f36d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks if a restart is triggered on a generated secret update
+
+## Expected Behavior
+
+Pod restarted after the generated secret is updated
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6605
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/cluster-role.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/cluster-role.yaml
new file mode 100644
index 0000000000..f8a1c99522
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/cluster-role.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:background-controller:temp
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - update
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/manifests.yaml
new file mode 100644
index 0000000000..06dd336459
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/manifests.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kube-state-metrics
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kube-state-metrics-source-cm
+ namespace: kube-state-metrics
+ labels:
+ kubestatemetrics.platform.example: source
+data:
+ allowed: '"true"'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: kube-state-metrics
+ name: kube-state-metrics
+ labels:
+ app: busybox
+spec:
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ command:
+ - sleep
+ - "36000"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy-ready.yaml
new file mode 100644
index 0000000000..409d06e3c7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy-ready.yaml
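Review bot: `kyverno:background-controller:temp` grants `update` on every Deployment in the cluster, while the mutate target in policy.yaml is the single Deployment `kube-state-metrics` in namespace `kube-state-metrics`; a namespaced Role/RoleBinding, or at least a `resourceNames: [kube-state-metrics]` restriction, would cover the test with far less blast radius. The `app.kubernetes.io/component: background-controller` / `instance` / `part-of` labels look like the aggregation selector Kyverno's background-controller ClusterRole uses, so this fixture is presumably folded into the controller's live permissions — and since no step in this test deletes it, the grant persists for every test that follows. A cleanup step like data-role-and-rolebinding's `99-cleanup.yaml`, deleting `cluster-role.yaml` alongside `manifests.yaml`, would close that gap.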
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-cm-for-kube-state-metrics-crds +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy.yaml new file mode 100644 index 0000000000..a4aa067717 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy.yaml 
@@ -0,0 +1,68 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: generate-cm-for-kube-state-metrics-crds
+ annotations:
+ policies.kyverno.io/description: >-
+ This policy generates and synchronizes a configmap for custom resource kube-state-metrics.
+spec:
+ generateExisting: true
+ mutateExistingOnPolicyUpdate: false
+ schemaValidation: false
+ rules:
+ - name: generate-cm-for-kube-state-metrics-crds
+ match:
+ any:
+ - resources:
+ names:
+ - "*"
+ kinds:
+ - ConfigMap
+ namespaces:
+ - "kube-state-metrics"
+ selector:
+ matchLabels:
+ kubestatemetrics.platform.example: source
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: Secret
+ name: kube-state-metrics-crds
+ namespace: kube-state-metrics
+ data:
+ metadata:
+ labels:
+ generatedBy: kyverno
+ kubestatemetrics.platform.example: generated
+ data:
+ foo: YmFy
+ - name: restart-kube-state-metrics-on-sc-change
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - "kube-state-metrics-crds"
+ namespaces:
+ - "kube-state-metrics"
+ preconditions:
+ all:
+ - key: "{{ request.object.metadata.labels.\"kubestatemetrics.platform.example\" || '' }}"
+ operator: NotEquals
+ value: source
+ - key: "{{request.operation || 'BACKGROUND'}}"
+ operator: Equals
+ value: UPDATE
+ mutate:
+ targets:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: kube-state-metrics
+ namespace: kube-state-metrics
+ patchStrategicMerge:
+ spec:
+ template:
+ metadata:
+ annotations:
+ platform.cloud.allianz/triggerrestart: "{{request.object.metadata.resourceVersion}}"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/01-assert.yaml
new file mode 100644
index 0000000000..53931268ae
--- /dev/null
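Review bot: `schemaValidation: false` switches off Kyverno's schema check of the mutated output for the whole policy, which nothing visible here needs (the patch only adds an annotation) and which would hide a malformed patch; unless the test is specifically about that switch it should be dropped, and as far as I recall the field is deprecated anyway. The restart annotation key `platform.cloud.allianz/triggerrestart` carries a third-party organisation's domain into a project conformance fixture; a key under a project- or test-owned prefix would avoid implying that vendor's involvement and reads as intentional. The first rule's `names: ["*"]` appears to be a no-op given the `namespaces` and `selector` constraints and could be removed for clarity.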
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: generate-network-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/01-policy.yaml new file mode 100644 index 0000000000..2e14db07b4 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/01-policy.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-network-policy +spec: + rules: + - name: default-deny + match: + any: + - resources: + kinds: + - ConfigMap + names: + - my-configmapmy-configmapmy-configmapmy-configmapmy-configmapmy-configmap + generate: + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + name: default-deny + namespace: "{{request.object.metadata.namespace}}" + synchronize: true + data: + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/02-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/02-trigger.yaml new file mode 100644 index 0000000000..b212d08087 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/02-trigger.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: trigger-resource-name-exceeds-63-characters-ns +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: my-configmapmy-configmapmy-configmapmy-configmapmy-configmapmy-configmap + namespace: trigger-resource-name-exceeds-63-characters-ns +data: + color: blue \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/03-downstream-created.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/03-downstream-created.yaml new file mode 100644 index 0000000000..e515801d11 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/03-downstream-created.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: downstream-created +spec: + timeouts: {} + try: + - assert: + file: downstream.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/04-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/04-delete.yaml new file mode 100644 index 0000000000..15666d1c14 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/04-delete.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: ConfigMap + name: my-configmapmy-configmapmy-configmapmy-configmapmy-configmapmy-configmap + namespace: trigger-resource-name-exceeds-63-characters-ns 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/05-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/05-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/06-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/06-check.yaml new file mode 100644 index 0000000000..0beb279f87 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/06-check.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - error: + file: downstream.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/README.md new file mode 100644 index 0000000000..f1b1cb2c96 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/README.md 
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that generation of the downstream when the trigger resource name exceeds 63 characters limit.
+
+## Expected Behavior
+
+If the downstream resource is generated, the test passes.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4675
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/downstream.yaml
new file mode 100644
index 0000000000..ed9066c270
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/trigger-resource-name-exceeds-63-characters/downstream.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: trigger-resource-name-exceeds-63-characters-ns
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/README.md
new file mode 100644
index 0000000000..a822f444f4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/README.md
@@ -0,0 +1,3 @@
+# Title
+
+Tests in the `standard` directory should only cover basic functionality of a feature. For testing of specific corner cases addressed as acknowledged bugs, please use the `cornercases` directory.
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/01-create.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/01-create.yaml
new file mode 100644
index 0000000000..43ac5d788f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/01-create.yaml
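Review bot: `downstream.yaml` asserts only `policyTypes: [Ingress, Egress]` and omits `podSelector`, so a generated NetworkPolicy whose selector matched only some pods would pass the check just as a true default-deny does. Since 01-policy.yaml generates `podSelector: {}`, adding `podSelector: {}` under `spec` in this file makes the assertion (and the `error` check in 06-check.yaml, which reuses it) match what the README says is being verified.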
@@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create +spec: + timeouts: {} + try: + - apply: + file: manifests.yaml + - apply: + file: policy.yaml + - assert: + file: cluster-policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/02-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/02-trigger.yaml new file mode 100644 index 0000000000..5b6ebee405 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/02-trigger.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: trigger +spec: + timeouts: {} + try: + - apply: + file: ns.yaml + - assert: + file: resource-assert.yaml + - error: + file: fail-resources.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/README.md new file mode 100644 index 0000000000..5b5084b29e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/README.md @@ -0,0 +1,11 @@ +## Description + +This is a basic creation test of the "clone multiple" feature that ensures resources are created as expected by selecting the sources based upon label. + +## Expected Behavior + +If the `citrine` Namespace receives a Secret named `opal-secret` and a ConfigMap named `opal-cm`, the test passes. If it either does not receive one of these or it additionally receives a Secret named `forbidden`, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/cluster-policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/cluster-policy-ready.yaml new file mode 100644 index 0000000000..3e00e6df43 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/cluster-policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: clone-multiple-basic-create-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/fail-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/fail-resources.yaml new file mode 100644 index 0000000000..1139d2218e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/fail-resources.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +data: + thisshouldnotbe: clonedanywhere +kind: ConfigMap +metadata: + name: forbidden + namespace: citrine \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/manifests.yaml new file mode 100644 index 0000000000..12def123f1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/manifests.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: opal +--- +apiVersion: v1 +data: + gemstone: b3BhbA== +kind: Secret +metadata: + name: opal-secret + namespace: opal + labels: + allowedToBeCloned: "true" +type: Opaque +--- +apiVersion: v1 +data: + gemstone: opal +kind: ConfigMap +metadata: + name: opal-cm + namespace: opal + labels: + allowedToBeCloned: "true" +--- +apiVersion: v1 +data: + thisshouldnotbe: clonedanywhere +kind: ConfigMap +metadata: + name: forbidden + namespace: opal \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/ns.yaml new file mode 100644 index 0000000000..06f423a99a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: citrine diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/policy.yaml new file mode 100644 index 0000000000..0779c702b4 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: clone-multiple-basic-create-policy +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + namespace: opal + kinds: + - v1/Secret + - v1/ConfigMap + selector: + matchLabels: + allowedToBeCloned: "true" 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/resource-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/resource-assert.yaml new file mode 100644 index 0000000000..c12923e02f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/resource-assert.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +data: + gemstone: b3BhbA== +kind: Secret +metadata: + labels: + allowedToBeCloned: "true" + name: opal-secret + namespace: citrine +type: Opaque +--- +apiVersion: v1 +data: + gemstone: opal +kind: ConfigMap +metadata: + labels: + allowedToBeCloned: "true" + name: opal-cm + namespace: citrine diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-assert.yaml new file mode 100644 index 0000000000..bb748c5b1f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-nosync-clone +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-manifests.yaml new file mode 100644 index 0000000000..f3713bb3bb --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/01-manifests.yaml 
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-nosync-clone
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: false
+ clone:
+ namespace: default
+ name: regcred
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-ns.yaml
new file mode 100644
index 0000000000..6825f39a12
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-nosync-create-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/02-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/03-assert.yaml
new file mode 100644
index 0000000000..6fcc5490c3
--- /dev/null
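Review bot: The `clone-secret` rule in 01-manifests.yaml matches every Namespace creation with no `exclude` or name filter, so while this policy is installed the `regcred` Secret from `default` is cloned into any namespace created in the cluster, including the per-test namespaces chainsaw creates for other tests running at the same time; the basic-create policy in this same change excludes the system namespaces, so the two are inconsistent. The same unscoped match appears in the policies of the delete-downstream, delete-policy, delete-rule and delete-source tests. The cluster-scoped name `cpol-nosync-clone` is additionally reused by the delete-downstream and delete-rule tests, which would collide if those tests run in parallel. Restricting the match with `namespaces:` `- cpol-clone-nosync-create-ns` under `resources:` and giving each test its own policy name would isolate them.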
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/03-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-create-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/README.md
new file mode 100644
index 0000000000..ff3a2de1a2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This is a generate test to ensure a cloned secret shows properly in the new Namespace.
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-assert.yaml
new file mode 100644
index 0000000000..bb748c5b1f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-nosync-clone
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-manifests.yaml
new file mode 100644
index 0000000000..f3713bb3bb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/01-manifests.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-nosync-clone
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: false
+ clone:
+ namespace: default
+ name: regcred
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-assert.yaml
new file mode 100644
index 0000000000..a2725c76c3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-ns.yaml
new file mode 100644
index 0000000000..cc8635ea3b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/02-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-nosync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-assert.yaml
new file mode 100644
index 0000000000..cc8635ea3b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-nosync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/04-delete-secret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/04-delete-secret.yaml
new file mode 100644
index 0000000000..18663afad1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/04-delete-secret.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete-secret
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: cpol-clone-nosync-delete-downstream-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/06-errors.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/06-errors.yaml
new file mode 100644
index 0000000000..8395b9ce7e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/06-errors.yaml
@@ -0,0 +1,6 @@
+### If this resource is found, create an error which fails the test. Since there is no timeout for this step, it will adopt the global defined in the TestSuite.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/README.md
new file mode 100644
index 0000000000..c36e7a4d75
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+Tests that the deletion of a downstream resource created with a generate rule, clone, and no synchronization remains deleted and is not recreated.
+
+## Expected Behavior
+
+The deleted resource is expected to not be recreated. If the downstream resource is regenerated, the test fails. If it is not regenerated, the test succeeds.
+
+## Reference Issue(s)
+
+4457
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/03-removepolicy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/03-removepolicy.yaml
new file mode 100644
index 0000000000..8e5ad77af8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/03-removepolicy.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: removepolicy
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: check.yaml
+ - delete:
+ apiVersion: kyverno.io/v2beta1
+ kind: ClusterPolicy
+ name: cpol-nosync-clone-delete-policy
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/README.md
new file mode 100644
index 0000000000..9324ce6b13
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that deletion of a whole policy, with a generate rule using clone and no-sync, does NOT cause the downstream resource to be deleted.
+
+## Expected Behavior
+
+Once the policy is deleted, the downstream resource is expected to remain. If it does remain, the test passes. If it gets deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/check.yaml
new file mode 100644
index 0000000000..2b2bfd7b57
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/check.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-delete-policy
+type: Opaque
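Review bot: In 03-removepolicy.yaml the `assert` on check.yaml runs before the `delete` of the ClusterPolicy, and no later step re-checks the downstream Secret, so the behaviour the README describes (the downstream survives policy deletion) is never verified; the step passes even if Kyverno removes `regcred` when the policy goes away. Chainsaw's assert succeeds as soon as the resource is present, so ordering the operations as delete, then a short sleep (the `command` pattern 04-forcesleep.yaml uses in the delete-source test), then the assert is what makes the check observe the post-deletion state.
```yaml
  try:
    - delete:
        apiVersion: kyverno.io/v2beta1
        kind: ClusterPolicy
        name: cpol-nosync-clone-delete-policy
    - command:
        entrypoint: sleep
        args:
          - "3"
    - assert:
        file: check.yaml
```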
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/cloned.yaml
new file mode 100644
index 0000000000..2b2bfd7b57
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/cloned.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-delete-policy
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/ns.yaml
new file mode 100644
index 0000000000..e663ff96bb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-nosync-delete-policy
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/policy-ready.yaml
new file mode 100644
index 0000000000..e7e2cf2bca
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-nosync-clone-delete-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/policy.yaml
new file mode 100644
index 0000000000..e67b52381c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-nosync-clone-delete-policy
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: false
+ clone:
+ namespace: default
+ name: regcred
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/03-removerule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/03-removerule.yaml
new file mode 100644
index 0000000000..b79f543e3f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/03-removerule.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: removerule
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: singlerule.yaml
+ - assert:
+ file: check.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/README.md
new file mode 100644
index 0000000000..8db10a7c04
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that deletion of a rule within a policy containing multiple rules, with a generate rule using clone and no-sync, does NOT cause the downstream resource to be deleted.
+
+## Expected Behavior
+
+Once the rule is deleted, the downstream resource is expected to remain. If it does remain, the test passes. If it gets deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
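Review bot: In 03-removerule.yaml the `assert` on check.yaml directly follows the `apply` of singlerule.yaml, and both resources listed in check.yaml already exist from step 02, so the assert succeeds immediately and the test cannot observe a removal of `mytestcm` that Kyverno would perform asynchronously after the `clone-configmap` rule is dropped. The delete-source test in this change places a sleep step between its mutation and its assert for exactly this reason; the same `command` sleep belongs between the apply and the assert here.
```yaml
  try:
    - apply:
        file: singlerule.yaml
    - command:
        entrypoint: sleep
        args:
          - "3"
    - assert:
        file: check.yaml
```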
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/check.yaml
new file mode 100644
index 0000000000..da215944ae
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/check.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-delete-rule
+type: Opaque
+---
+apiVersion: v1
+data:
+ color: yellow
+kind: ConfigMap
+metadata:
+ namespace: cpol-clone-nosync-delete-rule
+ name: mytestcm
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/cloned.yaml
new file mode 100644
index 0000000000..da215944ae
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/cloned.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-delete-rule
+type: Opaque
+---
+apiVersion: v1
+data:
+ color: yellow
+kind: ConfigMap
+metadata:
+ namespace: cpol-clone-nosync-delete-rule
+ name: mytestcm
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/ns.yaml
new file mode 100644
index 0000000000..d708a1ebd3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-nosync-delete-rule
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/policy-ready.yaml
new file mode 100644
index 0000000000..66a5d55f4d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-nosync-clone
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/policy.yaml
new file mode 100644
index 0000000000..e5c714132a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/policy.yaml
@@ -0,0 +1,53 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-nosync-clone
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: false
+ clone:
+ namespace: default
+ name: regcred
+ - name: clone-configmap
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: ConfigMap
+ name: mytestcm
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: false
+ clone:
+ namespace: default
+ name: mytestcm
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: v1
+data:
+ color: yellow
+kind: ConfigMap
+metadata:
+ namespace: default
+ name: mytestcm
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/singlerule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/singlerule.yaml
new file mode 100644
index 0000000000..66fea0e255
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/singlerule.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-nosync-clone
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: false
+ clone:
+ namespace: default
+ name: regcred
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/03-deletesource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/03-deletesource.yaml
new file mode 100644
index 0000000000..da148b4f20
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/03-deletesource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: deletesource
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/04-forcesleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/04-forcesleep.yaml
new file mode 100644
index 0000000000..dcd4e3e8c6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/04-forcesleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: forcesleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/05-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/05-assert.yaml
new file mode 100644
index 0000000000..7f5bec03a1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/05-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-delete-source
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/README.md
new file mode 100644
index 0000000000..ec9bf797bf
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/README.md
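Review bot: The `delete` in 03-deletesource.yaml names `regcred` but gives no `namespace`, while the source Secret this test is meant to remove lives in `default` (policy.yaml sets `clone.namespace: default`); if chainsaw resolves a namespace-less delete against the test's own namespace, the source is never deleted and the test passes without exercising the scenario in the README. The other delete steps in this change (04-delete-secret.yaml, 03-delete.yaml) set the namespace explicitly, so add `namespace: default` under the delete. Note that `regcred` in `default` is also the clone source for the create, delete-downstream, delete-policy and delete-rule tests, so deleting it here would disturb those if they run concurrently; a per-test source namespace would avoid that coupling.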
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that deletion of a source (upstream) resource, using a generate policy with clone and no-sync, does NOT cause the downstream resource to be deleted.
+
+## Expected Behavior
+
+Once the upstream resource is deleted, the downstream resource is expected to remain. If it does remain, the test passes. If it gets deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/cloned.yaml
new file mode 100644
index 0000000000..185d28b47a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/cloned.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-delete-source
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/ns.yaml
new file mode 100644
index 0000000000..19207caf74
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-nosync-delete-source
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/policy-ready.yaml
new file mode 100644
index 0000000000..57aa75e934
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-nosync-delete-source
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/policy.yaml
new file mode 100644
index 0000000000..a86c4b7124
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-nosync-delete-source
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: false
+ clone:
+ namespace: default
+ name: regcred
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/01-assert.yaml
new file mode 100644
index 0000000000..3f76903e7d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-nosync-delete-trigger-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/01-manifests.yaml
new file mode 100644
index 0000000000..0616618830
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/01-manifests.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-nosync-delete-trigger-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: cpol-clone-nosync-delete-trigger-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-nosync-delete-trigger-policy
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: downstream-secret
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: false
+ clone:
+ namespace: cpol-clone-nosync-delete-trigger-ns
+ name: source-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/02-create-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/02-create-trigger.yaml
new file mode 100644
index 0000000000..3312b2441b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/02-create-trigger.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-trigger
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: trigger.yaml
+ - assert:
+ file: downstream.yaml
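Review bot: The `clone-secret` rule in 01-manifests.yaml matches every ConfigMap in every namespace (no `namespaces` or `names` filter), so while the policy exists any ConfigMap creation anywhere in the cluster clones `source-secret` into that ConfigMap's namespace, spreading the fixture Secret well beyond this test. The basic-create policy in this same change at least excludes the system namespaces; here the match can be limited to the trigger namespace with `namespaces:` `- cpol-clone-nosync-delete-trigger-ns` under `resources:`, or to the trigger itself with `names:` `- test-org`. Whether Kyverno's resource filters exclude system namespaces is not visible in this hunk, so I would not rely on it for scoping.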
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/03-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/03-delete.yaml
new file mode 100644
index 0000000000..0e366bd41d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/03-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: test-org
+ namespace: cpol-clone-nosync-delete-trigger-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/05-downstream-deleted.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/05-downstream-deleted.yaml
new file mode 100644
index 0000000000..70051ec60a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/05-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/README.md
new file mode 100644
index 0000000000..60576185c9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a trigger resource, with a generate clone declaration and sync disabled, does not result in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test fails. If it remains, the test passes.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/2229
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/downstream.yaml
new file mode 100644
index 0000000000..0a8a97a9b2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: cpol-clone-nosync-delete-trigger-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/trigger.yaml
new file mode 100644
index 0000000000..c71b90a882
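Review bot: The step name `downstream-deleted` in 05-downstream-deleted.yaml states the opposite of what the step verifies: its only action is `assert: file: downstream.yaml`, which passes while the downstream Secret still exists, which is exactly the outcome the README calls a pass. A name such as `name: downstream-still-exists` (and the matching file name) would read correctly in chainsaw output when the step fails, instead of suggesting the deletion was expected. The same inversion is in 06-downstream-deleted.yaml of cpol-clone-nosync-update-trigger-no-match further down.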
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/trigger.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: cpol-clone-nosync-delete-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/03-modifydownstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/03-modifydownstream.yaml
new file mode 100644
index 0000000000..a257f3db58
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/03-modifydownstream.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: modifydownstream
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: changed-secret.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/04-forcesleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/04-forcesleep.yaml
new file mode 100644
index 0000000000..dcd4e3e8c6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/04-forcesleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: forcesleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/05-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/05-assert.yaml
new file mode 100644
index 0000000000..f9a4916e78
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/05-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-modify-downstream
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/README.md
new file mode 100644
index 0000000000..708b737217
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that modification of a downstream (generated) resource, using a generate policy with clone and no-sync, does NOT cause changes to be synchronized downstream.
+
+## Expected Behavior
+
+Once the downstream resource is modified, the downstream resource is expected to remain as-is. If it does remain as-is, the test passes. If the changes get reverted (synced), the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/changed-secret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/changed-secret.yaml
new file mode 100644
index 0000000000..f9a4916e78
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/changed-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-modify-downstream
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/cloned.yaml
new file mode 100644
index 0000000000..82300056ab
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/cloned.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-nosync-modify-downstream
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/ns.yaml
new file mode 100644
index 0000000000..cfcaa2e82c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-nosync-modify-downstream
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/policy-ready.yaml
new file mode 100644
index 0000000000..bc58729bd4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-nosync-modify-downstream
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/policy.yaml
new file mode 100644
index 0000000000..757cacb03c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-nosync-modify-downstream
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: false
+ clone:
+ namespace: default
+ name: regcred
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
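Review bot: policy.yaml creates the clone source as `regcred` in the `default` namespace, and the cpol-clone-nosync-modify-source test below creates a Secret with the same name in the same namespace and later overwrites it through its own changed-secret.yaml; if chainsaw runs these two tests concurrently, or one run leaves `default/regcred` behind, the other test's `cloned.yaml` assertion on `foo: YmFy` becomes order-dependent. Keeping each test's source Secret in a namespace the test owns (as cpol-clone-nosync-delete-trigger does with `source-secret`) removes the shared state. The rule also matches every Namespace with no `exclude`, so each namespace created by other tests during the run receives a `regcred` Secret; an `exclude` block like the one in cpol-clone-list-sync-create's cluster-policy.yaml, or a label selector on the trigger, would contain that.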
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/03-modifysource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/03-modifysource.yaml
new file mode 100644
index 0000000000..802139ec68
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/03-modifysource.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: modifysource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: changed-secret.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/04-forcesleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/04-forcesleep.yaml
new file mode 100644
index 0000000000..dcd4e3e8c6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/04-forcesleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: forcesleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/05-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/05-assert.yaml
new file mode 100644
index 0000000000..049ff2bcc2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/05-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-nosync-clone-modify-source
+type: Opaque
\ No newline at end of file
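Review bot: In 05-assert.yaml the namespace is `cpol-nosync-clone-modify-source`, while the test directory is `cpol-clone-nosync-modify-source`; the same swapped word order is used in cloned.yaml, ns.yaml, policy-ready.yaml and policy.yaml of this test, so the files agree with each other but not with the directory or with the sibling tests, which all use the directory name as their resource prefix. Renaming the Namespace and ClusterPolicy to `cpol-clone-nosync-modify-source` in those five files would make cluster leftovers and log lines traceable back to this directory.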
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/README.md
new file mode 100644
index 0000000000..3cfcb5042b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that modification of a source (upstream) resource, using a generate policy with clone and no-sync, does NOT cause changes to be synchronized downstream.
+
+## Expected Behavior
+
+Once the upstream resource is modified, the downstream resource is expected to remain as it was prior to the upstream modification. If it does remain, the test passes. If it gets modified (sync), the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/changed-secret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/changed-secret.yaml
new file mode 100644
index 0000000000..27dd50fe64
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/changed-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/cloned.yaml
new file mode 100644
index 0000000000..414750df5e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/cloned.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-nosync-clone-modify-source
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/ns.yaml
new file mode 100644
index 0000000000..2f356ca057
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-nosync-clone-modify-source
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/policy-ready.yaml
new file mode 100644
index 0000000000..fe745b646e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-nosync-clone-modify-source
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/policy.yaml
new file mode 100644
index 0000000000..ccd891acae
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-nosync-clone-modify-source
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: false
+ clone:
+ namespace: default
+ name: regcred
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/01-assert.yaml
new file mode 100644
index 0000000000..aa45e951ce
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-nosync-update-trigger-no-match-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/01-manifests.yaml
new file mode 100644
index 0000000000..5250ee2130
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/01-manifests.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-nosync-update-trigger-no-match-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: cpol-clone-nosync-update-trigger-no-match-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-nosync-update-trigger-no-match-policy
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ selector:
+ matchLabels:
+ create-secret: "true"
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: downstream-secret
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: false
+ clone:
+ namespace: cpol-clone-nosync-update-trigger-no-match-ns
+ name: source-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/02-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/02-trigger.yaml
new file mode 100644
index 0000000000..7d6ba0b865
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/02-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-secret: "true"
+ name: test-org
+ namespace: cpol-clone-nosync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/03-downstream-created.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/03-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/03-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/04-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/04-update-trigger.yaml
new file mode 100644
index 0000000000..05fac66d24
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/04-update-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-secret: "false"
+ name: test-org
+ namespace: cpol-clone-nosync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/06-downstream-deleted.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/06-downstream-deleted.yaml
new file mode 100644
index 0000000000..70051ec60a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/06-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/README.md
new file mode 100644
index 0000000000..d918933169
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match the rule, with a generate clone declaration and sync disabled, does not result in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test fails. If it remains, the test passes.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6507
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/downstream.yaml
new file mode 100644
index 0000000000..f2279cc67c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: cpol-clone-nosync-update-trigger-no-match-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/01-cluster-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/01-cluster-policy.yaml
new file mode 100644
index 0000000000..1fbe30dafb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/01-cluster-policy.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cluster-policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: manifests.yaml
+ - apply:
+ file: cluster-policy.yaml
+ - assert:
+ file: cluster-policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/02-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/02-trigger.yaml
new file mode 100644
index 0000000000..1c5ea6bdb0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/02-trigger.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: trigger
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: resource-assert.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/README.md
new file mode 100644
index 0000000000..acfc8d8ea8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that creation of a multiple target resource created by a ClusterPolicy `generate.cloneList` rule. If it is not generated, the test fails.
+
+## Expected Behavior
+
+The cloned Secret and ConfigMap from the default namespace should exists in newly created namespace.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/cluster-policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/cluster-policy-ready.yaml
new file mode 100644
index 0000000000..aa49cef010
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/cluster-policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-with-multi-clone
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/cluster-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/cluster-policy.yaml
new file mode 100644
index 0000000000..999776422d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/cluster-policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-with-multi-clone
+spec:
+ generateExisting: false
+ rules:
+ - name: sync-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ namespace: "{{request.object.metadata.name}}"
+ synchronize : true
+ cloneList:
+ namespace: default
+ kinds:
+ - v1/Secret
+ - v1/ConfigMap
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
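Review bot: `synchronize : true` in cluster-policy.yaml has a space before the colon; it still parses to the key `synchronize`, but it is the only key in this diff written that way and yamllint's colons rule rejects it, so it should read `synchronize: true`. The policy name `sync-with-multi-clone` also lacks the directory prefix every other test here uses (for instance `cpol-clone-list-sync-delete-source-cpol` further down), which matters more for a ClusterPolicy than for namespaced objects because it is cluster-scoped and visible to every test in the run.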
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/manifests.yaml
new file mode 100644
index 0000000000..2761bf800e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/manifests.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: bootstrap-config
+ namespace: default
+ labels:
+ allowedToBeCloned: "true"
+data:
+ initial_lives: "15"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: image-secret
+ namespace: default
+ labels:
+ allowedToBeCloned: "true"
+type: kubernetes.io/basic-auth
+stringData:
+ username: admin
+ password: t0p-Secret-super
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/ns.yaml
new file mode 100644
index 0000000000..102035c1c4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: prod-1
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/resource-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/resource-assert.yaml
new file mode 100644
index 0000000000..e9a93ac5a1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/resource-assert.yaml
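Review bot: ns.yaml creates the trigger Namespace as `prod-1`, and manifests.yaml places the clone sources `bootstrap-config` and `image-secret` in `default`; none of these names carry the test's identity, whereas every other test in this diff names its namespaces and source objects after its directory (for example `cpol-clone-list-sync-delete-source-existing-ns`). If another test or a previous run with failed cleanup already owns a `prod-1` namespace, the `apply` in 02-trigger.yaml may not produce a fresh Namespace create event and the resource-assert.yaml check becomes order-dependent; a test-scoped name such as `name: cpol-clone-list-sync-create-ns` avoids that. Whether chainsaw runs these tests in parallel cannot be seen from this chunk, so treat the collision as possible rather than certain.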
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+data:
+ password: dDBwLVNlY3JldC1zdXBlcg==
+ username: YWRtaW4=
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ name: image-secret
+ namespace: prod-1
+type: kubernetes.io/basic-auth
+---
+apiVersion: v1
+data:
+ initial_lives: "15"
+kind: ConfigMap
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ name: bootstrap-config
+ namespace: prod-1
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/01-assert.yaml
new file mode 100644
index 0000000000..99600553d5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-list-sync-delete-source-cpol
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/01-manifests.yaml
new file mode 100644
index 0000000000..bbdf5a2ac9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/01-manifests.yaml
@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-list-sync-delete-source-existing-ns
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ location: europe
+ allowedToBeCloned: "true"
+ name: mysecret-1
+ namespace: cpol-clone-list-sync-delete-source-existing-ns
+type: Opaque
+data:
+ foo: YmFy
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ location: europe
+ allowedToBeCloned: "true"
+ name: mysecret-2
+ namespace: cpol-clone-list-sync-delete-source-existing-ns
+type: Opaque
+data:
+ foo: YmFy
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-list-sync-delete-source-cpol
+spec:
+ rules:
+ - name: sync-secret
+ match:
+ all:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ namespace: '{{ request.object.metadata.name }}'
+ synchronize: true
+ cloneList:
+ namespace: cpol-clone-list-sync-delete-source-existing-ns
+ kinds:
+ - v1/Secret
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/02-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/02-check.yaml
new file mode 100644
index 0000000000..919d62389c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/02-check.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: triggers.yaml
+ - assert:
+ file: target-1.yaml
+ - assert:
+ file: target-2.yaml
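Review bot: The ClusterPolicy `cpol-clone-list-sync-delete-source-cpol` matches every Namespace creation with no `exclude`, whereas `cpol-clone-list-sync-update/cluster-policy.yaml` in this same change excludes `kube-system`, `default`, `kube-public` and `kyverno`; with `synchronize: true` and no exclusion, any namespace created in the cluster while this test runs, including one created by another test, receives clones of `mysecret-1` and `mysecret-2`. An `exclude` block mirroring that file's list keeps the policy's reach to this test's own trigger namespaces. The same omission is present in the policies of `cpol-clone-sync-create/01-manifests.yaml`, `cpol-clone-sync-delete-downstream/01-manifests.yaml` and `cpol-clone-sync-delete-policy/policy.yaml`, which clone `regcred` into every new namespace. The file also ends without a trailing newline.
```yaml
  - name: sync-secret
    # … unchanged: match block …
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - default
          - kube-public
          - kyverno
    # … unchanged: generate block …
```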
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/03-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/03-delete.yaml
new file mode 100644
index 0000000000..4d449af05d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/03-delete.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: Namespace
+ name: cpol-clone-list-sync-delete-source-trigger-ns-1
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/05-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/05-check.yaml
new file mode 100644
index 0000000000..88cad463fe
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/05-check.yaml
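Review bot: The `delete` entry removes the trigger Namespace `cpol-clone-list-sync-delete-source-trigger-ns-1`, not the cloneList source Secrets in `cpol-clone-list-sync-delete-source-existing-ns` that the test directory name suggests, so a reader opening `03-delete.yaml` cannot tell which scenario is under test. A comment above the entry, `# deletes one trigger namespace; the cloneList source secrets stay in place`, makes the intent explicit, or the step and test could be renamed to say "trigger" rather than "source".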
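Review bot: `sleep` with `args: ["3"]` is a fixed delay standing in for a condition: the step gives Kyverno time to process the namespace deletion, but nothing pins the value to three seconds, so a slow cluster makes the following check flaky and a fast one wastes time. Where the next step is a positive `assert`, chainsaw already polls until the step timeout and the sleep can go; where it guards a negative check (a resource must still be absent or still present), a comment should state what is being waited for, e.g. `# give the generate controller time to reconcile the deleted trigger before checking`. The identical step is repeated in `cpol-clone-sync-delete-downstream/03-sleep.yaml` and `05-sleep.yaml`, `cpol-clone-sync-delete-policy/00-sleep.yaml`, `03-sleep.yaml` and `05-sleep.yaml`, and `cpol-clone-sync-delete-rule/00-sleep.yaml`.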
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: target-2.yaml
+ - error:
+ file: target-1.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/README.md
new file mode 100644
index 0000000000..7f5041ad44
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a corner case test to ensure the corresponding downstream target is deleted when its trigger is deleted, for a generate cloneList type of policy.
+
+## Expected Behavior
+
+If the downstream resources `mysecret-1` and `mysecret-2` are remained in the namespace `cpol-clone-list-sync-delete-source-trigger-ns-2`, the test passes. If not, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7535
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/target-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/target-1.yaml
new file mode 100644
index 0000000000..8663f88993
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/target-1.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-1
+ namespace: cpol-clone-list-sync-delete-source-trigger-ns-1
+type: Opaque
\ No newline at end of file
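Review bot: The `error` on `target-1.yaml` is satisfied trivially: 03-delete removed the whole Namespace `cpol-clone-list-sync-delete-source-trigger-ns-1`, so `mysecret-1` disappears with it whether or not Kyverno's sync does anything, and the step cannot distinguish a working cleanup from ordinary namespace garbage collection. The meaningful check is that the surviving namespace keeps its clones, yet `target-2.yaml` covers only `mysecret-2` in `trigger-ns-2`; cloneList copies both secrets into each trigger namespace, so a regression that drops `mysecret-1` from ns-2 after the ns-1 deletion would still pass. Adding an assert file for `mysecret-1` in `cpol-clone-list-sync-delete-source-trigger-ns-2`, which is what the README states as the expectation, and asserting it both in 02-check and here would close that gap.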
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/target-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/target-2.yaml
new file mode 100644
index 0000000000..3e20d2f08b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/target-2.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ location: europe
+ name: mysecret-2
+ namespace: cpol-clone-list-sync-delete-source-trigger-ns-2
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/triggers.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/triggers.yaml
new file mode 100644
index 0000000000..0139406e2b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/triggers.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-list-sync-delete-source-trigger-ns-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-list-sync-delete-source-trigger-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/00-cluster-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/00-cluster-policy.yaml
new file mode 100644
index 0000000000..1fbe30dafb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/00-cluster-policy.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cluster-policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: manifests.yaml
+ - apply:
+ file: cluster-policy.yaml
+ - assert:
+ file: cluster-policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/01-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/01-trigger.yaml
new file mode 100644
index 0000000000..1c5ea6bdb0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/01-trigger.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: trigger
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: resource-assert.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/02-update.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/02-update.yaml
new file mode 100644
index 0000000000..e2885af86b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/02-update.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: update
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: resource-assert.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/03-update-source.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/03-update-source.yaml
new file mode 100644
index 0000000000..3889410949
--- /dev/null
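Review bot: `02-update.yaml` applies the same unchanged `ns.yaml` and asserts the same `resource-assert.yaml` as `01-trigger.yaml`, so the "update" step re-sends an identical Namespace and verifies a state that already held; it does not exercise a trigger update at all. Either apply a modified namespace (a changed label is enough) so the generate rule re-evaluates and the clones are re-synchronized, or add a comment to the step stating that it only checks idempotence on re-apply, e.g. `# re-applying the unchanged trigger must neither alter nor duplicate the clones`.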
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/03-update-source.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: update-source
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: update-source.yaml
+ - assert:
+ file: synchronized-target.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/README.md
new file mode 100644
index 0000000000..4e6125e799
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test verifies the synchronize behavior of generated resource, if the selected source resources using a matched label selector `allowedToBeCloned: "true"` gets changed, the update should be synchronized with the target resource as well.
+
+## Expected Behavior
+
+This test ensures that update of source resource(ConfigMap) match selected using `allowedToBeCloned: "true"` label get synchronized with target resource created by a ClusterPolicy `generate.cloneList` rule, otherwise the test fails.
+
+## Reference Issue(s)
+
+#4930
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy-ready.yaml
new file mode 100644
index 0000000000..d0a67c43a0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-with-multi-clone-update
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy.yaml
new file mode 100644
index 0000000000..c245f8c5f5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-with-multi-clone-update
+spec:
+ generateExisting: false
+ rules:
+ - name: sync-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ namespace: "{{request.object.metadata.name}}"
+ synchronize : true
+ cloneList:
+ namespace: default
+ kinds:
+ - v1/Secret
+ - v1/ConfigMap
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/manifests.yaml
new file mode 100644
index 0000000000..2761bf800e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/manifests.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: bootstrap-config
+ namespace: default
+ labels:
+ allowedToBeCloned: "true"
+data:
+ initial_lives: "15"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: image-secret
+ namespace: default
+ labels:
+ allowedToBeCloned: "true"
+type: kubernetes.io/basic-auth
+stringData:
+ username: admin
+ password: t0p-Secret-super
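Review bot: `synchronize : true` in `cluster-policy.yaml` has a space before the colon; YAML still parses the key as `synchronize`, but yamllint's `colons` rule rejects it and it reads as a typo next to the correctly written `generateExisting: false` and `cloneList:`. Change it to `synchronize: true`.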
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/ns.yaml
new file mode 100644
index 0000000000..f1ded585a8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: prod
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/resource-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/resource-assert.yaml
new file mode 100644
index 0000000000..e377632d08
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/resource-assert.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+data:
+ password: dDBwLVNlY3JldC1zdXBlcg==
+ username: YWRtaW4=
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ name: image-secret
+ namespace: prod
+type: kubernetes.io/basic-auth
+---
+apiVersion: v1
+data:
+ initial_lives: "15"
+kind: ConfigMap
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ name: bootstrap-config
+ namespace: prod
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/synchronized-target.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/synchronized-target.yaml
new file mode 100644
index 0000000000..59428d2df1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/synchronized-target.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+data:
+ initial_lives: "50"
+kind: ConfigMap
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ name: bootstrap-config
+ namespace: prod
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/update-source.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/update-source.yaml
new file mode 100644
index 0000000000..91ed16a4fc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/update-source.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: bootstrap-config
+ namespace: default
+ labels:
+ allowedToBeCloned: "true"
+data:
+ initial_lives: "50"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-assert.yaml
new file mode 100644
index 0000000000..329e56b1d5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-sync-clone
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-manifests.yaml
new file mode 100644
index 0000000000..b546f153a5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/01-manifests.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-sync-clone
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: regcred
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-assert.yaml
new file mode 100644
index 0000000000..25f231ce0a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-create-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-ns.yaml
new file mode 100644
index 0000000000..1b9e079489
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/02-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-create-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/README.md
new file mode 100644
index 0000000000..932103e65e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/README.md
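Review bot: The ClusterPolicy in `cpol-clone-sync-create/01-manifests.yaml` is named `cpol-sync-clone`, and `cpol-clone-sync-delete-downstream/01-manifests.yaml` in this same change creates a ClusterPolicy with the same name and the same `regcred` clone rule. Both tests' `01-assert.yaml` wait for a Ready `cpol-sync-clone`, so if the two tests ever run concurrently, or one leaves its policy behind, one test observes the other's policy and its apply becomes an update of a foreign object rather than a create; whether chainsaw runs these tests in parallel depends on configuration not visible in this diff. Naming each policy after its test, e.g. `name: cpol-clone-sync-create`, follows the convention already used by `cpol-clone-sync-delete-policy/policy.yaml` and keeps the readiness assert specific to the test that owns it.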
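Review bot: `02-assert.yaml` matches only `metadata.name` and `metadata.namespace` of the cloned Secret, so a clone created with empty or wrong `data` would still pass. Adding `data:` / `  foo: YmFy` / `type: Opaque`, as `cpol-clone-sync-delete-policy/cloned.yaml` already does, pins that the payload was actually copied from the source. The same weakness is in `cpol-clone-sync-delete-downstream/02-assert.yaml` and `06-assert.yaml`.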
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic generate test to ensure a cloned secret shows properly in the new Namespace.
+
+## Expected Behavior
+
+If the downstream resource is created, the test passes. If it is not created, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-assert.yaml
new file mode 100644
index 0000000000..329e56b1d5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-sync-clone
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-manifests.yaml
new file mode 100644
index 0000000000..fefc8b7f37
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/01-manifests.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-sync-clone
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: regcred
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-assert.yaml
new file mode 100644
index 0000000000..a2023835ff
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-ns.yaml
new file mode 100644
index 0000000000..73241aea81
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/02-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-assert.yaml
new file mode 100644
index 0000000000..73241aea81
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/04-delete-secret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/04-delete-secret.yaml
new file mode 100644
index 0000000000..93aff7f38a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/04-delete-secret.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete-secret
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: cpol-clone-sync-delete-downstream-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/06-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/06-assert.yaml
new file mode 100644
index 0000000000..f73238f5bd
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/06-assert.yaml
@@ -0,0 +1,6 @@
+### If this resource is found, the step should pass. We expect the downstream resource to be recreated.
+apiVersion: v1
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/README.md
new file mode 100644
index 0000000000..cca30e962d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that deletion of a downstream resource created by a ClusterPolicy `generate` rule with sync enabled using a clone declaration causes it to be regenerated. If it is not regenerated, the test fails.
+
+## Expected Behavior
+
+The downstream resource, upon deletion, is expected to be recreated/recloned from the source resource.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/00-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/00-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/00-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/04-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/04-delete.yaml
new file mode 100644
index 0000000000..cb54057806
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/04-delete.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: kyverno.io/v2beta1
+ kind: ClusterPolicy
+ name: cpol-clone-sync-delete-policy
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/06-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/06-assert.yaml
new file mode 100644
index 0000000000..7da21508c7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/06-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: myfoons
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/99-cleanup.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/99-cleanup.yaml
new file mode 100644
index 0000000000..7e0004c066
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/99-cleanup.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - delete
+ - ur
+ - -A
+ - --all
+ entrypoint: kubectl
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/README.md
new file mode 100644
index 0000000000..d34fd362e0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/README.md
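Review bot: The cleanup `kubectl delete ur -A --all` sits in the `try` list of `99-cleanup.yaml`, so it runs only when every earlier step in the test passed; a failure in `06-assert.yaml` leaves the UpdateRequests behind for the next test, which is exactly when cleanup matters most. If the chainsaw version in use supports a `finally` list on a TestStep, moving the command there runs it on both the pass and fail paths. Separately, `-A --all` removes UpdateRequests belonging to any other test sharing the cluster, so a comment such as `# cluster-wide: this test must not run concurrently with other generate tests` would record the assumption.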
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that deletion of a ClusterPolicy, with a generate rule using clone and sync, does NOT cause the downstream resource to be deleted.
+
+## Expected Behavior
+
+Once the ClusterPolicy is deleted, the downstream resource is expected to remain. If it does remain, the test passes. If it gets deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/cloned.yaml
new file mode 100644
index 0000000000..61ff2f02d2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/cloned.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: myfoons
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/ns.yaml
new file mode 100644
index 0000000000..f5d7996929
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: myfoons
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/policy-ready.yaml
new file mode 100644
index 0000000000..2ec2c38df8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-delete-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/policy.yaml
new file mode 100644
index 0000000000..860dad9ac4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/policy.yaml
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-delete-policy
+spec:
+ rules:
+ - name: cpol-clone-sync-delete-policy-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: regcred
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: v1
+data:
+ color: yellow
+kind: ConfigMap
+metadata:
+ namespace: default
+ name: mytestcm
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/00-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/00-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/00-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
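Review bot: policy.yaml places the source Secret and ConfigMap in the `default` namespace under the generic names `regcred` and `mytestcm`, and its rule matches every `Namespace`, so while the test runs the cluster-wide rule clones `default/regcred` into any namespace created on the cluster, including namespaces of other tests running in parallel. cpol-clone-sync-delete-rule/policy.yaml in this same diff creates the very same `default/regcred` and `default/mytestcm` and generates into the same `myfoons`, so the two tests would overwrite each other's sources and tear them down on cleanup if scheduled together. The cpol-clone-sync-delete-source test in this diff already uses a dedicated namespace (`cpol-clone-sync-delete-source-ns`); that is the pattern to follow for the sources here. At minimum, narrow the trigger so only the test's own namespace receives the clone, by adding `names:` / `- myfoons` under `kinds:` in the match block.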
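Review bot: Every TestStep in this diff, starting with 00-sleep.yaml here, carries `creationTimestamp: null` and `timeouts: {}`, which look like serializer output from the migration tooling rather than configuration: `creationTimestamp` is server-populated metadata, and an empty `timeouts` mapping presumably selects the same defaults as leaving the key out. They add two lines of noise to each of the roughly twenty step files added here and invite copy-paste into hand-written steps. Dropping both, so that `metadata:` holds only `name: sleep` and `spec:` starts at `try:`, keeps the steps to what they actually configure.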
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/03-removerule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/03-removerule.yaml
new file mode 100644
index 0000000000..b79f543e3f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/03-removerule.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: removerule
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: singlerule.yaml
+ - assert:
+ file: check.yaml
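Review bot: In 03-removerule.yaml the `assert: file: check.yaml` runs immediately after `apply: file: singlerule.yaml`, and an assertion that a resource is present succeeds the moment it is observed, so a deletion performed by the sync controller a second later would go unnoticed; the README's "if it gets deleted, the test fails" only holds if the deletion lands before the assert fires. The cpol-clone-sync-delete-trigger test in this diff inserts a `sleep` step before checking the post-change state, which is what is missing here. Adding the same sleep step between the apply and the assert (or re-asserting check.yaml after a delay) gives the controller time to act on the rule removal before the test declares the downstream resource safe.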
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/99-cleanup.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/99-cleanup.yaml
new file mode 100644
index 0000000000..7e0004c066
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/99-cleanup.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - delete
+ - ur
+ - -A
+ - --all
+ entrypoint: kubectl
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/README.md
new file mode 100644
index 0000000000..c36b683e14
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that deletion of a rule within a policy containing multiple rules, with a generate rule using clone and sync, does NOT cause the downstream resource to be deleted.
+
+## Expected Behavior
+
+Once the rule is deleted, the downstream resource is expected to remain. If it does remain, the test passes. If it gets deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/check.yaml
new file mode 100644
index 0000000000..5475ddf3a9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/check.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: myfoons
+type: Opaque
+---
+apiVersion: v1
+data:
+ color: yellow
+kind: ConfigMap
+metadata:
+ namespace: myfoons
+ name: mytestcm
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/cloned.yaml
new file mode 100644
index 0000000000..5475ddf3a9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/cloned.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: myfoons
+type: Opaque
+---
+apiVersion: v1
+data:
+ color: yellow
+kind: ConfigMap
+metadata:
+ namespace: myfoons
+ name: mytestcm
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/ns.yaml
new file mode 100644
index 0000000000..f5d7996929
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: myfoons
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/policy-ready.yaml
new file mode 100644
index 0000000000..94b9a9a195
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-delete-rule
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/policy.yaml
new file mode 100644
index 0000000000..1d0ffee139
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/policy.yaml
@@ -0,0 +1,53 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-delete-rule
+spec:
+ rules:
+ - name: cpol-clone-sync-delete-rule-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: regcred
+ - name: cpol-clone-sync-delete-rule-cm
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: ConfigMap
+ name: mytestcm
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: mytestcm
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: v1
+data:
+ color: yellow
+kind: ConfigMap
+metadata:
+ namespace: default
+ name: mytestcm
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/singlerule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/singlerule.yaml
new file mode 100644
index 0000000000..1ef3d097e1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/singlerule.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-delete-rule
+spec:
+ rules:
+ - name: cpol-clone-sync-delete-rule-cm
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: ConfigMap
+ name: mytestcm
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: mytestcm
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/00-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/00-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/00-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/03-deletesource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/03-deletesource.yaml
new file mode 100644
index 0000000000..a0e15ceb9a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/03-deletesource.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: deletesource
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: cpol-clone-sync-delete-source-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/05-errors.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/05-errors.yaml
new file mode 100644
index 0000000000..ed3b4c0b30
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/05-errors.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-delete-source-trigger-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/README.md
new file mode 100644
index 0000000000..2df8ddd1a2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that deletion of the source (upstream) resource used by a ClusterPolicy `generate` rule with sync enabled using a clone declaration DOES cause deletion of downstream/cloned resources.
+
+## Expected Behavior
+
+After the source is deleted, the downstream resources should be deleted. If the downstream resource remains, the test fails. If the downstream resource is deleted, the test passes.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6266
\ No newline at end of file
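Review bot: 05-errors.yaml is a bare Secret manifest whose meaning ("this resource must be absent") comes only from chainsaw's kuttl-style `NN-errors.yaml` file naming, while the other tests in this diff (cpol-clone-sync-delete-trigger/05-downstream-deleted.yaml, cpol-clone-sync-existing-update-trigger-no-precondition/07-downstream-deleted.yaml) express the same check explicitly as a TestStep. The explicit form is self-describing and does not depend on the discovery convention, and since this test's cloned.yaml is byte-identical to 05-errors.yaml (both have blob ed3b4c0b30) the duplicate file is not needed: a step with `- error:` / `file: cloned.yaml` does the job. If I read chainsaw's error operation correctly it polls until the step timeout, so the fixed `sleep 3` in the preceding 04-sleep.yaml would then add latency without adding determinism; I cannot confirm that from the diff, so keep the sleep if the operation is in fact a single check.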
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/cloned.yaml
new file mode 100644
index 0000000000..ed3b4c0b30
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/cloned.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-delete-source-trigger-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/ns.yaml
new file mode 100644
index 0000000000..008ce64767
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-delete-source-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/policy-ready.yaml
new file mode 100644
index 0000000000..d9b939bd06
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-delete-source
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/policy.yaml
new file mode 100644
index 0000000000..19df0a7905
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/policy.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-delete-source-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-delete-source-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-delete-source
+spec:
+ rules:
+ - name: cpol-clone-sync-delete-source-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-delete-source-ns
+ name: regcred
+---
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/01-assert.yaml
new file mode 100644
index 0000000000..06727f08f9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-delete-trigger-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
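Review bot: cpol-clone-sync-delete-source/policy.yaml ends with a bare `---` after the ClusterPolicy's final `name: regcred`, which is a document separator followed by an empty document. Most YAML loaders yield a null document for it and chainsaw's apply presumably skips it, but none of the other multi-document manifests in this diff (cpol-clone-sync-delete-policy/policy.yaml, cpol-clone-sync-delete-trigger/01-manifests.yaml) end that way, and an empty trailing document is exactly what a stricter apply loop rejects as "resource has no kind". Drop the final `---` line.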
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/01-manifests.yaml
new file mode 100644
index 0000000000..982bbac9e6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/01-manifests.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-delete-trigger-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: cpol-clone-sync-delete-trigger-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-delete-trigger-policy
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - test-org
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: downstream-secret
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-delete-trigger-ns
+ name: source-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/02-create-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/02-create-trigger.yaml
new file mode 100644
index 0000000000..3312b2441b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/02-create-trigger.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-trigger
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: trigger.yaml
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/03-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/03-delete.yaml
new file mode 100644
index 0000000000..a4e1594504
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/03-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: test-org
+ namespace: cpol-clone-sync-delete-trigger-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/05-downstream-deleted.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/05-downstream-deleted.yaml
new file mode 100644
index 0000000000..f01c4fabad
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/05-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/06-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/06-assert.yaml
new file mode 100644
index 0000000000..e04cd1c7c4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/06-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: cpol-clone-sync-delete-trigger-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/README.md
new file mode 100644
index 0000000000..4c81bb6239
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a trigger resource, with a generate clone declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/2229
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/downstream.yaml
new file mode 100644
index 0000000000..2a2e72ece1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: cpol-clone-sync-delete-trigger-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/trigger.yaml
new file mode 100644
index 0000000000..5c47fb1ccf
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/trigger.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: cpol-clone-sync-delete-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/01-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/01-trigger.yaml
new file mode 100644
index 0000000000..96f368aad2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/01-trigger.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-existing-update-trigger-no-precondition-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create: "true"
+ name: test-org
+ namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/02-assert.yaml
new file mode 100644
index 0000000000..2edd4172cf
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/02-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-existing-update-trigger-no-precondition
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/02-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/02-manifests.yaml
new file mode 100644
index 0000000000..e0db6cb30b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/02-manifests.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-existing-update-trigger-no-precondition
+spec:
+ generateExisting: true
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ preconditions:
+ any:
+ - key: "{{ request.object.metadata.labels.create || '' }}"
+ operator: Equals
+ value: "true"
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: downstream-secret
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
+ name: source-secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/04-downstream-created.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/04-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
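Review bot: 02-manifests.yaml declares its ClusterPolicy as `apiVersion: kyverno.io/v1`, while every other policy added in this diff (cpol-clone-sync-delete-policy, -delete-rule, -delete-source, -delete-trigger) uses `kyverno.io/v2beta1`, and 02-assert.yaml in this same test matches on v1 as well, so the two files must move together. Unless v1 is deliberate for this test, which I cannot tell from the diff (for example if `generateExisting` is not served on v2beta1), aligning on one version keeps a future API deprecation to a single find-and-replace across the suite. The matching rule also triggers on every ConfigMap with no `names:` filter, so with `generateExisting: true` any pre-existing ConfigMap in the cluster carrying the `create: "true"` label would receive a cloned Secret; the delete-trigger test's `names:` / `- test-org` restriction would keep this one scoped to its own fixture.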
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/04-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/05-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/05-update-trigger.yaml
new file mode 100644
index 0000000000..514fea3c09
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/05-update-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create: "false"
+ name: test-org
+ namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/06-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/06-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/06-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/07-downstream-deleted.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/07-downstream-deleted.yaml
new file mode 100644
index 0000000000..f01c4fabad
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/07-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/README.md
new file mode 100644
index 0000000000..0367ead91f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match a precondition of the rule, with a generate clone declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7481
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/downstream.yaml
new file mode 100644
index 0000000000..3d17e04f10
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/00-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/00-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/00-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/03-modifydownstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/03-modifydownstream.yaml
new file mode 100644
index 0000000000..029b5cfe9b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/03-modifydownstream.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: modifydownstream
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: editeddownstream.yaml
+ - assert:
+ file: finalsecret.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/README.md
new file mode 100644
index 0000000000..56b2c21bc4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that modification of the downstream (cloned/generated) resource used by a ClusterPolicy `generate` rule with sync enabled using a clone declaration and server-side apply causes those changes to be merged from the state of the upstream/source.
+
+## Expected Behavior
+
+After the downstream resource is modified, the changes should be merged with the clone after synchronization occurs. If the downstream resource is synced with the state of the source resource, and also respects the modifications to other fields, the test passes. If the downstream resource doesn't retain the cloned fields and the directly modified fields, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/cloned.yaml
new file mode 100644
index 0000000000..61ff2f02d2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/cloned.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: myfoons
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/editeddownstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/editeddownstream.yaml
new file mode 100644
index 0000000000..60c3c479ac
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/editeddownstream.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+ foo: bm90YmFjaGhlcmU=
+ foo2: bm90YmFjaGhlcmU=
+kind: Secret
+metadata:
+ name: regcred
+ namespace: myfoons
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/finalsecret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/finalsecret.yaml
new file mode 100644
index 0000000000..f2a80beb17
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/finalsecret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+ foo: YmFy
+ foo2: bm90YmFjaGhlcmU=
+kind: Secret
+metadata:
+ name: regcred
+ namespace: myfoons
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/ns.yaml
new file mode 100644
index 0000000000..f5d7996929
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: myfoons
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/policy-ready.yaml
new file mode 100644
index 0000000000..2603a65a7e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-modify-downstream-apply
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
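Review bot: finalsecret.yaml encodes the security-relevant contract of this test — with `useServerSideApply: true` a key (`foo2`) written directly to the Kyverno-managed downstream Secret survives synchronization while the cloned key `foo` is restored to `YmFy` — but nothing in the fixture says so, and a reader comparing it with the non-SSA sibling's `origsecret.yaml` has to reverse-engineer the intent from the README. Add a comment above `data:` such as `# foo is re-synced from default/regcred; foo2 was written directly on the downstream and is expected to survive SSA sync`. Since this is what the test locks in, the README could also state plainly that with SSA anyone who can write the downstream namespace can persist extra keys in a policy-managed Secret, so the behaviour is a deliberate choice rather than an accident of the fixture.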
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/policy.yaml
new file mode 100644
index 0000000000..6154b8639f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-modify-downstream-apply
+spec:
+ rules:
+ - name: cpol-clone-sync-modify-downstream-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: regcred
+ useServerSideApply: true
+---
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/00-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/00-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/00-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
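Review bot: The rule in policy.yaml matches every Namespace with no selector or exclusion and clones `default/regcred` into it, so for as long as this test is installed it also writes a `regcred` Secret into any namespace created by other tests on the cluster, and the test has no way to see or clean up those copies. The non-SSA sibling `cpol-clone-sync-modify-downstream` installs a second rule that targets the same `regcred` in the same namespaces from the same `default/regcred` source with the opposite sync semantics; if chainsaw ever runs the two concurrently, whichever policy reconciles last decides both outcomes. Follow the pattern of the modify-source test: create a per-test source namespace instead of `default`, and bound the trigger, e.g. under `resources:` add `selector: { matchLabels: { cpol-clone-sync-modify-downstream-apply: "true" } }` with that label set in ns.yaml. The file also ends with a bare `+---`, which leaves an empty trailing document.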
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/03-modifydownstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/03-modifydownstream.yaml
new file mode 100644
index 0000000000..422526b509
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/03-modifydownstream.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: modifydownstream
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: editeddownstream.yaml
+ - assert:
+ file: origsecret.yaml
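Review bot: 02-resource.yaml creates Namespace `myfoons` and 03-modifydownstream.yaml edits `myfoons/regcred`, which are exactly the namespace and object names the `-apply` sibling test creates and edits in its own 02/03 steps; if both tests are ever run against the same cluster at the same time, one test's chainsaw cleanup deletes the other's namespace mid-step and the surviving test fails for a reason unrelated to sync. Name the namespace after the test, e.g. `name: cpol-clone-sync-modify-downstream-ns` in ns.yaml, and update cloned.yaml, editeddownstream.yaml and origsecret.yaml to match, as the modify-source test already does with `cpol-clone-sync-modify-source-trigger-ns`.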
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/99-cleanup.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/99-cleanup.yaml
new file mode 100644
index 0000000000..7e0004c066
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/99-cleanup.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - delete
+ - ur
+ - -A
+ - --all
+ entrypoint: kubectl
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/README.md
new file mode 100644
index 0000000000..54f7d0b02e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that modification of the downstream (cloned/generated) resource used by a ClusterPolicy `generate` rule with sync enabled using a clone declaration causes those changes to be reverted and synchronized from the state of the upstream/source.
+
+## Expected Behavior
+
+After the downstream resource is modified, the changes should be reverted after synchronization occurs. If the downstream resource is synced with the state of the source resource, the test passes. If the downstream resource remains in a modified state, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
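Review bot: `kubectl delete ur -A --all` in 99-cleanup.yaml deletes every UpdateRequest in the cluster, not only the ones created by this policy, so on a shared cluster it can discard in-flight generate or mutate-existing work belonging to other tests or policies; it is also present only in this test and not in the `-apply` sibling, so the two tests leave different state behind. Scope the deletion to this policy's requests — if the Kyverno build under test labels URs with the owning policy name, add a `-l <policy-name-label>=cpol-clone-sync-modify-downstream` argument; otherwise at least drop `-A` in favour of the namespace Kyverno stores URs in — and add the same step to the sibling test. A comment above `command:` saying why stale URs must be removed (presumably so later generate tests are not affected by requests left by this one) would make the step's purpose reviewable rather than folklore.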
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/cloned.yaml
new file mode 100644
index 0000000000..61ff2f02d2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/cloned.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: myfoons
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/editeddownstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/editeddownstream.yaml
new file mode 100644
index 0000000000..b5efc04ea9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/editeddownstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: bm90YmFjaGhlcmU=
+kind: Secret
+metadata:
+ name: regcred
+ namespace: myfoons
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/ns.yaml
new file mode 100644
index 0000000000..f5d7996929
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: myfoons
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/origsecret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/origsecret.yaml
new file mode 100644
index 0000000000..61ff2f02d2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/origsecret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: myfoons
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/policy-ready.yaml
new file mode 100644
index 0000000000..5e132b661a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-modify-downstream
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/policy.yaml
new file mode 100644
index 0000000000..2456b1c5fc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-modify-downstream
+spec:
+ rules:
+ - name: cpol-clone-sync-modify-downstream-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: regcred
+---
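Review bot: policy.yaml seeds the clone source as `default/regcred`, the same source name and namespace its `-apply` sibling seeds, and both policies generate `regcred` into every Namespace with no selector; the two tests therefore share one source object and, if installed together, two controllers with contradictory sync semantics reconcile the same downstream, so one README's expected behaviour is the other's failure. Give this test its own source namespace and Secret name (the modify-source test uses `cpol-clone-sync-modify-source-ns`) and restrict the Namespace match with a label selector so the rule only fires for the namespace ns.yaml creates. A clone-with-sync rule also means whoever can write the source Secret pushes content into every matched namespace, so `default` is a poor place to model the source even in a fixture. The trailing `+---` leaves an empty document at the end of the file.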
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/02-resource.yaml
new file mode 100644
index 0000000000..ddf88f9c39
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: cloned.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/03-modifysource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/03-modifysource.yaml
new file mode 100644
index 0000000000..bd4e5a5a7f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/03-modifysource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: modifysource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: editedsource.yaml
+ - assert:
+ file: updatedsecret.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/README.md
new file mode 100644
index 0000000000..6f1c7a48c1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that modification of the source (upstream) resource used by a ClusterPolicy `generate` rule with sync enabled using a clone declaration causes those changes to be synced/propagated downstream.
+
+## Expected Behavior
+
+After the source is modified, the downstream resources should be synced to reflect those modifications. If the downstream resource reflects the changes made to the source, the test passes. If the downstream resource remains unsynced, the test fails.
+
+## Reference Issue(s)
+
+5411
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/cloned.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/cloned.yaml
new file mode 100644
index 0000000000..9a9ea09e1f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/cloned.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-modify-source-trigger-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/editedsource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/editedsource.yaml
new file mode 100644
index 0000000000..b254d33cea
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/editedsource.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: aGVyZWFyZXNvbWVjb29sY2hhbmdlcw==
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-modify-source-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/ns.yaml
new file mode 100644
index 0000000000..662b1591e1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-modify-source-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/policy-ready.yaml
new file mode 100644
index 0000000000..c32763ebe3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-modify-source
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/policy.yaml
new file mode 100644
index 0000000000..c122ce5d2b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/policy.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-modify-source-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-modify-source-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-modify-source
+spec:
+ rules:
+ - name: cpol-clone-sync-modify-source-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-modify-source-ns
+ name: regcred
+---
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/updatedsecret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/updatedsecret.yaml
new file mode 100644
index 0000000000..cf3bfe8066
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/updatedsecret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: aGVyZWFyZXNvbWVjb29sY2hhbmdlcw==
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-modify-source-trigger-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/01-assert.yaml
new file mode 100644
index 0000000000..e27abe553d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/01-assert.yaml
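Review bot: The rule in policy.yaml matches every Namespace, including `cpol-clone-sync-modify-source-ns`, which holds the clone source `regcred`; because the Namespace is created before the ClusterPolicy in the same apply no trigger fires today, but any later update to that Namespace (or turning on `generateExisting`) would presumably make the rule treat the source Secret as its own downstream, and nothing in the test would notice. Exclude the source namespace from the trigger — e.g. add `exclude: { any: [ { resources: { names: [ cpol-clone-sync-modify-source-ns ] } } ] }` to the rule — or, better, match only the trigger namespace ns.yaml creates via a label selector, since with `synchronize: true` every matched namespace receives whatever is written to the source. A comment above `clone:` noting that `cpol-clone-sync-modify-source-ns` is the source and must never be a target would also help the next person copying this fixture. The file ends with a bare `+---`, leaving an empty trailing document.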
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-no-existing-update-trigger-no-precondition
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/01-manifests.yaml
new file mode 100644
index 0000000000..ceda4d4f83
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/01-manifests.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-no-existing-update-trigger-no-precondition-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: cpol-clone-sync-no-existing-update-trigger-no-precondition-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-no-existing-update-trigger-no-precondition
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ preconditions:
+ any:
+ - key: "{{ request.object.metadata.labels.create || '' }}"
+ operator: Equals
+ value: "true"
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: downstream-secret
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-no-existing-update-trigger-no-precondition-ns
+ name: source-secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/02-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/02-trigger.yaml
new file mode 100644
index 0000000000..e61b59c92c
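Review bot: The clone rule in 01-manifests.yaml is triggered by a ConfigMap in any namespace whose `labels.create` is `"true"`, and generates into `request.object.metadata.namespace`, so any ConfigMap creator anywhere in the cluster can pull a copy of `source-secret` into their own namespace while this policy is installed; for a fixture that is the behaviour under test, but because neither `namespaces` nor an exclude bounds the trigger, a labelled ConfigMap from a concurrently running test also receives the Secret and this test never cleans that copy up. Bound the trigger to the test namespace, e.g. add `namespaces: [ cpol-clone-sync-no-existing-update-trigger-no-precondition-ns ]` under `resources:`. This policy is declared as `kyverno.io/v1` while the sibling `cpol-clone-sync-update-trigger-no-match` uses `kyverno.io/v2beta1` for the same rule shape; pick one API version for the new tests so the fixtures stay comparable.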
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/02-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create: "true"
+ name: test-org
+ namespace: cpol-clone-sync-no-existing-update-trigger-no-precondition-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/03-downstream-created.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/03-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/03-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/04-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/04-update-trigger.yaml
new file mode 100644
index 0000000000..c13fb19964
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/04-update-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create: "false"
+ name: test-org
+ namespace: cpol-clone-sync-no-existing-update-trigger-no-precondition-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/06-downstream-deleted.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/06-downstream-deleted.yaml
new file mode 100644
index 0000000000..f01c4fabad
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/06-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/README.md
new file mode 100644
index 0000000000..0367ead91f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/README.md
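Review bot: 05-sleep.yaml puts a fixed 3-second wait in front of the `error:` check in 06-downstream-deleted.yaml; if chainsaw's `error` operation retries until its step timeout the way `assert` does, the sleep only adds latency, and if it does not, 3 seconds is an arbitrary bound on how long Kyverno may take to process the UpdateRequest for the relabelled trigger, so the test becomes flaky under load. Either drop the sleep and give the negative check an explicit bound through the step's `timeouts` (if the suite exposes an `error` timeout), or keep it with a comment naming the race, e.g. `# give the generate controller time to process the UR for the updated trigger` above `command:`. Note also that the `error` check reuses `downstream.yaml` including `data.foo`, so it would pass even if the Secret survived with different content; a name-only fixture is the safer negative check.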
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match a precondition of the rule, with a generate clone declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7481
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/downstream.yaml
new file mode 100644
index 0000000000..d37f45a613
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: cpol-clone-sync-no-existing-update-trigger-no-precondition-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/01-assert.yaml
new file mode 100644
index 0000000000..2ff776e073
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-update-trigger-no-match-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/01-manifests.yaml
new file mode 100644
index 0000000000..d4a4a7a8b0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/01-manifests.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-update-trigger-no-match-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: cpol-clone-sync-update-trigger-no-match-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-update-trigger-no-match-policy
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ selector:
+ matchLabels:
+ create-secret: "true"
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: downstream-secret
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: true
+ clone:
+ namespace: cpol-clone-sync-update-trigger-no-match-ns
+ name: source-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/02-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/02-trigger.yaml
new file mode 100644
index 0000000000..5cf922ae4e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/02-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-secret: "true"
+ name: test-org
+ namespace: cpol-clone-sync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/03-downstream-created.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/03-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/03-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/04-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/04-update-trigger.yaml
new file mode 100644
index 0000000000..ee020f82ba
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/04-update-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-secret: "false"
+ name: test-org
+ namespace: cpol-clone-sync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/06-downstream-deleted.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/06-downstream-deleted.yaml
new file mode 100644
index 0000000000..f01c4fabad
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/06-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/README.md
new file mode 100644
index 0000000000..a749d3c470
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match the rule, with a generate clone declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6507
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/downstream.yaml
new file mode 100644
index 0000000000..3672307393
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: cpol-clone-sync-update-trigger-no-match-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-assert.yaml
new file mode 100644
index 0000000000..a74a39118d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-manifests.yaml
new file mode 100644
index 0000000000..16f96b32f0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/01-manifests.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address
+spec:
+ generateExisting: true
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-assert.yaml
new file mode 100644
index 0000000000..b8693e22e7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: cpol-data-nosync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-ns.yaml
new file mode 100644
index 0000000000..8ce484e8ff
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/02-ns.yaml
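Review bot: The ClusterPolicy in 01-manifests.yaml is named `zk-kafka-address` instead of following the `<test-dir>-policy` convention the sibling tests use (`cpol-data-nosync-delete-policy-policy`, `cpol-data-nosync-delete-rule-policy`), and its rule is `k-kafka-address`, which reads like a truncated `zk-kafka-address`. A ClusterPolicy is cluster-scoped, so a generic name is the one most likely to collide with another test or a leftover policy when the conformance suite shares a cluster. `generateExisting: true` together with a match on every Namespace (minus the four excluded) also writes this ConfigMap into every pre-existing namespace, including those of other tests running alongside; the namespace this test actually checks is created afterwards in 02-ns.yaml, so `generateExisting` is presumably not needed for the scenario. I would use `name: cpol-data-nosync-delete-downstream-policy` and `- name: cpol-data-nosync-delete-downstream-rule`, and update the name in 01-assert.yaml to match.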
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-nosync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/04-downstream-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/04-downstream-delete.yaml
new file mode 100644
index 0000000000..787125c040
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/04-downstream-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: cpol-data-nosync-delete-downstream-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/05-errors.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/05-errors.yaml
new file mode 100644
index 0000000000..c73c35e183
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/05-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: cpol-data-nosync-delete-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/README.md
new file mode 100644
index 0000000000..e79931200a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/README.md
@@ -0,0 +1,11 @@
+# Title
+
+This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled deletes the downstream ConfigMap when matching a new Namespace.
+
+## Expected Behavior
+
+If the generated (downstream) resource is not recreated, the test passes. If it is recreated from the definition in the rule, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
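Review bot: The expectation in 05-errors.yaml (the ConfigMap stays absent after 04-downstream-delete.yaml removes it) is consistent with `synchronize: false` in 01-manifests.yaml, but the README added in the next hunk describes a different scenario: deleting the policy "with sync enabled" and the downstream ConfigMap being deleted "when matching a new Namespace". Its "Expected Behavior" paragraph does describe the non-recreation check, and the `# Title` heading should be `## Description` as in the sibling READMEs. A description such as "This test checks that, with a data declaration and synchronization disabled, deleting the generated ConfigMap does not cause it to be recreated." would match the steps.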
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/02-resource.yaml
new file mode 100644
index 0000000000..16f6688270
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-generated.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/03-delete-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/03-delete-policy.yaml
new file mode 100644
index 0000000000..0f66402150
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/03-delete-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete-policy
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: cpol-data-nosync-delete-policy-policy
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/05-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/05-assert.yaml
new file mode 100644
index 0000000000..09eb786efa
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/05-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: wolfram-debug
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/README.md
new file mode 100644
index 0000000000..592cd1e3cc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that a generate rule with a data declaration and NO synchronization, when the ClusterPolicy is deleted does NOT cause the generated resources to be deleted.
+
+## Expected Behavior
+
+If the downstream resource remains after deletion of the ClusterPolicy, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
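Review bot: 05-assert.yaml is byte-identical to resource-generated.yaml (both carry blob id 09eb786efa), so the expected ConfigMap is maintained in two files that can silently drift apart. The step could instead be a TestStep that asserts `file: resource-generated.yaml`, the way 02-resource.yaml already does, leaving one source of truth for the expected state. The namespace `wolfram-debug` is also the only one in this group not derived from the test directory name; `cpol-data-nosync-delete-policy-ns` would make any leftovers attributable to this test.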
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/policy-ready.yaml
new file mode 100644
index 0000000000..318f65b126
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-policy-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/policy.yaml
new file mode 100644
index 0000000000..cd628d18b7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-policy-policy
+spec:
+ generateExisting: false
+ rules:
+ - name: cpol-data-nosync-delete-policy-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/resource-generated.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/resource-generated.yaml
new file mode 100644
index 0000000000..09eb786efa
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/resource-generated.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: wolfram-debug
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/resource.yaml
new file mode 100644
index 0000000000..1cb9ac1a09
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: wolfram-debug
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/02-resource.yaml
new file mode 100644
index 0000000000..16f6688270
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-generated.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/03-remove-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/03-remove-rule.yaml
new file mode 100644
index 0000000000..bfa598f7b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/03-remove-rule.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: remove-rule
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy-with-rule-removed.yaml
+ - assert:
+ file: both-resources-exist.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/README.md
new file mode 100644
index 0000000000..0b2e9aa154
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/README.md
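Review bot: 03-remove-rule.yaml asserts both-resources-exist.yaml immediately after applying policy-with-rule-removed.yaml, so the assertion is satisfied by the state that already existed before the rule was removed and passes even if Kyverno deletes the downstream resources a moment later; as written this negative test cannot fail. The sibling negative tests in this diff (cpol-data-nosync-delete-policy, cpol-data-nosync-delete-trigger) put a `sleep` command step between the change and the re-assertion; the same step here, between the `apply` and the `assert`, gives a wrongful deletion time to show up. Note too that the policy still asserts Ready only in 01-policy.yaml, so a follow-up assert of policy-ready.yaml after the apply would confirm the reduced policy was accepted.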
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a rule within a policy having two rules is deleted does NOT cause any of the generated resources corresponding to that removed rule to be deleted.
+
+## Expected Behavior
+
+If both generated resources remain after deletion of the rule, the test passes. If either one is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/both-resources-exist.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/both-resources-exist.yaml
new file mode 100644
index 0000000000..2ffa5486a5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/both-resources-exist.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: trench-splendid
+---
+apiVersion: v1
+data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
+kind: Secret
+metadata:
+ labels:
+ somekey: somesecretvalue
+ name: supersecret
+ namespace: trench-splendid
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy-ready.yaml
new file mode 100644
index 0000000000..1b643c1744
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-rule-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy-with-rule-removed.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy-with-rule-removed.yaml
new file mode 100644
index 0000000000..81d1b5c162
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy-with-rule-removed.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-rule-policy
+spec:
+ generateExisting: false
+ rules:
+ - name: cpol-data-nosync-delete-rule-ruletwo
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: Secret
+ name: supersecret
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: Secret
+ type: Opaque
+ metadata:
+ labels:
+ somekey: somesecretvalue
+ data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy.yaml
new file mode 100644
index 0000000000..652db29e13
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy.yaml
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-rule-policy
+spec:
+ generateExisting: false
+ rules:
+ - name: cpol-data-nosync-delete-rule-ruleone
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
+ - name: cpol-data-nosync-delete-rule-ruletwo
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: Secret
+ name: supersecret
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: Secret
+ type: Opaque
+ metadata:
+ labels:
+ somekey: somesecretvalue
+ data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/resource-generated.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/resource-generated.yaml
new file mode 100644
index 0000000000..2ffa5486a5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/resource-generated.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: trench-splendid
+---
+apiVersion: v1
+data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
+kind: Secret
+metadata:
+ labels:
+ somekey: somesecretvalue
+ name: supersecret
+ namespace: trench-splendid
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/resource.yaml
new file mode 100644
index 0000000000..a2c9cf71f1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: trench-splendid
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/01-assert.yaml
new file mode 100644
index 0000000000..91bda28aac
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-trigger
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/01-policy.yaml
new file mode 100644
index 0000000000..6937c46a02
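Review bot: 01-assert.yaml for cpol-data-nosync-delete-trigger asserts the ClusterPolicy as `apiVersion: kyverno.io/v2beta1`, while 01-policy.yaml in the next hunk creates it as `kyverno.io/v1` and every other policy-ready assertion in this diff uses `kyverno.io/v1`. The API server should serve either version of the same object, so the assert presumably still resolves, but the mismatch reads as if a different resource were being checked. Using `apiVersion: kyverno.io/v1` here keeps the assert aligned with the applied manifest and with the sibling tests.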
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/01-policy.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-trigger
+spec:
+ rules:
+ - name: default-deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: default-deny
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: false
+ data:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/02-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/02-trigger.yaml
new file mode 100644
index 0000000000..bed219508e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/02-trigger.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-nosync-delete-trigger-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: cpol-data-nosync-delete-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/03-downstream-created.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/03-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/03-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
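Review bot: The `default-deny` rule in 01-policy.yaml matches every ConfigMap in every namespace with no `exclude` and no namespace restriction, so for as long as this test's policy exists any ConfigMap created anywhere in the cluster — by other conformance tests running alongside, or in `kube-system` and Kyverno's own namespace — gets an ingress-plus-egress deny NetworkPolicy generated into its namespace. Where the CNI enforces NetworkPolicy that can cut off the very components the suite depends on, and the sibling policies in this diff at least exclude `kube-system`, `default`, `kube-public` and `kyverno`. Since the trigger lives in `cpol-data-nosync-delete-trigger-ns` (02-trigger.yaml), the match can be scoped to that namespace by adding, under `- resources:` next to `kinds:`, `namespaces:` with the single entry `- cpol-data-nosync-delete-trigger-ns`.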
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/04-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/04-delete.yaml
new file mode 100644
index 0000000000..c1de4bfa4b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/04-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: test-org
+ namespace: cpol-data-nosync-delete-trigger-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/06-downstream-remained.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/06-downstream-remained.yaml
new file mode 100644
index 0000000000..7f8c209394
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/06-downstream-remained.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-remained
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/README.md
new file mode 100644
index 0000000000..4be40182fa
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a trigger resource, with a generate data declaration and sync disabled, doesn't result in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test fails. If it remains, the test passes.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/2229
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/downstream.yaml
new file mode 100644
index 0000000000..b30107338e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-trigger/downstream.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: cpol-data-nosync-delete-trigger-ns
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/02-resource.yaml
new file mode 100644
index 0000000000..16f6688270
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-generated.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/03-modify-downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/03-modify-downstream.yaml
new file mode 100644
index 0000000000..4e3e87d478
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/03-modify-downstream.yaml
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: modify-downstream +spec: + timeouts: {} + try: + - apply: + file: downstream-modified.yaml + - assert: + file: downstream-untouched.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/README.md new file mode 100644 index 0000000000..596e154032 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a downstream (generated) resource is modified this does NOT result in those modifications getting reverted based upon the definition in the rule. + +## Expected Behavior + +If the downstream resource is left in the modified state, the test passes. If the downstream resource is synced from the definition in the rule, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/downstream-modified.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/downstream-modified.yaml new file mode 100644 index 0000000000..3de43c12f7 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/downstream-modified.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: hereissomenewdataichanged + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: selected-beagle 
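Review bot: In 03-modify-downstream.yaml the `assert` on `downstream-untouched.yaml` runs immediately after the `apply` of `downstream-modified.yaml`, and the two files are the same blob (`index 0000000000..3de43c12f7` on both), so the assertion is satisfied the instant the apply returns — before a sync, if one were to happen, could revert the ConfigMap. The step therefore cannot fail for the condition the README describes. The same pattern is in 03-modify-rule.yaml, where `downstream-untouched.yaml` and `resource-generated.yaml` share `index 0000000000..c0a559ef8a`. Inserting a short `sleep` step between the apply and the assert, as 05-sleep.yaml does in the update-trigger-no-match test, gives the controller a window to act before the untouched state is checked.
```yaml
      file: downstream-modified.yaml
  - command:
      entrypoint: sleep
      args:
      - "3"
  - assert:
```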
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/downstream-untouched.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/downstream-untouched.yaml new file mode 100644 index 0000000000..3de43c12f7 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/downstream-untouched.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: hereissomenewdataichanged + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: selected-beagle diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/policy-ready.yaml new file mode 100644 index 0000000000..138224923e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-nosync-modify-downstream-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/policy.yaml new file mode 100644 index 0000000000..5af58dedb7 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/policy.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-nosync-modify-downstream-policy +spec: + generateExisting: false + rules: + - name: cpol-data-nosync-modify-downstream-rule + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/resource-generated.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/resource-generated.yaml new file mode 100644 index 0000000000..e505b84cb1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/resource-generated.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: selected-beagle diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/resource.yaml new file mode 100644 index 0000000000..8e8591b4c2 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/resource.yaml 
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: selected-beagle \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/02-resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/02-resource.yaml new file mode 100644 index 0000000000..16f6688270 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: resource.yaml + - assert: + file: resource-generated.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/03-modify-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/03-modify-rule.yaml new file mode 100644 index 0000000000..6ee1b8c739 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/03-modify-rule.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: modify-rule +spec: + timeouts: {} + try: + - apply: + file: rule-modified.yaml + - assert: + file: downstream-untouched.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/README.md new file mode 100644 index 0000000000..2c677699cb --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a rule within a policy is changed (under the data object) that this does NOT cause the downstream resource to be synced. + +## Expected Behavior + +If the downstream resource is NOT modified from its initial generation, the test passes. If the downstream resource is synced from the changes made to the rule, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/downstream-untouched.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/downstream-untouched.yaml new file mode 100644 index 0000000000..c0a559ef8a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/downstream-untouched.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: stern-liquid 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/policy-ready.yaml new file mode 100644 index 0000000000..6e7c0e22b0 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-nosync-modify-rule-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/policy.yaml new file mode 100644 index 0000000000..867b2c7747 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/policy.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-nosync-modify-rule-policy +spec: + generateExisting: false + rules: + - name: cpol-data-nosync-modify-rule-rule + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/resource-generated.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/resource-generated.yaml new file mode 100644 index 0000000000..c0a559ef8a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/resource-generated.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: stern-liquid diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/resource.yaml new file mode 100644 index 0000000000..e00ac16bc1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/resource.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: stern-liquid \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/rule-modified.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/rule-modified.yaml new file mode 100644 index 0000000000..731814074a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/rule-modified.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-nosync-modify-rule-policy +spec: + generateExisting: false + rules: + - name: cpol-data-nosync-modify-rule-rule + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "ihavechangedthis" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/01-assert.yaml new file mode 100644 index 0000000000..2fa3ce899c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-data-nosync-update-trigger-no-match +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/01-manifests.yaml new file mode 100644 index 0000000000..d5133df470 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/01-manifests.yaml 
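Review bot: 01-assert.yaml for cpol-data-nosync-update-trigger-no-match asserts the ClusterPolicy as `apiVersion: kyverno.io/v2beta1`, while the manifest it checks (01-manifests.yaml, next hunk) and the other `policy-ready.yaml` assertions in this change use `kyverno.io/v1`. Both versions are presumably served, so this likely works, but mixing them across sibling fixtures makes the suite harder to maintain; `apiVersion: kyverno.io/v1` would match the manifest being applied.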
@@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-nosync-update-trigger-no-match +spec: + rules: + - name: default-deny + match: + any: + - resources: + kinds: + - ConfigMap + selector: + matchLabels: + create-netpol: "true" + generate: + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + name: default-deny + namespace: "{{request.object.metadata.namespace}}" + synchronize: false + data: + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/02-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/02-trigger.yaml new file mode 100644 index 0000000000..ada06d201f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/02-trigger.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-nosync-update-trigger-no-match-ns +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + create-netpol: "true" + name: test-org + namespace: cpol-data-nosync-update-trigger-no-match-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/03-downstream-created.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/03-downstream-created.yaml new file mode 100644 index 0000000000..e515801d11 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/03-downstream-created.yaml 
@@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: downstream-created +spec: + timeouts: {} + try: + - assert: + file: downstream.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/04-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/04-update-trigger.yaml new file mode 100644 index 0000000000..d73dcbe834 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/04-update-trigger.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + create-netpol: "false" + name: test-org + namespace: cpol-data-nosync-update-trigger-no-match-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/05-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/05-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/06-downstream-deleted.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/06-downstream-deleted.yaml new file mode 100644 index 0000000000..70051ec60a --- /dev/null 
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/06-downstream-deleted.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: downstream-deleted +spec: + timeouts: {} + try: + - assert: + file: downstream.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/README.md new file mode 100644 index 0000000000..3ecef13843 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that updates to a trigger which cause it to no longer match the rule, with a generate data declaration and sync disabled, does not result in the downstream resource's deletion. + +## Expected Behavior + +If the downstream resource remains, the test passes. If it is deleted, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6507 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/downstream.yaml new file mode 100644 index 0000000000..a2439cab5d --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-update-trigger-no-match/downstream.yaml @@ -0,0 +1,9 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: cpol-data-nosync-update-trigger-no-match-ns +spec: + policyTypes: + - Ingress + - Egress \ No newline at end of file 
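Review bot: The step in 06-downstream-deleted.yaml is named `downstream-deleted` but it asserts `downstream.yaml`, i.e. that the NetworkPolicy is still present — which is the pass condition the README gives ("If the downstream resource remains, the test passes"). The name states the opposite of what is checked and will mislead anyone reading a failure report. `name: downstream-remained` (and a matching file name) would agree with the assertion and with the equivalent step in the delete-trigger test.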
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/01-cluster-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/01-cluster-policy.yaml new file mode 100644 index 0000000000..4e2fad741a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/01-cluster-policy.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cluster-policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - apply: + file: namespace.yaml + - assert: + file: policy-ready.yaml + - assert: + file: namespace-ready.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/02-script.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/02-script.yaml new file mode 100644 index 0000000000..689278bde3 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/02-script.yaml @@ -0,0 +1,35 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script +spec: + timeouts: {} + try: + - command: + args: + - run + - nginx + - --image=nginx + - -n + - test-generate-exec + entrypoint: kubectl + - command: + args: + - wait + - --for=condition=Ready + - pod/nginx + - -n + - test-generate-exec + entrypoint: kubectl + - command: + args: + - exec + - -n + - test-generate-exec + - nginx + - -it + - -- + - ls + entrypoint: kubectl 
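Review bot: In 02-script.yaml the pod is started with `--image=nginx`, an unpinned tag, so the test pulls whatever `latest` resolves to on the registry at run time; pinning to a specific tag or digest (`--image=nginx:<PINNED_TAG_OR_DIGEST>`, placeholder) keeps the conformance run reproducible and independent of upstream image changes. The `-it` flags on the `exec` step allocate a TTY and attach stdin, neither of which a non-interactive `ls` needs; kubectl reports a TTY warning when no terminal is present, so `- exec`, `- -n`, `- test-generate-exec`, `- nginx`, `- --`, `- ls` is sufficient. The `kubectl wait` step before it is a good choice over a fixed sleep.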
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/03-assert.yaml new file mode 100644 index 0000000000..8078877234 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/03-assert.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + generate.kyverno.io/policy-name: zk-kafka-address + generate.kyverno.io/policy-namespace: "" + generate.kyverno.io/rule-name: k-kafka-address + generate.kyverno.io/trigger-version: v1 + generate.kyverno.io/trigger-group: "" + generate.kyverno.io/trigger-kind: PodExecOptions + generate.kyverno.io/trigger-namespace: test-generate-exec + somekey: somevalue + name: zk-kafka-address + namespace: test-generate-exec diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/99-cleanup.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/99-cleanup.yaml new file mode 100644 index 0000000000..4b1afb25b7 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/99-cleanup.yaml 
@@ -0,0 +1,46 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - cpol + - zk-kafka-address + - --force + - --wait=true + - --ignore-not-found=true + entrypoint: kubectl + - command: + args: + - delete + - pod + - nginx + - -n + - test-generate-exec + - --wait=true + - --ignore-not-found=true + entrypoint: kubectl + - command: + args: + - delete + - cm + - zk-kafka-address + - -n + - test-generate-exec + - --wait=true + - --ignore-not-found=true + entrypoint: kubectl + - command: + args: + - delete + - ns + - test-generate-exec + - --wait=true + - --ignore-not-found=true + entrypoint: kubectl diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/README.md new file mode 100644 index 0000000000..b234ae5d3c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/README.md @@ -0,0 +1,11 @@ +## Description + +This test assures generation of resource with a sub-resource acting as a trigger. + +## Expected Behavior + +The test passes and `configmap` `zk-kafka-address` is created. + +## Reference Issue(s) + +6399 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/namespace-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/namespace-ready.yaml new file mode 100644 index 0000000000..d6e0bec5d6 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/namespace-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-generate-exec +status: + phase: Active 
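Review bot: 99-cleanup.yaml deletes the ClusterPolicy with `--force`, which is not needed for a plain delete and hides problems that a normal deletion would surface; `--wait=true` is also the default and can go. The sibling test cpol-data-sync-delete-downstream uses chainsaw's native `delete:` operation (03-delete.yaml) for the same job, so `- delete: {apiVersion: kyverno.io/v1, kind: ClusterPolicy, name: zk-kafka-address}` would be consistent and would not depend on a `cpol` short name being registered. Because the ConfigMap is deleted separately from its namespace, the order here only matters if deletion of the namespace is what the test relies on; a comment stating that intent would help.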
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/namespace.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/namespace.yaml new file mode 100644 index 0000000000..41144ca1ec --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-generate-exec diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/policy-ready.yaml new file mode 100644 index 0000000000..ff338c6bcf --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/policy.yaml new file mode 100644 index 0000000000..4171a6a719 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/policy.yaml 
@@ -0,0 +1,29 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + # generateExisting does not work for sub-resources + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - "Pod/exec" + generate: + # synchronization does not work for sub-resources + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.namespace}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-assert.yaml new file mode 100644 index 0000000000..a74a39118d --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-manifests.yaml new file mode 100644 index 0000000000..5b4506df9e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/01-manifests.yaml 
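Review bot: The `match` in this policy.yaml has no namespace restriction and, unlike the sibling policies in 01-manifests.yaml for cpol-data-sync-create and cpol-data-sync-delete-downstream, no `exclude` for system namespaces, so any `Pod/exec` request in any namespace while the policy is installed generates a `zk-kafka-address` ConfigMap there, and 99-cleanup.yaml only removes the copy in `test-generate-exec`. Scoping the rule to the test namespace, e.g. adding `namespaces:` / `- test-generate-exec` under `resources:` alongside `kinds:`, or reusing the `exclude` block of the sibling policies, keeps the test from leaving ConfigMaps in unrelated namespaces on a shared cluster. The two inline comments on `generateExisting` and `synchronize` are useful; a third on the `{{request.namespace}}` target (the generated object lands in the namespace of the exec request) would complete the picture.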
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-assert.yaml new file mode 100644 index 0000000000..81e6d561a0 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-create-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-ns.yaml new file mode 100644 index 0000000000..06bc648e89 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-create-ns \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/README.md new file mode 100644 index 0000000000..1a6d9f9309 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/README.md @@ -0,0 +1,3 @@ +# Title + +This is a generate test to ensure a generate policy using a data declaration with sync enabled creates a downstream ConfigMap when matching a new Namespace. diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/01-assert.yaml new file mode 100644 index 0000000000..1dc2717dc1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-delete-downstream-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/01-manifests.yaml new file mode 100644 index 0000000000..b7d54f7f32 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/01-manifests.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-delete-downstream-policy +spec: + generateExisting: false + rules: + - name: cpol-data-sync-delete-downstream-rule + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/02-assert.yaml new file mode 100644 index 0000000000..514c3314f8 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/02-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-delete-downstream-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/02-ns.yaml new file mode 100644 index 0000000000..e38924d1d0 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/02-ns.yaml 
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-delete-downstream-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/03-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/03-delete.yaml new file mode 100644 index 0000000000..eaf29f7030 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/03-delete.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: cpol-data-sync-delete-downstream-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/04-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/04-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/05-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/05-assert.yaml new file mode 100644 index 0000000000..514c3314f8 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/05-assert.yaml 
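Review bot: `creationTimestamp: null` and `timeouts: {}` in the 03-delete and 04-sleep TestSteps are marshalling artifacts (zero-valued fields written out by a struct serializer) rather than configuration: `creationTimestamp` is server-populated and never meaningful in a file, and `timeouts: {}` is equivalent to omitting the key. Dropping both lines from each TestStep changes nothing at run time and makes the step files read as hand-written intent. The same two lines recur in every TestStep added by this change, so it is presumably the output of a migration tool rather than a deliberate choice.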
@@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-delete-downstream-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/README.md new file mode 100644 index 0000000000..6c4c8bc164 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that when a standard generate policy with data type and sync enabled is used, deletion of the generated/downstream resource causes Kyverno to re-create the resource. + +## Expected Behavior + +If the resource is recreated, the test passes. If it is not, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/01-assert.yaml new file mode 100644 index 0000000000..4ef4ec7643 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-delete-one-trigger +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/01-manifests.yaml new file mode 100644 index 0000000000..0ab119f67f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/01-manifests.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-delete-one-trigger-ns +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-delete-one-trigger +spec: + failurePolicy: Fail + validationFailureAction: Enforce + background: false + rules: + - name: replicate + match: + all: + - resources: + kinds: + - v1/ConfigMap + selector: + matchLabels: + replicate: "true" + generate: + apiVersion: v1 + kind: ConfigMap + name: "{{ request.object.metadata.name }}-replicated" + namespace: "{{ request.object.metadata.namespace }}" + synchronize: true + data: + data: "{{ request.object.data }}" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/02-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/02-check.yaml new file mode 100644 index 0000000000..9f3276d72b --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/02-check.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - apply: + file: trigger-1.yaml + - apply: + file: trigger-others.yaml + - assert: + file: target-1.yaml + - assert: + file: target-others.yaml 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/03-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/03-delete.yaml
new file mode 100644
index 0000000000..18ce624cdd
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/03-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: foosource-1
+ namespace: cpol-data-sync-delete-one-trigger-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/05-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/05-check.yaml
new file mode 100644
index 0000000000..e5ea36a034
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/05-check.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: target-1.yaml
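Review bot: The 05-check step only verifies that `foosource-1-replicated` is gone (`error: file: target-1.yaml`) and never re-checks that `foosource-2-replicated` and `foosource-3-replicated` survived, so a regression that removes every downstream when a single trigger is deleted — the issue-7535 scenario the README in this change describes — would still pass. Add `- assert:` / `  file: target-others.yaml` after the `error` entry in the `try` list so the step fails if the other two ConfigMaps disappear as well. If chainsaw polls both `error` and `assert` up to the step timeout, the fixed `sleep 3` step before it is redundant, but that depends on chainsaw semantics not visible here.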
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/README.md new file mode 100644 index 0000000000..bfe80d3c35 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that deletion of a trigger resource, with a generate data declaration and sync enabled, results in its corresponding downstream resource's deletion. + +## Expected Behavior + +If the downstream resource `foosource-1-replicated` is deleted while the other two `foosource-2-replicated` and `foosource-3-replicated` remain, the test passes. If not, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7535 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/target-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/target-1.yaml new file mode 100644 index 0000000000..dbf16cce43 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/target-1.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: foosource-1-replicated + namespace: cpol-data-sync-delete-one-trigger-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/target-others.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/target-others.yaml new file mode 100644 index 0000000000..de4baf136e --- /dev/null 
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/target-others.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: foosource-2-replicated + namespace: cpol-data-sync-delete-one-trigger-ns +--- +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: foosource-3-replicated + namespace: cpol-data-sync-delete-one-trigger-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/trigger-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/trigger-1.yaml new file mode 100644 index 0000000000..c7207adaa7 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/trigger-1.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: foosource-1 + namespace: cpol-data-sync-delete-one-trigger-ns + labels: + replicate: "true" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/trigger-others.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/trigger-others.yaml new file mode 100644 index 0000000000..2d4efdb572 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-one-trigger/trigger-others.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: foosource-2 + namespace: cpol-data-sync-delete-one-trigger-ns + labels: + replicate: "true" +--- +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: foosource-3 + namespace: cpol-data-sync-delete-one-trigger-ns + labels: + replicate: "true" \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-assert.yaml new file mode 100644 index 0000000000..daed8b6b35 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-delete-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-manifests.yaml new file mode 100644 index 0000000000..9b199934d6 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/01-manifests.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-delete-policy +spec: + generateExisting: false + rules: + - name: cpol-data-sync-delete-rule + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-assert.yaml new file mode 100644 index 0000000000..6dcd9775cb --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-delete-policy-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-ns.yaml new file mode 100644 index 0000000000..3410a2282f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-delete-policy-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/03-assert.yaml new file mode 100644 index 0000000000..6dcd9775cb --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/03-assert.yaml 
@@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-delete-policy-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-errors.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-errors.yaml new file mode 100644 index 0000000000..c2c9de8721 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-errors.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: zk-kafka-address + namespace: cpol-data-sync-delete-policy-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-policy-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-policy-delete.yaml new file mode 100644 index 0000000000..6af5a6adcc --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/04-policy-delete.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy-delete +spec: + timeouts: {} + try: + - delete: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: cpol-data-sync-delete-policy diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/README.md new file mode 100644 index 0000000000..e4636d9dc5 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/README.md @@ -0,0 +1,3 @@ +# Title + +This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled deletes the downstream ConfigMap when matching a new Namespace. diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/01-clusterpolicy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/01-clusterpolicy.yaml new file mode 100644 index 0000000000..69291cfc10 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/01-clusterpolicy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: clusterpolicy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/02-ns.yaml new file mode 100644 index 0000000000..0a93002b9a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-delete-rule \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/03-check.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/03-check.yaml new file mode 100644 index 0000000000..dcf0118adc --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/03-check.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - assert: + file: secret.yaml + - assert: + file: configmap.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/04-delete-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/04-delete-rule.yaml new file mode 100644 index 0000000000..714d46270c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/04-delete-rule.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete-rule +spec: + timeouts: {} + try: + - apply: + file: delete-rule.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/05-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/05-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/06-checks.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/06-checks.yaml new file mode 100644 index 0000000000..3c423fa10a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/06-checks.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: checks +spec: + timeouts: {} + try: + - assert: + file: secret.yaml + - error: + file: configmap.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/README.md new file mode 100644 index 0000000000..628111ceaa --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that deletion of a rule in a ClusterPolicy generate rule, data declaration, with sync enabled, results in the downstream resource's deletion. + +## Expected Behavior + +The downstream (generated) resource is expected to be deleted if the corresponding rule within a ClusterPolicy is deleted. If it is not deleted, the test fails. If it is deleted, the test passes. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/5744 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/configmap.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/configmap.yaml new file mode 100644 index 0000000000..860b6bb8f1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-delete-rule \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/delete-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/delete-rule.yaml new file mode 100644 index 0000000000..d24c7e4397 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/delete-rule.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: multiple-gens +spec: + generateExisting: false + rules: + - name: super-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: Secret + name: supersecret + namespace: "{{request.object.metadata.name}}" + data: + kind: Secret + type: Opaque + metadata: + labels: + somekey: somesecretvalue + data: + mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/policy-ready.yaml new file mode 100644 index 0000000000..1a5b4fb467 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: multiple-gens +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/policy.yaml new file mode 100644 index 0000000000..4176708f9a --- /dev/null 
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/policy.yaml @@ -0,0 +1,63 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: multiple-gens +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" + - name: super-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: Secret + name: supersecret + namespace: "{{request.object.metadata.name}}" + data: + kind: Secret + type: Opaque + metadata: + labels: + somekey: somesecretvalue + data: + mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/secret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/secret.yaml new file mode 100644 index 0000000000..5ca961ce2f --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl +kind: Secret +metadata: + labels: + somekey: somesecretvalue + name: supersecret + namespace: cpol-data-sync-delete-rule +type: Opaque \ No newline at end of file 
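Review bot: The `super-secret` rule embeds the Secret body inline (`mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl`, base64 of `mysupersecretvalue`) in a cluster-scoped ClusterPolicy, so anyone who can read ClusterPolicies can read the material that will be stamped into every non-excluded Namespace; for a conformance fixture with a dummy value that is acceptable, but the fixture should say so rather than look like a pattern to copy. Add `# dummy value for the test only; real policies should not carry secret material inline in a cluster-scoped policy` above the `data:` map in both policy.yaml and delete-rule.yaml. policy.yaml also ends without a trailing newline.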
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/01-assert.yaml
new file mode 100644
index 0000000000..a99c1c7125
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/01-assert.yaml
@@ -0,0 +1,15 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-delete-trigger
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: cpol-data-sync-delete-trigger-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/01-manifests.yaml
new file mode 100644
index 0000000000..f602fab56a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/01-manifests.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-sync-delete-trigger-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: cpol-data-sync-delete-trigger-ns
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-delete-trigger
+spec:
+ rules:
+ - name: default-deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: default-deny
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: true
+ data:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
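Review bot: Nothing in this test asserts that the `default-deny` NetworkPolicy was ever generated before the trigger is removed: 01-assert checks only the policy's Ready condition and the `test-org` ConfigMap, the next visible step (02-delete) deletes the trigger, and 04-errors then passes vacuously if generation never happened. Because `test-org` is applied before the ClusterPolicy in the same manifest and `generateExisting` is not set, I would expect the rule not to fire for it at admission at all — worth confirming against Kyverno's generate semantics, but either way the test needs a positive check. Add an assert step between 01 and 02 containing `apiVersion: networking.k8s.io/v1`, `kind: NetworkPolicy` and `metadata: {name: default-deny, namespace: cpol-data-sync-delete-trigger-ns}`. Separately, the `match` carries no namespace scope, so while this test runs any ConfigMap created in any namespace (such as the `kube-root-ca.crt` ConfigMap the API server publishes into each new namespace) triggers a cluster-wide default-deny NetworkPolicy that can break concurrently running tests; scoping the match with `namespaces: [cpol-data-sync-delete-trigger-ns]` under `resources` keeps the blast radius inside this test.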
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/02-delete.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/02-delete.yaml new file mode 100644 index 0000000000..9dd0ba4696 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/02-delete.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: ConfigMap + name: test-org + namespace: cpol-data-sync-delete-trigger-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/03-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/03-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/04-errors.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/04-errors.yaml new file mode 100644 index 0000000000..57641d174e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/04-errors.yaml @@ -0,0 +1,9 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: cpol-data-sync-delete-trigger-ns +spec: + policyTypes: + - Ingress + - Egress \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/README.md new file mode 100644 index 0000000000..2dee2bdee2 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-trigger/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that deletion of a trigger resource, with a generate data declaration and sync enabled, results in the downstream resource's deletion. + +## Expected Behavior + +If the downstream resource is deleted, the test passes. If it remains, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/2229 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/01-rbac.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/01-rbac.yaml new file mode 100644 index 0000000000..8b080eed9e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/01-rbac.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:background-controller:pdb +rules: +- apiGroups: + - '*' + resources: + - poddisruptionbudgets + verbs: + - create + - update + - patch + - delete + - get + - list 
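Review bot: The ClusterRole in 01-rbac.yaml grants create/update/patch/delete on `poddisruptionbudgets` in every API group via `apiGroups: ['*']`, which is broader than the test needs. PodDisruptionBudget lives only in the `policy` group (the policy in this test generates `apiVersion: policy/v1`), so `- policy` in place of `- '*'` is the least-privilege form and still covers the resource being generated. The labels suggest this role is intended to be aggregated into the background controller's permissions; if so, a wildcard group would also extend the grant to any future CRD that happens to use the same resource name.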
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/01-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/01-trigger.yaml new file mode 100644 index 0000000000..b23c3d117a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/01-trigger.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-existing-update-trigger-no-precondition-ns +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test + namespace: cpol-data-sync-existing-update-trigger-no-precondition-ns +spec: + selector: + matchLabels: + app.kubernetes.io/instance: test + app.kubernetes.io/name: nginx + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/instance: test + app.kubernetes.io/name: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/02-assert.yaml new file mode 100644 index 0000000000..91808cd3e9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/02-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-existing-update-trigger-no-precondition +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/02-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/02-manifests.yaml new file mode 100644 index 0000000000..ff7a18afc0 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/02-manifests.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-existing-update-trigger-no-precondition +spec: + generateExisting: true + rules: + - name: create-default-pdb + match: + all: + - resources: + kinds: + - Deployment + - StatefulSet + preconditions: + all: + - key: "{{ request.object.spec.replicas }}" + operator: GreaterThan + value: 1 + generate: + synchronize: true + apiVersion: policy/v1 + kind: PodDisruptionBudget + name: "{{request.object.metadata.name}}-default" + namespace: "{{request.object.metadata.namespace}}" + data: + spec: + minAvailable: 50% + selector: + matchLabels: >- + {{ not_null(request.object.spec.selector.matchLabels, request.object.spec.template.metadata.labels) }} diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/03-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/03-update-trigger.yaml new file mode 100644 index 0000000000..596df3a432 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/03-update-trigger.yaml 
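Review bot: Between applying the policy in 02-manifests.yaml (with `generateExisting: true`, while the trigger has `replicas: 1`) and scaling the trigger to 2 replicas in 03-update-trigger.yaml, nothing asserts that the `test-default` PDB is absent, so a precondition that is ignored for existing resources would go unnoticed and step 04 would still pass. I'd add a step before the scale-up with `error: {file: downstream.yaml}` to pin that the PDB does not yet exist. The `matchLabels: >- {{ not_null(...) }}` folded scalar hands Kyverno a plain string to substitute, which is fine, but a one-line comment noting that the expression is expected to resolve to a label map would help readers unfamiliar with the folding.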
@@ -0,0 +1,23 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test + namespace: cpol-data-sync-existing-update-trigger-no-precondition-ns +spec: + selector: + matchLabels: + app.kubernetes.io/instance: test + app.kubernetes.io/name: nginx + replicas: 2 + template: + metadata: + labels: + app.kubernetes.io/instance: test + app.kubernetes.io/name: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/04-downstream-created.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/04-downstream-created.yaml new file mode 100644 index 0000000000..e515801d11 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/04-downstream-created.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: downstream-created +spec: + timeouts: {} + try: + - assert: + file: downstream.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/05-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/05-update-trigger.yaml new file mode 100644 index 0000000000..0b4264ff54 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/05-update-trigger.yaml 
@@ -0,0 +1,23 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test + namespace: cpol-data-sync-existing-update-trigger-no-precondition-ns +spec: + selector: + matchLabels: + app.kubernetes.io/instance: test + app.kubernetes.io/name: nginx + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/instance: test + app.kubernetes.io/name: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/06-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/06-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/06-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/07-downstream-deleted.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/07-downstream-deleted.yaml new file mode 100644 index 0000000000..f01c4fabad --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/07-downstream-deleted.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: downstream-deleted +spec: + timeouts: {} + try: + - error: + file: downstream.yaml 
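Review bot: 07-downstream-deleted.yaml relies on the preceding `sleep 3` in 06-sleep.yaml to give the background controller time to remove the PDB once replicas drop to 1, which makes the outcome timing-dependent. If chainsaw's `error` operation polls until its timeout, replacing `timeouts: {}` with `timeouts: {error: 30s}` on the 07 step and dropping the sleep expresses the wait explicitly; if it does not, a comment on the sleep step saying why 3s was chosen would help the next maintainer. 05-update-trigger.yaml re-applies the entire Deployment to change one field; a `patch` carrying only `spec: {replicas: 1}` would make the intended change obvious in review.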
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/README.md new file mode 100644 index 0000000000..bc6af6d614 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that updates to a trigger which cause it to no longer match a precondition of the rule, with a generate data declaration and sync enabled, results in the downstream resource's deletion. + +## Expected Behavior + +If the downstream resource is deleted, the test passes. If it remains, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7481 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/downstream.yaml new file mode 100644 index 0000000000..17cbd08458 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/downstream.yaml @@ -0,0 +1,11 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: test-default + namespace: cpol-data-sync-existing-update-trigger-no-precondition-ns +spec: + minAvailable: 50% + selector: + matchLabels: + app.kubernetes.io/instance: test + app.kubernetes.io/name: nginx 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/01-assert.yaml new file mode 100644 index 0000000000..f16b1b504a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-modify-downstream-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/01-manifests.yaml new file mode 100644 index 0000000000..01c7819971 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/01-manifests.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-modify-downstream-policy +spec: + generateExisting: false + rules: + - name: cpol-data-sync-modify-downstream-rule + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/02-assert.yaml new file mode 100644 index 0000000000..7cc37c9100 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/02-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: trainer \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/02-ns.yaml new file mode 100644 index 0000000000..6e40cd509b --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: trainer \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/03-modify.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/03-modify.yaml new file mode 100644 index 0000000000..ba4ccf2b64 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/03-modify.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: ichangedthis +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: trainer \ No newline at end of file 
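Review bot: The trigger namespace in 02-ns.yaml is named `trainer`, unlike the other tests in this directory which use a test-specific name such as `cpol-data-sync-modify-rule-ns`, so this test can collide with any other test or pre-existing namespace of that name when the suite runs in parallel or against a shared cluster. Renaming it to `cpol-data-sync-modify-downstream-ns` in 02-ns.yaml, 02-assert.yaml and 03-modify.yaml removes the shared-name risk. Note also that the policy's `exclude` list in 01-manifests.yaml carves out only four system namespaces, so every other namespace present in the cluster receives the generated ConfigMap as well.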
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/04-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/04-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/04-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/05-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/05-assert.yaml new file mode 100644 index 0000000000..7cc37c9100 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/05-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: trainer \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/README.md new file mode 100644 index 0000000000..afc0164abd --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/README.md 
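Review bot: 05-assert.yaml checks that `ZK_ADDRESS` is back to the rule's value after the sleep, but nothing verifies that the `ichangedthis` edit from 03-modify.yaml was actually persisted first, so the test cannot distinguish "Kyverno synced it back" from "the update was accepted but never took effect" (for instance if a mutating webhook rewrote it on the way in). Adding an assert step immediately after 03 with `data: {ZK_ADDRESS: ichangedthis}` pins the intermediate state. As elsewhere, the fixed `sleep 3` is a timing assumption; `timeouts: {assert: 30s}` on the 05 step would make the wait explicit instead.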
@@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that when a standard generate policy with data type and sync enabled is used, modification of the generated/downstream resource causes Kyverno to sync the resource from the definition in the rule. + +## Expected Behavior + +If the resource is synced from the definition in the rule, the test passes. If it is not and remains in the modified state, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/01-assert.yaml new file mode 100644 index 0000000000..95ad2710fb --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-modify-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/01-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/01-policy.yaml new file mode 100644 index 0000000000..5ce53b979a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/01-policy.yaml 
@@ -0,0 +1,31 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-modify-policy +spec: + admission: true + background: true + rules: + - generate: + apiVersion: v1 + data: + spec: + hard: + limits.cpu: "8" + limits.memory: 16Gi + requests.cpu: "4" + requests.memory: 16Gi + kind: ResourceQuota + name: default-resourcequota + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + names: + - gemini-* + name: cpol-data-sync-modify-rule + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/02-ns.yaml new file mode 100644 index 0000000000..c9de1a467e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: gemini-ape diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/03-assert.yaml new file mode 100644 index 0000000000..da6cadb6d1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/03-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ResourceQuota +metadata: + name: default-resourcequota + namespace: gemini-ape +spec: + hard: + requests.cpu: '4' + requests.memory: '16Gi' + limits.cpu: '8' + limits.memory: '16Gi' \ No newline at end of file 
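Review bot: `validationFailureAction: Audit` in 01-policy.yaml governs validate rules and, as far as I can tell, has no effect on a policy whose only rule is a generate rule, so it reads as copied boilerplate and suggests an audit-only behaviour that does not exist here; dropping it, or annotating it with `# no effect for generate rules`, avoids the confusion. The `names: - gemini-*` wildcard is wider than the single `gemini-ape` namespace the test creates, which is fine for the scenario but worth a comment stating the intent. The `hard` block mixes quoted (`"8"`) and unquoted (`16Gi`) scalars; quoting all four keeps them uniformly strings.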
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/04-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/04-assert.yaml new file mode 100644 index 0000000000..564bdc4436 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/04-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-modify-policy +spec: + rules: + - name: cpol-data-sync-modify-rule + generate: + data: + spec: + hard: + limits.cpu: '9' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/04-modify-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/04-modify-policy.yaml new file mode 100644 index 0000000000..e8624a4927 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/04-modify-policy.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-modify-policy +spec: + admission: true + background: true + rules: + - generate: + apiVersion: v1 + data: + spec: + hard: + limits.cpu: "9" + limits.memory: 16Gi + requests.cpu: "4" + requests.memory: 16Gi + kind: ResourceQuota + name: default-resourcequota + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + names: + - gemini-* + name: cpol-data-sync-modify-rule + validationFailureAction: Audit 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/05-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/05-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/06-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/06-assert.yaml new file mode 100644 index 0000000000..48c62ecc95 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/06-assert.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ResourceQuota +metadata: + name: default-resourcequota + namespace: gemini-ape +spec: + hard: + limits.cpu: "9" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/README.md new file mode 100644 index 0000000000..73b4b64373 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-policy/README.md 
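Review bot: 06-assert.yaml only checks `limits.cpu: "9"` on the synced ResourceQuota, so a sync that rewrote `hard` with just the changed key (dropping `limits.memory`, `requests.cpu` and `requests.memory`) would still pass. I'd assert the full `hard` block as 03-assert.yaml does: `limits.cpu: "9"`, `limits.memory: 16Gi`, `requests.cpu: "4"`, `requests.memory: 16Gi`. The `sleep 3` in 05-sleep.yaml before it is a timing assumption; an explicit `timeouts: {assert: 30s}` on the assert step would express the wait intentionally.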
@@ -0,0 +1,11 @@ +## Description + +This test verifies the synchronize behavior of generated data resource, if the data pattern is modified in the policy rule, the changes should be synchronized to the downstream generated resource. + +## Expected Behavior + +This test ensures that update of the generate data rule gets synchronized to the downstream generated resource, otherwise the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/4222 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-assert.yaml new file mode 100644 index 0000000000..a74a39118d --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-manifests.yaml new file mode 100644 index 0000000000..3b64251bed --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/01-manifests.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + generateExisting: true + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-assert.yaml new file mode 100644 index 0000000000..911f9a96e5 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-modify-rule-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-ns.yaml new file mode 100644 index 0000000000..6f10523849 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/02-ns.yaml 
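Review bot: The policy in 01-manifests.yaml matches every Namespace with `generateExisting: true` and `synchronize: true`, excluding only `kube-system`, `default`, `kube-public` and `kyverno`, so it will create and keep syncing a `zk-kafka-address` ConfigMap in every other namespace in the test cluster, including `kube-node-lease` and namespaces belonging to concurrently running tests. Scoping the match to the test's own namespace, e.g. `names: - cpol-data-sync-modify-rule-ns` under `resources`, confines the side effect and still exercises the sync path. The rule name `k-kafka-address` also looks like a truncation of the policy name `zk-kafka-address`.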
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-modify-rule-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-assert.yaml new file mode 100644 index 0000000000..aac32e43f7 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-modify-rule-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-policy-update.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-policy-update.yaml new file mode 100644 index 0000000000..66e42381a8 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/03-policy-update.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + generateExisting: true + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/README.md new file mode 100644 index 0000000000..10c3b6432d --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/README.md @@ -0,0 +1,3 @@ +# Title + +This is a generate test to ensure a generate policy using a data declaration with sync enabled and modifying the policy/rule propagates those changes to a downstream ConfigMap. diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/01-rbac.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/01-rbac.yaml new file mode 100644 index 0000000000..8b080eed9e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/01-rbac.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:background-controller:pdb +rules: +- apiGroups: + - '*' + resources: + - poddisruptionbudgets + verbs: + - create + - update + - patch + - delete + - get + - list diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/02-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/02-assert.yaml new file mode 100644 index 0000000000..336359be29 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/02-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-no-existing-update-trigger-no-precondition +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/02-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/02-manifests.yaml new file mode 100644 index 0000000000..df95a14deb --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/02-manifests.yaml 
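Review bot: `apiGroups: ['*']` in 01-rbac.yaml grants the poddisruptionbudget write verbs in every API group, while the only resource this test generates is `policy/v1` PodDisruptionBudget; `- policy` is the least-privilege form. This file is byte-identical to the one in cpol-data-sync-existing-update-trigger-no-precondition (same blob id 8b080eed9e), so if both tests need it, a single shared fixture referenced by path would keep the two from drifting apart.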
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-no-existing-update-trigger-no-precondition
+spec:
+ rules:
+ - name: create-default-pdb
+ match:
+ all:
+ - resources:
+ kinds:
+ - Deployment
+ - StatefulSet
+ preconditions:
+ all:
+ - key: "{{ request.object.spec.replicas }}"
+ operator: GreaterThan
+ value: 1
+ generate:
+ synchronize: true
+ apiVersion: policy/v1
+ kind: PodDisruptionBudget
+ name: "{{request.object.metadata.name}}-default"
+ namespace: "{{request.object.metadata.namespace}}"
+ data:
+ spec:
+ minAvailable: 50%
+ selector:
+ matchLabels: >-
+ {{ not_null(request.object.spec.selector.matchLabels, request.object.spec.template.metadata.labels) }}
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/03-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/03-trigger.yaml
new file mode 100644
index 0000000000..475f98e920
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/03-trigger.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-sync-no-existing-update-trigger-no-precondition-ns
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test
+ namespace: cpol-data-sync-no-existing-update-trigger-no-precondition-ns
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/name: nginx
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/name: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
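Review bot: The precondition `{{ request.object.spec.replicas }}` GreaterThan 1 in 02-manifests.yaml is the mechanism the whole test turns on, but nothing in the policy says so; the trigger is created with `replicas: 2` here and the later update step lowers it to `replicas: 1`, which is what should make the PDB go away. A comment on the precondition, e.g. `# 05-update-trigger.yaml drops replicas to 1 so this stops matching and the PDB must be removed`, would keep the fixture self-explanatory. Separately, a Deployment that omits `spec.replicas` is valid, and how this key evaluates when the field is absent is not visible here; worth confirming the fixture never relies on that path.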
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/04-downstream-created.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/04-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/04-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/05-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/05-update-trigger.yaml
new file mode 100644
index 0000000000..6273247d87
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/05-update-trigger.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test
+ namespace: cpol-data-sync-no-existing-update-trigger-no-precondition-ns
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/name: nginx
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/name: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/06-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/06-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/06-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/07-downstream-deleted.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/07-downstream-deleted.yaml
new file mode 100644
index 0000000000..f01c4fabad
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/07-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/README.md
new file mode 100644
index 0000000000..bc6af6d614
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/README.md
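Review bot: The `sleep` step in 06-sleep.yaml hard-codes three seconds as the time the background controller is given to remove the downstream resource before the next `error:` step runs, and the same fixed-sleep step is repeated in the 05-sleep, 03-sleep and 06-sleep files of the other test directories in this change. Whether the following `error:` step already retries up to its own timeout (the `timeouts: {}` here leaves that to defaults) is not visible in this diff; if it does, the sleep only slows the suite, and if it does not, a fixed three seconds is a classic flake source on loaded CI runners. A short comment on the step stating why the delay is needed, e.g. `# give the background controller time to reconcile the trigger update before checking deletion`, would at least make the intent reviewable; a larger budget via `timeouts` on the `error:` step is the more robust option if the framework retries.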
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match a precondition of the rule, with a generate data declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7481
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/downstream.yaml
new file mode 100644
index 0000000000..e94f2c2b82
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-no-existing-update-trigger-no-precondition/downstream.yaml
@@ -0,0 +1,11 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: test-default
+ namespace: cpol-data-sync-no-existing-update-trigger-no-precondition-ns
+spec:
+ minAvailable: 50%
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/name: nginx
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/01-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/01-assert.yaml
new file mode 100644
index 0000000000..bc2b26e0f5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-update-trigger-no-match
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
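Review bot: The readiness assertion in cpol-data-sync-update-trigger-no-match/01-assert.yaml uses `apiVersion: kyverno.io/v2beta1`, while the policy it waits for (01-manifests.yaml) and every other `*-assert.yaml` and `policy-ready.yaml` in this change use `kyverno.io/v1`. If both versions are served the assertion will likely still resolve the same object, but the mismatch is the one place in the suite that would break first if the beta version were dropped, and it makes the fixtures harder to grep consistently. Suggest `apiVersion: kyverno.io/v1` to match the manifest being asserted.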
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/01-manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/01-manifests.yaml
new file mode 100644
index 0000000000..d8b04b35d3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/01-manifests.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-update-trigger-no-match
+spec:
+ rules:
+ - name: default-deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ selector:
+ matchLabels:
+ create-netpol: "true"
+ generate:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: default-deny
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: true
+ data:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/02-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/02-trigger.yaml
new file mode 100644
index 0000000000..67fc4f5b60
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/02-trigger.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-sync-update-trigger-no-match-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-netpol: "true"
+ name: test-org
+ namespace: cpol-data-sync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/03-downstream-created.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/03-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/03-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/04-update-trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/04-update-trigger.yaml
new file mode 100644
index 0000000000..ac0fe9f998
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/04-update-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-netpol: "false"
+ name: test-org
+ namespace: cpol-data-sync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/05-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/06-downstream-deleted.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/06-downstream-deleted.yaml
new file mode 100644
index 0000000000..f01c4fabad
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/06-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/README.md
new file mode 100644
index 0000000000..677ad9e553
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match the rule, with a generate data declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6507
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/downstream.yaml
new file mode 100644
index 0000000000..bcd095480d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-update-trigger-no-match/downstream.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: cpol-data-sync-update-trigger-no-match-ns
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/01-existing.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/01-existing.yaml
new file mode 100644
index 0000000000..744628914f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/01-existing.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: existing
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: existing-resources.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/02-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/02-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/04-checks.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/04-checks.yaml
new file mode 100644
index 0000000000..98b5d7061e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/04-checks.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: checks
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: netpol-blue.yaml
+ - error:
+ file: netpol-yellow.yaml
+ - error:
+ file: netpol-summer.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/05-add-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/05-add-rule.yaml
new file mode 100644
index 0000000000..1598cbec40
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/05-add-rule.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: add-rule
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: add-rule.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/06-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/06-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/06-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/07-checks.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/07-checks.yaml
new file mode 100644
index 0000000000..03d47dcd66
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/07-checks.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: checks
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: netpol-blue.yaml
+ - assert:
+ file: netpol-yellow.yaml
+ - error:
+ file: netpol-summer.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/README.md
new file mode 100644
index 0000000000..1ddf1dde73
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic creation test for a "generate existing" policy. It checks that the basic functionality works whereby creation of a new rule causes correct evaluation of the match block resulting in generation of resources in only the matching result.
+
+## Expected Behavior
+
+If both `blue-ns` and `yellow-ns` Namespaces receive a generated NetworkPolicy, and `summer-ns` does not receive a NetworkPolicies, the test passes. Otherwise the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6471
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml
new file mode 100644
index 0000000000..2bebbe7ce1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml
@@ -0,0 +1,55 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-add-rule-data
+spec:
+ generateExisting: true
+ rules:
+ - name: existing-basic-create-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ color: blue
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ - name: existing-basic-add-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ color: yellow
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/existing-resources.yaml
new file mode 100644
index 0000000000..e557f9b4be
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/existing-resources.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: blue-ns
+ labels:
+ color: blue
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: yellow-ns
+ labels:
+ color: yellow
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: summer-ns
+ labels:
+ season: summer
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/netpol-blue.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/netpol-blue.yaml
new file mode 100644
index 0000000000..9940a77b72
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/netpol-blue.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: blue-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/netpol-summer.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/netpol-summer.yaml
new file mode 100644
index 0000000000..17817fb4a0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/netpol-summer.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: summer-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/netpol-yellow.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/netpol-yellow.yaml
new file mode 100644
index 0000000000..f5530dd351
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/netpol-yellow.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: yellow-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/policy-ready.yaml
new file mode 100644
index 0000000000..587423b2c2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-add-rule-data
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/policy.yaml
new file mode 100644
index 0000000000..fd47a1770b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-add-rule-data
+spec:
+ generateExisting: true
+ rules:
+ - name: existing-basic-create-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ color: blue
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/01-existing.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/01-existing.yaml
new file mode 100644
index 0000000000..744628914f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/01-existing.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: existing
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: existing-resources.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/02-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/02-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/04-checks.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/04-checks.yaml
new file mode 100644
index 0000000000..77c1a0bad1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/04-checks.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: checks
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: generated-resources.yaml
+ - error:
+ file: fail-generated-resources.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/README.md
new file mode 100644
index 0000000000..b84820f916
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic creation test for a "generate existing" policy. It checks that the basic functionality works whereby installation of the policy causes correct evaluation of the match block resulting in generation of resources in only the matching result.
+
+## Expected Behavior
+
+If only the `red-ns` Namespace receives a generated NetworkPolicy, the test passes. If either it does not or `green-ns` or `winter-ns` receive NetworkPolicies, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/existing-resources.yaml
new file mode 100644
index 0000000000..6825003a17
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/existing-resources.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: red-ns
+ labels:
+ color: red
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: green-ns
+ labels:
+ color: green
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: winter-ns
+ labels:
+ season: winter
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/fail-generated-resources.yaml
new file mode 100644
index 0000000000..70315eb977
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/fail-generated-resources.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: green-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: winter-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/generated-resources.yaml
new file mode 100644
index 0000000000..e6ae5538f2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/generated-resources.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: red-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/policy-ready.yaml
new file mode 100644
index 0000000000..325e7aa152
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-create-policy-data
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/policy.yaml
new file mode 100644
index 0000000000..cb262bdbfc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-create-policy-data
+spec:
+ generateExisting: true
+ rules:
+ - name: existing-basic-create-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ color: red
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/01-existing.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/01-existing.yaml
new file mode 100644
index 0000000000..744628914f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/01-existing.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: existing
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: existing-resources.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/02-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/02-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/03-sleep.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/04-checks.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/04-checks.yaml
new file mode 100644
index 0000000000..77c1a0bad1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/04-checks.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: checks
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: generated-resources.yaml
+ - error:
+ file: fail-generated-resources.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/README.md
new file mode 100644
index 0000000000..35232d3c6e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic creation test for a "generate existing" policy with preconditions. It checks that the basic functionality works whereby installation of the policy causes correct evaluation of the match and preconditions blocks.
+
+## Expected Behavior
+
+If only the `jupiter` Namespace receives a generated ConfigMap, the test passes. If either it does not or `venus` receives a ConfigMap, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/existing-resources.yaml
new file mode 100644
index 0000000000..51a708659c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/existing-resources.yaml
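Review bot: The `error:` check against `fail-generated-resources.yaml` in `04-checks.yaml` only proves the `venus` ConfigMap is absent at the instant it runs, and that instant is fixed solely by the `sleep 3` step in `03-sleep.yaml`. If the positive `assert:` polls until `generated-resources.yaml` matches, as its `timeouts` suggest, then ordering it first is what actually bounds the window, and the negative check would still pass spuriously if generation for `venus` were merely slower than the `jupiter` one. That ordering dependency is not stated anywhere; a comment on the step such as `# negative check: valid only because the preceding assert observed generation for jupiter complete` would keep a later reorder from silently weakening the test.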
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: jupiter
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-lb
+ namespace: jupiter
+spec:
+ ports:
+ - name: web
+ port: 80
+ protocol: TCP
+ targetPort: web
+ selector:
+ app.kubernetes.io/instance: jupiter-foobar
+ type: LoadBalancer
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: venus
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: redis
+ name: venus-clusterip-svc
+ namespace: venus
+spec:
+ ports:
+ - name: tcp-redis
+ port: 6379
+ protocol: TCP
+ targetPort: 6379
+ selector:
+ app.kubernetes.io/name: venus-redis
+ type: ClusterIP
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/fail-generated-resources.yaml
new file mode 100644
index 0000000000..e908e1a9d1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/fail-generated-resources.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ doeshavesvclb: "true"
+kind: ConfigMap
+metadata:
+ name: mylb-cm
+ namespace: venus
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/generated-resources.yaml
new file mode 100644
index 0000000000..24d219c6d7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/generated-resources.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ doeshavesvclb: "true"
+kind: ConfigMap
+metadata:
+ name: mylb-cm
+ namespace: jupiter
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/policy-ready.yaml
new file mode 100644
index 0000000000..f062f545d8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-create-policy-preconditions-data
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/policy.yaml
new file mode 100644
index 0000000000..077c830ccb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/policy.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-create-policy-preconditions-data
+spec:
+ generateExisting: true
+ rules:
+ - name: existing-basic-create-data-preconditions-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Service
+ preconditions:
+ any:
+ - key: "{{request.object.spec.type}}"
+ operator: Equals
+ value: LoadBalancer
+ generate:
+ kind: ConfigMap
+ apiVersion: v1
+ name: mylb-cm
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: true
+ data:
+ data:
+ doeshavesvclb: "true"
\ No newline at end of file
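Review bot: The match in `policy.yaml` selects every `Service` in the cluster with no namespace or label restriction, and with `generateExisting: true` Kyverno evaluates Services that already exist outside the `jupiter`/`venus` fixtures too, so any LoadBalancer Service elsewhere on the conformance cluster gets a `mylb-cm` ConfigMap generated into its namespace. On a cluster shared with other tests that is a cross-test side effect, and since the rule has `synchronize: true` those extra ConfigMaps presumably outlive this test unless something deletes the policy. The sibling `existing-basic-create-policy-data/policy.yaml` in this change scopes its match with `selector: matchLabels: color: red`; a label carried by the two fixture Services here (e.g. `selector: matchLabels: app.kubernetes.io/instance: jupiter-foobar`-style, on a test-specific label) would confine the rule the same way while still exercising the precondition.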
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/01-assert.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/01-assert.yaml
new file mode 100644
index 0000000000..9e7800b54f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/01-assert.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-clone-create-on-trigger-deletion-policy
+ namespace: pol-clone-create-on-trigger-deletion-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pol-clone-create-on-trigger-deletion-configmap
+ namespace: pol-clone-create-on-trigger-deletion-ns
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/01-manifests.yaml
new file mode 100644
index 0000000000..03d443fd09
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/01-manifests.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-clone-create-on-trigger-deletion-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pol-clone-create-on-trigger-deletion-configmap
+ namespace: pol-clone-create-on-trigger-deletion-ns
+data:
+ foo: bar
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: pol-clone-create-on-trigger-deletion-source-netowrkpolicy
+ namespace: pol-clone-create-on-trigger-deletion-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-clone-create-on-trigger-deletion-policy
+ namespace: pol-clone-create-on-trigger-deletion-ns
+spec:
+ rules:
+ - name: default-deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ operations:
+ - DELETE
+ generate:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: pol-clone-create-on-trigger-deletion-target-netowrkpolicy
+ namespace: pol-clone-create-on-trigger-deletion-ns
+ synchronize: true
+ clone:
+ namespace: pol-clone-create-on-trigger-deletion-ns
+ name: pol-clone-create-on-trigger-deletion-source-netowrkpolicy
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/02-delete.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/02-delete.yaml
new file mode 100644
index 0000000000..1e43d840a5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/02-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: pol-clone-create-on-trigger-deletion-configmap
+ namespace: pol-clone-create-on-trigger-deletion-ns
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/03-sleep.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/04-assert.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/04-assert.yaml
new file mode 100644
index 0000000000..372c42e449
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/04-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: pol-clone-create-on-trigger-deletion-target-netowrkpolicy
+ namespace: pol-clone-create-on-trigger-deletion-ns
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/README.md b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/README.md
new file mode 100644
index 0000000000..9e4c770b09
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-create-on-trigger-deletion/README.md
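Review bot: `04-assert.yaml` checks only `policyTypes` on the cloned NetworkPolicy, while the clone source declared in `01-manifests.yaml` also carries `podSelector: {}`; adding `podSelector: {}` under `spec:` in the assert would confirm the clone reproduced the source spec rather than merely that a NetworkPolicy of that name appeared. The same narrow assert is in `pol-data-create-on-trigger-deletion/04-assert.yaml`, where the rule's `data:` block likewise sets `podSelector: {}`. Separately, `netowrkpolicy` in the source/target names is a typo carried consistently through both files, so it is harmless, but it will be copied into future tests from here.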
@@ -0,0 +1,11 @@
+## Description
+
+This is a corner case test to ensure a generate clone rule, with sync enabled, can be triggered on the deletion of the trigger resource.
+
+## Expected Behavior
+
+If the downstream resource is created, the test passes. If it is not created, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6398
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/01-assert.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/01-assert.yaml
new file mode 100644
index 0000000000..92ae0cc530
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-sync-create-source-after-policy
+ namespace: pol-clone-sync-create-source-after-policy-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/01-manifests.yaml
new file mode 100644
index 0000000000..5ae065d89e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/01-manifests.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-clone-sync-create-source-after-policy-ns
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-sync-create-source-after-policy
+ namespace: pol-clone-sync-create-source-after-policy-ns
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: mynewsecret
+ namespace: pol-clone-sync-create-source-after-policy-ns
+ synchronize: true
+ clone:
+ namespace: pol-clone-sync-create-source-after-policy-ns
+ name: regcred
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: pol-clone-sync-create-source-after-policy-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/02-assert.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/02-assert.yaml
new file mode 100644
index 0000000000..c6722dee3e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mynewsecret
+ namespace: pol-clone-sync-create-source-after-policy-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/02-configmap.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/02-configmap.yaml
new file mode 100644
index 0000000000..387481152a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/02-configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: pol-clone-sync-create-source-after-policy-ns
+data:
+ food: cheese
+ day: monday
+ color: red
\ No newline at end of file
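Review bot: The clone source `regcred` that this test is meant to create *after* the policy sits in the same `01-manifests.yaml` as the Policy, so "after" rests only on document order within one apply step and on the policy being reconciled before the Secret is admitted, which the step does not wait for. Moving the Secret into its own step after the `01-assert.yaml` Ready check (e.g. a `02-source.yaml` applied before `02-configmap.yaml`) would make the ordering the test's name promises deterministic. `02-assert.yaml` also checks only that `mynewsecret` exists; asserting `type: Opaque` and `data: foo: YmFy` would show the clone actually copied the source content. The README in this directory says "created after the ClusterPolicy" while the manifest is a namespaced `kind: Policy`.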
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/README.md b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/README.md
new file mode 100644
index 0000000000..374df95f8e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-clone-sync-create-source-after-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a corner case test to ensure a clone rule is applied when the source is created after the ClusterPolicy.
+
+## Expected Behavior
+
+If the downstream resource is created, the test passes. If it is not created, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5411
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/01-assert.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/01-assert.yaml
new file mode 100644
index 0000000000..8c927b10b3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/01-assert.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-create-on-trigger-deletion
+ namespace: pol-create-on-trigger-deletion-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: pol-create-on-trigger-deletion-ns
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/01-manifests.yaml
new file mode 100644
index 0000000000..6f6de250a3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/01-manifests.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-create-on-trigger-deletion-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: pol-create-on-trigger-deletion-ns
+data:
+ foo: bar
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-create-on-trigger-deletion
+ namespace: pol-create-on-trigger-deletion-ns
+spec:
+ rules:
+ - name: default-deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ operations:
+ - DELETE
+ generate:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: default-deny
+ namespace: pol-create-on-trigger-deletion-ns
+ synchronize: true
+ data:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/02-delete.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/02-delete.yaml
new file mode 100644
index 0000000000..72b0f8c98c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/02-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: test-org
+ namespace: pol-create-on-trigger-deletion-ns
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/03-sleep.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/04-assert.yaml b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/04-assert.yaml
new file mode 100644
index 0000000000..6f49ddf828
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/04-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: pol-create-on-trigger-deletion-ns
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/README.md b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/README.md
new file mode 100644
index 0000000000..6923caf9e7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/cornercases/pol-data-create-on-trigger-deletion/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a corner case test to ensure a generate data rule, with sync enabled, can be triggered on the deletion of the trigger resource.
+
+## Expected Behavior
+
+If the downstream resource is created, the test passes. If it is not created, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6398
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/01-create.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/01-create.yaml
new file mode 100644
index 0000000000..1790d8c759
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/01-create.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: manifests.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/02-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/02-resource.yaml
new file mode 100644
index 0000000000..41ca0c2ab8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: create-cm.yaml
+ - assert:
+ file: cloned-secret.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/99-cleanup.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/99-cleanup.yaml
new file mode 100644
index 0000000000..d1de729516
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/99-cleanup.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: |
+ kubectl delete ur -A --all
+ kubectl delete -f cloned-secret.yaml --ignore-not-found=true
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/README.md
new file mode 100644
index 0000000000..73011b98bf
--- /dev/null
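Review bot: `kubectl delete ur -A --all` in the `99-cleanup.yaml` script removes every UpdateRequest in the cluster, not only the ones this test's policy produced, so if the conformance suite runs tests concurrently it can discard another generate test's pending work and make that test fail or pass for the wrong reason. Scoping the deletion to the UpdateRequests that belong to `pol-clone-nosync-create-policy` (by whatever selector Kyverno stamps on them), or a comment stating that these nosync tests must run serially, would make the intent explicit. The identical script is added in `pol-clone-nosync-delete-downstream/99-cleanup.yaml` and, by its file header, `pol-clone-nosync-delete-policy/99-cleanup.yaml`. The second line also only removes `newsecret`; it is presumably relied upon that chainsaw tears down `regcred`, `mycm` and the Policy it applied itself, which is worth stating since all three live in `default`.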
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks the basic creation behavior of a generate rule in a Policy (Namespaced) using a clone declaration with synchronize disabled.
+
+## Expected Behavior
+
+A resource should be generated via clone in the same Namespace as where the Policy is created. If the resource is created, the test passes. If the resource is not, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/cloned-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/cloned-secret.yaml
new file mode 100644
index 0000000000..9cbe3d6457
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/cloned-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/create-cm.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/create-cm.yaml
new file mode 100644
index 0000000000..088e22e931
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/create-cm.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: default
+data:
+ food: cheese
+ day: monday
+ color: red
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/manifests.yaml
new file mode 100644
index 0000000000..77603373c3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/manifests.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-create-policy
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-nosync-create-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: default
+ synchronize: false
+ clone:
+ name: regcred
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/policy-ready.yaml
new file mode 100644
index 0000000000..c409b525c3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-create-policy
+ namespace: default
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/01-create.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/01-create.yaml
new file mode 100644
index 0000000000..1790d8c759
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/01-create.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: manifests.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/02-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/02-resource.yaml
new file mode 100644
index 0000000000..41ca0c2ab8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: create-cm.yaml
+ - assert:
+ file: cloned-secret.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/03-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/04-delete-downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/04-delete-downstream.yaml
new file mode 100644
index 0000000000..c68533ff7b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/04-delete-downstream.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete-downstream
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/05-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/06-errors.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/06-errors.yaml
new file mode 100644
index 0000000000..1a47c4a978
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/06-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/99-cleanup.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/99-cleanup.yaml
new file mode 100644
index 0000000000..d1de729516
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/99-cleanup.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: |
+ kubectl delete ur -A --all
+ kubectl delete -f cloned-secret.yaml --ignore-not-found=true
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/README.md
new file mode 100644
index 0000000000..626e15b24f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a downstream (generated) resource resulting from a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result the downstream resource's recreation.
+
+## Expected Behavior
+
+The deleted downstream resource should remain deleted. If it is not recreated, the test passes. If it is cloned again from source, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/cloned-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/cloned-secret.yaml
new file mode 100644
index 0000000000..9cbe3d6457
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/cloned-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/create-cm.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/create-cm.yaml
new file mode 100644
index 0000000000..088e22e931
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/create-cm.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: default
+data:
+ food: cheese
+ day: monday
+ color: red
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/manifests.yaml
new file mode 100644
index 0000000000..77603373c3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/manifests.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-create-policy
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-nosync-create-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: default
+ synchronize: false
+ clone:
+ name: regcred
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/policy-ready.yaml
new file mode 100644
index 0000000000..c409b525c3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/policy-ready.yaml
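Review bot: `manifests.yaml` for `pol-clone-nosync-delete-downstream` declares its Policy as `pol-clone-nosync-create-policy` with rule `pol-clone-nosync-create-rule`, the names copied verbatim (same blob `77603373c3`) from the sibling `pol-clone-nosync-create` test, and both tests also put `regcred`, `mycm` and `newsecret` in `namespace: default`. If the two tests run concurrently, chainsaw's teardown of `default/pol-clone-nosync-create-policy` or either test's `kubectl delete -f cloned-secret.yaml` removes the other test's objects, and the `06-errors.yaml` absence check here could pass because the other test cleaned up rather than because no resync happened. Renaming to `pol-clone-nosync-delete-downstream-policy` / `-rule` in `manifests.yaml` and `policy-ready.yaml`, and using a test-specific Namespace instead of `default`, would isolate the two.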
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-create-policy
+ namespace: default
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/01-create.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/01-create.yaml
new file mode 100644
index 0000000000..1790d8c759
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/01-create.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: manifests.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/02-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/02-resource.yaml
new file mode 100644
index 0000000000..41ca0c2ab8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: create-cm.yaml
+ - assert:
+ file: cloned-secret.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/03-delete-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/03-delete-policy.yaml
new file mode 100644
index 0000000000..9eff3ac1ba
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/03-delete-policy.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete-policy
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: kyverno.io/v2beta1
+ kind: Policy
+ name: pol-clone-nosync-delete-policy
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/05-assert.yaml
new file mode 100644
index 0000000000..1a47c4a978
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/05-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/99-cleanup.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/99-cleanup.yaml
new file mode 100644
index 0000000000..d1de729516
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/99-cleanup.yaml
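Review bot: The 04-sleep step waits a fixed 3 seconds before 05-assert checks that `newsecret` still exists, and because an `assert` on a present object succeeds immediately, a Kyverno cleanup that is merely slower than 3 seconds also passes; a "still exists" check can only produce false passes when its window is too short. The same sleep-then-assert shape is used at L331, L336 and L340. The value is a bare magic number, so at minimum document it on the step, e.g. `# 3 s: window in which an (incorrect) cascading delete of the downstream would be observed`, and consider a longer window or a second assertion on a later step. The 05-assert file also checks only `metadata`; asserting the `data` of the clone as cloned-secret.yaml does would additionally catch a downstream that was replaced rather than retained.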
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: |
+ kubectl delete ur -A --all
+ kubectl delete -f cloned-secret.yaml --ignore-not-found=true
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/README.md
new file mode 100644
index 0000000000..60d37df22f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result in the downstream resource's deletion.
+
+## Expected Behavior
+
+The downstream (generated) resource is expected to remain if the Policy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/cloned-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/cloned-secret.yaml
new file mode 100644
index 0000000000..9cbe3d6457
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/cloned-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/create-cm.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/create-cm.yaml
new file mode 100644
index 0000000000..088e22e931
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/create-cm.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: default
+data:
+ food: cheese
+ day: monday
+ color: red
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/manifests.yaml
new file mode 100644
index 0000000000..6f42adcc0b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/manifests.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-delete-policy
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-nosync-delete-policy-cm
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: default
+ synchronize: false
+ clone:
+ name: regcred
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/policy-ready.yaml
new file mode 100644
index 0000000000..e4fa585828
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-delete-policy
+ namespace: default
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/01-create.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/01-create.yaml
new file mode 100644
index 0000000000..1790d8c759
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/01-create.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: manifests.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/02-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/02-resource.yaml
new file mode 100644
index 0000000000..edaf96dcbe
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/02-resource.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: create-cm.yaml
+ - assert:
+ file: cloned-secret.yaml
+ - assert:
+ file: cloned-limitrange.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/03-delete-rule.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/03-delete-rule.yaml
new file mode 100644
index 0000000000..316634fe88
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/03-delete-rule.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-delete-rule
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-nosync-delete-rule-lr
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: LimitRange
+ name: genlr
+ namespace: default
+ synchronize: false
+ clone:
+ name: sourcelr
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/05-assert.yaml
new file mode 100644
index 0000000000..ca3309e3e1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/05-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: default
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: genlr
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/99-cleanup.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/99-cleanup.yaml
new file mode 100644
index 0000000000..3796fd90b1
--- /dev/null
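Review bot: 03-delete-rule.yaml is a plain Policy manifest rather than a TestStep, so the "rule deletion" it performs is an apply of the whole Policy with only the `-lr` rule left, relying on the numbered-file convention to have it applied; nothing in the file says that, and a reader comparing it with manifests.yaml at L334 has to diff the two rule lists to find out. A header comment makes the intent explicit, e.g. `# Re-applies the Policy from manifests.yaml with the pol-clone-nosync-delete-rule-cm rule removed; the -lr rule must stay so 05-assert can check both downstreams survive`. The 05-assert file then checks that both `newsecret` and `genlr` remain, which is the right pair, but it asserts only `metadata` for each, so a downstream that was deleted and recreated empty would still pass.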
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/99-cleanup.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: |
+ kubectl delete ur -A --all
+ kubectl delete -f cloned-secret.yaml,cloned-limitrange.yaml --ignore-not-found=true
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/README.md
new file mode 100644
index 0000000000..fc3b9954e4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a rule in a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result in the downstream resource's deletion.
+
+## Expected Behavior
+
+The downstream (generated) resource is expected to remain if the corresponding rule within a Policy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/cloned-limitrange.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/cloned-limitrange.yaml
new file mode 100644
index 0000000000..be140a8db5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/cloned-limitrange.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: genlr
+ namespace: default
\ No newline at end of file
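Review bot: cloned-limitrange.yaml asserts only `metadata.name` and `metadata.namespace`, unlike cloned-secret.yaml which also asserts the cloned `data`, so the 02-resource step at L330 would accept a `genlr` LimitRange with an empty or wrong `spec`; the point of a clone test is that the content came from `sourcelr`. Add the cloned limits to the assertion, taken from the source object in manifests.yaml at L334, so that the clone is verified rather than merely its existence.

```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: genlr
  namespace: default
spec:
  limits:
    - type: Container
      default:
        cpu: 500m
      defaultRequest:
        cpu: 500m
      max:
        cpu: "1"
      min:
        cpu: 100m
```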
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/cloned-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/cloned-secret.yaml
new file mode 100644
index 0000000000..9cbe3d6457
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/cloned-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/create-cm.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/create-cm.yaml
new file mode 100644
index 0000000000..088e22e931
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/create-cm.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: default
+data:
+ food: cheese
+ day: monday
+ color: red
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/manifests.yaml
new file mode 100644
index 0000000000..cd8218d904
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/manifests.yaml
@@ -0,0 +1,63 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: sourcelr
+ namespace: default
+spec:
+ limits:
+ - type: Container
+ default:
+ cpu: 500m
+ defaultRequest:
+ cpu: 500m
+ max:
+ cpu: "1"
+ min:
+ cpu: 100m
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-delete-rule
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-nosync-delete-rule-cm
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: default
+ synchronize: false
+ clone:
+ name: regcred
+ namespace: default
+ - name: pol-clone-nosync-delete-rule-lr
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: LimitRange
+ name: genlr
+ namespace: default
+ synchronize: false
+ clone:
+ name: sourcelr
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/policy-ready.yaml
new file mode 100644
index 0000000000..5534aa22a9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-delete-rule
+ namespace: default
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/01-create.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/01-create.yaml
new file mode 100644
index 0000000000..1790d8c759
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/01-create.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: manifests.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/02-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/02-resource.yaml
new file mode 100644
index 0000000000..41ca0c2ab8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: create-cm.yaml
+ - assert:
+ file: cloned-secret.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/03-delete-source.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/03-delete-source.yaml
new file mode 100644
index 0000000000..dd05e85e60
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/03-delete-source.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete-source
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/05-assert.yaml
new file mode 100644
index 0000000000..1a47c4a978
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/05-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/99-cleanup.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/99-cleanup.yaml
new file mode 100644
index 0000000000..d1de729516
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/99-cleanup.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: |
+ kubectl delete ur -A --all
+ kubectl delete -f cloned-secret.yaml --ignore-not-found=true
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/README.md
new file mode 100644
index 0000000000..3d7fed49bb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of the source (upstream) resource used by a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result in the downstream resource's deletion.
+
+## Expected Behavior
+
+The deleted downstream resource should remain in place. If it is still present after the source deletion, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/cloned-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/cloned-secret.yaml
new file mode 100644
index 0000000000..9cbe3d6457
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/cloned-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/create-cm.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/create-cm.yaml
new file mode 100644
index 0000000000..088e22e931
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/create-cm.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: default
+data:
+ food: cheese
+ day: monday
+ color: red
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/manifests.yaml
new file mode 100644
index 0000000000..9fb19e969a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/manifests.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-delete-source
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-nosync-create-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: default
+ synchronize: false
+ clone:
+ name: regcred
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/policy-ready.yaml
new file mode 100644
index 0000000000..7d37827fa4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-delete-source
+ namespace: default
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/01-assert.yaml
new file mode 100644
index 0000000000..bf6dc7277d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-delete-trigger-policy
+ namespace: pol-clone-nosync-delete-trigger-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/01-manifests.yaml
new file mode 100644
index 0000000000..1a2e687e60
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/01-manifests.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-clone-nosync-delete-trigger-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: pol-clone-nosync-delete-trigger-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-delete-trigger-policy
+ namespace: pol-clone-nosync-delete-trigger-ns
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: downstream-secret
+ namespace: pol-clone-nosync-delete-trigger-ns
+ synchronize: false
+ clone:
+ namespace: pol-clone-nosync-delete-trigger-ns
+ name: source-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/02-create-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/02-create-trigger.yaml
new file mode 100644
index 0000000000..3312b2441b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/02-create-trigger.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-trigger
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: trigger.yaml
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/03-delete.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/03-delete.yaml
new file mode 100644
index 0000000000..fd815c11eb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/03-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: test-org
+ namespace: pol-clone-nosync-delete-trigger-ns
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/05-downstream-deleted.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/05-downstream-deleted.yaml
new file mode 100644
index 0000000000..70051ec60a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/05-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
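Review bot: The final step is named `downstream-deleted` and lives in 05-downstream-deleted.yaml, yet its only operation is an `assert` on downstream.yaml, i.e. it passes when the downstream Secret is still present, which is what the README at L341 says the test is meant to prove; the name states the opposite of the check and will mislead anyone triaging a failure. Rename the step and file to match what is asserted, `name: downstream-retained` in 05-downstream-retained.yaml, and add `# Trigger ConfigMap was deleted in step 03; with synchronize: false the clone must survive` above the `assert`. This test also has no 99-cleanup step, unlike the siblings at L328, L332 and L336; that is likely fine because the downstream lives in the test's own Namespace applied in 01-manifests.yaml, but a one-line comment saying that the Namespace deletion is the cleanup would confirm it is deliberate.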
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/README.md
new file mode 100644
index 0000000000..60576185c9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a trigger resource, with a generate clone declaration and sync disabled, does not result in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test fails. If it remains, the test passes.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/2229
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/downstream.yaml
new file mode 100644
index 0000000000..0a9db32042
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: pol-clone-nosync-delete-trigger-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/trigger.yaml
new file mode 100644
index 0000000000..7e0f799f0d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/trigger.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: pol-clone-nosync-delete-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/01-script-try-create1.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/01-script-try-create1.yaml
new file mode 100644
index 0000000000..221abcdb7f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/01-script-try-create1.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: script-try-create1
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl apply -f policy1.yaml\nthen \n echo \"Tested failed. Policy
+ was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test
+ succeeded. Policy was not created as intended.\"\n exit 0\nfi\n"
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/02-script-try-create2.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/02-script-try-create2.yaml
new file mode 100644
index 0000000000..0b857bb098
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/02-script-try-create2.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: script-try-create2
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl apply -f policy2.yaml\nthen \n echo \"Tested failed. Policy
+ was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test
+ succeeded. Policy was not created as intended.\"\n exit 0\nfi\n"
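Review bot: The script in 01-script-try-create1.yaml (and identically 02-script-try-create2.yaml) treats any non-zero exit of `kubectl apply` as the policy being rejected, so the test also passes when the API server is unreachable, the file is missing, or the CRD is not installed, none of which proves that the cross-namespace clone was blocked by validation. Capturing the command output and requiring the expected rejection text before exiting 0 would make the negative check meaningful; the echoed message also reads `Tested failed.` where `Test failed.` is meant. The double-quoted, backslash-escaped content is hard to read and edit; a `|` block scalar as used in 99-cleanup.yaml elsewhere in this change keeps the shell readable.

```yaml
# … unchanged: TestStep header, metadata, spec.timeouts …
  try:
  - script:
      content: |
        if out=$(kubectl apply -f policy1.yaml 2>&1); then
          echo "Test failed. Policy was created when it shouldn't have been."
          exit 1
        fi
        # Only the expected validation rejection counts as a pass; any other
        # failure (API unreachable, missing file, missing CRD) must fail the test.
        if ! echo "$out" | grep -q '<expected-validation-error-substring>'; then
          echo "Test failed. Policy creation failed for an unexpected reason:"
          echo "$out"
          exit 1
        fi
        echo "Test succeeded. Policy was not created as intended."
```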
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/README.md
new file mode 100644
index 0000000000..1e19e73a7c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test performs two checks to ensure that a "bad" Policy, one in which a user may attempt to cross-Namespace clone a resource, is blocked from creation. The first variant attempts to clone a Secret from an outside Namespace into the Namespace where the Policy is defined. The second variant inverts this to try and clone a Secret co-located in the same Namespace as the Policy to an outside Namespace. Both of these are invalid and must be blocked.
+
+## Expected Behavior
+
+Both "bad" (invalid) Policy should fail to be created. If all the creations are blocked, the test succeeds. If any creation is allowed, the test fails.
+
+## Reference Issue(s)
+
+5099
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/policy1.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/policy1.yaml
new file mode 100644
index 0000000000..dd42c4ad01
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/policy1.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-invalid
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-nosync-invalid-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: default
+ synchronize: false
+ clone:
+ name: regcred
+ namespace: foo
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/policy2.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/policy2.yaml
new file mode 100644
index 0000000000..f9b3a7d5a3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/policy2.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-invalid
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-nosync-invalid-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: foo
+ synchronize: false
+ clone:
+ name: regcred
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/01-create.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/01-create.yaml
new file mode 100644
index 0000000000..1790d8c759
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/01-create.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: manifests.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/02-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/02-resource.yaml
new file mode 100644
index 0000000000..41ca0c2ab8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: create-cm.yaml
+ - assert:
+ file: cloned-secret.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/03-modify-downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/03-modify-downstream.yaml
new file mode 100644
index 0000000000..ab643bbdab
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/03-modify-downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: dGhpc2hhc2JlZW5tb2RpZmllZA==
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: pol-clone-nosync-modify-downstream-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/05-assert.yaml
new file mode 100644
index 0000000000..ab643bbdab
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/05-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: dGhpc2hhc2JlZW5tb2RpZmllZA==
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: pol-clone-nosync-modify-downstream-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/README.md
new file mode 100644
index 0000000000..c3438579dc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that modification of a downstream (generated) resource resulting from a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result in those modifications being reverted with the contents of the source resource.
+
+## Expected Behavior
+
+The downstream resource, once modified, should remain as-is. If it remains as-is based on the last modification, the test passes. If it is anything else than how it was last modified, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/cloned-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/cloned-secret.yaml
new file mode 100644
index 0000000000..f3608ddfe0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/cloned-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: newsecret
+ namespace: pol-clone-nosync-modify-downstream-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/create-cm.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/create-cm.yaml
new file mode 100644
index 0000000000..ba58d17236
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/create-cm.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: pol-clone-nosync-modify-downstream-ns
+data:
+ food: cheese
+ day: monday
+ color: red
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/manifests.yaml
new file mode 100644
index 0000000000..52939836df
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/manifests.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-clone-nosync-modify-downstream-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: pol-clone-nosync-modify-downstream-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-modify-downstream
+ namespace: pol-clone-nosync-modify-downstream-ns
+spec:
+ rules:
+ - name: pol-clone-nosync-modify-downstream-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: pol-clone-nosync-modify-downstream-ns
+ synchronize: false
+ clone:
+ name: regcred
+ namespace: pol-clone-nosync-modify-downstream-ns
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/policy-ready.yaml
new file mode 100644
index 0000000000..996bb20067
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-modify-downstream
+ namespace: pol-clone-nosync-modify-downstream-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/01-create.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/01-create.yaml
new file mode 100644
index 0000000000..1790d8c759
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/01-create.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: manifests.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/02-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/02-resource.yaml
new file mode 100644
index 0000000000..41ca0c2ab8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: create-cm.yaml
+ - assert:
+ file: cloned-secret.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/03-modify-source.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/03-modify-source.yaml
new file mode 100644
index 0000000000..05b1bd94dc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/03-modify-source.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: dGhpc2hhc2JlZW5tb2RpZmllZA==
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/05-assert.yaml
new file mode 100644
index 0000000000..9dd6e1fb31
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/05-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: pol-clone-nosync-modify-source-newsecret
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/99-cleanup.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/99-cleanup.yaml
new file mode 100644
index 0000000000..d1de729516
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/99-cleanup.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: |
+ kubectl delete ur -A --all
+ kubectl delete -f cloned-secret.yaml --ignore-not-found=true
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/README.md
new file mode 100644
index 0000000000..9d6ba53a3d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that modification of a source (upstream) resource used by a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result in those modifications being synced to the downstream resource.
+
+## Expected Behavior
+
+The source resource, once modified, should not cause any cloned (downstream) resources to be changed. If the downstream resource remains as-is, the test passes. If it is anything else other than how it looked when originally created, the test fails.
+
+## Reference Issue(s)
+
+N/A
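Review bot: The cleanup script in 99-cleanup.yaml runs `kubectl delete ur -A --all`, which removes every UpdateRequest in the cluster rather than only this test's, so a generate test running concurrently can have its pending requests deleted from under it. The same test keeps its source secret `regcred`, the trigger ConfigMap `mycm` and the generated secret in the `default` namespace (03-modify-source.yaml, create-cm.yaml, manifests.yaml, 05-assert.yaml), while the sibling tests in this change create a dedicated `<test>-ns` namespace; leftovers from an interrupted run therefore collide with the next run, and this cleanup step removes neither `regcred` nor `mycm`. Moving the fixtures into a per-test namespace, as the other tests do, and narrowing the UpdateRequest deletion to this test's requests would isolate it; because the cleanup is an ordinary `try` step numbered 99, it is presumably skipped when an earlier step fails, though whether chainsaw reaps applied manifests on its own is not visible here.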
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/cloned-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/cloned-secret.yaml
new file mode 100644
index 0000000000..9dd6e1fb31
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/cloned-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: pol-clone-nosync-modify-source-newsecret
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/create-cm.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/create-cm.yaml
new file mode 100644
index 0000000000..088e22e931
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/create-cm.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mycm
+ namespace: default
+data:
+ food: cheese
+ day: monday
+ color: red
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/manifests.yaml
new file mode 100644
index 0000000000..a44025774b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/manifests.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-modify-source
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-nosync-modify-source-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: pol-clone-nosync-modify-source-newsecret
+ namespace: default
+ synchronize: false
+ clone:
+ name: regcred
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/policy-ready.yaml
new file mode 100644
index 0000000000..3d901fecac
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-modify-source
+ namespace: default
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/01-assert.yaml
new file mode 100644
index 0000000000..a8658f105c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-update-trigger-no-match-policy
+ namespace: pol-clone-nosync-update-trigger-no-match-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/01-manifests.yaml
new file mode 100644
index 0000000000..a7c3e6fed8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/01-manifests.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-clone-nosync-update-trigger-no-match-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: pol-clone-nosync-update-trigger-no-match-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-nosync-update-trigger-no-match-policy
+ namespace: pol-clone-nosync-update-trigger-no-match-ns
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ selector:
+ matchLabels:
+ create-secret: "true"
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: downstream-secret
+ namespace: pol-clone-nosync-update-trigger-no-match-ns
+ synchronize: false
+ clone:
+ namespace: pol-clone-nosync-update-trigger-no-match-ns
+ name: source-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/02-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/02-trigger.yaml
new file mode 100644
index 0000000000..ea5b238885
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/02-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-secret: "true"
+ name: test-org
+ namespace: pol-clone-nosync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/03-downstream-created.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/03-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/03-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/04-update-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/04-update-trigger.yaml
new file mode 100644
index 0000000000..cc01c9ece8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/04-update-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-secret: "false"
+ name: test-org
+ namespace: pol-clone-nosync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/05-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/06-downstream-deleted.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/06-downstream-deleted.yaml
new file mode 100644
index 0000000000..70051ec60a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/06-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/README.md
new file mode 100644
index 0000000000..d918933169
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match the rule, with a generate clone declaration and sync disabled, does not result in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test fails. If it remains, the test passes.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6507
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/downstream.yaml
new file mode 100644
index 0000000000..be5639ef73
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: pol-clone-nosync-update-trigger-no-match-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/01-assert.yaml
new file mode 100644
index 0000000000..deabee81cc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/01-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-sync-clone-delete-downstream
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: pol-sync-clone-delete-downstream
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/01-manifests.yaml
new file mode 100644
index 0000000000..deabee81cc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/01-manifests.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-sync-clone-delete-downstream
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: pol-sync-clone-delete-downstream
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/02-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/02-assert.yaml
new file mode 100644
index 0000000000..83228cc522
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/02-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-sync-clone-delete-downstream
+ namespace: pol-sync-clone-delete-downstream
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/02-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/02-policy.yaml
new file mode 100644
index 0000000000..c901aaddfb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/02-policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-sync-clone-delete-downstream
+ namespace: pol-sync-clone-delete-downstream
+spec:
+ rules:
+ - name: gen-zk
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: myclonedsecret
+ namespace: pol-sync-clone-delete-downstream
+ synchronize: true
+ clone:
+ namespace: pol-sync-clone-delete-downstream
+ name: regcred
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/03-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/03-trigger.yaml
new file mode 100644
index 0000000000..218574ff7b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/03-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: foo
+ namespace: pol-sync-clone-delete-downstream
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/04-downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/04-downstream.yaml
new file mode 100644
index 0000000000..773de86ff2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/04-downstream.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/05-delete.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/05-delete.yaml
new file mode 100644
index 0000000000..e79dba2b2f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/05-delete.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: myclonedsecret
+ namespace: pol-sync-clone-delete-downstream
+type: Opaque
\ No newline at end of file
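Review bot: 05-delete.yaml is a plain Secret manifest (byte-identical to downstream.yaml, same blob e79dba2b2f), not a TestStep with a `delete` action, whereas the other deletion steps in this change (03-delete.yaml in pol-clone-nosync-delete-trigger, 04-delete-policy.yaml in pol-clone-sync-delete-policy) use `kind: TestStep` with `try: - delete:`. Unless chainsaw's file discovery gives a `*-delete.yaml` name special meaning, which I cannot confirm from here, this file will be applied rather than deleted, so the downstream secret is never removed and the 07-downstream.yaml assertion passes without the regeneration the README describes ever being exercised. Rewriting it as an explicit delete step matches the sibling tests and makes the step do what its name says.

```yaml
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
  creationTimestamp: null
  name: delete
spec:
  timeouts: {}
  try:
  - delete:
      apiVersion: v1
      kind: Secret
      name: myclonedsecret
      namespace: pol-sync-clone-delete-downstream
```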
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/06-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/06-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/06-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/07-downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/07-downstream.yaml
new file mode 100644
index 0000000000..773de86ff2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/07-downstream.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/README.md
new file mode 100644
index 0000000000..5102f7c150
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/README.md
@@ -0,0 +1,11 @@ +## Description + +This test ensures that deletion of a downstream resource created by a Policy `generate` rule with sync enabled using a clone declaration causes it to be regenerated. If it is not regenerated, the test fails. + +## Expected Behavior + +The downstream resource, upon deletion, is expected to be recreated/recloned from the source resource. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/downstream.yaml new file mode 100644 index 0000000000..e79dba2b2f --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/downstream.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: myclonedsecret + namespace: pol-sync-clone-delete-downstream +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/01-create.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/01-create.yaml new file mode 100644 index 0000000000..1790d8c759 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/01-create.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create +spec: + timeouts: {} + try: + - apply: + file: manifests.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/02-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/02-resource.yaml new file mode 100644 index 0000000000..41ca0c2ab8 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: create-cm.yaml + - assert: + file: cloned-secret.yaml diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/03-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/03-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/03-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/04-delete-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/04-delete-policy.yaml new file mode 100644 index 0000000000..2c14201eaa --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/04-delete-policy.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete-policy +spec: + timeouts: {} + try: + - delete: + apiVersion: kyverno.io/v2beta1 + kind: Policy + name: pol-clone-sync-delete-policy + namespace: default diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/05-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/05-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/05-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/06-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/06-assert.yaml new file mode 100644 index 0000000000..1a47c4a978 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/06-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Secret +metadata: + name: newsecret + namespace: default \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/99-cleanup.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/99-cleanup.yaml new file mode 100644 index 0000000000..7e0004c066 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/99-cleanup.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - ur + - -A + - --all + entrypoint: kubectl diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/README.md new file mode 100644 index 0000000000..da0d821594 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/README.md 
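Review bot: The cleanup step in 99-cleanup.yaml runs `kubectl delete ur -A --all`, which removes every UpdateRequest in every namespace, not just those belonging to this test; the same step appears verbatim in pol-clone-sync-delete-rule/99-cleanup.yaml. If the conformance suite runs tests concurrently this can delete another test's in-flight UpdateRequests and produce hard-to-reproduce flakes, and it requires cluster-wide delete permission for the runner where a namespaced delete would do. If the runner exposes the test namespace, scoping the deletion to it (or to a label set by this test's policy) would keep cleanup from touching unrelated state; if a cluster-wide sweep is intentional, a one-line comment above the `command:` saying why would save the next reader the question.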
@@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that deletion of a Policy (Namespaced) generate rule, clone declaration, with sync enabled, does NOT result in the downstream resource's deletion. + +## Expected Behavior + +The downstream (generated) resource is expected to remain if the Policy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/cloned-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/cloned-secret.yaml new file mode 100644 index 0000000000..9cbe3d6457 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/cloned-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: newsecret + namespace: default +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/create-cm.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/create-cm.yaml new file mode 100644 index 0000000000..088e22e931 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/create-cm.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: mycm + namespace: default +data: + food: cheese + day: monday + color: red \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/manifests.yaml new file mode 100644 index 0000000000..1099a0cf08 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/manifests.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: regcred + namespace: default +type: Opaque +--- +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: pol-clone-sync-delete-policy + namespace: default +spec: + rules: + - name: pol-clone-sync-delete-policy-cm + match: + any: + - resources: + kinds: + - ConfigMap + generate: + apiVersion: v1 + kind: Secret + name: newsecret + namespace: default + synchronize: true + clone: + name: regcred + namespace: default \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/policy-ready.yaml new file mode 100644 index 0000000000..6c825ebe2d --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/policy-ready.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: pol-clone-sync-delete-policy + namespace: default +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/01-create.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/01-create.yaml new file mode 100644 index 0000000000..1790d8c759 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/01-create.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create +spec: + timeouts: {} + try: + - apply: + file: manifests.yaml + - assert: + file: policy-ready.yaml 
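Review bot: manifests.yaml places the source Secret `regcred`, the Policy and the generated `newsecret` in the `default` namespace, whereas the delete-source and delete-trigger tests in this same diff create a dedicated namespace first; pol-clone-sync-delete-rule/manifests.yaml has the same layout. Because the rule matches any ConfigMap in `default`, a ConfigMap created there by another concurrently running test (or by the cluster itself) also triggers generation of `newsecret`, and the test's `06-assert.yaml` cannot tell which trigger produced the object it finds. Adding a `Namespace` object at the top of the file and moving the three namespaces to it, as policy.yaml does for pol-clone-sync-delete-source, would isolate the fixture; the namespaced `Policy` kind already suits that.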
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/02-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/02-resource.yaml new file mode 100644 index 0000000000..edaf96dcbe --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/02-resource.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: create-cm.yaml + - assert: + file: cloned-secret.yaml + - assert: + file: cloned-limitrange.yaml diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/03-delete-rule.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/03-delete-rule.yaml new file mode 100644 index 0000000000..92892e5e23 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/03-delete-rule.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: pol-clone-sync-delete-rule + namespace: default +spec: + rules: + - name: pol-clone-sync-delete-rule-lr + match: + any: + - resources: + kinds: + - ConfigMap + generate: + apiVersion: v1 + kind: LimitRange + name: genlr + namespace: default + synchronize: true + clone: + name: sourcelr + namespace: default diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/04-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/04-sleep.yaml 
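Review bot: 03-delete-rule.yaml is named as a deletion but is a full `Policy` manifest whose `rules` list contains only `pol-clone-sync-delete-rule-lr`; the rule removal works by re-applying the policy without the `-cm` rule, which is not obvious from the file name and depends on the apply replacing the whole `rules` array. A header comment would make the mechanism explicit, e.g. `# Re-applies the Policy from manifests.yaml with the Secret rule removed; applying the reduced spec is how the rule is "deleted".` The matching assertion in 05-assert.yaml then checks that `newsecret` survives the removal of the rule that generated it, which is worth naming in that comment too.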
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/05-assert.yaml new file mode 100644 index 0000000000..ca3309e3e1 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/05-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + name: newsecret + namespace: default +--- +apiVersion: v1 +kind: LimitRange +metadata: + name: genlr + namespace: default \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/99-cleanup.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/99-cleanup.yaml new file mode 100644 index 0000000000..7e0004c066 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/99-cleanup.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - ur + - -A + - --all + entrypoint: kubectl diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/README.md new file mode 100644 index 0000000000..7fa8b9a985 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/README.md 
@@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that deletion of a rule in a Policy (Namespaced) generate rule, clone declaration, with sync enabled, does NOT result in the downstream resource's deletion. + +## Expected Behavior + +The downstream (generated) resource is expected to remain if the corresponding rule within a Policy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/cloned-limitrange.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/cloned-limitrange.yaml new file mode 100644 index 0000000000..be140a8db5 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/cloned-limitrange.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: LimitRange +metadata: + name: genlr + namespace: default \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/cloned-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/cloned-secret.yaml new file mode 100644 index 0000000000..9cbe3d6457 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/cloned-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: newsecret + namespace: default +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/create-cm.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/create-cm.yaml new file mode 100644 index 0000000000..088e22e931 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/create-cm.yaml 
@@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: mycm + namespace: default +data: + food: cheese + day: monday + color: red \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/manifests.yaml new file mode 100644 index 0000000000..6170cdb090 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/manifests.yaml @@ -0,0 +1,63 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: regcred + namespace: default +type: Opaque +--- +apiVersion: v1 +kind: LimitRange +metadata: + name: sourcelr + namespace: default +spec: + limits: + - type: Container + default: + cpu: 500m + defaultRequest: + cpu: 500m + max: + cpu: "1" + min: + cpu: 100m +--- +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: pol-clone-sync-delete-rule + namespace: default +spec: + rules: + - name: pol-clone-sync-delete-rule-cm + match: + any: + - resources: + kinds: + - ConfigMap + generate: + apiVersion: v1 + kind: Secret + name: newsecret + namespace: default + synchronize: true + clone: + name: regcred + namespace: default + - name: pol-clone-sync-delete-rule-lr + match: + any: + - resources: + kinds: + - ConfigMap + generate: + apiVersion: v1 + kind: LimitRange + name: genlr + namespace: default + synchronize: true + clone: + name: sourcelr + namespace: default diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/policy-ready.yaml new file mode 100644 index 0000000000..b8912b6196 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/policy-ready.yaml 
@@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: pol-clone-sync-delete-rule + namespace: default +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/01-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/02-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/02-resource.yaml new file mode 100644 index 0000000000..41ca0c2ab8 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: create-cm.yaml + - assert: + file: cloned-secret.yaml diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/03-deletesource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/03-deletesource.yaml new file mode 100644 index 0000000000..512bd80e43 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/03-deletesource.yaml 
@@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: deletesource +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: Secret + name: regcred + namespace: pol-clone-sync-delete-source diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/04-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/04-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/05-errors.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/05-errors.yaml new file mode 100644 index 0000000000..73d8431d86 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/05-errors.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: newsecret + namespace: pol-clone-sync-delete-source +type: Opaque diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/README.md new file mode 100644 index 0000000000..91fd2bfb4e --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/README.md 
@@ -0,0 +1,11 @@ +## Description + +This test ensures that deletion of the source (upstream) resource used by a Policy `generate` rule with sync enabled using a clone declaration DOES cause deletion of downstream/cloned resources. + +## Expected Behavior + +After the source is deleted, the downstream resources should be deleted. If the downstream resource remains, the test fails. If the downstream resource is deleted, the test passes. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/cloned-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/cloned-secret.yaml new file mode 100644 index 0000000000..33259284fe --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/cloned-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: newsecret + namespace: pol-clone-sync-delete-source +type: Opaque \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/create-cm.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/create-cm.yaml new file mode 100644 index 0000000000..106138d13b --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/create-cm.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: mycm + namespace: pol-clone-sync-delete-source +data: + food: cheese + day: monday + color: red \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/policy-ready.yaml new file mode 100644 index 0000000000..e3efbf79fa --- /dev/null 
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/policy-ready.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: pol-clone-sync-delete-source + namespace: pol-clone-sync-delete-source +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/policy.yaml new file mode 100644 index 0000000000..d989af6f8f --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/policy.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: pol-clone-sync-delete-source +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: regcred + namespace: pol-clone-sync-delete-source +type: Opaque +--- +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: pol-clone-sync-delete-source + namespace: pol-clone-sync-delete-source +spec: + rules: + - name: pol-clone-sync-delete-source-secret + match: + any: + - resources: + kinds: + - ConfigMap + generate: + apiVersion: v1 + kind: Secret + name: newsecret + namespace: pol-clone-sync-delete-source + synchronize: true + clone: + namespace: pol-clone-sync-delete-source + name: regcred diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/01-assert.yaml new file mode 100644 index 0000000000..d36d7dcefe --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/01-assert.yaml 
@@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: pol-clone-sync-delete-trigger-policy + namespace: pol-clone-sync-delete-trigger-ns +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/01-manifests.yaml new file mode 100644 index 0000000000..0dbaaf6bd4 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/01-manifests.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: pol-clone-sync-delete-trigger-ns +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: source-secret + namespace: pol-clone-sync-delete-trigger-ns +type: Opaque +--- +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: pol-clone-sync-delete-trigger-policy + namespace: pol-clone-sync-delete-trigger-ns +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - ConfigMap + generate: + apiVersion: v1 + kind: Secret + name: downstream-secret + namespace: pol-clone-sync-delete-trigger-ns + synchronize: true + clone: + namespace: pol-clone-sync-delete-trigger-ns + name: source-secret \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/02-create-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/02-create-trigger.yaml new file mode 100644 index 0000000000..3312b2441b --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/02-create-trigger.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create-trigger +spec: + timeouts: {} + try: + - apply: + file: trigger.yaml + - assert: + file: downstream.yaml diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/03-delete.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/03-delete.yaml new file mode 100644 index 0000000000..f413781963 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/03-delete.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: ConfigMap + name: test-org + namespace: pol-clone-sync-delete-trigger-ns diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/04-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/04-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/05-downstream-deleted.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/05-downstream-deleted.yaml new file mode 100644 index 0000000000..f01c4fabad --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/05-downstream-deleted.yaml 
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/06-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/06-assert.yaml
new file mode 100644
index 0000000000..57495d829f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/06-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: pol-clone-sync-delete-trigger-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/README.md
new file mode 100644
index 0000000000..4c81bb6239
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a trigger resource, with a generate clone declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/2229
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/downstream.yaml
new file mode 100644
index 0000000000..2ef8268192
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: pol-clone-sync-delete-trigger-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/trigger.yaml
new file mode 100644
index 0000000000..ba814764c6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/trigger.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: pol-clone-sync-delete-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/01-script-try-create1.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/01-script-try-create1.yaml
new file mode 100644
index 0000000000..221abcdb7f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/01-script-try-create1.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: script-try-create1
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl apply -f policy1.yaml\nthen \n echo \"Tested failed. Policy
+ was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test
+ succeeded. Policy was not created as intended.\"\n exit 0\nfi\n"
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/02-script-try-create2.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/02-script-try-create2.yaml
new file mode 100644
index 0000000000..0b857bb098
--- /dev/null
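Review bot: The script step in 01-script-try-create1.yaml decides that the Policy was rejected from the exit status of `kubectl apply` alone, so any failure — a missing `policy1.yaml`, a bad kubeconfig, an unreachable API server — also prints "Test succeeded", and the actual admission error is never recorded. This same change already uses the form that avoids that in pol-data-nosync-create-policy-invalid/01-create.yaml (an `apply` with `check: (error != null): true`), which lets chainsaw surface the error and can later be tightened to match the expected rejection message; 02-script-try-create2.yaml has the same shape with policy2.yaml. If the script is kept, the echoed text `Tested failed.` should read `Test failed.`.
```yaml
  try:
    - apply:
        check:
          (error != null): true
        file: policy1.yaml
```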
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/02-script-try-create2.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: script-try-create2
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl apply -f policy2.yaml\nthen \n echo \"Tested failed. Policy
+ was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test
+ succeeded. Policy was not created as intended.\"\n exit 0\nfi\n"
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/README.md
new file mode 100644
index 0000000000..c1ab36115d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test performs two checks to ensure that a "bad" Policy, one in which a user may attempt to cross-Namespace clone a resource, is blocked from creation. The first variant attempts to clone a Secret from an outside Namespace into the Namespace where the Policy is defined. The second variant inverts this to try and clone a Secret co-located in the same Namespace as the Policy to an outside Namespace. Both of these are invalid and must be blocked.
+
+This test is basically identical to a similar one in which sync is disabled and the results should be the same. In this test, the setting of `sync` is irrelevant yet is tested here for completeness.
+
+## Expected Behavior
+
+Both "bad" (invalid) Policy should fail to be created. If all the creations are blocked, the test succeeds. If any creation is allowed, the test fails.
+
+## Reference Issue(s)
+
+5099
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/policy1.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/policy1.yaml
new file mode 100644
index 0000000000..0644a1025c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/policy1.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-sync-invalid
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-sync-invalid-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: default
+ synchronize: true
+ clone:
+ name: regcred
+ namespace: foo
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/policy2.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/policy2.yaml
new file mode 100644
index 0000000000..906f0a7d5a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/policy2.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-sync-invalid
+ namespace: default
+spec:
+ rules:
+ - name: pol-clone-sync-invalid-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newsecret
+ namespace: foo
+ synchronize: true
+ clone:
+ name: regcred
+ namespace: default
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/01-assert.yaml
new file mode 100644
index 0000000000..581eb5a11b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/01-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-clone-sync-modify-downstream-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: pol-clone-sync-modify-downstream-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/01-manifests.yaml
new file mode 100644
index 0000000000..581eb5a11b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/01-manifests.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-clone-sync-modify-downstream-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: pol-clone-sync-modify-downstream-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/02-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/02-assert.yaml
new file mode 100644
index 0000000000..9346fccb3b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/02-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-sync-modify-downstream-policy
+ namespace: pol-clone-sync-modify-downstream-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/02-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/02-policy.yaml
new file mode 100644
index 0000000000..59e4c752a5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/02-policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-sync-modify-downstream-policy
+ namespace: pol-clone-sync-modify-downstream-ns
+spec:
+ rules:
+ - name: gen-zk
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: myclonedsecret
+ namespace: pol-clone-sync-modify-downstream-ns
+ synchronize: true
+ clone:
+ namespace: pol-clone-sync-modify-downstream-ns
+ name: regcred
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/03-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/03-trigger.yaml
new file mode 100644
index 0000000000..6e927d56d1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/03-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: foo
+ namespace: pol-clone-sync-modify-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/04-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/04-assert.yaml
new file mode 100644
index 0000000000..6761f13eaa
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/04-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: myclonedsecret
+ namespace: pol-clone-sync-modify-downstream-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/05-modify.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/05-modify.yaml
new file mode 100644
index 0000000000..90f06d6e91
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/05-modify.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: Ymx1ZQ==
+kind: Secret
+metadata:
+ name: myclonedsecret
+ namespace: pol-clone-sync-modify-downstream-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/06-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/06-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/06-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/07-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/07-assert.yaml
new file mode 100644
index 0000000000..6761f13eaa
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/07-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: myclonedsecret
+ namespace: pol-clone-sync-modify-downstream-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/README.md
new file mode 100644
index 0000000000..48b3d48083
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that modification of the downstream (cloned) resource used by a Policy `generate` rule with sync enabled using a clone declaration causes those changes to be reverted and synchronized from the state of the upstream/source.
+
+## Expected Behavior
+
+After the downstream resource is modified, the changes should be reverted after synchronization occurs. If the downstream resource is synced with the state of the source resource, the test passes. If the downstream resource remains in a modified state, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5100
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/downstream.yaml
new file mode 100644
index 0000000000..6761f13eaa
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: myclonedsecret
+ namespace: pol-clone-sync-modify-downstream-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/01-assert.yaml
new file mode 100644
index 0000000000..ca94aab071
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-sync-clone
+ namespace: poltest
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/01-manifests.yaml
new file mode 100644
index 0000000000..8adbdd7837
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/01-manifests.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: poltest
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: poltest
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-sync-clone
+ namespace: poltest
+spec:
+ rules:
+ - name: gen-zk
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: myclonedsecret
+ namespace: poltest
+ synchronize: true
+ clone:
+ namespace: poltest
+ name: regcred
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/02-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/02-trigger.yaml
new file mode 100644
index 0000000000..4a6457c1cb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/02-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ sj: js
+kind: ConfigMap
+metadata:
+ name: cm-2
+ namespace: poltest
\ No newline at end of file
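Review bot: The pol-clone-sync-modify-source fixtures create and assert in a Namespace literally named `poltest` (the Namespace, Secret `regcred` and Policy `pol-sync-clone` in 01-manifests.yaml, `cm-2` in 02-trigger.yaml), whereas every sibling test in this change uses a test-specific `<test-name>-ns` Namespace; if chainsaw runs tests concurrently, two tests claiming `poltest` would collide on creation and cleanup and could observe each other's resources. Renaming it to `pol-clone-sync-modify-source-ns` across the directory's files brings it in line with the rest, and the `hammer` Namespace in pol-data-nosync-delete-downstream (policy.yaml, 03-delete.yaml and its assert files) has the same exposure. The rule name `gen-zk` here and in pol-clone-sync-modify-downstream/02-policy.yaml also looks copied from a different fixture — the rule clones a Secret, and `clone-secret` as used by the sibling tests reads better.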
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/03-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/03-assert.yaml
new file mode 100644
index 0000000000..b609a3311d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/03-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: myclonedsecret
+ namespace: poltest
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/04-modifysource.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/04-modifysource.yaml
new file mode 100644
index 0000000000..c9bb004521
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/04-modifysource.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
+kind: Secret
+metadata:
+ name: regcred
+ namespace: poltest
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/05-assert.yaml
new file mode 100644
index 0000000000..3eb44f8ed1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/05-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
+kind: Secret
+metadata:
+ name: myclonedsecret
+ namespace: poltest
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/README.md
new file mode 100644
index 0000000000..e5a7064c3a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that modification of the source (upstream) resource used by a Policy `generate` rule with sync enabled using a clone declaration causes those changes to be synced/propagated downstream.
+
+## Expected Behavior
+
+After the source is modified, the downstream resources should be synced to reflect those modifications. If the downstream resource reflects the changes made to the source, the test passes. If the downstream resource remains unsynced, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5277
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/01-assert.yaml
new file mode 100644
index 0000000000..673ab9464b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-sync-update-trigger-no-match-policy
+ namespace: pol-clone-sync-update-trigger-no-match-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/01-manifests.yaml
new file mode 100644
index 0000000000..2d037cd39a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/01-manifests.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-clone-sync-update-trigger-no-match-ns
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: pol-clone-sync-update-trigger-no-match-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-clone-sync-update-trigger-no-match-policy
+ namespace: pol-clone-sync-update-trigger-no-match-ns
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ selector:
+ matchLabels:
+ create-secret: "true"
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: downstream-secret
+ namespace: pol-clone-sync-update-trigger-no-match-ns
+ synchronize: true
+ clone:
+ namespace: pol-clone-sync-update-trigger-no-match-ns
+ name: source-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/02-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/02-trigger.yaml
new file mode 100644
index 0000000000..80e5a0f561
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/02-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-secret: "true"
+ name: test-org
+ namespace: pol-clone-sync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/03-downstream-created.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/03-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/03-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/04-update-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/04-update-trigger.yaml
new file mode 100644
index 0000000000..2b7559ed79
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/04-update-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-secret: "false"
+ name: test-org
+ namespace: pol-clone-sync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/05-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/06-downstream-deleted.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/06-downstream-deleted.yaml
new file mode 100644
index 0000000000..f01c4fabad
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/06-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/README.md b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/README.md
new file mode 100644
index 0000000000..a749d3c470
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match the rule, with a generate clone declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6507
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/downstream.yaml
new file mode 100644
index 0000000000..e102da454d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: pol-clone-sync-update-trigger-no-match-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/01-create.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/01-create.yaml
new file mode 100644
index 0000000000..01472eee4c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/01-create.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: ns.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/README.md b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/README.md
new file mode 100644
index 0000000000..e1fe6e7857
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that a "bad" Policy (Namespaced) cannot be created which attempts to generate a resource into a different Namespace from that in which the Policy exists.
+
+## Expected Behavior
+
+If the Policy cannot be created, the test passes. If it is allowed to be created, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/ns.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/ns.yaml
new file mode 100644
index 0000000000..0c3fa0cc96
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: indigiored
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/policy.yaml
new file mode 100644
index 0000000000..e122bf9f08
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-create-policy-invalid/policy.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-data-nosync-create-policy-invalid-policy
+ namespace: indigiored
+spec:
+ rules:
+ - name: pol-data-nosync-create-policy-invalid-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: kindbrown
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/01-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/02-create-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/02-create-secret.yaml
new file mode 100644
index 0000000000..a832bf5a48
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/02-create-secret.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-secret
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: secret.yaml
+ - assert:
+ file: generated-configmap.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/03-delete.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/03-delete.yaml
new file mode 100644
index 0000000000..2bd699fad4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/03-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: hammer
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
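Review bot: The "not recreated" verdict in pol-data-nosync-delete-downstream rests entirely on the fixed `sleep 3` in 04-sleep.yaml between the delete step and the 05-errors.yaml check; if the controller is slower than three seconds in CI, the test passes without having observed the behaviour it claims to test, which is the usual weakness of a negative check built on a constant delay. The identical sleep step precedes an `error` step in pol-clone-sync-delete-trigger/04-sleep.yaml and pol-clone-sync-update-trigger-no-match/05-sleep.yaml, where it appears to be only a delay, since `error` presumably keeps polling until the resource is gone or the step times out. Where the sleep is the assertion, a comment stating the assumption would help the next maintainer: `# negative check: the ConfigMap must still be absent after the controller has had 3s to (wrongly) recreate it`. If 05-errors.yaml is picked up by file-name convention rather than referenced from a step, that is worth saying in the same comment.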
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/05-errors.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/05-errors.yaml
new file mode 100644
index 0000000000..0519f6792c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/05-errors.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: hammer
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/README.md b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/README.md
new file mode 100644
index 0000000000..9a74c1a452
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test makes sure that a Policy (Namespaced) with a generate rule, data type, and sync NOT enabled, when the downstream (generated) resource is deleted causes it to NOT be recreated.
+
+## Expected Behavior
+
+If the resource remains in a deleted state, the test passes. If it remains is recreated according to the definition in the rule, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/generated-configmap.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/generated-configmap.yaml
new file mode 100644
index 0000000000..0519f6792c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/generated-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: hammer
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/policy-ready.yaml
new file mode 100644
index 0000000000..57b3afa1df
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-delete-downstream-policy
+ namespace: hammer
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/policy.yaml
new file mode 100644
index 0000000000..4d014ece4c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/policy.yaml
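Review bot: generated-configmap.yaml asserts the ConfigMap's name, namespace and data but not the `somekey: somevalue` label that the rule in policy.yaml stamps on the generated object, so step 02 cannot distinguish a Kyverno-generated ConfigMap from one that got there by any other route; the delete-rule test's resource-generated.yaml in this same change does include that label. Add `labels:` / `  somekey: somevalue` under `metadata:` so the assertion proves the generate rule produced the object before the test goes on to delete it. Kyverno's own generate bookkeeping labels are another candidate, but their exact names are not visible here, so the rule's declared label is the safer thing to pin.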
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: hammer
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-delete-downstream-policy
+ namespace: hammer
+spec:
+ rules:
+ - name: pol-data-nosync-delete-downstream-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: hammer
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/secret.yaml
new file mode 100644
index 0000000000..d6a4508c6b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-downstream/secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: mytestsecret
+ namespace: hammer
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/01-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/02-create-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/02-create-secret.yaml
new file mode 100644
index 0000000000..a832bf5a48
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/02-create-secret.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-secret
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: secret.yaml
+ - assert:
+ file: generated-configmap.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/03-delete.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/03-delete.yaml
new file mode 100644
index 0000000000..f7f39f820c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/03-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: kyverno.io/v1
+ kind: Policy
+ name: pol-data-nosync-delete-policy-policy
+ namespace: manta
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/05-assert.yaml
new file mode 100644
index 0000000000..7be0bd9fd9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/05-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: manta
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/README.md b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/README.md
new file mode 100644
index 0000000000..97fb3c6c81
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test makes sure that a Policy (Namespaced) with a generate rule, data type, and sync NOT enabled, when the policy is deleted does NOT cause the downstream (generated) resource to also be deleted.
+
+## Expected Behavior
+
+If the resource is retained after the Policy is deleted, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/generated-configmap.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/generated-configmap.yaml
new file mode 100644
index 0000000000..7be0bd9fd9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/generated-configmap.yaml
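Review bot: 05-assert.yaml is a bare ConfigMap manifest that duplicates generated-configmap.yaml byte for byte (both are blob 7be0bd9fd9) and, unlike steps 01–04 which are explicit TestStep objects, is presumably picked up only by the kuttl-style `NN-assert.yaml` filename convention. That mixes two step conventions in one test and leaves two copies of the expected object that can silently diverge. Replace it with a TestStep, e.g. `05-assert-retained.yaml`, whose `try` is `- assert:` / `file: generated-configmap.yaml`, so the retained object is checked against the same fixture that step 02 used.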
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: manta
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/policy-ready.yaml
new file mode 100644
index 0000000000..5dcde869bd
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-delete-policy-policy
+ namespace: manta
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/policy.yaml
new file mode 100644
index 0000000000..136a1e0cf2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: manta
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-delete-policy-policy
+ namespace: manta
+spec:
+ rules:
+ - name: pol-data-nosync-delete-policy-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: manta
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/secret.yaml
new file mode 100644
index 0000000000..61db613157
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-policy/secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: mytestsecret
+ namespace: manta
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/01-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/02-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/02-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/02-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/03-resource.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/03-resource.yaml
new file mode 100644
index 0000000000..16f6688270
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/03-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-generated.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/04-remove-rule.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/04-remove-rule.yaml
new file mode 100644
index 0000000000..bfa598f7b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/04-remove-rule.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: remove-rule
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy-with-rule-removed.yaml
+ - assert:
+ file: both-resources-exist.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/README.md b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/README.md
new file mode 100644
index 0000000000..acf3217f1f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/README.md
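Review bot: 04-remove-rule.yaml applies policy-with-rule-removed.yaml and immediately asserts both-resources-exist.yaml with no settle window in between; both resources already exist from step 03, so the assert is satisfied on its first poll before Kyverno has had any chance to react to the removed rule, and the test passes even if the NetworkPolicy is deleted a moment later. Every other nosync test in this change puts a `sleep` step between the mutation and the post-change check, and this one needs the same, either inside this step's `try` list or as a separate 05 step with the assert moved to 06. The minimal in-step version is below.

```yaml
 try:
 - apply:
     file: policy-with-rule-removed.yaml
 - command:
     entrypoint: sleep
     args:
       - "3"
 - assert:
     file: both-resources-exist.yaml
```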
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that a generate rule in a Policy (Namespaced) with a data declaration and NO synchronization, when a rule within the Policy having two rules is deleted does NOT cause any of the generated resources corresponding to that removed rule to be deleted.
+
+## Expected Behavior
+
+If both generated resources remain after deletion of the rule, the test passes. If either one is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/both-resources-exist.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/both-resources-exist.yaml
new file mode 100644
index 0000000000..56b4ec706c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/both-resources-exist.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: otter
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: otter
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy-ready.yaml
new file mode 100644
index 0000000000..2f4e0c7a8b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-delete-rule-policy
+ namespace: otter
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy-with-rule-removed.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy-with-rule-removed.yaml
new file mode 100644
index 0000000000..97b48c5a44
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy-with-rule-removed.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: otter
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-delete-rule-policy
+ namespace: otter
+spec:
+ generateExisting: false
+ rules:
+ - name: pol-data-nosync-delete-rule-policy-ruleone
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: otter
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy.yaml
new file mode 100644
index 0000000000..8f944a16ff
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy.yaml
@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: otter
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-delete-rule-policy
+ namespace: otter
+spec:
+ generateExisting: false
+ rules:
+ - name: pol-data-nosync-delete-rule-policy-ruleone
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: otter
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
+ - name: pol-data-nosync-delete-rule-policy-ruletwo
+ match:
+ any:
+ - resources:
+ kinds:
+ - Service
+ generate:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: default-deny
+ namespace: otter
+ synchronize: false
+ data:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/resource-generated.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/resource-generated.yaml
new file mode 100644
index 0000000000..56b4ec706c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/resource-generated.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: otter
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: otter
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/resource.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/resource.yaml
new file mode 100644
index 0000000000..e0b7e54340
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/resource.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: test-secret
+ namespace: otter
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: engsvcclusip
+ name: engsvcclusip
+ namespace: otter
+spec:
+ ports:
+ - name: 80-80
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ app: engsvcclusip
+ sessionAffinity: None
+ type: ClusterIP
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/01-assert.yaml
new file mode 100644
index 0000000000..632273004f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-data-nosync-delete-trigger
+ namespace: pol-data-nosync-delete-trigger-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/01-manifests.yaml
new file mode 100644
index 0000000000..144c2838fb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/01-manifests.yaml
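Review bot: 01-assert.yaml checks the Policy under `apiVersion: kyverno.io/v2beta1` while 01-manifests.yaml creates it as `kyverno.io/v1` and every other policy-ready fixture in this change also uses v1, so this assertion only works as long as the installed CRD still serves v2beta1 and it is the odd one out. Change it to `apiVersion: kyverno.io/v1` to match the manifest and the sibling tests. This test also mixes implicit kuttl-style `01-assert.yaml`/`01-manifests.yaml` files with explicit TestStep objects from step 03 onward, which makes the step order harder to follow than in the neighbouring tests; converting step 01 to a TestStep with `apply` and `assert` entries would remove the mixed convention.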
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-data-nosync-delete-trigger-ns
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-delete-trigger
+ namespace: pol-data-nosync-delete-trigger-ns
+spec:
+ rules:
+ - name: default-deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: default-deny
+ namespace: pol-data-nosync-delete-trigger-ns
+ synchronize: false
+ data:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/02-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/02-trigger.yaml
new file mode 100644
index 0000000000..821288b5ff
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/02-trigger.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: pol-data-nosync-delete-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/03-downstream-created.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/03-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/03-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
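Review bot: The rule in 01-manifests.yaml matches every ConfigMap in pol-data-nosync-delete-trigger-ns rather than only the `test-org` trigger applied in 02-trigger.yaml; Kubernetes populates each new namespace with a `kube-root-ca.crt` ConfigMap, so if that object is admitted after the policy becomes Ready it, rather than `test-org`, may be what generates `default-deny`, and deleting `test-org` in step 04 would then say nothing about trigger deletion. Narrow the match to the intended trigger by adding `names:` / `  - test-org` under `resources:` next to `kinds:`. Whether the race actually occurs depends on ordering that is not visible here, but the narrower match removes it either way and documents which object the test considers the trigger.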
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/04-delete.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/04-delete.yaml
new file mode 100644
index 0000000000..7af553272e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/04-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: test-org
+ namespace: pol-data-nosync-delete-trigger-ns
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/05-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/06-downstream-remained.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/06-downstream-remained.yaml
new file mode 100644
index 0000000000..7f8c209394
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/06-downstream-remained.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-remained
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/README.md b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/README.md
new file mode 100644
index 0000000000..4be40182fa
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a trigger resource, with a generate data declaration and sync disabled, doesn't result in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test fails. If it remains, the test passes.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/2229
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/downstream.yaml
new file mode 100644
index 0000000000..ddedd3b448
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-trigger/downstream.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: pol-data-nosync-delete-trigger-ns
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/01-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/02-create-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/02-create-secret.yaml
new file mode 100644
index 0000000000..a832bf5a48
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/02-create-secret.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-secret
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: secret.yaml
+ - assert:
+ file: generated-configmap.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/03-modify.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/03-modify.yaml
new file mode 100644
index 0000000000..ff6ac70814
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/03-modify.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: modify
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: modified-downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/05-assert.yaml
new file mode 100644
index 0000000000..2f9c6f63eb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/05-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: iamfixingsomedatainthiskey:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: lionfish
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/README.md b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/README.md
new file mode 100644
index 0000000000..13559ace3f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test makes sure that a Policy (Namespaced) with a generate rule, data type, and sync NOT enabled, when the downstream (generated) resource is modified this does NOT result in those modifications being reverted based upon the definition stored in the rule.
+
+## Expected Behavior
+
+If the generated resource remains in the modified state, the test passes. If it is synced with the contents in the rule, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/generated-configmap.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/generated-configmap.yaml
new file mode 100644
index 0000000000..4fb0e5ed34
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/generated-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: lionfish
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/modified-downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/modified-downstream.yaml
new file mode 100644
index 0000000000..2f9c6f63eb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/modified-downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: iamfixingsomedatainthiskey:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: lionfish
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/policy-ready.yaml
new file mode 100644
index 0000000000..2926e49598
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-modify-downstream-policy
+ namespace: lionfish
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/policy.yaml
new file mode 100644
index 0000000000..7c893b9e36
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: lionfish
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-modify-downstream-policy
+ namespace: lionfish
+spec:
+ rules:
+ - name: pol-data-nosync-modify-downstream-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: lionfish
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/secret.yaml
new file mode 100644
index 0000000000..0ad25a0e3c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-downstream/secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: mytestsecret
+ namespace: lionfish
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/01-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/02-create-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/02-create-secret.yaml
new file mode 100644
index 0000000000..a832bf5a48
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/02-create-secret.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-secret
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: secret.yaml
+ - assert:
+ file: generated-configmap.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/03-modify.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/03-modify.yaml
new file mode 100644
index 0000000000..d08c87d3ac
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/03-modify.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: modify
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: modified-rule.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/05-assert.yaml
new file mode 100644
index 0000000000..a87cbc51a1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/05-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: hawksbill
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/README.md b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/README.md
new file mode 100644
index 0000000000..c76c6b78d2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test makes sure that a Policy (Namespaced) with a generate rule, data type, and sync NOT enabled, when the rule definition (under the data object) is modified this does NOT cause those changes to be propagated to downstream (generated) resources.
+
+## Expected Behavior
+
+If the resource is not synced from the changes made to the rule, the test passes. If it is synced, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/generated-configmap.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/generated-configmap.yaml
new file mode 100644
index 0000000000..a87cbc51a1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/generated-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: hawksbill
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/modified-rule.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/modified-rule.yaml
new file mode 100644
index 0000000000..ec9922efda
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/modified-rule.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-modify-rule-policy
+ namespace: hawksbill
+spec:
+ rules:
+ - name: pol-data-nosync-modify-rule-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: hawksbill
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "thisrepresentssomechangeddata"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/policy-ready.yaml
new file mode 100644
index 0000000000..868ffbd075
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-modify-rule-policy
+ namespace: hawksbill
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/policy.yaml
new file mode 100644
index 0000000000..ba8be73dd4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: hawksbill
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-modify-rule-policy
+ namespace: hawksbill
+spec:
+ rules:
+ - name: pol-data-nosync-modify-rule-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: hawksbill
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/secret.yaml
new file mode 100644
index 0000000000..46176e8864
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-modify-rule/secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: mytestsecret
+ namespace: hawksbill
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/01-assert.yaml
new file mode 100644
index 0000000000..880006081e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-data-nosync-update-trigger-no-match
+ namespace: pol-data-nosync-update-trigger-no-match-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
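Review bot: 01-assert.yaml asserts the Policy under `apiVersion: kyverno.io/v2beta1`, while the 01-manifests.yaml hunk that creates it, and every policy-ready.yaml elsewhere in this change, use `kyverno.io/v1`. The assertion only works because the API server converts between served versions of the same CRD, which is a silent dependency on v2beta1 staying served and is inconsistent with the sibling tests. Suggest `apiVersion: kyverno.io/v1` here, or, if reading the status through v2beta1 is deliberately under test, a comment on the line saying so.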
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/01-manifests.yaml
new file mode 100644
index 0000000000..06651e3030
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/01-manifests.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-data-nosync-update-trigger-no-match-ns
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-nosync-update-trigger-no-match
+ namespace: pol-data-nosync-update-trigger-no-match-ns
+spec:
+ rules:
+ - name: default-deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ selector:
+ matchLabels:
+ create-netpol: "true"
+ generate:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: default-deny
+ namespace: pol-data-nosync-update-trigger-no-match-ns
+ synchronize: false
+ data:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/02-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/02-trigger.yaml
new file mode 100644
index 0000000000..d6cc463866
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/02-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-netpol: "true"
+ name: test-org
+ namespace: pol-data-nosync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/03-downstream-created.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/03-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/03-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/04-update-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/04-update-trigger.yaml
new file mode 100644
index 0000000000..e072feb77c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/04-update-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-netpol: "false"
+ name: test-org
+ namespace: pol-data-nosync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/05-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/06-downstream-deleted.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/06-downstream-deleted.yaml
new file mode 100644
index 0000000000..70051ec60a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/06-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/README.md b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/README.md
new file mode 100644
index 0000000000..3ecef13843
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match the rule, with a generate data declaration and sync disabled, does not result in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource remains, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6507
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/downstream.yaml
new file mode 100644
index 0000000000..97aeb906c0
--- /dev/null
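Review bot: The step is named `downstream-deleted` but it asserts `downstream.yaml`, i.e. that the generated NetworkPolicy still exists, which is the README's expected outcome (sync is disabled, so the downstream must NOT be deleted); apart from the name the step is identical to 03-downstream-created.yaml. Anyone skimming the step names will read this as the opposite expectation, and a future edit that "fixes" it into an `error:` check would invert the test. Suggest `name: downstream-retained` (and the matching file name), or at least a comment on the assert, `# sync disabled: the downstream must survive the trigger no longer matching`.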
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-update-trigger-no-match/downstream.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: pol-data-nosync-update-trigger-no-match-ns
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-invalid/01-script-try-create.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-invalid/01-script-try-create.yaml
new file mode 100644
index 0000000000..24bc7f0720
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-invalid/01-script-try-create.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: script-try-create
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl apply -f policy.yaml\nthen \n echo \"Tested failed. Policy
+ was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test
+ succeeded. Policy was not created as intended.\"\n exit 0\nfi\n"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-invalid/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-invalid/README.md
new file mode 100644
index 0000000000..cd81d6e893
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-invalid/README.md
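Review bot: The script in 01-script-try-create.yaml treats any non-zero exit of `kubectl apply -f policy.yaml` as the expected cross-Namespace rejection, so it cannot tell that rejection from an unrelated failure. In particular this test's policy.yaml (the hunk after the README) puts the Policy in `namespace: poltest` but, unlike the valid test's policy.yaml, carries no Namespace document and no other file in this test creates one, so when `poltest` is absent the apply would, as far as I can tell, fail with a namespace-not-found error before Kyverno's validation runs and the test passes for the wrong reason. Capture the output and match the rejection: `if out=$(kubectl apply -f policy.yaml 2>&1); then echo "Test failed. Policy was created when it shouldn't have been."; exit 1; fi` followed by `echo "$out" | grep -q '<EXPECTED_CROSS_NAMESPACE_REJECTION_TEXT placeholder>' || { echo "Unexpected failure: $out"; exit 1; }`, and create the namespace in a preceding `apply:` step. The echo text `Tested failed` is also a typo.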
@@ -0,0 +1,13 @@
+## Description
+
+This test performs two checks to ensure that a "bad" Policy, one in which a user may attempt to cross-Namespace generate a resource, is blocked from creation.
+
+This test is basically identical to a similar one in which sync is disabled and the results should be the same. In this test, the setting of `sync` is irrelevant yet is tested here for completeness.
+
+## Expected Behavior
+
+"bad" (invalid) Policy should fail to be created. If all the creations are blocked, the test succeeds. If any creation is allowed, the test fails.
+
+## Reference Issue(s)
+
+5099
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-invalid/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-invalid/policy.yaml
new file mode 100644
index 0000000000..8848eec422
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-invalid/policy.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-data-sync
+ namespace: poltest
+spec:
+ rules:
+ - name: gen-zk
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: test
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-valid/01-script-try-create.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-valid/01-script-try-create.yaml
new file mode 100644
index 0000000000..27fcd29d25
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-valid/01-script-try-create.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: script-try-create
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl apply -f policy.yaml\nthen\n echo \"Test succeeded. Policy
+ was created as intended.\"\n exit 0 \nelse \n echo \"Tested failed. Policy
+ was not created when it should have been.\"\n exit 1\nfi\n"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-valid/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-valid/README.md
new file mode 100644
index 0000000000..231be8b064
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-valid/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test performs a check to ensure that a "good" Policy, one in which a user may attempt to in-Namespace generate a resource, is allowed to be created.
+
+This test is basically identical to a similar one in which sync is disabled and the results should be the same. In this test, the setting of `sync` is irrelevant yet is tested here for completeness.
+
+## Expected Behavior
+
+"good" (valid) Policy should be successfully created. If the creations is blocked, the test failed. If any creation is allowed, the test succeeds.
+
+## Reference Issue(s)
+
+5099
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-valid/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-valid/policy.yaml
new file mode 100644
index 0000000000..70df88a12b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-create-policy-valid/policy.yaml
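Review bot: Objects created by `kubectl apply` inside this `script` step are, as far as I can tell, not tracked by chainsaw's cleanup the way objects from an `apply:` step are, so the `poltest` Namespace and the `pol-data-sync` Policy (with `synchronize: true`) that policy.yaml creates outlive the test. The invalid-policy test in the previous file also targets `poltest`, so whether that test sees a namespace-not-found error or the intended cross-Namespace rejection depends on which of the two ran first. Since this case expects the apply to succeed, `- apply:` with `file: policy.yaml` followed by an `assert:` on the Ready condition gives the same check with tracked cleanup; if the script is kept, a `finally:` that deletes the namespace would close the leak. The echo text `Tested failed` is a typo here as well.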
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: poltest
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-data-sync
+ namespace: poltest
+spec:
+ rules:
+ - name: gen-zk
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: poltest
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/01-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/02-create-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/02-create-secret.yaml
new file mode 100644
index 0000000000..a832bf5a48
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/02-create-secret.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-secret
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: secret.yaml
+ - assert:
+ file: generated-configmap.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/03-delete.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/03-delete.yaml
new file mode 100644
index 0000000000..0582a1c7c3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/03-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: exeter
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/04-sleep.yaml
new file mode 100644
index 0000000000..fadf2fb80e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "6"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/05-assert.yaml
new file mode 100644
index 0000000000..4cbb4be8c9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/05-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: exeter
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/README.md
new file mode 100644
index 0000000000..d07c39c3c8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test makes sure that a Policy (Namespaced) with a generate rule, data type, and sync enabled, when the downstream (generated) resource is deleted causes it to be recreated with the definition of the resource stored in the rule.
+
+## Expected Behavior
+
+If the resource is re-created according to the definition in the rule, the test passes. If it remains in a deleted state, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/generated-configmap.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/generated-configmap.yaml
new file mode 100644
index 0000000000..4cbb4be8c9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/generated-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: exeter
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/policy-ready.yaml
new file mode 100644
index 0000000000..73eb7b6a38
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-sync-delete-downstream-policy
+ namespace: exeter
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/policy.yaml
new file mode 100644
index 0000000000..3523e08449
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: exeter
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-sync-delete-downstream-policy
+ namespace: exeter
+spec:
+ rules:
+ - name: pol-data-sync-delete-downstream-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: exeter
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/secret.yaml
new file mode 100644
index 0000000000..63656ec6fe
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-downstream/secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: mytestsecret
+ namespace: exeter
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/01-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/02-create-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/02-create-secret.yaml
new file mode 100644
index 0000000000..a832bf5a48
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/02-create-secret.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-secret
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: secret.yaml
+ - assert:
+ file: generated-configmap.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/03-delete.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/03-delete.yaml
new file mode 100644
index 0000000000..328f19e7f4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/03-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: kyverno.io/v1
+ kind: Policy
+ name: pol-data-sync-delete-policy-policy
+ namespace: manasis
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/05-errors.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/05-errors.yaml
new file mode 100644
index 0000000000..a96cd1bc76
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/05-errors.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: manasis
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/README.md
new file mode 100644
index 0000000000..90d2713bd8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test makes sure that a Policy (Namespaced) with a generate rule, data type, and sync enabled, when the policy is deleted causes the downstream (generated) resource to also be deleted.
+
+## Expected Behavior
+
+If the resource is deleted after the Policy is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+5753
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/generated-configmap.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/generated-configmap.yaml
new file mode 100644
index 0000000000..a96cd1bc76
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/generated-configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: manasis
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/policy-ready.yaml
new file mode 100644
index 0000000000..c1e19b575d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-sync-delete-policy-policy
+ namespace: manasis
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/policy.yaml
new file mode 100644
index 0000000000..738c386a04
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: manasis
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-sync-delete-policy-policy
+ namespace: manasis
+spec:
+ rules:
+ - name: pol-data-sync-delete-policy-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: manasis
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/secret.yaml
new file mode 100644
index 0000000000..0da7104809
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-policy/secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: mytestsecret
+ namespace: manasis
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/01-assert.yaml
new file mode 100644
index 0000000000..9cd68a01c7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: multiple-gens
+ namespace: pol-data-sync-delete-rule
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/01-manifests.yaml
new file mode 100644
index 0000000000..4e9da6fc27
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/01-manifests.yaml
@@ -0,0 +1,56 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-data-sync-delete-rule
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: multiple-gens
+ namespace: pol-data-sync-delete-rule
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - trigger-secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: pol-data-sync-delete-rule
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
+ - name: super-configmap
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - trigger-secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: superconfigmap
+ namespace: pol-data-sync-delete-rule
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ key: superconfigmap
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/02-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/02-trigger.yaml
new file mode 100644
index 0000000000..d34c5e509a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/02-trigger.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ org: kyverno
+ name: trigger-secret
+ namespace: pol-data-sync-delete-rule
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/03-check.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/03-check.yaml
new file mode 100644
index 0000000000..636f896e15
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/03-check.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: configmap.yaml
+ - assert:
+ file: configmap-remain.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/04-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/04-assert.yaml
new file mode 100644
index 0000000000..9cd68a01c7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/04-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: multiple-gens
+ namespace: pol-data-sync-delete-rule
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/04-delete-rule.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/04-delete-rule.yaml
new file mode 100644
index 0000000000..fd97ab5bec
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/04-delete-rule.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: multiple-gens
+ namespace: pol-data-sync-delete-rule
+spec:
+ generateExisting: false
+ rules:
+ - name: super-configmap
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - trigger-secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: superconfigmap
+ namespace: pol-data-sync-delete-rule
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ key: superconfigmap
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/05-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/06-checks.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/06-checks.yaml
new file mode 100644
index 0000000000..efc053fc7e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/06-checks.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: checks
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: configmap-remain.yaml
+ - error:
+ file: configmap.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/README.md
new file mode 100644
index 0000000000..75255c9be8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a rule in a Policy (Namespaced) generate rule, data declaration, with sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+The downstream (generated) resource is expected to be deleted if the corresponding rule within a Policy is deleted. If it is not deleted, the test fails. If it is deleted, the test passes.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5744
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/configmap-remain.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/configmap-remain.yaml
new file mode 100644
index 0000000000..17607f464f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/configmap-remain.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+ key: superconfigmap
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: superconfigmap
+ namespace: pol-data-sync-delete-rule
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/configmap.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/configmap.yaml
new file mode 100644
index 0000000000..e97ab78537
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: pol-data-sync-delete-rule
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/01-assert.yaml
new file mode 100644
index 0000000000..1715d402b3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-sync-delete-trigger
+ namespace: pol-data-sync-delete-trigger-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/01-manifests.yaml
new file mode 100644
index 0000000000..7ea047b97b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/01-manifests.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-data-sync-delete-trigger-ns
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-sync-delete-trigger
+ namespace: pol-data-sync-delete-trigger-ns
+spec:
+ rules:
+ - name: default-deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: default-deny
+ namespace: pol-data-sync-delete-trigger-ns
+ synchronize: true
+ data:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/02-configmap.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/02-configmap.yaml
new file mode 100644
index 0000000000..4a3d303ee8
--- /dev/null
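Review bot: The `default-deny` rule in `01-manifests.yaml` matches every ConfigMap in `pol-data-sync-delete-trigger-ns`, so the test's premise that `test-org` is the only trigger holds only if nothing else creates a ConfigMap there; Kubernetes publishes `kube-root-ca.crt` into every new namespace, and whether that object becomes a trigger presumably depends on timing relative to the policy becoming ready. The sibling `pol-data-sync-delete-rule` test pins its trigger with `names:` under `resources:`, which makes the step-05 deletion scenario unambiguous; I would do the same here by adding `names:` and `- test-org` after `- ConfigMap`. The `pol-data-sync-delete-policy` rule, which matches all Secrets, could take the equivalent pin on `mytestsecret`.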
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/02-configmap.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: pol-data-sync-delete-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/03-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/03-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/04-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/04-assert.yaml
new file mode 100644
index 0000000000..44b5e19659
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/04-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-org
+ namespace: pol-data-sync-delete-trigger-ns
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: pol-data-sync-delete-trigger-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/05-delete.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/05-delete.yaml
new file mode 100644
index 0000000000..b571c46a26
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/05-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: v1
+ kind: ConfigMap
+ name: test-org
+ namespace: pol-data-sync-delete-trigger-ns
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/06-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/06-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/06-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/07-errors.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/07-errors.yaml
new file mode 100644
index 0000000000..4982697bc0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/07-errors.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny
+ namespace: pol-data-sync-delete-trigger-ns
+spec:
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/README.md
new file mode 100644
index 0000000000..2dee2bdee2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-trigger/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a trigger resource, with a generate data declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/2229
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/01-policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/01-policy.yaml
new file mode 100644
index 0000000000..0062deb79c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/01-policy.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-data-sync-modify-downstream-ns
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-sync
+ namespace: pol-data-sync-modify-downstream-ns
+spec:
+ rules:
+ - name: gen-zk
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-downstream-ns
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/02-secret.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/02-secret.yaml
new file mode 100644
index 0000000000..464dcb75a6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/02-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: test
+ namespace: pol-data-sync-modify-downstream-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/03-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/03-assert.yaml
new file mode 100644
index 0000000000..e74a642483
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/03-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/04-modify.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/04-modify.yaml
new file mode 100644
index 0000000000..c09fe4dd91
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/04-modify.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: modified
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/04-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/04-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/05-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/05-assert.yaml
new file mode 100644
index 0000000000..e74a642483
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/05-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-downstream-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/README.md
new file mode 100644
index 0000000000..bd11ee94e7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-downstream/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that modification of the downstream (cloned/generated) resource used by a Policy `generate` rule with sync enabled using a data declaration causes those changes to be reverted and synchronized from the state of the upstream/source.
+
+## Expected Behavior
+
+After the downstream resource is modified, the changes should be reverted after synchronization occurs. If the downstream resource is synced with the state of the source resource, the test passes. If the downstream resource remains in a modified state, the test fails.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5764
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/01-assert.yaml
new file mode 100644
index 0000000000..f76e4f71f5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-rule
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/01-manifests.yaml
new file mode 100644
index 0000000000..f6274fa6a0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/01-manifests.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-data-sync-modify-rule
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-rule
+spec:
+ generateExisting: true
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-rule
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/02-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/02-trigger.yaml
new file mode 100644
index 0000000000..81ba840078
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/02-trigger.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ labels:
+ org: kyverno
+ name: trigger-secret
+ namespace: pol-data-sync-modify-rule
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/03-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/03-assert.yaml
new file mode 100644
index 0000000000..4f48cf29a5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/03-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-rule
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/03-policy-update.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/03-policy-update.yaml
new file mode 100644
index 0000000000..e8a412a3db
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/03-policy-update.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-rule
+spec:
+ generateExisting: true
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-rule
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/04-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/04-assert.yaml
new file mode 100644
index 0000000000..4f48cf29a5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/04-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: pol-data-sync-modify-rule
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/README.md
new file mode 100644
index 0000000000..7effee6d5e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a generate test to ensure a generate Policy using a data declaration with sync enabled and modifying the policy/rule propagates those changes to a downstream ConfigMap.
+
+## Expected Behavior
+
+The downstream (generated) resource is expected to be synced from the corresponding rule within a Policy is modified. If it is not sync, the test fails. If it is synced, the test passes.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/01-assert.yaml
new file mode 100644
index 0000000000..390ae5fdc0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-data-sync-update-trigger-no-match
+ namespace: pol-data-sync-update-trigger-no-match-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/01-manifests.yaml
new file mode 100644
index 0000000000..10486d63c3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/01-manifests.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-data-sync-update-trigger-no-match-ns
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-data-sync-update-trigger-no-match
+ namespace: pol-data-sync-update-trigger-no-match-ns
+spec:
+ rules:
+ - name: default-deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ selector:
+ matchLabels:
+ create-netpol: "true"
+ generate:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: default-deny
+ namespace: pol-data-sync-update-trigger-no-match-ns
+ synchronize: true
+ data:
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/02-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/02-trigger.yaml
new file mode 100644
index 0000000000..1fa481d9b1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/02-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-netpol: "true"
+ name: test-org
+ namespace: pol-data-sync-update-trigger-no-match-ns
\ No newline at end of file
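Review bot: The Policy in `01-manifests.yaml` is applied as `apiVersion: kyverno.io/v1`, while the sibling `01-assert.yaml` in the preceding hunk checks the same object as `kyverno.io/v2beta1`. Presumably both are served versions of the same resource and the assertion resolves, but a reader comparing the two files sees what looks like two different objects; the other tests in this series keep one version per test (`v1` in delete-rule and delete-trigger, `v2beta1` throughout modify-rule). I would align the assert with the manifest, `apiVersion: kyverno.io/v1` in `01-assert.yaml`, or apply the manifest as `v2beta1` if exercising that version is the intent.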
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/03-downstream-created.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/03-downstream-created.yaml
new file mode 100644
index 0000000000..e515801d11
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/03-downstream-created.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-created
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/04-update-trigger.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/04-update-trigger.yaml
new file mode 100644
index 0000000000..543902ad74
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/04-update-trigger.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create-netpol: "false"
+ name: test-org
+ namespace: pol-data-sync-update-trigger-no-match-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/05-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/05-sleep.yaml
new file mode 100644
index 0000000000..eb76ed03b9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/05-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "3"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/06-downstream-deleted.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/06-downstream-deleted.yaml
new file mode 100644
index 0000000000..f01c4fabad
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/06-downstream-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: downstream-deleted
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/README.md
new file mode 100644
index 0000000000..677ad9e553
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match the rule, with a generate data declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6507
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/downstream.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/downstream.yaml
new file mode 100644
index 0000000000..0ca79e036e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-update-trigger-no-match/downstream.yaml
@@ -0,0 +1,9 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: pol-data-sync-update-trigger-no-match-ns +spec: + policyTypes: + - Ingress + - Egress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/01-assert.yaml new file mode 100644 index 0000000000..48acf967ae --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/01-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: match-trigger-namespace + namespace: match-trigger-namespace-ns +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/01-manifests.yaml new file mode 100644 index 0000000000..a6365916f8 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/01-manifests.yaml 
@@ -0,0 +1,41 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: match-trigger-namespace-ns +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + labels: + example.com/sm-sync: "true" + name: regcred + namespace: match-trigger-namespace-ns +type: Opaque +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: match-trigger-namespace + namespace: match-trigger-namespace-ns +spec: + generateExisting: true + rules: + - name: get-synced-secrets + match: + resources: + kinds: + - Secret + selector: + matchLabels: + example.com/sm-sync: "true" + generate: + apiVersion: v1 + kind: ConfigMap + name: "{{request.object.metadata.name}}-modify" + namespace: match-trigger-namespace-ns + synchronize: true + data: + data: + modify: Zm9v \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/02-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/02-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/02-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/03-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/03-assert.yaml new file mode 100644 index 0000000000..fd6051f3d3 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/03-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +data: + modify: Zm9v +kind: ConfigMap +metadata: + name: regcred-modify + namespace: match-trigger-namespace-ns \ No newline at end of file 
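Review bot: The `match-trigger-namespace` Policy in 01-manifests.yaml uses the flat `match.resources` form while every other policy added in this commit (the cloneList and immutable-* fixtures) uses `match.any`; the flat form is the older syntax, so `match:` / `  any:` / `  - resources:` would align it, and the same applies to non-match-trigger-namespace/01-manifests.yaml. The README.md for this test says the test passes "if the resource secret is created", but the rule generates a ConfigMap named `regcred-modify` — the Secret is the trigger, not the output — so the README sentence should say ConfigMap. Nothing from the trigger Secret (`foo: YmFy`) is copied into the generated ConfigMap, which only carries the static `modify: Zm9v`; a comment on the `generate.data` block, `# static payload only: no data is copied from the trigger Secret`, would save a reviewer auditing this for secret leakage from having to verify it.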
diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/README.md b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/README.md new file mode 100644 index 0000000000..85df447fb7 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks the generateExisting namespaced policy is applied when the trigger is found in the same namespace as the policy. + +## Expected Behavior + +If the resource secret is created, the test passes. If it is not, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6519 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/01-assert.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/01-assert.yaml new file mode 100644 index 0000000000..4445c4cb25 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/01-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: non-match-trigger-namespace + namespace: non-match-trigger-namespace-ns +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/01-manifests.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/01-manifests.yaml new file mode 100644 index 0000000000..ee3ff8a54c --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/01-manifests.yaml 
@@ -0,0 +1,46 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: non-match-trigger-namespace-ns +--- +apiVersion: v1 +kind: Namespace +metadata: + name: non-match-trigger-namespace-ns-2 +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + labels: + example.com/sm-sync: "true" + name: regcred + namespace: non-match-trigger-namespace-ns-2 +type: Opaque +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: non-match-trigger-namespace + namespace: non-match-trigger-namespace-ns +spec: + generateExisting: true + rules: + - name: get-synced-secrets + match: + resources: + kinds: + - Secret + selector: + matchLabels: + example.com/sm-sync: "true" + generate: + apiVersion: v1 + kind: ConfigMap + name: "{{request.object.metadata.name}}-modify" + namespace: non-match-trigger-namespace-ns + synchronize: true + data: + data: + modify: Zm9v \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/02-sleep.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/02-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/02-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/03-errors.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/03-errors.yaml new file mode 100644 index 0000000000..a4a3008633 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/03-errors.yaml 
@@ -0,0 +1,7 @@ +apiVersion: v1 +data: + modify: Zm9v +kind: ConfigMap +metadata: + name: regcred-modify + namespace: non-match-trigger-namespace-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/README.md b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/README.md new file mode 100644 index 0000000000..05eb9aaaf8 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks the generateExisting namespaced policy is not applied when the trigger is not found in the same namespace as the policy. + +## Expected Behavior + +If the resource secret is not created, the test passes. If it is created, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6519 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/01-clusterrole.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/01-clusterrole.yaml new file mode 100644 index 0000000000..15a18f4f8d --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/01-clusterrole.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:background-controller:manage-clusterrole + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - create + - update + - delete + - get \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/02-check.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/02-check.yaml new file mode 100644 index 0000000000..dac64d3a80 --- /dev/null 
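Review bot: 01-clusterrole.yaml grants create/update/delete/get on ClusterRoles to the background controller through the `app.kubernetes.io/component: background-controller` aggregation labels, and nothing in the file says why the test needs this broadened permission. The reason appears to be that `target-scope-validation-pass-2` in policy-pass.yaml clones ClusterRoles, so a header comment such as `# Test-only grant: the background controller needs these verbs to clone ClusterRoles (see policy-pass.yaml, target-scope-validation-pass-2)` would make the elevated scope explicit for anyone auditing the conformance RBAC, and it is worth confirming in the note that chainsaw's step cleanup removes it when the test ends. The `rules:` sequence is also written flush-left (`rules:` / `- apiGroups:`) while the other manifests in this commit indent their sequences; pick one style for the directory.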
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/02-check.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - apply: + file: policy-pass.yaml + - apply: + check: + (error != null): true + file: policy-fail-1.yaml + - apply: + check: + (error != null): true + file: policy-fail-2.yaml + - apply: + check: + (error != null): true + file: policy-fail-3.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/README.md new file mode 100644 index 0000000000..2f48997b96 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/README.md @@ -0,0 +1,15 @@ +## Description + +This test validate cloneList sources scopes and the namespace settings. + +## Expected Behavior + +These tests checks: +1. the mixed scoped of clone sources cannot be defined +2. the namespace must be set if clone namespaced resources +3. the namespace must not be set if clone cluster-wide resources + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7801 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-fail-1.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-fail-1.yaml new file mode 100644 index 0000000000..ef0575594d --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-fail-1.yaml 
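Review bot: Every negative apply in 02-check.yaml passes on `(error != null): true`, which accepts any failure — a missing CRD, an RBAC denial or a webhook timeout satisfies it just as well as the cloneList scope validation the README says is under test. The same loose check is used in immutable-clone/02-update.yaml, immutable-clonelist/02-update.yaml, immutable-downstream/02-update.yaml and immutable-rule-spec/02-update.yaml; immutable-downstream/update-apiversion.yaml is the clearest case, since `apiVersion: v2beta1` for a ConfigMap could plausibly be rejected for being unresolvable rather than for violating immutability. Where the validation message is stable, matching it narrows the check to the intended rejection, e.g. `(contains(error, '<expected message fragment>')): true` (constructed; substitute the actual error text emitted by the validation).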
@@ -0,0 +1,24 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-target-scope-validation-fail-1 +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - ServiceAccount + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + # mixed scope + kinds: + - v1/Secret + - rbac.authorization.k8s.io/v1/ClusterRole + selector: + matchLabels: + allowedToBeCloned: "true" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-fail-2.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-fail-2.yaml new file mode 100644 index 0000000000..5b29fa76c3 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-fail-2.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-target-scope-validation-fail-2 +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - Namespace + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + # ns is forbidden for cluster-wide resource + namespace: default + kinds: + - rbac.authorization.k8s.io/v1/ClusterRole + selector: + matchLabels: + allowedToBeCloned: "true" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-fail-3.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-fail-3.yaml new file mode 100644 index 0000000000..c246207fa5 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-fail-3.yaml 
@@ -0,0 +1,23 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-target-scope-validation-fail-3 +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - Namespace + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + # missing ns for namespaced resource + kinds: + - v1/Secret + selector: + matchLabels: + allowedToBeCloned: "true" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-pass.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-pass.yaml new file mode 100644 index 0000000000..c22ec4e3e5 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/policy-pass.yaml 
@@ -0,0 +1,78 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: target-scope-validation-pass-1 +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - Namespace + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + namespace: default + kinds: + - v1/Secret + selector: + matchLabels: + allowedToBeCloned: "true" +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: target-scope-validation-pass-2 +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - Namespace + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + kinds: + - rbac.authorization.k8s.io/v1/ClusterRole + selector: + matchLabels: + allowedToBeCloned: "true" +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: target-scope-validation-pass-3 +spec: + generateExisting: false + rules: + - name: sync-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + namespace: "{{request.object.metadata.name}}" + synchronize : true + cloneList: + namespace: default + kinds: + - v1/Secret + - v1/ConfigMap + selector: + matchLabels: + allowedToBeCloned: "true" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/01-cluster-policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/01-cluster-policy.yaml new file mode 100644 index 0000000000..93bea49ced --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/01-cluster-policy.yaml 
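Review bot: `target-scope-validation-pass-3` in policy-pass.yaml writes `synchronize : true` with a space before the colon; it parses, but it differs from every other key in the file and trips yamllint's `colons` rule, and the same spelling is repeated in immutable-clonelist/cluster-policy.yaml, update-kinds.yaml, update-ns.yaml and update-selector.yaml — `synchronize: true` throughout. `target-scope-validation-pass-2` appears to pass validation only because 01-clusterrole.yaml granted the background controller ClusterRole verbs earlier in the same test, and that dependency is invisible from this file; a comment on that rule, `# relies on the ClusterRole grant applied in 01-clusterrole.yaml`, would document it.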
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cluster-policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/02-update.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/02-update.yaml new file mode 100644 index 0000000000..3848a17f86 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/02-update.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: update +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: update-name.yaml + - apply: + check: + (error != null): true + file: update-namespace.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/README.md new file mode 100644 index 0000000000..2cb7151702 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/README.md @@ -0,0 +1,12 @@ +## Description + +This test ensures that modification of the clone source defined in a generate ClusterPolicy is disallowed. + +## Expected Behavior + +The test fails if the modification is allowed, otherwise passes. + + +## Reference Issue(s) + +6326 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/policy-ready.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/policy-ready.yaml new file mode 100644 index 0000000000..9448ada4bc --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/policy-ready.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: generate-update-clone +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/policy.yaml new file mode 100644 index 0000000000..6482429f30 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: generate-update-clone +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: Secret + name: regcred + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + namespace: default + name: regcred diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/update-name.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/update-name.yaml new file mode 100644 index 0000000000..107decdc90 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/update-name.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: generate-update-clone +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: Secret + name: regcred + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + namespace: default + name: ichangethis diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/update-namespace.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/update-namespace.yaml new file mode 100644 index 0000000000..0e2ac9c698 --- /dev/null 
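Review bot: `generate-update-clone` in policy.yaml clones `default/regcred` into every matching Namespace with no `exclude` block, whereas the sibling immutable-clonelist/cluster-policy.yaml excludes kube-system, default, kube-public and kyverno. This test never creates a Namespace, so the rule is inert here, but if conformance tests share a cluster or run in parallel an un-scoped Secret-clone rule would copy the credential into any namespace another test creates while this policy exists; adding the same exclude list, or a comment `# no exclude: this test only exercises policy validation and never triggers the rule`, makes the choice deliberate. The file also uses `apiVersion: kyverno.io/v2beta1` while the rest of the directory uses `kyverno.io/v1`; if that is intentional to cover the v2beta1 schema it deserves a comment, otherwise align it.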
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/update-namespace.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: generate-update-clone +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - Namespace + generate: + apiVersion: v1 + kind: Secret + name: regcred + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + namespace: ichangethis + name: regcred diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/01-cluster-policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/01-cluster-policy.yaml new file mode 100644 index 0000000000..e8e70ecd4a --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/01-cluster-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cluster-policy +spec: + timeouts: {} + try: + - apply: + file: cluster-policy.yaml + - assert: + file: cluster-policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/02-update.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/02-update.yaml new file mode 100644 index 0000000000..02fe0d69e0 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/02-update.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: update +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: update-ns.yaml + - apply: + check: + (error != null): true + file: update-kinds.yaml + - apply: + check: + (error != null): true + file: update-selector.yaml 
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/README.md new file mode 100644 index 0000000000..d2661f8b54 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/README.md @@ -0,0 +1,12 @@ +## Description + +This test ensures that modification of the cloneList source defined in a generate ClusterPolicy is disallowed. + +## Expected Behavior + +The test fails if the modification is allowed, otherwise passes. + + +## Reference Issue(s) + +6326 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/cluster-policy-ready.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/cluster-policy-ready.yaml new file mode 100644 index 0000000000..03cb62d2cb --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/cluster-policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-clonelist +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/cluster-policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/cluster-policy.yaml new file mode 100644 index 0000000000..8c8699c88b --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/cluster-policy.yaml 
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-clonelist +spec: + generateExisting: false + rules: + - name: sync-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + namespace: "{{request.object.metadata.name}}" + synchronize : true + cloneList: + namespace: default + kinds: + - v1/Secret + - v1/ConfigMap + selector: + matchLabels: + allowedToBeCloned: "true" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/update-kinds.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/update-kinds.yaml new file mode 100644 index 0000000000..21fed6290e --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/update-kinds.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-clonelist +spec: + generateExisting: false + rules: + - name: sync-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + namespace: "{{request.object.metadata.name}}" + synchronize : true + cloneList: + namespace: default + kinds: + - v1/Secret + selector: + matchLabels: + allowedToBeCloned: "true" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/update-ns.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/update-ns.yaml new file mode 100644 index 0000000000..f92579da4c --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/update-ns.yaml 
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-clonelist +spec: + generateExisting: false + rules: + - name: sync-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + namespace: "{{request.object.metadata.name}}" + synchronize : true + cloneList: + namespace: update-clonelist-ns + kinds: + - v1/Secret + - v1/ConfigMap + selector: + matchLabels: + allowedToBeCloned: "true" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/update-selector.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/update-selector.yaml new file mode 100644 index 0000000000..e7bf93c953 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clonelist/update-selector.yaml @@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-clonelist +spec: + generateExisting: false + rules: + - name: sync-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + namespace: "{{request.object.metadata.name}}" + synchronize : true + cloneList: + namespace: default + kinds: + - v1/Secret + - v1/ConfigMap + selector: + matchLabels: + foo: "bar" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/01-assert.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/01-assert.yaml new file mode 100644 index 0000000000..7b0dcdf1e4 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/01-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-downstream-rule +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/01-policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/01-policy.yaml new file mode 100644 index 0000000000..903a133914 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/01-policy.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-downstream-rule +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/02-update.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/02-update.yaml new file mode 100644 index 0000000000..4861d6a93e --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/02-update.yaml 
@@ -0,0 +1,25 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: update +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: update-name.yaml + - apply: + check: + (error != null): true + file: update-apiversion.yaml + - apply: + check: + (error != null): true + file: update-namespace.yaml + - apply: + check: + (error != null): true + file: update-kind.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/README.md new file mode 100644 index 0000000000..f263e5d7a0 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/README.md @@ -0,0 +1,12 @@ +## Description + +This test ensures that modification of the downstream resource defined in a generate ClusterPolicy is disallowed. + +## Expected Behavior + +The test fails if the modification is allowed, otherwise passes. + + +## Reference Issue(s) + +6326 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-apiversion.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-apiversion.yaml new file mode 100644 index 0000000000..8f15f26f03 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-apiversion.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-downstream-rule +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v2beta1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-kind.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-kind.yaml new file mode 100644 index 0000000000..f4527f5a5f --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-kind.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-downstream-rule +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: Secret + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" 
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-name.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-name.yaml new file mode 100644 index 0000000000..7dd19b764c --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-name.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-downstream-rule +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: i-changed-this + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-namespace.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-namespace.yaml new file mode 100644 index 0000000000..b824c6d45c --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-downstream/update-namespace.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-downstream-rule +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.namespace}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/01-assert.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/01-assert.yaml new file mode 100644 index 0000000000..469825657e --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/01-policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/01-policy.yaml new file mode 100644 index 0000000000..b6a127a3df --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/01-policy.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/02-update.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/02-update.yaml new file mode 100644 index 0000000000..613f58950f --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/02-update.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: update +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: update-rule-name.yaml + - apply: + check: + (error != null): true + file: update-rule-match.yaml + - apply: + check: + (error != null): true + file: update-rule-exclude.yaml + - apply: + check: + (error != null): true + file: update-rule-preconditions.yaml + - apply: + file: update-rule-generate-synchronize.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/README.md new file mode 100644 index 0000000000..058357b4f5 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/README.md 
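Review bot: The final step in 02-update.yaml applies update-rule-generate-synchronize.yaml with no check or assert, so the test only proves that the update was not rejected, not that `synchronize: false` was actually persisted on the ClusterPolicy. An `- assert:` step with a small file pinning `spec.rules[0].generate.synchronize: false` together with the Ready condition, as 01-assert.yaml already does for the initial policy, would close that gap. The four negative steps rely on `(error != null): true`, which also passes when the apply fails for an unrelated reason such as a schema error; if chainsaw's `check` can match on the error text, pinning the immutability reason would make those cases stronger.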
@@ -0,0 +1,12 @@ +## Description + +This test ensures that modification of the rule spec fields defined in a generate ClusterPolicy is disallowed except `spec.generate.synchronize`. + +## Expected Behavior + +The test fails if the modification is allowed, otherwise passes. + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6440 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-exclude.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-exclude.yaml new file mode 100644 index 0000000000..1f104e8e07 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-exclude.yaml @@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-generate-synchronize.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-generate-synchronize.yaml new file mode 100644 index 0000000000..4782cbfde3 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-generate-synchronize.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-match.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-match.yaml new file mode 100644 index 0000000000..154d4fd7be --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-match.yaml @@ -0,0 +1,36 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + - Secret + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" 
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-name.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-name.yaml new file mode 100644 index 0000000000..36bb320478 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-name.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + generateExisting: false + rules: + - name: i-changed-this + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: default + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-preconditions.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-preconditions.yaml new file mode 100644 index 0000000000..548013e960 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-rule-spec/update-rule-preconditions.yaml 
@@ -0,0 +1,43 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-rule-spec +spec: + admission: true + background: true + rules: + - exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + apiVersion: v1 + data: + data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: zk-kafka-address + namespace: default + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: k-kafka-address + preconditions: + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/01-fail-no-permission.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/01-fail-no-permission.yaml new file mode 100644 index 0000000000..241f77887c --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/01-fail-no-permission.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: fail-no-permission +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: policy.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/02-clusterrole.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/02-clusterrole.yaml new file mode 100644 index 0000000000..b7cc486047 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/02-clusterrole.yaml 
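Review bot: update-rule-preconditions.yaml differs from 01-policy.yaml in more than the `preconditions` block it is meant to exercise: it drops `generateExisting: false`, adds `admission`, `background` and `validationFailureAction: Audit`, reorders every key, and leaves `KAFKA_ADDRESS`/`ZK_ADDRESS` unquoted where the sibling fixtures quote them. If any of those extra fields is itself rejected or normalized differently by the webhook, the `(error != null)` check in 02-update.yaml passes for the wrong reason. Keeping the fixture byte-identical to 01-policy.yaml plus only the `preconditions:` stanza makes the rejection attributable to the field under test and keeps the quoting style consistent with the other files in this directory.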
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:background-controller:temp + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno +rules: +- apiGroups: + - '*' + resources: + - serviceaccounts + verbs: + - create + - update + - patch + - delete + - get + - list \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/03-pass.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/03-pass.yaml new file mode 100644 index 0000000000..a6fe7e06e5 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/03-pass.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pass +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/04-delete.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/04-delete.yaml new file mode 100644 index 0000000000..3cc6bcc3fa --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/04-delete.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete +spec: + timeouts: {} + try: + - delete: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: cpol-validate-create-sa-permission diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/05-pass.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/05-pass.yaml new file mode 100644 index 0000000000..783ad0db47 --- /dev/null 
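Review bot: The ClusterRole `kyverno:background-controller:temp` grants `apiGroups: ['*']` for `serviceaccounts`, but ServiceAccount exists only in the core API group, so `- ""` is the precise grant and the wildcard conveys more than the test needs. The verb list (`create`, `update`, `patch`, `delete`, `get`, `list`) is also broader than what a generate rule plausibly requires; if the permission check only covers the generate verbs, trimming it documents exactly which permissions the test asserts are necessary, which is the point of a permission test. The file also ends without a trailing newline, unlike the TestStep files around it.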
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/05-pass.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pass +spec: + timeouts: {} + try: + - apply: + file: policy-with-var.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/README.md new file mode 100644 index 0000000000..574d53f793 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/README.md @@ -0,0 +1,12 @@ +## Description + +This test ensures that a generate policy is denied when it does not have corresponding permissions to generate the downstream resource. + +## Expected Behavior + +The test fails if the policy creation is allowed, otherwise passes. + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6584 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/policy-assert.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/policy-assert.yaml new file mode 100644 index 0000000000..eeef1d440f --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-validate-create-sa-permission +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/policy-with-var.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/policy-with-var.yaml new file mode 100644 index 0000000000..7fff2a9167 
--- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/policy-with-var.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-validate-create-sa-permission +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - ConfigMap + generate: + apiVersion: v1 + kind: ServiceAccount + name: cpol-validate-create-sa-permission-sa + namespace: "{{ request.object.metadata.namespace }}" + synchronize: true + clone: + namespace: default + name: regcred \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/policy.yaml new file mode 100644 index 0000000000..a8d6636ff3 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/no-permission/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-validate-create-sa-permission +spec: + rules: + - name: clone-secret + match: + any: + - resources: + kinds: + - ConfigMap + generate: + apiVersion: v1 + kind: ServiceAccount + name: cpol-validate-create-sa-permission-sa + namespace: default + synchronize: true + clone: + namespace: default + name: regcred \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/01-clusterrole.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/01-clusterrole.yaml new file mode 100644 index 0000000000..a7bfdac24d --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/01-clusterrole.yaml 
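Review bot: In policy.yaml and policy-with-var.yaml the rule is named `clone-secret` but it generates a `ServiceAccount` by cloning `regcred` from `default`, a name conventionally used for a registry pull Secret, and no visible step creates that source object. This is harmless here because the test exercises only the admission-time permission check on the policy, not the generate itself, but the mismatch will mislead a reader who expects the clone to run. Renaming the rule to something like `clone-serviceaccount` and adding a comment above `clone:` such as `# source object is intentionally absent; this test only checks policy admission` would make the scope explicit.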
@@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:background-controller:manage-policy + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno +rules: +- apiGroups: + - kyverno.io + resources: + - policies + verbs: + - create + - update + - delete + - get \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/01-crd.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/01-crd.yaml new file mode 100644 index 0000000000..2b88f75337 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/01-crd.yaml 
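Review bot: The ClusterRole grants `create/update/delete/get` on `kyverno.io` `policies` only, yet 03-check.yaml expects policy-1-subresource.yaml, which generates `kyverno.io/v1` `Policy/status`, to be admitted without error. If the auth check now includes the subresource as the README states, that apply can only succeed through permissions granted outside this fixture, presumably the background controller's default role, which leaves the positive subresource case implicit. Adding `- policies/status` under `resources` keeps the fixture self-contained and documents the distinction the test is about. A comment noting that `kyverno:background-controller:manage-policy` is a test-only grant would also help, since letting the background controller create Kyverno policies is a privilege-escalation path that should not be copied into a real deployment.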
@@ -0,0 +1,321 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.4 + name: policies.k8s.nginx.org +spec: + conversion: + strategy: None + group: k8s.nginx.org + names: + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Current state of the Policy. If the resource has a valid status, + it means it has been validated and accepted by the Ingress Controller. + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. 
+ properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + basicAuth: + description: 'BasicAuth holds HTTP Basic authentication configuration + policy status: preview' + properties: + realm: + type: string + secret: + type: string + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressClassName: + type: string + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + crlFileName: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + jwksURI: + type: string + keyCache: + type: string + realm: + type: string + secret: + type: string + token: + type: string + type: object + oidc: + description: OIDC defines an Open ID Connect policy. + properties: + accessTokenEnable: + type: boolean + authEndpoint: + type: string + authExtraArgs: + items: + type: string + type: array + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + zoneSyncLeeway: + type: integer + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + waf: + description: WAF defines an WAF policy. 
+ properties: + apBundle: + type: string + apPolicy: + type: string + enable: + type: boolean + securityLog: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + securityLogs: + items: + description: SecurityLog defines the security log of a WAF policy. + properties: + apLogConf: + type: string + enable: + type: boolean + logDest: + type: string + type: object + type: array + type: object + type: object + status: + description: PolicyStatus is the status of the policy resource + properties: + message: + type: string + reason: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute + resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes + multiple fields, where each field represents a different policy. Only + one policy (field) is allowed. + properties: + accessControl: + description: AccessControl defines an access policy based on the source + IP of a request. 
+ properties: + allow: + items: + type: string + type: array + deny: + items: + type: string + type: array + type: object + egressMTLS: + description: EgressMTLS defines an Egress MTLS policy. + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + type: object + ingressMTLS: + description: IngressMTLS defines an Ingress MTLS policy. + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + type: object + jwt: + description: JWTAuth holds JWT authentication configuration. + properties: + realm: + type: string + secret: + type: string + token: + type: string + type: object + rateLimit: + description: RateLimit defines a rate limit policy. + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + type: object + type: object + type: object + served: true + storage: false diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/02-assert.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/02-assert.yaml new file mode 100644 index 0000000000..e610d86806 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/02-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: policies.k8s.nginx.org +spec: {} +status: + acceptedNames: + kind: Policy + listKind: PolicyList + plural: policies + singular: policy \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/03-check.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/03-check.yaml new file mode 100644 index 0000000000..b051d10ee4 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/03-check.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - apply: + file: policy-1.yaml + - apply: + file: policy-1-subresource.yaml + - apply: + check: + (error != null): true + file: policy-2.yaml + - apply: + check: + (error != null): true + file: policy-2-subresource.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/README.md new file mode 100644 index 0000000000..0a83715969 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/README.md @@ -0,0 +1,12 @@ +## Description + +This test ensures that the auth checks for generate policy is performed against given the APIVersion and the subresource. + +## Expected Behavior + +The test fails if the policy that generates `k8s.nginx.org/v1/policy` and its subresource can be created, otherwise passes. + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7618 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-1-subresource.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-1-subresource.yaml new file mode 100644 index 0000000000..a154db1812 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-1-subresource.yaml 
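Review bot: 03-check.yaml applies policy-1.yaml and policy-1-subresource.yaml with no `assert:` step, so the positive cases pass as long as the API server does not reject the object, even if the policy later reports Ready=False; the sibling no-permission test instead asserts a `policy-assert.yaml` carrying the Ready condition. Adding an equivalent assert for `generate-same-kind-pol-1` and `generate-same-kind-pol-2` would catch a regression where the policy is admitted but fails validation in the controller.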
@@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-same-kind-pol-1 +spec: + rules: + - name: generate-add-labels-policy + match: + all: + - resources: + kinds: + - Namespace + generate: + synchronize: true + apiVersion: kyverno.io/v1 + kind: Policy/status + name: add-labels-policy + namespace: '{{request.object.metadata.name}}' + data: + spec: + rules: + - name: add-labels + match: + all: + - resources: + kinds: + - Pod + - Service + - PersistentVolumeClaim + mutate: + patchStrategicMerge: + metadata: + labels: + AppID: '{{request.object.metadata.labels.AppID}}' \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-1.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-1.yaml new file mode 100644 index 0000000000..6b2eb9db83 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-1.yaml @@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-same-kind-pol-2 +spec: + rules: + - name: generate-add-labels-policy + match: + all: + - resources: + kinds: + - Namespace + generate: + synchronize: true + apiVersion: kyverno.io/v1 + kind: Policy + name: add-labels-policy + namespace: '{{request.object.metadata.name}}' + data: + spec: + rules: + - name: add-labels + match: + all: + - resources: + kinds: + - Pod + - Service + - PersistentVolumeClaim + mutate: + patchStrategicMerge: + metadata: + labels: + AppID: '{{request.object.metadata.labels.AppID}}' \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-2-subresource.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-2-subresource.yaml new file mode 100644 index 0000000000..68f546b503 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-2-subresource.yaml @@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-same-kind-pol-3 +spec: + rules: + - name: generate-add-labels-policy + match: + all: + - resources: + kinds: + - Namespace + generate: + synchronize: true + apiVersion: k8s.nginx.org/v1 + kind: Policy/status + name: add-labels-policy + namespace: '{{request.object.metadata.name}}' + data: + spec: + rules: + - name: add-labels + match: + all: + - resources: + kinds: + - Pod + - Service + - PersistentVolumeClaim + mutate: + patchStrategicMerge: + metadata: + labels: + AppID: '{{request.object.metadata.labels.AppID}}' \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-2.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-2.yaml new file mode 100644 index 0000000000..e4de253ac9 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/permissions/same-kind/policy-2.yaml @@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-same-kind-pol-4 +spec: + rules: + - name: generate-add-labels-policy + match: + all: + - resources: + kinds: + - Namespace + generate: + synchronize: true + apiVersion: k8s.nginx.org/v1 + kind: Policy + name: add-labels-policy + namespace: '{{request.object.metadata.name}}' + data: + spec: + rules: + - name: add-labels + match: + all: + - resources: + kinds: + - Pod + - Service + - PersistentVolumeClaim + mutate: + patchStrategicMerge: + metadata: + labels: + AppID: '{{request.object.metadata.labels.AppID}}' \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/prevent-loop/01-pass.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/prevent-loop/01-pass.yaml new file mode 100644 index 0000000000..4d18430c4e --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/prevent-loop/01-pass.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pass +spec: + timeouts: {} + try: + - apply: + file: policy.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/prevent-loop/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/prevent-loop/README.md new file mode 100644 index 0000000000..de89752734 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/prevent-loop/README.md @@ -0,0 +1,12 @@ +## Description + +This test ensures that a generate policy is allowed to have the same kind defined in the trigger and the target resources. The flag `--backgroundServiceAccountName` was added to prevent endless loop. + +## Expected Behavior + +The test passes if the policy creation is allowed, otherwise fails. + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7280 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/prevent-loop/policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/prevent-loop/policy.yaml new file mode 100644 index 0000000000..c502951688 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/prevent-loop/policy.yaml 
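Review bot: 01-pass.yaml only applies policy.yaml, so the test verifies that a policy whose trigger and target kinds are both `ConfigMap` is admitted; it does not exercise the loop prevention that the README attributes to `--backgroundServiceAccountName`. A follow-up step that creates one ConfigMap and asserts, after a bounded wait, that exactly one `corp-*` ConfigMap exists in that namespace would turn the README's claim into checked behaviour. If that is out of scope here, a comment in the step such as `# admission-only check; loop prevention is covered elsewhere` would make the limited scope explicit.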
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-generate-prevent-loop
+spec:
+ rules:
+ - name: cpol-generate-prevent-loop
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ operations:
+ - CREATE
+ generate:
+ apiVersion: v1
+ kind: ConfigMap
+ name: corp-{{ random('[0-9a-z]{8}') }}
+ namespace: "{{request.namespace}}"
+ synchronize: false
+ data:
+ data:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/01-clusterrole.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/01-clusterrole.yaml
new file mode 100644
index 0000000000..2d6cd750d3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/01-clusterrole.yaml
@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:background-controller:manage-ns-crossplane-role
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - ""
+ - "iam.aws.crossplane.io"
+ resources:
+ - namespaces
+ - roles
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+- apiGroups:
+ - "kyverno.io"
+ resources:
+ - clustercleanuppolicies
+ verbs:
+ - create
+ - update
+ - delete
+ - get
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/01-crd.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/01-crd.yaml
new file mode 100644
index 0000000000..7b4fcae4f4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/01-crd.yaml
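Review bot: The first rule of 01-clusterrole.yaml is a cross product of apiGroups `""` / `"iam.aws.crossplane.io"` with resources `namespaces` / `roles`, which also hands the background controller create, update and delete on core `namespaces`, a permission none of the fixtures in this test needs (they generate `iam.aws.crossplane.io` Roles, an RBAC Role and a ClusterCleanupPolicy). Splitting it into one rule per group with only the resource that group serves keeps the test's grant at least privilege: `- apiGroups: ["iam.aws.crossplane.io"]` with `resources: ["roles"]`, and drop the core-group/`namespaces` pair unless a step turns out to rely on it. The RBAC Role written by policy-pass-1 lives in `rbac.authorization.k8s.io`, which this ClusterRole does not mention, so that permission is presumably granted elsewhere; confirming that is better than widening this file.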
@@ -0,0 +1,234 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: roles.iam.aws.crossplane.io +spec: + group: iam.aws.crossplane.io + names: + categories: + - crossplane + - managed + - aws + kind: Role + listKind: RoleList + plural: roles + shortNames: + - iamrole + singular: role + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: An Role is a managed resource that represents an AWS IAM Role. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: An RoleSpec defines the desired state of an Role. + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: RoleParameters define the desired state of an AWS IAM + Role. 
+ properties: + assumeRolePolicyDocument: + description: AssumeRolePolicyDocument is the the trust relationship + policy document that grants an entity permission to assume the + role. + type: string + description: + description: Description is a description of the role. + type: string + maxSessionDuration: + description: 'MaxSessionDuration is the duration (in seconds) + that you want to set for the specified role. The default maximum + of one hour is applied. This setting can have a value from 1 + hour to 12 hours. Default: 3600' + format: int32 + type: integer + path: + description: 'Path is the path to the role. Default: /' + type: string + permissionsBoundary: + description: PermissionsBoundary is the ARN of the policy that + is used to set the permissions boundary for the role. + type: string + tags: + description: Tags. For more information about tagging, see Tagging + IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + items: + description: Tag represents user-provided metadata that can + be associated with a IAM role. For more information about + tagging, see Tagging IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + description: The key name that can be used to look up or + retrieve the associated value. For example, Department + or Cost Center are common choices. + type: string + value: + description: "The value associated with this tag. For example, + tags with a key name of Department could have values such + as Human Resources, Accounting, and Support. Tags with + a key name of Cost Center might have values that consist + of the number associated with the different cost centers + in your company. Typically, many resources have tags with + the same key name but with different values. \n AWS always + interprets the tag Value as a single string. 
If you need + to store an array, you can store comma-separated values + in the string. However, you must interpret the value in + your code." + type: string + required: + - key + type: object + type: array + required: + - assumeRolePolicyDocument + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: An RoleStatus represents the observed state of an Role. + properties: + atProvider: + description: RoleExternalStatus keeps the state for the external resource + properties: + arn: + description: ARN is the Amazon Resource Name (ARN) specifying + the role. For more information about ARNs and how to use them + in policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide guide. 
+ type: string + roleID: + description: RoleID is the stable and unique string identifying + the role. For more information about IDs, see IAM Identifiers + (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the Using IAM guide. + type: string + required: + - arn + - roleID + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: + - v1beta1 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/02-check.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/02-check.yaml new file mode 100644 index 0000000000..dad6acffa0 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/02-check.yaml 
@@ -0,0 +1,23 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-fail-1-no-ns-namespaced-target.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-fail-2-ns-cluster-target.yaml
+ - apply:
+ file: policy-pass-1-ns-namespaced-target.yaml
+ - apply:
+ file: policy-pass-2-no-ns-cluster-target.yaml
+ - apply:
+ file: policy-pass-3.yaml
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/README.md
new file mode 100644
index 0000000000..d7835127f4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/README.md
@@ -0,0 +1,14 @@
+## Description
+
+This test ensures that the target namespace must be set for namespace-scoped target resource, and must not be set for cluster-wide target resources.
+
+## Expected Behavior
+
+The test fails if the policy creation is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7038
+https://github.com/kyverno/kyverno/issues/7470
+https://github.com/kyverno/kyverno/issues/7750
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-1-no-ns-namespaced-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-1-no-ns-namespaced-target.yaml
new file mode 100644
index 0000000000..9faa6aab0a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-1-no-ns-namespaced-target.yaml
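Review bot: Each failing apply in target-namespace-scope/02-check.yaml is checked only with `(error != null): true`, which accepts any error at all, including one unrelated to target-namespace validation such as the `iam.aws.crossplane.io/v1beta1` CRD not being installed when policy-fail-2 is applied; a regression in the scope check would go unnoticed as long as something else rejects the policy. Matching on the message narrows the check to the behaviour under test, e.g. `(contains(error, '<expected validation message>')): true` with the substring taken from the actual admission error. The same catch-all check is used in cloneList/02-check.yaml, immutable-clone/02-update.yaml, immutable-clonelist/02-update.yaml and immutable-downstream/02-update.yaml.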
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-modify-rule-policy
+spec:
+ generateExisting: false
+ rules:
+ - name: cpol-data-nosync-modify-rule-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml
new file mode 100644
index 0000000000..10821ad2a7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: target-namespace-scope-pass-1
+spec:
+ generateExistingOnPolicyUpdate: true
+ rules:
+ - generate:
+ apiVersion: iam.aws.crossplane.io/v1beta1
+ data:
+ rules:
+ - verbs:
+ - "*"
+ apiGroups:
+ - "*"
+ resources:
+ - "*"
+ kind: Role
+ name: superuser
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - dev-*
+ name: role-per-namespace
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml
new file mode 100644
index 0000000000..8908257a95
--- /dev/null
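Review bot: policy-fail-2-ns-cluster-target.yaml names its ClusterPolicy `target-namespace-scope-pass-1`, the same name policy-pass-2-no-ns-cluster-target.yaml uses for a policy that is expected to be admitted, and policy-fail-1 carries a name copied from an unrelated test, `cpol-data-nosync-modify-rule-policy`. A rejected policy leaves nothing behind, so the collision is harmless today, but it makes the admission error in a failed run ambiguous, and if the rejection ever regressed the later apply would update the admitted object rather than create a second, distinguishable one. Suggest `name: target-namespace-scope-fail-1` and `name: target-namespace-scope-fail-2` so each fixture's name states its expected outcome.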
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: user-per-namespace-pass-2
+spec:
+ generateExistingOnPolicyUpdate: true
+ rules:
+ - generate:
+ apiVersion: rbac.authorization.k8s.io/v1
+ data:
+ rules:
+ - verbs:
+ - "*"
+ apiGroups:
+ - "*"
+ resources:
+ - "*"
+ kind: Role
+ name: superuser
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - dev-*
+ name: role-per-namespace
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml
new file mode 100644
index 0000000000..bd8c77fe62
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: target-namespace-scope-pass-1
+spec:
+ generateExistingOnPolicyUpdate: true
+ rules:
+ - generate:
+ apiVersion: iam.aws.crossplane.io/v1beta1
+ data:
+ rules:
+ - verbs:
+ - "*"
+ apiGroups:
+ - "*"
+ resources:
+ - "*"
+ kind: Role
+ name: superuser
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - dev-*
+ name: role-per-namespace
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml
new file mode 100644
index 0000000000..9474a233f4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml
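Review bot: policy-pass-1-ns-namespaced-target.yaml carries a `superuser` RBAC Role payload with `verbs`, `apiGroups` and `resources` all set to `"*"`, is admitted (it is a pass case), and sets `generateExistingOnPolicyUpdate: true`, so any `dev-*` namespace present in the test cluster would receive a wildcard Role; policy-pass-2 in the same hunk line uses the same payload. Only the presence or absence of `namespace` is under test, so a minimal rule such as `- verbs: ["get"]` / `apiGroups: [""]` / `resources: ["configmaps"]` proves the same thing without a privilege-escalation fixture that is easy to copy into real clusters. Chainsaw normally removes what it applied when the test ends, so the exposure is bounded, but it is still broader than the test needs.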
@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: expiration-for-policyexceptions
+ annotations:
+ policies.kyverno.io/title: Expiration for PolicyExceptions
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: PolicyException
+ kyverno.io/kyverno-version: 1.9.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/description: >-
+ In situations where Ops/Platform teams want to allow exceptions on a
+ temporary basis, there must be a way to remove the PolicyException once the
+ expiration time has been reached. After the exception is removed, the rule(s)
+ for which the exception is granted go back into full effect. This policy generates
+ a ClusterCleanupPolicy with a four hour expiration time after which the PolicyException
+ is deleted. It may be necessary to grant both the Kyverno as well as cleanup controller
+ ServiceAccounts additional permissions to operate this policy.
+spec:
+ rules:
+ - name: expire-four-hours
+ match:
+ any:
+ - resources:
+ kinds:
+ - PolicyException
+ generate:
+ apiVersion: kyverno.io/v2beta1
+ kind: ClusterCleanupPolicy
+ name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }}
+ synchronize: false
+ data:
+ metadata:
+ labels:
+ kyverno.io/automated: "true"
+ spec:
+ schedule: "{{ time_add('{{ time_now_utc() }}','4h') | time_to_cron(@) }}"
+ match:
+ any:
+ - resources:
+ kinds:
+ - PolicyException
+ namespaces:
+ - "{{ request.namespace }}"
+ names:
+ - "{{ request.object.metadata.name }}"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/cloneList/01-ns.yaml b/test/conformance/chainsaw/generate/validation/policy/cloneList/01-ns.yaml
new file mode 100644
index 0000000000..37fe3d1121
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/cloneList/01-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: target-scope-validation-fail-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/cloneList/02-check.yaml b/test/conformance/chainsaw/generate/validation/policy/cloneList/02-check.yaml
new file mode 100644
index 0000000000..dac64d3a80
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/cloneList/02-check.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy-pass.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-fail-1.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-fail-2.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-fail-3.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/cloneList/README.md b/test/conformance/chainsaw/generate/validation/policy/cloneList/README.md
new file mode 100644
index 0000000000..22c8a51c17
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/cloneList/README.md
@@ -0,0 +1,15 @@
+## Description
+
+This test validate clone sources scopes and the namespace settings.
+
+## Expected Behavior
+
+These tests checks:
+1. the mixed scoped of clone sources cannot be defined
+2. a namespace policy cannot clone a cluster-wide resource
+3. the clone source namespace must be set for a namespaced policy
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7801
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-fail-1.yaml b/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-fail-1.yaml
new file mode 100644
index 0000000000..08fb73fde4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-fail-1.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: target-scope-validation-fail-1
+ namespace: target-scope-validation-fail-ns
+spec:
+ rules:
+ - name: clone-multiple-basic-create-policy-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ServiceAccount
+ generate:
+ namespace: target-scope-validation-fail-ns
+ synchronize: true
+ cloneList:
+ namespace: target-scope-validation-fail-ns
+ # mixed scope of resources
+ kinds:
+ - v1/Secret
+ - rbac.authorization.k8s.io/v1/ClusterRole
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-fail-2.yaml b/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-fail-2.yaml
new file mode 100644
index 0000000000..7bfadd6806
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-fail-2.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: target-scope-validation-fail-2
+ namespace: target-scope-validation-fail-ns
+spec:
+ rules:
+ - name: clone-multiple-basic-create-policy-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ServiceAccount
+ generate:
+ namespace: target-scope-validation-fail-ns
+ synchronize: true
+ cloneList:
+ namespace: target-scope-validation-fail-ns
+ kinds:
+ # namespace policy cannot generate cluster scoped resources
+ - rbac.authorization.k8s.io/v1/ClusterRole
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-fail-3.yaml b/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-fail-3.yaml
new file mode 100644
index 0000000000..20de6dc89f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-fail-3.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: target-scope-validation-fail-3
+ namespace: target-scope-validation-fail-ns
+spec:
+ rules:
+ - name: clone-multiple-basic-create-policy-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ServiceAccount
+ generate:
+ namespace: target-scope-validation-fail-ns
+ synchronize: true
+ cloneList:
+ # missing namespace for npol
+ # namespace: target-scope-validation-fail-ns
+ kinds:
+ - v1/Secret
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-pass.yaml b/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-pass.yaml
new file mode 100644
index 0000000000..76bb87849f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/cloneList/policy-pass.yaml
@@ -0,0 +1,73 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: target-scope-validation-pass-1
+ namespace: target-scope-validation-fail-ns
+spec:
+ rules:
+ - name: clone-multiple-basic-create-policy-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ServiceAccount
+ generate:
+ namespace: target-scope-validation-fail-ns
+ synchronize: true
+ cloneList:
+ namespace: target-scope-validation-fail-ns
+ kinds:
+ - v1/Secret
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: target-scope-validation-pass-2
+ namespace: target-scope-validation-fail-ns
+spec:
+ rules:
+ - name: clone-multiple-basic-create-policy-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ServiceAccount
+ generate:
+ namespace: target-scope-validation-fail-ns
+ synchronize: true
+ cloneList:
+ namespace: target-scope-validation-fail-ns
+ kinds:
+ - v1/Secret
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: target-scope-validation-pass-3
+ namespace: target-scope-validation-fail-ns
+spec:
+ generateExisting: false
+ rules:
+ - name: sync-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ namespace: target-scope-validation-fail-ns
+ synchronize : true
+ cloneList:
+ namespace: target-scope-validation-fail-ns
+ kinds:
+ - v1/Secret
+ - v1/ConfigMap
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clone/01-policy.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/01-policy.yaml
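Review bot: The first two documents in cloneList/policy-pass.yaml are identical except for `metadata.name` (`target-scope-validation-pass-1` / `-pass-2`), so the second adds no coverage; if it was meant to exercise another admitted shape (a second kind, a different selector, or a source without an explicit group), that variant is missing rather than duplicated. The third document spells `synchronize : true` with a space before the colon; it parses, but yamllint's `colons` rule flags it and the rest of the file writes `synchronize: true`. The same spelling recurs in immutable-clonelist/policy.yaml, update-kinds.yaml, update-ns.yaml and update-selector.yaml.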
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clone/02-update.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/02-update.yaml
new file mode 100644
index 0000000000..6213c2864a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/02-update.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: update
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: update-namespace.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: update-name.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clone/README.md b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/README.md
new file mode 100644
index 0000000000..f1ba50a49e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that modification of the clone source defined in a generate Policy is disallowed.
+
+## Expected Behavior
+
+The test fails if the modification is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+6326
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clone/policy-ready.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/policy-ready.yaml
new file mode 100644
index 0000000000..ca0354c811
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: generate-update-clone
+ namespace: default
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clone/policy.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/policy.yaml
new file mode 100644
index 0000000000..800bc6d59d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: generate-update-clone
+ namespace: default
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: newregcred
+ namespace: default
+ synchronize: true
+ clone:
+ namespace: default
+ name: regcred
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clone/update-name.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/update-name.yaml
new file mode 100644
index 0000000000..bbcfb82075
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/update-name.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: generate-update-clone
+ namespace: default
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: default
+ synchronize: true
+ clone:
+ namespace: default
+ name: ichangethis
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clone/update-namespace.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/update-namespace.yaml
new file mode 100644
index 0000000000..848b485c50
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clone/update-namespace.yaml
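Review bot: immutable-clone/update-name.yaml differs from policy.yaml in two places, not one: besides `clone.name` changing from `regcred` to `ichangethis`, `generate.name` also changes from `newregcred` to `regcred`, and update-namespace.yaml in the next hunk makes the same `generate.name` change alongside its `clone.namespace` change. The downstream name is itself treated as immutable by the immutable-downstream test, so the `(error != null)` check in 02-update.yaml can be satisfied by the name change alone and the clone-source immutability this test is meant to prove is not isolated. Keep `name: newregcred` under `generate:` in both update fixtures so each differs from policy.yaml only in the clone field under test.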
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: generate-update-clone
+ namespace: default
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: default
+ synchronize: true
+ clone:
+ namespace: ichangethis
+ name: regcred
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/01-policy.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/02-update.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/02-update.yaml
new file mode 100644
index 0000000000..02fe0d69e0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/02-update.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: update
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: update-ns.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: update-kinds.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: update-selector.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/README.md b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/README.md
new file mode 100644
index 0000000000..b86f5bd62b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that modification of the cloneList source defined in a generate Policy is disallowed.
+
+## Expected Behavior
+
+The test fails if the modification is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+6326
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/policy-ready.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/policy-ready.yaml
new file mode 100644
index 0000000000..a46efabc07
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/policy-ready.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-clonelist
+ namespace: default
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/policy.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/policy.yaml
new file mode 100644
index 0000000000..e5b4787831
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/policy.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-clonelist
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: sync-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ namespace: default
+ synchronize : true
+ cloneList:
+ namespace: default
+ kinds:
+ - v1/Secret
+ - v1/ConfigMap
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/update-kinds.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/update-kinds.yaml
new file mode 100644
index 0000000000..62bc618921
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/update-kinds.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-clonelist
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: sync-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ namespace: default
+ synchronize : true
+ cloneList:
+ namespace: default
+ kinds:
+ - v1/Secret
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/update-ns.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/update-ns.yaml
new file mode 100644
index 0000000000..8681d01c05
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/update-ns.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-clonelist
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: sync-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ namespace: default
+ synchronize : true
+ cloneList:
+ namespace: update-clonelist-ns
+ kinds:
+ - v1/Secret
+ - v1/ConfigMap
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/update-selector.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/update-selector.yaml
new file mode 100644
index 0000000000..8ef1934da1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-clonelist/update-selector.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-clonelist
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: sync-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ -
+ generate:
+ namespace: default
+ synchronize : true
+ cloneList:
+ namespace: default
+ kinds:
+ - v1/Secret
+ - v1/ConfigMap
+ selector:
+ matchLabels:
+ foo: "bar"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/01-assert.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/01-assert.yaml
new file mode 100644
index 0000000000..6009c7396e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-downstream-rule
+ namespace: default
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/01-policy.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/01-policy.yaml
new file mode 100644
index 0000000000..6bc7f61054
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/01-policy.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-downstream-rule
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: default
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
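Review bot: update-selector.yaml has an empty sequence item under `match.any[0].resources.kinds` (a bare `-` with no value), which YAML parses as `kinds: [null]`. The apply is then likely to be rejected for an invalid match block rather than for the changed `cloneList.selector`, so the step no longer demonstrates that the selector is immutable. Restore `- ConfigMap` as in policy.yaml so that the selector change (`foo: "bar"` versus `allowedToBeCloned: "true"`) is the only difference from the baseline.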
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/02-update.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/02-update.yaml
new file mode 100644
index 0000000000..4861d6a93e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/02-update.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: update
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: update-name.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: update-apiversion.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: update-namespace.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: update-kind.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/README.md b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/README.md
new file mode 100644
index 0000000000..52253577e3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that modification of the downstream resource defined in a generate Policy is disallowed.
+
+## Expected Behavior
+
+The test fails if the modification is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+6326
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-apiversion.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-apiversion.yaml
new file mode 100644
index 0000000000..024c5822a0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-apiversion.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-downstream-rule
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ synchronize: true
+ apiVersion: v2beta1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: default
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-kind.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-kind.yaml
new file mode 100644
index 0000000000..ca97e5bf2b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-kind.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-downstream-rule
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: Secret
+ name: zk-kafka-address
+ namespace: default
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-name.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-name.yaml
new file mode 100644
index 0000000000..442bff6e88
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-name.yaml
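Review bot: Each of the four immutable-downstream update fixtures changes the match kind from `Secret` (as in 01-policy.yaml) to `ConfigMap` in addition to the downstream field it is named for — here `generate.apiVersion` in update-apiversion.yaml, and likewise in update-kind.yaml, update-name.yaml and update-namespace.yaml. Because a match change is itself expected to be rejected (immutable-rule-spec/update-rule-match.yaml asserts exactly that), the `(error != null): true` checks in 02-update.yaml would pass even if downstream-field immutability were not enforced. Restore `- Secret` under `match.any[0].resources.kinds` in all four files so that each step differs from the baseline by exactly one field. If chainsaw's `check` allows it, asserting on the error text for the specific field would make the negative test tighter still.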
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-downstream-rule
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: i-changed-this
+ namespace: default
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-namespace.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-namespace.yaml
new file mode 100644
index 0000000000..5df8e89d4b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-downstream/update-namespace.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-downstream-rule
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: ichangedthis
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/01-assert.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/01-assert.yaml
new file mode 100644
index 0000000000..0bc6b8b3b1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/01-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-rule-spec
+ namespace: default
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/01-policy.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/01-policy.yaml
new file mode 100644
index 0000000000..4edac1d0e7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/01-policy.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-rule-spec
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - NetworkPolicy
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: default
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/02-update.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/02-update.yaml
new file mode 100644
index 0000000000..613f58950f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/02-update.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: update
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: update-rule-name.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: update-rule-match.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: update-rule-exclude.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: update-rule-preconditions.yaml
+ - apply:
+ file: update-rule-generate-synchronize.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/README.md b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/README.md
new file mode 100644
index 0000000000..974cfe8432
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that modification of the rule spec fields defined in a generate Policy is disallowed except `spec.generate.synchronize`.
+
+## Expected Behavior
+
+The test fails if the modification is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6440
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-exclude.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-exclude.yaml
new file mode 100644
index 0000000000..1fb8cdb6b8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-exclude.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-rule-spec
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - NetworkPolicy
+ names:
+ - test
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: default
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-generate-synchronize.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-generate-synchronize.yaml
new file mode 100644
index 0000000000..9388f2082e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-generate-synchronize.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-rule-spec
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - NetworkPolicy
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: default
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-match.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-match.yaml
new file mode 100644
index 0000000000..953dc3aeb7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-match.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-rule-spec
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ - ServiceAccount
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - NetworkPolicy
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: default
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-name.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-name.yaml
new file mode 100644
index 0000000000..23028fd9c9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-name.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-rule-spec
+ namespace: default
+spec:
+ generateExisting: false
+ rules:
+ - name: i-changed-this
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - NetworkPolicy
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: default
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-preconditions.yaml b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-preconditions.yaml
new file mode 100644
index 0000000000..c8705c8edc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/immutable-rule-spec/update-rule-preconditions.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: generate-update-rule-spec
+ namespace: default
+spec:
+ admission: true
+ background: true
+ rules:
+ - exclude:
+ any:
+ - resources:
+ kinds:
+ - NetworkPolicy
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: default
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ name: k-kafka-address
+ preconditions:
+ all:
+ - key: '{{request.operation}}'
+ operator: NotEquals
+ value: DELETE
+ validationFailureAction: Audit
diff --git a/test/conformance/chainsaw/generate/validation/policy/permissions/01-ns.yaml b/test/conformance/chainsaw/generate/validation/policy/permissions/01-ns.yaml
new file mode 100644
index 0000000000..1b823288de
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/permissions/01-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-validate-create-sa-permission-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/permissions/02-fail-no-permission.yaml b/test/conformance/chainsaw/generate/validation/policy/permissions/02-fail-no-permission.yaml
new file mode 100644
index 0000000000..241f77887c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/permissions/02-fail-no-permission.yaml
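Review bot: update-rule-preconditions.yaml differs from 01-policy.yaml in more than the `preconditions` block it is named for: it adds `admission: true`, `background: true` and `validationFailureAction: Audit`, drops `generateExisting: false`, reorders every key and leaves the `KAFKA_ADDRESS`/`ZK_ADDRESS` values unquoted where the sibling fixtures quote them, which looks like a server-side dump rather than a hand-edited copy. If any of the added fields is not the server default, the `(error != null): true` check in 02-update.yaml may be satisfied by that difference rather than by the preconditions change. Rewrite the file as a copy of 01-policy.yaml plus only the `preconditions:` stanza, keeping the quoted address strings so that the fixture set stays uniform.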
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: fail-no-permission
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/permissions/03-clusterrole.yaml b/test/conformance/chainsaw/generate/validation/policy/permissions/03-clusterrole.yaml
new file mode 100644
index 0000000000..b7cc486047
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/permissions/03-clusterrole.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:background-controller:temp
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - get
+ - list
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/permissions/04-pass.yaml b/test/conformance/chainsaw/generate/validation/policy/permissions/04-pass.yaml
new file mode 100644
index 0000000000..a6fe7e06e5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/permissions/04-pass.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pass
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/permissions/README.md b/test/conformance/chainsaw/generate/validation/policy/permissions/README.md
new file mode 100644
index 0000000000..574d53f793
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/permissions/README.md
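Review bot: 03-clusterrole.yaml grants the `serviceaccounts` verbs under `apiGroups: ['*']`, but ServiceAccounts exist only in the core API group, so `- ""` is sufficient and keeps this temporary grant at least privilege. The `app.kubernetes.io/*` labels presumably make the rule get aggregated into the background controller's ClusterRole, yet there is no step removing `kyverno:background-controller:temp` afterwards (compare target-namespace-scope/03-delete.yaml, which explicitly deletes its cluster-scoped fixture); unless chainsaw's automatic cleanup covers it, the permission outlives this test and could mask the negative case of other permission tests run in the same cluster. The file also lacks a trailing newline, unlike the TestStep files next to it.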
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that a generate policy is denied when it does not have corresponding permissions to generate the downstream resource.
+
+## Expected Behavior
+
+The test fails if the policy creation is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6584
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/permissions/policy-assert.yaml b/test/conformance/chainsaw/generate/validation/policy/permissions/policy-assert.yaml
new file mode 100644
index 0000000000..69ca221c0c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/permissions/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-validate-create-sa-permission
+ namespace: pol-validate-create-sa-permission-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/permissions/policy.yaml b/test/conformance/chainsaw/generate/validation/policy/permissions/policy.yaml
new file mode 100644
index 0000000000..6040a9e027
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/permissions/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-validate-create-sa-permission
+ namespace: pol-validate-create-sa-permission-ns
+spec:
+ rules:
+ - name: clone-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ generate:
+ apiVersion: v1
+ kind: ServiceAccount
+ name: cpol-validate-create-sa-permission-sa
+ namespace: pol-validate-create-sa-permission-ns
+ synchronize: true
+ clone:
+ namespace: pol-validate-create-sa-permission-ns
+ name: regcred
\ No newline at end of file
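Review bot: In permissions/policy.yaml the rule is named `clone-secret` although it generates a `ServiceAccount` from a clone source named `regcred`, and the generated name carries a `cpol-` prefix on a namespaced `Policy` whose own name and namespace use `pol-`. The fixture is only exercised for admission, so this does not affect the outcome, but `name: clone-serviceaccount` and `name: pol-validate-create-sa-permission-sa` would keep the test self-describing and consistent with 01-ns.yaml and policy-assert.yaml. This file and policy-assert.yaml also lack a trailing newline.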
diff --git a/test/conformance/chainsaw/generate/validation/policy/prevent-loop/01-ns.yaml b/test/conformance/chainsaw/generate/validation/policy/prevent-loop/01-ns.yaml
new file mode 100644
index 0000000000..d30f4dab16
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/prevent-loop/01-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-generate-prevent-loop-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/prevent-loop/02-pass.yaml b/test/conformance/chainsaw/generate/validation/policy/prevent-loop/02-pass.yaml
new file mode 100644
index 0000000000..4d18430c4e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/prevent-loop/02-pass.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pass
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/generate/validation/policy/prevent-loop/README.md b/test/conformance/chainsaw/generate/validation/policy/prevent-loop/README.md
new file mode 100644
index 0000000000..de89752734
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/prevent-loop/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that a generate policy is allowed to have the same kind defined in the trigger and the target resources. The flag `--backgroundServiceAccountName` was added to prevent endless loop.
+
+## Expected Behavior
+
+The test passes if the policy creation is allowed, otherwise fails.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7280
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/prevent-loop/policy.yaml b/test/conformance/chainsaw/generate/validation/policy/prevent-loop/policy.yaml
new file mode 100644
index 0000000000..a2a6616560
--- /dev/null
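Review bot: prevent-loop/02-pass.yaml only applies policy.yaml and checks nothing further, so the step proves admission of a ConfigMap-to-ConfigMap generate rule but not that the policy becomes usable or that no generation loop occurs, which is what the README and the test name suggest. At minimum add an `- assert:` step on a Ready condition like permissions/04-pass.yaml does (`- assert:` / `file: policy-assert.yaml`, with a matching assert fixture); actually exercising loop prevention would additionally need a trigger ConfigMap and an assertion bounding the number of generated resources. If this test is intentionally admission-only, the README's first sentence already says so and the name could reflect that.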
+++ b/test/conformance/chainsaw/generate/validation/policy/prevent-loop/policy.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-generate-prevent-loop
+ namespace: pol-generate-prevent-loop-ns
+spec:
+ rules:
+ - name: pol-generate-prevent-loop
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ operations:
+ - CREATE
+ generate:
+ apiVersion: v1
+ kind: ConfigMap
+ name: corp-{{ random('[0-9a-z]{8}') }}
+ namespace: pol-generate-prevent-loop-ns
+ synchronize: false
+ data:
+ data:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/01-crd.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/01-crd.yaml
new file mode 100644
index 0000000000..7b4fcae4f4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/01-crd.yaml
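Review bot: `name: corp-{{ random('[0-9a-z]{8}') }}` in prevent-loop/policy.yaml is a plain scalar containing `{`, `[` and single quotes; it parses as a string in block context, but templated values are conventionally quoted so that editors and reformatters do not treat the braces as a flow mapping and so the intent is explicit: `name: "corp-{{ random('[0-9a-z]{8}') }}"`. The file also lacks a trailing newline, as do 01-ns.yaml and README.md in the same directory.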
@@ -0,0 +1,234 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: roles.iam.aws.crossplane.io +spec: + group: iam.aws.crossplane.io + names: + categories: + - crossplane + - managed + - aws + kind: Role + listKind: RoleList + plural: roles + shortNames: + - iamrole + singular: role + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: An Role is a managed resource that represents an AWS IAM Role. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: An RoleSpec defines the desired state of an Role. + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. + enum: + - Orphan + - Delete + type: string + forProvider: + description: RoleParameters define the desired state of an AWS IAM + Role. 
+ properties: + assumeRolePolicyDocument: + description: AssumeRolePolicyDocument is the the trust relationship + policy document that grants an entity permission to assume the + role. + type: string + description: + description: Description is a description of the role. + type: string + maxSessionDuration: + description: 'MaxSessionDuration is the duration (in seconds) + that you want to set for the specified role. The default maximum + of one hour is applied. This setting can have a value from 1 + hour to 12 hours. Default: 3600' + format: int32 + type: integer + path: + description: 'Path is the path to the role. Default: /' + type: string + permissionsBoundary: + description: PermissionsBoundary is the ARN of the policy that + is used to set the permissions boundary for the role. + type: string + tags: + description: Tags. For more information about tagging, see Tagging + IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + items: + description: Tag represents user-provided metadata that can + be associated with a IAM role. For more information about + tagging, see Tagging IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) + in the IAM User Guide. + properties: + key: + description: The key name that can be used to look up or + retrieve the associated value. For example, Department + or Cost Center are common choices. + type: string + value: + description: "The value associated with this tag. For example, + tags with a key name of Department could have values such + as Human Resources, Accounting, and Support. Tags with + a key name of Cost Center might have values that consist + of the number associated with the different cost centers + in your company. Typically, many resources have tags with + the same key name but with different values. \n AWS always + interprets the tag Value as a single string. 
If you need + to store an array, you can store comma-separated values + in the string. However, you must interpret the value in + your code." + type: string + required: + - key + type: object + type: array + required: + - assumeRolePolicyDocument + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: An RoleStatus represents the observed state of an Role. + properties: + atProvider: + description: RoleExternalStatus keeps the state for the external resource + properties: + arn: + description: ARN is the Amazon Resource Name (ARN) specifying + the role. For more information about ARNs and how to use them + in policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the IAM User Guide guide. 
+ type: string + roleID: + description: RoleID is the stable and unique string identifying + the role. For more information about IDs, see IAM Identifiers + (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) + in the Using IAM guide. + type: string + required: + - arn + - roleID + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: + - v1beta1 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/02-check.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/02-check.yaml new file mode 100644 index 0000000000..ac2c3c9fa7 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/02-check.yaml 
@@ -0,0 +1,27 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - apply: + file: policy-pass.yaml + - apply: + check: + (error != null): true + file: policy-fail-0.yaml + - apply: + check: + (error != null): true + file: policy-fail-1.yaml + - apply: + check: + (error != null): true + file: policy-fail-2.yaml + - apply: + check: + (error != null): true + file: policy-fail-3.yaml diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/03-delete.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/03-delete.yaml new file mode 100644 index 0000000000..8afa2edc7f --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/03-delete.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete +spec: + timeouts: {} + try: + - delete: + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + name: roles.iam.aws.crossplane.io diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/README.md b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/README.md new file mode 100644 index 0000000000..2b6df7311d --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/README.md @@ -0,0 +1,12 @@ +## Description + +This test ensures that the target namespace must be set for the namespaced policy. + +## Expected Behavior + +The test fails if the policy creation is allowed, otherwise passes. + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7038 \ No newline at end of file 
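Review bot: Each `check: (error != null): true` in 02-check.yaml passes on any apply failure, so a fail fixture rejected for an unrelated reason (a schema error, a missing CRD for policy-fail-1, an unready webhook) still counts as success and the target-namespace rule is never actually exercised. Chainsaw's `check` is a JMESPath assertion over the step result, so the error text can be pinned too, e.g. `(contains(error, 'namespace')): true`, substituting whatever substring the Kyverno validation actually emits (not visible here). With four fail fixtures that each differ from policy-pass.yaml in more than one property, pinning the message is what keeps the cases meaningful.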
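Review bot: The `delete` of CustomResourceDefinition `roles.iam.aws.crossplane.io` in 03-delete.yaml cascades to every Role object of that group in the cluster, so the step is destructive on any cluster that actually runs Crossplane provider-aws rather than a disposable kind cluster. Since the fixture only needs a cluster-scoped kind as a generate target, a test-specific CRD group would avoid both that blast radius and collisions with an installed provider. If the conformance suite is documented as disposable-cluster-only this is acceptable, but the assumption should be stated in the step, e.g. `# removes every Role.iam.aws.crossplane.io in the cluster; only safe on a throwaway test cluster`.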
diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-0.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-0.yaml new file mode 100644 index 0000000000..9bb8bc2870 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-0.yaml @@ -0,0 +1,18 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: pol-cluster-target +spec: + generateExisting: false + rules: + - name: pol-cluster-target + match: + any: + - resources: + kinds: + - ConfigMap + generate: + synchronize: false + apiVersion: v1 + kind: Secret + name: cpol-cluster-target-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml new file mode 100644 index 0000000000..2291bdd1aa --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: pol-target-namespace-scope-fail-1 + namespace: default +spec: + generateExistingOnPolicyUpdate: true + rules: + - generate: + apiVersion: iam.aws.crossplane.io/v1beta1 + data: + rules: + - verbs: + - "*" + apiGroups: + - "*" + resources: + - "*" + kind: Role + name: superuser + namespace: default + synchronize: true + match: + any: + - resources: + kinds: + - Secret + names: + - dev-* + name: role-per-namespace diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml new file mode 100644 index 0000000000..81d76143de --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml 
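Review bot: policy-fail-0.yaml differs from policy-pass.yaml in several properties at once — no `metadata.namespace`, `generateExisting` instead of `generateExistingOnPolicyUpdate`, a ConfigMap match instead of the `dev-*` Secret match, a Secret target instead of a Role — so it is unclear which one the rejection is meant to come from, and the README only says the target namespace must be set. A fail fixture should be the pass fixture with exactly the property under test removed, here the `namespace` under `generate`. The `cpol-` prefix in `name: cpol-cluster-target-ns` also reads as a copy from a ClusterPolicy case; a rule name such as `missing-target-namespace` would document the intent.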
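Review bot: policy-fail-1.yaml never states why it should be rejected: the target is an `iam.aws.crossplane.io/v1beta1` Role (presumably cluster-scoped, but the CRD's `scope` field is outside this view) while `data.rules` is an RBAC rules block that the `spec.forProvider` schema shown in the CRD hunk above does not accept. If the case is meant to show that a namespaced Policy cannot generate a cluster-scoped kind, a rule comment such as `# must be rejected: namespaced Policy generating a cluster-scoped target` and a `data` payload matching the target schema would keep the fixture from passing for the wrong reason. Pinning the error text in 02-check.yaml would settle which reason actually fires.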
@@ -0,0 +1,31 @@ +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: pol-target-namespace-scope-fail-2 + namespace: default +spec: + generateExistingOnPolicyUpdate: true + rules: + - generate: + apiVersion: rbac.authorization.k8s.io/v1 + data: + rules: + - verbs: + - "*" + apiGroups: + - "*" + resources: + - "*" + kind: Role + name: superuser + namespace: "{{request.object.metadata.name}}" + synchronize: true + match: + any: + - resources: + kinds: + - Secret + names: + - dev-* + name: role-per-namespace diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml new file mode 100644 index 0000000000..41c369ce2d --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: pol-target-namespace-scope-fail-3 + namespace: default +spec: + generateExistingOnPolicyUpdate: true + rules: + - generate: + apiVersion: rbac.authorization.k8s.io/v1 + data: + rules: + - verbs: + - "*" + apiGroups: + - "*" + resources: + - "*" + kind: Role + name: superuser + namespace: test + synchronize: true + match: + any: + - resources: + kinds: + - Secret + names: + - dev-* + name: role-per-namespace \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml new file mode 100644 index 0000000000..ec0d97e11c --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml 
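Review bot: policy-fail-3.yaml is the privilege-escalation case this test exists for — a Policy in `default` generating a Role with `verbs/apiGroups/resources: "*"` into `namespace: test` — yet neither the fixture nor the README names it as such, and 02-check.yaml only requires that the apply errors. A comment on the rule, e.g. `# must be rejected: a namespaced Policy may only generate into its own namespace`, plus an error-text assertion would make a regression visible instead of letting the case pass on any other failure. policy-fail-2.yaml covers the same vector with `namespace: "{{request.object.metadata.name}}"`; since the match is on Secret names, the resolved namespace would be a Secret's name, which is a reasonable way to exercise a variable target but deserves the same comment.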
@@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: user-per-namespace-pass + namespace: default +spec: + generateExistingOnPolicyUpdate: true + rules: + - generate: + apiVersion: rbac.authorization.k8s.io/v1 + data: + rules: + - verbs: + - "*" + apiGroups: + - "*" + resources: + - "*" + kind: Role + name: superuser + namespace: default + synchronize: true + match: + any: + - resources: + kinds: + - Secret + names: + - dev-* + name: role-per-namespace diff --git a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/01-policy.yaml b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/01-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/02-configmap.yaml b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/02-configmap.yaml new file mode 100644 index 0000000000..20376f5967 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/02-configmap.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: configmap +spec: + timeouts: {} + try: + - apply: + file: configmap.yaml + - assert: + file: configmap-assert.yaml diff --git a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/README.md b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/README.md new file mode 100644 index 0000000000..61c6284e8c --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/README.md 
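Review bot: policy-pass.yaml uses `generateExistingOnPolicyUpdate: true` while policy-fail-0.yaml uses `generateExisting`; if this Kyverno version treats the former as deprecated (newer releases do, as far as I know, but that is not visible here), the pass fixture should use the current field so a future removal does not turn the pass case into a rejection and silently invert the test. The `rules: "*"` Role generated on any `dev-*` Secret is acceptable for a fixture but worth a comment that the breadth is deliberate, e.g. `# wildcard Role is intentional: the test is about target-namespace scope, not RBAC content`.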
@@ -0,0 +1,9 @@ +## Description + +This test creates a policy with two mutation rules. +The second rule depends on the mutation in the first rule. +To succeed, the changes in the first mutation rule need to cascade correctly to get the second rule to execute correctly. + +## Related issue + +https://github.com/kyverno/kyverno/issues/6210 diff --git a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/configmap-assert.yaml b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/configmap-assert.yaml new file mode 100644 index 0000000000..2edf1170b2 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/configmap-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm + annotations: + mutation1: '1' + mutation2: 'found mutation1: 1' diff --git a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/configmap.yaml b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/configmap.yaml new file mode 100644 index 0000000000..0b8bf83e62 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/configmap.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm diff --git a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy-assert.yaml b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy-assert.yaml new file mode 100644 index 0000000000..607796aab5 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-chain +status: + conditions: + - reason: Succeeded + status: 'True' + type: Ready diff --git a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml new file mode 100644 index 0000000000..d94cbeb7f8 --- /dev/null 
+++ b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml @@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-chain +spec: + background: false + validationFailureAction: Enforce + rules: + - name: mutation1 + match: + all: + - resources: + kinds: + - v1/ConfigMap + mutate: + foreach: + - list: "['dummy']" + patchStrategicMerge: + metadata: + annotations: + # value is a counter in case K8s decides for multiple mutation rounds + mutation1: "{{ not_null(request.object.metadata.annotations.mutation1, '0') | add(@, '1') }}" + - name: mutation2 + match: + all: + - resources: + kinds: + - v1/ConfigMap + mutate: + patchStrategicMerge: + metadata: + annotations: + mutation2: "found mutation1: {{ request.object.metadata.annotations.mutation1 || '' }}" diff --git a/test/conformance/chainsaw/mutate/cascading/no-foreach/01-policy.yaml b/test/conformance/chainsaw/mutate/cascading/no-foreach/01-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/no-foreach/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/mutate/cascading/no-foreach/02-configmap.yaml b/test/conformance/chainsaw/mutate/cascading/no-foreach/02-configmap.yaml new file mode 100644 index 0000000000..20376f5967 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/no-foreach/02-configmap.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: configmap +spec: + timeouts: {} + try: + - apply: + file: configmap.yaml + - assert: + file: configmap-assert.yaml 
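Review bot: The comment on `mutation1` says the value is a counter for the case where the API server runs several mutation rounds, but configmap-assert.yaml pins `mutation1: '1'` and `mutation2: 'found mutation1: 1'`, so a second round would fail the test rather than be tolerated; either the comment overstates the tolerance or the assertion should allow the higher count. `add(@, '1')` also feeds two string operands into `add`, relying on Kyverno parsing them as quantities to produce `1`; saying so in the comment, e.g. `# string operands: Kyverno's add() parses '0'/'1' as quantities`, would make the expected `'1'` less surprising. The `foreach` over `"['dummy']"` is clearly there only to route `mutation1` through the foreach code path and deserves a one-line comment so nobody simplifies it away.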
diff --git a/test/conformance/chainsaw/mutate/cascading/no-foreach/README.md b/test/conformance/chainsaw/mutate/cascading/no-foreach/README.md new file mode 100644 index 0000000000..61c6284e8c --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/no-foreach/README.md @@ -0,0 +1,9 @@ +## Description + +This test creates a policy with two mutation rules. +The second rule depends on the mutation in the first rule. +To succeed, the changes in the first mutation rule need to cascade correctly to get the second rule to execute correctly. + +## Related issue + +https://github.com/kyverno/kyverno/issues/6210 diff --git a/test/conformance/chainsaw/mutate/cascading/no-foreach/configmap-assert.yaml b/test/conformance/chainsaw/mutate/cascading/no-foreach/configmap-assert.yaml new file mode 100644 index 0000000000..2edf1170b2 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/no-foreach/configmap-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm + annotations: + mutation1: '1' + mutation2: 'found mutation1: 1' diff --git a/test/conformance/chainsaw/mutate/cascading/no-foreach/configmap.yaml b/test/conformance/chainsaw/mutate/cascading/no-foreach/configmap.yaml new file mode 100644 index 0000000000..0b8bf83e62 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/no-foreach/configmap.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm diff --git a/test/conformance/chainsaw/mutate/cascading/no-foreach/policy-assert.yaml b/test/conformance/chainsaw/mutate/cascading/no-foreach/policy-assert.yaml new file mode 100644 index 0000000000..607796aab5 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/no-foreach/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-chain +status: + conditions: + - reason: Succeeded + status: 'True' + type: Ready 
diff --git a/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml b/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml new file mode 100644 index 0000000000..69baa7b93b --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-chain +spec: + background: false + validationFailureAction: Enforce + rules: + - name: mutation1 + match: + all: + - resources: + kinds: + - v1/ConfigMap + mutate: + patchStrategicMerge: + metadata: + annotations: + # value is a counter in case K8s decides for multiple mutation rounds + mutation1: "{{ not_null(request.object.metadata.annotations.mutation1, '0') | add(@, '1') }}" + - name: mutation2 + match: + all: + - resources: + kinds: + - v1/ConfigMap + mutate: + patchStrategicMerge: + metadata: + annotations: + mutation2: "found mutation1: {{ request.object.metadata.annotations.mutation1 || '' }}" diff --git a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/01-policy.yaml b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/01-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/02-configmap.yaml b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/02-configmap.yaml new file mode 100644 index 0000000000..20376f5967 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/02-configmap.yaml 
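Review bot: `validationFailureAction: Enforce` on this policy has no effect, since the field governs validate rules and both rules here are mutations; dropping it avoids implying the mutation is somehow enforced. `background: false` is correct because both patches read `request.object`, which does not exist in background scans — a short comment such as `# background: false — patches reference request.object` would explain the otherwise unmotivated setting. The same mismatch between the `mutation1` counter comment and the fixed `'1'` in configmap-assert.yaml applies here as in the foreach variant.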
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: configmap +spec: + timeouts: {} + try: + - apply: + file: configmap.yaml + - assert: + file: configmap-assert.yaml diff --git a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/README.md b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/README.md new file mode 100644 index 0000000000..61c6284e8c --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/README.md @@ -0,0 +1,9 @@ +## Description + +This test creates a policy with two mutation rules. +The second rule depends on the mutation in the first rule. +To succeed, the changes in the first mutation rule need to cascade correctly to get the second rule to execute correctly. + +## Related issue + +https://github.com/kyverno/kyverno/issues/6210 diff --git a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/configmap-assert.yaml b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/configmap-assert.yaml new file mode 100644 index 0000000000..2edf1170b2 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/configmap-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm + annotations: + mutation1: '1' + mutation2: 'found mutation1: 1' diff --git a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/configmap.yaml b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/configmap.yaml new file mode 100644 index 0000000000..0b8bf83e62 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/configmap.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm diff --git a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy-assert.yaml b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy-assert.yaml new file mode 100644 index 0000000000..607796aab5 --- /dev/null 
+++ b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-chain +status: + conditions: + - reason: Succeeded + status: 'True' + type: Ready diff --git a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml new file mode 100644 index 0000000000..11d393a9c8 --- /dev/null +++ b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-chain +spec: + background: false + validationFailureAction: Enforce + rules: + - name: mutation1 + match: + all: + - resources: + kinds: + - v1/ConfigMap + mutate: + foreach: + - list: "['dummy']" + patchStrategicMerge: + metadata: + annotations: + # value is a counter in case K8s decides for multiple mutation rounds + mutation1: "{{ not_null(request.object.metadata.annotations.mutation1, '0') | add(@, '1') }}" + - name: mutation2 + match: + all: + - resources: + kinds: + - v1/ConfigMap + mutate: + foreach: + - list: "['dummy']" + patchStrategicMerge: + metadata: + annotations: + mutation2: "found mutation1: {{ request.object.metadata.annotations.mutation1 || '' }}" diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/01-policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml 
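Review bot: This is the third test under `mutate/cascading` that creates a ClusterPolicy named `mutate-chain`; ClusterPolicy is cluster-scoped, so if this suite ever runs chainsaw tests in parallel the three steps create, assert on and delete the same object, and policy-assert.yaml can pass against a sibling test's copy. Giving each policy a test-specific name, e.g. `name: mutate-chain-two-foreach`, and updating the matching policy-assert.yaml removes the collision. The `foreach` over `"['dummy']"` on both rules exists only to exercise the foreach path on each side of the cascade; a one-line comment saying so would keep it from being simplified away.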
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/02-resource.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/02-resource.yaml new file mode 100644 index 0000000000..b0ba0d3b42 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: resource.yaml + - assert: + file: resource-mutated.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/README.md new file mode 100644 index 0000000000..4fafeed94c --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that cascading mutation (a combined mutation resulting from two or more rules which have a dependency) with strategic merge patches results in correct output. + +## Expected Behavior + +If the Cassandra Pod has labels `type=database` and `backup-needed="yes"` assigned, the test passes. If it is missing either one, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/policy-ready.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/policy-ready.yaml new file mode 100644 index 0000000000..ec1d9487fa --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: database-protection +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/policy.yaml new file mode 100644 index 0000000000..93276fc3dc --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/policy.yaml @@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: database-protection +spec: + rules: + - name: assign-type-database + match: + any: + - resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + metadata: + labels: + type: database + spec: + (containers): + - (image): "*cassandra* | *mongo*" + - name: assign-backup-database + match: + any: + - resources: + kinds: + - Pod + selector: + matchLabels: + type: database + mutate: + patchStrategicMerge: + metadata: + labels: + +(backup-needed): "yes" diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/resource-mutated.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/resource-mutated.yaml new file mode 100644 index 0000000000..569814bf7c --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/resource-mutated.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + backup-needed: "yes" + type: database + name: cassandra + namespace: default +spec: + containers: + - image: cassandra:latest + imagePullPolicy: Always + name: cassandra \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/resource.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/resource.yaml new file mode 100644 index 0000000000..b514a04eeb --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/cascading-mutation/resource.yaml 
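Review bot: `(image): "*cassandra* | *mongo*"` classifies a Pod as a database by substring anywhere in the image reference, so an image like `registry.example/cassandra-tools:1`, or any reference whose registry host contains the word, also receives `type: database` and then `backup-needed: "yes"`; if this fixture mirrors a real `database-protection` policy, the anchor should match on the repository path rather than a bare `*…*` glob. As a corner-case fixture the loose pattern is fine, but a comment stating it is deliberate would stop it being copied as-is. The second rule's `selector.matchLabels: type: database` depends on the first rule's patch being visible at match time, which is the cascade under test and is worth naming in a comment on `assign-backup-database`.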
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: cassandra + namespace: default +spec: + containers: + - image: cassandra:latest + imagePullPolicy: Always + name: cassandra \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/01-assert.yaml new file mode 100644 index 0000000000..8150b81d4c --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: propagate-cost-labels-from-namespace +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/01-manifests.yaml new file mode 100644 index 0000000000..01f9296295 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/01-manifests.yaml @@ -0,0 +1,29 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: propagate-cost-labels-from-namespace +spec: + failurePolicy: Fail + rules: + - name: add-cost-labels + context: + - name: namespaceLabels + apiCall: + urlPath: "/api/v1/namespaces/{{request.namespace}}" + jmesPath: metadata.labels + match: + any: + - resources: + kinds: + - Pod + - Deployment + - StatefulSet + - DaemonSet + - Job + - CronJob + mutate: + patchStrategicMerge: + metadata: + labels: + cost.starfleet.evtech/project: "{{namespaceLabels.\"cost.starfleet.evtech/project\"}}" + cost.starfleet.evtech/application: "{{request.object.metadata.labels.\"cost.starfleet.evtech/application\" || namespaceLabels.\"cost.starfleet.evtech/application\"}}" 
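Review bot: Every admission of a Pod, Deployment, StatefulSet, DaemonSet, Job or CronJob now performs an `apiCall` to `/api/v1/namespaces/{{request.namespace}}` under `failurePolicy: Fail`, so an API-server slowdown or a namespace without the cost labels blocks workload creation cluster-wide — which is exactly what the first half of this test asserts, but the fixture should say so. A comment such as `# failurePolicy: Fail is intentional: the test expects admission to be denied when the namespace labels are absent` would keep the behaviour from being read as a bug by the next person who copies the policy. Note also that this ClusterPolicy is only removed by 99-cleanup.yaml, which as an ordinary numbered step does not run if an intermediate step fails.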
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/02-script.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/02-script.yaml new file mode 100644 index 0000000000..a80449c757 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/02-script.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script +spec: + timeouts: {} + try: + - script: + content: "if kubectl apply -f resource.yaml\nthen \n echo \"Tested failed. + Resource was allowed.\"\n exit 1 \nelse \n echo \"Test succeeded. Resource + was blocked.\"\n exit 0\nfi\n" diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/03-errors.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/03-errors.yaml new file mode 100644 index 0000000000..d321f81e98 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/03-errors.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/04-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/04-manifests.yaml new file mode 100644 index 0000000000..11013d6d91 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/04-manifests.yaml 
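Review bot: The script step only checks the exit status of `kubectl apply -f resource.yaml`, so any failure — a bad kubeconfig, a manifest typo, a webhook that is not ready yet — is reported as `Test succeeded. Resource was blocked.`; the other branch's message also has a typo, `Tested failed.`. The neighbouring target-namespace-scope test uses chainsaw's native `apply` with a `check` on `error`, which is the consistent way to express this and lets the denial text be asserted, e.g. `check: (contains(error, 'propagate-cost-labels-from-namespace')): true` with whatever substring the denial actually carries. If the script is kept, a `content: |` block scalar would make the `\n` escapes readable.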
@@ -0,0 +1,29 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: propagate-cost-labels-from-namespace +spec: + failurePolicy: Fail + rules: + - name: add-cost-labels + context: + - name: namespaceLabels + apiCall: + urlPath: "/api/v1/namespaces/{{request.namespace}}" + jmesPath: metadata.labels + match: + any: + - resources: + kinds: + - Pod + - Deployment + - StatefulSet + - DaemonSet + - Job + - CronJob + mutate: + patchStrategicMerge: + metadata: + labels: + cost.starfleet.evtech/project: "{{namespaceLabels.\"cost.starfleet.evtech/project\" || 'empty'}}" + cost.starfleet.evtech/application: "{{request.object.metadata.labels.\"cost.starfleet.evtech/application\" || namespaceLabels.\"cost.starfleet.evtech/application\" || 'empty'}}" diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/05-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/05-assert.yaml new file mode 100644 index 0000000000..067b6d0ef6 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/05-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver + labels: + cost.starfleet.evtech/project: empty + cost.starfleet.evtech/application: empty diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/05-pod.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/05-pod.yaml new file mode 100644 index 0000000000..e3c498af49 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/05-pod.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 80 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/99-cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/99-cleanup.yaml new file mode 100644 index 0000000000..acf6b4a6dd --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/99-cleanup.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - -f + - 01-manifests.yaml,resource.yaml,05-pod.yaml + - --force + - --wait=true + - --ignore-not-found=true + entrypoint: kubectl diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/README.md new file mode 100644 index 0000000000..6d5d9f3cca --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/README.md @@ -0,0 +1,13 @@ +## Description + +This tests checks that if namespace labels used in a policy are not present the resource is NOT created. +If the expected labels are defaulted in the policy the resource creation should work fine. + +## Expected Behavior + +The first part of the test checks that the resource fails to create if namespace labels are not present. +Then the policy is updated to use default values when namespace labels are missing, then the resource should be created without issue. + +## Reference Issue(s) + +5136 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/resource.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/resource.yaml new file mode 100644 index 0000000000..e3c498af49 --- /dev/null 
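Review bot: As an ordinary numbered step, 99-cleanup.yaml runs only when every earlier step succeeded, so a failure anywhere in 02–05 leaves ClusterPolicy `propagate-cost-labels-from-namespace` — `failurePolicy: Fail` on every workload kind — installed for whatever test runs next. If this chainsaw version supports step-level `finally`/`cleanup` handlers the deletion belongs there; otherwise the ordering assumption should at least be documented, e.g. `# runs only on success; a failing earlier step leaves the ClusterPolicy installed`. `--force` is also unnecessary here: it skips graceful termination for the test's own pods and does nothing useful for a ClusterPolicy, and `--wait=true --ignore-not-found=true` alone is enough unless a finalizer hangs.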
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/defaulting-namespace-labels/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/00-policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/00-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/00-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/01-deployment.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/01-deployment.yaml new file mode 100644 index 0000000000..b834867a41 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/01-deployment.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: deployment +spec: + timeouts: {} + try: + - apply: + file: resources.yaml + - assert: + file: resources-assert.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/README.md new file mode 100644 index 0000000000..3c948b9615 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/README.md 
@@ -0,0 +1,12 @@ +## Description + +This test checks that document references with special characters in their names are supported. + +## Expected Behavior + +JMESPath references generated when documents are traversed are escaped properly according to the JMESPath standard. + +## Reference Issue(s) + +3578 +3616 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/policy-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/policy-assert.yaml new file mode 100644 index 0000000000..85dd54eef7 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: jmespath-with-special-chars-demo +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/policy.yaml new file mode 100644 index 0000000000..ce91a05aeb --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/policy.yaml @@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: jmespath-with-special-chars-demo +spec: + rules: + - name: format-deploy-zone + match: + any: + - resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + metadata: + labels: + deploy-zone: "{{ to_upper('{{@}}') }}" + - name: retention-adjust + match: + any: + - resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + metadata: + labels: + corp.com/retention: "{{ regex_replace_all('([0-9])([0-9])', '{{ @ }}', '${1}0') }}" 
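Review bot: Both rules match every Pod in the cluster — `kinds: - Pod` under `match.any` with no `namespaces` or `names` restriction — so while this step is active the `deploy-zone` and `corp.com/retention` labels of Pods belonging to any concurrently running test may be rewritten too, and a failure there would be hard to attribute back to this fixture. Restricting the match to the fixture, e.g. adding `names: - busybox` next to `kinds:` in each rule's `resources:` block (the form already used in basic-create-patchesJson6902/01-manifests.yaml), keeps the mutation inside this test. The same unscoped Pod match appears in mutate-using-default-context/policy.yaml and mutate-with-404-api-call/policy.yaml, and basic-check-output/01-manifests.yaml extends it to Services, ConfigMaps and Secrets; whether chainsaw runs these suites in parallel is not visible from the diff.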
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/resources-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/resources-assert.yaml new file mode 100644 index 0000000000..0505829a40 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/resources-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Pod +metadata: + name: busybox + labels: + deploy-zone: FRANKFURT + corp.com/retention: days_30 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/resources.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/resources.yaml new file mode 100644 index 0000000000..63f79ab966 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/jmespath-with-special-chars/resources.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: busybox + labels: + deploy-zone: frankfurt + corp.com/retention: days_37 +spec: + containers: + - name: busybox + image: busybox:stable + command: ["sleep", "600"] diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/00-policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/00-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/00-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/01-pod.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/01-pod.yaml new file mode 100644 index 0000000000..b6172499fe --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/01-pod.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pod +spec: + timeouts: {} + try: + - apply: + file: pod.yaml + - assert: + file: pod-assert.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/README.md new file mode 100644 index 0000000000..71a15821b2 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks that the `default` field in a context variable should replace nil results in mutateExisting policies. + +## Expected Behavior + +With the mutateExisting policy, the context variable `podName` will assume the value of `empty` since there is no pod whose name is starting with `good-`, and the pod should get created as preconditions matching as the value of the variable is set to default which is `empty` is equal to `empty`. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7148 \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod-assert.yaml new file mode 100644 index 0000000000..878c824de5 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod-assert.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: 'bad-box' + labels: + foo: bar +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: busybox:latest + command: ["sleep", "9999"] \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod.yaml new file mode 100644 index 0000000000..524dde67e6 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: 'bad-box' +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: busybox:latest + command: ["sleep", "9999"] + diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy-assert.yaml new file mode 100644 index 0000000000..b0bac17455 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: pod-add-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy.yaml new file mode 100644 index 0000000000..6cf9e5ee3b --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy.yaml 
@@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: pod-add-labels +spec: + rules: + - name: foo + match: + any: + - resources: + kinds: + - Pod + context: + - name: podName + variable: + jmesPath: request.object.metadata.name[?starts_with(@, 'good-')] | [0] + default: empty + preconditions: + all: + - key: "{{podName}}" + operator: Equals + value: empty + mutate: + patchStrategicMerge: + metadata: + labels: + +(foo): bar \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/01-policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/01-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/02-pod.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/02-pod.yaml new file mode 100644 index 0000000000..b6172499fe --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/02-pod.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pod +spec: + timeouts: {} + try: + - apply: + file: pod.yaml + - assert: + file: pod-assert.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/README.md new file mode 100644 index 0000000000..6220bb7e84 --- /dev/null 
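Review bot: The README in this directory describes the scenario as a mutateExisting policy, but `pod-add-labels` has no `mutate.targets`, so it is an ordinary admission-time mutation of the incoming Pod; one of the two should be corrected so the test documents what it actually exercises. The mechanism under test otherwise reads coherently: `metadata.name[?starts_with(@, 'good-')] | [0]` applies a filter projection to a scalar and therefore yields null, which `default: empty` replaces, so the `Equals empty` precondition passes for `bad-box` and `+(foo): bar` is added. A one-line comment above `context:` stating that intent, e.g. `# filter on a scalar name yields null; default must replace it or the precondition fails`, would save the next reader re-deriving it.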
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks that the mutate policy does not fail because of 404 in API Call when failure policy is set to `Ignore`. + +## Expected Behavior + +The failure policy in the policy is set to Ignore and the API Call refers to a non existent URL. Mutation should not happen and error should not be thrown. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/8936 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/pod-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/pod-assert.yaml new file mode 100644 index 0000000000..ccb73f4a08 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/pod-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: mutate-404-api-call-example + namespace: default diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/pod.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/pod.yaml new file mode 100644 index 0000000000..521fbfaa95 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/pod.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: mutate-404-api-call-example + namespace: default +spec: + containers: + - name: example + image: busybox + args: ["sleep", "infinity"] diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/policy-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/policy-assert.yaml new file mode 100644 index 0000000000..3a5cb6bb42 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/policy-assert.yaml 
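Review bot: pod-assert.yaml only asserts that `mutate-404-api-call-example` exists in `default`; it does not check the README's stated expectation that no mutation happened, so a run in which Kyverno did attach a `foo` label would still pass this step. Chainsaw's `error` operation (a resource that must not match) is the natural place for the negative check — an errors file for a Pod with this name carrying a `metadata.labels.foo` key, expressed as key presence rather than a literal since the value would come from the failed call. The Pod being admitted at all remains a valid signal for the `failurePolicy: Ignore` path, so the existing assert should stay alongside it.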
@@ -0,0 +1,4 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-404-api-call diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/policy.yaml new file mode 100644 index 0000000000..1d85202026 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/mutate-with-404-api-call/policy.yaml @@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-404-api-call +spec: + failurePolicy: Ignore + rules: + - name: mutate-404-api-call + context: + - name: val + apiCall: + service: + url: "https://www.google.com/404" + match: + any: + - resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + metadata: + labels: + foo: "{{ val }}" diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-assert.yaml new file mode 100644 index 0000000000..e8ffe05a08 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: reload +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-policy.yaml new file mode 100644 index 0000000000..cea8c6bb60 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/01-policy.yaml 
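Review bot: This policy-assert.yaml checks only `metadata.name`, while every other policy-assert.yaml in this change also asserts `status.conditions` with `type: Ready` and `status: "True"`; without that condition the next step may create the Pod before the webhook for this policy is configured, and a Pod that was never evaluated is indistinguishable from the "call failed, mutation skipped" outcome being tested. Adding the same `status:` block as in variables-mutate-existing/01-assert.yaml closes that window — unless the policy is expected not to become Ready with a failing `apiCall` context, in which case a short comment explaining the omission would help.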
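Review bot: The `apiCall` context targets an external host, `https://www.google.com/404`, so the outcome depends on outbound internet access from the Kyverno pod and on a third party continuing to answer 404; in an egress-restricted CI cluster the call fails for a different reason (DNS or connect timeout) and the step passes without exercising the 404 path the README describes, while in a permissive cluster it adds a real outbound request to every conformance run. A deterministic 404 is available in-cluster — for example an `apiCall` with `urlPath` pointing at a named resource that does not exist, which the API server answers with 404 — if going through the API server rather than a generic `service.url` still covers what the referenced issue is about. If the external URL is deliberate, a comment above `apiCall:` stating that the test requires egress would at least make the dependency explicit.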
@@ -0,0 +1,34 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: reload +spec: + mutateExistingOnPolicyUpdate: false + rules: + - name: trigger + match: + any: + - resources: + kinds: + - ConfigMap + selector: + matchLabels: + kyverno.io/watch: "true" + preconditions: + all: + - key: "{{ request.operation }}" + operator: Equals + value: UPDATE + mutate: + targets: + - apiVersion: v1 + kind: Pod + namespace: "{{ request.namespace }}" + patchStrategicMerge: + metadata: + annotations: + corp.org/random: "{{ request.object.data.fookey }}" + spec: + volumes: + - configMap: + <(name): "{{ request.object.metadata.name }}" \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-assert.yaml new file mode 100644 index 0000000000..f7559ecae3 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-assert.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +data: + fookey: fakeval +kind: ConfigMap +metadata: + name: mycm + namespace: foo + labels: + kyverno.io/watch: "true" +--- +apiVersion: v1 +kind: Pod +metadata: + name: mypod + namespace: foo \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-resources.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-resources.yaml new file mode 100644 index 0000000000..3209e361b9 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/02-resources.yaml 
@@ -0,0 +1,58 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: foo +--- +apiVersion: v1 +data: + fookey: fakeval +kind: ConfigMap +metadata: + name: mycm + namespace: foo + labels: + kyverno.io/watch: "true" +--- +apiVersion: v1 +kind: Pod +metadata: + name: mypod + namespace: foo +spec: + containers: + - name: busybox + image: busybox:1.35 + command: ["sleep", "1d"] + volumeMounts: + - name: mycm + mountPath: /etc/mycm + volumes: + - name: mycm + configMap: + name: mycm +--- +apiVersion: v1 +kind: Pod +metadata: + name: unwatched + namespace: foo +spec: + containers: + - name: busybox + image: busybox:1.35 + command: ["sleep", "1d"] + volumeMounts: + - name: othercm + mountPath: /etc/fooconfig + volumes: + - name: othercm + configMap: + name: othercm +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: othercm + namespace: foo +data: + foo: bar \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/03-update-cm.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/03-update-cm.yaml new file mode 100644 index 0000000000..a865dbf43c --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/03-update-cm.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: update-cm +spec: + timeouts: {} + try: + - apply: + file: update-mycm.yaml + - assert: + file: update-mycm.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/04-cm-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/04-cm-assert.yaml new file mode 100644 index 0000000000..0e7ab156a2 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/04-cm-assert.yaml 
@@ -0,0 +1,7 @@ +apiVersion: v1 +data: + fookey: bar +kind: ConfigMap +metadata: + name: mycm + namespace: foo \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/05-pod-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/05-pod-assert.yaml new file mode 100644 index 0000000000..312b9d05fe --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/05-pod-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Pod +metadata: + name: mypod + namespace: foo + annotations: + corp.org/random: bar \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/06-errors.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/06-errors.yaml new file mode 100644 index 0000000000..88fa64f828 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/06-errors.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Pod +metadata: + name: unwatched + namespace: foo + annotations: + corp.org/random: bar \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/99-cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/99-cleanup.yaml new file mode 100644 index 0000000000..3e1accc507 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/99-cleanup.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - -f + - 01-policy.yaml,02-resources.yaml + - --force + - --wait=true + - --ignore-not-found=true + entrypoint: kubectl 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/README.md new file mode 100644 index 0000000000..be1452c2f4 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks that variable `request.object` always references the admission request object data in mutateExisting policies. + +## Expected Behavior + +With the mutateExisting policy, the variable `request.object` should always be substituted to the matching configmap's name `mycm`, not any pod's name. When the test finishes, the annotation `corp.org/random=bar` should be added to the pod `foo/mypod`. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/5820 \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/update-mycm.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/update-mycm.yaml new file mode 100644 index 0000000000..d9c273541d --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing/update-mycm.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +data: + fookey: bar +kind: ConfigMap +metadata: + name: mycm + namespace: foo + labels: + kyverno.io/watch: "true" \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/01-assert.yaml new file mode 100644 index 0000000000..7e9f14965b --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/01-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/01-manifests.yaml new file mode 100644 index 0000000000..5fdf48af86 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/01-manifests.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +spec: + admission: true + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret + mutate: + patchStrategicMerge: + metadata: + labels: + foo: bar + name: add-labels + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/02-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/02-assert.yaml new file mode 100644 index 0000000000..dcb47a5770 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/02-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: testingsecret + namespace: default + labels: + foo: bar \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/02-secret.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/02-secret.yaml new file mode 100644 index 0000000000..cfafb7c22b --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/02-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: testingsecret + namespace: default +type: Opaque \ No newline at end of file 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/99-cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/99-cleanup.yaml new file mode 100644 index 0000000000..bb92fb0517 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/99-cleanup.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - -f + - 01-manifests.yaml,02-secret.yaml + - --force + - --wait=true + - --ignore-not-found=true + entrypoint: kubectl diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/README.md new file mode 100644 index 0000000000..7ca7b77a9e --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/README.md @@ -0,0 +1,3 @@ +# Title + +This is a basic mutation test. diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/01-assert.yaml new file mode 100644 index 0000000000..46908e1174 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-privileged-existing-namespaces +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/01-manifests.yaml new file mode 100644 index 0000000000..dc2a5732fe --- /dev/null 
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/01-manifests.yaml @@ -0,0 +1,36 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-privileged-existing-namespaces + annotations: + policies.kyverno.io/title: Add Privileged Label to Existing Namespaces + policies.kyverno.io/category: Pod Security Admission + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Namespace + kyverno.io/kyverno-version: 1.8.0 + policies.kyverno.io/minversion: 1.7.0 + kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/description: >- + When Pod Security Admission is configured with a cluster-wide AdmissionConfiguration file + which sets either baseline or restricted, for example in many PaaS CIS profiles, it may + be necessary to relax this to privileged on a per-Namespace basis so that more + granular control can be provided. This policy labels new and existing Namespaces, except + that of kube-system, with the `pod-security.kubernetes.io/enforce: privileged` label. +spec: + mutateExistingOnPolicyUpdate: true + background: false + rules: + - name: label-privileged-namespaces + match: + any: + - resources: + kinds: + - Namespace + mutate: + targets: + - apiVersion: v1 + kind: Namespace + patchStrategicMerge: + metadata: + labels: + foo: bar \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/03-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/03-assert.yaml new file mode 100644 index 0000000000..a4a2785149 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/03-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: default + labels: + foo: bar \ No newline at end of file 
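Review bot: The `policies.kyverno.io/title` and `policies.kyverno.io/description` annotations describe a rule that adds `pod-security.kubernetes.io/enforce: privileged` to Namespaces except kube-system, but the rule as written adds `foo: bar` to every Namespace with no exclusion, so the metadata documents behaviour this fixture does not have and reads like an unedited copy of an upstream policy. Replacing the description with one sentence that matches the body, e.g. `policies.kyverno.io/description: Test fixture - labels every existing Namespace with foo=bar when the policy is created`, or dropping the annotation block entirely, avoids misleading anyone who reads the policy outside the test. Labelling all Namespaces, kube-system included, is also broader than 03-assert.yaml (which only inspects `default`) needs; a `name: default` on the target, as the basic-create fixtures do with `name: secret-1`, would confine the change to the one Namespace the test checks.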
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/99-cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/99-cleanup.yaml new file mode 100644 index 0000000000..2eccd177b1 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/99-cleanup.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - -f + - 01-manifests.yaml + - --force + - --wait=true + - --ignore-not-found=true + entrypoint: kubectl diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/README.md new file mode 100644 index 0000000000..965f2d1110 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/README.md @@ -0,0 +1,11 @@ +## Description + +This is a test for mutation of existing resources when background is set to false. + +## Expected Behavior + +The mutateExisting policy does not require `.spec.background=true` to be applied. + +## Reference Issue(s) + +5430 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-assert.yaml new file mode 100644 index 0000000000..408b0e16e6 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-post-mutation +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
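Review bot: The cleanup removes the policy but leaves the label the test added: 03-assert.yaml expects `foo: bar` on the `default` Namespace, and nothing here strips it again, so the shared cluster carries that label into every later test and into any Namespace-label assertion they make. A second command step, `kubectl label namespace default foo-`, restores the pre-test state; alternatively the test could create and assert on a Namespace of its own, so that the existing `delete -f` is sufficient on its own.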
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-manifests.yaml new file mode 100644 index 0000000000..80cf0e4b05 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/01-manifests.yaml @@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: staging-4 + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: test-secret-4 + namespace: staging-4 +type: Opaque +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-post-mutation +spec: + mutateExistingOnPolicyUpdate: false + rules: + - name: mutate-secret-on-configmap-update + match: + any: + - resources: + kinds: + - ConfigMap + names: + - dictionary-4 + namespaces: + - staging-4 + mutate: + targets: + - apiVersion: v1 + kind: Secret + name: test-secret-4 + namespace: "{{ request.object.metadata.namespace }}" + patchesJson6902: |- + - op: add + path: "/metadata/labels/env" + value: "{{ request.object.metadata.namespace }}" \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/02-create-cm.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/02-create-cm.yaml new file mode 100644 index 0000000000..45450b350f --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/02-create-cm.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: dictionary-4 + namespace: staging-4 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/03-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/03-assert.yaml new file mode 100644 index 0000000000..3bfa536220 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/03-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: test-secret-4 + namespace: staging-4 + labels: + env: staging-4 \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/README.md new file mode 100644 index 0000000000..e84be6698f --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/README.md @@ -0,0 +1,11 @@ +## Description + +This is a basic test for the mutate existing capability, using a JSON patch, which ensures that creating a triggering resource results in the correct mutation of a different resource. + +## Expected Behavior + +When the `dictionary-4` ConfigMap is created, this should result in the mutation of the Secret named `test-secret-4` within the same Namespace to add the label `env` with value set to the name of the triggering resource's Namespace, `staging-4`. If the Secret is mutated so that the label `env: staging-4` is present, the test passes. If not, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/cleanup.yaml new file mode 100644 index 0000000000..15c3c49051 --- /dev/null 
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create-patchesJson6902/cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/01-assert.yaml new file mode 100644 index 0000000000..450edc769b --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-existing-secret +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/01-manifests.yaml new file mode 100644 index 0000000000..dfe8dfbaf1 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/01-manifests.yaml 
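Review bot: This cleanup step is written as a `kuttl.dev/v1beta1` TestStep inside a chainsaw test directory, so chainsaw will not run it the way it runs the `99-cleanup.yaml` steps elsewhere in this change; whether it is silently skipped or rejected at load time, the `staging-4` Namespace, the `test-secret-4` Secret and the `test-post-mutation` ClusterPolicy from 01-manifests.yaml are left on the cluster after the test. The same kuttl-format `cleanup.yaml` appears in basic-create/, where it leaves `staging`, `secret-1` and `mutate-existing-secret` behind. Converting both to the chainsaw form used by background-false/99-cleanup.yaml, and renaming them `99-cleanup.yaml` so they sort after the numbered steps, fixes this; the body below is the converted step.
```yaml
---
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
  name: cleanup
spec:
  try:
    - command:
        entrypoint: kubectl
        args:
          - delete
          - -f
          - 01-manifests.yaml
          - --force
          - --wait=true
          - --ignore-not-found=true
```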
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: staging + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: secret-1 + namespace: staging +type: Opaque +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-existing-secret +spec: + mutateExistingOnPolicyUpdate: false + rules: + - name: mutate-secret-on-configmap-create + match: + any: + - resources: + kinds: + - ConfigMap + names: + - dictionary-1 + namespaces: + - staging + mutate: + targets: + - apiVersion: v1 + kind: Secret + name: secret-1 + namespace: "{{ request.object.metadata.namespace }}" + patchStrategicMerge: + metadata: + labels: + foo: bar \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/02-create-cm.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/02-create-cm.yaml new file mode 100644 index 0000000000..b458868bc4 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/02-create-cm.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: dictionary-1 + namespace: staging diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/03-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/03-assert.yaml new file mode 100644 index 0000000000..5e7a224346 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/03-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: secret-1 + namespace: staging + labels: + foo: bar \ No newline at end of file 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/README.md new file mode 100644 index 0000000000..8e0d03f4f6 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/README.md @@ -0,0 +1,11 @@ +## Description + +This is a basic test for the mutate existing capability which ensures that creating a triggering resource results in the correct mutation of a different resource. + +## Expected Behavior + +When the `dictionary-1` ConfigMap is created, this should result in the mutation of the Secret named `secret-1` within the same Namespace to add the label `foo: bar`. If the Secret is mutated so that the label `foo: bar` is present, the test passes. If not, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/cleanup.yaml new file mode 100644 index 0000000000..15c3c49051 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-create/cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/01-assert.yaml new file mode 100644 index 0000000000..0ac1ea7dcc --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/01-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-post-mutation-delete-trigger +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/01-manifests.yaml new file mode 100644 index 0000000000..706fb39f53 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/01-manifests.yaml @@ -0,0 +1,58 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: staging-2 + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" +--- +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: dictionary-2 + namespace: staging-2 +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: test-secret-2 + namespace: staging-2 +type: Opaque +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-post-mutation-delete-trigger +spec: + mutateExistingOnPolicyUpdate: false + rules: + - name: mutate-secret-on-configmap-delete + match: + any: + - resources: + kinds: + - ConfigMap + names: + - dictionary-2 + namespaces: + - staging-2 + preconditions: + any: + - key: "{{ request.operation }}" + operator: Equals + value: DELETE + mutate: + targets: + - apiVersion: v1 + kind: Secret + name: test-secret-2 + namespace: "{{ request.object.metadata.namespace }}" + patchStrategicMerge: + metadata: + labels: + foo: "{{ request.object.metadata.name }}" \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/02-delete-cm.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/02-delete-cm.yaml new file mode 100644 index 0000000000..4fcba59476 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/02-delete-cm.yaml 
@@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete-cm +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: ConfigMap + name: dictionary-2 + namespace: staging-2 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/03-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/03-assert.yaml new file mode 100644 index 0000000000..fc44140bd6 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/03-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: test-secret-2 + namespace: staging-2 + labels: + foo: dictionary-2 \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/README.md new file mode 100644 index 0000000000..9abd9c3007 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/README.md @@ -0,0 +1,11 @@ +## Description + +This is a basic test for the mutate existing capability which ensures that specifically deleting a triggering resource, via a precondition, results in the correct mutation of a different resource. + +## Expected Behavior + +When the `dictionary-2` ConfigMap is deleted, this should result in the mutation of the Secret named `test-secret-2` within the same Namespace to add the label `foo` with value set to the name or `dictionary-2` in this case. If the Secret is mutated so that the label `foo: dictionary-2` is present, the test passes. If not, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/cleanup.yaml new file mode 100644 index 0000000000..15c3c49051 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-delete/cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/01-assert.yaml new file mode 100644 index 0000000000..450edc769b --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-existing-secret +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/01-manifests.yaml new file mode 100644 index 0000000000..ac233b57d3 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/01-manifests.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: staging + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" +--- +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: dictionary-1 + namespace: staging +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: secret-1 + namespace: staging +type: Opaque +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-existing-secret +spec: + mutateExistingOnPolicyUpdate: false + rules: + - name: mutate-secret-on-configmap-event + match: + any: + - resources: + kinds: + - ConfigMap + names: + - dictionary-1 + namespaces: + - staging + mutate: + targets: + - apiVersion: v1 + kind: Secret + name: secret-1 + namespace: "{{ request.object.metadata.namespace }}" + patchStrategicMerge: + metadata: + labels: + foo: bar \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/02-edit-cm.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/02-edit-cm.yaml new file mode 100644 index 0000000000..ca18559545 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/02-edit-cm.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: bar + dog: dory +kind: ConfigMap +metadata: + name: dictionary-1 + namespace: staging \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/03-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/03-assert.yaml new file mode 100644 index 0000000000..5e7a224346 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/03-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: secret-1 + namespace: staging + labels: + foo: bar \ No newline at end of file 
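Review bot: basic-update's 01-manifests.yaml reuses exactly the names of basic-create's (Namespace `staging`, ConfigMap `dictionary-1`, Secret `secret-1`, ClusterPolicy `mutate-existing-secret`), and its 03-assert.yaml expects the same `foo: bar` label that basic-create produces. A Secret left behind by basic-create, or the two tests running concurrently if the suite is ever run in parallel, therefore lets this test pass without the UPDATE event from 02-edit-cm.yaml being exercised, and the cluster-scoped ClusterPolicy would be applied twice under one name. Use per-test names as basic-delete does (`staging-2`, `dictionary-2`), and assert a value only the update can produce, e.g. `foo: "{{ request.object.data.dog }}"` in the policy with `foo: dory` in 03-assert.yaml.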
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/README.md new file mode 100644 index 0000000000..7afed002ff --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/README.md @@ -0,0 +1,11 @@ +## Description + +This is a basic test for the mutate existing capability which ensures that modifying (updating) a triggering resource results in the correct mutation of a different resource. + +## Expected Behavior + +When the `dictionary-1` ConfigMap is updated, this should result in the mutation of the Secret named `secret-1` within the same Namespace to add the label `foo: bar`. If the Secret is mutated so that the label `foo: bar` is present, the test passes. If not, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/cleanup.yaml new file mode 100644 index 0000000000..15c3c49051 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/basic-update/cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/01-assert.yaml new file mode 100644 index 0000000000..4f66697c6b --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/01-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-multiple-rules-match-exclude +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/01-manifests.yaml new file mode 100644 index 0000000000..8570a4e8cd --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/01-manifests.yaml 
@@ -0,0 +1,91 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:update-pods +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - update +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ns-multiple-rules-match-exclude + labels: + policy.lan/flag: 'true' +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx-a + namespace: ns-multiple-rules-match-exclude +spec: + containers: + - name: nginx + image: nginx +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx-b + namespace: ns-multiple-rules-match-exclude +spec: + containers: + - name: nginx + image: nginx +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-multiple-rules-match-exclude +spec: + mutateExistingOnPolicyUpdate: false + rules: + - name: apply-flag + match: + any: + - resources: + kinds: + - Namespace + selector: + matchLabels: + policy.lan/flag: 'true' + mutate: + targets: + - kind: Pod + apiVersion: v1 + namespace: "{{ request.object.metadata.name }}" + patchStrategicMerge: + metadata: + labels: + policy.lan/apply-flag: 'true' + - name: remove-flag + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + kinds: + - Namespace + selector: + matchLabels: + policy.lan/flag: 'true' + mutate: + targets: + - kind: Pod + apiVersion: v1 + namespace: "{{ request.object.metadata.name }}" + patchStrategicMerge: + metadata: + labels: + policy.lan/remove-flag: 'true' diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/02-script.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/02-script.yaml new file mode 100644 index 0000000000..9a708f2ebc --- /dev/null 
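Review bot: Sequence indentation is mixed inside 01-manifests.yaml: the ClusterRole's `rules:` uses flush `- apiGroups:` while the ClusterPolicy's `rules:` in the same file and the other new ClusterRoles in this commit (mutate-existing-node-status, mutate-pod-on-binding-request) indent list items under their key. Both parse identically, but yamllint's `indentation` check flags the mix; indent the ClusterRole rules to match. Separately, both Pods use `image: nginx` with no tag, so the fixture floats with whatever the registry serves as `latest`; a pinned tag keeps the test reproducible.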
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/02-script.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script +spec: + timeouts: {} + try: + - command: + args: + - label + - ns + - ns-multiple-rules-match-exclude + - policy.lan/flag- + entrypoint: kubectl diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/03-check.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/03-check.yaml new file mode 100644 index 0000000000..8cee3f77ff --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/03-check.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - assert: + file: pod-good.yaml + - error: + file: pod-bad.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/README.md new file mode 100644 index 0000000000..25fd392564 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/README.md 
@@ -0,0 +1,21 @@ +## Description + +This test ensures that match and exclude are applied to the incoming resource correctly, and only the matched rule gets applied. + +## Expected Behavior + +Both pod `nginx-a` and `nginx-b` has label `policy.lan/remove-flag: 'true'` added but not `policy.lan/apply-flag: "true"`. + +## Steps + +### Test Steps + +1. Create `ClusterRole` that grants the proper permission to apply the mutateExisting policy. +2. Create `Namespace` and two pods in the namespace. +3. Create the `ClusterPolicy` with two mutate existing rules. +4. Remove the label on the `Namespace` to trigger the policy. +5. Verify that the desired label is added to both pods, and undesired label is not added. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7192 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/pod-bad.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/pod-bad.yaml new file mode 100644 index 0000000000..eb1a4cb84c --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/pod-bad.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + policy.lan/apply-flag: "true" + name: nginx-a + namespace: ns-multiple-rules-match-exclude +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + policy.lan/apply-flag: "true" + name: nginx-b + namespace: ns-multiple-rules-match-exclude diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/pod-good.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/pod-good.yaml new file mode 100644 index 0000000000..08e66cb27a --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-rules-match-exclude/pod-good.yaml 
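Review bot: pod-bad.yaml writes the label value as `"true"` while pod-good.yaml and 01-manifests.yaml in the same directory use `'true'`; the parsed value is the same string, but the files read as if they meant different things. Pick single quotes here, `policy.lan/apply-flag: 'true'`, to match the rest of the test.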
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + policy.lan/remove-flag: 'true' + name: nginx-a + namespace: ns-multiple-rules-match-exclude +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + policy.lan/remove-flag: 'true' + name: nginx-b + namespace: ns-multiple-rules-match-exclude \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/01-assert.yaml new file mode 100644 index 0000000000..48e2262e17 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: advertise-resource +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/01-manifests.yaml new file mode 100644 index 0000000000..839740038a --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/01-manifests.yaml 
@@ -0,0 +1,42 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: advertise-resource +spec: + background: false + rules: + - name: advertise-resource + match: + resources: + kinds: + - Node + mutate: + targets: + - apiVersion: v1 + kind: Node/status + name: kind-control-plane + namespace: "" + patchStrategicMerge: + status: + capacity: + example.com/dongle: "41" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:modify-nodes +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/status + verbs: + - create + - update + - patch + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/02-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/02-assert.yaml new file mode 100644 index 0000000000..84bae92ab8 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/02-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Node +metadata: + name: kind-control-plane +status: + capacity: + example.com/dongle: "41" diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/02-script.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/02-script.yaml new file mode 100644 index 0000000000..0455ad378f --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/02-script.yaml 
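Review bot: The `kyverno:modify-nodes` ClusterRole grants `create`, `update`, `patch` and `delete` on `nodes` and `nodes/status`, but the only operation the `advertise-resource` policy performs is a strategic-merge mutation of `Node/status`, so `create` and `delete` on nodes are surplus privilege aggregated into the admission controller for the duration of the test. The sibling `kyverno:modify-pods` role in mutate-pod-on-binding-request keeps to `update` and `patch`; trim this one to the same two verbs, `verbs: [update, patch]`. The `namespace: ""` on the Node target can presumably be omitted for a cluster-scoped kind, which would also remove one quoted-empty value.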
@@ -0,0 +1,18 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script +spec: + timeouts: {} + try: + - script: + content: ./modify-resource-filters.sh removeNode + - command: + args: + - label + - nodes + - kind-control-plane + - abc=xyz + entrypoint: kubectl diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/99-cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/99-cleanup.yaml new file mode 100644 index 0000000000..11dbdd6ed4 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/99-cleanup.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - cpol + - advertise-resource + - --force + - --wait=true + - --ignore-not-found=true + entrypoint: kubectl + - script: + content: ./modify-resource-filters.sh addNode + - script: + content: ./clear-modified-node-status.sh + - command: + args: + - label + - nodes + - kind-control-plane + - abc- + entrypoint: kubectl diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/README.md new file mode 100644 index 0000000000..f43fab4660 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/README.md 
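Review bot: 99-cleanup.yaml is an ordinary numbered step, so the `modify-resource-filters.sh addNode` restore, the node-status reset and the label removal only run if steps 01 and 02 succeed; if 02-assert.yaml times out, the kyverno ConfigMap is left with `[Node,*,*]` and `[Node/*,*,*]` removed from `resourceFilters`, widening what Kyverno intercepts for every test that follows, and the `kyverno:modify-nodes` ClusterRole stays aggregated unless chainsaw's automatic cleanup of applied resources removes it. `99-cleanup.yaml` in mutate-pod-on-binding-request (L572) has the same shape. If this chainsaw version supports a step-level `finally:` or cleanup block, move the restore commands there; otherwise at least delete the ClusterRole alongside the ClusterPolicy, `- command: {entrypoint: kubectl, args: [delete, clusterrole, kyverno:modify-nodes, --ignore-not-found=true]}`.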
@@ -0,0 +1,22 @@ +## Description + +This test validates that an incoming request to `Node` triggers mutating the existing `Node/status` subresource. + +## Expected Behavior + +The existing `Node/status` subresource is mutated. + +## Steps + +### Test Steps + +1. Create a `ClusterPolicy` that matches on `Node` and mutates `Node/status` object. +2. Create `ClusterRole` for allowing modifications to `Node/status` subresource. +3. Modify kyverno `resourceFilters` to allow mutating requests for `Node` resource. +4. Send a update request to `Node`. +5. Mutate the existing `Node/status` subresource. +6. Verify that the existing `Node/status` object is mutated. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/2843 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/clear-modified-node-status.sh b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/clear-modified-node-status.sh new file mode 100755 index 0000000000..818caada82 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/clear-modified-node-status.sh 
@@ -0,0 +1,33 @@ +#!/usr/bin/env bash +set -eu + +kubectl proxy & +proxy_pid=$! +echo $proxy_pid + +function cleanup { + echo "killing kubectl proxy" >&2 + kill $proxy_pid +} + +attempt_counter=0 +max_attempts=5 + +until curl --output /dev/null -fsSL http://localhost:8001/; do + if [ ${attempt_counter} -eq ${max_attempts} ]; then + echo "Max attempts reached" + exit 1 + fi + + attempt_counter=$((attempt_counter + 1)) + sleep 5 +done + +curl --header "Content-Type: application/json-patch+json" \ + --request PATCH \ + --output /dev/null \ + --data '[{"op": "remove", "path": "/status/capacity/example.com~1dongle"}]' \ + http://localhost:8001/api/v1/nodes/kind-control-plane/status + +kubectl annotate node kind-control-plane policies.kyverno.io/last-applied-patches- +trap cleanup EXIT \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/modify-resource-filters.sh b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/modify-resource-filters.sh new file mode 100755 index 0000000000..9594d5a6d2 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-existing-node-status/modify-resource-filters.sh 
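Review bot: `trap cleanup EXIT` is installed on the last line of clear-modified-node-status.sh, after every command that can fail under `set -eu`, so a failed readiness loop (`exit 1`), a failed PATCH or a failed `kubectl annotate` leaves the backgrounded `kubectl proxy` running: an unauthenticated API-server proxy on localhost:8001 that outlives the test. Move the trap to just after the `cleanup` function is defined and before the readiness loop, e.g. `function cleanup { ... }` / `trap cleanup EXIT`, so the proxy is always killed. Quoting `"$proxy_pid"` in the `kill` and `echo` calls is a small accompanying tidy-up.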
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash +set -eu + +if [ $# -ne 1 ]; then + echo "Usage: $0 [addNode|removeNode]" + exit 1 +fi + +if [ "$1" = "removeNode" ]; then + resource_filters=$(kubectl get ConfigMap kyverno -n kyverno -o json | jq .data.resourceFilters) + resource_filters="${resource_filters//\[Node,\*,\*\]/}" + resource_filters="${resource_filters//\[Node\/\*,\*,\*\]/}" + + kubectl patch ConfigMap kyverno -n kyverno --type='json' -p="[{\"op\": \"replace\", \"path\": \"/data/resourceFilters\", \"value\":""$resource_filters""}]" +fi + +if [ "$1" = "addNode" ]; then + resource_filters=$(kubectl get ConfigMap kyverno -n kyverno -o json | jq .data.resourceFilters) + resource_filters="${resource_filters%?}" + + resource_filters="${resource_filters}""[Node,*,*][Node/*,*,*]\"" + kubectl patch ConfigMap kyverno -n kyverno --type='json' -p="[{\"op\": \"replace\", \"path\": \"/data/resourceFilters\", \"value\":""$resource_filters""}]" +fi diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/01-assert.yaml new file mode 100644 index 0000000000..32127417a5 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/01-assert.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-pod-on-binding-request +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready +--- +apiVersion: v1 +kind: Namespace +metadata: + name: test-ns +status: + phase: Active diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/01-manifests.yaml new file mode 100644 index 0000000000..69d7889431 --- /dev/null 
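Review bot: The script rewrites the live `resourceFilters` of the kyverno ConfigMap from a value obtained through `kubectl get ... | jq .data.resourceFilters` under `set -eu` without `-o pipefail`, so when `kubectl get` fails the pipeline still succeeds with `null`; the `addNode` branch then patches `resourceFilters` to `nul[Node,*,*][Node/*,*,*]"`, a broken filter string, and `removeNode` would write `null` back verbatim. `modify-resource-filters.sh` in mutate-pod-on-binding-request (L574) has the same structure. Use `set -euo pipefail` and `jq -e .data.resourceFilters` so a missing key or failed fetch aborts before the patch, and have `removeNode` fail if the substitution left the string unchanged rather than silently patching the original value back.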
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/01-manifests.yaml @@ -0,0 +1,66 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-ns +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-pod-on-binding-request +spec: + background: false + rules: + - name: mutate-pod-on-binding-request + match: + any: + - resources: + kinds: + - Pod/binding + names: + - nginx-pod + preconditions: + all: + - key: "{{node}}" + operator: NotEquals + value: "" + - key: "{{ request.operation }}" + operator: AnyIn + value: + - CREATE + - UPDATE + context: + - name: node + variable: + jmesPath: request.object.target.name + default: '' + - name: foolabel + apiCall: + urlPath: "/api/v1/nodes/{{node}}" + jmesPath: metadata.labels.foo || 'empty' + mutate: + targets: + - apiVersion: v1 + kind: Pod + name: "{{ request.name }}" + namespace: "{{ request.namespace}}" + patchStrategicMerge: + metadata: + labels: + foo: "{{ foolabel }}" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:modify-pods +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - update + - patch diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/02-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/02-assert.yaml new file mode 100644 index 0000000000..fc4c2a292c --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/02-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: empty + name: nginx-pod + namespace: test-ns 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/02-script.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/02-script.yaml new file mode 100644 index 0000000000..a386ef43de --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/02-script.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script +spec: + timeouts: {} + try: + - script: + content: ./modify-resource-filters.sh removeBinding + - command: + args: + - run + - nginx-pod + - --image=nginx + - -n + - test-ns + entrypoint: kubectl diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/99-cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/99-cleanup.yaml new file mode 100644 index 0000000000..a5ebfd2912 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/99-cleanup.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - pod + - nginx-pod + - -n + - test-ns + - --force + - --wait=true + entrypoint: kubectl + - command: + args: + - delete + - -f + - 01-manifests.yaml + - --force + - --wait=true + entrypoint: kubectl + - script: + content: ./modify-resource-filters.sh addBinding diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/README.md new file mode 100644 index 0000000000..693727892b --- /dev/null 
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/README.md @@ -0,0 +1,22 @@ +## Description + +This test validates that an incoming request to `Pod/binding` subresource can act as a trigger for mutation of an existing `Pod` object. + +## Expected Behavior + +The `Pod` `nginx-pod` is labelled with `foo: empty` label. + +## Steps + +### Test Steps + +1. Create a `ClusterPolicy` that matches on `Pod/binding` and mutates `Pod` object. +2. Create `ClusterRole` for allowing modifications to `Pod` resource. +3. Modify kyverno `resourceFilters` to allow mutating incoming requests to `Pod/binding` subresource. +4. Modify kyverno `resourceFilters` to allow mutating incoming requests from `kube-system` namespace. +5. Create a `Pod` object. +6. Verify that the `Pod` object is labelled with `foo: empty` label. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6503 \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/modify-resource-filters.sh b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/modify-resource-filters.sh new file mode 100755 index 0000000000..9260e2e065 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/mutate-pod-on-binding-request/modify-resource-filters.sh 
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -eu
+
+if [ $# -ne 1 ]; then
+ echo "Usage: $0 [addBinding|removeBinding]"
+ exit 1
+fi
+
+if [ "$1" = "removeBinding" ]; then
+ resource_filters=$(kubectl get ConfigMap kyverno -n kyverno -o json | jq .data.resourceFilters)
+ resource_filters="${resource_filters//\[Pod\/binding,\*,\*\]/}"
+
+ kubectl patch ConfigMap kyverno -n kyverno --type='json' -p="[{\"op\": \"replace\", \"path\": \"/data/resourceFilters\", \"value\":""$resource_filters""}]"
+fi
+
+if [ "$1" = "addBinding" ]; then
+ resource_filters=$(kubectl get ConfigMap kyverno -n kyverno -o json | jq .data.resourceFilters)
+ resource_filters="${resource_filters%?}"
+
+ resource_filters="${resource_filters}""[Pod/binding,*,*]\""
+ kubectl patch ConfigMap kyverno -n kyverno --type='json' -p="[{\"op\": \"replace\", \"path\": \"/data/resourceFilters\", \"value\":""$resource_filters""}]"
+fi
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/01-policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/02-pod.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/02-pod.yaml
new file mode 100644
index 0000000000..15561a69db
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/02-pod.yaml
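Review bot: modify-resource-filters.sh validates only the argument count, so an unrecognised argument (a typo for `addBinding`, say) falls through both `if` blocks and exits 0 without touching the ConfigMap, and the calling chainsaw step then reports success while `resourceFilters` is unchanged; an `else` branch that prints the usage line and exits 1 closes that gap. The `kubectl get ... | jq` pipelines run under `set -eu` without `pipefail`, so a failed `kubectl get` is masked by jq and the script goes on to attempt the patch with an empty or `null` value instead of stopping at the real error; `set -euo pipefail` plus a check that `$resource_filters` is a non-empty JSON string before patching keeps the failure where it happened. The `addBinding` branch also appends `[Pod/binding,*,*]` unconditionally, so running the cleanup twice (or after a run in which `removeBinding` never executed) duplicates the entry in the live kyverno configuration; a containment test such as `case "$resource_filters" in *'[Pod/binding,*,*]'*) ;; *) ... append and patch ... ;; esac` makes the restore idempotent.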
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pod +spec: + timeouts: {} + try: + - apply: + file: pod.yaml + - assert: + file: pod.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/03-configmap.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/03-configmap.yaml new file mode 100644 index 0000000000..574255eeea --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/03-configmap.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: configmap +spec: + timeouts: {} + try: + - apply: + file: configmap.yaml + - assert: + file: configmap.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/04-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/04-assert.yaml new file mode 100644 index 0000000000..8fa12c2eac --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/04-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + org: kyverno-test + name: test-org + namespace: org-label-inheritance-existing-standard-ns diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/README.md new file mode 100644 index 0000000000..a2935c8bfe --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/README.md 
@@ -0,0 +1,19 @@ +## Description + +The `namespaceSelector` should applies to mutateExisting policies upon admission reviews. + +## Expected Behavior +The pod is mutated with annotation `org: kyverno-test`. + +## Steps + +### Test Steps + +1. Create a `ClusterPolicy` that mutates existing pod upon configmap operations in namespaces with label `org`. +2. Create a pod in `test` namespace labeled by `org: kyverno-test`. +3. Create a configmap in `test` namespace. +4. The pod should be mutated with the annotation `org: kyverno-test`. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6176 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/configmap.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/configmap.yaml new file mode 100644 index 0000000000..d2dd3388ef --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/configmap.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-org + namespace: org-label-inheritance-existing-standard-ns diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/pod.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/pod.yaml new file mode 100644 index 0000000000..da42eb1369 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-org + namespace: org-label-inheritance-existing-standard-ns +spec: + containers: + - image: nginx:latest + name: test-org diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/policy-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/policy-assert.yaml new file mode 100644 index 0000000000..c399e38816 --- /dev/null 
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: org-label-inheritance-existing-standard +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/policy.yaml new file mode 100644 index 0000000000..ea01b1ceb3 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/namespaceselector/policy.yaml @@ -0,0 +1,42 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: org-label-inheritance-existing-standard + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + mutateExistingOnPolicyUpdate: false + validationFailureAction: Enforce + rules: + - name: propagate org label from namespace + match: + any: + - resources: + kinds: + - ConfigMap + namespaceSelector: + matchExpressions: + - key: org + operator: Exists + context: + - name: org + apiCall: + urlPath: /api/v1/namespaces/{{ request.object.metadata.namespace }} + jmesPath: metadata.labels.org + mutate: + targets: + - apiVersion: v1 + kind: Pod + namespace: "{{ request.object.metadata.namespace }}" + name: "{{ request.object.metadata.name }}" + patchStrategicMerge: + metadata: + annotations: + org: "{{ org }}" +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + org: kyverno-test + name: org-label-inheritance-existing-standard-ns diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/01-manifests.yaml new file mode 100644 index 0000000000..cb4d8995f2 --- /dev/null 
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/01-manifests.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: staging-3 + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: test-secret-3 + namespace: staging-3 +type: Opaque +--- +apiVersion: v1 +data: + foo: bar +kind: ConfigMap +metadata: + name: dictionary-3 + namespace: staging-3 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/02-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/02-assert.yaml new file mode 100644 index 0000000000..b70ab41388 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/02-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-post-mutation-create-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/02-create-clusterpolicy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/02-create-clusterpolicy.yaml new file mode 100644 index 0000000000..567c245479 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/02-create-clusterpolicy.yaml 
@@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-post-mutation-create-policy +spec: + mutateExistingOnPolicyUpdate: true + rules: + - name: mutate-secret-on-policy-create + match: + any: + - resources: + kinds: + - ConfigMap + names: + - dictionary-3 + namespaces: + - staging-3 + mutate: + targets: + - apiVersion: v1 + kind: Secret + name: test-secret-3 + namespace: "{{ request.object.metadata.namespace }}" + patchStrategicMerge: + metadata: + labels: + foo: "{{ request.object.metadata.name }}" \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/03-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/03-assert.yaml new file mode 100644 index 0000000000..75ab23d4d5 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/03-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: test-secret-3 + namespace: staging-3 + labels: + foo: dictionary-3 \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/README.md new file mode 100644 index 0000000000..c5cd9fb8c8 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/README.md 
@@ -0,0 +1,11 @@ +## Description + +This is a basic test for the mutate existing capability which ensures that creating of a Kyverno ClusterPolicy causes immediate mutation of downstream targets by setting `mutateExistingOnPolicyUpdate: true`. + +## Expected Behavior + +When the ClusterPolicy is created, at that time it should mutate the `test-secret-3` Secret in the `staging-3` Namespace to add a label with key `foo` the value of which should be the name of the defined triggering resource, `dictionary-3`. If this mutation is done, the test passes. If not, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/cleanup.yaml new file mode 100644 index 0000000000..15c3c49051 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/basic-create-policy/cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-assert.yaml new file mode 100644 index 0000000000..b13165d73d --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-assert.yaml 
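Review bot: cleanup.yaml in basic-create-policy still declares `apiVersion: kuttl.dev/v1beta1` while every other step in this change is a `chainsaw.kyverno.io/v1alpha1` TestStep, and its file name carries no numeric step prefix, so unless the runner also discovers un-prefixed kuttl steps (which I do not believe chainsaw does) this file is never executed and the `staging-3` Namespace with `test-secret-3` and `dictionary-3` is left behind after the test. Converting it to a chainsaw step (for example `99-cleanup.yaml`) whose `finally:` runs `kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true` would make the cleanup effective.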
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + org: kyverno-test + name: org-label-inheritance-existing-ns +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-org + namespace: org-label-inheritance-existing-ns +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-org + namespace: org-label-inheritance-existing-ns +spec: + containers: + - image: nginx:latest + name: test-org \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-manifests.yaml new file mode 100644 index 0000000000..b13165d73d --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/01-manifests.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + org: kyverno-test + name: org-label-inheritance-existing-ns +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-org + namespace: org-label-inheritance-existing-ns +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-org + namespace: org-label-inheritance-existing-ns +spec: + containers: + - image: nginx:latest + name: test-org \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/02-policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/02-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/02-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/03-sleep.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/03-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/03-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/04-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/04-assert.yaml new file mode 100644 index 0000000000..e26f93d9c2 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/04-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + org: kyverno-test + name: test-org + namespace: org-label-inheritance-existing-ns diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/README.md new file mode 100644 index 0000000000..98706c7ae7 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/README.md 
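Review bot: 03-sleep.yaml is a fixed `sleep 3` between policy creation and the 04-assert step, which makes the test slower than necessary and dependent on cluster timing rather than on an observed condition. Chainsaw's `assert` already polls the cluster until the step timeout, so the sleep is probably redundant; if a delay really is required, a `sleep:` operation with an explicit `duration:` in the same step (where the chainsaw version in use supports it) states the intent better than shelling out to `sleep` with a quoted `"3"`.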
@@ -0,0 +1,19 @@ +## Description + +This test ensures that the `namespaceSelector` applies to mutateExisting policies upon policy events, in this case creation of the ClusterPolicy. + +## Expected Behavior + +The pod is mutated with annotation `org: kyverno-test`. + +## Steps + +### Test Steps + +1. Create a pod and a configmap in the `org-label-inheritance-existing-ns` namespace labeled by `org: kyverno-test`. +2. Create a `ClusterPolicy` that mutates existing pods. +3. The pod should be mutated with the annotation `org: kyverno-test` present on the parent namespace. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6176 diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/policy-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/policy-assert.yaml new file mode 100644 index 0000000000..11ec9368ec --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: org-label-inheritance-existing +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/policy.yaml new file mode 100644 index 0000000000..2bb429f32c --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/namespaceselector/policy.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: org-label-inheritance-existing + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + mutateExistingOnPolicyUpdate: true + validationFailureAction: Enforce + rules: + - name: propagate org label from namespace + match: + any: + - resources: + kinds: + - ConfigMap + namespaceSelector: + matchExpressions: + - key: org + operator: Exists + context: + - name: org + apiCall: + urlPath: /api/v1/namespaces/{{ request.object.metadata.namespace }} + jmesPath: metadata.labels.org + mutate: + targets: + - apiVersion: v1 + kind: Pod + namespace: "{{ request.object.metadata.namespace }}" + name: "{{ request.object.metadata.name }}" + patchStrategicMerge: + metadata: + annotations: + org: "{{ org }}" diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/01-resources.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/01-resources.yaml new file mode 100644 index 0000000000..6433c34d01 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/01-resources.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - apply: + file: resources.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/02-policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/02-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/02-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/03-trigger.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/03-trigger.yaml new file mode 100644 index 0000000000..4e0e87a77f --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/03-trigger.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: trigger +spec: + timeouts: {} + try: + - apply: + file: trigger.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/04-verify.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/04-verify.yaml new file mode 100644 index 0000000000..94ec6cfa09 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/04-verify.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: verify +spec: + timeouts: {} + try: + - assert: + file: resources-assert.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/README.md new file mode 100644 index 0000000000..c2706fe413 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/README.md 
@@ -0,0 +1,21 @@ +## Description + +This test creates one `ConfigMap` named `target`. + +It then creates a `ClusterPolicy` with a mutate existing rule targeting the previously created `ConfigMap`. + +The policy rule uses `context` on the trigger resource to create a variable containing the value of `data.content`. +The policy rule uses `context` on the target resource to create a variable containing the value of `data.content`. +The policy mutates target resource, setting `data.content` to the value of the trigger resource level variable and `data.targetContent` to the value of the target resource level variable. + +Finally, the test creates the trigger config map. + +## Expected Behavior + +The target config map should contain: + +```yaml +data: + content: trigger + targetContent: target +``` \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/policy-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/policy-assert.yaml new file mode 100644 index 0000000000..36e4e29d43 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: update-targets +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/policy.yaml new file mode 100644 index 0000000000..faa83268c2 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/policy.yaml 
@@ -0,0 +1,36 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: update-targets +spec: + background: false + rules: + - name: update-targets + match: + any: + - resources: + kinds: + - ConfigMap + context: + - name: triggerContent + variable: + jmesPath: request.object.data.content + preconditions: + all: + - key: "{{ request.object.metadata.name }}" + operator: Equals + value: trigger + mutate: + targets: + - apiVersion: v1 + kind: ConfigMap + namespace: "{{ request.object.metadata.namespace }}" + name: target* + context: + - name: targetContent + variable: + jmesPath: target.data.content + patchStrategicMerge: + data: + content: "{{ triggerContent }}" + targetContent: "{{ targetContent }}" diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/resources-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/resources-assert.yaml new file mode 100644 index 0000000000..b41ee4b3e5 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/resources-assert.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: target +data: + content: trigger + targetContent: target diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/resources.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/resources.yaml new file mode 100644 index 0000000000..57164dc146 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/resources.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: target +data: + content: target diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/trigger.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/trigger.yaml new file mode 100644 index 0000000000..ec0e34dd5d --- /dev/null 
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-context/trigger.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: trigger +data: + content: trigger diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/01-resources.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/01-resources.yaml new file mode 100644 index 0000000000..6433c34d01 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/01-resources.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - apply: + file: resources.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/02-policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/02-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/02-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/03-trigger.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/03-trigger.yaml new file mode 100644 index 0000000000..4e0e87a77f --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/03-trigger.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: trigger +spec: + timeouts: {} + try: + - apply: + file: trigger.yaml 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/04-verify.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/04-verify.yaml new file mode 100644 index 0000000000..94ec6cfa09 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/04-verify.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: verify +spec: + timeouts: {} + try: + - assert: + file: resources-assert.yaml diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/README.md new file mode 100644 index 0000000000..2fce39203a --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/README.md @@ -0,0 +1,18 @@ +## Description + +This test creates three `ConfigMap`s: +- one without labels +- one with label `foo: bar` +- one with label `foo: not_bar` + +It then creates a `ClusterPolicy` with a mutate existing rule targeting the previously created `ConfigMap`s. + +The policy rule uses preconditions on the trigger resource to match only `ConfigMap`s with the `trigger` name. +The policy rule also uses preconditions on target resources to match only `ConfigMap`s with he label `foo: bar`. +The policy mutates target resources passing preconditions by copying the `data.content` from the trigger `ConfigMap` to the target `ConfigMap`. + +Finally, the test creates the trigger config map. + +## Expected Behavior + +Only the target config map with label `foo: bar` should have its content updated. \ No newline at end of file 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/policy-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/policy-assert.yaml new file mode 100644 index 0000000000..36e4e29d43 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: update-targets +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/policy.yaml new file mode 100644 index 0000000000..dcc3001107 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: update-targets +spec: + background: false + rules: + - name: update-targets + match: + any: + - resources: + kinds: + - ConfigMap + preconditions: + all: + - key: "{{ request.object.metadata.name }}" + operator: Equals + value: trigger + mutate: + targets: + - apiVersion: v1 + kind: ConfigMap + namespace: "{{ request.object.metadata.namespace }}" + preconditions: + all: + - key: "{{ target.metadata.labels.foo || '' }}" + operator: Equals + value: bar + patchStrategicMerge: + data: + content: "{{ request.object.data.content }}" diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/resources-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/resources-assert.yaml new file mode 100644 index 0000000000..fc1f80b1f6 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/resources-assert.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: target-1 +data: + content: trigger +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: target-2 +data: + content: abc +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: target-3 +data: + content: abc diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/resources.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/resources.yaml new file mode 100644 index 0000000000..cd00e45340 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/resources.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: target-1 + labels: + foo: bar +data: + content: abc +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: target-2 + labels: + foo: not_bar +data: + content: abc +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: target-3 +data: + content: abc diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/trigger.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/trigger.yaml new file mode 100644 index 0000000000..ec0e34dd5d --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/target-preconditions/trigger.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: trigger +data: + content: trigger diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/01-fail-no-permission.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/01-fail-no-permission.yaml new file mode 100644 index 0000000000..241f77887c --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/01-fail-no-permission.yaml 
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: fail-no-permission
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/README.md
new file mode 100644
index 0000000000..eded9c4daa
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that a mutate existing policy is denied when the target has the namespace defined as variable.
+
+## Expected Behavior
+
+The test fails if the policy creation is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7213
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/policy.yaml
new file mode 100644
index 0000000000..026ffffcae
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-namespace-variable/policy.yaml
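Review bot: The `check` on the apply step in `01-fail-no-permission.yaml` only asserts `(error != null): true`, so any failure to create the policy — a webhook that is not yet reachable, a CRD schema mismatch, a transient API error — satisfies the step and the test passes without proving the policy was rejected for the intended reason. Match on the rejection text instead, for example `(contains(error, '<substring of the expected admission error>')): true`, using whatever message Kyverno's policy validation returns for this case. The sibling `01-fail-no-permission.yaml`, `01-no-targets-fail.yaml` and `01-policy.yaml` steps in this diff use the same loose check and would benefit from the same tightening.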
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-namespace-variable
+spec:
+ mutateExistingOnPolicyUpdate: false
+ rules:
+ - name: apply-flag
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ policy.lan/flag: 'true'
+ mutate:
+ targets:
+ - kind: PersistentVolumeClaim
+ apiVersion: v1
+ namespace: "{{ request.object.metadata.name }}"
+ patchStrategicMerge:
+ metadata:
+ labels:
+ policy.lan/apply-flag: 'true'
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/01-fail-no-permission.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/01-fail-no-permission.yaml
new file mode 100644
index 0000000000..241f77887c
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/01-fail-no-permission.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: fail-no-permission
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/02-clusterrole.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/02-clusterrole.yaml
new file mode 100644
index 0000000000..b7cc486047
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/02-clusterrole.yaml
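Review bot: The README for this test says the policy is denied because `mutate.targets[].namespace` is a variable, but `target-preconditions/policy.yaml` and `mutate-existing-require-targets/policy-targets.yaml` in this same diff also use `{{ request.object.metadata.namespace }}` as the target namespace and are expected to be admitted. The distinguishing factor here is presumably the target kind `PersistentVolumeClaim`, for which the background controller has no permission, so the rejection likely comes from the auth check (which must run without a concrete namespace) rather than from the variable as such — if that is the case the README should say so, otherwise the test passes for a reason it does not document. A comment on the `namespace:` line such as `# variable namespace: the auth check runs cluster-wide, and the background controller has no PVC permissions` would make the intent explicit. This is inferred from the sibling fixtures; confirm against the validation code path.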
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:background-controller:temp
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - get
+ - list
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/03-pass.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/03-pass.yaml
new file mode 100644
index 0000000000..a6fe7e06e5
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/03-pass.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pass
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/README.md
new file mode 100644
index 0000000000..6132143dde
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that a mutate existing policy is denied when it does not have corresponding permissions to generate the downstream resource.
+
+## Expected Behavior
+
+The test fails if the policy creation is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6584
\ No newline at end of file
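Review bot: The temporary ClusterRole grants `apiGroups: ['*']` plus the verbs `create` and `delete` on serviceaccounts, which is broader than a mutate-existing policy needs: ServiceAccounts live in the core group, so `- ""` (as the `chip` ClusterRole later in this diff uses) is sufficient, and patching existing objects needs `get`, `list`, `update` and `patch` only. Unless Kyverno's auth check explicitly requires `create`/`delete` for mutate-existing targets, narrow the rule to `apiGroups: [""]` and drop those two verbs so the fixture documents the minimum privilege the feature actually requires. I could not find a step in this diff that deletes the role after `03-pass`; if none exists, the aggregated permission persists into every later test in the same cluster.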
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/policy-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/policy-assert.yaml
new file mode 100644
index 0000000000..c66662295b
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-mutate-existing-auth-check
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/policy.yaml
new file mode 100644
index 0000000000..bf728b0642
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/auth-check/cpol-standard-auth-check/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-mutate-existing-auth-check
+spec:
+ mutateExistingOnPolicyUpdate: true
+ background: false
+ rules:
+ - name: label-privileged-namespaces
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: ServiceAccount
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/01-no-targets-fail.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/01-no-targets-fail.yaml
new file mode 100644
index 0000000000..872433061c
--- /dev/null
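Review bot: The target `- apiVersion: v1` / `kind: ServiceAccount` in `policy.yaml` has neither `namespace` nor `name`, and with `mutateExistingOnPolicyUpdate: true` the policy labels every ServiceAccount in the cluster with `foo: bar` as soon as it is admitted in `03-pass` — including the ones in kube-system — and nothing visible in this diff reverts that. Since the test only needs to exercise the permission check, scope the target with a `namespace:` (and ideally a `name:`) so the side effect stays inside the test's own namespace. The rule name `label-privileged-namespaces` also no longer describes what the rule does (it labels ServiceAccounts); a name such as `label-serviceaccounts` avoids confusion when reading the policy status.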
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/01-no-targets-fail.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: no-targets-fail
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-no-targets.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/02-targets-pass.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/02-targets-pass.yaml
new file mode 100644
index 0000000000..e45756fcc7
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/02-targets-pass.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: targets-pass
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy-targets.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/README.md
new file mode 100644
index 0000000000..a24787a85d
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that a mutate existing policy has to have `mutate.targets` defined if `mutateExistingOnPolicyUpdate` is true.
+
+## Expected Behavior
+
+With `mutateExistingOnPolicyUpdate` set to true, the policy should be rejected if the `mutate.targets` is not defined, and allowed if `mutate.targets` is specified.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6593
\ No newline at end of file
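Review bot: `02-targets-pass.yaml` applies `policy-targets.yaml` with no follow-up assert, so the step passes as soon as the API server admits the object even if the policy never reaches the `Ready` condition (for instance because the background controller lacks permission on Secrets in the variable namespace the policy targets). Add an assert on the policy's `status.conditions` entry with `type: Ready` and `status: "True"`, as `03-pass.yaml` in the `cpol-standard-auth-check` test does, so that the "allowed" half of the README's expected behavior is actually verified. Without it the test cannot catch a regression where the policy is admitted but fails to reconcile.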
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/policy-no-targets.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/policy-no-targets.yaml
new file mode 100644
index 0000000000..e049ea43e3
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/policy-no-targets.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-existing-require-targets-policy-no-targets
+spec:
+ mutateExistingOnPolicyUpdate: true
+ rules:
+ - name: mutate-secret-on-configmap-create
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - dictionary-1
+ namespaces:
+ - staging
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/policy-targets.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/policy-targets.yaml
new file mode 100644
index 0000000000..4963f3b681
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/mutate-existing-require-targets/policy-targets.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-existing-require-targets-policy-targets
+spec:
+ mutateExistingOnPolicyUpdate: true
+ rules:
+ - name: mutate-secret-on-configmap-create
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - dictionary-1
+ namespaces:
+ - staging
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: secret-1
+ namespace: "{{ request.object.metadata.namespace }}"
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/01-policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/01-policy.yaml
new file mode 100644
index 0000000000..d718935bdf
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/01-policy.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-bad.yaml
+ - apply:
+ file: policy-good.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/README.md
new file mode 100644
index 0000000000..41cbef57c8
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures the variable `target` is allowed in a mutateExisting rule, except resource's spec definition under `mutate.targets`.
+
+## Expected Behavior
+
+The good policy should be allowed to create while the bad policy that contains `target.metadata.annotations.dns` cannot be created as it's invalid.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7379
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/policy-bad.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/policy-bad.yaml
new file mode 100644
index 0000000000..208c1b9f7f
--- /dev/null
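Review bot: The second `apply` of `policy-good.yaml` in `01-policy.yaml` has no assert, so the step only proves the good policy is admitted, not that it becomes `Ready`; add a `Ready`-condition assert as the other validation tests in this diff do. Both fixtures share `metadata.name: target-variable-validation-cpol`, which is fine in the expected flow but means that if the bad apply were ever admitted the good apply would silently become an update of the same object and the step would still report success — asserting on the rejection message rather than `(error != null)` would guard against that. The README's claim that the bad policy fails because it "contains `target.metadata.annotations.dns`" is also imprecise, since `policy-good.yaml` references `target.metadata.annotations.dns_suffix` in its patch as well; what is rejected is a `target` reference inside `mutate.targets[].namespace`.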
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/policy-bad.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: target-variable-validation-cpol
+spec:
+ mutateExistingOnPolicyUpdate: true
+ schemaValidation: false
+ background: true
+ rules:
+ - name: target-variable-validation-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: ConfigMap
+ name: server-external
+ namespace: "{{target.metadata.annotations.dns}}"
+ - apiVersion: v1
+ kind: ConfigMap
+ name: server-internal
+ namespace: external-dns
+ patchesJson6902: |-
+ - op: replace
+ path: "/spec/endpoints/1/targets/0"
+ value: "{{ request.object.data.prefix6 }}{{ target.metadata.annotations.dns_suffix }}"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/policy-good.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/policy-good.yaml
new file mode 100644
index 0000000000..4e18e9e385
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/validation/target-variable-validation/policy-good.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: target-variable-validation-cpol
+spec:
+ mutateExistingOnPolicyUpdate: true
+ schemaValidation: false
+ background: true
+ rules:
+ - name: target-variable-validation-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: ConfigMap
+ name: server-external
+ # namespace: "{{target.metadata.annotations.dns}}"
+ namespace: external-dns
+ - apiVersion: v1
+ kind: ConfigMap
+ name: server-internal
+ namespace: external-dns
+ patchesJson6902: |-
+ - op: replace
+ path: "/spec/endpoints/1/targets/0"
+ value: "{{ request.object.data.prefix6 }}{{ target.metadata.annotations.dns_suffix }}"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/01-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/01-assert.yaml
new file mode 100644
index 0000000000..48e2262e17
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: advertise-resource
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/01-manifests.yaml
new file mode 100644
index 0000000000..6863da19eb
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/01-manifests.yaml
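Review bot: The commented-out `# namespace: "{{target.metadata.annotations.dns}}"` line in `policy-good.yaml` is dead text left in a fixture; either remove it or turn it into a comment that explains the contrast, e.g. `# a target.* reference is not allowed here (see policy-bad.yaml); only request.* may be used under mutate.targets`. Note also that the `patchesJson6902` path `/spec/endpoints/1/targets/0` does not exist on a ConfigMap, so this "good" policy can be admitted but can never apply successfully to its targets; that is fine for an admission-only validation test, but a comment such as `# validation fixture only: the patch path is not expected to apply` would stop someone from reusing it as a working example. The same applies to `policy-bad.yaml`, which is otherwise identical apart from the `namespace` line.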
@@ -0,0 +1,21 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: advertise-resource
+spec:
+ admission: true
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Node/status
+ mutate:
+ patchesJson6902: |-
+ - op: add
+ path: "/status/capacity/example.com~1dongle"
+ value: "4"
+ name: advertise-resource
+ validationFailureAction: Audit
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/02-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/02-assert.yaml
new file mode 100644
index 0000000000..9a493ab1c9
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/02-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Node
+metadata:
+ name: kind-control-plane
+status:
+ capacity:
+ example.com/dongle: "4"
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/02-script.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/02-script.yaml
new file mode 100644
index 0000000000..ffe9f29e82
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/02-script.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: script
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: ./modify-resource-filters.sh removeNode
+ - script:
+ content: ./send-request-to-status-subresource.sh
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/99-cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/99-cleanup.yaml
new file mode 100644
index 0000000000..9e13f66684
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/99-cleanup.yaml
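Review bot: `02-assert.yaml` hardcodes the node name `kind-control-plane`, and both shell scripts in this test PATCH that same name, so the test only works on a single-node kind cluster created with the default name. If that is an accepted constraint, the README should state it; otherwise resolve the name at runtime in the scripts (e.g. `node=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')`) and bind it for the assert. In `01-manifests.yaml` the `validationFailureAction: Audit` field has no effect on a mutate rule and can be dropped to keep the fixture minimal.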
@@ -0,0 +1,22 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - delete
+ - cpol
+ - advertise-resource
+ - --force
+ - --wait=true
+ - --ignore-not-found=true
+ entrypoint: kubectl
+ - script:
+ content: ./modify-resource-filters.sh addNode
+ - script:
+ content: ./clear-modified-node-status.sh
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/README.md
new file mode 100644
index 0000000000..0e463b339a
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/README.md
@@ -0,0 +1,22 @@
+## Description
+
+This test validates that an incoming request to `Node/status` is mutated by the mutation policy matching
+on `Node/status`.
+
+## Expected Behavior
+
+The request is mutated.
+
+## Steps
+
+### Test Steps
+
+1. Create a `ClusterPolicy` that matches on `Node/status` and mutates the request.
+2. Modify kyverno `resourceFilters` to allow mutating requests for `Node` resource.
+3. Send a update request to `Node/status`.
+4. Mutate the incoming request (done by kyverno).
+5. Verify that the request is mutated.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/2843
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/clear-modified-node-status.sh b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/clear-modified-node-status.sh
new file mode 100755
index 0000000000..818caada82
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/clear-modified-node-status.sh
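Review bot: The restore of the `Node` entries in `resourceFilters` and the node-status clean-up live in a separate `99-cleanup` step, so if step 02 fails (the proxy never comes up, or the PATCH is rejected) the remaining steps are skipped and the kyverno ConfigMap is left with Node filtering disabled for every test that runs afterwards in the same cluster. Moving `./modify-resource-filters.sh addNode` and `./clear-modified-node-status.sh` into a `finally:` block of the step that performs the modification would make the restore unconditional, if the chainsaw version in use supports it; otherwise the README should warn that a failed run needs manual cleanup of the `kyverno` ConfigMap. Either way a comment on this step such as `# must run even when 02-script fails: it re-enables the Node resource filter` would document the dependency.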
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -eu
+
+kubectl proxy &
+proxy_pid=$!
+echo $proxy_pid
+
+function cleanup {
+ echo "killing kubectl proxy" >&2
+ kill $proxy_pid
+}
+
+attempt_counter=0
+max_attempts=5
+
+until curl --output /dev/null -fsSL http://localhost:8001/; do
+ if [ ${attempt_counter} -eq ${max_attempts} ]; then
+ echo "Max attempts reached"
+ exit 1
+ fi
+
+ attempt_counter=$((attempt_counter + 1))
+ sleep 5
+done
+
+curl --header "Content-Type: application/json-patch+json" \
+ --request PATCH \
+ --output /dev/null \
+ --data '[{"op": "remove", "path": "/status/capacity/example.com~1dongle"}]' \
+ http://localhost:8001/api/v1/nodes/kind-control-plane/status
+
+kubectl annotate node kind-control-plane policies.kyverno.io/last-applied-patches-
+trap cleanup EXIT
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/modify-resource-filters.sh b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/modify-resource-filters.sh
new file mode 100755
index 0000000000..9594d5a6d2
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/modify-resource-filters.sh
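Review bot: `trap cleanup EXIT` is registered on the very last line of `clear-modified-node-status.sh`, after every `exit 1` and after any command that `set -eu` can abort on, so a failure before that point leaves the background `kubectl proxy` listening on port 8001 — and the next script's proxy will then fail to bind. Register the trap right after the function is defined, i.e. put `trap cleanup EXIT` immediately below the closing `}` of `cleanup`. The PATCH `curl` is also missing `--fail`, so an HTTP 4xx/5xx from the API server exits 0 and `set -e` never notices; add `-fsS` to that call as the readiness probe already does. If the kubectl in CI is recent enough, `kubectl patch node kind-control-plane --subresource=status --type=json -p='[...]'` would do the same without exposing an unauthenticated admin endpoint on localhost for the duration of the test.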
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -eu
+
+if [ $# -ne 1 ]; then
+ echo "Usage: $0 [addNode|removeNode]"
+ exit 1
+fi
+
+if [ "$1" = "removeNode" ]; then
+ resource_filters=$(kubectl get ConfigMap kyverno -n kyverno -o json | jq .data.resourceFilters)
+ resource_filters="${resource_filters//\[Node,\*,\*\]/}"
+ resource_filters="${resource_filters//\[Node\/\*,\*,\*\]/}"
+
+ kubectl patch ConfigMap kyverno -n kyverno --type='json' -p="[{\"op\": \"replace\", \"path\": \"/data/resourceFilters\", \"value\":""$resource_filters""}]"
+fi
+
+if [ "$1" = "addNode" ]; then
+ resource_filters=$(kubectl get ConfigMap kyverno -n kyverno -o json | jq .data.resourceFilters)
+ resource_filters="${resource_filters%?}"
+
+ resource_filters="${resource_filters}""[Node,*,*][Node/*,*,*]\""
+ kubectl patch ConfigMap kyverno -n kyverno --type='json' -p="[{\"op\": \"replace\", \"path\": \"/data/resourceFilters\", \"value\":""$resource_filters""}]"
+fi
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/send-request-to-status-subresource.sh b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/send-request-to-status-subresource.sh
new file mode 100755
index 0000000000..c2d69327cf
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/mutate-node-status/send-request-to-status-subresource.sh
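Review bot: The `addNode` branch appends `[Node,*,*][Node/*,*,*]` unconditionally, so running it twice (for example a manual cleanup after a partially failed run) leaves duplicate entries in `resourceFilters`, whereas `removeNode` is idempotent. Guard the append with a presence check such as `if [[ "$resource_filters" == *"[Node,*,*]"* ]]; then exit 0; fi` before the string surgery. The `""$resource_filters""` in both `-p=` arguments is a no-op concatenation of empty strings and reads more clearly as `$resource_filters`, and `${resource_filters%?}` assumes `jq` returned a quoted JSON string — if the key were missing it would return `null` and the script would write a corrupt value, so a `[ "$resource_filters" != null ]` check would turn that into an explicit failure.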
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -eu
+
+kubectl proxy &
+proxy_pid=$!
+echo $proxy_pid
+
+function cleanup {
+ echo "killing kubectl proxy" >&2
+ kill $proxy_pid
+}
+
+attempt_counter=0
+max_attempts=5
+
+until curl --output /dev/null -fsSL http://localhost:8001/; do
+ if [ ${attempt_counter} -eq ${max_attempts} ];then
+ echo "Max attempts reached"
+ exit 1
+ fi
+
+ attempt_counter=$((attempt_counter+1))
+ sleep 5
+done
+
+if curl --header "Content-Type: application/json-patch+json" \
+ --request PATCH \
+ --output /dev/null \
+ --data '[{"op": "add", "path": "/status/capacity/example.com~1dongle", "value": "1"}]' \
+ http://localhost:8001/api/v1/nodes/kind-control-plane/status; then
+ echo "Successfully sent request to status subresource."
+ trap cleanup EXIT
+ exit 0
+else
+ echo "Failed to send request to status subresource."
+ trap cleanup EXIT
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/01-manifests.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/01-manifests.yaml
new file mode 100644
index 0000000000..db1e70c8b3
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/01-manifests.yaml
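Review bot: The `if curl ...; then` test cannot detect a rejected request, because `curl` exits 0 on an HTTP 403/422 unless `--fail` is given, so a PATCH the API server refuses still prints "Successfully sent request" — `02-assert.yaml` would fail afterwards, but with a misleading script log. Add `-fsS` to that `curl`. As in the sibling script, `trap cleanup EXIT` is only set inside the final `if`/`else`, so an `exit 1` from the readiness loop leaks the proxy; register the trap right after `cleanup` is defined and drop the two duplicated `trap` lines. A short comment on the PATCH would also help a reader, e.g. `# send "1"; the advertise-resource policy must rewrite it to "4", which 02-assert.yaml checks`.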
@@ -0,0 +1,89 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: qa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: chip
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: chip-qa-rolebinding
+ namespace: qa
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: chip
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: chip
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: chip-special-role
+ namespace: qa
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - create
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: chip-qa-specialrb
+ namespace: qa
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: chip-special-role
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: chip
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: record-creation-details
+spec:
+ background: false
+ rules:
+ - name: add-userinfo
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ preconditions:
+ any:
+ - key: "{{request.operation || 'BACKGROUND'}}"
+ operator: Equals
+ value: CREATE
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ kyverno.io/created-by: "{{ request.userInfo | to_string(@) }}"
+ kyverno.io/roles: "{{ request.roles | sort(@) | to_string(@) }}"
+ kyverno.io/clusterroles: "{{ request.clusterRoles | sort(@) | to_string(@) }}"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/02-script.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/02-script.yaml
new file mode 100644
index 0000000000..ba017d587f
--- /dev/null
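Review bot: The `record-creation-details` policy matches every ConfigMap in the cluster (there is no `namespaces` entry under `match.any[].resources`), so for the duration of the test any ConfigMap created by system controllers or by concurrently running tests also receives the `kyverno.io/created-by`, `kyverno.io/roles` and `kyverno.io/clusterroles` annotations. Restrict the match to the test namespace by adding `namespaces: [qa]` next to `kinds:`, which is all that `04-assert.yaml` needs. The RBAC fixtures here correctly use `apiGroups: [""]` for core resources; the `kyverno:background-controller:temp` role earlier in this diff uses `'*'` and would be better aligned with this.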
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/02-script.yaml @@ -0,0 +1,55 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script +spec: + timeouts: {} + try: + - script: + content: | + #!/bin/bash + set -eu + + export USERNAME=chip + export NAMESPACE=qa + export CA=ca.crt + #### + #### Get CA certificate from kubeconfig assuming it's the first in the list. + kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ca.crt + #### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. + CLUSTER_SERVER=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}') + #### Set CLUSTER from kubeconfig assuming it's the first in the list. + CLUSTER=$(kubectl config view --raw -o jsonpath='{.clusters[0].name}') + #### Generate private key + openssl genrsa -out $USERNAME.key 2048 + #### Create CSR + openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=mygroup/CN=$USERNAME" + #### Send CSR to kube-apiserver for approval + cat < $USERNAME.crt + #### + #### Create the credential object and output the new kubeconfig file + kubectl --kubeconfig=$USERNAME-kubeconfig config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs + #### Set the cluster info + kubectl --kubeconfig=$USERNAME-kubeconfig config set-cluster $CLUSTER --server=$CLUSTER_SERVER --certificate-authority=$CA --embed-certs + #### Set the context + kubectl --kubeconfig=$USERNAME-kubeconfig config set-context $USERNAME-$NAMESPACE-$CLUSTER --user=$USERNAME --cluster=$CLUSTER --namespace=$NAMESPACE + #### Use the context + kubectl --kubeconfig=$USERNAME-kubeconfig config use-context $USERNAME-$NAMESPACE-$CLUSTER + ### Clean up the approved CSR + kubectl delete certificatesigningrequest chip 
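Review bot: The inline script in `02-script.yaml` selects the cluster with `.clusters[0]` three times "assuming it's the first in the list", which breaks on any kubeconfig that holds more than one cluster; adding `--minify` to those `kubectl config view --raw` calls restricts the output to the current context so that `.clusters[0]` is the right cluster. The private key `chip.key`, the signed `chip.crt` and the `chip-kubeconfig` that embeds both are written into the test directory and nothing in this diff removes them after the run, so a live client credential is left on disk unless cleanup deletes them. The inline `set -eu` also differs from the `set -euo pipefail` in the standalone `script.sh` copy of the same script, which suggests the two have already drifted. The CSR submission and approval lines between `openssl req` and the `.crt` write are not fully visible here, so this note does not cover them.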
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/03-create-as-chip.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/03-create-as-chip.yaml
new file mode 100644
index 0000000000..ee6cdf0305
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/03-create-as-chip.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-as-chip
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - -n
+ - qa
+ - create
+ - cm
+ - foo
+ - --from-literal=foo=bar
+ - --kubeconfig
+ - chip-kubeconfig
+ entrypoint: kubectl
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/04-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/04-assert.yaml
new file mode 100644
index 0000000000..180e861149
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/04-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ annotations:
+ kyverno.io/clusterroles: '["chip","system:basic-user","system:discovery","system:public-info-viewer"]'
+ kyverno.io/created-by: '{"groups":["mygroup","system:authenticated"],"username":"chip"}'
+ kyverno.io/roles: '["qa:chip-special-role"]'
+ name: foo
+ namespace: qa
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/99-cleanup.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/99-cleanup.yaml
new file mode 100644
index 0000000000..2eccd177b1
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/99-cleanup.yaml
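Review bot: `04-assert.yaml` pins the full `kyverno.io/clusterroles` list including `system:basic-user`, `system:discovery` and `system:public-info-viewer`, which come from the cluster's default bindings for `system:authenticated` rather than from anything this test creates — a distribution or Kubernetes version that changes those bindings breaks the assert even though the behavior under test (surfacing the `chip` role and the user's groups) still works. Consider asserting only the parts the test owns (`kyverno.io/roles`, the `chip` entry and `kyverno.io/created-by`), for example with a JMESPath `contains(...)` check on the annotation value, or document in the README that the expected list assumes stock kind defaults. `03-create-as-chip.yaml` relies on `chip-kubeconfig` being a relative path in the step's working directory, which matches where `02-script.yaml` writes it, so that part is consistent.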
@@ -0,0 +1,18 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - delete
+ - -f
+ - 01-manifests.yaml
+ - --force
+ - --wait=true
+ - --ignore-not-found=true
+ entrypoint: kubectl
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/README.md
new file mode 100644
index 0000000000..c14baaac90
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This test verifies that Kyverno is able to pick up and write the `request.userInfo` information from the AdmissionReview payload correctly, as well as the pre-defined vars `request.roles` and `request.clusterRoles` by creating and then performing an action as a new user in the system. The expectation is the custom group and username are both being reflected correctly in a mutation. Similar tests exist for validation flows.
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/script.sh b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/script.sh
new file mode 100644
index 0000000000..b3c5709f93
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/userInfo-roles-clusterRoles/script.sh
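Review bot: The cleanup step deletes the objects from `01-manifests.yaml` but leaves behind the files that `02-script.yaml` generates in the test directory — `ca.crt`, `chip.key`, `chip.csr`, `chip.crt` and `chip-kubeconfig` — so a working client certificate and its private key remain on disk after the run and can end up committed by accident. Add a script entry such as `rm -f ca.crt chip.key chip.csr chip.crt chip-kubeconfig` to this step (the CSR object itself is already deleted by the provisioning script). Deleting the `qa` namespace also removes the `foo` ConfigMap created in `03-create-as-chip.yaml`, so no separate delete is needed for it.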
@@ -0,0 +1,44 @@ +#!/bin/bash +set -euo pipefail + +export USERNAME=chip +export NAMESPACE=qa +export CA=ca.crt +#### +#### Get CA certificate from kubeconfig assuming it's the first in the list. +kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ca.crt +#### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. +CLUSTER_SERVER=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}') +#### Set CLUSTER from kubeconfig assuming it's the first in the list. +CLUSTER=$(kubectl config view --raw -o jsonpath='{.clusters[0].name}') +#### Generate private key +openssl genrsa -out $USERNAME.key 2048 +#### Create CSR +openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=mygroup/CN=$USERNAME" +#### Send CSR to kube-apiserver for approval +cat < $USERNAME.crt +#### +#### Create the credential object and output the new kubeconfig file +kubectl --kubeconfig=$USERNAME-kubeconfig config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs +#### Set the cluster info +kubectl --kubeconfig=$USERNAME-kubeconfig config set-cluster $CLUSTER --server=$CLUSTER_SERVER --certificate-authority=$CA --embed-certs +#### Set the context +kubectl --kubeconfig=$USERNAME-kubeconfig config set-context $USERNAME-$NAMESPACE-$CLUSTER --user=$USERNAME --cluster=$CLUSTER --namespace=$NAMESPACE +#### Use the context +kubectl --kubeconfig=$USERNAME-kubeconfig config use-context $USERNAME-$NAMESPACE-$CLUSTER +### Clean up the approved CSR +kubectl delete certificatesigningrequest chip \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/01-manifests.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/01-manifests.yaml new file mode 100644 index 0000000000..bd785469fb --- /dev/null 
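Review bot: The last line, `kubectl delete certificatesigningrequest chip`, hardcodes the username that every other command takes from `$USERNAME`; it should read `kubectl delete certificatesigningrequest "$USERNAME"`. The private key written by `openssl genrsa -out $USERNAME.key 2048` and the kubeconfig that `--embed-certs` copies it into are created under the caller's default umask, so adding `umask 077` directly after `set -euo pipefail` keeps both files owner-readable only. The `$USERNAME` expansions are unquoted throughout, which is harmless for the fixed value `chip` but worth quoting if the variable is ever made configurable. The CSR submission between the "Send CSR to kube-apiserver for approval" comment and `$USERNAME.crt` appears truncated in this rendering of the diff (`cat < $USERNAME.crt`), so the CSR object and its approval step could not be reviewed here.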
+++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/01-manifests.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: foreach-patchstrategicmerge-context-ns +--- +apiVersion: v1 +data: + image: nginx +kind: ConfigMap +metadata: + name: foreach-patchstrategicmerge-context-configmap + namespace: foreach-patchstrategicmerge-context-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/02-assert.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/02-assert.yaml new file mode 100644 index 0000000000..f8af584a54 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/02-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: foreach-patchstrategicmerge-context-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/02-policy.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/02-policy.yaml new file mode 100644 index 0000000000..03561f6dcd --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/02-policy.yaml 
@@ -0,0 +1,36 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: foreach-patchstrategicmerge-context-policy +spec: + admission: true + background: false + rules: + - match: + any: + - resources: + kinds: + - Pod + mutate: + foreach: + - context: + - configMap: + name: foreach-patchstrategicmerge-context-configmap + namespace: foreach-patchstrategicmerge-context-ns + name: dictionary + list: request.object.spec.containers + patchStrategicMerge: + spec: + containers: + - image: '{{ dictionary.data.image }}' + name: '{{ element.name }}' + name: resolve-image-containers + preconditions: + all: + - key: '{{request.operation}}' + operator: AllIn + value: + - CREATE + - UPDATE + validationFailureAction: Audit diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/03-assert.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/03-assert.yaml new file mode 100644 index 0000000000..78031686e9 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/03-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: foreach-patchstrategicmerge-context-pod + namespace: foreach-patchstrategicmerge-context-ns +spec: + containers: + - image: nginx + name: foreach-patchstrategicmerge-context-container \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/03-pod.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/03-pod.yaml new file mode 100644 index 0000000000..e53c9606f1 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/03-pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: foreach-patchstrategicmerge-context-pod + namespace: foreach-patchstrategicmerge-context-ns +spec: + containers: + - image: busybox + name: foreach-patchstrategicmerge-context-container \ No newline at end of file 
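Review bot: The `match` block selects every Pod in the cluster, so while `foreach-patchstrategicmerge-context-policy` exists it rewrites the image of any Pod created or updated anywhere, not just the one in 03-pod.yaml; adding `namespaces:` / `- foreach-patchstrategicmerge-context-ns` under `resources:` scopes the mutation to the namespace that 01-manifests.yaml creates. The other e2e policies in this diff (replace-docker-hub, mutate-policy, add-safe-to-evict, set-image-pull-secret, mutate-ingress-host) match by kind alone in the same way; that is presumably tolerable if the suite runs these tests serially, but it makes each of them sensitive to whatever else is being created at the same time. `validationFailureAction: Audit` applies to validate rules only and can be dropped from a policy whose single rule is a mutate.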
diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/README.md b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/README.md new file mode 100644 index 0000000000..baab403c4c --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that context look up works for mutate foreach. + +## Expected Behavior + +The pod image should be mutated to `nginx`. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/01-policy.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/02-resource.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/02-resource.yaml new file mode 100644 index 0000000000..b0ba0d3b42 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: resource.yaml + - assert: + file: resource-mutated.yaml 
diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/README.md b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/README.md new file mode 100644 index 0000000000..92b1a44e9d --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/README.md @@ -0,0 +1,11 @@ +## Description + +This is a migrated test from e2e. It tests that preconditions inside a foreach loop are substituted properly. Preconditions, in this case, use predefined variables from image registries and so this is a secondary aspect to the test. + +## Expected Behavior + +The containers with images from `docker.io` should be mutated so the value of the `image` field with respect to the registry is replaced with `my-private-registry`. Therefore, the input image `nginx:1.14.2` (which implicitly is equal to `docker.io/nginx:1.14.2`) is mutated so the output is `my-private-registry/nginx:1.14.2`. If this occurs, the test passes. If this is not done, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy-ready.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy-ready.yaml new file mode 100644 index 0000000000..ad1a1e1f5a --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: replace-docker-hub +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy.yaml new file mode 100644 index 0000000000..caca23b03f --- /dev/null 
+++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/policy.yaml @@ -0,0 +1,32 @@ +apiVersion : kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: replace-docker-hub +spec: + rules: + - name: replace-docker-hub + match: + any: + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{request.operation}}" + operator: AnyIn + value: + - CREATE + - UPDATE + mutate: + foreach: + - list: "request.object.spec.containers" + preconditions: + all: + - key: '{{images.containers."{{element.name}}".registry}}' + operator: Equals + value: 'docker.io' + patchStrategicMerge: + spec: + containers: + - name: "{{ element.name }}" + image: 'my-private-registry/{{images.containers."{{element.name}}".path}}:{{images.containers."{{element.name}}".tag}}' diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource-mutated.yaml new file mode 100644 index 0000000000..7697fb359c --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource-mutated.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + namespace: default +spec: + containers: + - name: nginx + image: my-private-registry/nginx:1.14.2 diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource.yaml new file mode 100644 index 0000000000..72ec5a2292 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-preconditions/resource.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + namespace: default +spec: + containers: + - name: nginx + image: nginx:1.14.2 
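Review bot: `apiVersion : kyverno.io/v1` on the first line has a space before the colon; YAML accepts it (the trailing space is not part of the key) but it differs from every other manifest in the diff and trips yamllint's `colons` rule, so it should read `apiVersion: kyverno.io/v1`. The two `preconditions` blocks do different jobs with different operators (`AnyIn` on the operation at rule level, `Equals` on the registry inside the foreach), and a short comment on each saying that the outer one gates CREATE/UPDATE while the inner one filters each container by registry would spare a reader working that out from the JMESPath. The nested `'{{images.containers."{{element.name}}".registry}}'` expressions are single-quoted, which is the right choice given the embedded double quotes.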
diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/01-manifests.yaml b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/01-manifests.yaml new file mode 100644 index 0000000000..09c668d032 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/01-manifests.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: manifests +spec: + timeouts: {} + try: + - apply: + file: manifests.yaml + - assert: + file: policy-one-ready.yaml diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/02-resource-one.yaml b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/02-resource-one.yaml new file mode 100644 index 0000000000..dd06be5ccf --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/02-resource-one.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource-one +spec: + timeouts: {} + try: + - apply: + file: resource.yaml + - assert: + file: resource-mutated.yaml diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/03-policy-two.yaml b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/03-policy-two.yaml new file mode 100644 index 0000000000..dd4f8b3ba2 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/03-policy-two.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-policy +spec: + rules: + - name: gen-role + match: + any: + - resources: + kinds: + - ConfigMap + context: + - name: labelValue + apiCall: + urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}/configmaps" + jmesPath: "items[?metadata.name == 'source'].metadata.labels.\"kyverno.key/copy-me\" | [0]" + mutate: + patchStrategicMerge: + metadata: + labels: + +(kyverno.key/copy-me): "{{ labelValue }}" 
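Review bot: This policy reuses `metadata.name: mutate-policy`, the name of the ClusterPolicy created from manifests.yaml in step 01, so applying it in step 03 presumably updates that policy in place rather than adding a second one. That looks intentional, since the two variants differ only in whether the JMESPath filter lives in the context `jmesPath` or in the mutate expression, but nothing in the file says so. A leading comment along the lines of `# Replaces mutate-policy from manifests.yaml: same mutation, with the filter moved from the patch expression into the context jmesPath` would make the sequencing explicit.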
diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/04-resource-two.yaml b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/04-resource-two.yaml new file mode 100644 index 0000000000..fdf311fd00 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/04-resource-two.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource-two +spec: + timeouts: {} + try: + - apply: + file: resource-two.yaml + - assert: + file: resource-two-mutated.yaml diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/README.md b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/README.md new file mode 100644 index 0000000000..3b283f1498 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/README.md @@ -0,0 +1,11 @@ +## Description + +This is test migrated from e2e which roughly tests that mutations are successful when the value of key being mutated contains both a context variable as well as a context variable plus additional JMESPath filtering in that variable reference. The test migrated here to kuttl represents a condensed version of the original test to eliminate minor redundancy. + +## Expected Behavior + +The mutated ConfigMap should have a label written to it `kyverno.key/copy-me: sample-value`. If this is so, the test passes. If it is not, the test fails. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/manifests.yaml b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/manifests.yaml new file mode 100644 index 0000000000..bd043f2628 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/manifests.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: mutate-jmespath +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-policy +spec: + rules: + - name: gen-role + match: + any: + - resources: + kinds: + - ConfigMap + context: + - name: labelValue + apiCall: + urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}/configmaps" + jmesPath: "items[*]" + mutate: + patchStrategicMerge: + metadata: + labels: + +(kyverno.key/copy-me): "{{ labelValue[?metadata.name == 'source'].metadata.labels.\"kyverno.key/copy-me\" | [0] }}" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: source + namespace: mutate-jmespath + labels: + kyverno.key/copy-me: sample-value +data: + data.yaml: | + some: data diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/policy-one-ready.yaml b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/policy-one-ready.yaml new file mode 100644 index 0000000000..d2e0f36f4a --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/policy-one-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource-mutated.yaml new file mode 100644 index 0000000000..cdf67411a2 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource-mutated.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + kyverno.key/copy-from: source + kyverno.key/copy-me: sample-value + name: target + namespace: mutate-jmespath \ No newline at end of file 
diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource-two-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource-two-mutated.yaml new file mode 100644 index 0000000000..ef40ed5963 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource-two-mutated.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + kyverno.key/copy-from: source + kyverno.key/copy-me: sample-value + name: targettwo + namespace: mutate-jmespath \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource-two.yaml b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource-two.yaml new file mode 100644 index 0000000000..61ff26c769 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource-two.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: targettwo + namespace: mutate-jmespath + labels: + kyverno.key/copy-from: source +data: + data.yaml: | + some: data \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource.yaml b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource.yaml new file mode 100644 index 0000000000..a8c927cd19 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/jmespath-logic/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: target + namespace: mutate-jmespath + labels: + kyverno.key/copy-from: source +data: + data.yaml: | + some: data \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/01-policy.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/01-policy.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/02-resource.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/02-resource.yaml new file mode 100644 index 0000000000..e734589f8b --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: resource01.yaml + - assert: + file: resource01-mutated.yaml diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/03-resource.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/03-resource.yaml new file mode 100644 index 0000000000..a7e1222e95 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/03-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: resource02.yaml + - assert: + file: resource02-mutated.yaml diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/README.md b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/README.md new file mode 100644 index 0000000000..50d4c96551 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/README.md 
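Review bot: 02-resource.yaml and 03-resource.yaml both declare `metadata.name: resource`, so any step-level output that reports by name presumably cannot tell the emptyDir case from the hostPath case when one of them fails. Naming them after the fixture they drive, e.g. `name: resource-emptydir` and `name: resource-hostpath`, costs nothing and matches the `resource-one`/`resource-two` convention used in the jmespath-logic directory of this same diff.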
@@ -0,0 +1,11 @@ +## Description + +This is a migration from e2e. It tests for a combination of the global anchor plus the add-if-not-present anchor in a patchStrategicMerge mutate policy with two rules. + +## Expected Behavior + +Two tests are conducted. In the first, if a Pod contains an emptyDir volume, it should have an annotation added. In the second, the Pod has a hostPath volume and should also receive an annotation. If either one of these Pods does not have the annotation `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"` added the test fails. If this annotation is present, the test passes. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy-ready.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy-ready.yaml new file mode 100644 index 0000000000..480c95f0fc --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-safe-to-evict +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy.yaml new file mode 100644 index 0000000000..60d386f37f --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/policy.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-safe-to-evict +spec: + rules: + - name: annotate-empty-dir + match: + any: + - resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + metadata: + annotations: + +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true" + spec: + volumes: + - <(emptyDir): {} + - name: annotate-host-path + match: + any: + - resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + metadata: + annotations: + +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true" + spec: + volumes: + - hostPath: + <(path): "*" diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01-mutated.yaml new file mode 100644 index 0000000000..1842dbd53b --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01-mutated.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-emptydir + namespace: default + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01.yaml new file mode 100644 index 0000000000..f671a4f6fe --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource01.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-emptydir + namespace: default + labels: + foo: bar +spec: + containers: + - image: nginx + name: nginx + volumeMounts: + - mountPath: /cache + name: cache-volume + volumes: + - name: cache-volume + emptyDir: {} 
diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02-mutated.yaml new file mode 100644 index 0000000000..150f37b8a0 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02-mutated.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-hostpath + namespace: default + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02.yaml new file mode 100644 index 0000000000..5904977c0a --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global-addifnotpresent/resource02.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-hostpath + namespace: default + labels: + foo: bar +spec: + containers: + - image: nginx + name: nginx + volumeMounts: + - mountPath: /usr/share/nginx/html + name: test-volume + volumes: + - hostPath: + path: /var/local/aaa + type: DirectoryOrCreate + name: test-volume diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/01-policy.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml 
diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/02-resource.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/02-resource.yaml new file mode 100644 index 0000000000..b0ba0d3b42 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: resource.yaml + - assert: + file: resource-mutated.yaml diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/README.md b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/README.md new file mode 100644 index 0000000000..81c61e210f --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/README.md @@ -0,0 +1,11 @@ +## Description + +This is a migrated test from e2e. It checks that the global anchor works in tandem with a patchStrategicMerge policy. + +## Expected Behavior + +If a container image is prefaced with `registry.corp.com` then it should be mutated to add an imagePullSecret named `regcred`. If this is done, the test passes. If this is not, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/policy-ready.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/policy-ready.yaml new file mode 100644 index 0000000000..ec9f47c302 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: set-image-pull-secret +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file 
diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/policy.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/policy.yaml new file mode 100644 index 0000000000..607c07663d --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/policy.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: set-image-pull-secret +spec: + background: false + rules: + - name: set-image-pull-secret + match: + any: + - resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + spec: + containers: + - <(image): "registry.corp.com/*" + imagePullSecrets: + - name: regcred diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/resource-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/resource-mutated.yaml new file mode 100644 index 0000000000..1e01dfebfc --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/resource-mutated.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + namespace: default +spec: + containers: + - name: nginx + image: registry.corp.com/nginx:1.14.2 + imagePullSecrets: + - name: regcred diff --git a/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/resource.yaml b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/resource.yaml new file mode 100644 index 0000000000..0789f6bbec --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchStrategicMerge-global/resource.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx + namespace: default +spec: + containers: + - name: nginx + image: registry.corp.com/nginx:1.14.2 diff --git a/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/01-policy.yaml b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null 
+++ b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/02-resource.yaml b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/02-resource.yaml new file mode 100644 index 0000000000..b0ba0d3b42 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: resource.yaml + - assert: + file: resource-mutated.yaml diff --git a/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/README.md b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/README.md new file mode 100644 index 0000000000..7a9661ab95 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/README.md @@ -0,0 +1,11 @@ +## Description + +This is a migrated test from e2e. It checks that a simple JSON patch `replace` operation works with a variable from AdmissionReview as a component of the `value` field. + +## Expected Behavior + +An Ingress's first rule should have the value of the `host` field appended to it `mycompany.com`. If this value has been replaced properly, the test passes. If not, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/policy-ready.yaml b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/policy-ready.yaml new file mode 100644 index 0000000000..ba7571c941 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/policy-ready.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-ingress-host +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/policy.yaml b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/policy.yaml new file mode 100644 index 0000000000..4fdd62c4ec --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/policy.yaml @@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-ingress-host +spec: + rules: + - name: mutate-rules-host + match: + any: + - resources: + kinds: + - Ingress + mutate: + patchesJson6902: |- + - op: replace + path: /spec/rules/0/host + value: "{{request.object.spec.rules[0].host}}.mycompany.com" diff --git a/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/resource-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/resource-mutated.yaml new file mode 100644 index 0000000000..c8a4d0103f --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/resource-mutated.yaml @@ -0,0 +1,22 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: kuard-v1 + namespace: default + labels: + app: kuard +spec: + rules: + - host: kuard.mycompany.com + http: + paths: + - backend: + service: + name: kuard + port: + number: 8080 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - kuard \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/resource.yaml b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/resource.yaml new file mode 100644 index 0000000000..03f8c9c517 --- /dev/null +++ b/test/conformance/chainsaw/mutate/e2e/patchesJson6902-replace/resource.yaml 
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: kuard-v1
+ namespace: default
+ labels:
+ app: kuard
+spec:
+ rules:
+ - host: kuard
+ http:
+ paths:
+ - backend:
+ service:
+ name: kuard
+ port:
+ number: 8080
+ path: /
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - kuard
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/01-policy.yaml b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/02-resource.yaml b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/02-resource.yaml
new file mode 100644
index 0000000000..b0ba0d3b42
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-mutated.yaml
diff --git a/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/README.md b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/README.md
new file mode 100644
index 0000000000..6e808bfeb4
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a migrated test from e2e. It checks that simple JSON patches function properly when mutating array slices.
+
+## Expected Behavior
+
+If the Pod has a second environment variable added with the name `K8S_IMAGE` with value equal to `busybox:1.11` then the test succeeds. If it does not, the test fails. Note that there is an initContainer present which based upon the policy definition should NOT be mutated.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/policy-ready.yaml b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/policy-ready.yaml
new file mode 100644
index 0000000000..da767ab21e
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-image-as-env-var
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/policy.yaml b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/policy.yaml
new file mode 100644
index 0000000000..f6d309f4d4
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/policy.yaml
@@ -0,0 +1,77 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-image-as-env-var
+ # env array needs to exist (least one env var is present)
+spec:
+ background: false
+ schemaValidation: false
+ rules:
+ # One Pod
+ - name: pod-containers-1-inject-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.object.spec.containers[] | length(@)}}"
+ operator: GreaterThanOrEquals
+ value: 1
+ mutate:
+ patchesJson6902: |-
+ - op: add
+ path: "/spec/containers/0/env/-"
+ value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[0].image}}"}
+ # Two or more Pods
+ - name: pod-containers-2-inject-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{request.object.spec.containers[] | length(@)}}"
+ operator: GreaterThanOrEquals
+ value: 2
+ mutate:
+ patchesJson6902: |-
+ - op: add
+ path: "/spec/containers/1/env/-"
+ value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[1].image}}"}
+ # Deployment with one Pod
+ - name: deploy-containers-1-inject-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ preconditions:
+ all:
+ - key: "{{request.object.spec.template.spec.containers[] | length(@)}}"
+ operator: GreaterThanOrEquals
+ value: 1
+ mutate:
+ patchesJson6902: |-
+ - op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value: {"name":"K8S_IMAGE","value":"{{request.object.spec.template.spec.containers[0].image}}"}
+ # Deployment with two or more Pods
+ - name: deploy-containers-2-inject-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ preconditions:
+ all:
+ - key: "{{request.object.spec.template.spec.containers[] | length(@)}}"
+ operator: GreaterThanOrEquals
+ value: 2
+ mutate:
+ patchesJson6902: |-
+ - op: add
+ path: "/spec/template/spec/containers/1/env/-"
+ value: {"name":"K8S_IMAGE","value":"{{request.object.spec.template.spec.containers[1].image}}"}
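Review bot: The comment `# env array needs to exist (least one env var is present)` in policy.yaml sits under `metadata:` and reads as a fragment, and the four rule comments say "Pod(s)" where the preconditions actually count containers (`containers[] | length(@)`), so they describe the wrong thing. Suggest moving the first comment above `rules:` as `# JSON patch 'add' to /env/- cannot create the env array, so each targeted container must already carry at least one env var` and rewording the rule comments to `# Pod with one or more containers`, `# Pod with two or more containers`, `# Deployment with one or more containers`, `# Deployment with two or more containers`. `schemaValidation: false` is also set with no why-comment; a short note on what it is needed for here would keep it from being copied into policies that do not need it.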
diff --git a/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/resource-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/resource-mutated.yaml
new file mode 100644
index 0000000000..8d1da7023a
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/resource-mutated.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo-patchesjson6902-simple
+ namespace: default
+spec:
+ containers:
+ - command:
+ - sleep infinity
+ env:
+ - name: FOO
+ value: bar
+ - name: K8S_IMAGE
+ value: busybox:1.11
+ image: busybox:1.11
+ name: busybox
+ securityContext:
+ capabilities:
+ drop:
+ - SETUID
+ initContainers:
+ - command:
+ - sleep infinity
+ image: nginx:1.14
+ name: nginx
+ securityContext:
+ capabilities:
+ drop:
+ - SETUID
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/resource.yaml b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/resource.yaml
new file mode 100644
index 0000000000..ee48c171c3
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/patchesjson6902-simple/resource.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo-patchesjson6902-simple
+ namespace: default
+spec:
+ containers:
+ - command:
+ - sleep infinity
+ env:
+ - name: FOO
+ value: bar
+ image: busybox:1.11
+ name: busybox
+ securityContext:
+ capabilities:
+ drop:
+ - SETUID
+ initContainers:
+ - command:
+ - sleep infinity
+ image: nginx:1.14
+ name: nginx
+ securityContext:
+ capabilities:
+ drop:
+ - SETUID
diff --git a/test/conformance/chainsaw/mutate/e2e/simple-conditional/01-policy.yaml b/test/conformance/chainsaw/mutate/e2e/simple-conditional/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/simple-conditional/01-policy.yaml
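Review bot: In resource.yaml (and its mirror resource-mutated.yaml in the hunk above) the container `command` is the single list item `- sleep infinity`, which the kubelet passes as one argv[0], i.e. it tries to exec a binary literally named `sleep infinity`; the busybox and nginx containers therefore never start. The test still passes because the assert only inspects the spec, but the Pod sits in a crash loop for the run and the fixture does not do what it appears to say. `command: ["sleep", "infinity"]`, the shape already used by the variables-in-keys fixtures further down, gives the intended behaviour in both files.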
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/mutate/e2e/simple-conditional/02-resource.yaml b/test/conformance/chainsaw/mutate/e2e/simple-conditional/02-resource.yaml
new file mode 100644
index 0000000000..5f38c6cd40
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/simple-conditional/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod1.yaml
+ - assert:
+ file: pod1-mutated.yaml
diff --git a/test/conformance/chainsaw/mutate/e2e/simple-conditional/03-resource.yaml b/test/conformance/chainsaw/mutate/e2e/simple-conditional/03-resource.yaml
new file mode 100644
index 0000000000..bdb3e2e61c
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/simple-conditional/03-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod2.yaml
+ - assert:
+ file: pod2-mutated.yaml
diff --git a/test/conformance/chainsaw/mutate/e2e/simple-conditional/README.md b/test/conformance/chainsaw/mutate/e2e/simple-conditional/README.md
new file mode 100644
index 0000000000..5c749646c6
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/simple-conditional/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a test migrated from e2e. It tests that simple conditional anchors (multiple) are working properly using a patchStrategicMerge mutation rule.
+
+## Expected Behavior
+
+For a Pod with only `containers[]`, the `securityContext.runAsNonRoot=true` should be written to each container as well as to the `spec`. For a Pod with an added `initContainers[]` entry, the same should occur for the initContainer as well. If both of these happen as expected, the test passes. If any one does not, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod1-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod1-mutated.yaml
new file mode 100644
index 0000000000..7b2de278a9
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod1-mutated.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: foo
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - image: abc:1.28
+ name: busybox
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod1.yaml b/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod1.yaml
new file mode 100644
index 0000000000..82f0232bde
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod1.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+ labels:
+ app: foo
+spec:
+ containers:
+ - image: abc:1.28
+ name: busybox
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod2-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod2-mutated.yaml
new file mode 100644
index 0000000000..607856472c
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod2-mutated.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: foo
+ name: footwo
+ namespace: default
+spec:
+ containers:
+ - image: abc:1.28
+ name: busybox
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: bcd:1.29
+ name: nginx
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod2.yaml b/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod2.yaml
new file mode 100644
index 0000000000..8146aa3a55
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/simple-conditional/pod2.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: footwo
+ namespace: default
+ labels:
+ app: foo
+spec:
+ containers:
+ - image: abc:1.28
+ name: busybox
+ initContainers:
+ - image: bcd:1.29
+ name: nginx
diff --git a/test/conformance/chainsaw/mutate/e2e/simple-conditional/policy-ready.yaml b/test/conformance/chainsaw/mutate/e2e/simple-conditional/policy-ready.yaml
new file mode 100644
index 0000000000..11667b7057
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/simple-conditional/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: set-runasnonroot-true
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/e2e/simple-conditional/policy.yaml b/test/conformance/chainsaw/mutate/e2e/simple-conditional/policy.yaml
new file mode 100644
index 0000000000..22d270f868
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/simple-conditional/policy.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: set-runasnonroot-true
+spec:
+ rules:
+ - name: set-runasnonroot-true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ patchStrategicMerge:
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - (name): "*"
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - (name): "*"
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/conformance/chainsaw/mutate/e2e/variables-in-keys/01-policy.yaml b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/mutate/e2e/variables-in-keys/02-resource.yaml b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/02-resource.yaml
new file mode 100644
index 0000000000..b0ba0d3b42
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-mutated.yaml
diff --git a/test/conformance/chainsaw/mutate/e2e/variables-in-keys/README.md b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/README.md
new file mode 100644
index 0000000000..36a5800b81
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/README.md
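Review bot: policy.yaml in this hunk writes `runAsNonRoot: true` at the pod level and onto every container and initContainer matched by `(name): "*"`, yet pod1.yaml and pod2.yaml only cover Pods that declare no securityContext at all. The case an operator relying on this policy actually cares about — a container that explicitly sets `runAsNonRoot: false` — is not exercised; strategic merge would presumably overwrite that scalar to `true`, and a third step with such a pod plus its `*-mutated.yaml` would pin that either way. If the conditional anchor is instead meant to leave containers that already declare a value alone, that is worth a comment directly above `(name): "*"`, because nothing in the policy or README says which of the two behaviours is intended.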
@@ -0,0 +1,11 @@
+## Description
+
+This is a migrated test from e2e. It tests that variable substitution is occurring properly in the key of a patchStrategicMerge rule.
+
+## Expected Behavior
+
+The annotation `fluentbit.io/exclude-busybox: "true"` is expected to be written to the Deployment. If it is, the test passes. If it is not, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/e2e/variables-in-keys/policy-ready.yaml b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/policy-ready.yaml
new file mode 100644
index 0000000000..5395eb4672
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: structured-logs-sidecar
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/e2e/variables-in-keys/policy.yaml b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/policy.yaml
new file mode 100644
index 0000000000..0d3831f1b6
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: structured-logs-sidecar
+spec:
+ background: false
+ rules:
+ - name: add-annotations
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ annotations:
+ structured-logs: "true"
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ "fluentbit.io/exclude-{{request.object.spec.template.spec.containers[0].name}}": "true"
diff --git a/test/conformance/chainsaw/mutate/e2e/variables-in-keys/resource-mutated.yaml b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/resource-mutated.yaml
new file mode 100644
index 0000000000..6ed59b88bf
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/resource-mutated.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: busybox
+ namespace: default
+ annotations:
+ structured-logs: "true"
+ fluentbit.io/exclude-busybox: "true"
+ labels:
+ color: red
+ animal: bear
+ food: pizza
+ car: jeep
+ env: qa
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.28
+ name: busybox
+ command: ["sleep", "9999"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 10Mi
+ limits:
+ cpu: 100m
+ memory: 10Mi
+ - image: busybox:1.28
+ name: busybox1
+ command: ["sleep", "9999"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 10Mi
+ limits:
+ cpu: 100m
+ memory: 20Mi
diff --git a/test/conformance/chainsaw/mutate/e2e/variables-in-keys/resource.yaml b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/resource.yaml
new file mode 100644
index 0000000000..268acc4e43
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/e2e/variables-in-keys/resource.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: busybox
+ namespace: default
+ annotations:
+ structured-logs: "true"
+ labels:
+ color: red
+ animal: bear
+ food: pizza
+ car: jeep
+ env: qa
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - image: busybox:1.28
+ name: busybox
+ command: ["sleep", "9999"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 10Mi
+ limits:
+ cpu: 100m
+ memory: 10Mi
+ - image: busybox:1.28
+ name: busybox1
+ command: ["sleep", "9999"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 10Mi
+ limits:
+ cpu: 100m
+ memory: 20Mi
diff --git a/test/conformance/chainsaw/mutate/existing/preconditions/01-resources.yaml b/test/conformance/chainsaw/mutate/existing/preconditions/01-resources.yaml
new file mode 100644
index 0000000000..6433c34d01
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/existing/preconditions/01-resources.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resources.yaml
diff --git a/test/conformance/chainsaw/mutate/existing/preconditions/02-policy.yaml b/test/conformance/chainsaw/mutate/existing/preconditions/02-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/existing/preconditions/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/mutate/existing/preconditions/03-resources-assert.yaml b/test/conformance/chainsaw/mutate/existing/preconditions/03-resources-assert.yaml
new file mode 100644
index 0000000000..0ec5d70967
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/existing/preconditions/03-resources-assert.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources-assert
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: resources-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/existing/preconditions/04-resources-error.yaml b/test/conformance/chainsaw/mutate/existing/preconditions/04-resources-error.yaml
new file mode 100644
index 0000000000..298816e382
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/existing/preconditions/04-resources-error.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources-error
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: resources-error.yaml
diff --git a/test/conformance/chainsaw/mutate/existing/preconditions/README.md b/test/conformance/chainsaw/mutate/existing/preconditions/README.md
new file mode 100644
index 0000000000..b0f59939a0
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/existing/preconditions/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test creates pods and a policy to add a label to existing pods with per target preconditions based on the target annotations.
+
+## Expected Behavior
+
+Only the pod with `policy.lan/value: foo` annotation has the label `policy-applied: 'true'` added.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7174
diff --git a/test/conformance/chainsaw/mutate/existing/preconditions/policy-ready.yaml b/test/conformance/chainsaw/mutate/existing/preconditions/policy-ready.yaml
new file mode 100644
index 0000000000..73a5d1395d
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/existing/preconditions/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/existing/preconditions/policy.yaml b/test/conformance/chainsaw/mutate/existing/preconditions/policy.yaml
new file mode 100644
index 0000000000..4f07e67d48
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/existing/preconditions/policy.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test
+spec:
+ mutateExistingOnPolicyUpdate: true
+ rules:
+ - name: test
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - default
+ mutate:
+ targets:
+ - kind: Pod
+ apiVersion: '*'
+ name: '*'
+ namespace: "{{ request.object.metadata.name }}"
+ preconditions:
+ all:
+ - key: "{{ target.metadata.annotations.\"policy.lan/value\" }}"
+ operator: Equals
+ value: foo
+ patchStrategicMerge:
+ metadata:
+ labels:
+ policy-applied: 'true'
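Review bot: policy.yaml creates a cluster-scoped `ClusterPolicy` named `test` with a rule also named `test`; combined with the match on the shared `default` Namespace and the `namespace: "{{ request.object.metadata.name }}"` target, the policy labels pods in `default` cluster-wide, so if chainsaw runs conformance tests concurrently against one cluster, a generic name like this can collide with, or be confused with, another test's policy and show up as flakiness rather than a clean failure. A name tied to the directory, e.g. `name: mutate-existing-preconditions` (mirrored in policy-ready.yaml above), removes that ambiguity. The precondition on `target.metadata.annotations."policy.lan/value"` is the right per-target guard and, together with `resources-error.yaml` in the next hunk asserting that the unannotated and mismatched pods stay unlabelled, the negative case is well pinned; a comment above `preconditions:` saying `# evaluated per target: an absent annotation resolves to null and does not Equal foo` would make that behaviour explicit for readers.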
diff --git a/test/conformance/chainsaw/mutate/existing/preconditions/resources-assert.yaml b/test/conformance/chainsaw/mutate/existing/preconditions/resources-assert.yaml
new file mode 100644
index 0000000000..c08bf67aa6
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/existing/preconditions/resources-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-a
+ namespace: default
+ labels:
+ policy-applied: 'true'
+ annotations:
+ policy.lan/value: foo
diff --git a/test/conformance/chainsaw/mutate/existing/preconditions/resources-error.yaml b/test/conformance/chainsaw/mutate/existing/preconditions/resources-error.yaml
new file mode 100644
index 0000000000..bbec93684c
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/existing/preconditions/resources-error.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-b
+ namespace: default
+ labels:
+ policy-applied: 'true'
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-c
+ namespace: default
+ labels:
+ policy-applied: 'true'
diff --git a/test/conformance/chainsaw/mutate/existing/preconditions/resources.yaml b/test/conformance/chainsaw/mutate/existing/preconditions/resources.yaml
new file mode 100644
index 0000000000..069c62bb65
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/existing/preconditions/resources.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-a
+ namespace: default
+ annotations:
+ policy.lan/value: foo
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-b
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-c
+ namespace: default
+ annotations:
+ policy.lan/value: bar
+spec:
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/01-policy.yaml b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/02-pod.yaml b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/02-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/02-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/README.md b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/README.md
new file mode 100644
index 0000000000..7d651ae9fa
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test checks if multiple elements are successfully removed while using foreach.
+
+## Expected Behavior
+
+The two `hostPath` volumes should be removed from the `busybox` pod and only the `emptyDir` volume and service account volume should remain.
+
+
+## Reference Issue(s)
+
+5661
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/pod-assert.yaml b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/pod-assert.yaml
new file mode 100644
index 0000000000..980b3e1d39
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/pod-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ volumes:
+ - name: vault-secret
+ emptyDir:
+ medium: Memory
+ - projected: {}
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/pod.yaml b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/pod.yaml
new file mode 100644
index 0000000000..97a5758606
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/pod.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ volumes:
+ - name: socket
+ hostPath:
+ path: "/var/run/foo"
+ - name: vault-secret
+ emptyDir:
+ medium: Memory
+ - name: bar
+ hostPath:
+ path: "/var/run/bar"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/policy-assert.yaml b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/policy-assert.yaml
new file mode 100644
index 0000000000..368e9a1688
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/policy.yaml b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/policy.yaml
new file mode 100644
index 0000000000..a2d91a776c
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/cornercases/foreach-remove-elements/policy.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+spec:
+ background: false
+ schemaValidation: false
+ rules:
+ - name: remove-elements
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: request.object.spec.volumes[]
+ order: Descending
+ preconditions:
+ all:
+ - key: hostPath
+ operator: AnyIn
+ value: "{{ element.keys(@) }}"
+ patchesJson6902: |-
+ - path: /spec/volumes/{{elementIndex}}
+ op: remove
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/01-ns.yaml b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/01-ns.yaml
new file mode 100644
index 0000000000..40e75cbb78
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/01-ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pol-mutate-existing-auth-check-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/02-fail-no-permission.yaml b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/02-fail-no-permission.yaml
new file mode 100644
index 0000000000..241f77887c
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/02-fail-no-permission.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: fail-no-permission
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy.yaml
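Review bot: policy.yaml strips every `hostPath` volume by index but never touches `containers[].volumeMounts`, and pod.yaml's container declares no mounts, so the realistic case for a hostPath-removing policy — a container that mounts `socket` or `bar` — is not exercised; there the API server would presumably reject the mutated Pod for a mount naming a missing volume, meaning the policy acts as a deny rather than a clean strip. A comment above `foreach:` such as `# removes the volume entry only; a container that mounts it will fail apiserver validation` would record that limit, and a second pod fixture with a volumeMount would pin the behaviour either way. `order: Descending` with `/spec/volumes/{{elementIndex}}` is the correct pairing, since removing in ascending order shifts the indices of the elements still to be visited; a one-line why-comment on `order:` would keep it from being "simplified" later. `pod-assert.yaml` in the previous hunk also matches the service-account volume as `- projected: {}`, which only exists when token automount is on for the pod's ServiceAccount; worth stating that assumption in the README or the assert file.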
diff --git a/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/03-clusterrole.yaml b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/03-clusterrole.yaml
new file mode 100644
index 0000000000..b7cc486047
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/03-clusterrole.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:background-controller:temp
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - get
+ - list
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/04-pass.yaml b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/04-pass.yaml
new file mode 100644
index 0000000000..a6fe7e06e5
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/04-pass.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pass
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/README.md b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/README.md
new file mode 100644
index 0000000000..6132143dde
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/README.md
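Review bot: 03-clusterrole.yaml grants `apiGroups: ['*']` for `serviceaccounts`, but ServiceAccount exists only in the core group, so `- ''` is the precise grant and `'*'` is wider than the check needs; `delete` is likewise not something a `patchStrategicMerge` target update performs, so unless Kyverno's mutate-existing auth check explicitly demands it, dropping it keeps the temporary role to the verbs the test actually demonstrates (`get`, `list`, `update`, `patch`). The `app.kubernetes.io/component: background-controller` labels presumably make this role aggregate into the background controller's permissions for as long as it exists, so it is worth confirming chainsaw removes it at the end of the test and that no later test in the same cluster depends on it being absent. A comment at the top of the file, `# temporary, test-only grant: gives the background controller just enough RBAC for the mutate-existing auth check to pass`, would make the intent obvious to whoever next tightens Kyverno's RBAC.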
@@ -0,0 +1,12 @@
+## Description
+
+This test ensures that a mutate existing policy is denied when it does not have corresponding permissions to generate the downstream resource.
+
+## Expected Behavior
+
+The test fails if the policy creation is allowed, otherwise passes.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6584
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/policy-assert.yaml b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/policy-assert.yaml
new file mode 100644
index 0000000000..01c703dd57
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-mutate-existing-auth-check
+ namespace: pol-mutate-existing-auth-check-ns
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/policy.yaml b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/policy.yaml
new file mode 100644
index 0000000000..8152bf85b9
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/policy/standard/existing/validation/auth-check/policy.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: pol-mutate-existing-auth-check
+ namespace: pol-mutate-existing-auth-check-ns
+spec:
+ mutateExistingOnPolicyUpdate: true
+ background: false
+ rules:
+ - name: label-privileged-namespaces
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: ServiceAccount
+ namespace: pol-mutate-existing-auth-check-ns
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
\ No newline at end of file
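Review bot: The rule in `policy.yaml` is named `label-privileged-namespaces`, but it matches ConfigMaps and patches ServiceAccounts with `foo: bar`, so the name describes neither the trigger nor the target; `name: label-serviceaccounts` (or similar) would make admission events and the policy report readable. The `targets` entry has no `name`, so with `mutateExistingOnPolicyUpdate: true` every ServiceAccount in `pol-mutate-existing-auth-check-ns`, including the namespace's `default` one, is patched as soon as the policy is admitted; if the test only needs the admission-time auth check, a comment saying the unnamed target is intentional, or a `name:` that narrows it to one fixture, would stop this being copied as a pattern.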
diff --git a/test/conformance/chainsaw/mutate/refactor/NOTE.md b/test/conformance/chainsaw/mutate/refactor/NOTE.md
new file mode 100644
index 0000000000..ba7006d553
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/NOTE.md
@@ -0,0 +1,14 @@
+All of the following tests in this directory have been copied (for now) to kyverno/policies where they rightfully belong.
+Once we are executing tests from that repo in this one, we can remove all the cases.
+
+- add-emptydirsizelimit
+- add-external-secret-prefix
+- add-image-as-env-var
+- add-node-affinity
+- add-pod-priorityclassname
+- add-tolerations
+- add-volume-deployment
+- annotate-base-images
+- inject-env-var-from-image-label
+- k10-minimum-retention
+- replace-ingress-hosts
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/01-policy.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/02-pod.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/02-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/02-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/README.md b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/README.md
new file mode 100644
index 0000000000..d4ce0de70e
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test adds an element to an array and removes it.
+
+## Expected Behavior
+
+After mutation, the array is expected to be the same as the original array.
+
+## Reference Issue(s)
+
+5661
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/pod-assert.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/pod-assert.yaml
new file mode 100644
index 0000000000..13e4c5e395
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/pod-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ env:
+ - name: ENV_ONE
+ value: "one"
+ - name: ENV_TWO
+ value: "two"
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/pod.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/pod.yaml
new file mode 100644
index 0000000000..13e4c5e395
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ env:
+ - name: ENV_ONE
+ value: "one"
+ - name: ENV_TWO
+ value: "two"
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/policy-assert.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/policy-assert.yaml
new file mode 100644
index 0000000000..368e9a1688
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/policy.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/policy.yaml
new file mode 100644
index 0000000000..b19e5cbe41
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/add-and-remove/policy.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+spec:
+ background: false
+ schemaValidation: false
+ rules:
+ - name: dummy-1
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: request.object.spec.containers[0].env
+ order: Ascending
+ patchesJson6902: |-
+ - path: /spec/containers/0/env/{{elementIndex}}
+ op: add
+ value:
+ name: DUMMY
+ value: "dummy"
+ - path: /spec/containers/0/env/{{elementIndex}}
+ op: remove
+ - name: dummy-2
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: request.object.spec.containers[0].env
+ order: Descending
+ patchesJson6902: |-
+ - path: /spec/containers/0/env/{{elementIndex}}
+ op: add
+ value:
+ name: DUMMY
+ value: "dummy"
+ - path: /spec/containers/0/env/{{elementIndex}}
+ op: remove
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/01-policy.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
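Review bot: The policy in `add-and-remove/policy.yaml` is named `foreach-remove-elements` with rules `dummy-1` / `dummy-2`, yet this test adds an element and then removes it, and the identical policy name is reused by the `remove-and-add/policy.yaml` hunk and by the ascending/descending tests later in the diff. The policy and rule names are what appear in admission events and in `policy-assert.yaml`, so a name matching the directory, e.g. `name: foreach-add-and-remove`, with rule names such as `add-then-remove-ascending` / `add-then-remove-descending`, would make a failing run attributable at a glance. Presumably chainsaw places each test's namespaced `Policy` in its own generated namespace so the shared name does not collide; if these tests can also run against a fixed namespace, the reuse would need to be fixed as well.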
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/02-pod.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/02-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/02-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/README.md b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/README.md
new file mode 100644
index 0000000000..660299b665
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test removes an element from an array and adds one, effectively replacing it.
+
+## Expected Behavior
+
+After mutation, the array is expected to contained only replaced elements.
+
+## Reference Issue(s)
+
+5661
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/pod-assert.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/pod-assert.yaml
new file mode 100644
index 0000000000..e512796fdd
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/pod-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ env:
+ - name: DUMMY_2
+ value: "dummy-2"
+ - name: DUMMY_2
+ value: "dummy-2"
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/pod.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/pod.yaml
new file mode 100644
index 0000000000..13e4c5e395
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ env:
+ - name: ENV_ONE
+ value: "one"
+ - name: ENV_TWO
+ value: "two"
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/policy-assert.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/policy-assert.yaml
new file mode 100644
index 0000000000..368e9a1688
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/policy.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/policy.yaml
new file mode 100644
index 0000000000..04fe979c0d
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-and-add/policy.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+spec:
+ background: false
+ schemaValidation: false
+ rules:
+ - name: dummy-1
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: request.object.spec.containers[0].env
+ order: Ascending
+ patchesJson6902: |-
+ - path: /spec/containers/0/env/{{elementIndex}}
+ op: remove
+ - path: /spec/containers/0/env/{{elementIndex}}
+ op: add
+ value:
+ name: DUMMY
+ value: "dummy"
+ - name: dummy-2
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: request.object.spec.containers[0].env
+ order: Descending
+ patchesJson6902: |-
+ - path: /spec/containers/0/env/{{elementIndex}}
+ op: remove
+ - path: /spec/containers/0/env/{{elementIndex}}
+ op: add
+ value:
+ name: DUMMY_2
+ value: "dummy-2"
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/01-policy.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/02-pod.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/02-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/02-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/README.md b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/README.md
new file mode 100644
index 0000000000..cf047935e8
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test removes multiple elements from an array iterating in ascending order.
+
+## Expected Behavior
+
+Element at index 0 is removed but element at index 1 is not (because when we removed element at index 0, the element at index 1 moved to index 0 and there's nothing to remove at index 1 anymore).
+
+## Reference Issue(s)
+
+5661
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/pod-assert.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/pod-assert.yaml
new file mode 100644
index 0000000000..fe00900f58
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/pod-assert.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ env:
+ # first element was removed, second env var became index 0
+ # next patch is supposed to remove element at index 1 but it doesn't exist anymore
+ - name: ENV_TWO
+ value: "two"
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/pod.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/pod.yaml
new file mode 100644
index 0000000000..13e4c5e395
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ env:
+ - name: ENV_ONE
+ value: "one"
+ - name: ENV_TWO
+ value: "two"
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/policy-assert.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/policy-assert.yaml
new file mode 100644
index 0000000000..368e9a1688
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/policy.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/policy.yaml
new file mode 100644
index 0000000000..022c29828c
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-ascending-order/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+spec:
+ background: false
+ schemaValidation: false
+ rules:
+ - name: remove-elements
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: request.object.spec.containers[0].env
+ patchesJson6902: |-
+ - path: /spec/containers/0/env/{{elementIndex}}
+ op: remove
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/01-policy.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/01-policy.yaml
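Review bot: The `foreach` entry in `remove-multiple-elements-in-ascending-order/policy.yaml` omits `order`, so this test pins whatever the default iteration order is rather than the ascending behaviour its directory name and README describe; the descending variant, `remove-multiple-elements-in-descending-order/policy.yaml`, spells out `order: Descending`. Adding `order: Ascending` directly under `- list: request.object.spec.containers[0].env` makes the test independent of the default and self-documenting. A one-line comment above `patchesJson6902`, such as `# removing index 0 shifts ENV_TWO to index 0, so the second remove finds nothing`, would also save readers a trip to the README to understand why only one element disappears.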
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/02-pod.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/02-pod.yaml
new file mode 100644
index 0000000000..4664caece5
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/02-pod.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
+ - error:
+ file: pod-error.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/README.md b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/README.md
new file mode 100644
index 0000000000..197be5bbd8
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test removes multiple elements from an array iterating in descending order.
+
+## Expected Behavior
+
+Element at index 1 is removed then element at index 0 is removed, the array becomes empty.
+
+## Reference Issue(s)
+
+5661
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/pod-assert.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/pod-assert.yaml
new file mode 100644
index 0000000000..655c6a39d8
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/pod-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/pod-error.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/pod-error.yaml
new file mode 100644
index 0000000000..07c7eaf5cc
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/pod-error.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ env: null
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/pod.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/pod.yaml
new file mode 100644
index 0000000000..13e4c5e395
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ env:
+ - name: ENV_ONE
+ value: "one"
+ - name: ENV_TWO
+ value: "two"
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/policy-assert.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/policy-assert.yaml
new file mode 100644
index 0000000000..368e9a1688
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/policy.yaml b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/policy.yaml
new file mode 100644
index 0000000000..0f926b313c
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/foreach/remove-multiple-elements-in-descending-order/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+spec:
+ background: false
+ schemaValidation: false
+ rules:
+ - name: remove-elements
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: request.object.spec.containers[0].env
+ order: Descending
+ patchesJson6902: |-
+ - path: /spec/containers/0/env/{{elementIndex}}
+ op: remove
diff --git a/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/01-crd.yaml b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/01-crd.yaml
new file mode 100644
index 0000000000..36684ade76
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/01-crd.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: crd
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: crd.yaml
+ - assert:
+ file: crd-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/02-policy.yaml b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/02-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/03-resource.yaml b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/03-resource.yaml
new file mode 100644
index 0000000000..b0ba0d3b42
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/03-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-mutated.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/README.md b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/README.md
new file mode 100644
index 0000000000..1e9be3bf91
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a test of the policy in this folder.
+
+## Expected Behavior
+
+The resource is expected to be mutated so it resembles the specified asserted resource. If it does, the test passes. If it does not, it fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/crd-assert.yaml b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/crd-assert.yaml
new file mode 100644
index 0000000000..7c5977cd96
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/crd-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: policies.config.kio.kasten.io
+status:
+ acceptedNames:
+ kind: Policy
+ listKind: PolicyList
+ plural: policies
+ singular: policy
+ storedVersions:
+ - v1alpha1
diff --git a/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/crd.yaml b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/crd.yaml
new file mode 100644
index 0000000000..8d66ccb902
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/crd.yaml
@@ -0,0 +1,70 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.8.0
+ generation: 1
+ name: policies.config.kio.kasten.io
+spec:
+ conversion:
+ strategy: None
+ group: config.kio.kasten.io
+ names:
+ kind: Policy
+ listKind: PolicyList
+ plural: policies
+ singular: policy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.validation
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: Policy is the Schema for the policies API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ description: PolicyStatus defines the observed state of Policy
+ properties:
+ error:
+ description: List of errors with the policy (for example, due to validation
+ failures)
+ items:
+ type: string
+ type: array
+ hash:
+ description: Hash of Spec
+ format: int32
+ type: integer
+ specModifiedTime:
+ description: Timestamp when spec last changed
+ format: date-time
+ type: string
+ validation:
+ description: Validation status
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/policy-ready.yaml b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/policy-ready.yaml
new file mode 100644
index 0000000000..99fd5a77ed
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-minimum-retention
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/policy.yaml b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/policy.yaml
new file mode 100644
index 0000000000..296f683049
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/policy.yaml
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: k10-minimum-retention
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: k10-minimum-retention
+ annotations:
+ policies.kyverno.io/title: Minimum Backup Retention
+ policies.kyverno.io/category: Kasten K10 by Veeam
+ kyverno.io/kyverno-version: 1.6.2
+ policies.kyverno.io/minversion: 1.6.2
+ kyverno.io/kubernetes-version: "1.21-1.22"
+ policies.kyverno.io/subject: Policy
+ policies.kyverno.io/description: >-
+ K10 Policy resources can be validated to adhere to common compliance retention standards.
+ Uncomment the regulation/compliance standards you want to enforce for according to GFS retention.
+ This policy deletes the retention value in the backup operation and replaces it with the specified retention.
+ Note: K10 Policy uses the GFS retention scheme and export operations default to use the retention of the backup operation.
+ To use different
+ This policy can also be used go reduce retentions lengths to enforce cost optimization.
+spec:
+ schemaValidation: false
+ rules:
+ - name: k10-minimum-retention
+ match:
+ any:
+ - resources:
+ kinds:
+ - config.kio.kasten.io/v1alpha1/Policy
+ mutate:
+ # Federal Information Security Management Act (FISMA): 3 Years
+ #patchesJson6902: |-
+ # - path: "/spec/retention"
+ # op: replace
+ # value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":3}
+
+ # Health Insurance Portability and Accountability Act (HIPAA): 6 Years
+ #patchesJson6902: |-
+ # - path: "/spec/retention"
+ # op: replace
+ # value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":6}
+
+ # National Energy Commission (NERC): 3 to 6 Years
+ #patchesJson6902: |-
+ # - path: "/spec/retention"
+ # op: replace
+ # value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":3}
+
+ # Basel II Capital Accord: 3 to 7 Years
+ #patchesJson6902: |-
+ # - path: "/spec/retention"
+ # op: replace
+ # value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":3}
+
+ # Sarbanes-Oxley Act of 2002 (SOX): 7 Years
+ #patchesJson6902: |-
+ # - path: "/spec/retention"
+ # op: replace
+ # value: {"hourly":24,"daily":30,"weekly":4,"monthly":12,"yearly":7}
+
+ # National Industrial Security Program Operating Manual (NISPOM): 6 to 12 Months
+ #patchesJson6902: |-
+ # - path: "/spec/retention"
+ # op: replace
+ # value: {"hourly":24,"daily":30,"weekly":4,"monthly":6}
+
+ # Cost Optimization (Maximum Retention: 3 Months)
+ patchesJson6902: |-
+ - path: "/spec/retention"
+ op: replace
+ value:
+ hourly: 24
+ daily: 30
+ weekly: 4
+ monthly: 3
diff --git a/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/resource-mutated.yaml b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/resource-mutated.yaml
new file mode 100644
index 0000000000..1717549537
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/resource-mutated.yaml
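Review bot: The `policies.kyverno.io/description` annotation in `k10-minimum-retention/policy.yaml` contains an unfinished sentence, `To use different`, and the typo `used go reduce retentions lengths`; since this annotation is what catalog tooling displays for the policy, it should read as complete prose — drop the dangling line, change the last sentence to `This policy can also be used to reduce retention lengths to enforce cost optimization.`, and `enforce for according to GFS retention` to `enforce according to GFS retention`. The same file also ships a `Namespace` document ahead of the ClusterPolicy; a comment above the first `apiVersion: v1` such as `# test fixture: namespace used by resource.yaml` would stop it being mistaken for part of the policy. The six commented-out `patchesJson6902` alternatives are fine as documentation, but a comment at the top of `mutate:` stating that exactly one `patchesJson6902` block must be uncommented at a time would make the intent of the block explicit.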
@@ -0,0 +1,42 @@
+apiVersion: config.kio.kasten.io/v1alpha1
+kind: Policy
+metadata:
+ generation: 1
+ labels:
+ appPriority: Mission-Critical
+ name: hourly-policy
+ namespace: k10-minimum-retention
+spec:
+ actions:
+ - action: backup
+ - action: export
+ exportParameters:
+ exportData:
+ enabled: true
+ frequency: '@monthly'
+ profile:
+ name: my-profile
+ namespace: kasten-io
+ retention:
+ monthly: 12
+ yearly: 5
+ comment: My sample custom backup policy
+ frequency: '@hourly'
+ retention:
+ daily: 30
+ hourly: 24
+ monthly: 3
+ weekly: 4
+ selector:
+ matchLabels:
+ k10.kasten.io/appNamespace: sampleApp
+ subFrequency:
+ days:
+ - 15
+ hours:
+ - 22
+ - 7
+ minutes:
+ - 30
+ weekdays:
+ - 5
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/resource.yaml b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/resource.yaml
new file mode 100644
index 0000000000..9f139aaba1
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/k10-minimum-retention/resource.yaml
@@ -0,0 +1,35 @@
+apiVersion: config.kio.kasten.io/v1alpha1
+kind: Policy
+metadata:
+ name: hourly-policy
+ namespace: k10-minimum-retention
+ labels:
+ appPriority: Mission-Critical
+spec:
+ comment: My sample custom backup policy
+ frequency: '@hourly' # change this to @daily to test the 'audit_mission_critical_RPO' policy
+ subFrequency:
+ minutes: [30]
+ hours: [22,7]
+ weekdays: [5]
+ days: [15]
+ retention:
+ daily: 14
+ weekly: 4
+ monthly: 6
+ actions:
+ - action: backup
+ - action: export # comment this line out to test 'enforce_3-2-1' policy
+ exportParameters:
+ frequency: '@monthly'
+ profile:
+ name: my-profile
+ namespace: kasten-io
+ exportData:
+ enabled: true
+ retention:
+ monthly: 12
+ yearly: 5
+ selector:
+ matchLabels:
+ k10.kasten.io/appNamespace: sampleApp
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/01-policy.yaml b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/02-pod.yaml b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/02-pod.yaml
new file mode 100644
index 0000000000..4664caece5
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/02-pod.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
+ - error:
+ file: pod-error.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/README.md b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/README.md
new file mode 100644
index 0000000000..ecdbc082d3
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test uses a nested foreach to remove all env variables from all containers.
+
+## Expected Behavior
+
+The created pod contains the same containers as the original pod but all env variables in all containers have been removed.
+
+## Reference Issue(s)
+
+5661
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/pod-assert.yaml b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/pod-assert.yaml
new file mode 100644
index 0000000000..de5a1bd6fb
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/pod-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox-1
+ image: busybox:1.35
+ - name: busybox-2
+ image: busybox:1.35
diff --git a/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/pod-error.yaml b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/pod-error.yaml
new file mode 100644
index 0000000000..24bc3167b7
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/pod-error.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox-1
+ image: busybox:1.35
+ env: null
+ - name: busybox-2
+ image: busybox:1.35
+ env: null
diff --git a/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/pod.yaml b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/pod.yaml
new file mode 100644
index 0000000000..c3575184d9
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/pod.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox-1
+ image: busybox:1.35
+ env:
+ - name: ONE
+ value: "one"
+ - name: TWO
+ value: "two"
+ - name: busybox-2
+ image: busybox:1.35
+ env:
+ - name: THREE
+ value: "three"
+ - name: FOUR
+ value: "four"
diff --git a/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/policy-assert.yaml b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/policy-assert.yaml
new file mode 100644
index 0000000000..368e9a1688
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/policy.yaml b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/policy.yaml
new file mode 100644
index 0000000000..bfad47fdaa
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/nested-foreach/remove-all-env-vars/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+spec:
+ background: false
+ schemaValidation: false
+ rules:
+ - name: dummy-1
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ foreach:
+ - list: request.object.spec.containers
+ foreach:
+ - list: element0.env
+ order: Descending
+ patchesJson6902: |-
+ - path: /spec/containers/{{elementIndex0}}/env/{{elementIndex1}}
+ op: remove
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/01-policy.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
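Review bot: The inner `order: Descending` in `remove-all-env-vars/policy.yaml` is load-bearing and deserves a comment, since the sibling `simple/remove-multiple-elements-in-ascending-order` test exists precisely to show that removing list items in ascending order shifts the indices of the elements that follow; add `# iterate env entries from the last index down so each remove leaves the remaining paths valid` above it. The rule name `dummy-1` also says nothing about what the rule does; `remove-all-env-vars` would match the test directory and make policy reports self-explanatory.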
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/02-pod.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/02-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/02-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/README.md b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/README.md
new file mode 100644
index 0000000000..633844c464
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test removes multiple elements from an array iterating in ascending order.
+
+## Expected Behavior
+
+Removing in ascending order is usually not giving the expected result as removing one element will modify the index on the following elements.
+Hence the path to remove following elements are going to point to the wrong index, removing should be done in descending order.
+In this case, the we expect volumes at index 0 and 1 to be removed but as we remove volume at index 0 first, removing the volume at index 1 actually removes the volume at index 2 in the original array.
+
+## Reference Issue(s)
+
+5661
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/pod-assert.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/pod-assert.yaml
new file mode 100644
index 0000000000..67a5cc838b
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/pod-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ volumes:
+ - name: volume-2
+ hostPath:
+ path: "/var/run/foo-2"
+ - projected: {}
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/pod.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/pod.yaml
new file mode 100644
index 0000000000..64fa05c327
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/pod.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ volumes:
+ - name: volume-1
+ hostPath:
+ path: "/var/run/foo-1"
+ - name: volume-2
+ hostPath:
+ path: "/var/run/foo-2"
+ - name: volume-3
+ hostPath:
+ path: "/var/run/foo-3"
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/policy-assert.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/policy-assert.yaml
new file mode 100644
index 0000000000..368e9a1688
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/policy.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/policy.yaml
new file mode 100644
index 0000000000..b10c8aa91f
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-ascending-order/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+spec:
+ background: false
+ schemaValidation: false
+ rules:
+ - name: remove-elements
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ patchesJson6902: |-
+ - path: /spec/volumes/0
+ op: remove
+ - path: /spec/volumes/1
+ op: remove
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/01-policy.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/02-pod.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/02-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/02-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/README.md b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/README.md
new file mode 100644
index 0000000000..849197fc3e
--- /dev/null
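Review bot: The policy in the `remove-multiple-elements-in-ascending-order/policy.yaml` hunk (and its twin in `remove-multiple-elements-in-descending-order/policy.yaml`, further down) is named `foreach-remove-elements` although neither contains a `foreach`; the name looks copied from the nested-foreach test. Renaming it in both `policy.yaml` and the matching `policy-assert.yaml` keeps the fixtures self-describing. Since this test deliberately demonstrates the index-shift mistake, a comment above the patch, `# intentionally wrong order: removing index 0 first makes index 1 point at the original volume-3`, would stop a future reader from "fixing" it and silently inverting the test's purpose.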
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test removes multiple elements from an array iterating in descending order.
+
+## Expected Behavior
+
+The two first volumes in the pod are removed.
+Removing in descending order is usually prefered as it preserves the index of array elements while iterating.
+
+## Reference Issue(s)
+
+5661
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/pod-assert.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/pod-assert.yaml
new file mode 100644
index 0000000000..47818ade76
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/pod-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ volumes:
+ - name: volume-3
+ hostPath:
+ path: /var/run/foo-3
+ - projected: {}
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/pod.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/pod.yaml
new file mode 100644
index 0000000000..a89a2e0c36
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/pod.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ volumes:
+ - name: volume-1
+ hostPath:
+ path: /var/run/foo-1
+ - name: volume-2
+ hostPath:
+ path: /var/run/foo-2
+ - name: volume-3
+ hostPath:
+ path: /var/run/foo-3
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/policy-assert.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/policy-assert.yaml
new file mode 100644
index 0000000000..368e9a1688
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/policy.yaml b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/policy.yaml
new file mode 100644
index 0000000000..710234098e
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/refactor/simple/remove-multiple-elements-in-descending-order/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: foreach-remove-elements
+spec:
+ background: false
+ schemaValidation: false
+ rules:
+ - name: remove-elements
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ mutate:
+ patchesJson6902: |-
+ - path: /spec/volumes/1
+ op: remove
+ - path: /spec/volumes/0
+ op: remove
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/01-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/01-policy.yaml
new file mode 100644
index 0000000000..a0d1b31766
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/01-policy.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy-validate.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-mutate.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-generate.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-verify-image.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/README.md
new file mode 100644
index 0000000000..610d979c5e
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create various policies with `admission` set to `false`.
+
+## Expected Behavior
+
+Policies containing mutation, image verification or generation rules should be rejected.
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml
new file mode 100644
index 0000000000..c81b03bebc
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: generate
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: true
+ rules:
+ - name: generate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: regcred
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ clone:
+ namespace: default
+ name: regcred
\ No newline at end of file
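Review bot: `policy-generate.yaml` is the only fixture in `admission-disabled` written against `kyverno.io/v2beta1`; `policy-validate.yaml`, `policy-mutate.yaml` and `policy-verify-image.yaml` all use `kyverno.io/v1`. If the mix is deliberate (so the rejection is also exercised through the newer API version), a one-line comment above `apiVersion` saying so would keep someone from "normalising" it; otherwise it should be aligned with its siblings. The fixture also clones a Secret from `default` into every new Namespace, which is acceptable here only because the step asserts the policy is rejected — stating that expectation in a comment at the top of the file makes the intent clear when the file is read on its own.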
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml
new file mode 100644
index 0000000000..c32a42c751
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate
+spec:
+ admission: false
+ background: true
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Service
+ - ConfigMap
+ - Secret
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
+ name: mutate
+ validationFailureAction: Audit
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml
new file mode 100644
index 0000000000..49e9184d56
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml
new file mode 100644
index 0000000000..84169ccd46
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml
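Review bot: Key order in `policy-mutate.yaml` differs from its three siblings: the rule's `name: mutate` follows the `mutate:` block instead of leading the rule, `validationFailureAction` trails the rules instead of opening `spec`, and this file alone starts with a `---` document marker. The content is equivalent, but laying it out like `policy-validate.yaml` (rule `name` first, `validationFailureAction` directly under `spec`) lets the four rejection cases be diffed against one another at a glance.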
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: verify-image
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: true
+ rules:
+ - name: verify-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image:*"
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/01-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/01-policy.yaml
new file mode 100644
index 0000000000..df1eb99be6
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/README.md
new file mode 100644
index 0000000000..7e39604238
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create a policy with both `admission` and `background` set to `false`.
+
+## Expected Behavior
+
+Policy should be rejected.
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml
new file mode 100644
index 0000000000..0370eaa4f7
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: all-disabled
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: false
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/01-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/01-policy.yaml
new file mode 100644
index 0000000000..414bdc162c
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-1.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/02-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/02-policy.yaml
new file mode 100644
index 0000000000..07728aa0a2
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-2.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/03-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/03-policy.yaml
new file mode 100644
index 0000000000..c658eb5c25
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/03-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-3.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/04-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/04-policy.yaml
new file mode 100644
index 0000000000..c2c9874c57
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/04-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-4.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/05-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/05-policy.yaml
new file mode 100644
index 0000000000..111874e718
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/05-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-5.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/README.md
new file mode 100644
index 0000000000..5e2e96aea6
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create various policies targeting subresources and `background` set to `true`.
+
+## Expected Behavior
+
+Every policies creation is expected to fail.
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml
new file mode 100644
index 0000000000..1e105b2f9b
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Scale
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml
new file mode 100644
index 0000000000..ee896b4535
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/scale
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml
new file mode 100644
index 0000000000..42f110e636
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/*
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml
new file mode 100644
index 0000000000..1636a5b6ba
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - '*/*'
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml
new file mode 100644
index 0000000000..0ba57c663b
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - '*/status'
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/01-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/02-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/02-policy.yaml
new file mode 100644
index 0000000000..2f34f6a922
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/02-policy.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy-update.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/README.md
new file mode 100644
index 0000000000..3a5e1c3007
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures the background policy update that does not contain admission userinfo variables should be allowed.
+
+## Expected Behavior
+
+The policy update should pass through.
+
+## Related Issue
+
+https://github.com/kyverno/kyverno/issues/6938
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-assert.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-assert.yaml
new file mode 100644
index 0000000000..277982879c
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: background-variables-update
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml
new file mode 100644
index 0000000000..3d67a52e6f
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: background-variables-update
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: ns-vars-userinfo
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: The `owner` label is required for all Namespaces.
+ pattern:
+ metadata:
+ labels:
+ owner: foo
\ No newline at end of file
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml
new file mode 100644
index 0000000000..90e89fba89
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: background-variables-update
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: ns-vars-userinfo
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: The `owner` label is required for all Namespaces.
+ pattern:
+ metadata:
+ labels:
+ owner: "{{request.userInfo}}"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-subject-kind/01-policies.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-subject-kind/01-policies.yaml
new file mode 100644
index 0000000000..5b7367dd61
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-subject-kind/01-policies.yaml
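Review bot: Both `policy-update.yaml` and `policy.yaml` in `background-variables-update` match `kinds: - Pod` yet their `validate.message` says the owner label is required for all Namespaces, so a report or admission denial produced by this rule would point operators at the wrong object. The rule name `ns-vars-userinfo` suggests Namespace was the original target and the kind was changed when the fixture was adapted; either change the message to say Pods or restore `- Namespace` under `kinds`, in both files. A short comment above `owner: "{{request.userInfo}}"` in `policy.yaml`, noting that the admission-only variable is what the update step removes, would also make the two-step test easier to follow.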
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policies
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-subject-kind/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-subject-kind/README.md
new file mode 100644
index 0000000000..a56a4d0016
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-subject-kind/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test tries to create a policy with invalid an invalid subject kind (`Foo`).
+Only kinds supported are `User`, `Group`, or `ServiceAccount`.
+
+## Expected Behavior
+
+Policy should be rejected.
+
+## Related Issue
+
+https://github.com/kyverno/kyverno/issues/7052
\ No newline at end of file
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-subject-kind/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-subject-kind/policy.yaml
new file mode 100644
index 0000000000..aaea8f76ef
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-subject-kind/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: temp
+spec:
+ background: false
+ rules:
+ - name: test-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ subjects:
+ - name: foo
+ kind: Foo
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/01-policies.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/01-policies.yaml
new file mode 100644
index 0000000000..dde6769837
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/01-policies.yaml
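Review bot: The `check` in `invalid-subject-kind/01-policies.yaml` asserts only `(error != null): true`, so any failure to apply `policy.yaml` — a CRD version mismatch, a webhook timeout, a typo elsewhere in the fixture — satisfies the step even if the `kind: Foo` subject were silently accepted by the validation code under test. If chainsaw exposes the operation error as a string in this binding, narrowing the check to the reason the README describes, e.g. `(contains(error, 'subject')): true` with whatever substring the validation error actually carries, ties the test to the behaviour being protected. The same `(error != null): true` pattern is used by every other expected-rejection step in this change, so the point applies to them as well.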
@@ -0,0 +1,17 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policies
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-1.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-2.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/README.md
new file mode 100644
index 0000000000..8c81c1c150
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create policies with invalid timeouts (`< 1` or `> 30`).
+
+## Expected Behavior
+
+Policies should be rejected.
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml
new file mode 100644
index 0000000000..2c73d95718
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ webhookTimeoutSeconds: -1
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml
new file mode 100644
index 0000000000..c7510ba423
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml
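Review bot: `invalid-timeout/01-policies.yaml` exercises `webhookTimeoutSeconds: -1` and `31` only, while the README states the rejected range as `< 1` or `> 30`; the `0` boundary, the value most likely to slip through an off-by-one in the validator, is not covered, and nothing shows that `1` and `30` are still accepted. Adding a `policy-3.yaml` with `webhookTimeoutSeconds: 0` under the same `(error != null): true` check, plus one accepted policy at `30` followed by a Ready assert, would pin both edges of the range. The namespaced `Policy` variant of this test later in the change has the same gap.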
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ webhookTimeoutSeconds: 31
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/00-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/00-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/00-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/01-policy_exception.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/01-policy_exception.yaml
new file mode 100644
index 0000000000..b8b70f8198
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/01-policy_exception.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy_exception
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy_exception.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/02-resource.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/02-resource.yaml
new file mode 100644
index 0000000000..36f9a5b5d3
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/README.md
new file mode 100644
index 0000000000..c2aa0dccf9
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test is attempting to create a resource with the label "app: my-test-app", which would typically violate the policy defined. However, there is a policy exception defined for resources with the same label, which should bypass the policy. Since the Policy Exception feature has not been enabled, the resource will be blocked by the policy instead of being allowed.
+
+## Expected Behavior
+
+The Pod should be blocked.
\ No newline at end of file
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy-assert.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy-assert.yaml
new file mode 100644
index 0000000000..996222eb02
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-app-label
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml
new file mode 100644
index 0000000000..f69ca35c45
--- /dev/null
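Review bot: Step `02-resource.yaml` asserts only that creating `resource.yaml` fails, so a denial for an unrelated reason (a missing namespace, a webhook timeout) still passes, and on a cluster where policy exceptions are enabled the step fails with no hint that the environment rather than Kyverno is the cause. If the error binding is the admission message string, `(contains(error, 'require-app-label')): true` would confirm the denial came from the policy under test, since Kyverno's denial messages name the policy. A one-line comment in the step, `# requires the PolicyException feature to be disabled in the cluster under test`, would record the environment assumption the README depends on.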
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-app-label
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-app-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ validate:
+ message: Pod must include the 'app=my-app' label
+ pattern:
+ metadata:
+ labels:
+ app: my-app
\ No newline at end of file
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml
new file mode 100644
index 0000000000..8b1026d3a0
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: label-exception
+ namespace: default
+spec:
+ exceptions:
+ - policyName: require-app-label
+ ruleNames:
+ - require-app-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ namespaces:
+ - default
+ selector:
+ matchLabels:
+ app: my-test-app
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/resource.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/resource.yaml
new file mode 100644
index 0000000000..8fbfab9c00
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: my-pod
+ labels:
+ app: my-test-app
+spec:
+ containers:
+ - name: nginx
+ image: nginx
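Review bot: `policy_exception.yaml` scopes the exception to `namespaces: [default]` and is itself created in `namespace: default`, but `resource.yaml` sets no namespace, so chainsaw will create the Pod in its per-test namespace unless the enclosing Test pins `namespace: default`. In that case the exception would not match the Pod even with the feature enabled, and the expected denial no longer demonstrates that exceptions are ignored when disabled — the test passes for the wrong reason. Either add `namespace: default` under the Pod's `metadata` or drop the `namespaces:` selector from the exception so the two fixtures agree on scope.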
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml
new file mode 100644
index 0000000000..3123129ddf
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/description: 'This policy mutates any namespace-scoped Custom
+ Resource Definition created by the subjects in the xteam Azure AD group and
+ adds the label "createdByXteam: true".'
+ policies.kyverno.io/subject: RBAC
+ policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad group
+ policy.reporter.kyverno.io/minimal: minimal
+ labels:
+ aws.cdk.eks/prune-c8b5941ff5f4fe911c5ee96472fda3d1f9866734a7: ""
+ name: mutate-xteam-namespace-scoped-crds
+spec:
+ admission: true
+ background: false
+ rules:
+ - match:
+ all:
+ - resources:
+ kinds:
+ - CustomResourceDefinition
+ subjects:
+ - kind: Group
+ name: aad:9b9had99-6k66-2222-9999-8aadb888e888
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ createdByXteam: "true"
+ name: mutate-xteams-crd-creation
+ preconditions:
+ all:
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: CREATE
+ - key: '{{ request.object.spec.scope }}'
+ operator: Equals
+ value: Namespaced
+ validationFailureAction: Audit
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/README.md
new file mode 100644
index 0000000000..23f9175f80
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/README.md
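Review bot: `schema-validation-crd/01-policy.yaml` is a bare ClusterPolicy rather than a chainsaw `TestStep` with an apply and an assert, unlike every other step in this change; if chainsaw follows its numbered-file convention here, `policy-assert.yaml` is referenced by no step and the Ready condition is never checked, so the test would pass even if Kyverno rejected or failed to reconcile the policy. Wrapping it as the siblings do — a TestStep with `- apply: file: policy.yaml` and `- assert: file: policy-assert.yaml` — makes the assertion explicit. Nothing in the test creates a CustomResourceDefinition, which is acceptable if the issue concerns only policy-admission schema checks, but the README's "Pod creation should be allowed" matches neither the policy nor the steps; the `aws.cdk.eks/prune-…` label and the Azure AD group id look like residue from a user's cluster and could be trimmed.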
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures the schema validation is skipped for CustomResourceDefinition.
+
+## Expected Behavior
+
+The Pod creation should be allowed.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7844
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/policy-assert.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/policy-assert.yaml
new file mode 100644
index 0000000000..45ad7ff3a7
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-xteam-namespace-scoped-crds
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/success/01-policies.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/success/01-policies.yaml
new file mode 100644
index 0000000000..c738788d3d
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/success/01-policies.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policies
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy-1.yaml
+ - assert:
+ file: policy-1-assert.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/success/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/success/README.md
new file mode 100644
index 0000000000..601e8fbdad
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/success/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test tries to create policies.
+
+## Expected Behavior
+
+Policies are valid and should be accepted.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6937
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1-assert.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1-assert.yaml
new file mode 100644
index 0000000000..689ed8e9dd
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: vault-init-injector
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml
new file mode 100644
index 0000000000..1904697dc9
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml
@@ -0,0 +1,62 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: vault-init-injector
+ annotations:
+ policies.kyverno.io/title: Inject vault init Container
+spec:
+ background: false
+ validationFailureAction: Audit
+ rules:
+ - name: inject-vault-sidecar
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ preconditions:
+ all:
+ - key: "{{ request.object.spec.template.metadata.annotations.\"vault.k8s.corp.com/inject\" || ''}}"
+ operator: Equals
+ value: "true"
+ - key: vault-init
+ operator: AnyNotIn
+ value: "{{ request.object.spec.template.spec.initContainers[].name || ['']}}"
+ mutate:
+ patchesJson6902: |-
+ - op: add
+ path: /spec/template/spec/initContainers
+ value:
+ - name: vault-init
+ image: registry.corp.com/infrastructure/vault-init:dev-53
+ imagePullPolicy: IfNotPresent
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64M
+ limits:
+ cpu: 500m
+ memory: 128M
+ volumeMounts:
+ - mountPath: "/secret"
+ name: vault-secret
+ env:
+ - name: VAULT_ENTRY
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.annotations["vault.k8s.corp.com/role"]
+ - op: add
+ path: /spec/template/spec/volumes/-1
+ value:
+ name: vault-secret
+ emptyDir:
+ medium: Memory
+ - op: add
+ path: /spec/template/spec/containers/0/volumeMounts/-1
+ value:
+ mountPath: "/secret"
+ name: vault-secret
+ - op: add
+ path: /spec/template/metadata/annotations/config.linkerd.io~1skip-outbound-ports
+ value: "8200"
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/01-policies.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/01-policies.yaml
new file mode 100644
index 0000000000..dde6769837
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/01-policies.yaml
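Review bot: Two of the `op: add` entries in `patchesJson6902` append with `/volumes/-1` and `/volumeMounts/-1`; RFC 6902 defines only `-` as the end-of-array token, so `-1` appears to rely on a negative-index extension of the patch library Kyverno uses rather than on the standard. Since this is a "policies are valid" fixture that readers may copy, the portable form `path: /spec/template/spec/volumes/-` and `path: /spec/template/spec/containers/0/volumeMounts/-` is preferable and changes nothing the test asserts. The injected container's `VAULT_ENTRY` is also taken from the `vault.k8s.corp.com/role` annotation on the Deployment, i.e. from whoever writes the workload; fine for a validation fixture, but a short comment would keep it from being read as an access-control pattern. The policy-creation hunk starts and ends here, but only Ready is asserted, so the mutation body itself is never executed by this test.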
@@ -0,0 +1,17 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policies
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-1.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-2.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/README.md
new file mode 100644
index 0000000000..d42f9132ec
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test tries to create policies referencing `target` in the trigger preconditions or context of a mutate existing rule.
+
+## Expected Behavior
+
+Policies shoudl be rejected.
+Referencing `target` is only allowed in the target section of a mutate existing rule.
\ No newline at end of file
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/policy-1.yaml
new file mode 100644
index 0000000000..c0aa7e93fa
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/policy-1.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: update-targets
+spec:
+ background: false
+ rules:
+ - name: update-targets
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ context:
+ - name: triggerContent
+ variable:
+ jmesPath: request.object.data.content
+ - name: targetContent
+ variable:
+ jmesPath: "{{target.data.content}}"
+ preconditions:
+ all:
+ - key: "{{ request.object.metadata.name }}"
+ operator: Equals
+ value: trigger
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: ConfigMap
+ namespace: "{{ request.object.metadata.namespace }}"
+ name: target*
+ patchStrategicMerge:
+ data:
+ content: "{{ triggerContent }}"
+ targetContent: "{{ targetContent }}"
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/policy-2.yaml
new file mode 100644
index 0000000000..c68ebad920
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/target-context/policy-2.yaml
@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: update-targets
+spec:
+ background: false
+ rules:
+ - name: update-targets
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ context:
+ - name: triggerContent
+ variable:
+ jmesPath: request.object.data.content
+ preconditions:
+ all:
+ - key: "{{ request.object.metadata.name }}"
+ operator: Equals
+ value: trigger
+ - key: "{{ target.data.content }}"
+ operator: Equals
+ value: target
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: ConfigMap
+ namespace: "{{ request.object.metadata.namespace }}"
+ name: target*
+ context:
+ - name: targetContent
+ variable:
+ jmesPath: target.data.content
+ patchStrategicMerge:
+ data:
+ content: "{{ triggerContent }}"
+ targetContent: "{{ targetContent }}"
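Review bot: In `target-context/policy-1.yaml` the trigger-side context entry is `jmesPath: "{{target.data.content}}"`, a Kyverno variable substituted inside a JMESPath field rather than a JMESPath reference to `target`, so the policy may be rejected for the nested-variable form rather than for using `target` outside the targets section, which is what the README says this test covers. `policy-2.yaml` uses the plain `"{{ target.data.content }}"` precondition, so only that file unambiguously pins the intended rule. Writing the first one as `jmesPath: target.data.content`, the same form policy-2 uses under `targets.context`, makes the reason for rejection unambiguous; both policies share `name: update-targets`, which is harmless only while both are expected to fail.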
diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/01-policy.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/01-policy.yaml
new file mode 100644
index 0000000000..3ebdc1b2b8
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/01-policy.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy-validate.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-mutate.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-verify-image.yaml
diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/README.md b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/README.md
new file mode 100644
index 0000000000..610d979c5e
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create various policies with `admission` set to `false`.
+
+## Expected Behavior
+
+Policies containing mutation, image verification or generation rules should be rejected.
diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml
new file mode 100644
index 0000000000..d12a8e299b
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: mutate
+ namespace: default
+spec:
+ admission: false
+ background: true
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Service
+ - ConfigMap
+ - Secret
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
+ name: mutate
+ validationFailureAction: Audit
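Review bot: The README for `admission-disabled` says policies with generation rules must also be rejected when `admission: false`, but `01-policy.yaml` applies only `policy-validate.yaml`, `policy-mutate.yaml` and `policy-verify-image.yaml`; the generate case is asserted nowhere. A fourth `- apply:` entry with the same `(error != null): true` check against a `policy-generate.yaml` would close the gap. The rejections are worth keeping tight: a verifyImages rule on a policy with admission disabled would never evaluate signatures at admission time while the policy still reports Ready, which is a false sense of enforcement. Note also that `policy-mutate.yaml` pins `namespace: default` while the other two Policies leave the namespace to chainsaw; the step does not depend on it, but the inconsistency invites confusion.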
diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml
new file mode 100644
index 0000000000..8a334b28d6
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml
new file mode 100644
index 0000000000..10f32ee1e1
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: verify-image
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: true
+ rules:
+ - name: verify-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image:*"
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
diff --git a/test/conformance/chainsaw/policy-validation/policy/all-disabled/01-policy.yaml b/test/conformance/chainsaw/policy-validation/policy/all-disabled/01-policy.yaml
new file mode 100644
index 0000000000..df1eb99be6
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/all-disabled/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/policy-validation/policy/all-disabled/README.md b/test/conformance/chainsaw/policy-validation/policy/all-disabled/README.md
new file mode 100644
index 0000000000..7e39604238
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/all-disabled/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create a policy with both `admission` and `background` set to `false`.
+
+## Expected Behavior
+
+Policy should be rejected.
diff --git a/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml
new file mode 100644
index 0000000000..207a93769b
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: all-disabled
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: false
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/01-policy.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/01-policy.yaml
new file mode 100644
index 0000000000..414bdc162c
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-1.yaml
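Review bot: `background-subresource/01-policy.yaml` is the first of five `TestStep` files in that directory that are identical except for the policy file name, each carrying its own `(error != null): true` check. The sibling `invalid-timeout/01-policies.yaml` in this same change puts several expected-failure applies in one step; folding these five into one `01-policies.yaml` with five `- apply:` entries would match that convention and cut the boilerplate. All five policies also share `metadata.name: deny`, which is only safe because every one of them is expected to be rejected; a one-line comment in the step, `# every policy below must be rejected, so the shared name never collides`, would warn whoever adds an accepted case later.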
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/02-policy.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/02-policy.yaml
new file mode 100644
index 0000000000..07728aa0a2
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-2.yaml
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/03-policy.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/03-policy.yaml
new file mode 100644
index 0000000000..c658eb5c25
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/03-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-3.yaml
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/04-policy.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/04-policy.yaml
new file mode 100644
index 0000000000..c2c9874c57
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/04-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-4.yaml
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/05-policy.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/05-policy.yaml
new file mode 100644
index 0000000000..111874e718
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/05-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-5.yaml
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/README.md b/test/conformance/chainsaw/policy-validation/policy/background-subresource/README.md
new file mode 100644
index 0000000000..5e2e96aea6
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create various policies targeting subresources and `background` set to `true`.
+
+## Expected Behavior
+
+Every policies creation is expected to fail.
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml
new file mode 100644
index 0000000000..34b13f1639
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Scale
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml
new file mode 100644
index 0000000000..8be60c2d65
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/scale
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml
new file mode 100644
index 0000000000..1a30fa8798
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/*
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml
new file mode 100644
index 0000000000..ca34bbbf1d
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - '*/*'
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml
new file mode 100644
index 0000000000..33e9a6611b
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - '*/status'
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/01-policies.yaml b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/01-policies.yaml
new file mode 100644
index 0000000000..dde6769837
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/01-policies.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policies
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: policy-1.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: policy-2.yaml
diff --git a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/README.md b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/README.md
new file mode 100644
index 0000000000..c787181e12
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create policies with invalid timeouts (`< 1` or `> 30`).
+
+## Expected Behavior
+
+Policies shoudl be rejected.
diff --git a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml
new file mode 100644
index 0000000000..87d62b44d9
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ webhookTimeoutSeconds: -1
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml
new file mode 100644
index 0000000000..3200c841f2
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ webhookTimeoutSeconds: 31
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/rangeoperators/standard/01-policy.yaml b/test/conformance/chainsaw/rangeoperators/standard/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/rangeoperators/standard/01-policy.yaml
+++ b/test/conformance/chainsaw/rangeoperators/standard/01-policy.yaml
@@ -1,8 +1,11 @@
+--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: policy spec: + timeouts: {} try: - apply: file: policy.yaml
diff --git a/test/conformance/chainsaw/rangeoperators/standard/02-resource.yaml b/test/conformance/chainsaw/rangeoperators/standard/02-resource.yaml
index 64cdfafd61..36f9a5b5d3 100644
--- a/test/conformance/chainsaw/rangeoperators/standard/02-resource.yaml
+++ b/test/conformance/chainsaw/rangeoperators/standard/02-resource.yaml
@@ -1,10 +1,13 @@
+--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: + creationTimestamp: null name: resource spec: + timeouts: {} try: - apply: - file: resource.yaml check: - (error == null): false + (error != null): true + file: resource.yaml
diff --git a/test/conformance/chainsaw/rbac/aggregate-to-admin/00-cluster-role.yaml b/test/conformance/chainsaw/rbac/aggregate-to-admin/00-cluster-role.yaml
index 6e92136478..e6faa9528c 100644
--- a/test/conformance/chainsaw/rbac/aggregate-to-admin/00-cluster-role.yaml
+++ b/test/conformance/chainsaw/rbac/aggregate-to-admin/00-cluster-role.yaml
@@ -1,8 +1,11 @@
+--- apiVersion: chainsaw.kyverno.io/v1alpha1 kind: TestStep metadata: - name: rbac + creationTimestamp: null + name: cluster-role spec: + timeouts: {} try: - assert: file: admin-policies.yaml
diff --git a/test/conformance/chainsaw/reports/admission/exception/01-policy.yaml b/test/conformance/chainsaw/reports/admission/exception/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/exception/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/reports/admission/exception/02-exception.yaml b/test/conformance/chainsaw/reports/admission/exception/02-exception.yaml
new file mode 100644
index 0000000000..b5b31d4d2a
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/exception/02-exception.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: exception
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: exception.yaml
diff --git a/test/conformance/chainsaw/reports/admission/exception/03-configmap.yaml b/test/conformance/chainsaw/reports/admission/exception/03-configmap.yaml
new file mode 100644
index 0000000000..574255eeea
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/exception/03-configmap.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: configmap
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: configmap.yaml
+ - assert:
+ file: configmap.yaml
diff --git a/test/conformance/chainsaw/reports/admission/exception/04-report.yaml b/test/conformance/chainsaw/reports/admission/exception/04-report.yaml
new file mode 100644
index 0000000000..7cc1316356
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/exception/04-report.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: report
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: report-assert.yaml
diff --git a/test/conformance/chainsaw/reports/admission/exception/README.md b/test/conformance/chainsaw/reports/admission/exception/README.md
new file mode 100644
index 0000000000..f9ac4e62f6
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/exception/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, a policy exception and a configmap.
+It makes sure the generated policy report contains a skipped result instead of a failed one.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
+1. - Try to create a confimap named `emergency`
+1. - Assert that a policy report exists with a skipped result
diff --git a/test/conformance/chainsaw/reports/admission/exception/configmap.yaml b/test/conformance/chainsaw/reports/admission/exception/configmap.yaml
new file mode 100644
index 0000000000..c9323595fb
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/exception/configmap.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: emergency
diff --git a/test/conformance/chainsaw/reports/admission/exception/exception.yaml b/test/conformance/chainsaw/reports/admission/exception/exception.yaml
new file mode 100644
index 0000000000..3c5fd95b9b
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/exception/exception.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: mynewpolex
+spec:
+ exceptions:
+ - policyName: require-labels
+ ruleNames:
+ - require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - emergency
diff --git a/test/conformance/chainsaw/reports/admission/exception/policy-assert.yaml b/test/conformance/chainsaw/reports/admission/exception/policy-assert.yaml
new file mode 100644
index 0000000000..b0bd73c54e
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/exception/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/admission/exception/policy.yaml b/test/conformance/chainsaw/reports/admission/exception/policy.yaml
new file mode 100644
index 0000000000..677e70d999
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/exception/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/reports/admission/exception/report-assert.yaml b/test/conformance/chainsaw/reports/admission/exception/report-assert.yaml
new file mode 100644
index 0000000000..daa514b0e7
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/exception/report-assert.yaml
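Review bot: The PolicyException `mynewpolex` is created without a `metadata.namespace` in this hunk, while the otherwise parallel fixture `reports/background/exception/exception.yaml` later in the same change pins it to `namespace: kyverno`. Kyverno only honours exceptions from the namespace it is configured to accept them from (the `--exceptionNamespace` setting), so, depending on how the conformance cluster is configured, one of the two tests may pass for the wrong reason or have its exception silently ignored; I would make the two fixtures agree, e.g. add `namespace: kyverno` under `metadata:` here or drop it in the background variant, and say in the README which exception namespace the suite assumes. The Kyverno configuration used by the conformance run is outside this diff, so which value is the intended one cannot be confirmed from here.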
@@ -0,0 +1,23 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: ConfigMap
+ name: emergency
+scope:
+ apiVersion: v1
+ kind: ConfigMap
+ name: emergency
+results:
+- policy: require-labels
+ result: skip
+ rule: require-team
+ scored: true
+ source: kyverno
+summary:
+ error: 0
+ fail: 0
+ pass: 0
+ skip: 1
+ warn: 0
diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/01-policy.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/namespaceselector/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/02-pod.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/02-pod.yaml
new file mode 100644
index 0000000000..88483f0848
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/namespaceselector/02-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pods.yaml
+ - assert:
+ file: pods.yaml
diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/03-report.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/03-report.yaml
new file mode 100644
index 0000000000..08c2d4263d
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/namespaceselector/03-report.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: report
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: report-expected.yaml
+ - error:
+ file: report-unexpected.yaml
diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/README.md b/test/conformance/chainsaw/reports/admission/namespaceselector/README.md
new file mode 100644
index 0000000000..7f4781ff0a
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/namespaceselector/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test validate the reporting ability for a audit policy with the `namespaceSelector` defined.
+
+## Expected Behavior
+
+A policy report should be created for the pod `test-audit-reports-namespacesselector/audit-pod`, but not for `test-non-audit-reports-namespacesselector/non-audit-pod` as the namespace selector doesn't match.
+
diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/pods.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/pods.yaml
new file mode 100644
index 0000000000..aed13ee341
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/namespaceselector/pods.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: audit-pod
+ namespace: test-audit-reports-namespacesselector
+spec:
+ containers:
+ - image: nginx:latest
+ name: audit-pod
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: non-audit-pod
+ namespace: test-non-audit-reports-namespacesselector
+spec:
+ containers:
+ - image: nginx:latest
+ name: non-audit-pod
diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/policy-assert.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/policy-assert.yaml
new file mode 100644
index 0000000000..203bc8ee93
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/namespaceselector/policy-assert.yaml
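Review bot: Both pods in `pods.yaml` pull the floating `nginx:latest` tag, although nothing in this test depends on the image contents — the step only applies the pods and asserts the report for `audit-pod`. A pinned tag keeps the fixture reproducible and avoids pulling whatever `latest` resolves to on the runner on a given day; the `reports/admission/update` test in the same change already uses `image: nginx:1.25.1` for exactly that reason, so the same value would do for both containers here. Since `02-pod.yaml` asserts `pods.yaml` back against the cluster, the pinned value would be checked on both the apply and the assert side.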
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-audit-reports-namespacesselector
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml
new file mode 100644
index 0000000000..16f853fdeb
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-audit-reports-namespacesselector
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ background: false
+ mutateExistingOnPolicyUpdate: false
+ validationFailureAction: Audit
+ rules:
+ - name: test-audit-reports-namespacesselector
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaceSelector:
+ matchExpressions:
+ - key: org
+ operator: Exists
+ validate:
+ pattern:
+ metadata:
+ annotations:
+ validate: namespaceselector
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ org: kyverno-test
+ name: test-audit-reports-namespacesselector
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-non-audit-reports-namespacesselector
diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/report-expected.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/report-expected.yaml
new file mode 100644
index 0000000000..09df12ab48
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/namespaceselector/report-expected.yaml
@@ -0,0 +1,17 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ namespace: test-audit-reports-namespacesselector
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: audit-pod
+scope:
+ apiVersion: v1
+ kind: Pod
+ name: audit-pod
+ namespace: test-audit-reports-namespacesselector
+results:
+- policy: test-audit-reports-namespacesselector
+ result: fail
+ rule: test-audit-reports-namespacesselector
diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/report-unexpected.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/report-unexpected.yaml
new file mode 100644
index 0000000000..dd849351c8
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/namespaceselector/report-unexpected.yaml
@@ -0,0 +1,8 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ namespace: test-non-audit-reports-namespacesselector
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: non-audit-pod
diff --git a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/01-assert.yaml b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/01-assert.yaml
new file mode 100644
index 0000000000..d3fab0a660
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-owner
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/01-manifests.yaml b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/01-manifests.yaml
new file mode 100644
index 0000000000..e57be5e5ea
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/01-manifests.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-owner
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: check-owner
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ message: The `owner` label is required for all Namespaces.
+ pattern:
+ metadata:
+ labels:
+ owner: "?*"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/02-ns.yaml b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/02-ns.yaml
new file mode 100644
index 0000000000..4f230d84eb
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/02-ns.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bar
+ labels:
+ owner: david
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/03-assert.yaml b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/03-assert.yaml
new file mode 100644
index 0000000000..da041762af
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/03-assert.yaml
@@ -0,0 +1,18 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Namespace
+ name: bar
+scope:
+ apiVersion: v1
+ kind: Namespace
+ name: bar
+results:
+- message: validation rule 'check-owner' passed.
+ policy: require-owner
+ result: pass
+ rule: check-owner
+ scored: true
+ source: kyverno
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/99-cleanup.yaml b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/99-cleanup.yaml
new file mode 100644
index 0000000000..76dc94764f
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/99-cleanup.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: cleanup
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - delete
+ - -f
+ - 01-manifests.yaml,02-ns.yaml
+ - --force
+ - --wait=true
+ - --ignore-not-found=true
+ entrypoint: kubectl
diff --git a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/README.md b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/README.md
new file mode 100644
index 0000000000..cdc1a901a7
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This test checks that a Policy Report in admission mode is created with an entry that is as expected.
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/admission/update/01-policy.yaml b/test/conformance/chainsaw/reports/admission/update/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/reports/admission/update/02-deployment-fail.yaml b/test/conformance/chainsaw/reports/admission/update/02-deployment-fail.yaml
new file mode 100644
index 0000000000..5b571105f2
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/02-deployment-fail.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: deployment-fail
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: deployment-fail.yaml
+ - assert:
+ file: deployment-fail-assert.yaml
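Review bot: The cleanup step in `99-cleanup.yaml` passes `--force` to `kubectl delete`, which bypasses graceful deletion and which kubectl itself documents as able to leave resources in an inconsistent state; with `--wait=true` and `--ignore-not-found=true` already set the flag buys nothing for a ClusterPolicy and a Namespace, so I would drop the `- --force` line. Shelling out to `kubectl` is also inconsistent with `reports/background/report-deletion/03-delete-policy.yaml` in the same change, which uses chainsaw's native `delete:` operation with `apiVersion`/`kind`/`name` and does not depend on a `kubectl` binary being on the runner's PATH; two such entries for the ClusterPolicy `require-owner` and the Namespace `bar` would express the same cleanup. This directory is also the only one in the change without TestStep files for its `01-`/`02-`/`03-` manifests, so it presumably relies on the file-name convention for apply and assert — worth a one-line comment in the README confirming that is intentional.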
diff --git a/test/conformance/chainsaw/reports/admission/update/03-report-fail-assert.yaml b/test/conformance/chainsaw/reports/admission/update/03-report-fail-assert.yaml
new file mode 100644
index 0000000000..863c8a224d
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/03-report-fail-assert.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: report-fail-assert
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: report-fail-assert.yaml
diff --git a/test/conformance/chainsaw/reports/admission/update/04-deployment-pass.yaml b/test/conformance/chainsaw/reports/admission/update/04-deployment-pass.yaml
new file mode 100644
index 0000000000..d8da7cd27c
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/04-deployment-pass.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: deployment-pass
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: deployment-pass.yaml
+ - assert:
+ file: deployment-pass-assert.yaml
diff --git a/test/conformance/chainsaw/reports/admission/update/05-report-pass-assert.yaml b/test/conformance/chainsaw/reports/admission/update/05-report-pass-assert.yaml
new file mode 100644
index 0000000000..58d1df9396
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/05-report-pass-assert.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: report-pass-assert
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: report-pass-assert.yaml
diff --git a/test/conformance/chainsaw/reports/admission/update/README.md b/test/conformance/chainsaw/reports/admission/update/README.md
new file mode 100644
index 0000000000..4de1ac6a87
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/README.md
@@ -0,0 +1,14 @@
+## Description
+
+This test verifies that policy report is correctly updated when a resource changes.
+A policy in Audit mode is created.
+A deployment is created, the deployment violates the policy and we assert the policy report contains a `fail` result.
+The deployment is then updated to not violate the policy anymore and we assert the policy report changes to contain `pass` result.
+
+## Expected result
+
+When the resource does not violate the policy anymore, the result in the policy report should change from `fail` to `pass`.
+
+## Related issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7793
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/admission/update/deployment-fail-assert.yaml b/test/conformance/chainsaw/reports/admission/update/deployment-fail-assert.yaml
new file mode 100644
index 0000000000..7c8222009b
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/deployment-fail-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-dpl-1
+status:
+ observedGeneration: 1
+ updatedReplicas: 1
+ readyReplicas: 1
+ replicas: 1
diff --git a/test/conformance/chainsaw/reports/admission/update/deployment-fail.yaml b/test/conformance/chainsaw/reports/admission/update/deployment-fail.yaml
new file mode 100644
index 0000000000..0a34bd2209
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/deployment-fail.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-dpl-1
+spec:
+ selector:
+ matchLabels:
+ app: test-dpl-1
+ template:
+ metadata:
+ labels:
+ app: test-dpl-1
+ spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: test-container
+ image: nginx:latest
diff --git a/test/conformance/chainsaw/reports/admission/update/deployment-pass-assert.yaml b/test/conformance/chainsaw/reports/admission/update/deployment-pass-assert.yaml
new file mode 100644
index 0000000000..2611dbe7e2
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/deployment-pass-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-dpl-1
+status:
+ observedGeneration: 2
+ updatedReplicas: 1
+ readyReplicas: 1
+ replicas: 1
diff --git a/test/conformance/chainsaw/reports/admission/update/deployment-pass.yaml b/test/conformance/chainsaw/reports/admission/update/deployment-pass.yaml
new file mode 100644
index 0000000000..12bc160b77
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/deployment-pass.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-dpl-1
+spec:
+ selector:
+ matchLabels:
+ app: test-dpl-1
+ template:
+ metadata:
+ labels:
+ app: test-dpl-1
+ spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: test-container
+ image: nginx:1.25.1
diff --git a/test/conformance/chainsaw/reports/admission/update/policy-assert.yaml b/test/conformance/chainsaw/reports/admission/update/policy-assert.yaml
new file mode 100644
index 0000000000..19f4753128
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/admission/update/policy.yaml b/test/conformance/chainsaw/reports/admission/update/policy.yaml
new file mode 100644
index 0000000000..e296c0d44a
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-latest-tag
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-image-tag-pod
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Using a mutable image tag e.g. 'latest' is not allowed."
+ pattern:
+ spec:
+ containers:
+ - image: "!*:latest"
diff --git a/test/conformance/chainsaw/reports/admission/update/report-fail-assert.yaml b/test/conformance/chainsaw/reports/admission/update/report-fail-assert.yaml
new file mode 100644
index 0000000000..65ed6f0afb
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/report-fail-assert.yaml
@@ -0,0 +1,24 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: test-dpl-1
+scope:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: test-dpl-1
+results:
+- message: 'validation error: Using a mutable image tag e.g. ''latest'' is not allowed.
+ rule autogen-validate-image-tag-pod failed at path /spec/template/spec/containers/0/image/'
+ policy: disallow-latest-tag
+ result: fail
+ rule: autogen-validate-image-tag-pod
+ source: kyverno
+summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/admission/update/report-pass-assert.yaml b/test/conformance/chainsaw/reports/admission/update/report-pass-assert.yaml
new file mode 100644
index 0000000000..fbf5f02e1d
--- /dev/null
+++ b/test/conformance/chainsaw/reports/admission/update/report-pass-assert.yaml
@@ -0,0 +1,23 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: test-dpl-1
+scope:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: test-dpl-1
+results:
+- message: validation rule 'autogen-validate-image-tag-pod' passed.
+ policy: disallow-latest-tag
+ result: pass
+ rule: autogen-validate-image-tag-pod
+ source: kyverno
+summary:
+ error: 0
+ fail: 0
+ pass: 1
+ skip: 0
+ warn: 0
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/background/exception/01-policy.yaml b/test/conformance/chainsaw/reports/background/exception/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/exception/02-exception.yaml b/test/conformance/chainsaw/reports/background/exception/02-exception.yaml
new file mode 100644
index 0000000000..b5b31d4d2a
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception/02-exception.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: exception
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: exception.yaml
diff --git a/test/conformance/chainsaw/reports/background/exception/03-configmap.yaml b/test/conformance/chainsaw/reports/background/exception/03-configmap.yaml
new file mode 100644
index 0000000000..574255eeea
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception/03-configmap.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: configmap
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: configmap.yaml
+ - assert:
+ file: configmap.yaml
diff --git a/test/conformance/chainsaw/reports/background/exception/04-report.yaml b/test/conformance/chainsaw/reports/background/exception/04-report.yaml
new file mode 100644
index 0000000000..7cc1316356
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception/04-report.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: report
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: report-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/exception/README.md b/test/conformance/chainsaw/reports/background/exception/README.md
new file mode 100644
index 0000000000..6600368c12
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test creates a policy, a policy exception and a configmap.
+It makes sure the generated background scan report contains a skipped result instead of a failed one.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
+1. - Try to create a confimap named `emergency`
+1. - Assert that a policy report exists with a skipped result
diff --git a/test/conformance/chainsaw/reports/background/exception/configmap.yaml b/test/conformance/chainsaw/reports/background/exception/configmap.yaml
new file mode 100644
index 0000000000..c9323595fb
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception/configmap.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: emergency
diff --git a/test/conformance/chainsaw/reports/background/exception/exception.yaml b/test/conformance/chainsaw/reports/background/exception/exception.yaml
new file mode 100644
index 0000000000..54a997c350
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception/exception.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: mynewpolex
+ namespace: kyverno
+spec:
+ exceptions:
+ - policyName: require-labels
+ ruleNames:
+ - require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - emergency
diff --git a/test/conformance/chainsaw/reports/background/exception/policy-assert.yaml b/test/conformance/chainsaw/reports/background/exception/policy-assert.yaml
new file mode 100644
index 0000000000..b0bd73c54e
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/background/exception/policy.yaml b/test/conformance/chainsaw/reports/background/exception/policy.yaml
new file mode 100644
index 0000000000..3fcd7b2fe5
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/reports/background/exception/report-assert.yaml b/test/conformance/chainsaw/reports/background/exception/report-assert.yaml
new file mode 100644
index 0000000000..daa514b0e7
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/exception/report-assert.yaml
@@ -0,0 +1,23 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: ConfigMap
+ name: emergency
+scope:
+ apiVersion: v1
+ kind: ConfigMap
+ name: emergency
+results:
+- policy: require-labels
+ result: skip
+ rule: require-team
+ scored: true
+ source: kyverno
+summary:
+ error: 0
+ fail: 0
+ pass: 0
+ skip: 1
+ warn: 0
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/00-policy.yaml b/test/conformance/chainsaw/reports/background/report-deletion/00-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/00-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/01-pod.yaml b/test/conformance/chainsaw/reports/background/report-deletion/01-pod.yaml
new file mode 100644
index 0000000000..0969965637
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/01-pod.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/02-report.yaml b/test/conformance/chainsaw/reports/background/report-deletion/02-report.yaml
new file mode 100644
index 0000000000..7cc1316356
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/02-report.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: report
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: report-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/03-delete-policy.yaml b/test/conformance/chainsaw/reports/background/report-deletion/03-delete-policy.yaml
new file mode 100644
index 0000000000..e7d7e57ca0
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/03-delete-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete-policy
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: podsecurity-subrule-restricted
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/04-check-report-deleted.yaml b/test/conformance/chainsaw/reports/background/report-deletion/04-check-report-deleted.yaml
new file mode 100644
index 0000000000..a25fdac92c
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/04-check-report-deleted.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check-report-deleted
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: report-error.yaml
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/README.md b/test/conformance/chainsaw/reports/background/report-deletion/README.md
new file mode 100644
index 0000000000..17e133b054
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test creates a policy and a pod, it then expects a background scan report to be created for the pod.
+When the policy is deleted, the background scan report should also be deleted.
+
+## Steps
+
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Create a pod
+1. - Assert a policy report is created for the pod and contains the right summary
+1. - Delete the policy
+ - Assert the policy report is deleted for the pod
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/pod.yaml b/test/conformance/chainsaw/reports/background/report-deletion/pod.yaml
new file mode 100644
index 0000000000..2b73ac5fb5
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/pod.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+spec:
+ containers:
+ - name: container01
+ image: dummyimagename
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/policy-assert.yaml b/test/conformance/chainsaw/reports/background/report-deletion/policy-assert.yaml
new file mode 100644
index 0000000000..c21f7dd310
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: podsecurity-subrule-restricted
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml b/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml
new file mode 100644
index 0000000000..a823bc1720
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: podsecurity-subrule-restricted
+spec:
+ admission: false
+ background: true
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: restricted
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
+ validationFailureAction: Audit
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/report-assert.yaml b/test/conformance/chainsaw/reports/background/report-deletion/report-assert.yaml
new file mode 100644
index 0000000000..238f99fbaa
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/report-assert.yaml
@@ -0,0 +1,17 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: badpod01
+scope:
+ apiVersion: v1
+ kind: Pod
+ name: badpod01
+summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
diff --git a/test/conformance/chainsaw/reports/background/report-deletion/report-error.yaml b/test/conformance/chainsaw/reports/background/report-deletion/report-error.yaml
new file mode 100644
index 0000000000..fef601e131
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/report-deletion/report-error.yaml
@@ -0,0 +1,7 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: badpod01
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/01-pod.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/01-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/01-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
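Review bot: report-deletion/report-assert.yaml asserts only `summary.fail: 1` before the policy is deleted, so the step passes as long as some rule failed once, without checking that the failure belongs to this policy's `restricted` rule; the sibling test-report-background-mode/report-assert.yaml pins the `results` entry and this test should too, since the point of the later `error` step is that exactly this policy's report disappears. A minimal `results` entry using the keys the other assertions already use would close that gap. Also a style nit in report-deletion/policy.yaml: the rule's `name: restricted` sits after `match`, whereas the sibling policy lists `name` first.
```yaml
# … unchanged: apiVersion, kind, metadata, scope …
results:
  - policy: podsecurity-subrule-restricted
    rule: restricted
    result: fail
    source: kyverno
# … unchanged: summary …
```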
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/02-policy.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/02-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/03-report.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/03-report.yaml
new file mode 100644
index 0000000000..7cc1316356
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/03-report.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: report
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: report-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/README.md b/test/conformance/chainsaw/reports/background/test-report-background-mode/README.md
new file mode 100644
index 0000000000..a301efe0ec
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/README.md
@@ -0,0 +1,10 @@
+# Title
+
+This test checks that a Policy Report is created with an entry that is as expected.
+
+## Steps
+
+1. - Create a pod
+1. - Create a cluster policy
+ - Assert the policy becomes ready
+1. - Assert a report is created for the pod/policy
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/pod-assert.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/pod-assert.yaml
new file mode 100644
index 0000000000..6fa1f4c067
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/pod-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/pod.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/pod.yaml
new file mode 100644
index 0000000000..00ac4d5575
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+ namespace: default
+spec:
+ containers:
+ - name: container01
+ image: dummyimagename
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml
new file mode 100644
index 0000000000..f1332d1189
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: podsecurity-subrule-restricted
+spec:
+ background: true
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: restricted
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
+ validationFailureAction: Audit
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml
new file mode 100644
index 0000000000..074dd3e883
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: podsecurity-subrule-restricted
+ annotations:
+ policies.kyverno.io/title: Restricted Pod Security Standards
+ policies.kyverno.io/category: Pod Security
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.8.0
+ policies.kyverno.io/minversion: 1.8.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ The restricted profile of the Pod Security Standards, which is inclusive of
+ the baseline profile, is a collection of all the most common configurations
+ that can be taken to secure Pods. Beginning with Kyverno 1.8, an entire profile
+ may be assigned to the cluster through a single rule. This policy configures the
+ restricted profile through the latest version of the Pod Security Standards cluster wide.
+spec:
+ background: true
+ validationFailureAction: Audit
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/report-assert.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/report-assert.yaml
new file mode 100644
index 0000000000..d1ea83f8ed
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/report-assert.yaml
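Review bot: test-report-background-mode/policy.yaml does not set `admission`, unlike the otherwise equivalent report-deletion/policy.yaml earlier in this commit which sets `admission: false`; with the default the policy is also evaluated at admission, and the README's "create the pod first" ordering is what keeps this a background-only test. Since the two fixtures exercise the same report path, either align them by adding `  admission: false` under `spec` or note why this one deliberately leaves admission enabled. The file also ends without a trailing newline (`\ No newline at end of file`), as do pod-assert.yaml and pod.yaml in the same directory and verify-image-fail/policy.yaml, while their siblings end with one; a final newline keeps diffs and linters quiet.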
@@ -0,0 +1,33 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ namespace: default
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: badpod01
+scope:
+ apiVersion: v1
+ kind: Pod
+ name: badpod01
+ namespace: default
+results:
+- category: Pod Security
+ message: |
+ Validation rule 'restricted' failed. It violates PodSecurity "restricted:latest": ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "container01" must set securityContext.capabilities.drop=["ALL"]})
+ policy: podsecurity-subrule-restricted
+ properties:
+ controls: capabilities_restricted
+ standard: restricted
+ version: latest
+ result: fail
+ rule: restricted
+ scored: true
+ severity: medium
+ source: kyverno
+summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/01-pod.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/01-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-fail/01-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/02-policy.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/02-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-fail/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
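Review bot: The `message: |` assertion in test-report-background-mode/report-assert.yaml pins the full text that the Pod Security library emits, including the `{Allowed:false ForbiddenReason:… ForbiddenDetail:…}` struct dump, while the policy uses `version: latest`; any change in that library's wording or in what "latest" resolves to will break this test without Kyverno's behaviour having changed. If the report entry's stable fields (`policy`, `rule`, `result`, `properties`, `severity`) are enough to prove the entry is as expected, dropping `message` or reducing it to the leading `Validation rule 'restricted' failed.` would make the assertion far less brittle. Note also that `|` keeps one trailing newline in the asserted value, so if chainsaw compares the string exactly the report's message must end with a newline too — `|-` would remove that dependency if it does not. Whichever is kept, a one-line comment above `message:` saying it is an exact-match against upstream text would help the next maintainer.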
diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/03-report.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/03-report.yaml
new file mode 100644
index 0000000000..7cc1316356
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-fail/03-report.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: report
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: report-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/README.md b/test/conformance/chainsaw/reports/background/verify-image-fail/README.md
new file mode 100644
index 0000000000..da4a092495
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-fail/README.md
@@ -0,0 +1,10 @@
+# Title
+
+This test creates pods using an unsigned or not correctly signed image.
+It then creates an image verification policy running in the background.
+
+Note: the pods have to be created first because we don't want the policy to apply at admission time.
+
+## Expected Behavior
+
+The pods are created and policy reports are generated with a fail result.
diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/pod-assert.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/pod-assert.yaml
new file mode 100644
index 0000000000..09d29aefb3
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-fail/pod-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: unsigned
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed-by-someone-else
diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/pod.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/pod.yaml
new file mode 100644
index 0000000000..375a2b5917
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-fail/pod.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: unsigned
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:unsigned
+ name: test-secret
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed-by-someone-else
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed-by-someone-else
+ name: test-secret
diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/policy-assert.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/policy-assert.yaml
new file mode 100644
index 0000000000..9b7835826a
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-fail/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: keyed-basic-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml
new file mode 100644
index 0000000000..3831d9ced5
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: keyed-basic-policy
+spec:
+ validationFailureAction: Audit
+ background: true
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: keyed-basic-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - ghcr.io/kyverno/test-verify-image:*
+ verifyDigest: false
+ mutateDigest: false
+ required: false
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
+ ctlog:
+ ignoreSCT: true
\ No newline at end of file
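Review bot: verify-image-fail/policy.yaml sets `ignoreTlog: true` under `rekor` and `ignoreSCT: true` under `ctlog`, which turns off the transparency-log and SCT checks that give a Sigstore key-based verification its revocation and timestamp guarantees; that is a reasonable choice for a fixture signed with a static test key, but nothing in the file says so, and these policies tend to get copied into real clusters. A comment above `rekor:` would keep the intent explicit, e.g. `# test-only: the fixture images are signed with a static key that was never logged, so Rekor/CT checks are skipped; keep them enabled in real policies`. The identical `policy.yaml` under verify-image-pass later in this commit deserves the same comment. As far as I can tell `verifyDigest: false`, `mutateDigest: false` and `required: false` are also chosen for the background-scan path; a short note on why they differ from the defaults would save the next reader a trip to the docs.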
diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/report-assert.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/report-assert.yaml
new file mode 100644
index 0000000000..99e052ed78
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-fail/report-assert.yaml
@@ -0,0 +1,35 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: unsigned
+scope:
+ apiVersion: v1
+ kind: Pod
+ name: unsigned
+summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
+---
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: signed-by-someone-else
+scope:
+ apiVersion: v1
+ kind: Pod
+ name: signed-by-someone-else
+summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/01-pod.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/01-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-pass/01-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/02-policy.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/02-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-pass/02-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/03-report.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/03-report.yaml
new file mode 100644
index 0000000000..7cc1316356
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-pass/03-report.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: report
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: report-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/README.md b/test/conformance/chainsaw/reports/background/verify-image-pass/README.md
new file mode 100644
index 0000000000..e018a44415
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-pass/README.md
@@ -0,0 +1,10 @@
+# Title
+
+This test creates a pod using a valid signed image.
+It then creates an image verification policy running in the background.
+
+Note: the pod has to be created first because we don't want the policy to apply at admission time.
+
+## Expected Behavior
+
+The pod is created and a policy report is generated for it with a pass result.
diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/pod-assert.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/pod-assert.yaml
new file mode 100644
index 0000000000..d57097734d
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-pass/pod-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed
diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/pod.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/pod.yaml
new file mode 100644
index 0000000000..9a7c8aeac0
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-pass/pod.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed
+ name: test-secret
diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/policy-assert.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/policy-assert.yaml
new file mode 100644
index 0000000000..9b7835826a
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-pass/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: keyed-basic-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml
new file mode 100644
index 0000000000..a0c6b904c8
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: keyed-basic-policy
+spec:
+ validationFailureAction: Audit
+ background: true
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: keyed-basic-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - ghcr.io/kyverno/test-verify-image:*
+ verifyDigest: false
+ mutateDigest: false
+ required: false
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
+ ctlog:
+ ignoreSCT: true
diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/report-assert.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/report-assert.yaml
new file mode 100644
index 0000000000..f17a4931ae
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/verify-image-pass/report-assert.yaml
@@ -0,0 +1,17 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: signed
+scope:
+ apiVersion: v1
+ kind: Pod
+ name: signed
+summary:
+ error: 0
+ fail: 0
+ pass: 1
+ skip: 0
+ warn: 0
diff --git a/test/conformance/chainsaw/ttl/delete-twice/01-pod.yaml b/test/conformance/chainsaw/ttl/delete-twice/01-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/delete-twice/01-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/ttl/delete-twice/02-check.yaml b/test/conformance/chainsaw/ttl/delete-twice/02-check.yaml
new file mode 100644
index 0000000000..7571906109
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/delete-twice/02-check.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/ttl/delete-twice/03-pod.yaml b/test/conformance/chainsaw/ttl/delete-twice/03-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/delete-twice/03-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/ttl/delete-twice/04-check.yaml b/test/conformance/chainsaw/ttl/delete-twice/04-check.yaml
new file mode 100644
index 0000000000..7571906109
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/delete-twice/04-check.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - error:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/ttl/delete-twice/README.md b/test/conformance/chainsaw/ttl/delete-twice/README.md
new file mode 100644
index 0000000000..fb565cce6e
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/delete-twice/README.md
@@ -0,0 +1,10 @@
+# ## Description
+
+This test cleans up pods via a label assignment named `cleanup.kyverno.io/ttl: 10s`.
+Once deleted, the pod is created a second time and we expect to be deleted again.
+
+## Expected Behavior
+
+The pod `test-pod` is cleaned up successfully after 10s twice.
+
+## Reference Issue(s)
diff --git a/test/conformance/chainsaw/ttl/delete-twice/pod-assert.yaml b/test/conformance/chainsaw/ttl/delete-twice/pod-assert.yaml
new file mode 100644
index 0000000000..06ec46e3f4
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/delete-twice/pod-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod
+ labels:
+ cleanup.kyverno.io/ttl: 10s
\ No newline at end of file
diff --git a/test/conformance/chainsaw/ttl/delete-twice/pod.yaml b/test/conformance/chainsaw/ttl/delete-twice/pod.yaml
new file mode 100644
index 0000000000..5218083366
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/delete-twice/pod.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod
+ labels:
+ cleanup.kyverno.io/ttl: 10s
+spec:
+ containers:
+ - image: nginx:latest
+ name: nginx
diff --git a/test/conformance/chainsaw/ttl/invalid-label/01-pod.yaml b/test/conformance/chainsaw/ttl/invalid-label/01-pod.yaml
new file mode 100644
index 0000000000..b6172499fe
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/invalid-label/01-pod.yaml
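Review bot: delete-twice/pod.yaml pulls `image: nginx:latest`, an unpinned mutable tag fetched from the public registry at test time, so the fixture's result depends on whatever that tag points to on the day the suite runs and on registry reachability; the same line is in invalid-label/pod.yaml later in this commit. The TTL controller only needs an object with the `cleanup.kyverno.io/ttl` label to exist, so a pinned tag or digest, or the `dummyimagename` placeholder the reports fixtures in this commit already use, would make the test hermetic: `- image: <pinned-tag-or-digest placeholder>`. If the pod must actually become Ready for the cleanup to trigger, a comment saying so above `containers:` would explain why a real image is required.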
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod.yaml
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/ttl/invalid-label/02-wait.yaml b/test/conformance/chainsaw/ttl/invalid-label/02-wait.yaml
new file mode 100644
index 0000000000..369a510e2f
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/invalid-label/02-wait.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: wait
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "15"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/ttl/invalid-label/03-check.yaml b/test/conformance/chainsaw/ttl/invalid-label/03-check.yaml
new file mode 100644
index 0000000000..e827ea8770
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/invalid-label/03-check.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: check
+spec:
+ timeouts: {}
+ try:
+ - assert:
+ file: pod-assert.yaml
diff --git a/test/conformance/chainsaw/ttl/invalid-label/README.md b/test/conformance/chainsaw/ttl/invalid-label/README.md
new file mode 100644
index 0000000000..eeda2bcc33
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/invalid-label/README.md
@@ -0,0 +1,9 @@
+# ## Description
+
+This test must not be able to clean up pod as the label assignment is invalid which will not be recognized by the controller in this case the label is named `cleanup.kyverno.io/ttl: 10ay`.
+
+## Expected Behavior
+
+The pod `test-pod` is not cleaned up successfully after 10s.
+
+## Reference Issue(s)
diff --git a/test/conformance/chainsaw/ttl/invalid-label/pod-assert.yaml b/test/conformance/chainsaw/ttl/invalid-label/pod-assert.yaml
new file mode 100644
index 0000000000..4ce27fac0d
--- /dev/null
+++ b/test/conformance/chainsaw/ttl/invalid-label/pod-assert.yaml
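Review bot: invalid-label/02-wait.yaml sleeps for a bare `"15"` with nothing explaining the number; presumably it is chosen to exceed the `10s` the label would request if `10ay` were parsed as a valid duration, so that the following `assert` proves the pod survived a full TTL window, but a reader has to reconstruct that from the README. A comment on the step would carry the reasoning with the fixture: `# wait longer than the 10s a valid TTL would take; the pod must still exist afterwards`. Fixed sleeps are also the usual source of flaky negative tests, so if chainsaw offers a bounded wait with a timeout it would be worth using instead of `sleep`.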
@@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + labels: + cleanup.kyverno.io/ttl: 10ay diff --git a/test/conformance/chainsaw/ttl/invalid-label/pod.yaml b/test/conformance/chainsaw/ttl/invalid-label/pod.yaml new file mode 100644 index 0000000000..5480ecd493 --- /dev/null +++ b/test/conformance/chainsaw/ttl/invalid-label/pod.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + labels: + cleanup.kyverno.io/ttl: 10ay +spec: + containers: + - image: nginx:latest + name: nginx diff --git a/test/conformance/chainsaw/ttl/past-timestamp/01-pod.yaml b/test/conformance/chainsaw/ttl/past-timestamp/01-pod.yaml new file mode 100644 index 0000000000..0969965637 --- /dev/null +++ b/test/conformance/chainsaw/ttl/past-timestamp/01-pod.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pod +spec: + timeouts: {} + try: + - apply: + file: pod.yaml diff --git a/test/conformance/chainsaw/ttl/past-timestamp/02-check.yaml b/test/conformance/chainsaw/ttl/past-timestamp/02-check.yaml new file mode 100644 index 0000000000..9917924327 --- /dev/null +++ b/test/conformance/chainsaw/ttl/past-timestamp/02-check.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - error: + file: pod-assert.yaml + - command: + args: + - "5" + entrypoint: sleep diff --git a/test/conformance/chainsaw/ttl/past-timestamp/03-pod.yaml b/test/conformance/chainsaw/ttl/past-timestamp/03-pod.yaml new file mode 100644 index 0000000000..549c524bb0 --- /dev/null +++ b/test/conformance/chainsaw/ttl/past-timestamp/03-pod.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pod +spec: + timeouts: {} + try: + - apply: + file: pod-2.yaml + - assert: + file: pod-assert-2.yaml 
diff --git a/test/conformance/chainsaw/ttl/past-timestamp/04-patch.yaml b/test/conformance/chainsaw/ttl/past-timestamp/04-patch.yaml new file mode 100644 index 0000000000..28b0700893 --- /dev/null +++ b/test/conformance/chainsaw/ttl/past-timestamp/04-patch.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: patch +spec: + timeouts: {} + try: + - apply: + file: past-timestamp.yaml diff --git a/test/conformance/chainsaw/ttl/past-timestamp/05-check.yaml b/test/conformance/chainsaw/ttl/past-timestamp/05-check.yaml new file mode 100644 index 0000000000..242a27b5d5 --- /dev/null +++ b/test/conformance/chainsaw/ttl/past-timestamp/05-check.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - error: + file: pod-assert-2.yaml diff --git a/test/conformance/chainsaw/ttl/past-timestamp/README.md b/test/conformance/chainsaw/ttl/past-timestamp/README.md new file mode 100644 index 0000000000..c0d0060141 --- /dev/null +++ b/test/conformance/chainsaw/ttl/past-timestamp/README.md @@ -0,0 +1,13 @@ +# ## Description + +This test cleans up pods instanteaously without any delay as the value of the label is `cleanup.kyverno.io/ttl: 2023-07-19T120000Z` the timestamp is mentioned in past. + +## Expected Behavior + +The pod `test-pod` is cleaned up instantaneously. + +The pod `test-pod-2` is cleaned up instantaneously when the label is updated to `cleanup.kyverno.io/ttl: 2023-07-19T120000Z` the timestamp is mentioned in past. + +## Reference Issue(s) + +- [8242](https://github.com/kyverno/kyverno/issues/8242): `test-pod` might never be created, so the assert could fail. diff --git a/test/conformance/chainsaw/ttl/past-timestamp/past-timestamp.yaml b/test/conformance/chainsaw/ttl/past-timestamp/past-timestamp.yaml new file mode 100644 index 0000000000..7aca725c6d --- /dev/null 
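Review bot: 04-patch.yaml uses `apply:` with past-timestamp.yaml, which is a Pod manifest containing only `metadata` (no `spec.containers`), so the step silently depends on chainsaw merging into the existing `test-pod-2` rather than replacing it, since a Pod with no containers would be rejected by the API server. That is presumably the intended label update, but the step name `patch` says one thing and the operation another. If this chainsaw version offers a `patch:` operation use it here; otherwise a script step `kubectl label pod test-pod-2 cleanup.kyverno.io/ttl=2023-07-19T120000Z` makes the intent explicit and fails loudly if the pod is missing.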
+++ b/test/conformance/chainsaw/ttl/past-timestamp/past-timestamp.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod-2 + labels: + cleanup.kyverno.io/ttl: 2023-07-19T120000Z \ No newline at end of file diff --git a/test/conformance/chainsaw/ttl/past-timestamp/pod-2.yaml b/test/conformance/chainsaw/ttl/past-timestamp/pod-2.yaml new file mode 100644 index 0000000000..9f96a38a24 --- /dev/null +++ b/test/conformance/chainsaw/ttl/past-timestamp/pod-2.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod-2 +spec: + containers: + - image: nginx:latest + name: nginx diff --git a/test/conformance/chainsaw/ttl/past-timestamp/pod-assert-2.yaml b/test/conformance/chainsaw/ttl/past-timestamp/pod-assert-2.yaml new file mode 100644 index 0000000000..cb80212cdf --- /dev/null +++ b/test/conformance/chainsaw/ttl/past-timestamp/pod-assert-2.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod-2 \ No newline at end of file diff --git a/test/conformance/chainsaw/ttl/past-timestamp/pod-assert.yaml b/test/conformance/chainsaw/ttl/past-timestamp/pod-assert.yaml new file mode 100644 index 0000000000..5b304debf0 --- /dev/null +++ b/test/conformance/chainsaw/ttl/past-timestamp/pod-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + labels: + cleanup.kyverno.io/ttl: 2023-07-19T120000Z \ No newline at end of file diff --git a/test/conformance/chainsaw/ttl/past-timestamp/pod.yaml b/test/conformance/chainsaw/ttl/past-timestamp/pod.yaml new file mode 100644 index 0000000000..cf2f414401 --- /dev/null +++ b/test/conformance/chainsaw/ttl/past-timestamp/pod.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + labels: + cleanup.kyverno.io/ttl: 2023-07-19T120000Z +spec: + containers: + - image: nginx:latest + name: nginx 
diff --git a/test/conformance/chainsaw/ttl/permission-lack/01-resource.yaml b/test/conformance/chainsaw/ttl/permission-lack/01-resource.yaml new file mode 100644 index 0000000000..07a73f22a0 --- /dev/null +++ b/test/conformance/chainsaw/ttl/permission-lack/01-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: resource.yaml + - assert: + file: resource-assert.yaml diff --git a/test/conformance/chainsaw/ttl/permission-lack/02-wait.yaml b/test/conformance/chainsaw/ttl/permission-lack/02-wait.yaml new file mode 100644 index 0000000000..369a510e2f --- /dev/null +++ b/test/conformance/chainsaw/ttl/permission-lack/02-wait.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: wait +spec: + timeouts: {} + try: + - command: + args: + - "15" + entrypoint: sleep diff --git a/test/conformance/chainsaw/ttl/permission-lack/03-check.yaml b/test/conformance/chainsaw/ttl/permission-lack/03-check.yaml new file mode 100644 index 0000000000..edd02cd29c --- /dev/null +++ b/test/conformance/chainsaw/ttl/permission-lack/03-check.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - assert: + file: resource-assert.yaml diff --git a/test/conformance/chainsaw/ttl/permission-lack/README.md b/test/conformance/chainsaw/ttl/permission-lack/README.md new file mode 100644 index 0000000000..385726707e --- /dev/null +++ b/test/conformance/chainsaw/ttl/permission-lack/README.md 
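Review bot: 03-check.yaml only asserts that `test-cm` still exists after the fixed `sleep 15` in 02-wait.yaml, which cannot distinguish "the cleanup controller was correctly denied by RBAC" from "the cleanup controller never ran or never saw the label" — the test passes vacuously in the second case. Since the point of this test is least privilege, add a precondition step that pins the reason, e.g. a script asserting the controller's identity is denied: `kubectl auth can-i delete configmaps --as=system:serviceaccount:<kyverno-ns>:<cleanup-controller-sa> | grep -q '^no$'` (the exact namespace and service-account name are not visible in this change). A widened ClusterRole would still be caught by the existing assert, but a silently disabled controller would not.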
@@ -0,0 +1,9 @@ +# ## Description + +This test must not be able to clean up config map as the service account mounted does not have required permission to cleanup the config map via the `cleanup.kyverno.io/ttl: 10s` label assignment. + +## Expected Behavior + +The pod `test-cm` is not cleaned up successfully after 10s. + +## Reference Issue(s) diff --git a/test/conformance/chainsaw/ttl/permission-lack/resource-assert.yaml b/test/conformance/chainsaw/ttl/permission-lack/resource-assert.yaml new file mode 100644 index 0000000000..dd1798a255 --- /dev/null +++ b/test/conformance/chainsaw/ttl/permission-lack/resource-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-cm + labels: + cleanup.kyverno.io/ttl: 10s diff --git a/test/conformance/chainsaw/ttl/permission-lack/resource.yaml b/test/conformance/chainsaw/ttl/permission-lack/resource.yaml new file mode 100644 index 0000000000..13e021b9d7 --- /dev/null +++ b/test/conformance/chainsaw/ttl/permission-lack/resource.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-cm + labels: + cleanup.kyverno.io/ttl: 10s +data: + foo: bar diff --git a/test/conformance/chainsaw/ttl/valid-label/01-pod.yaml b/test/conformance/chainsaw/ttl/valid-label/01-pod.yaml new file mode 100644 index 0000000000..b6172499fe --- /dev/null +++ b/test/conformance/chainsaw/ttl/valid-label/01-pod.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pod +spec: + timeouts: {} + try: + - apply: + file: pod.yaml + - assert: + file: pod-assert.yaml diff --git a/test/conformance/chainsaw/ttl/valid-label/02-wait.yaml b/test/conformance/chainsaw/ttl/valid-label/02-wait.yaml new file mode 100644 index 0000000000..369a510e2f --- /dev/null +++ b/test/conformance/chainsaw/ttl/valid-label/02-wait.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: wait +spec: + timeouts: {} + try: + - command: + args: + - "15" + entrypoint: sleep diff --git a/test/conformance/chainsaw/ttl/valid-label/03-check.yaml b/test/conformance/chainsaw/ttl/valid-label/03-check.yaml new file mode 100644 index 0000000000..7571906109 --- /dev/null +++ b/test/conformance/chainsaw/ttl/valid-label/03-check.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: check +spec: + timeouts: {} + try: + - error: + file: pod-assert.yaml diff --git a/test/conformance/chainsaw/ttl/valid-label/README.md b/test/conformance/chainsaw/ttl/valid-label/README.md new file mode 100644 index 0000000000..9f76ff1501 --- /dev/null +++ b/test/conformance/chainsaw/ttl/valid-label/README.md @@ -0,0 +1,9 @@ +# ## Description + +This test cleans up pods via a label assignment named `cleanup.kyverno.io/ttl: 10s`. + +## Expected Behavior + +The pod `test-pod` is cleaned up successfully after 10s. + +## Reference Issue(s) diff --git a/test/conformance/chainsaw/ttl/valid-label/pod-assert.yaml b/test/conformance/chainsaw/ttl/valid-label/pod-assert.yaml new file mode 100644 index 0000000000..06ec46e3f4 --- /dev/null +++ b/test/conformance/chainsaw/ttl/valid-label/pod-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + labels: + cleanup.kyverno.io/ttl: 10s \ No newline at end of file diff --git a/test/conformance/chainsaw/ttl/valid-label/pod.yaml b/test/conformance/chainsaw/ttl/valid-label/pod.yaml new file mode 100644 index 0000000000..5218083366 --- /dev/null +++ b/test/conformance/chainsaw/ttl/valid-label/pod.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-pod + labels: + cleanup.kyverno.io/ttl: 10s +spec: + containers: + - image: nginx:latest + name: nginx 
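Review bot: 02-wait.yaml hard-codes `sleep 15` before 03-check.yaml, but if chainsaw's `error:` operation polls until `pod-assert.yaml` stops matching (as `assert:` does), the sleep only adds a fixed 15s to every run, and a controller slower than the combined window still surfaces as a timeout rather than a clearer failure. Drop the wait step and make the bound explicit on the check instead, e.g. `timeouts:` / `  error: 30s` in 03-check.yaml, assuming this chainsaw version accepts per-operation timeouts in `spec.timeouts`. The same pattern repeats in the invalid-label and permission-lack tests, where a fixed sleep is the only defensible choice because those are negative checks.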
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/01-cluster-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/01-cluster-policy.yaml new file mode 100644 index 0000000000..93bea49ced --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/01-cluster-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cluster-policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/02-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/02-manifests.yaml new file mode 100644 index 0000000000..81b88514a8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/02-manifests.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: manifests +spec: + timeouts: {} + try: + - apply: + file: ns.yaml + - apply: + file: service.yaml + - assert: + file: service.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/03-path-service.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/03-path-service.yaml new file mode 100644 index 0000000000..2331253a68 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/03-path-service.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: path-service +spec: + timeouts: {} + try: + - script: + content: | + kubectl patch service podinfo -p '{"metadata":{"finalizers":["bburky.com/hax"]}}' -n apply-on-deletion-ns + kubectl delete service podinfo --wait=false -n apply-on-deletion-ns diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/04-script-patch-svc-type.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/04-script-patch-svc-type.yaml new file mode 100644 index 0000000000..cd43bd72b6 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/04-script-patch-svc-type.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script-patch-svc-type +spec: + timeouts: {} + try: + - script: + content: "if kubectl patch service podinfo -p '{\"spec\":{\"type\":\"NodePort\",\"ports\":[{\"port\":9898,\"nodePort\":32000}]}}' + -n apply-on-deletion-ns\nthen \n echo \"Tested failed. The service type cannot + be changed to NodePort\"\n exit 1 \nelse \n echo \"Test succeeded. The service + update is blocked\"\n exit 0\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/05-update-svc-label.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/05-update-svc-label.yaml new file mode 100644 index 0000000000..120e731226 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/05-update-svc-label.yaml 
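Review bot: the script in 04-script-patch-svc-type.yaml treats any non-zero exit from `kubectl patch` as success, so the step also passes when the Service is already gone (03 deletes it with `--wait=false`, relying only on the finalizer to hold it), when kubectl cannot reach the API, or when the webhook itself is unavailable and the request fails closed — none of which prove Kyverno enforced the rule on an object carrying a deletionTimestamp. Match the policy's denial message instead, mirroring the cel-messages test in this same change: `if kubectl patch service podinfo -n apply-on-deletion-ns -p '...' 2>&1 | grep -q 'Services of type NodePort are not allowed.'`. Also add `set -e` at the top of 03-path-service.yaml so a failed finalizer patch does not fall through to the delete, and the echoed string `Tested failed` reads as a typo for `Test failed`.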
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + name: podinfo + namespace: apply-on-deletion-ns + labels: + name: podinfo + namespace: apply-on-deletion-ns +spec: + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: http + port: 9898 + protocol: TCP + targetPort: http + - name: grpc + port: 9999 + protocol: TCP + targetPort: grpc + selector: + app: podinfo + sessionAffinity: None + type: ClusterIP \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/06-remove-finalizer.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/06-remove-finalizer.yaml new file mode 100644 index 0000000000..2d992d04cc --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/06-remove-finalizer.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: remove-finalizer +spec: + timeouts: {} + try: + - script: + content: | + kubectl patch service podinfo -p '{"metadata":{"finalizers":null}}' -n apply-on-deletion-ns diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/README.md new file mode 100644 index 0000000000..2492fd9c67 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/README.md 
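Review bot: 06-remove-finalizer.yaml is an ordinary `try:` step, so if 04 or 05 fails the finalizer `bburky.com/hax` is never cleared, `podinfo` stays stuck deleting, and chainsaw's cleanup of `apply-on-deletion-ns` cannot complete — the namespace is left Terminating and every later test sharing the cluster inherits that state. Move the finalizer removal into the step's `finally:` (or `catch:`) section if this chainsaw version supports it, so it runs regardless of outcome, e.g. `finally:` / `- script:` / `content: kubectl patch service podinfo -p '{"metadata":{"finalizers":null}}' -n apply-on-deletion-ns || true`. The `|| true` keeps the cleanup itself from failing when the Service is already gone.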
@@ -0,0 +1,11 @@ +## Description + +This test ensures the policy is applied on the resource to be deleted (deletionTimestamp is set). + +## Expected Behavior + +With a bogus finalizer added to the service, the resource deletion is blocked as no controller serves behind to perform deletion. During this time, when one tries to patch the service that violates the policy, the patch request should be blocked. While if the patch doesn't result in an violation it should be allowed. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/ns.yaml new file mode 100644 index 0000000000..d749e1367a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: apply-on-deletion-ns \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy-ready.yaml new file mode 100644 index 0000000000..e652590157 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-apply-on-deletion +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml new file mode 100644 index 0000000000..daeb1b478d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/policy.yaml 
@@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-apply-on-deletion +spec: + validationFailureAction: Enforce + background: true + rules: + - name: validate-nodeport + match: + any: + - resources: + kinds: + - Service + validate: + message: "Services of type NodePort are not allowed." + pattern: + spec: + =(type): "!NodePort" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/service.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/service.yaml new file mode 100644 index 0000000000..7ccc93bf48 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion/service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: podinfo + namespace: apply-on-deletion-ns +spec: + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: http + port: 9898 + protocol: TCP + targetPort: http + - name: grpc + port: 9999 + protocol: TCP + targetPort: grpc + selector: + app: podinfo + sessionAffinity: None + type: ClusterIP \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/01-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml 
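Review bot: `cpol-apply-on-deletion` is a ClusterPolicy matching every Service in the cluster with `validationFailureAction: Enforce` and `background: true`, so for the duration of this test it blocks NodePort Services created by any other test running against the same cluster and generates background reports for all existing Services. Scope the match to the namespace the test creates, adding `namespaces:` / `- apply-on-deletion-ns` under the `resources:` entry, so the fixture cannot interfere with concurrently running tests. `background: true` also appears unnecessary for a test that only exercises admission on an update.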
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/02-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/02-resources.yaml new file mode 100644 index 0000000000..0f9e6dfaa2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/02-resources.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - script: + content: "if kubectl apply -f pod-fail.yaml 2>&1 | grep -q 'host-port-pods: + hostPort must either be unset or set to 0' \nthen \n echo \"Test succeeded. + The message is displayed.\"\n exit 0\nelse \n echo \"Test failed. The + message isn't found.\"\n exit 1\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/README.md new file mode 100644 index 0000000000..3e2d1d96f8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/README.md @@ -0,0 +1,11 @@ +## Description + +This test creates a policy that uses CEL expressions to disallow host ports in pods. + +## Expected Behavior + +The pod `pod-fail` is blocked, and a message is displayed indicating the reason of failure. + +## Reference Issue(s) + +8826 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/pod-fail.yaml new file mode 100644 index 0000000000..7e2382340c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/pod-fail.yaml 
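Review bot: the script in 02-resources.yaml runs `kubectl apply -f pod-fail.yaml` for real, so if the policy ever fails to enforce, the negative test does not merely fail — it leaves `webserver-pod` bound to `hostPort: 80` on a node, and because it was created from a script rather than an `apply:` operation chainsaw will not clean it up. Probe with a server-side dry run instead, `kubectl apply --dry-run=server -f pod-fail.yaml 2>&1 | grep -q '...'`, which still passes through admission webhooks provided Kyverno's webhook permits dry-run requests, or add a `finally:` step that deletes the pod with `--ignore-not-found`. Either way the pipe hides kubectl's own exit status; with `set -o pipefail` dropped in favour of the `if`, consider asserting both that the apply failed and that the message appeared.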
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver-pod +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - hostPort: 80 + containerPort: 8080 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy-assert.yaml new file mode 100644 index 0000000000..44cefa2052 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port-in-pods +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml new file mode 100644 index 0000000000..f0764c84b8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port-in-pods + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Enforce + background: false + rules: + - name: host-port-pods + match: + any: + - resources: + kinds: + - Pod + validate: + message: "hostPort must either be unset or set to 0" + cel: + expressions: + - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))" 
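Review bot: the CEL expression in `disallow-host-port-in-pods` only walks `object.spec.containers`, so a Pod that declares `hostPort` on an `initContainers` or `ephemeralContainers` entry is admitted; the ephemeral-containers fixture in this same change already treats those two lists as first-class (`=(ephemeralContainers)` / `=(initContainers)`). It does not change what this test asserts (the message on a regular container), but these fixtures get copied as samples, so extend the expression to the other two container lists with the same port check.

```yaml
# … unchanged: metadata, match, message …
      cel:
        expressions:
          - expression: >-
              object.spec.containers.all(c, !has(c.ports) || c.ports.all(p, !has(p.hostPort) || p.hostPort == 0)) &&
              (!has(object.spec.initContainers) || object.spec.initContainers.all(c, !has(c.ports) || c.ports.all(p, !has(p.hostPort) || p.hostPort == 0))) &&
              (!has(object.spec.ephemeralContainers) || object.spec.ephemeralContainers.all(c, !has(c.ports) || c.ports.all(p, !has(p.hostPort) || p.hostPort == 0)))
```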
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/02-resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/02-resource.yaml new file mode 100644 index 0000000000..07a73f22a0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: resource.yaml + - assert: + file: resource-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/03-debug.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/03-debug.yaml new file mode 100644 index 0000000000..dc4d6d5054 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/03-debug.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: debug +spec: + timeouts: {} + try: + - command: + args: + - debug + - --image=bar.io/busybox:1.35 + - -c + - debugger + - mypod + - -n + - default + entrypoint: kubectl 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/04-debugassert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/04-debugassert.yaml new file mode 100644 index 0000000000..ae7d9b4598 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/04-debugassert.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: mypod + namespace: default +spec: + containers: + - image: bar.io/busybox:1.35 + name: busybox + ephemeralContainers: + - image: bar.io/busybox:1.35 + name: debugger \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/README.md new file mode 100644 index 0000000000..d02bb0f071 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that Kyverno is able to perform basic validation functions against ephemeral containers. + +## Expected Behavior + +The initial Pod should be successfully created. An ephemeral container, added via the `kubectl debug` imperative command, should be allowed because it does not violate the policy. If the ephemeral container is added, the test passes. If the debug is blocked, the test fails. + +## Reference Issue(s) + +6943 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy-ready.yaml new file mode 100644 index 0000000000..3061a8121c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy-ready.yaml 
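Review bot: 04-debugassert.yaml is a bare Pod document in a step-numbered file, unlike every other step in this change, which wraps its checks in a `TestStep` with `assert:`/`error:`; how chainsaw classifies a `NN-debugassert.yaml` file (assertion versus resource to apply) is not obvious from the name, and if it were applied, a Pod update carrying `ephemeralContainers` is rejected by the API server because that field is only writable through the `ephemeralcontainers` subresource. Make the intent explicit: move the Pod into `debug-assert.yaml` and replace this file with a TestStep `try:` / `- assert:` / `file: debug-assert.yaml`.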
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-image-registries +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml new file mode 100644 index 0000000000..67490ae9b6 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/policy.yaml @@ -0,0 +1,24 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-image-registries +spec: + validationFailureAction: Enforce + background: false + rules: + - name: validate-registries + match: + any: + - resources: + kinds: + - Pod + validate: + message: "Unknown image registry." + pattern: + spec: + =(ephemeralContainers): + - image: "eu.foo.io/* | bar.io/*" + =(initContainers): + - image: "eu.foo.io/* | bar.io/*" + containers: + - image: "eu.foo.io/* | bar.io/*" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/resource-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/resource-assert.yaml new file mode 100644 index 0000000000..4b0e629c95 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/resource-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: mypod + namespace: default \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/resource.yaml new file mode 100644 index 0000000000..b0bd67d92a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers/resource.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + app: busybox + name: mypod + namespace: default +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: bar.io/busybox:1.35 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/00-keda.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/00-keda.yaml new file mode 100644 index 0000000000..13c5d4b2b2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/00-keda.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: keda +spec: + timeouts: {} + try: + - apply: + file: keda.yaml + - assert: + file: keda-ready.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/01-cluster-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/01-cluster-policy.yaml new file mode 100644 index 0000000000..e8e70ecd4a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/01-cluster-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cluster-policy +spec: + timeouts: {} + try: + - apply: + file: cluster-policy.yaml + - assert: + file: cluster-policy-ready.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/02-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/02-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/02-policy.yaml 
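Review bot: 00-keda.yaml installs a third-party operator manifest (`keda.yaml`, KEDA 2.8.0 per its labels) into the shared conformance cluster, including the cluster-scoped `APIService` `v1beta1.external.metrics.k8s.io` that keda-ready.yaml waits for; if the test aborts before chainsaw's cleanup runs, or cleanup removes the backing Deployment before the APIService, the aggregation layer is left with an unavailable external-metrics API — which is exactly the discovery failure the referenced issues describe, and it would then hit every unrelated test that follows. Add a `finally:` step that removes the registration explicitly, e.g. `kubectl delete apiservice v1beta1.external.metrics.k8s.io --ignore-not-found`, and confirm the images inside keda.yaml (not visible in this chunk) are pinned by digest rather than tag.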
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/README.md new file mode 100644 index 0000000000..2a0054d0d0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/README.md @@ -0,0 +1,23 @@ +## Description + +Tests the ability to create both a ClusterPolicy and a Policy when there is an external API provider registered in the cluster but with no resources which fall under that group. + +## Expected Behavior + +Both ClusterPolicy and Policy should be successfully created. + +## Reference Issue(s) + +918 +942 +1324 +1325 +1490 +1830 +2126 +2162 +2267 +2684 +3244 +3788 +5221 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy-ready.yaml new file mode 100644 index 0000000000..5770a6453c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: external-metrics-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml new file mode 100644 index 0000000000..8a4bb5c351 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/cluster-policy.yaml 
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: external-metrics-policy
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: external-metrics-rule
+ match:
+ all:
+ - clusterRoles:
+ - evil-cr
+ resources:
+ kinds:
+ - Secret
+ validate:
+ message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
+ deny:
+ conditions:
+ any:
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: DELETE
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: UPDATE
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: CREATE
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/keda-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/keda-ready.yaml
new file mode 100644
index 0000000000..059335ea54
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/keda-ready.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keda-metrics-apiserver
+ namespace: keda
+status:
+ availableReplicas: 1
+ readyReplicas: 1
+ replicas: 1
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: scaledobjects.keda.sh
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1beta1.external.metrics.k8s.io
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/keda.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/keda.yaml
new file mode 100644
index 0000000000..982f284573
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/keda.yaml
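Review bot: The validate message interpolates `{{request.oldObject.kind}}` and `{{request.oldObject.name}}`, yet the deny conditions also match CREATE, where the admission request carries no oldObject, so the message variables cannot resolve on exactly the path a new Secret would take; a fallback such as `{{ request.object.name || request.oldObject.name }}` (and likewise for kind) covers CREATE, UPDATE and DELETE, since on DELETE only oldObject is populated. Nothing exercises the rule in this test because only the policy's Ready condition is asserted, and the same message text is duplicated into the namespaced Policy in policy.yaml, so both copies should change together. `background: false` is correctly set given the `request.*` references. The file is also missing its trailing newline.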
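Review bot: The readiness assertion only checks that the `v1beta1.external.metrics.k8s.io` APIService exists, not that the aggregated API is actually being served, so step 01 can begin while the kube-apiserver still reports the group as unavailable and the outcome becomes timing-dependent. If the intent is to give Kyverno a registered and working external API provider, assert `status: {conditions: [{type: Available, status: "True"}]}` on the APIService document; if the intent is instead to reproduce the unavailable-API discovery failures from the referenced issues, the fixture does not pin that state either and should say which one it means. A one-line comment above the APIService document stating the expected state would make the test's premise reviewable.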
@@ -0,0 +1,768 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/name: keda + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + labels: + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: scaledobjects.keda.sh +spec: + group: keda.sh + names: + kind: ScaledObject + listKind: ScaledObjectList + plural: scaledobjects + shortNames: + - so + singular: scaledobject + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.scaleTargetKind + name: ScaleTargetKind + type: string + - jsonPath: .spec.scaleTargetRef.name + name: ScaleTargetName + type: string + - jsonPath: .spec.minReplicaCount + name: Min + type: integer + - jsonPath: .spec.maxReplicaCount + name: Max + type: integer + - jsonPath: .spec.triggers[*].type + name: Triggers + type: string + - jsonPath: .spec.triggers[*].authenticationRef.name + name: Authentication + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Active")].status + name: Active + type: string + - jsonPath: .status.conditions[?(@.type=="Fallback")].status + name: Fallback + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ScaledObject is a specification for a ScaledObject resource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ScaledObjectSpec is the spec for a ScaledObject resource + properties: + advanced: + description: AdvancedConfig specifies advance scaling options + properties: + horizontalPodAutoscalerConfig: + description: HorizontalPodAutoscalerConfig specifies horizontal + scale config + properties: + behavior: + description: HorizontalPodAutoscalerBehavior configures the + scaling behavior of the target in both Up and Down directions + (scaleUp and scaleDown fields respectively). + properties: + scaleDown: + description: scaleDown is scaling policy for scaling Down. + If not set, the default value is to allow to scale down + to minReplicas pods, with a 300 second stabilization + window (i.e., the highest recommendation for the last + 300sec is used). + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and + less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. 
+ type: string + value: + description: Value contains the amount of change + which is permitted by the policy. It must + be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default value + MaxPolicySelect is used. + type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the number + of seconds for which past recommendations should + be considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than + or equal to zero and less than or equal to 3600 + (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window + is 300 seconds long).' + format: int32 + type: integer + type: object + scaleUp: + description: 'scaleUp is scaling policy for scaling Up. + If not set, the default value is the higher of: * increase + no more than 4 pods per 60 seconds * double the number + of pods per 60 seconds No stabilization is used.' + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and + less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. + type: string + value: + description: Value contains the amount of change + which is permitted by the policy. 
It must + be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default value + MaxPolicySelect is used. + type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the number + of seconds for which past recommendations should + be considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than + or equal to zero and less than or equal to 3600 + (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window + is 300 seconds long).' + format: int32 + type: integer + type: object + type: object + name: + type: string + type: object + restoreToOriginalReplicaCount: + type: boolean + type: object + cooldownPeriod: + format: int32 + type: integer + fallback: + description: Fallback is the spec for fallback options + properties: + failureThreshold: + format: int32 + type: integer + replicas: + format: int32 + type: integer + required: + - failureThreshold + - replicas + type: object + idleReplicaCount: + format: int32 + type: integer + maxReplicaCount: + format: int32 + type: integer + minReplicaCount: + format: int32 + type: integer + pollingInterval: + format: int32 + type: integer + scaleTargetRef: + description: ScaleTarget holds the a reference to the scale target + Object + properties: + apiVersion: + type: string + envSourceContainerName: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + triggers: + items: + description: ScaleTriggers reference the scaler that will be used + properties: + authenticationRef: + description: ScaledObjectAuthRef points to the TriggerAuthentication + or ClusterTriggerAuthentication object that is used to authenticate + the scaler with the environment + 
properties: + kind: + description: Kind of the resource being referred to. Defaults + to TriggerAuthentication. + type: string + name: + type: string + required: + - name + type: object + metadata: + additionalProperties: + type: string + type: object + metricType: + description: MetricTargetType specifies the type of metric being + targeted, and should be either "Value", "AverageValue", or + "Utilization" + type: string + name: + type: string + type: + type: string + required: + - metadata + - type + type: object + type: array + required: + - scaleTargetRef + - triggers + type: object + status: + description: ScaledObjectStatus is the status for a ScaledObject resource + properties: + conditions: + description: Conditions an array representation to store multiple + Conditions + items: + description: Condition to store the condition state + properties: + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. 
+ type: string + type: + description: Type of condition + type: string + required: + - status + - type + type: object + type: array + externalMetricNames: + items: + type: string + type: array + health: + additionalProperties: + description: HealthStatus is the status for a ScaledObject's health + properties: + numberOfFailures: + format: int32 + type: integer + status: + description: HealthStatusType is an indication of whether the + health status is happy or failing + type: string + type: object + type: object + hpaName: + type: string + lastActiveTime: + format: date-time + type: string + originalReplicaCount: + format: int32 + type: integer + pausedReplicaCount: + format: int32 + type: integer + resourceMetricNames: + items: + type: string + type: array + scaleTargetGVKR: + description: GroupVersionKindResource provides unified structure for + schema.GroupVersionKind and Resource + properties: + group: + type: string + kind: + type: string + resource: + type: string + version: + type: string + required: + - group + - kind + - resource + - version + type: object + scaleTargetKind: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-operator + namespace: keda +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: keda-external-metrics-reader + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-external-metrics-reader +rules: +- apiGroups: + - external.metrics.k8s.io + resources: + - '*' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 
+ name: keda-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + - configmaps/status + - events + verbs: + - '*' +- apiGroups: + - "" + resources: + - external + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - list + - watch +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get +- apiGroups: + - '*' + resources: + - '*/scale' + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - list + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - batch + resources: + - jobs + verbs: + - '*' +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - clustertriggerauthentications + - clustertriggerauthentications/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - scaledjobs + - scaledjobs/finalizers + - scaledjobs/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - scaledobjects + - scaledobjects/finalizers + - scaledobjects/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - triggerauthentications + - triggerauthentications/status + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-auth-reader + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: keda +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-hpa-controller-external-metrics + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: 
keda-hpa-controller-external-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keda-external-metrics-reader +subjects: +- kind: ServiceAccount + name: horizontal-pod-autoscaler + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keda-operator +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: keda +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-system-auth-delegator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-system-auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: keda +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: keda-metrics-apiserver + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-metrics-apiserver + namespace: keda +spec: + ports: + - name: https + port: 443 + targetPort: 6443 + - name: http + port: 80 + targetPort: 8080 + selector: + app: keda-metrics-apiserver +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: keda-metrics-apiserver + app.kubernetes.io/name: keda-metrics-apiserver + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-metrics-apiserver + namespace: keda +spec: + replicas: 1 + selector: + matchLabels: + app: keda-metrics-apiserver + template: + metadata: + labels: + app: keda-metrics-apiserver + name: keda-metrics-apiserver + spec: + containers: + - args: + - /usr/local/bin/keda-adapter + - --secure-port=6443 + - 
--logtostderr=true + - --v=0 + env: + - name: WATCH_NAMESPACE + value: "" + - name: KEDA_HTTP_DEFAULT_TIMEOUT + value: "" + image: ghcr.io/kedacore/keda-metrics-apiserver:2.8.0 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 6443 + scheme: HTTPS + initialDelaySeconds: 5 + name: keda-metrics-apiserver + ports: + - containerPort: 6443 + name: https + - containerPort: 8080 + name: http + readinessProbe: + httpGet: + path: /readyz + port: 6443 + scheme: HTTPS + initialDelaySeconds: 5 + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /tmp + name: temp-vol + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + serviceAccountName: keda-operator + volumes: + - emptyDir: {} + name: temp-vol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: keda-operator + app.kubernetes.io/component: operator + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-operator + namespace: keda +spec: + replicas: 1 + selector: + matchLabels: + app: keda-operator + template: + metadata: + labels: + app: keda-operator + name: keda-operator + name: keda-operator + spec: + containers: + - args: + - --leader-elect + - --zap-log-level=info + - --zap-encoder=console + - --zap-time-encoding=rfc3339 + command: + - /keda + env: + - name: WATCH_NAMESPACE + value: "" + - name: KEDA_HTTP_DEFAULT_TIMEOUT + value: "" + image: ghcr.io/kedacore/keda:2.8.0 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 25 + name: keda-operator + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 20 + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 
100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + serviceAccountName: keda-operator + terminationGracePeriodSeconds: 10 +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + app.kubernetes.io/name: v1beta1.external.metrics.k8s.io + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: v1beta1.external.metrics.k8s.io +spec: + group: external.metrics.k8s.io + groupPriorityMinimum: 100 + insecureSkipTLSVerify: true + service: + name: keda-metrics-apiserver + namespace: keda + version: v1beta1 + versionPriority: 100 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy-ready.yaml new file mode 100644 index 0000000000..a963ab024b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy-ready.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: external-metrics-policy-default + namespace: default +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml new file mode 100644 index 0000000000..ae4b0451e3 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics/policy.yaml 
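Review bot: The APIService at the end of this hunk sets `insecureSkipTLSVerify: true`, which makes the kube-apiserver accept any certificate from `keda-metrics-apiserver`; that is tolerable in a throwaway e2e cluster, but nothing in the file says it is a verbatim copy of the KEDA 2.8.0 release manifest kept only to register an aggregated API, and the `keda-operator` ClusterRole earlier in the hunk also grants `get` on `*/*` and list/watch on secrets cluster-wide. Add a header comment such as `# Verbatim KEDA 2.8.0 release manifest; present only to register external.metrics.k8s.io for this test. Not an install template: TLS verification is disabled on the APIService and the operator RBAC is broad.` so these settings are not mistaken for recommended ones. Both images are pinned by tag rather than digest, which is acceptable for a fixture but worth knowing if the test starts flaking after an upstream re-tag.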
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: external-metrics-policy-default
+ namespace: default
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: external-metrics-rule-default
+ match:
+ all:
+ - clusterRoles:
+ - evil-cr
+ resources:
+ kinds:
+ - Secret
+ validate:
+ message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
+ deny:
+ conditions:
+ any:
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: DELETE
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: UPDATE
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: CREATE
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/00-clusterrole.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/00-clusterrole.yaml
new file mode 100644
index 0000000000..b094e55fb2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/00-clusterrole.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:background-controller:temp
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - deployments
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - get
+ - list
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
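Review bot: The ClusterRole grants write access to `deployments` across `apiGroups: ['*']`, although Deployments live only in `apps`; narrow it to `- apps` so the aggregated role does not also cover any same-named resource in another group. Because the object carries Kyverno's `app.kubernetes.io/component: background-controller` aggregation labels it widens the background controller's privileges for as long as it exists (presumably until chainsaw's end-of-test cleanup removes it), which the `:temp` suffix hints at but does not state. A header comment such as `# Grants the background controller create/update/patch/delete on Deployments so the mutateExisting target in policy.yaml is permitted; aggregated via labels and removed with the test.` would make the purpose and lifetime explicit. The file is also missing its trailing newline.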
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/README.md
new file mode 100644
index 0000000000..d7061da4e0
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensure Schema validation should validate the target resource rather than the trigger for the mutateExisting type of policy.
+
+## Expected Behavior
+
+ClusterPolicy should be successfully created.
+
+## Reference Issue(s)
+
+6594
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/policy-assert.yaml
new file mode 100644
index 0000000000..f5fb60444d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: generate-cm-for-kube-state-metrics-crds
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/policy.yaml
new file mode 100644
index 0000000000..e8943b202f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting/policy.yaml
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: generate-cm-for-kube-state-metrics-crds
+ annotations:
+ policies.kyverno.io/description: >-
+ This policy generates and synchronizes a configmap for custom resource kube-state-metrics.
+spec:
+ generateExisting: true
+ mutateExistingOnPolicyUpdate: true
+ rules:
+ - name: restart-kube-state-metrics-on-cm-change
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - "kube-state-metrics-crds"
+ namespaces:
+ - "kube-state-metrics"
+ preconditions:
+ all:
+ - key: "{{ request.object.metadata.labels.\"kubestatemetrics.platform.example\" || '' }}"
+ operator: NotEquals
+ value: source
+ mutate:
+ targets:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: kube-state-metrics
+ namespace: kube-state-metrics
+ patchStrategicMerge:
+ spec:
+ template:
+ metadata:
+ annotations:
+ platform.cloud.allianz/triggerrestart: "{{request.object.metadata.resourceVersion}}"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/01-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/01-assert.yaml
new file mode 100644
index 0000000000..23f97ed230
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/01-assert.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: ingress-unique-host
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: my-app-ingress
+ namespace: test-ingress
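Review bot: `generateExisting: true` governs generate rules, and this policy contains only a mutate rule, so the flag is a no-op here and, together with the description annotation about generating a ConfigMap, misdescribes what the policy does; `mutateExistingOnPolicyUpdate: true` is the setting the test actually depends on. Drop `generateExisting` and reword the description to `This policy restarts the kube-state-metrics Deployment when its CRD ConfigMap changes, by stamping the trigger's resourceVersion into the pod template.` The annotation key `platform.cloud.allianz/triggerrestart` is an organisation-specific name carried over from the reporter's environment; a neutral key such as `example.com/trigger-restart` reads better in a conformance fixture. The file is also missing its trailing newline.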
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/01-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/01-manifests.yaml
new file mode 100644
index 0000000000..290c9a4113
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/01-manifests.yaml
@@ -0,0 +1,67 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: ingress-unique-host
+spec:
+ validationFailureAction: Enforce
+ failurePolicy: Fail
+ rules:
+ - name: unique-ingress-against-other-ingress-class
+ match: # match any ingress resource
+ all:
+ - resources:
+ kinds:
+ - Ingress
+ context:
+ - name: requestIngressClass
+ variable:
+ jmesPath: request.object.metadata.annotations."kubernetes.io/ingress.class"
+ # Create a list of ingresses, excluding the ingress we are currently reviewing
+ - name: ingresses
+ apiCall:
+ urlPath: '/apis/networking.k8s.io/v1/ingresses'
+ jmesPath: items[?metadata.name != '{{ request.object.metadata.name }}']
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: AnyIn
+ value:
+ - CREATE
+ - UPDATE
+ validate:
+ message: >
+ Ingress must have a unique hostname across different ingress classes
+ deny:
+ conditions:
+ any:
+ # select ingresses with ingress class that does NOT match the class of the request object
+ # compare the request object hosts against the selected set of hosts - if they match, deny
+ - key: '{{ request.object.spec.rules[].host }}'
+ operator: AnyIn
+ value: "{{ingresses[?metadata.annotations.\"kubernetes.io/ingress.class\" != '{{ request.object.metadata.annotations.\"kubernetes.io/ingress.class\" }}'].spec.rules[].host }}"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ name: my-app-ingress
+ namespace: test-ingress
+spec:
+ rules:
+ - host: my-app.myorg.io
+ http:
+ paths:
+ - backend:
+ service:
+ name: my-app-deployment
+ port:
+ number: 80
+ path: /
+ pathType: ImplementationSpecific
\ No newline at end of file
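Review bot: The `requestIngressClass` context variable is declared but never referenced; the deny condition re-reads the annotation through a nested `{{ … }}` inside the JMESPath filter instead, so the two lookups can drift apart. Either reference it, e.g. `value: "{{ ingresses[?metadata.annotations.\"kubernetes.io/ingress.class\" != '{{ requestIngressClass }}'].spec.rules[].host }}"`, or delete the unused entry. Both lookups classify Ingresses solely by the deprecated `kubernetes.io/ingress.class` annotation and ignore `spec.ingressClassName`, so every Ingress using the field is classed as null and only compared against other null-class Ingresses; that is acceptable for a lazy-evaluation fixture, but a comment such as `# classification uses the deprecated annotation only; ingressClassName is intentionally ignored in this fixture` would stop the policy being copied as a real uniqueness control. The file is also missing its trailing newline.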
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/02-teststep.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/02-teststep.yaml
new file mode 100644
index 0000000000..e869c8ee54
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/02-teststep.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: teststep
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: networking.k8s.io/v1
+ kind: Ingress
+ name: my-app-ingress
+ namespace: test-ingress
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/README.md
new file mode 100644
index 0000000000..cd39f0598d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/lazyload/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test verifies that context variables (APICalls, etc.) are lazily evaluated after pre-conditions are processed.
+
+## Expected Behavior
+
+The Ingress delete should be allowed.
+
+## Reference Issues
+
+https://github.com/kyverno/kyverno/issues/4374
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/01-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/01-assert.yaml
new file mode 100644
index 0000000000..6fe832672c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-subjectaccessreview
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/01-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/01-manifests.yaml
new file mode 100644
index 0000000000..9251b58028
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/01-manifests.yaml
@@ -0,0 +1,81 @@
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ name: kyverno:subjectaccessreviews
+rules:
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/component: admission-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+ name: kyverno:namespace-delete
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - delete
+ resourceNames:
+ - test-sar
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-sar
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: check-subjectaccessreview
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: check-sar
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ context:
+ - name: subjectaccessreview
+ apiCall:
+ urlPath: /apis/authorization.k8s.io/v1/subjectaccessreviews
+ method: POST
+ data:
+ - key: kind
+ value: SubjectAccessReview
+ - key: apiVersion
+ value: authorization.k8s.io/v1
+ - key: spec
+ value:
+ resourceAttributes:
+ resource: namespaces
+ name: "{{ request.namespace }}"
+ verb: "delete"
+ group: ""
+ #user: "{{ request.userInfo.username }}"
+ user: "system:serviceaccount:kyverno:kyverno-admission-controller"
+ validate:
+ message: "User is not authorized."
+ deny:
+ conditions:
+ any:
+ - key: "{{ subjectaccessreview.status.allowed }}"
+ operator: NotEquals
+ value: true
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/02-teststep.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/02-teststep.yaml
new file mode 100644
index 0000000000..cb3c818afe
--- /dev/null
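Review bot: The `kyverno:subjectaccessreviews` ClusterRole grants `verbs: ['*']` on subjectaccessreviews, but the policy only ever POSTs one, so `- create` is the least privilege that still works; the `app.kubernetes.io/component: admission-controller` labels presumably feed this into Kyverno's aggregated ClusterRole (no binding is visible in the hunk), which means the wildcard lands on the admission controller itself. The ClusterPolicy also matches every ConfigMap cluster-wide with `Enforce` while asking whether Kyverno may delete `{{ request.namespace }}`, so for as long as it exists any ConfigMap create outside `test-sar` (other tests, `kube-system`, Kyverno's own) is denied; scoping `match` with `namespaces: [default, test-sar]` keeps the test from bleeding into neighbours. The SAR subject is hard-coded to `system:serviceaccount:kyverno:kyverno-admission-controller` with `request.userInfo.username` commented out, so this verifies Kyverno's permissions rather than the requester's, which matches the README but deserves a comment above `user:` stating that it is intentional. Minor: the file opens with an empty line before `apiVersion`, unlike the sibling manifests.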
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/02-teststep.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: teststep +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: cm-default-ns.yaml + - apply: + file: cm-test-ns.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/README.md new file mode 100644 index 0000000000..262855246f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/README.md @@ -0,0 +1,13 @@ +## Description + +This test checks a POST operation to the Kubernetes API server for a SubjectAccessReview. It checks for delete access to the namespace of the request, and allows or denies the request. + +## Expected Behavior + +The test resource should be allowed to be created in the test namespace but not in the `default` namespace, as Kyverno cannot delete it. + +## Reference Issues + +https://github.com/kyverno/kyverno/issues/1717 + +https://github.com/kyverno/kyverno/issues/6857 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/cm-default-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/cm-default-ns.yaml new file mode 100644 index 0000000000..0b9be553e2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/cm-default-ns.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm + namespace: default +data: {} \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/cm-test-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/cm-test-ns.yaml new file mode 100644 index 0000000000..424fd590aa --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls/subjectaccessreview/cm-test-ns.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm + namespace: test-sar +data: {} \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/01-script-check-for-output.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/01-script-check-for-output.yaml new file mode 100644 index 0000000000..d2a644b51e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/01-script-check-for-output.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script-check-for-output +spec: + timeouts: {} + try: + - script: + content: "if kubectl apply -f manifests.yaml 2>&1 | grep -q 'invalid variable + used' \nthen \n echo \"Test succeeded. The phrase 'invalid variable used' + is found.\"\n exit 0\nelse \n echo \"Test failed. The phrase 'invalid + variable used' has not been found.\"\n exit 1\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/02-errors.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/02-errors.yaml new file mode 100644 index 0000000000..7a7a97568d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/02-errors.yaml 
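Review bot: The `content` value in the background-match-clusterRoles script step is a double-quoted scalar with embedded `\n` and folded continuation lines, which is hard to read and easy to corrupt on edit (the same text is duplicated for the roles, vars-roles, serviceAccountName and userInfo variants); a literal block scalar expresses the identical shell verbatim. The grep-on-output check itself is sound, but it passes as soon as the phrase appears even if the policy were nevertheless admitted, so the step depends on the separate `02-errors.yaml` asserting the policy's absence — worth a one-line comment above `- script:`. If these step files are emitted by a migration tool, make the change at the generator rather than by hand.

```yaml
- script:
    content: |
      if kubectl apply -f manifests.yaml 2>&1 | grep -q 'invalid variable used'
      then
        echo "Test succeeded. The phrase 'invalid variable used' is found."
        exit 0
      else
        echo "Test failed. The phrase 'invalid variable used' has not been found."
        exit 1
      fi
```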
@@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-match-clusterroles +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-clusterroles + match: + any: + - resources: + kinds: + - Pod + clusterRoles: + - foo-admin + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "?*" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/README.md @@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/manifests.yaml new file mode 100644 index 0000000000..7a7a97568d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-clusterRoles/manifests.yaml 
@@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-match-clusterroles +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-clusterroles + match: + any: + - resources: + kinds: + - Pod + clusterRoles: + - foo-admin + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "?*" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/01-script-check-for-output.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/01-script-check-for-output.yaml new file mode 100644 index 0000000000..d2a644b51e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/01-script-check-for-output.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script-check-for-output +spec: + timeouts: {} + try: + - script: + content: "if kubectl apply -f manifests.yaml 2>&1 | grep -q 'invalid variable + used' \nthen \n echo \"Test succeeded. The phrase 'invalid variable used' + is found.\"\n exit 0\nelse \n echo \"Test failed. The phrase 'invalid + variable used' has not been found.\"\n exit 1\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/02-errors.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/02-errors.yaml new file mode 100644 index 0000000000..28f5299a20 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/02-errors.yaml 
@@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-match-roles +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-roles + match: + any: + - resources: + kinds: + - Pod + roles: + - foo-role + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "?*" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/README.md @@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/manifests.yaml new file mode 100644 index 0000000000..28f5299a20 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-match-roles/manifests.yaml @@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-match-roles +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-roles + match: + any: + - resources: + kinds: + - Pod + roles: + - foo-role + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "?*" \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/01-script-check-for-output.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/01-script-check-for-output.yaml new file mode 100644 index 0000000000..8bf3a886f3 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/01-script-check-for-output.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script-check-for-output +spec: + timeouts: {} + try: + - script: + content: "if kubectl apply -f manifests.yaml 2>&1 | grep -q 'variable {{request.roles}} + is not allowed' \nthen \n echo \"Test succeeded. The phrase 'variable {{request.roles}} + is not allowed' is found.\"\n exit 0\nelse \n echo \"Test failed. The + phrase 'variable {{request.roles}} is not allowed' has not been found.\"\n + \ exit 1\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/02-errors.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/02-errors.yaml new file mode 100644 index 0000000000..8ddd546f19 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/02-errors.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-roles +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-vars-roles + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + foo: "{{request.roles}}" \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/README.md @@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/manifests.yaml new file mode 100644 index 0000000000..8ddd546f19 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-roles/manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-roles +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-vars-roles + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + foo: "{{request.roles}}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/01-script-check-for-output.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/01-script-check-for-output.yaml new file mode 100644 index 0000000000..87fe149843 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/01-script-check-for-output.yaml 
@@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script-check-for-output +spec: + timeouts: {} + try: + - script: + content: "if kubectl apply -f manifests.yaml 2>&1 | grep -q 'variable {{serviceAccountName}} + is not allowed' \nthen \n echo \"Test succeeded. The phrase 'variable {{serviceAccountName}} + is not allowed' is found.\"\n exit 0\nelse \n echo \"Test failed. The + phrase 'variable {{serviceAccountName}} is not allowed' has not been found.\"\n + \ exit 1\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/02-errors.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/02-errors.yaml new file mode 100644 index 0000000000..071a720227 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/02-errors.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-serviceaccountname +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-vars-serviceaccountname + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + baz: "{{serviceAccountName}}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/README.md 
@@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/manifests.yaml new file mode 100644 index 0000000000..071a720227 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-serviceAccountName/manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-serviceaccountname +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-vars-serviceaccountname + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + baz: "{{serviceAccountName}}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/01-script-check-for-output.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/01-script-check-for-output.yaml new file mode 100644 index 0000000000..84a51f07d9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/01-script-check-for-output.yaml 
@@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script-check-for-output +spec: + timeouts: {} + try: + - script: + content: "if kubectl apply -f manifests.yaml 2>&1 | grep -q 'variable {{request.userInfo}} + is not allowed' \nthen \n echo \"Test succeeded. The phrase 'variable {{request.userInfo}} + is not allowed' is found.\"\n exit 0\nelse \n echo \"Test failed. The + phrase 'variable {{request.userInfo}} is not allowed' has not been found.\"\n + \ exit 1\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/02-errors.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/02-errors.yaml new file mode 100644 index 0000000000..2534e8b57f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/02-errors.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-userinfo +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-vars-userinfo + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "{{request.userInfo}}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/README.md new file mode 100644 index 0000000000..80d57b93cf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/README.md 
@@ -0,0 +1,3 @@ +# Title + +Ensures this policy cannot be created because clusterRoles is not valid in background mode. It checks that the return failure output contains the given string and finally checks that the policy has not been created (in case somehow it returned an error, which passed, but was still created). \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/manifests.yaml new file mode 100644 index 0000000000..2534e8b57f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/background-vars-userInfo/manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: background-vars-userinfo +spec: + validationFailureAction: Audit + background: true + rules: + - name: ns-vars-userinfo + match: + any: + - resources: + kinds: + - Pod + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "{{request.userInfo}}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-assert.yaml new file mode 100644 index 0000000000..075d398147 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-manifests.yaml new file mode 100644 index 0000000000..6f0f902ec5 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/01-manifests.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-cm-lookup +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: test-cm-lookup + name: keys +data: + foo: bar +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-labels +spec: + validationFailureAction: Audit + background: true + rules: + - name: validate-labels + match: + any: + - resources: + kinds: + - Pod + context: + - name: keys + configMap: + name: keys + namespace: test-cm-lookup + validate: + pattern: + metadata: + labels: + foo: "{{ keys.data.foo }}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-assert.yaml new file mode 100644 index 0000000000..cd6d198362 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-cm-lookup-pod + namespace: test-cm-lookup \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-goodpod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-goodpod.yaml new file mode 100644 index 0000000000..74097529b4 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/02-goodpod.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-cm-lookup-pod + namespace: test-cm-lookup + labels: + foo: bar +spec: + containers: + - image: nginx + name: test-cm-lookup \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/03-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/03-assert.yaml new file mode 100644 index 0000000000..d5f9565351 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/03-assert.yaml @@ -0,0 +1,21 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: PolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + namespace: test-cm-lookup +results: +- policy: validate-labels + resources: + - apiVersion: v1 + kind: Pod + name: test-cm-lookup-pod + namespace: test-cm-lookup + result: pass + rule: validate-labels +summary: + error: 0 + fail: 0 + pass: 1 + skip: 0 + warn: 0 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md new file mode 100644 index 0000000000..cf94c9703b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md @@ -0,0 +1,11 @@ +## Description + +The configmap context lookup uses informer's cache internally, the background processing should use the same to resolve configmap context without crashing Kyverno. + +## Expected Behavior + +Policy is created successfully and the report is generated properly. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/5704 \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/01-serviceaccount.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/01-serviceaccount.yaml new file mode 100644 index 0000000000..995712f187 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/01-serviceaccount.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: serviceaccount +spec: + timeouts: {} + try: + - apply: + file: serviceaccount.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/02-rbac.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/02-rbac.yaml new file mode 100644 index 0000000000..36f4242fac --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/02-rbac.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: rbac +spec: + timeouts: {} + try: + - apply: + file: rbac.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/03-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/03-policy.yaml new file mode 100644 index 0000000000..909c002ac4 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/03-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy.yaml 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/04-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/04-pod.yaml new file mode 100644 index 0000000000..6e5d4d3e5b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/04-pod.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pod +spec: + timeouts: {} + try: + - command: + args: + - apply + - -f + - ./pod.yaml + - --as=system:serviceaccount:default:test-account + entrypoint: kubectl diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/pod.yaml new file mode 100644 index 0000000000..b16314c63a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/pod.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml new file mode 100644 index 0000000000..6afcf2b5bc --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml 
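Review bot: The `kubectl apply --as=system:serviceaccount:default:test-account` command in 04-pod.yaml passes no `-n`, and `pod.yaml` sets no `metadata.namespace`, so the Pod is created in whatever namespace the kubeconfig context selects; the RoleBinding that lets `test-account` create pods exists only in `default`, so in any other namespace (for example a runner-generated one, if chainsaw does that for `command` steps) the apply fails on RBAC before the policy is exercised and the step reports a misleading failure. Adding `- --namespace=default` to `args` (or `namespace: default` to `pod.yaml`) makes the step deterministic. The fixture also pulls `nginx:latest`; pinning a tag or digest avoids a moving image in conformance runs, though for a create-only admission test this is minor.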
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-port
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: host-port
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: "authorizer.serviceAccount('default', 'test-account').group('').resource('pods').namespace('default').check('delete').allowed()"
+ message: "The user isn't allowed to delete pods in the 'default' namespace."
+ - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))"
+ message: "The fields spec.containers[*].ports[*].hostPort must either be unset or set to `0`"
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/rbac.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/rbac.yaml
new file mode 100644
index 0000000000..13f2520426
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/rbac.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: role
+ namespace: default
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - pods
+ verbs: ["create", "update", "get", "list", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: rolebinding
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: role
+subjects:
+- namespace: default
+ kind: ServiceAccount
+ name: test-account
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/serviceaccount.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/serviceaccount.yaml
new file mode 100644
index 0000000000..feb9ff5783
--- /dev/null
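Review bot: The first CEL expression in `disallow-host-port` calls `authorizer.serviceAccount('default', 'test-account')`, which evaluates that fixed service account's permissions no matter who submits the request, so the `--as=system:serviceaccount:default:test-account` impersonation in step 04 is not what the authorizer is checking and the rule would admit the same Pod from any caller. If the intent is "the requester may delete pods in the target namespace", the request-bound form — `authorizer.requestResource.check('delete').allowed()`, assuming Kyverno exposes the same `authorizer` surface as Kubernetes VAP — ties the check to `request.userInfo`; if the intent is specifically to exercise the `serviceAccount()` builder, a comment on the expression saying so will stop a later reader from "fixing" it. The checked verb is `delete` while the gated operation is a create; that asymmetry is presumably deliberate, but the `message` should say which principal and verb were tested so a denial is diagnosable.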
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-account + namespace: default diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/01-serviceaccount.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/01-serviceaccount.yaml new file mode 100644 index 0000000000..995712f187 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/01-serviceaccount.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: serviceaccount +spec: + timeouts: {} + try: + - apply: + file: serviceaccount.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/02-rbac.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/02-rbac.yaml new file mode 100644 index 0000000000..36f4242fac --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/02-rbac.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: rbac +spec: + timeouts: {} + try: + - apply: + file: rbac.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/03-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/03-policy.yaml new file mode 100644 index 0000000000..909c002ac4 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/03-policy.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/04-deployment.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/04-deployment.yaml new file mode 100644 index 0000000000..f9a71333d4 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/04-deployment.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: deployment +spec: + timeouts: {} + try: + - script: + content: "if kubectl apply -f ./deployment.yaml --as=system:serviceaccount:default:test-account-1\nthen\n + \ echo \"Test failed. Deployment shouldn't be created.\"\n exit 1\nelse \n + \ echo \"Test succeeded. Deployment isn't created as expected.\"\n exit 0\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/deployment.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/deployment.yaml new file mode 100644 index 0000000000..b4e5a7a097 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/deployment.yaml @@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-test-1 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: nginx 
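Review bot: The `03-policy.yaml` step asserts `policy.yaml` itself rather than a `policy-assert.yaml` carrying `status.conditions[type=Ready]`, unlike the other policy steps in this commit (for example `cel-preconditions/01-policy.yaml` and `disallow-host-port/01-policy.yaml`). Asserting the spec only confirms the object exists, so the following script step can run before the webhook is configured and the deployment would then be admitted, making the test flaky. Adding a `policy-assert.yaml` with `status.conditions: [{reason: Succeeded, status: "True", type: Ready}]` for `check-deployment-replicas-1` and changing the step to `- assert:` / `file: policy-assert.yaml` matches the rest of the suite.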
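Review bot: The `04-deployment.yaml` script treats any non-zero exit from `kubectl apply --as=system:serviceaccount:default:test-account-1` as success, so the test also passes when the RoleBinding has not propagated yet, when the runner's identity lacks impersonation rights, or when the manifest is simply rejected by the API server — none of which involves the policy under test. Capturing the output and matching the policy's own message (`isn't allowed to delete deployments`, from `policy.yaml`) turns it into a positive check; a block scalar also avoids the escaped `\n`/`\ ` continuation string, which currently carries a stray trailing space in `else `. Presumably a Deployment created by a script step is not tracked by chainsaw, so if it ever is admitted it will be left behind after the test.
```yaml
  try:
    - script:
        content: |
          if out=$(kubectl apply -f ./deployment.yaml --as=system:serviceaccount:default:test-account-1 2>&1); then
            echo "Test failed. Deployment shouldn't be created."
            exit 1
          elif echo "$out" | grep -q "isn't allowed to delete deployments"; then
            echo "Test succeeded. Deployment isn't created as expected."
            exit 0
          else
            echo "Test failed for an unexpected reason: $out"
            exit 1
          fi
```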
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml new file mode 100644 index 0000000000..662dc2ea9e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-deployment-replicas-1 +spec: + validationFailureAction: Enforce + background: false + rules: + - name: deployment-replicas + match: + any: + - resources: + kinds: + - Deployment + validate: + cel: + expressions: + - expression: "authorizer.serviceAccount('default', 'test-account-1').group('apps').resource('deployments').namespace('default').check('delete').allowed()" + message: "The user isn't allowed to delete deployments in the 'default' namespace." + - expression: "object.spec.replicas <= 3" + message: "Deployment spec.replicas must be less than 3." diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/rbac.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/rbac.yaml new file mode 100644 index 0000000000..86b3ff6f2c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/rbac.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: role-1 + namespace: default +rules: + - apiGroups: + - apps + resources: + - deployments + verbs: ["create", "update", "get", "list", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rolebinding-1 + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: role-1 +subjects: +- namespace: default + kind: ServiceAccount + name: test-account-1 
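Review bot: The second expression in `policy.yaml`, `object.spec.replicas <= 3`, admits a Deployment with exactly 3 replicas, but its message says `Deployment spec.replicas must be less than 3.`, so a user who hits the rule with 4 replicas is told a bound that does not match the check. Either make the message `"Deployment spec.replicas must be at most 3."` or tighten the expression to `object.spec.replicas < 3`; since `deployment.yaml` in this test uses `replicas: 1`, neither choice changes the test outcome. It is worth noting that the test only exercises the authorizer expression, so the replicas rule is never actually triggered here.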
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/serviceaccount.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/serviceaccount.yaml new file mode 100644 index 0000000000..4a115a9b2b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-account-1 + namespace: default diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/01-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/02-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/02-resources.yaml new file mode 100644 index 0000000000..902fdd4629 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/02-resources.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - apply: + file: pod-pass.yaml + - apply: + check: + (error != null): true + file: pod-fail.yaml 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/03-sleep.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/03-sleep.yaml new file mode 100644 index 0000000000..f30782fbbe --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/03-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "4" + entrypoint: sleep diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/README.md new file mode 100644 index 0000000000..86c9fe12dd --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/README.md @@ -0,0 +1,9 @@ +## Description + +This test validates the use of `rule.celPreconditions`. +The policy will be applied on resources that matches the CEL Preconditions. + +## Expected Behavior + +The policy will be applied on `pod-fail` and since it violates the rule, it will be blocked. +The policy won't be applied on `pod-pass` because it doesn't match the CEL precondition. Therefore it will be created. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/pod-fail.yaml new file mode 100644 index 0000000000..f532677735 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/pod-fail.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-pod +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 8080 + hostPort: 80 + \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/pod-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/pod-pass.yaml new file mode 100644 index 0000000000..0f39450a86 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/pod-pass.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 8080 + hostPort: 80 + \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy-assert.yaml new file mode 100644 index 0000000000..9ee9af9fde --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port-range +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml new file mode 100644 index 0000000000..fe4ebfdb42 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml 
@@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port-range +spec: + validationFailureAction: Enforce + background: false + rules: + - name: host-port-range + match: + any: + - resources: + kinds: + - Pod + celPreconditions: + - name: "first match condition in CEL" + expression: "object.metadata.name.matches('nginx-pod')" + validate: + cel: + expressions: + - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || (port.hostPort >= 5000 && port.hostPort <= 6000)))" + message: "The only permitted hostPorts are in the range 5000-6000." diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/01-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/01-ns.yaml new file mode 100644 index 0000000000..3dee45aec0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/01-ns.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: ns +spec: + timeouts: {} + try: + - apply: + file: ns.yaml + - assert: + file: ns.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/02-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/02-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/02-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml 
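Review bot: The precondition `object.metadata.name.matches('nginx-pod')` is a regular-expression search, not an equality test, so any Pod whose name merely contains `nginx-pod` (e.g. `my-nginx-pod-2`) is also pulled into the rule; that is broader than the README's "matches the CEL precondition" wording suggests and broader than the fixtures (`nginx-pod` vs `pod`) exercise. If an exact name is intended, `object.metadata.name == 'nginx-pod'` is clearer and cheaper; if a pattern is intended, anchor it, e.g. `matches('^nginx-pod$')`. A comment on the precondition stating which of the two is meant would keep the next edit from silently changing scope.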
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/03-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/03-resources.yaml new file mode 100644 index 0000000000..2691ebb776 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/03-resources.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - apply: + file: deployments-pass.yaml + - apply: + check: + (error != null): true + file: deployments-fail.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/04-sleep.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/04-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/04-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/README.md new file mode 100644 index 0000000000..da0fd3a0df --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/README.md 
@@ -0,0 +1,20 @@ +## Description + +This test validates the use of variables in validate.cel subrule. + +This test creates the following: +1. Two namespaces: `production-ns` and `staging-ns` +2. A policy that enforces that all containers of a deployment has the image repo match the environment label of its namespace. Except for "exempt" deployments, or any containers that do not belong to the "example.com" organization For example, if the namespace has a label of {"environment": "staging"}, all container images must be either staging.example.com/* or do not contain "example.com" at all, unless the deployment has {"exempt": "true"} label. +3. Six deployments. + +## Expected Behavior + +The following deployments is blocked: +1. `deployment-fail-01`: It intended to be created in namespace `production-ns` but its container image is `staging.example.com/nginx` which violates the validation rule. +2. `deployment-fail-02`: It intended to be created in namespace `staging-ns` but its container image is `example.com/nginx` which violates the validation rule. +3. `deployment-fail-03`: It intended to be created in namespace `staging-ns` and it has a label of `exempt: "false"` but its container image is `example.com/nginx` which violates the validation rule. + +The following deployments is created: +1. `deployment-pass-01`, It is created in namespace `production-ns` and its container image is `prod.example.com/nginx`. +2. `deployment-pass-02`, It is created in namespace `staging-ns` and its container image is `staging.example.com/nginx`. +3. `deployment-pass-03`, It is created in namespace `staging-ns` and its container image is `example.com/nginx` but it has a label of `exempt: "true"` so it passes the validation rule. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/deployments-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/deployments-fail.yaml new file mode 100644 index 0000000000..19068b5f63 
--- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/deployments-fail.yaml @@ -0,0 +1,58 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-fail-01 + namespace: production-ns +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: staging.example.com/nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-fail-02 + namespace: staging-ns +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: example.com/nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-fail-03 + namespace: staging-ns + labels: + exempt: "false" +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: example.com/nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/deployments-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/deployments-pass.yaml new file mode 100644 index 0000000000..8ec7ba2e2e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/deployments-pass.yaml 
@@ -0,0 +1,58 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-pass-01 + namespace: production-ns +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: prod.example.com/nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-pass-02 + namespace: staging-ns +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: staging.example.com/nginx +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-pass-03 + namespace: staging-ns + labels: + exempt: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: example.com/nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/ns.yaml new file mode 100644 index 0000000000..a9dc28210c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/ns.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: production-ns +--- +apiVersion: v1 +kind: Namespace +metadata: + name: staging-ns + labels: + environment: staging diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy-assert.yaml new file mode 100644 index 0000000000..acb6a9fa1c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: image-matches-namespace-environment.policy.example.com +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml new file mode 100644 index 0000000000..e1274adcdf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml @@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: image-matches-namespace-environment.policy.example.com +spec: + validationFailureAction: Enforce + background: false + rules: + - name: image-matches-namespace-environment + match: + any: + - resources: + kinds: + - Deployment + validate: + cel: + variables: + - name: environment + expression: "'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'" + - name: exempt + expression: "has(object.metadata.labels) && 'exempt' in object.metadata.labels && object.metadata.labels['exempt'] == 'true'" + - name: containers + expression: "object.spec.template.spec.containers" + - name: containersToCheck + expression: "variables.containers.filter(c, c.image.contains('example.com/'))" + expressions: + - expression: "variables.exempt || variables.containersToCheck.all(c, c.image.startsWith(variables.environment + '.'))" + messageExpression: "'only ' + variables.environment + ' images are allowed in namespace ' + namespaceObject.metadata.name" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/01-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/01-ns.yaml new file mode 100644 index 0000000000..3dee45aec0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/01-ns.yaml 
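Review bot: The `environment` variable evaluates `'environment' in namespaceObject.metadata.labels` without first checking that `labels` exists, whereas the `exempt` variable on the next lines guards `object.metadata.labels` with `has(...)`. The `production-ns` namespace in `ns.yaml` is created with no labels at all, so whether `deployment-pass-01` is admitted depends on the CEL environment treating an absent map as empty rather than raising a missing-key error — I cannot confirm from the diff which behaviour Kyverno's evaluator has. Making the guard explicit, `"has(namespaceObject.metadata.labels) && 'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'"`, removes the dependency and matches the style of `exempt`. Separately, `c.image.contains('example.com/')` is a substring test, so an image such as `staging.example.com.other.io/nginx` is not considered an `example.com` image and is never checked; acceptable for a fixture, but worth a comment so nobody copies this policy as-is.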
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: ns +spec: + timeouts: {} + try: + - apply: + file: ns.yaml + - assert: + file: ns.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/02-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/02-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/02-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/03-statefulset.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/03-statefulset.yaml new file mode 100644 index 0000000000..59f11abbe6 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/03-statefulset.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: statefulset +spec: + timeouts: {} + try: + - apply: + file: statefulset-pass.yaml + - apply: + check: + (error != null): true + file: statefulset-fail.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/04-sleep.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/04-sleep.yaml new file mode 100644 index 0000000000..f30782fbbe --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/04-sleep.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "4" + entrypoint: sleep diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/README.md new file mode 100644 index 0000000000..78b4ea6bb9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/README.md @@ -0,0 +1,7 @@ +## Description + +This test creates a policy that uses CEL expressions to check if the statefulset is created in the `production` namespace or not. + +## Expected Behavior + +The statefulset `bad-statefulset` is blocked, and the statefulset `good-statefulset` is created. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/ns.yaml new file mode 100644 index 0000000000..83e1993da7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/ns.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: production +--- +apiVersion: v1 +kind: Namespace +metadata: + name: testing diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy-assert.yaml new file mode 100644 index 0000000000..d721c304a9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-statefulset-namespace +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml new file mode 100644 index 0000000000..259b0b8008 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-statefulset-namespace +spec: + validationFailureAction: Enforce + background: false + rules: + - name: statefulset-namespace + match: + any: + - resources: + kinds: + - StatefulSet + validate: + cel: + expressions: + - expression: "namespaceObject.metadata.name == 'production'" + message: "The StatefulSet must be created in the 'production' namespace." diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/statefulset-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/statefulset-fail.yaml new file mode 100644 index 0000000000..90c08772c8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/statefulset-fail.yaml @@ -0,0 +1,18 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: bad-statefulset + namespace: testing +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: nginx 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/statefulset-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/statefulset-pass.yaml new file mode 100644 index 0000000000..1f6b372ff1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/statefulset-pass.yaml @@ -0,0 +1,18 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: good-statefulset + namespace: production +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/01-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/02-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/02-resources.yaml new file mode 100644 index 0000000000..902fdd4629 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/02-resources.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - apply: + file: pod-pass.yaml + - apply: + check: + (error != null): true + file: pod-fail.yaml 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/README.md new file mode 100644 index 0000000000..d5fa6cd256 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/README.md @@ -0,0 +1,7 @@ +## Description + +This test creates a policy that uses CEL expressions to disallow host ports in pods. + +## Expected Behavior + +The pod `pod-fail` is blocked, and the pod `pod-pass` is created. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml new file mode 100644 index 0000000000..6372287332 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - hostPort: 80 + \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml new file mode 100644 index 0000000000..5c766069f2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: webserver +spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 80 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy-assert.yaml new file mode 100644 index 0000000000..a53a885448 --- /dev/null 
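Review bot: `pod-fail.yaml` and `pod-pass.yaml` both declare `metadata.name: webserver`, and `02-resources.yaml` applies `pod-pass.yaml` first and then expects `pod-fail.yaml` to error. Because the second apply targets an already existing Pod, it is an update that changes `spec.containers[].ports`, which the API server rejects as an immutable-field change independently of Kyverno, so `(error != null): true` is satisfied even if the policy is absent or broken. Give the failing fixture its own name, e.g. `name: webserver-hostport`, as `cel-preconditions` does with `nginx-pod` vs `pod`, so the error can only come from the validation rule. The same `pod-fail.yaml` also ends with a whitespace-only line before the missing trailing newline.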
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml new file mode 100644 index 0000000000..bfefda93de --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-port + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Enforce + background: false + rules: + - name: host-port + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + expressions: + - expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))" + message: "The fields spec.containers[*].ports[*].hostPort must either be unset or set to `0`" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/01-crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/01-crd.yaml new file mode 100644 index 0000000000..36684ade76 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/01-crd.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: crd +spec: + timeouts: {} + try: + - apply: + file: crd.yaml + - assert: + file: crd-assert.yaml 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/02-namespaceConstraint.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/02-namespaceConstraint.yaml new file mode 100644 index 0000000000..24667595a3 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/02-namespaceConstraint.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: namespaceConstraint +spec: + timeouts: {} + try: + - apply: + file: namespaceConstraint.yaml + - assert: + file: namespaceConstraint.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/03-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/03-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/03-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/04-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/04-ns.yaml new file mode 100644 index 0000000000..6641ed12c1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/04-ns.yaml 
@@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: ns +spec: + timeouts: {} + try: + - apply: + file: ns-pass.yaml + - apply: + check: + (error != null): true + file: ns-fail.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/README.md new file mode 100644 index 0000000000..038bde1132 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/README.md @@ -0,0 +1,12 @@ +## Description + +This test validates the use of parameter resources in validate.cel subrule. + +This test creates the following: +1. A cluster-scoped custom resource definition `NamespaceConstraint` +3. A policy that checks the namespace name using the parameter resource. +4. Two namespaces. + +## Expected Behavior + +The namespace `testing-ns` is blocked, and the namespace `production-ns` is created. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/crd-assert.yaml new file mode 100644 index 0000000000..e21ee264bf --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/crd-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: namespaceconstraints.rules.example.com +status: + acceptedNames: + kind: NamespaceConstraint + plural: namespaceconstraints + storedVersions: + - v1 \ No newline at end of file 
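Review bot: The `(error != null): true` check on the `ns-fail.yaml` apply in 04-ns.yaml only proves the create failed for some reason, not that the parameterised CEL rule denied it; an apiserver error, a CRD that is not yet served, or a policy that never became ready would all satisfy it. Since the step's check is a JMESPath expression, the admission message should be matchable, e.g. `(contains(error, 'Namespace name must be')): true`, so a regression in parameter resolution cannot hide behind an unrelated failure; I am assuming chainsaw exposes the error text in the `error` binding. The other parameter-resource steps in this change use the same bare null check and would benefit from the same tightening.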
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/crd.yaml new file mode 100644 index 0000000000..547d191e6c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/crd.yaml @@ -0,0 +1,26 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: namespaceconstraints.rules.example.com +spec: + group: rules.example.com + names: + kind: NamespaceConstraint + plural: namespaceconstraints + scope: Cluster + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + name: + type: string diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/namespaceConstraint.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/namespaceConstraint.yaml new file mode 100644 index 0000000000..65dab27e63 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/namespaceConstraint.yaml @@ -0,0 +1,5 @@ +apiVersion: rules.example.com/v1 +kind: NamespaceConstraint +metadata: + name: "namespace-constraint-test.example.com" +name: "production-ns-01" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/ns-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/ns-fail.yaml new file mode 100644 index 0000000000..7d9c90f9f9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/ns-fail.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: testing-ns-01 
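Review bot: The `openAPIV3Schema` in namespaceconstraints' crd.yaml declares `name` as an optional string, yet the policy that consumes this kind elsewhere in this change reads `params.name` unconditionally, so a NamespaceConstraint created without `name` turns every Namespace admission into a CEL evaluation error instead of a clear deny. Add `required:` / `  - name` alongside `properties:` so the apiserver rejects a parameter object the policy cannot act on. A comment in the file is also warranted: because this CRD is `scope: Cluster` and its instances are policy input, create/update rights on `namespaceconstraints.rules.example.com` are equivalent to editing the ClusterPolicy and should be granted just as sparingly.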
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/ns-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/ns-pass.yaml new file mode 100644 index 0000000000..671093e15b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/ns-pass.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: production-ns-01 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy-assert.yaml new file mode 100644 index 0000000000..28cee3049a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-namespace-name-01 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml new file mode 100644 index 0000000000..ca5716d203 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml 
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-namespace-name-01
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: namespace-name-01
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ cel:
+ paramKind:
+ apiVersion: rules.example.com/v1
+ kind: NamespaceConstraint
+ paramRef:
+ name: "namespace-constraint-test.example.com"
+ parameterNotFoundAction: "Deny"
+ expressions:
+ - expression: "object.metadata.name == params.name"
+ messageExpression: "'Namespace name must be ' + params.name"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/01-crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/01-crd.yaml
new file mode 100644
index 0000000000..36684ade76
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/01-crd.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: crd
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: crd.yaml
+ - assert:
+ file: crd-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/02-nameConstraint.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/02-nameConstraint.yaml
new file mode 100644
index 0000000000..5d7235b5f1
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/02-nameConstraint.yaml
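Review bot: `object.metadata.name == params.name` on the `- expression:` line of check-namespace-name-01 dereferences `params.name` without checking it exists, and the NamespaceConstraint schema in this change does not make `name` required, so a parameter object missing the field produces a CEL runtime error rather than a deny carrying the intended message. Guarding it as `has(params.name) && object.metadata.name == params.name` makes the rule fail closed with a normal denial on that input; `messageExpression` also concatenates `params.name`, so a plain `message:` fallback is worth adding for the same case. How Kyverno maps a CEL evaluation error onto the admission outcome is not visible in this diff, so whether the current form fails open or closed should be confirmed before this policy is reused outside the test.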
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: nameConstraint +spec: + timeouts: {} + try: + - apply: + file: nameConstraint.yaml + - assert: + file: nameConstraint.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/03-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/03-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/03-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/04-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/04-ns.yaml new file mode 100644 index 0000000000..0bab51c393 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/04-ns.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: ns +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: ns.yaml 
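Review bot: The `ns.yaml` apply in match-clusterscoped-resource/04-ns.yaml asserts only `(error != null): true`, but the README for this test says the denial must come from a namespaced parameter being unresolvable for a cluster-scoped Namespace; any other rejection (policy not ready, apiserver error, a different rule firing) passes the same check. With `parameterNotFoundAction: Deny` in the matching policy the admission message should be specific enough to pin, for example `(contains(error, 'check-namespace-name-02')): true`, assuming chainsaw surfaces the webhook message in `error`. Without that the test cannot tell the behaviour it is meant to cover from an accidental failure.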
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/README.md new file mode 100644 index 0000000000..6a1dfe495c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/README.md @@ -0,0 +1,12 @@ +## Description + +This test validates the use of parameter resources in validate.cel subrule. + +This test creates the following: +1. A namespaced custom resource definition `NameConstraint` +3. A policy that checks the namespace name using the parameter resource. +4. A namespace `testing`. + +## Expected Behavior + +Since the parameter resource is namespaced-scope and the policy matches cluster-scoped resource `Namespace`, therefore the creation of a namespace is blocked diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml new file mode 100644 index 0000000000..7c08e10e7e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: nameconstraints.rules.example.com +status: + acceptedNames: + kind: NameConstraint + plural: nameconstraints + storedVersions: + - v1 \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml new file mode 100644 index 0000000000..ed6ad995e7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml @@ -0,0 +1,26 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: nameconstraints.rules.example.com +spec: + group: rules.example.com + names: + kind: NameConstraint + plural: nameconstraints + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + name: + type: string diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml new file mode 100644 index 0000000000..dd46254c5f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml @@ -0,0 +1,5 @@ +apiVersion: rules.example.com/v1 +kind: NameConstraint +metadata: + name: "name-constraint-test.example.com" +name: "default" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml new file mode 100644 index 0000000000..dadddb459a --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: testing-01 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml new file mode 100644 index 0000000000..a540add3b7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-namespace-name-02 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml new file mode 100644 index 0000000000..e926bcc125 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml @@ -0,0 +1,25 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-namespace-name-02 +spec: + validationFailureAction: Enforce + background: false + rules: + - name: namespace-name-02 + match: + any: + - resources: + kinds: + - Namespace + validate: + cel: + paramKind: + apiVersion: rules.example.com/v1 + kind: NameConstraint + paramRef: + name: "name-constraint-test.example.com" + parameterNotFoundAction: "Deny" + expressions: + - expression: "object.metadata.name == params.name" + messageExpression: "'Namespace name must be ' + params.name" 
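Review bot: policy.yaml in match-clusterscoped-resource leaves `paramRef.namespace` unset on a `Namespaced` `paramKind` while matching the cluster-scoped `Namespace` kind, and nothing in the file says this is deliberate; the README explains that the omission is the point of the test, but a maintainer reading only the policy will see an apparently incomplete `paramRef`, add a namespace, and silently invert the test's expectation. I would add a comment above `paramRef:` such as `# intentionally no namespace: a namespaced parameter cannot be resolved for a cluster-scoped resource, so parameterNotFoundAction: Deny must reject the Namespace` so the intent survives in the file itself. The resolution behaviour described here is taken from the README, not from anything visible in the policy.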
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/01-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/01-ns.yaml new file mode 100644 index 0000000000..3dee45aec0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/01-ns.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: ns +spec: + timeouts: {} + try: + - apply: + file: ns.yaml + - assert: + file: ns.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/02-crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/02-crd.yaml new file mode 100644 index 0000000000..36684ade76 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/02-crd.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: crd +spec: + timeouts: {} + try: + - apply: + file: crd.yaml + - assert: + file: crd-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/03-replicaLimit.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/03-replicaLimit.yaml new file mode 100644 index 0000000000..b4ef0abb56 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/03-replicaLimit.yaml 
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: replicaLimit +spec: + timeouts: {} + try: + - apply: + file: replicaLimit.yaml + - assert: + file: replicaLimit.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/04-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/04-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/04-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/05-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/05-resources.yaml new file mode 100644 index 0000000000..16b3bedb32 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/05-resources.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - apply: + file: deployment-pass.yaml + - apply: + check: + (error != null): true + file: deployment-fail.yaml 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/06-sleep.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/06-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/06-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/README.md new file mode 100644 index 0000000000..55c0594938 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/README.md @@ -0,0 +1,13 @@ +## Description + +This test validates the use of parameter resources in validate.cel subrule. + +This test creates the following: +1. A namespace `test-params` +2. A namespaced custom resource definition `ReplicaLimit` +3. A policy that checks the deployment replicas using the parameter resource. The `validate.cel.paramRef.namespace` is set. +4. Two deployments. + +## Expected Behavior + +The deployment `deployment-fail` is blocked, and the deployment `deployment-pass` is created. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml new file mode 100644 index 0000000000..50c84516f6 --- /dev/null 
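Review bot: The `sleep 3` step in set-paramref-namespace/06-sleep.yaml is an unexplained fixed delay as the last step of the test; nothing in the file says what it waits for, and a hard-coded sleep is both the classic source of flaky conformance tests and easy to delete by accident. If it exists to let Kyverno finish processing before chainsaw tears down `testing-02`, say so in a comment above `- command:`, e.g. `# let the admission controller settle before chainsaw deletes testing-02`, and prefer an `assert` with a timeout over a sleep if the condition being waited for is observable. I am inferring the purpose; the commit does not state it.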
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: deploymentreplicalimits.rules.example.com +status: + acceptedNames: + kind: DeploymentReplicaLimit + plural: deploymentreplicalimits + storedVersions: + - v1 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/crd.yaml new file mode 100644 index 0000000000..b5dfd371f1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/crd.yaml @@ -0,0 +1,26 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: deploymentreplicalimits.rules.example.com +spec: + group: rules.example.com + names: + kind: DeploymentReplicaLimit + plural: deploymentreplicalimits + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + maxReplicas: + type: integer \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml new file mode 100644 index 0000000000..cc24bd227a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml 
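Review bot: `maxReplicas` in deploymentreplicalimits' crd.yaml is declared `type: integer` but is neither required nor bounded, while the policy that consumes it evaluates `object.spec.replicas <= params.maxReplicas` directly; a DeploymentReplicaLimit without the field yields a CEL error at admission time and a negative value turns the rule into a deny-all. Add `required:` / `  - maxReplicas` next to `properties:` and `minimum: 0` under the property so the apiserver enforces the contract the policy assumes. Since the parameter object is what the limit actually is, write access to this kind in `testing-02` should be treated as policy-author privilege, and a one-line comment in the CRD saying so would help whoever reuses it.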
@@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-fail +spec: + replicas: 4 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml new file mode 100644 index 0000000000..19f9b25db0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml @@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-pass +spec: + replicas: 2 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container2 + image: nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/ns.yaml new file mode 100644 index 0000000000..31556c7dcb --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: testing-02 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml new file mode 100644 index 0000000000..d94b5b3f4f --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-deployment-replicas-01
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
new file mode 100644
index 0000000000..ab29121404
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-deployment-replicas-01
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deployment-replicas-01
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ validate:
+ cel:
+ paramKind:
+ apiVersion: rules.example.com/v1
+ kind: DeploymentReplicaLimit
+ paramRef:
+ name: "replica-limit"
+ namespace: "testing-02"
+ parameterNotFoundAction: "Deny"
+ expressions:
+ - expression: "object.spec.replicas <= params.maxReplicas"
+ messageExpression: "'Deployment spec.replicas must be less than ' + string(params.maxReplicas)"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml
new file mode 100644
index 0000000000..0563910919
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml
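Review bot: The `messageExpression` in set-paramref-namespace/policy.yaml tells users replicas "must be less than" the limit, but the expression on the line above is `object.spec.replicas <= params.maxReplicas`, so a Deployment with exactly `maxReplicas` replicas is admitted while the denial text demands a lower value. Change it to `messageExpression: "'Deployment spec.replicas must be at most ' + string(params.maxReplicas)"` (or switch the operator, whichever contract is intended) so the message and the check agree. Pinning `paramRef.namespace: "testing-02"` is the right shape for a centrally managed limit, since the parameter cannot then be overridden from the workload's own namespace; a comment saying that is why the namespace is fixed would make the contrast with the unset-paramref-namespace test explicit.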
@@ -0,0 +1,6 @@ +apiVersion: rules.example.com/v1 +kind: DeploymentReplicaLimit +metadata: + name: "replica-limit" + namespace: testing-02 +maxReplicas: 3 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/01-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/01-ns.yaml new file mode 100644 index 0000000000..3dee45aec0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/01-ns.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: ns +spec: + timeouts: {} + try: + - apply: + file: ns.yaml + - assert: + file: ns.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/02-crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/02-crd.yaml new file mode 100644 index 0000000000..36684ade76 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/02-crd.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: crd +spec: + timeouts: {} + try: + - apply: + file: crd.yaml + - assert: + file: crd-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/03-replicaLimit.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/03-replicaLimit.yaml new file mode 100644 index 0000000000..b4ef0abb56 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/03-replicaLimit.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: replicaLimit +spec: + timeouts: {} + try: + - apply: + file: replicaLimit.yaml + - assert: + file: replicaLimit.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/04-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/04-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/04-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/05-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/05-resources.yaml new file mode 100644 index 0000000000..1232e1164c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/05-resources.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - apply: + file: statefulset-pass.yaml + - apply: + check: + (error != null): true + file: statefulset-fail.yaml 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/06-sleep.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/06-sleep.yaml new file mode 100644 index 0000000000..eb76ed03b9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/06-sleep.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: sleep +spec: + timeouts: {} + try: + - command: + args: + - "3" + entrypoint: sleep diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/README.md new file mode 100644 index 0000000000..4b7d700d5d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/README.md @@ -0,0 +1,13 @@ +## Description + +This test validates the use of parameter resources in validate.cel subrule. + +This test creates the following: +1. A namespace `test-params` +2. A namespaced custom resource definition `ReplicaLimit` +3. A policy that checks the statefulset replicas using the parameter resource. The `validate.cel.paramRef.namespace` is unset so it is expected to retrieve the parameter resource from the statefulset's namespace +4. Two statefulsets. + +## Expected Behavior + +The statefulset `statefulset-fail` is blocked, and the statefulset `statefulset-pass` is created. 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml new file mode 100644 index 0000000000..072eae7097 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: statefulsetreplicalimits.rules.example.com +status: + acceptedNames: + kind: StatefulSetReplicaLimit + plural: statefulsetreplicalimits + storedVersions: + - v1 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml new file mode 100644 index 0000000000..8e6d82a99b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml @@ -0,0 +1,26 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: statefulsetreplicalimits.rules.example.com +spec: + group: rules.example.com + names: + kind: StatefulSetReplicaLimit + plural: statefulsetreplicalimits + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + maxReplicas: + type: integer \ No newline at end of file 
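Review bot: `maxReplicas` in statefulsetreplicalimits' crd.yaml is optional and unbounded while the policy that consumes it reads `params.maxReplicas` directly, so a StatefulSetReplicaLimit without the field fails in CEL at admission and a negative value denies every StatefulSet rather than being rejected when the parameter object is created. Add `required:` / `  - maxReplicas` and `minimum: 0` so this CRD and the Deployment variant in the same change enforce the same contract. Because the policy resolves this kind from the admitted object's namespace, a comment noting that whoever can write these objects in a namespace controls that namespace's limit would save the next reader from assuming it is a cluster-wide quota.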
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml new file mode 100644 index 0000000000..1e4f718efa --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-params \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml new file mode 100644 index 0000000000..3f2481450a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-statefulset-replicas +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml new file mode 100644 index 0000000000..8f0ed08d44 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml 
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-statefulset-replicas
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: statefulset-replicas
+ match:
+ any:
+ - resources:
+ kinds:
+ - StatefulSet
+ validate:
+ cel:
+ paramKind:
+ apiVersion: rules.example.com/v1
+ kind: StatefulSetReplicaLimit
+ paramRef:
+ name: "replica-limit-test.example.com"
+ parameterNotFoundAction: "Deny"
+ expressions:
+ - expression: "object.spec.replicas <= params.maxReplicas"
+ messageExpression: "'StatefulSet spec.replicas must be less than ' + string(params.maxReplicas)"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml
new file mode 100644
index 0000000000..2cb6b3c48e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml
@@ -0,0 +1,6 @@
+apiVersion: rules.example.com/v1
+kind: StatefulSetReplicaLimit
+metadata:
+ name: "replica-limit-test.example.com"
+ namespace: test-params
+maxReplicas: 3
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml
new file mode 100644
index 0000000000..b880940cb7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml
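Review bot: The `messageExpression` in policy.yaml tells the user replicas "must be less than" the limit while the expression enforces `object.spec.replicas <= params.maxReplicas`, so the denial message is off by one relative to what is actually checked; `messageExpression: "'StatefulSet spec.replicas must be at most ' + string(params.maxReplicas)"` matches the predicate. Because the whole point of this fixture is that an unset `paramRef.namespace` must resolve against the StatefulSet's own namespace, a one-line comment above `paramRef` such as `# namespace intentionally unset: the param must be looked up in the request's namespace` would stop a future maintainer from "completing" it. The StatefulSet fixtures that exercise the pass and fail cases follow in the next hunks.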
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: statefulset-fail
+ namespace: test-params
+spec:
+ replicas: 4
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container2
+ image: nginx
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml
new file mode 100644
index 0000000000..18b3b9cad0
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: statefulset-pass
+ namespace: test-params
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: app
+ template:
+ metadata:
+ labels:
+ app: app
+ spec:
+ containers:
+ - name: container2
+ image: nginx
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/01-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/01-resources.yaml
new file mode 100644
index 0000000000..6433c34d01
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/01-resources.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resources.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/02-policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/02-policies.yaml
new file mode 100644
index 0000000000..6c8390bdf4
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/02-policies.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policies
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policies.yaml
+ - assert:
+ file: policies-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/03-debug.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/03-debug.yaml
new file mode 100644
index 0000000000..48aa8cbc47
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/03-debug.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: debug
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl debug --image=busybox foo\nthen \n exit 1\nelse \n exit
+ 0\nfi\n"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/README.md
new file mode 100644
index 0000000000..bb85c86815
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test creates a policy to deny the creation of ephemeral containers.
+The policy is targeting `Pod` (we implicitly add the `ephemeralcontainers` subresource) and calls `kubectl debug`, the call is expected to fail.
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies-assert.yaml
new file mode 100644
index 0000000000..48784ef1f8
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
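Review bot: The script in 03-debug.yaml treats any non-zero exit of `kubectl debug --image=busybox foo` as success, so a missing `foo` pod, a wrong kubeconfig or any kubectl error unrelated to admission makes the test pass without proving that the policy denied the ephemeralcontainers update. Capture the output and succeed only when Kyverno's denial text is present, e.g. `if kubectl debug --image=busybox foo 2>&1 | grep -q 'denied the request'; then exit 0; else exit 1; fi` (confirm the exact substring against a real denial, since the message format is not visible here). The with-subresource and with-wildcard variants later in this change use the identical script and need the same fix, and a `|-` block scalar would make the shell readable instead of the embedded `\n` sequences.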
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml
new file mode 100644
index 0000000000..94220c6ad6
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/policies.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-debug
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/resources.yaml
new file mode 100644
index 0000000000..4b440e5b4e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-pod/resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/01-policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/01-policies.yaml
new file mode 100644
index 0000000000..6c8390bdf4
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/01-policies.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policies
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policies.yaml
+ - assert:
+ file: policies-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/02-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/02-resources.yaml
new file mode 100644
index 0000000000..6433c34d01
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/02-resources.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resources.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/03-debug.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/03-debug.yaml
new file mode 100644
index 0000000000..48aa8cbc47
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/03-debug.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: debug
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl debug --image=busybox foo\nthen \n exit 1\nelse \n exit
+ 0\nfi\n"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/README.md
new file mode 100644
index 0000000000..4c814b16c3
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test creates a policy to deny the creation of ephemeral containers.
+The policy is targeting `Pod/ephemeralcontainers` and calls `kubectl debug`, the call is expected to fail.
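Review bot: As in the with-pod variant, the 03-debug.yaml script here passes whenever `kubectl debug` exits non-zero for any reason, so it cannot tell an admission denial on `Pod/ephemeralcontainers` from a missing pod or a broken kubeconfig. Grep the combined output for Kyverno's denial text and succeed only on a match, e.g. `if kubectl debug --image=busybox foo 2>&1 | grep -q 'denied the request'; then exit 0; else exit 1; fi`, with the substring confirmed against a real denial. This is the variant that actually isolates the subresource match, so a precise assertion matters most here.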
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies-assert.yaml
new file mode 100644
index 0000000000..48784ef1f8
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml
new file mode 100644
index 0000000000..66d75f0f55
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/policies.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-debug
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/ephemeralcontainers
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/resources.yaml
new file mode 100644
index 0000000000..4b440e5b4e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-subresource/resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/01-policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/01-policies.yaml
new file mode 100644
index 0000000000..6c8390bdf4
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/01-policies.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policies
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policies.yaml
+ - assert:
+ file: policies-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/02-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/02-resources.yaml
new file mode 100644
index 0000000000..6433c34d01
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/02-resources.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resources.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/03-debug.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/03-debug.yaml
new file mode 100644
index 0000000000..48aa8cbc47
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/03-debug.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: debug
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl debug --image=busybox foo\nthen \n exit 1\nelse \n exit
+ 0\nfi\n"
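Review bot: Same weakness as the other debug variants: the 03-debug.yaml script succeeds on any failure of `kubectl debug`, so a `*/ephemeralcontainers` match that silently did nothing would still pass if, say, pod `foo` were absent or the kubeconfig were wrong. Assert on the denial message instead, e.g. `if kubectl debug --image=busybox foo 2>&1 | grep -q 'denied the request'; then exit 0; else exit 1; fi` (confirm the substring against a real denial), and consider writing the script as a `|-` block scalar so the branches are readable in the YAML.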
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/README.md
new file mode 100644
index 0000000000..bb288e3ae2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test creates a policy to deny the creation of ephemeral containers.
+The policy is targeting `*/ephemeralcontainers` and calls `kubectl debug`, the call is expected to fail.
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies-assert.yaml
new file mode 100644
index 0000000000..48784ef1f8
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml
new file mode 100644
index 0000000000..64f4b261a1
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/policies.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-ephemeral-containers
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-debug
+ match:
+ any:
+ - resources:
+ kinds:
+ - '*/ephemeralcontainers'
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/resources.yaml
new file mode 100644
index 0000000000..4b440e5b4e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug/with-wildcard/resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ namespace: default
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/01-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/01-assert.yaml
new file mode 100644
index 0000000000..f2887a6ccb
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-evict-by-pod-label
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/01-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/01-manifests.yaml
new file mode 100644
index 0000000000..a367c75615
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/01-manifests.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-validate
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-evict-by-pod-label
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-evict-by-label
+ match:
+ resources:
+ kinds:
+ - Pod/eviction
+ context:
+ - name: podevictlabel
+ apiCall:
+ urlPath: "/api/v1/namespaces/{{request.namespace}}/pods/{{request.name}}"
+ jmesPath: "metadata.labels.evict"
+ validate:
+ message: Evicting Pods protected with the label 'evict=false' is forbidden.
+ deny:
+ conditions:
+ all:
+ - key: "{{ podevictlabel }}"
+ operator: Equals
+ value: "false"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ tier: frontend
+ evict: "false"
+ namespace: test-validate
+spec:
+ containers:
+ - name: nginx
+ image: nginx
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/02-script.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/02-script.yaml
new file mode 100644
index 0000000000..56804ece87
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/02-script.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: script
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: ./api-initiated-eviction.sh
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/README.md
new file mode 100644
index 0000000000..5d33f76a12
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/README.md
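Review bot: `deny-evict-by-pod-label` in 01-manifests.yaml uses the legacy `match.resources` form while the other new policies in this change (`check-statefulset-replicas`, `block-ephemeral-containers`) use `match.any`; Kyverno documents the bare `resources` form as deprecated in favour of `any`/`all`, so the fixtures should agree on one style. Change it to `match:` / `any:` / `- resources:` with the `kinds` list nested one level deeper; the exec and scale policies later in this change have the same inconsistency. Separately, the deny condition depends on `{{ podevictlabel }}` resolving for every eviction request, and a pod with no `evict` label yields no value from the apiCall — what Kyverno does with that in Enforce mode is not exercised here, so a second fixture pod without the label that is expected to evict cleanly would pin the intended behaviour down.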
@@ -0,0 +1,3 @@
+# Evicting pod with label 'evict=false' is forbidden
+
+Validate test to check that a pod with label 'evict=false' cannot be evicted. Related issue https://github.com/kyverno/kyverno/issues/4313
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/api-initiated-eviction.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/api-initiated-eviction.sh
new file mode 100755
index 0000000000..1faa823630
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/api-initiated-eviction.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -eu
+
+kubectl proxy &
+proxy_pid=$!
+echo $proxy_pid
+
+function cleanup {
+ echo "killing kubectl proxy" >&2
+ kill $proxy_pid
+}
+
+attempt_counter=0
+max_attempts=5
+
+until curl --output /dev/null -fsSL http://localhost:8001/; do
+ if [ ${attempt_counter} -eq ${max_attempts} ];then
+ echo "Max attempts reached"
+ exit 1
+ fi
+
+ attempt_counter=$((attempt_counter+1))
+ sleep 5
+done
+
+if curl -v -H 'Content-type: application/json' \
+ http://localhost:8001/api/v1/namespaces/test-validate/pods/nginx/eviction -d @eviction.json 2>&1 | grep -q "Evicting Pods protected with the label 'evict=false' is forbidden"; then
+ echo "Test succeeded. Resource was not evicted."
+ trap cleanup EXIT
+ exit 0
+else
+ echo "Tested failed. Resource was evicted."
+ trap cleanup EXIT
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/eviction.json b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/eviction.json
new file mode 100644
index 0000000000..48976c7434
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/api-initiated-pod-eviction/eviction.json
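Review bot: In api-initiated-eviction.sh the `trap cleanup EXIT` is only installed inside the final if/else, after the readiness loop, so when that loop gives up with `exit 1` at `max_attempts` the backgrounded `kubectl proxy` is never killed — and `kubectl proxy` is an unauthenticated bridge to the API server on localhost:8001, so an orphaned one outlives the test on the runner. Register the trap immediately after the process is started (`proxy_pid=$!` followed by `trap cleanup EXIT`) and delete the two copies inside the branches; quoting `kill "$proxy_pid"` while there is harmless. The test's verdict keys solely on the denial message text, which is fine for the positive case, but a transport or 404 error from curl would also fall into the else branch and be reported as "Resource was evicted", so printing the captured response before exiting would make failures diagnosable.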
@@ -0,0 +1,8 @@
+{
+ "apiVersion": "policy/v1",
+ "kind": "Eviction",
+ "metadata": {
+ "name": "nginx",
+ "namespace": "test-validate"
+ }
+}
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/01-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/01-assert.yaml
new file mode 100644
index 0000000000..29794ca537
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-exec-by-pod-label
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/01-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/01-manifests.yaml
new file mode 100644
index 0000000000..247260a02a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/01-manifests.yaml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-validate
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-exec-by-pod-label
+ annotations:
+ policies.kyverno.io/title: Block Pod Exec by Pod Label
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/minversion: 1.4.2
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ The 'exec' command may be used to gain shell access, or run other commands, in a Pod's container. While this can
+ be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
+ This policy blocks Pod exec commands to Pods having the label 'exec=false'.
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: deny-exec-by-label
+ match:
+ resources:
+ kinds:
+ - Pod/exec
+ context:
+ - name: podexeclabel
+ apiCall:
+ urlPath: "/api/v1/namespaces/{{request.namespace}}/pods/{{request.name}}"
+ jmesPath: "metadata.labels.exec"
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: Equals
+ value: CONNECT
+ validate:
+ message: Exec'ing into Pods protected with the label 'exec=false' is forbidden.
+ deny:
+ conditions:
+ all:
+ - key: "{{ podexeclabel }}"
+ operator: Equals
+ value: "false"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+ tier: frontend
+ exec: "false"
+ namespace: test-validate
+spec:
+ containers:
+ - name: nginx
+ image: nginx
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/02-script.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/02-script.yaml
new file mode 100644
index 0000000000..626963d1b0
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/02-script.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: script
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl -n test-validate exec nginx -it -- sh 2>&1 | grep -q \"Exec'ing
+ into Pods protected with the label 'exec=false' is forbidden\" \nthen \n echo
+ \"Tested failed. Exec Request was not blocked.\"\n exit 1 \nelse \n echo
+ \"Test succeeded. Exec Request was blocked.\"\n exit 0\nfi\n"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/README.md
new file mode 100644
index 0000000000..21f5680036
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/block-pod-exec-requests/README.md
@@ -0,0 +1,3 @@
+# Exec'ing into a pod
+
+Validate test to ensure pods with label `exec=false` cannot be exec'ed into.
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/01-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/01-assert.yaml
new file mode 100644
index 0000000000..e6cfe62f12
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/01-assert.yaml
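Review bot: The then/else branches in the 02-script.yaml content are inverted relative to the README in the same change and to the eviction test's script: when `grep -q` finds the policy's denial message the exec *was* blocked, yet that branch prints "Exec Request was not blocked" and exits 1, while an exec that is not denied — or any kubectl failure for another reason, since only the text is inspected — exits 0 as "blocked", so the test passes exactly when the policy does not work. Unless the intent is the opposite of what the README states, swap the branches: on a match `echo "Test succeeded. Exec Request was blocked."; exit 0`, otherwise `echo "Test failed. Exec Request was not blocked."; exit 1`. `-it` on a runner without a terminal is also likely to add a TTY warning to the grepped stream, so `-i` alone (or neither) keeps the check clean, and a `|-` block scalar would remove the escaped `\"` and `\n` sequences.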
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: nginx-test-scaling-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx-test
+ name: nginx-test
+ namespace: test-validate
+status:
+ replicas: 2
+---
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: allow-scaling-nginx-test
+ namespace: test-validate
+spec:
+ exceptions:
+ - policyName: nginx-test-scaling-policy
+ ruleNames:
+ - validate-nginx-test
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment/scale
+ names:
+ - nginx-test
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/01-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/01-manifests.yaml
new file mode 100644
index 0000000000..f712c36815
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/01-manifests.yaml
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-validate
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: nginx-test-scaling-policy
+spec:
+ background: false
+ failurePolicy: Fail
+ rules:
+ - match:
+ resources:
+ kinds:
+ - "Deployment/scale"
+ names:
+ - nginx-test
+ namespaces:
+ - test-validate
+ name: validate-nginx-test
+ validate:
+ message: 'nginx-test needs to have 2 replicas'
+ pattern:
+ spec:
+ replicas: 2
+ validationFailureAction: Enforce
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx-test
+ name: nginx-test
+ namespace: test-validate
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: nginx-test
+ template:
+ metadata:
+ labels:
+ app: nginx-test
+ spec:
+ containers:
+ - image: nginx
+ name: nginx
+---
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: allow-scaling-nginx-test
+ namespace: test-validate
+spec:
+ exceptions:
+ - policyName: nginx-test-scaling-policy
+ ruleNames:
+ - validate-nginx-test
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment/scale
+ names:
+ - nginx-test
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/02-script.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/02-script.yaml
new file mode 100644
index 0000000000..1f1aa73d71
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/02-script.yaml
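Review bot: The PolicyException `allow-scaling-nginx-test` matches `Deployment/scale` by name only, with no `namespaces` filter, whereas the rule it relaxes is scoped to `namespaces: [test-validate]`; an exception should never be broader than the rule it carves out of, otherwise a `nginx-test` Deployment in any namespace is exempt as well (whether Kyverno confines an exception to its own namespace depends on the exceptionNamespace setting, which this test does not show). Add `namespaces:` / `- test-validate` under the exception's `resources` next to `names`, and mirror it in the 01-assert.yaml in the previous hunk so the assertion checks the scoped form. The policy rule also lists `name: validate-nginx-test` after its `match` block; putting `name` first matches the other policies in this change and reads more naturally.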
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: script
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl scale deployment nginx-test --replicas=1 -n test-validate
+ 2>&1 | grep -q 'validation error: nginx-test needs to have 2 replicas' \nthen
+ \n echo \"Test failed. Resource was blocked from scaling.\"\n exit 1\nelse
+ \n echo \"Tested succeeded. Resource was allowed to scale.\"\n exit 0 \nfi\n"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/README.md
new file mode 100644
index 0000000000..cfff4ae394
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/README.md
@@ -0,0 +1,20 @@
+# ## Description
+
+This test validates that a policy blocking scaling using `Deployment/scale` resource can be bypassed using `PolicyException`.
+
+## Expected Behavior
+
+The `Deployment` is scaled.
+
+## Steps
+
+### Test Steps
+
+1. Create a `ClusterPolicy` that matches on `Deployment/scale` and blocks scaling the `Deployment`.
+2. Create a `Deployment` with the number of replicas allowed in the policy.
+3. Create a `PolicyException` for the above mentioned policy.
+4. Validate that the `Deployment` is scaled.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/5804
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/01-policy.yaml
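Review bot: The scale script in 02-script.yaml only greps for the policy's validation message, so if `kubectl scale` fails for an unrelated reason (Deployment not yet present, RBAC, wrong context) the grep misses, the else branch runs, and the test reports the scale as allowed — in a bypass test that is precisely the false positive you do not want. Capture status and output separately, e.g. `out=$(kubectl scale deployment nginx-test --replicas=1 -n test-validate 2>&1) || { echo "$out"; exit 1; }`, keep the grep as a second guard, and ideally follow with an assert that `spec.replicas` is now 1. A `|-` block scalar would also make the branches readable without the escaped quotes.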
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/02-csr-create.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/02-csr-create.yaml
new file mode 100644
index 0000000000..09ddfd4319
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/02-csr-create.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: csr-create
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: csr.yaml
+ - assert:
+ file: csr-mutated.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/README.md
new file mode 100644
index 0000000000..23387c1a82
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test mainly verifies that the JMESPath path for x509decode works for CSR does work properly.
+
+## Expected Behavior
+
+1. A policy is created to check Certificate Signing Requests and a policy that adds labels to the CSR.
+2. A CSR Resource is created and it is verified that it has the same labels.
+
+## Reference Issue(s)
+
+5858
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/csr-mutated.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/csr-mutated.yaml
new file mode 100644
index 0000000000..8a5b69b557
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/csr-mutated.yaml
@@ -0,0 +1,6 @@ +apiVersion: certificates.k8s.io/v1 +kind: CertificateSigningRequest +metadata: + name: myuser + labels: + name: angela diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/csr.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/csr.yaml new file mode 100644 index 0000000000..6c18b6fad5 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/csr.yaml @@ -0,0 +1,10 @@ +apiVersion: certificates.k8s.io/v1 +kind: CertificateSigningRequest +metadata: + name: myuser +spec: + request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZVzVuWld4aE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQTByczhJTHRHdTYxakx2dHhWTTJSVlRWMDNHWlJTWWw0dWluVWo4RElaWjBOCnR2MUZtRVFSd3VoaUZsOFEzcWl0Qm0wMUFSMkNJVXBGd2ZzSjZ4MXF3ckJzVkhZbGlBNVhwRVpZM3ExcGswSDQKM3Z3aGJlK1o2MVNrVHF5SVBYUUwrTWM5T1Nsbm0xb0R2N0NtSkZNMUlMRVI3QTVGZnZKOEdFRjJ6dHBoaUlFMwpub1dtdHNZb3JuT2wzc2lHQ2ZGZzR4Zmd4eW8ybmlneFNVekl1bXNnVm9PM2ttT0x1RVF6cXpkakJ3TFJXbWlECklmMXBMWnoyalVnald4UkhCM1gyWnVVV1d1T09PZnpXM01LaE8ybHEvZi9DdS8wYk83c0x0MCt3U2ZMSU91TFcKcW90blZtRmxMMytqTy82WDNDKzBERHk5aUtwbXJjVDBnWGZLemE1dHJRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBR05WdmVIOGR4ZzNvK21VeVRkbmFjVmQ1N24zSkExdnZEU1JWREkyQTZ1eXN3ZFp1L1BVCkkwZXpZWFV0RVNnSk1IRmQycVVNMjNuNVJsSXJ3R0xuUXFISUh5VStWWHhsdnZsRnpNOVpEWllSTmU3QlJvYXgKQVlEdUI5STZXT3FYbkFvczFqRmxNUG5NbFpqdU5kSGxpT1BjTU1oNndLaTZzZFhpVStHYTJ2RUVLY01jSVUyRgpvU2djUWdMYTk0aEpacGk3ZnNMdm1OQUxoT045UHdNMGM1dVJVejV4T0dGMUtCbWRSeEgvbUNOS2JKYjFRQm1HCkkwYitEUEdaTktXTU0xMzhIQXdoV0tkNjVoVHdYOWl4V3ZHMkh4TG1WQzg0L1BHT0tWQW9FNkpsYWFHdTlQVmkKdjlOSjVaZlZrcXdCd0hKbzZXdk9xVlA3SVFjZmg3d0drWm89Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo= + signerName: kubernetes.io/kube-apiserver-client + expirationSeconds: 86400 + usages: + - client auth \ No newline at end of file 
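Review bot: The `spec.request` in csr.yaml is an opaque base64 blob, yet the whole test hinges on its Subject CN: `validate-csr` in policy.yaml denies any CSR whose CommonName is not `angela`, and csr-mutated.yaml expects the label `name: angela` to be derived from it. A comment above `request:` stating this, e.g. `# PEM CSR with Subject CN=angela; validate-csr rejects any other CN and mutate-csr copies the CN into metadata.labels.name`, would stop the blob from being regenerated with a different subject and the test failing for a reason nobody can see. The rest of the fixture (`signerName`, `usages`, `expirationSeconds`) is ordinary client-auth CSR content and needs no change.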
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy-ready.yaml new file mode 100644 index 0000000000..21b61984d3 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy-ready.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-csr +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-csr +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml new file mode 100644 index 0000000000..8d0d254101 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/csr/policy.yaml 
@@ -0,0 +1,46 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: validate-csr +spec: + background: false + validationFailureAction: Enforce + rules: + - name: csr + match: + any: + - resources: + kinds: + - CertificateSigningRequest + validate: + message: >- + CSR created by {{ request.userInfo | to_string(@) }} + with ClusterRoles {{ request.clusterRoles | to_string(@) }} + and Roles {{ request.roles | to_string(@) }}. + Subjects and groups requested are "{{ x509_decode(base64_decode(request.object.spec.request)).Subject | to_string(@) }}" + deny: + conditions: + any: + - key: "{{ x509_decode(base64_decode(request.object.spec.request)).Subject.CommonName }}" + operator: NotEquals + value: "angela" +--- +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: mutate-csr +spec: + background: false + validationFailureAction: Enforce + rules: + - name: csr + match: + any: + - resources: + kinds: + - CertificateSigningRequest + mutate: + patchStrategicMerge: + metadata: + labels: + name: "{{ x509_decode(base64_decode(request.object.spec.request)).Subject.CommonName | to_string(@) }}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/01-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml 
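Review bot: `validationFailureAction: Enforce` on the `mutate-csr` policy has no effect because that policy contains only a mutate rule; drop it so the manifest does not suggest a validation it never performs. The test exercises only the happy path — there is no step creating a CSR with a different CommonName to confirm `validate-csr` actually denies it, nor one with a malformed `spec.request` to pin what `x509_decode(base64_decode(...))` does on bad input under Enforce (presumably a rule error, but that is worth confirming rather than assuming). A negative step using `check: (error != null): true` with such a CSR would cover the deny branch the policy's `message` and `conditions` are written for.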
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/02-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/02-pod.yaml new file mode 100644 index 0000000000..9ced8ae36f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/02-pod.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pod +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/README.md new file mode 100644 index 0000000000..6a01cc0c6b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/README.md @@ -0,0 +1,11 @@ +## Description + +This test verifies that when failurePolicy is set to to Ignore for a policy that was set to Enforce, Admission webhook denies requests when validation of a resource fails. The error should not get consumed by ignore failurePolicy + +## Expected Behavior + +The pod should be not created. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/8916 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/pod.yaml new file mode 100644 index 0000000000..472296498a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/pod.yaml 
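Review bot: `(error != null): true` in 02-pod.yaml accepts any failure of the apply, so a pod rejected for an unrelated reason (namespace missing, quota, a schema error in pod.yaml) passes the step exactly like a policy denial does. Matching the error text pins the cause, e.g. adding `(contains(error, 'disallow-annotations')): true` next to the null check, on the assumption that Kyverno's admission message names the policy. The same blanket check appears in ns-selector-with-wildcard-kind/03-pod-fail.yaml, operator-anyin-boolean/03-pod-fail.yaml and resource-apply-block/02-resource.yaml.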
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: disallow-annotations-example + namespace: default + annotations: + kyverno-policies-test/key: disallowed +spec: + containers: + - name: example + image: busybox + args: ["sleep", "infinity"] diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy-assert.yaml new file mode 100644 index 0000000000..d884d82d65 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy-assert.yaml @@ -0,0 +1,4 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-annotations diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml new file mode 100644 index 0000000000..eed8b5fc16 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml @@ -0,0 +1,24 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-annotations +spec: + background: true + failurePolicy: Ignore + rules: + - match: + all: + - resources: + kinds: + - Pod + name: disallow-annotations + validate: + message: One or more annotations is not allowed per the policies disallowed + values list. + pattern: + metadata: + =(annotations): + =(kyverno-policies-test/key): '!disallowed' + X(kyverno-policies-test/disallowed): "null" + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 
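Review bot: failure-policy-ignore-anchor/policy-assert.yaml only asserts that the `disallow-annotations` ClusterPolicy exists, not that it is Ready, unlike the other policy fixtures in this commit (csr/policy-ready.yaml, ns-selector-with-wildcard-kind/policy-assert.yaml). Since `failurePolicy: Ignore` is the property under test, the webhook must be registered before 02-pod.yaml runs; asserting on an unready policy makes the expected denial flaky. Add the same Ready condition the sibling fixtures use.
```yaml
metadata:
  name: disallow-annotations
status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready
```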
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-ns.yaml new file mode 100644 index 0000000000..3dee45aec0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-ns.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: ns +spec: + timeouts: {} + try: + - apply: + file: ns.yaml + - assert: + file: ns.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/03-pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/03-pod-fail.yaml new file mode 100644 index 0000000000..ec1d80ad3d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/03-pod-fail.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pod-fail +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: pod-fail.yaml + - apply: + file: pod-pass.yaml 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md new file mode 100644 index 0000000000..5057c54da7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md @@ -0,0 +1,13 @@ +# ## Description + +This test validates that the namespaceSelector is applied to a wildcard policy successfully. + +## Expected Behavior + +The pod `test-validate/nginx-block` is blocked, and the pod `default/nginx-pass` is created. + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6015 +https://github.com/kyverno/kyverno/issues/7771 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/ns.yaml new file mode 100644 index 0000000000..db57908a16 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/ns.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-wildcard + labels: + freeze: "true" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-fail.yaml new file mode 100644 index 0000000000..2fb33e13d5 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-fail.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + app: nginx + name: nginx-block + namespace: test-wildcard +spec: + containers: + - image: nginx + name: test \ No newline at end of file 
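Review bot: pod-fail.yaml places `nginx-block` in namespace `test-wildcard`, but the README for this test, in the same commit, says the blocked pod is `test-validate/nginx-block`; `test-wildcard` is the namespace ns.yaml creates with the `freeze: "true"` label, so the README is the stale one. A header comment on the fixture, `# Must live in the frozen namespace created by ns.yaml (label freeze: "true") so freeze-policy denies it`, would tie the two fixtures together and make a future rename harder to get wrong.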
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-pass.yaml new file mode 100644 index 0000000000..9313c2d769 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-pass.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + app: nginx + name: nginx-pass + namespace: default +spec: + containers: + - image: nginx + name: test \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy-assert.yaml new file mode 100644 index 0000000000..043c65f83d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: freeze-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml new file mode 100644 index 0000000000..8469b1ac3c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml 
@@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: freeze-policy +spec: + validationFailureAction: Enforce + background: false + rules: + - name: freeze-rule + match: + any: + - resources: + kinds: + - "*" + namespaceSelector: + matchExpressions: + - key: freeze + operator: In + values: + - "true" + validate: + message: "Namespace is frozen." + deny: {} \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-assert.yaml new file mode 100644 index 0000000000..b0bd73c54e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-manifests.yaml new file mode 100644 index 0000000000..255e4f3130 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/01-manifests.yaml @@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +spec: + background: false + rules: + - name: check-for-labels + match: + any: + - resources: + kinds: + - Deployment + preconditions: + any: + - key: "{{ request.object.metadata.namespace }}" + operator: AllNotIn + value: + - kyverno + - def* + validate: + message: "label 'app.kubernetes.io/name' is required" + pattern: + metadata: + labels: + app.kubernetes.io/name: "?*" + validationFailureAction: Enforce 
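Review bot: `freeze-policy` matches every kind with `deny: {}` and has no operation precondition, so it evaluates DELETE requests as well; once `test-wildcard` carries `freeze: "true"`, cleanup of anything the selector matches (and, if Kyverno evaluates `namespaceSelector` against a Namespace's own labels, the namespace itself) can be denied by the policy under test — worth confirming on a run rather than assuming. The exclude-namespace policies.yaml later in this chunk guards against exactly this with a `request.operation != DELETE` precondition; the same block fits under `freeze-rule`.
```yaml
    - name: freeze-rule
      # … unchanged: match / namespaceSelector …
      preconditions:
        all:
        - key: "{{ request.operation }}"
          operator: NotEquals
          value: DELETE
      validate:
        message: "Namespace is frozen."
        deny: {}
```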
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/02-script.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/02-script.yaml new file mode 100644 index 0000000000..7b77870e6a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/02-script.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script +spec: + timeouts: {} + try: + - script: + content: | + if kubectl apply -f resource.yaml 2>&1 | grep -q "label ''app.kubernetes.io/name'' is required" + then + echo "Test succeeded. Resource was blocked from label." + exit 0 + else + echo "Tested failed. Resource was allowed to create." + exit 1 + fi diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/03-deployment.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/03-deployment.yaml new file mode 100644 index 0000000000..cf53ab73b8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/03-deployment.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nginx + name: nginx + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - image: nginx + name: nginx diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/04-delete.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/04-delete.yaml new file mode 100644 index 0000000000..5e8150cd0e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/04-delete.yaml 
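Review bot: The doubled single quotes in `grep -q "label ''app.kubernetes.io/name'' is required"` sit inside a `|` block scalar, where `''` is two literal characters rather than a YAML escape; that presumably matches Kyverno's admission message, which renders the rule message YAML-quoted, but a reader will take it for a leftover from a single-quoted scalar and "fix" it. A comment in the script, `# kyverno renders the rule message YAML-quoted, so the single quotes appear doubled`, keeps the pattern from being silently broken. Separately, this script creates the `test-validate` Namespace and a Deployment through `kubectl apply` rather than a chainsaw `apply` step, so chainsaw does not track them for cleanup; 04-delete.yaml removes only the `nginx` Deployment in `default`, and the namespace is left behind for later tests.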
@@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: delete +spec: + timeouts: {} + try: + - delete: + apiVersion: apps/v1 + kind: Deployment + name: nginx + namespace: default diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/README.md new file mode 100644 index 0000000000..956f6a058e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/README.md @@ -0,0 +1,13 @@ +## Description + +This test mainly verifies that the operator AllNotIn does not work properly. + +## Expected Behavior + +1. The clusterpolicy is created correctly. +2. Failed to create resources in test-validate namespace because the deployment lacks of label. +3. Successfully created deployment in default because 'def*' is within the value of AllNotIn. + +## Reference Issue(s) + +5617 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/resource.yaml new file mode 100644 index 0000000000..c988d4899d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-allnotin-01/resource.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-validate +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nginx-test + name: nginx-test + namespace: test-validate +spec: + replicas: 1 + selector: + matchLabels: + app: nginx-test + template: + metadata: + labels: + app: nginx-test + spec: + containers: + - image: nginx + name: nginx 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml new file mode 100644 index 0000000000..6bf3852832 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml @@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: operator-anyin-boolean-cpol + # annotations: + # pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Enforce + background: false + rules: + - name: check-commands + match: + any: + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ length(request.object.spec.containers[].livenessProbe.exec.command[] || `[]`) }}" + operator: GreaterThan + value: 0 + - key: "{{ request.operation }}" + operator: NotEquals + value: DELETE + validate: + message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes. + deny: + conditions: + any: + - key: true + operator: AnyIn + value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml new file mode 100644 index 0000000000..7e920d3527 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: operator-anyin-boolean-cpol +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
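Review bot: The deny condition in `check-commands` only tests `regex_match('\\bjcmd\\b', @)`, yet `message` tells the user that `jcmd`, `ps` and `ls` are all forbidden; the pod fixture's container04 runs `cat | ls -l` and would not be caught by this rule on its own. Either widen the pattern to `'\\b(jcmd|ps|ls)\\b'` or narrow the message to what is checked, so the test documents the behaviour it pins. The commented-out `annotations:` / `pod-policies.kyverno.io/autogen-controllers: none` lines under `metadata` are dead config and should go or be explained, and the README in this directory describes the operator as `AllIn` while the rule uses `AnyIn`.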
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml new file mode 100644 index 0000000000..ddb18226e1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: pod-fail +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: pod.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md new file mode 100644 index 0000000000..a18f638bb5 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md @@ -0,0 +1,12 @@ +## Description + +This test mainly verifies that the operator AllIn work properly with the boolean comparison. + +## Expected Behavior + +1. The clusterpolicy is created correctly. +2. Failed to create resources in because the deny condition is true. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7045 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml new file mode 100644 index 0000000000..ee459edcfd --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: operator-anyin-boolean-pod +spec: + containers: + - name: container01 + image: czjunkfoo + livenessProbe: + exec: + command: + - /bin/sh + - -c + - jcmd | grep Main + - name: container02 + image: czjunkfoo + - name: container03 + image: czjunkfoo + livenessProbe: + httpGet: + port: 8080 + - name: container04 + image: czjunkfoo + livenessProbe: + exec: + command: + - /bin/sh + - -c + - cat | ls -l \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/01-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/01-assert.yaml new file mode 100644 index 0000000000..d3fab0a660 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-owner +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/01-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/01-manifests.yaml new file mode 100644 index 0000000000..86c1bf0e2f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/01-manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-owner +spec: + validationFailureAction: Enforce + background: false + rules: + - name: check-owner + match: + any: + - resources: + kinds: + - Namespace + validate: + message: The `owner` label is required for all Namespaces. + pattern: + metadata: + labels: + owner: "?*" \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/02-resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/02-resource.yaml new file mode 100644 index 0000000000..36f9a5b5d3 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: resource.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/03-errors.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/03-errors.yaml new file mode 100644 index 0000000000..0950676715 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/03-errors.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: mytestingns + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/README.md new file mode 100644 index 0000000000..b9ed7e236e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/README.md @@ -0,0 +1,3 @@ +# Title + +Basic validate test to check that a violating resource cannot be created when the policy is in enforce mode. \ No newline at end of file 
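Review bot: resource-apply-block/03-errors.yaml is not referenced by any step in this directory — 02-resource.yaml applies `resource.yaml`, which has identical content (both files carry blob id 0950676715) — so it is a kuttl-style leftover with no role under chainsaw. Drop it, or if it is meant as a second negative case give it a step of its own; an unreferenced fixture invites divergence from the copy that is actually applied.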
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/resource.yaml new file mode 100644 index 0000000000..0950676715 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/resource-apply-block/resource.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: mytestingns + labels: + app-type: corp + annotations: + cloud.platformzero.com/serviceClass: "xl2" \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/01-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/01-assert.yaml new file mode 100644 index 0000000000..28ed7ef9d1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/01-assert.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: nginx-test-scaling-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nginx-test + name: nginx-test + namespace: test-validate +status: + replicas: 2 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/01-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/01-manifests.yaml new file mode 100644 index 0000000000..89a7eb6d8b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/01-manifests.yaml 
@@ -0,0 +1,49 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-validate +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: nginx-test-scaling-policy +spec: + background: false + failurePolicy: Fail + rules: + - match: + resources: + kinds: + - "Deployment/scale" + names: + - nginx-test + namespaces: + - test-validate + name: validate-nginx-test + validate: + message: 'nginx-test needs to have 2 replicas' + pattern: + spec: + replicas: 2 + validationFailureAction: Enforce +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nginx-test + name: nginx-test + namespace: test-validate +spec: + replicas: 2 + selector: + matchLabels: + app: nginx-test + template: + metadata: + labels: + app: nginx-test + spec: + containers: + - image: nginx + name: nginx \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/02-script.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/02-script.yaml new file mode 100644 index 0000000000..569eeda791 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/02-script.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script +spec: + timeouts: {} + try: + - script: + content: "if kubectl scale deployment nginx-test --replicas=1 -n test-validate + 2>&1 | grep -q 'validation error: nginx-test needs to have 2 replicas' \nthen + \n echo \"Test succeeded. Resource was blocked from scaling.\"\n exit 0\nelse + \n echo \"Tested failed. Resource was allowed to scale.\"\n exit 1 \nfi\n" 
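Review bot: `nginx-test-scaling-policy` uses the bare `match.resources` form while every other policy in this chunk wraps the selector in `match.any`; for consistency it is worth rewriting as `match:` / `any:` / `- resources:` with the same `kinds`, `names` and `namespaces` underneath. This manifest also creates a Namespace literally named `test-validate`, the same name the operator-allnotin-01 script creates with `kubectl apply` and never deletes; if both tests run in one cluster the second creation meets a leftover, so a test-specific namespace name would isolate them.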
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/README.md new file mode 100644 index 0000000000..51806ff45e --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/scaling-with-kubectl-scale/README.md @@ -0,0 +1,3 @@ +# Scaling with kubectl scale + +Validate test to check that a resource can't be scaled through the `kubectl scale` command. Related issue https://github.com/kyverno/kyverno/issues/3118 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/01-policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/01-policies.yaml new file mode 100644 index 0000000000..6c8390bdf4 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/01-policies.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policies +spec: + timeouts: {} + try: + - apply: + file: policies.yaml + - assert: + file: policies-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/02-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/02-resources.yaml new file mode 100644 index 0000000000..6433c34d01 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/02-resources.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - apply: + file: resources.yaml 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/README.md new file mode 100644 index 0000000000..60c371ca2f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/README.md @@ -0,0 +1,11 @@ +## Description + +This test creates a policy to validate all resources have a `foo: bar` label. +The policy matches on a wildcard but excludes a whole Namespace. +The net result should be any Namespaced resource in the excluded Namespace should not be processed. +It then creates a configmap in the default namespace that doesn't have the expected label. + + +## Expected Behavior + +The configmap should be created successfully as it is excluded by the policy. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies-assert.yaml new file mode 100644 index 0000000000..7149accf8d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-label +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml new file mode 100644 index 0000000000..b339516f26 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/policies.yaml 
@@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-label +spec: + validationFailureAction: Enforce + background: false + rules: + - name: require-label + match: + any: + - resources: + kinds: + - "*" + exclude: + any: + - resources: + namespaces: + - default + preconditions: + all: + - key: "{{ request.operation }}" + operator: NotEquals + value: DELETE + validate: + message: 'Test' + pattern: + metadata: + labels: + foo: bar diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/resources.yaml new file mode 100644 index 0000000000..1746b5de27 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/exclude/exclude-namespace/resources.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-name + namespace: default diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/00-crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/00-crd.yaml new file mode 100644 index 0000000000..b5096b7a9f --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/00-crd.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: crd +spec: + timeouts: {} + try: + - apply: + file: crd.yaml + - assert: + file: crd-ready.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/01-crd-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/01-crd-1.yaml new file mode 100644 index 0000000000..9153fd8bc8 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/01-crd-1.yaml 
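Review bot: `kinds: ["*"]` together with `validationFailureAction: Enforce` and an `exclude` that names only the `default` namespace means every admission request outside `default` — including cluster-scoped kinds such as Namespaces or CRDs, which carry no namespace for the exclude to match, as far as Kyverno's default resource filters let them through — is denied unless it carries `foo: bar` for as long as this policy is installed. If other chainsaw tests in this suite can run against the same cluster at the same time, this fixture can fail them; narrowing the match to the kind actually exercised (`kinds: [ConfigMap]`) or pairing the wildcard with `validationFailureAction: Audit` would still test namespace exclusion with a much smaller blast radius. The `message: 'Test'` also gives a denied user no hint of the requirement; something like `message: "label foo=bar is required"` is what ends up in the kubectl error output and makes a rejected apply self-explanatory.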
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: crd-1 +spec: + timeouts: {} + try: + - apply: + file: crd-1.yaml + - assert: + file: crd-ready-1.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/02-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/02-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/02-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/03-task.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/03-task.yaml new file mode 100644 index 0000000000..6e15eef2ee --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/03-task.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: task +spec: + timeouts: {} + try: + - apply: + file: task.yaml + - assert: + file: task.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/README.md new file mode 100644 index 0000000000..adf720e182 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/README.md @@ -0,0 +1,3 @@ +# Title + +Checks that a ClusterPolicy with multiple custom resources validate the GVK as defined in the policy. \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd-1.yaml new file mode 100644 index 0000000000..f8fd7eb6eb --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd-1.yaml 
@@ -0,0 +1,890 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: dbclusters.docdb.aws.crossplane.io +spec: + group: docdb.aws.crossplane.io + names: + categories: + - crossplane + - managed + - aws + kind: DBCluster + listKind: DBClusterList + plural: dbclusters + singular: dbcluster + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: DBCluster is the Schema for the DBClusters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DBClusterSpec defines the desired state of DBCluster + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. 
+ enum: + - Orphan + - Delete + type: string + forProvider: + description: DBClusterParameters defines the desired state of DBCluster + properties: + applyImmediately: + description: "A value that specifies whether the changes in this + request and any pending changes are asynchronously applied as + soon as possible, regardless of the PreferredMaintenanceWindow + setting for the cluster. If this parameter is set to false, + changes to the cluster are applied during the next maintenance + window. \n The ApplyImmediately parameter affects only the NewDBClusterIdentifier + and MasterUserPassword values. If you set this parameter value + to false, the changes to the NewDBClusterIdentifier and MasterUserPassword + values are applied during the next maintenance window. All other + changes are applied immediately, regardless of the value of + the ApplyImmediately parameter. \n Default: false" + type: boolean + availabilityZones: + description: A list of Amazon EC2 Availability Zones that instances + in the cluster can be created in. + items: + type: string + type: array + backupRetentionPeriod: + description: "The number of days for which automated backups are + retained. You must specify a minimum value of 1. \n Default: + 1 \n Constraints: \n * Must be a value from 1 to 35." + format: int64 + type: integer + dbClusterParameterGroupName: + description: The name of the cluster parameter group to associate + with this cluster. + type: string + dbClusterParameterGroupNameRef: + description: A Reference to a named object. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbClusterParameterGroupNameSelector: + description: A Selector selects an object. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + dbSubnetGroupName: + description: "A subnet group to associate with this cluster. \n + Constraints: Must match the name of an existing DBSubnetGroup. + Must not be default. \n Example: mySubnetgroup" + type: string + dbSubnetGroupNameRef: + description: A Reference to a named object. + properties: + name: + description: Name of the referenced object. 
+ type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbSubnetGroupNameSelector: + description: A Selector selects an object. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object + deletionProtection: + description: Specifies whether this cluster can be deleted. If + DeletionProtection is enabled, the cluster cannot be deleted + unless it is modified and DeletionProtection is disabled. DeletionProtection + protects clusters from being accidentally deleted. + type: boolean + destinationRegion: + description: DestinationRegion is used for presigning the request + to a given region. + type: string + enableCloudwatchLogsExports: + description: A list of log types that need to be enabled for exporting + to Amazon CloudWatch Logs. You can enable audit logs or profiler + logs. For more information, see Auditing Amazon DocumentDB Events + (https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html) + and Profiling Amazon DocumentDB Operations (https://docs.aws.amazon.com/documentdb/latest/developerguide/profiling.html). + items: + type: string + type: array + engine: + description: "The name of the database engine to be used for this + cluster. \n Valid values: docdb" + type: string + engineVersion: + description: The version number of the database engine to use. + The --engine-version will default to the latest major engine + version. For production workloads, we recommend explicitly declaring + this parameter with the intended major engine version. + type: string + finalDBSnapshotIdentifier: + description: "The cluster snapshot identifier of the new cluster + snapshot created when SkipFinalSnapshot is set to false. \n + Specifying this parameter and also setting the SkipFinalShapshot + parameter to true results in an error. \n Constraints: \n * + Must be from 1 to 255 letters, numbers, or hyphens. \n * The + first character must be a letter. \n * Cannot end with a hyphen + or contain two consecutive hyphens." + type: string + globalClusterIdentifier: + description: The cluster identifier of the new global cluster. 
+ type: string + kmsKeyID: + description: "The KMS key identifier for an encrypted cluster. + \n The KMS key identifier is the Amazon Resource Name (ARN) + for the KMS encryption key. If you are creating a cluster using + the same account that owns the KMS encryption key that is used + to encrypt the new cluster, you can use the KMS key alias instead + of the ARN for the KMS encryption key. \n If an encryption key + is not specified in KmsKeyId: \n * If the StorageEncrypted parameter + is true, Amazon DocumentDB uses your default encryption key. + \n KMS creates the default encryption key for your account. + Your account has a different default encryption key for each + Regions." + type: string + kmsKeyIDRef: + description: 'TODO(haarchri): when resource is bumped to beta + we will convert this field to kmsKeyIdRef' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + kmsKeyIDSelector: + description: 'TODO(haarchri): when resource is bumped to beta + we will convert this field to kmsKeyIdSelector' + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. 
+ type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + masterUserPasswordSecretRef: + description: "MasterUserPasswordSecretRef references the secret + that contains the password for the master database user. This + password can contain any printable ASCII character except forward + slash (/), double quote (\"), or the \"at\" symbol (@). \n Constraints: + Must contain from 8 to 100 characters." + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + masterUsername: + description: "The name of the master user for the cluster. \n + Constraints: \n * Must be from 1 to 63 letters or numbers. \n + * The first character must be a letter. \n * Cannot be a reserved + word for the chosen database engine." + type: string + port: + description: The port number on which the instances in the cluster + accept connections. + format: int64 + type: integer + preSignedURL: + description: Not currently supported. 
+ type: string + preferredBackupWindow: + description: "The daily time range during which automated backups + are created if automated backups are enabled using the BackupRetentionPeriod + parameter. \n The default is a 30-minute window selected at + random from an 8-hour block of time for each Region. \n Constraints: + \n * Must be in the format hh24:mi-hh24:mi. \n * Must be in + Universal Coordinated Time (UTC). \n * Must not conflict with + the preferred maintenance window. \n * Must be at least 30 minutes." + type: string + preferredMaintenanceWindow: + description: "The weekly time range during which system maintenance + can occur, in Universal Coordinated Time (UTC). \n Format: ddd:hh24:mi-ddd:hh24:mi + \n The default is a 30-minute window selected at random from + an 8-hour block of time for each Region, occurring on a random + day of the week. \n Valid days: Mon, Tue, Wed, Thu, Fri, Sat, + Sun \n Constraints: Minimum 30-minute window." + type: string + region: + description: Region is which region the DBCluster will be created. + type: string + skipFinalSnapshot: + description: "Determines whether a final cluster snapshot is created + before the cluster is deleted. If true is specified, no cluster + snapshot is created. If false is specified, a cluster snapshot + is created before the DB cluster is deleted. \n If SkipFinalSnapshot + is false, you must specify a FinalDBSnapshotIdentifier parameter. + \n Default: false" + type: boolean + sourceRegion: + description: SourceRegion is the source region where the resource + exists. This is not sent over the wire and is only used for + presigning. This value should always have the same region as + the source ARN. + type: string + storageEncrypted: + description: Specifies whether the cluster is encrypted. + type: boolean + tags: + description: The tags to be assigned to the cluster. 
+ items: + properties: + key: + type: string + value: + type: string + type: object + type: array + vpcSecurityGroupIDs: + description: A list of EC2 VPC security groups to associate with + this cluster. + items: + type: string + type: array + vpcSecurityGroupIDsRefs: + description: 'TODO(haarchri): when resource is bumped to beta + we will convert this field to vpcSecurityGroupIdRefs' + items: + description: A Reference to a named object. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution + of this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which + will attempt to resolve the reference only when the + corresponding field is not present. Use 'Always' to + resolve the reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + type: array + vpcSecurityGroupIDsSelector: + description: 'TODO(haarchri): when resource is bumped to beta + we will convert this field to vpcSecurityGroupIdSelector' + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + required: + - engine + - region + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. 
This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: DBClusterStatus defines the observed state of DBCluster. + properties: + atProvider: + description: DBClusterObservation defines the observed state of DBCluster + properties: + associatedRoles: + description: Provides a list of the Identity and Access Management + (IAM) roles that are associated with the cluster. (IAM) roles + that are associated with a cluster grant permission for the + cluster to access other Amazon Web Services services on your + behalf. + items: + properties: + roleARN: + type: string + status: + type: string + type: object + type: array + clusterCreateTime: + description: Specifies the time when the cluster was created, + in Universal Coordinated Time (UTC). + format: date-time + type: string + dbClusterARN: + description: The Amazon Resource Name (ARN) for the cluster. + type: string + dbClusterIdentifier: + description: Contains a user-supplied cluster identifier. This + identifier is the unique key that identifies a cluster. + type: string + dbClusterMembers: + description: Provides the list of instances that make up the cluster. + items: + properties: + dbClusterParameterGroupStatus: + type: string + dbInstanceIdentifier: + type: string + isClusterWriter: + type: boolean + promotionTier: + format: int64 + type: integer + type: object + type: array + dbClusterParameterGroup: + description: Specifies the name of the cluster parameter group + for the cluster. + type: string + dbClusterResourceID: + description: The Region-unique, immutable identifier for the cluster. 
+ This identifier is found in CloudTrail log entries whenever + the KMS key for the cluster is accessed. + type: string + dbSubnetGroup: + description: Specifies information on the subnet group that is + associated with the cluster, including the name, description, + and subnets in the subnet group. + type: string + earliestRestorableTime: + description: The earliest time to which a database can be restored + with point-in-time restore. + format: date-time + type: string + enabledCloudwatchLogsExports: + description: A list of log types that this cluster is configured + to export to Amazon CloudWatch Logs. + items: + type: string + type: array + endpoint: + description: Specifies the connection endpoint for the primary + instance of the cluster. + type: string + hostedZoneID: + description: Specifies the ID that Amazon Route 53 assigns when + you create a hosted zone. + type: string + latestRestorableTime: + description: Specifies the latest time to which a database can + be restored with point-in-time restore. + format: date-time + type: string + multiAZ: + description: Specifies whether the cluster has instances in multiple + Availability Zones. + type: boolean + percentProgress: + description: Specifies the progress of the operation as a percentage. + type: string + readReplicaIdentifiers: + description: Contains one or more identifiers of the secondary + clusters that are associated with this cluster. + items: + type: string + type: array + readerEndpoint: + description: "The reader endpoint for the cluster. The reader + endpoint for a cluster load balances connections across the + Amazon DocumentDB replicas that are available in a cluster. + As clients request new connections to the reader endpoint, Amazon + DocumentDB distributes the connection requests among the Amazon + DocumentDB replicas in the cluster. This functionality can help + balance your read workload across multiple Amazon DocumentDB + replicas in your cluster. 
\n If a failover occurs, and the Amazon + DocumentDB replica that you are connected to is promoted to + be the primary instance, your connection is dropped. To continue + sending your read workload to other Amazon DocumentDB replicas + in the cluster, you can then reconnect to the reader endpoint." + type: string + replicationSourceIdentifier: + description: Contains the identifier of the source cluster if + this cluster is a secondary cluster. + type: string + status: + description: Specifies the current state of this cluster. + type: string + vpcSecurityGroups: + description: Provides a list of virtual private cloud (VPC) security + groups that the cluster belongs to. + items: + properties: + status: + type: string + vpcSecurityGroupID: + type: string + type: object + type: array + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. + properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd-ready-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd-ready-1.yaml new file mode 100644 index 0000000000..8e47b9efc1 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd-ready-1.yaml @@ -0,0 +1,4 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: dbclusters.docdb.aws.crossplane.io \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd-ready.yaml new file mode 100644 index 0000000000..8f7aaf4eea --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd-ready.yaml @@ -0,0 +1,4 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: dbclusters.rds.aws.crossplane.io \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd.yaml new file mode 100644 index 0000000000..2a8fe07fbe --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/crd.yaml 
@@ -0,0 +1,1352 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.8.0 + creationTimestamp: null + name: dbclusters.rds.aws.crossplane.io +spec: + group: rds.aws.crossplane.io + names: + categories: + - crossplane + - managed + - aws + kind: DBCluster + listKind: DBClusterList + plural: dbclusters + singular: dbcluster + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Ready')].status + name: READY + type: string + - jsonPath: .status.conditions[?(@.type=='Synced')].status + name: SYNCED + type: string + - jsonPath: .metadata.annotations.crossplane\.io/external-name + name: EXTERNAL-NAME + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: DBCluster is the Schema for the DBClusters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: DBClusterSpec defines the desired state of DBCluster + properties: + deletionPolicy: + default: Delete + description: DeletionPolicy specifies what will happen to the underlying + external when this managed resource is deleted - either "Delete" + or "Orphan" the external resource. 
+ enum: + - Orphan + - Delete + type: string + forProvider: + description: DBClusterParameters defines the desired state of DBCluster + properties: + applyImmediately: + description: "A value that indicates whether the modifications + in this request and any pending modifications are asynchronously + applied as soon as possible, regardless of the PreferredMaintenanceWindow + setting for the DB cluster. If this parameter is disabled, changes + to the DB cluster are applied during the next maintenance window. + \n The ApplyImmediately parameter only affects the EnableIAMDatabaseAuthentication, + MasterUserPassword values. If the ApplyImmediately parameter + is disabled, then changes to the EnableIAMDatabaseAuthentication, + MasterUserPassword values are applied during the next maintenance + window. All other changes are applied immediately, regardless + of the value of the ApplyImmediately parameter. \n By default, + this parameter is disabled." + type: boolean + autogeneratePassword: + description: "AutogeneratePassword indicates whether the controller + should generate a random password for the master user if one + is not provided via MasterUserPasswordSecretRef. \n If a password + is generated, it will be stored as a secret at the location + specified by MasterUserPasswordSecretRef." + type: boolean + availabilityZones: + description: A list of Availability Zones (AZs) where instances + in the DB cluster can be created. For information on Amazon + Web Services Regions and Availability Zones, see Choosing the + Regions and Availability Zones (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.RegionsAndAvailabilityZones.html) + in the Amazon Aurora User Guide. + items: + type: string + type: array + backtrackWindow: + description: "The target backtrack window, in seconds. To disable + backtracking, set this value to 0. \n Currently, Backtrack is + only supported for Aurora MySQL DB clusters. 
\n Default: 0 \n + Constraints: \n * If specified, this value must be set to a + number from 0 to 259,200 (72 hours)." + format: int64 + type: integer + backupRetentionPeriod: + description: "The number of days for which automated backups are + retained. \n Default: 1 \n Constraints: \n * Must be a value + from 1 to 35" + format: int64 + type: integer + characterSetName: + description: A value that indicates that the DB cluster should + be associated with the specified CharacterSet. + type: string + copyTagsToSnapshot: + description: A value that indicates whether to copy all tags from + the DB cluster to snapshots of the DB cluster. The default is + not to copy them. + type: boolean + databaseName: + description: The name for your database of up to 64 alphanumeric + characters. If you do not provide a name, Amazon RDS doesn't + create a database in the DB cluster you are creating. + type: string + dbClusterParameterGroupName: + description: "The name of the DB cluster parameter group to associate + with this DB cluster. If you do not specify a value, then the + default DB cluster parameter group for the specified DB engine + and version is used. \n Constraints: \n * If supplied, must + match the name of an existing DB cluster parameter group." + type: string + dbClusterParameterGroupNameRef: + description: DBClusterParameterGroupNameRef is a reference to + a DBClusterParameterGroup used to set DBClusterParameterGroupName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbClusterParameterGroupNameSelector: + description: DBClusterParameterGroupNameSelector selects a reference + to a DBClusterParameterGroup used to set DBClusterParameterGroupName. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + dbSubnetGroupName: + description: "A DB subnet group to associate with this DB cluster. + \n Constraints: Must match the name of an existing DBSubnetGroup. + Must not be default. 
\n Example: mySubnetgroup" + type: string + dbSubnetGroupNameRef: + description: DBSubnetGroupNameRef is a reference to a DBSubnetGroup + used to set DBSubnetGroupName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + dbSubnetGroupNameSelector: + description: DBSubnetGroupNameSelector selects a reference to + a DBSubnetGroup used to set DBSubnetGroupName. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + deletionProtection: + description: A value that indicates whether the DB cluster has + deletion protection enabled. The database can't be deleted when + deletion protection is enabled. By default, deletion protection + is disabled. + type: boolean + destinationRegion: + description: DestinationRegion is used for presigning the request + to a given region. + type: string + domain: + description: "The Active Directory directory ID to create the + DB cluster in. \n For Amazon Aurora DB clusters, Amazon RDS + can use Kerberos Authentication to authenticate users that connect + to the DB cluster. For more information, see Kerberos Authentication + (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/kerberos-authentication.html) + in the Amazon Aurora User Guide." + type: string + domainIAMRoleName: + description: Specify the name of the IAM role to be used when + making API calls to the Directory Service. + type: string + domainIAMRoleNameRef: + description: DomainIAMRoleNameRef is a reference to an IAMRole + used to set DomainIAMRoleName. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. 
+ enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + domainIAMRoleNameSelector: + description: DomainIAMRoleNameSelector selects a reference to + an IAMRole used to set DomainIAMRoleName. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + enableCloudwatchLogsExports: + description: "The list of log types that need to be enabled for + exporting to CloudWatch Logs. The values in the list depend + on the DB engine being used. 
For more information, see Publishing + Database Logs to Amazon CloudWatch Logs (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch) + in the Amazon Aurora User Guide. \n Aurora MySQL \n Possible + values are audit, error, general, and slowquery. \n Aurora PostgreSQL + \n Possible value is postgresql." + items: + type: string + type: array + enableGlobalWriteForwarding: + description: "A value that indicates whether to enable this DB + cluster to forward write operations to the primary cluster of + an Aurora global database (GlobalCluster). By default, write + operations are not allowed on Aurora DB clusters that are secondary + clusters in an Aurora global database. \n You can set this value + only on Aurora DB clusters that are members of an Aurora global + database. With this parameter enabled, a secondary cluster can + forward writes to the current primary cluster and the resulting + changes are replicated back to this cluster. For the primary + DB cluster of an Aurora global database, this value is used + immediately if the primary is demoted by the FailoverGlobalCluster + API operation, but it does nothing until then." + type: boolean + enableHTTPEndpoint: + description: "A value that indicates whether to enable the HTTP + endpoint for an Aurora Serverless DB cluster. By default, the + HTTP endpoint is disabled. \n When enabled, the HTTP endpoint + provides a connectionless web service API for running SQL queries + on the Aurora Serverless DB cluster. You can also query your + database from inside the RDS console with the query editor. + \n For more information, see Using the Data API for Aurora Serverless + (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html) + in the Amazon Aurora User Guide." 
+ type: boolean + enableIAMDatabaseAuthentication: + description: "A value that indicates whether to enable mapping + of Amazon Web Services Identity and Access Management (IAM) + accounts to database accounts. By default, mapping is disabled. + \n For more information, see IAM Database Authentication (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html) + in the Amazon Aurora User Guide." + type: boolean + engine: + description: "The name of the database engine to be used for this + DB cluster. \n Valid Values: aurora (for MySQL 5.6-compatible + Aurora), aurora-mysql (for MySQL 5.7-compatible Aurora), and + aurora-postgresql" + type: string + engineMode: + description: "The DB engine mode of the DB cluster, either provisioned, + serverless, parallelquery, global, or multimaster. \n The parallelquery + engine mode isn't required for Aurora MySQL version 1.23 and + higher 1.x versions, and version 2.09 and higher 2.x versions. + \n The global engine mode isn't required for Aurora MySQL version + 1.22 and higher 1.x versions, and global engine mode isn't required + for any 2.x versions. \n The multimaster engine mode only applies + for DB clusters created with Aurora MySQL version 5.6.10a. \n + For Aurora PostgreSQL, the global engine mode isn't required, + and both the parallelquery and the multimaster engine modes + currently aren't supported. \n Limitations and requirements + apply to some DB engine modes. 
For more information, see the + following sections in the Amazon Aurora User Guide: \n * Limitations + of Aurora Serverless (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.limitations) + \n * Limitations of Parallel Query (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-mysql-parallel-query.html#aurora-mysql-parallel-query-limitations) + \n * Limitations of Aurora Global Databases (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database.html#aurora-global-database.limitations) + \n * Limitations of Multi-Master Clusters (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-multi-master.html#aurora-multi-master-limitations)" + type: string + engineVersion: + description: "The version number of the database engine to use. + \n To list all of the available engine versions for aurora (for + MySQL 5.6-compatible Aurora), use the following command: \n + aws rds describe-db-engine-versions --engine aurora --query + \"DBEngineVersions[].EngineVersion\" \n To list all of the available + engine versions for aurora-mysql (for MySQL 5.7-compatible Aurora), + use the following command: \n aws rds describe-db-engine-versions + --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\" + \n To list all of the available engine versions for aurora-postgresql, + use the following command: \n aws rds describe-db-engine-versions + --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\" + \n Aurora MySQL \n Example: 5.6.10a, 5.6.mysql_aurora.1.19.2, + 5.7.12, 5.7.mysql_aurora.2.04.5 \n Aurora PostgreSQL \n Example: + 9.6.3, 10.7" + type: string + finalDBSnapshotIdentifier: + description: "The DB cluster snapshot identifier of the new DB + cluster snapshot created when SkipFinalSnapshot is disabled. 
+ \n Specifying this parameter and also skipping the creation + of a final DB cluster snapshot with the SkipFinalShapshot parameter + results in an error. \n Constraints: \n * Must be 1 to 255 letters, + numbers, or hyphens. \n * First character must be a letter \n + * Can't end with a hyphen or contain two consecutive hyphens" + type: string + globalClusterIdentifier: + description: The global cluster ID of an Aurora cluster that becomes + the primary cluster in the new global database cluster. + type: string + kmsKeyID: + description: "The Amazon Web Services KMS key identifier for an + encrypted DB cluster. \n The Amazon Web Services KMS key identifier + is the key ARN, key ID, alias ARN, or alias name for the KMS + key. To use a KMS key in a different Amazon Web Services account, + specify the key ARN or alias ARN. \n When a KMS key isn't specified + in KmsKeyId: \n * If ReplicationSourceIdentifier identifies + an encrypted source, then Amazon RDS will use the KMS key used + to encrypt the source. Otherwise, Amazon RDS will use your default + KMS key. \n * If the StorageEncrypted parameter is enabled and + ReplicationSourceIdentifier isn't specified, then Amazon RDS + will use your default KMS key. \n There is a default KMS key + for your Amazon Web Services account. Your Amazon Web Services + account has a different default KMS key for each Amazon Web + Services Region. \n If you create a read replica of an encrypted + DB cluster in another Amazon Web Services Region, you must set + KmsKeyId to a KMS key identifier that is valid in the destination + Amazon Web Services Region. This KMS key is used to encrypt + the read replica in that Amazon Web Services Region." + type: string + kmsKeyIDRef: + description: KMSKeyIDRef is a reference to a KMS Key used to set + KMSKeyID. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + kmsKeyIDSelector: + description: KMSKeyIDSelector selects a reference to a KMS Key + used to set KMSKeyID. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + type: object + masterUserPasswordSecretRef: + description: "The password for the master database user. This + password can contain any printable ASCII character except \"/\", + \"\"\", or \"@\". \n Constraints: Must contain from 8 to 41 + characters. Required." + properties: + key: + description: The key to select. + type: string + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - key + - name + - namespace + type: object + masterUsername: + description: "The name of the master user for the DB cluster. + \n Constraints: \n * Must be 1 to 16 letters or numbers. \n + * First character must be a letter. \n * Can't be a reserved + word for the chosen database engine." + type: string + optionGroupName: + description: "A value that indicates that the DB cluster should + be associated with the specified option group. \n Permanent + options can't be removed from an option group. The option group + can't be removed from a DB cluster once it is associated with + a DB cluster." + type: string + port: + description: "The port number on which the instances in the DB + cluster accept connections. \n Default: 3306 if engine is set + as aurora or 5432 if set to aurora-postgresql." + format: int64 + type: integer + preSignedURL: + description: "A URL that contains a Signature Version 4 signed + request for the CreateDBCluster action to be called in the source + Amazon Web Services Region where the DB cluster is replicated + from. You only need to specify PreSignedUrl when you are performing + cross-region replication from an encrypted DB cluster. \n The + pre-signed URL must be a valid request for the CreateDBCluster + API action that can be executed in the source Amazon Web Services + Region that contains the encrypted DB cluster to be copied. 
+ \n The pre-signed URL request must contain the following parameter + values: \n * KmsKeyId - The Amazon Web Services KMS key identifier + for the KMS key to use to encrypt the copy of the DB cluster + in the destination Amazon Web Services Region. This should refer + to the same KMS key for both the CreateDBCluster action that + is called in the destination Amazon Web Services Region, and + the action contained in the pre-signed URL. \n * DestinationRegion + - The name of the Amazon Web Services Region that Aurora read + replica will be created in. \n * ReplicationSourceIdentifier + - The DB cluster identifier for the encrypted DB cluster to + be copied. This identifier must be in the Amazon Resource Name + (ARN) format for the source Amazon Web Services Region. For + example, if you are copying an encrypted DB cluster from the + us-west-2 Amazon Web Services Region, then your ReplicationSourceIdentifier + would look like Example: arn:aws:rds:us-west-2:123456789012:cluster:aurora-cluster1. + \n To learn how to generate a Signature Version 4 signed request, + see Authenticating Requests: Using Query Parameters (Amazon + Web Services Signature Version 4) (https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html) + and Signature Version 4 Signing Process (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). + \n If you are using an Amazon Web Services SDK tool or the CLI, + you can specify SourceRegion (or --source-region for the CLI) + instead of specifying PreSignedUrl manually. Specifying SourceRegion + autogenerates a pre-signed URL that is a valid request for the + operation that can be executed in the source Amazon Web Services + Region." + type: string + preferredBackupWindow: + description: "The daily time range during which automated backups + are created if automated backups are enabled using the BackupRetentionPeriod + parameter. 
\n The default is a 30-minute window selected at + random from an 8-hour block of time for each Amazon Web Services + Region. To view the time blocks available, see Backup window + (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html#Aurora.Managing.Backups.BackupWindow) + in the Amazon Aurora User Guide. \n Constraints: \n * Must be + in the format hh24:mi-hh24:mi. \n * Must be in Universal Coordinated + Time (UTC). \n * Must not conflict with the preferred maintenance + window. \n * Must be at least 30 minutes." + type: string + preferredMaintenanceWindow: + description: "The weekly time range during which system maintenance + can occur, in Universal Coordinated Time (UTC). \n Format: ddd:hh24:mi-ddd:hh24:mi + \n The default is a 30-minute window selected at random from + an 8-hour block of time for each Amazon Web Services Region, + occurring on a random day of the week. To see the time blocks + available, see Adjusting the Preferred DB Cluster Maintenance + Window (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow.Aurora) + in the Amazon Aurora User Guide. \n Valid Days: Mon, Tue, Wed, + Thu, Fri, Sat, Sun. \n Constraints: Minimum 30-minute window." + type: string + region: + description: Region is which region the DBCluster will be created. + type: string + replicationSourceIdentifier: + description: The Amazon Resource Name (ARN) of the source DB instance + or DB cluster if this DB cluster is created as a read replica. + type: string + restoreFrom: + description: RestoreFrom specifies the details of the backup to + restore when creating a new DBCluster. + properties: + s3: + description: S3 specifies the details of the S3 backup to + restore from. + properties: + bucketName: + description: BucketName is the name of the S3 bucket containing + the backup to restore. 
+ type: string + ingestionRoleARN: + description: IngestionRoleARN is the IAM role RDS can + assume that will allow it to access the contents of + the S3 bucket. + type: string + prefix: + description: Prefix is the path prefix of the S3 bucket + within which the backup to restore is located. + type: string + sourceEngine: + description: SourceEngine is the engine used to create + the backup. Must be "mysql". + type: string + sourceEngineVersion: + description: 'SourceEngineVersion is the version of the + engine used to create the backup. Example: "5.7.30"' + type: string + required: + - bucketName + - ingestionRoleARN + - sourceEngine + - sourceEngineVersion + type: object + source: + description: Source is the type of the backup to restore when + creating a new DBCluster. Only S3 is supported at present. + type: string + required: + - source + type: object + scalingConfiguration: + description: For DB clusters in serverless DB engine mode, the + scaling properties of the DB cluster. + properties: + autoPause: + type: boolean + maxCapacity: + format: int64 + type: integer + minCapacity: + format: int64 + type: integer + secondsBeforeTimeout: + format: int64 + type: integer + secondsUntilAutoPause: + format: int64 + type: integer + timeoutAction: + type: string + type: object + skipFinalSnapshot: + description: "A value that indicates whether to skip the creation + of a final DB cluster snapshot before the DB cluster is deleted. + If skip is specified, no DB cluster snapshot is created. If + skip isn't specified, a DB cluster snapshot is created before + the DB cluster is deleted. By default, skip isn't specified, + and the DB cluster snapshot is created. By default, this parameter + is disabled. \n You must specify a FinalDBSnapshotIdentifier + parameter if SkipFinalSnapshot is disabled." + type: boolean + sourceRegion: + description: SourceRegion is the source region where the resource + exists. This is not sent over the wire and is only used for + presigning. 
This value should always have the same region as + the source ARN. + type: string + storageEncrypted: + description: A value that indicates whether the DB cluster is + encrypted. + type: boolean + tags: + description: Tags to assign to the DB cluster. + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + vpcSecurityGroupIDRefs: + description: VPCSecurityGroupIDRefs are references to VPCSecurityGroups + used to set the VPCSecurityGroupIDs. + items: + description: A Reference to a named object. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution + of this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which + will attempt to resolve the reference only when the + corresponding field is not present. Use 'Always' to + resolve the reference on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + type: array + vpcSecurityGroupIDSelector: + description: VPCSecurityGroupIDSelector selects references to + VPCSecurityGroups used to set the VPCSecurityGroupIDs. + properties: + matchControllerRef: + description: MatchControllerRef ensures an object with the + same controller reference as the selecting object is selected. + type: boolean + matchLabels: + additionalProperties: + type: string + description: MatchLabels ensures an object with matching labels + is selected. + type: object + policy: + description: Policies for selection. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + type: object + vpcSecurityGroupIDs: + description: A list of EC2 VPC security groups to associate with + this DB cluster. + items: + type: string + type: array + required: + - engine + - masterUserPasswordSecretRef + - region + type: object + providerConfigRef: + default: + name: default + description: ProviderConfigReference specifies how the provider that + will be used to create, observe, update, and delete this managed + resource should be configured. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. 
+ enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + providerRef: + description: 'ProviderReference specifies the provider that will be + used to create, observe, update, and delete this managed resource. + Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`' + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. + properties: + resolution: + default: Required + description: Resolution specifies whether resolution of this + reference is required. The default is 'Required', which + means the reconcile will fail if the reference cannot be + resolved. 'Optional' means this reference will be a no-op + if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will attempt + to resolve the reference only when the corresponding field + is not present. Use 'Always' to resolve the reference on + every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + publishConnectionDetailsTo: + description: PublishConnectionDetailsTo specifies the connection secret + config which contains a name, metadata and a reference to secret + store config to which any connection details for this managed resource + should be written. Connection details frequently include the endpoint, + username, and password required to connect to the managed resource. + properties: + configRef: + default: + name: default + description: SecretStoreConfigRef specifies which secret store + config should be used for this ConnectionSecret. + properties: + name: + description: Name of the referenced object. + type: string + policy: + description: Policies for referencing. 
+ properties: + resolution: + default: Required + description: Resolution specifies whether resolution of + this reference is required. The default is 'Required', + which means the reconcile will fail if the reference + cannot be resolved. 'Optional' means this reference + will be a no-op if it cannot be resolved. + enum: + - Required + - Optional + type: string + resolve: + description: Resolve specifies when this reference should + be resolved. The default is 'IfNotPresent', which will + attempt to resolve the reference only when the corresponding + field is not present. Use 'Always' to resolve the reference + on every reconcile. + enum: + - Always + - IfNotPresent + type: string + type: object + required: + - name + type: object + metadata: + description: Metadata is the metadata for connection secret. + properties: + annotations: + additionalProperties: + type: string + description: Annotations are the annotations to be added to + connection secret. - For Kubernetes secrets, this will be + used as "metadata.annotations". - It is up to Secret Store + implementation for others store types. + type: object + labels: + additionalProperties: + type: string + description: Labels are the labels/tags to be added to connection + secret. - For Kubernetes secrets, this will be used as "metadata.labels". + - It is up to Secret Store implementation for others store + types. + type: object + type: + description: Type is the SecretType for the connection secret. + - Only valid for Kubernetes Secret Stores. + type: string + type: object + name: + description: Name is the name of the connection secret. + type: string + required: + - name + type: object + writeConnectionSecretToRef: + description: WriteConnectionSecretToReference specifies the namespace + and name of a Secret to which any connection details for this managed + resource should be written. Connection details frequently include + the endpoint, username, and password required to connect to the + managed resource. 
This field is planned to be replaced in a future + release in favor of PublishConnectionDetailsTo. Currently, both + could be set independently and connection details would be published + to both without affecting each other. + properties: + name: + description: Name of the secret. + type: string + namespace: + description: Namespace of the secret. + type: string + required: + - name + - namespace + type: object + required: + - forProvider + type: object + status: + description: DBClusterStatus defines the observed state of DBCluster. + properties: + atProvider: + description: DBClusterObservation defines the observed state of DBCluster + properties: + activityStreamKMSKeyID: + description: "The Amazon Web Services KMS key identifier used + for encrypting messages in the database activity stream. \n + The Amazon Web Services KMS key identifier is the key ARN, key + ID, alias ARN, or alias name for the KMS key." + type: string + activityStreamKinesisStreamName: + description: The name of the Amazon Kinesis data stream used for + the database activity stream. + type: string + activityStreamMode: + description: The mode of the database activity stream. Database + events such as a change or access generate an activity stream + event. The database session can handle these events either synchronously + or asynchronously. + type: string + activityStreamStatus: + description: The status of the database activity stream. + type: string + allocatedStorage: + description: For all database engines except Amazon Aurora, AllocatedStorage + specifies the allocated storage size in gibibytes (GiB). For + Aurora, AllocatedStorage always returns 1, because Aurora DB + cluster storage size isn't fixed, but instead automatically + adjusts as needed. + format: int64 + type: integer + associatedRoles: + description: Provides a list of the Amazon Web Services Identity + and Access Management (IAM) roles that are associated with the + DB cluster. 
IAM roles that are associated with a DB cluster + grant permission for the DB cluster to access other Amazon Web + Services on your behalf. + items: + properties: + featureName: + type: string + roleARN: + type: string + status: + type: string + type: object + type: array + automaticRestartTime: + description: The time when a stopped DB cluster is restarted automatically. + format: date-time + type: string + backtrackConsumedChangeRecords: + description: The number of change records stored for Backtrack. + format: int64 + type: integer + capacity: + description: "The current capacity of an Aurora Serverless DB + cluster. The capacity is 0 (zero) when the cluster is paused. + \n For more information about Aurora Serverless, see Using Amazon + Aurora Serverless (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html) + in the Amazon Aurora User Guide." + format: int64 + type: integer + cloneGroupID: + description: Identifies the clone group to which the DB cluster + is associated. + type: string + clusterCreateTime: + description: Specifies the time when the DB cluster was created, + in Universal Coordinated Time (UTC). + format: date-time + type: string + crossAccountClone: + description: Specifies whether the DB cluster is a clone of a + DB cluster owned by a different Amazon Web Services account. + type: boolean + customEndpoints: + description: Identifies all custom endpoints associated with the + cluster. + items: + type: string + type: array + dbClusterARN: + description: The Amazon Resource Name (ARN) for the DB cluster. + type: string + dbClusterIdentifier: + description: Contains a user-supplied DB cluster identifier. This + identifier is the unique key that identifies a DB cluster. + type: string + dbClusterMembers: + description: Provides the list of instances that make up the DB + cluster. 
+ items: + properties: + dbClusterParameterGroupStatus: + type: string + dbInstanceIdentifier: + type: string + isClusterWriter: + type: boolean + promotionTier: + format: int64 + type: integer + type: object + type: array + dbClusterOptionGroupMemberships: + description: Provides the list of option group memberships for + this DB cluster. + items: + properties: + dbClusterOptionGroupName: + type: string + status: + type: string + type: object + type: array + dbClusterParameterGroup: + description: Specifies the name of the DB cluster parameter group + for the DB cluster. + type: string + dbClusterResourceID: + description: The Amazon Web Services Region-unique, immutable + identifier for the DB cluster. This identifier is found in Amazon + Web Services CloudTrail log entries whenever the KMS key for + the DB cluster is accessed. + type: string + dbSubnetGroup: + description: Specifies information on the subnet group associated + with the DB cluster, including the name, description, and subnets + in the subnet group. + type: string + domainMemberships: + description: The Active Directory Domain membership records associated + with the DB cluster. + items: + properties: + domain: + type: string + fQDN: + type: string + iamRoleName: + type: string + status: + type: string + type: object + type: array + earliestBacktrackTime: + description: The earliest time to which a DB cluster can be backtracked. + format: date-time + type: string + earliestRestorableTime: + description: The earliest time to which a database can be restored + with point-in-time restore. + format: date-time + type: string + enabledCloudwatchLogsExports: + description: "A list of log types that this DB cluster is configured + to export to CloudWatch Logs. \n Log types vary by DB engine. + For information about the log types for each DB engine, see + Amazon RDS Database Log Files (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html) + in the Amazon Aurora User Guide." 
+ items: + type: string + type: array + endpoint: + description: Specifies the connection endpoint for the primary + instance of the DB cluster. + type: string + globalWriteForwardingRequested: + description: Specifies whether you have requested to enable write + forwarding for a secondary cluster in an Aurora global database. + Because write forwarding takes time to enable, check the value + of GlobalWriteForwardingStatus to confirm that the request has + completed before using the write forwarding feature for this + cluster. + type: boolean + globalWriteForwardingStatus: + description: Specifies whether a secondary cluster in an Aurora + global database has write forwarding enabled, not enabled, or + is in the process of enabling it. + type: string + hostedZoneID: + description: Specifies the ID that Amazon Route 53 assigns when + you create a hosted zone. + type: string + httpEndpointEnabled: + description: "A value that indicates whether the HTTP endpoint + for an Aurora Serverless DB cluster is enabled. \n When enabled, + the HTTP endpoint provides a connectionless web service API + for running SQL queries on the Aurora Serverless DB cluster. + You can also query your database from inside the RDS console + with the query editor. \n For more information, see Using the + Data API for Aurora Serverless (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html) + in the Amazon Aurora User Guide." + type: boolean + iamDatabaseAuthenticationEnabled: + description: A value that indicates whether the mapping of Amazon + Web Services Identity and Access Management (IAM) accounts to + database accounts is enabled. + type: boolean + latestRestorableTime: + description: Specifies the latest time to which a database can + be restored with point-in-time restore. + format: date-time + type: string + multiAZ: + description: Specifies whether the DB cluster has instances in + multiple Availability Zones. 
+ type: boolean + percentProgress: + description: Specifies the progress of the operation as a percentage. + type: string + readReplicaIdentifiers: + description: Contains one or more identifiers of the read replicas + associated with this DB cluster. + items: + type: string + type: array + readerEndpoint: + description: "The reader endpoint for the DB cluster. The reader + endpoint for a DB cluster load-balances connections across the + Aurora Replicas that are available in a DB cluster. As clients + request new connections to the reader endpoint, Aurora distributes + the connection requests among the Aurora Replicas in the DB + cluster. This functionality can help balance your read workload + across multiple Aurora Replicas in your DB cluster. \n If a + failover occurs, and the Aurora Replica that you are connected + to is promoted to be the primary instance, your connection is + dropped. To continue sending your read workload to other Aurora + Replicas in the cluster, you can then reconnect to the reader + endpoint." + type: string + scalingConfigurationInfo: + properties: + autoPause: + type: boolean + maxCapacity: + format: int64 + type: integer + minCapacity: + format: int64 + type: integer + secondsBeforeTimeout: + format: int64 + type: integer + secondsUntilAutoPause: + format: int64 + type: integer + timeoutAction: + type: string + type: object + status: + description: Specifies the current state of this DB cluster. + type: string + tagList: + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + vpcSecurityGroups: + description: Provides a list of VPC security groups that the DB + cluster belongs to. + items: + properties: + status: + type: string + vpcSecurityGroupID: + type: string + type: object + type: array + type: object + conditions: + description: Conditions of the resource. + items: + description: A Condition that may apply to a resource. 
+ properties: + lastTransitionTime: + description: LastTransitionTime is the last time this condition + transitioned from one status to another. + format: date-time + type: string + message: + description: A Message containing details about this condition's + last transition from one status to another, if any. + type: string + reason: + description: A Reason for this condition's last transition from + one status to another. + type: string + status: + description: Status of this condition; is it currently True, + False, or Unknown? + type: string + type: + description: Type of this condition. At most one of each condition + type may apply to a resource at any point in time. + type: string + required: + - lastTransitionTime + - reason + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy-ready.yaml new file mode 100644 index 0000000000..cbe2042e1b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: rds-enforce-final-snapshot +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml new file mode 100644 index 0000000000..8c8c08359d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/policy.yaml 
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: rds-enforce-final-snapshot
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: rds-enforce-final-snapshot
+ match:
+ all:
+ - resources:
+ kinds:
+ - rds.aws.crossplane.io/v1alpha1/DBCluster
+ validate:
+ message: "Final snapshot must not be skipped"
+ pattern:
+ spec:
+ forProvider:
+ =(skipFinalSnapshot): "false"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/task.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/task.yaml
new file mode 100644
index 0000000000..eef6a56fd9
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk/task.yaml
@@ -0,0 +1,9 @@
+apiVersion: docdb.aws.crossplane.io/v1alpha1
+kind: DBCluster
+metadata:
+ name: db-cluster-not-skipping-final-snapshot
+spec:
+ forProvider:
+ skipFinalSnapshot: false
+ region: eu-central-1
+ engine: docdb
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/02-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/02-resources.yaml
new file mode 100644
index 0000000000..469d976db8
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/02-resources.yaml
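Review bot: The `=(skipFinalSnapshot): "false"` line in policy.yaml is a conditional anchor, so the pattern is only evaluated when the field is present and a DBCluster that omits `skipFinalSnapshot` is admitted despite the message "Final snapshot must not be skipped"; if the intent is to enforce, the line should be `skipFinalSnapshot: "false"` without the anchor. If the fixture exists only to exercise the GVK-qualified `rds.aws.crossplane.io/v1alpha1/DBCluster` match, that is fine, but it should say so: task.yaml in the same directory submits a `docdb.aws.crossplane.io/v1alpha1` DBCluster, which presumably must not be selected by this rule, and no README in the directory states that expectation. The chainsaw steps for this directory are not in view, so I cannot confirm what the test actually asserts.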
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: pod-create.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: pod-update.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/README.md
new file mode 100644
index 0000000000..6e28f30c43
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy to deny pod updates.
+It then creates a pod and updates it.
+
+## Expected Behavior
+
+The pod should create fine but the update should be rejected.
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/pod-create.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/pod-create.yaml
new file mode 100644
index 0000000000..4ddda0a666
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/pod-create.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/pod-update.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/pod-update.yaml
new file mode 100644
index 0000000000..19fa300b03
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/pod-update.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+ labels:
+ xxx: yyy
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
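Review bot: The `(error != null): true` check on the pod-update.yaml apply accepts any error, not specifically a rejection by the `test` policy, so a transient API-server error or a denial from some other admission plugin would also make this step pass. The check is a JMESPath expression, so something along the lines of `(contains(error, 'test')): true` — the policy name appears in Kyverno's admission denial message — would pin the rejection to this policy; confirm the exact binding name for the chainsaw version the repo pins before relying on it. The only visible difference between pod-create.yaml and pod-update.yaml is the added `xxx: yyy` label, so the step exercises a metadata-only UPDATE, which is worth stating in the README so nobody later "simplifies" the fixture into a spec change.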
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy-assert.yaml
new file mode 100644
index 0000000000..5ede705d48
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml
new file mode 100644
index 0000000000..5947cbbbdb
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/operations/only-update/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: test
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ operations:
+ - UPDATE
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
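Review bot: `deny: {}` on the `test` rule in policy.yaml carries no `conditions`, so it rejects every Pod UPDATE that reaches the webhook, and nothing in the file says that the unconditional form is deliberate rather than a stub someone forgot to fill in; I would put `# no conditions: every matched UPDATE is denied` directly above it. The rule also has no `message`, so the admission response carries only Kyverno's generic text; adding `message: "pod updates are denied by policy test"` next to `deny` makes the rejection self-explaining and gives the resource step something specific to assert on. The `background: false` setting looks intentional for a rule keyed on `operations: [UPDATE]`, which presumably has no meaning in a background scan, and a one-line comment saying so would stop a future reader from flipping it.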
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/02-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/02-resources.yaml
new file mode 100644
index 0000000000..0422ebe26e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/02-resources.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: bad-pod-1.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: bad-pod-2.yaml
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/README.md
new file mode 100644
index 0000000000..a6347ea58d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test ensures the PSS checks with the latest version, without exclusions, are applied to the resources successfully.
+
+## Expected Behavior
+
+The two pods should not be created as it violate the baseline:latest `seccomp` PSS check.
+
+## Reference Issue(s)
+https://github.com/kyverno/kyverno/issues/7260
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-1.yaml
new file mode 100644
index 0000000000..d9f7e83b58
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-restricted-seccomp-profile-1
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-2.yaml
new file mode 100644
index 0000000000..1cec108efa
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/bad-pod-2.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-restricted-seccomp-profile-2
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: Unconfined
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/good-pod.yaml
new file mode 100644
index 0000000000..b0b2066c78
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/good-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-with-restricted-seccomp-profile-3
+spec:
+ containers:
+ - name: busybox
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy-assert.yaml
new file mode 100644
index 0000000000..1738a603a5
--- /dev/null
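Review bot: bad-pod-2.yaml is identical to bad-pod-1.yaml apart from its name — both set `seccompProfile.type: Unconfined` on the busybox container — so the second `(error != null)` check in 02-resources.yaml repeats the first instead of widening coverage. Moving the profile in one of them to pod scope, `spec.securityContext.seccompProfile.type: Unconfined` with no container-level `securityContext`, would exercise both places the baseline seccomp check has to look and would actually justify two fixtures. The names `pod-with-restricted-seccomp-profile-1/2` also misdescribe an Unconfined profile; `pod-with-unconfined-seccomp-profile-1` reads correctly, and the good pod could likewise be `pod-with-runtime-default-seccomp-profile` so the denial messages and logs are self-explaining.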
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: latest-check-no-exclusion
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml
new file mode 100644
index 0000000000..3df4ed2983
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/seccomp-latest-check-no-exclusion/policy.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: latest-check-no-exclusion
+spec:
+ background: false
+ validationFailureAction: Enforce
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ podSecurity:
+ level: baseline
+ version: latest
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/02-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/02-resources.yaml
new file mode 100644
index 0000000000..a5e5a7f166
--- /dev/null
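Review bot: The rule in policy.yaml is named `restricted` while it validates `level: baseline`, which will mislead anyone reading the policy report or the denial message into thinking the stricter profile was applied; `- name: baseline-latest` says what the rule does. `version: latest` is deliberate here (the directory's README is about the latest PSS version without exclusions), but it also means the set of checks this policy applies moves with whatever Kubernetes release the test cluster runs, so a comment such as `# latest: intentionally tracks the newest PSS version; do not pin` beside it would stop a future reader from "fixing" it and silently changing what the test covers.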
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/02-resources.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: manifests.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/03-delete.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/03-delete.yaml
new file mode 100644
index 0000000000..8aeb4502dc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/03-delete.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: delete
+spec:
+ timeouts: {}
+ try:
+ - delete:
+ apiVersion: apps/v1
+ kind: DaemonSet
+ name: test-deletion-request-datadog-operator
+ namespace: cpol-validate-psa-test-deletion-request
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/README.md
new file mode 100644
index 0000000000..8d91b0438e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test ensures the deletion of a resource that matches the podSecurity does not cause any panic.
+
+## Expected Behavior
+
+The resource should be deleted successfully without any error.
+
+## Reference Issue(s)
+https://github.com/kyverno/kyverno/issues/6897
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/manifests.yaml
new file mode 100644
index 0000000000..a1b994c4bc
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/manifests.yaml 
@@ -0,0 +1,480 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-validate-psa-test-deletion-request +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/component: agent + app.kubernetes.io/instance: datadog-operator + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: datadog-operator + app.kubernetes.io/version: "7" + helm.sh/chart: datadog-3.25.1 + name: test-deletion-request-datadog-operator + namespace: cpol-validate-psa-test-deletion-request +spec: + revisionHistoryLimit: 10 + selector: + matchLabels: + app: datadog-operator + template: + metadata: + annotations: + labels: + app: datadog-operator + app.kubernetes.io/component: agent + app.kubernetes.io/instance: datadog-operator + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: datadog-operator + name: datadog-operator + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - command: + - agent + - run + env: + - name: GODEBUG + value: x509ignoreCN=0 + - name: DD_API_KEY + valueFrom: + secretKeyRef: + key: api-key + name: datadog-operator + - name: DD_AUTH_TOKEN_FILE_PATH + value: /etc/datadog-agent/auth/token + - name: DD_CLUSTER_NAME + value: cluster + - name: KUBERNETES + value: "yes" + - name: DD_KUBERNETES_KUBELET_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: DD_ENV + value: cluster + - name: DD_PROPAGATION_STYLE_INJECT + value: Datadog B3 + - name: DD_EC2_PREFER_IMDSV2 + value: "true" + - name: DD_PROXY_HTTP + value: http://proxy.config.pcp.local:3128 + - name: DD_PROXY_HTTPS + value: http://proxy.config.pcp.local:3128 + - name: DD_PROXY_NO_PROXY + value: localhost 127.0.0.1 10.100.0.0/16 172.31.0.0/16 172.16.0.0/12 + - name: DD_LOG_LEVEL + value: INFO + - name: DD_DOGSTATSD_PORT + value: "8125" + - name: DD_DOGSTATSD_NON_LOCAL_TRAFFIC + value: "true" + - name: DD_CLUSTER_AGENT_ENABLED + value: "true" + - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME + value: datadog-operator-cluster-agent + - name: 
DD_CLUSTER_AGENT_AUTH_TOKEN + valueFrom: + secretKeyRef: + key: token + name: datadog-operator-cluster-agent + - name: DD_APM_ENABLED + value: "false" + - name: DD_LOGS_ENABLED + value: "false" + - name: DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL + value: "false" + - name: DD_LOGS_CONFIG_K8S_CONTAINER_USE_FILE + value: "true" + - name: DD_LOGS_CONFIG_AUTO_MULTI_LINE_DETECTION + value: "false" + - name: DD_HEALTH_PORT + value: "5555" + - name: DD_DOGSTATSD_SOCKET + value: /var/run/datadog/dsd.socket + - name: DD_IGNORE_AUTOCONF + value: kubernetes_state + - name: DD_EXPVAR_PORT + value: "6000" + image: datadog/agent:7.36.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /live + port: 5555 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + name: agent + ports: + - containerPort: 8125 + hostPort: 8125 + name: dogstatsdport + protocol: UDP + readinessProbe: + failureThreshold: 6 + httpGet: + path: /ready + port: 5555 + scheme: HTTP + initialDelaySeconds: 15 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/datadog-agent/install_info + name: installinfo + readOnly: true + subPath: install_info + - mountPath: /var/log/datadog + name: logdatadog + readOnly: false + - mountPath: /tmp + name: tmpdir + readOnly: false + - mountPath: /host/etc/os-release + mountPropagation: None + name: os-release-file + readOnly: true + - mountPath: /etc/datadog-agent + name: config + readOnly: false + - mountPath: /etc/datadog-agent/auth + name: auth-token + readOnly: false + - mountPath: /host/var/run + mountPropagation: None + name: runtimesocketdir + readOnly: true + - mountPath: /var/run/datadog + name: dsdsocket + readOnly: false + - mountPath: /host/proc + mountPropagation: None + name: procdir + readOnly: 
true + - mountPath: /host/sys/fs/cgroup + mountPropagation: None + name: cgroups + readOnly: true + - command: + - trace-agent + - -config=/etc/datadog-agent/datadog.yaml + env: + - name: GODEBUG + value: x509ignoreCN=0 + - name: DD_API_KEY + valueFrom: + secretKeyRef: + key: api-key + name: datadog-operator + - name: DD_AUTH_TOKEN_FILE_PATH + value: /etc/datadog-agent/auth/token + - name: DD_CLUSTER_NAME + value: cluster + - name: KUBERNETES + value: "yes" + - name: DD_KUBERNETES_KUBELET_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: DD_ENV + value: cluster + - name: DD_PROPAGATION_STYLE_INJECT + value: Datadog B3 + - name: DD_EC2_PREFER_IMDSV2 + value: "true" + - name: DD_PROXY_HTTP + value: http://proxy.config.pcp.local:3128 + - name: DD_PROXY_HTTPS + value: http://proxy.config.pcp.local:3128 + - name: DD_PROXY_NO_PROXY + value: localhost 127.0.0.1 10.100.0.0/16 172.31.0.0/16 172.16.0.0/12 + - name: DD_CLUSTER_AGENT_ENABLED + value: "true" + - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME + value: datadog-operator-cluster-agent + - name: DD_CLUSTER_AGENT_AUTH_TOKEN + valueFrom: + secretKeyRef: + key: token + name: datadog-operator-cluster-agent + - name: DD_LOG_LEVEL + value: INFO + - name: DD_APM_ENABLED + value: "true" + - name: DD_APM_NON_LOCAL_TRAFFIC + value: "true" + - name: DD_APM_RECEIVER_PORT + value: "8126" + - name: DD_APM_RECEIVER_SOCKET + value: /var/run/datadog/apm.socket + - name: DD_DOGSTATSD_SOCKET + value: /var/run/datadog/dsd.socket + image: datadog/agent:7.36.0 + imagePullPolicy: IfNotPresent + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 15 + tcpSocket: + port: 8126 + timeoutSeconds: 5 + name: trace-agent + ports: + - containerPort: 8126 + hostPort: 8126 + name: traceport + protocol: TCP + resources: {} + volumeMounts: + - mountPath: /etc/datadog-agent + name: config + readOnly: true + - mountPath: /etc/datadog-agent/auth + name: auth-token + readOnly: true + - mountPath: /host/proc + mountPropagation: None 
+ name: procdir + readOnly: true + - mountPath: /host/sys/fs/cgroup + mountPropagation: None + name: cgroups + readOnly: true + - mountPath: /var/log/datadog + name: logdatadog + readOnly: false + - mountPath: /tmp + name: tmpdir + readOnly: false + - mountPath: /var/run/datadog + name: dsdsocket + readOnly: false + - mountPath: /host/var/run + mountPropagation: None + name: runtimesocketdir + readOnly: true + - command: + - process-agent + - --cfgpath=/etc/datadog-agent/datadog.yaml + env: + - name: GODEBUG + value: x509ignoreCN=0 + - name: DD_API_KEY + valueFrom: + secretKeyRef: + key: api-key + name: datadog-operator + - name: DD_AUTH_TOKEN_FILE_PATH + value: /etc/datadog-agent/auth/token + - name: DD_CLUSTER_NAME + value: cluster + - name: KUBERNETES + value: "yes" + - name: DD_KUBERNETES_KUBELET_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: DD_ENV + value: cluster + - name: DD_PROPAGATION_STYLE_INJECT + value: Datadog B3 + - name: DD_EC2_PREFER_IMDSV2 + value: "true" + - name: DD_PROXY_HTTP + value: http://proxy.config.pcp.local:3128 + - name: DD_PROXY_HTTPS + value: http://proxy.config.pcp.local:3128 + - name: DD_PROXY_NO_PROXY + value: localhost 127.0.0.1 10.100.0.0/16 172.31.0.0/16 172.16.0.0/12 + - name: DD_CLUSTER_AGENT_ENABLED + value: "true" + - name: DD_CLUSTER_AGENT_KUBERNETES_SERVICE_NAME + value: datadog-operator-cluster-agent + - name: DD_CLUSTER_AGENT_AUTH_TOKEN + valueFrom: + secretKeyRef: + key: token + name: datadog-operator-cluster-agent + - name: DD_PROCESS_AGENT_ENABLED + value: "true" + - name: DD_PROCESS_AGENT_DISCOVERY_ENABLED + value: "true" + - name: DD_LOG_LEVEL + value: INFO + - name: DD_SYSTEM_PROBE_ENABLED + value: "false" + - name: DD_DOGSTATSD_SOCKET + value: /var/run/datadog/dsd.socket + - name: DD_ORCHESTRATOR_EXPLORER_ENABLED + value: "true" + image: datadog/agent:7.36.0 + imagePullPolicy: IfNotPresent + name: process-agent + resources: {} + volumeMounts: + - mountPath: /etc/datadog-agent + name: config + 
readOnly: true + - mountPath: /etc/datadog-agent/auth + name: auth-token + readOnly: true + - mountPath: /var/run/datadog + name: dsdsocket + readOnly: false + - mountPath: /var/log/datadog + name: logdatadog + readOnly: false + - mountPath: /tmp + name: tmpdir + readOnly: false + - mountPath: /host/etc/os-release + mountPropagation: None + name: os-release-file + readOnly: true + - mountPath: /host/var/run + mountPropagation: None + name: runtimesocketdir + readOnly: true + - mountPath: /host/sys/fs/cgroup + mountPropagation: None + name: cgroups + readOnly: true + - mountPath: /etc/passwd + name: passwd + readOnly: true + - mountPath: /host/proc + mountPropagation: None + name: procdir + readOnly: true + hostPID: true + initContainers: + - args: + - cp -r /etc/datadog-agent /opt + command: + - bash + - -c + image: datadog/agent:7.36.0 + imagePullPolicy: IfNotPresent + name: init-volume + resources: {} + volumeMounts: + - mountPath: /opt/datadog-agent + name: config + readOnly: false + - args: + - for script in $(find /etc/cont-init.d/ -type f -name '*.sh' | sort) ; do + bash $script ; done + command: + - bash + - -c + env: + - name: GODEBUG + value: x509ignoreCN=0 + - name: DD_API_KEY + valueFrom: + secretKeyRef: + key: api-key + name: datadog-operator + - name: DD_AUTH_TOKEN_FILE_PATH + value: /etc/datadog-agent/auth/token + - name: DD_CLUSTER_NAME + value: cluster + - name: KUBERNETES + value: "yes" + - name: DD_KUBERNETES_KUBELET_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: DD_ENV + value: cluster + - name: DD_PROPAGATION_STYLE_INJECT + value: Datadog B3 + - name: DD_EC2_PREFER_IMDSV2 + value: "true" + image: datadog/agent:7.36.0 + imagePullPolicy: IfNotPresent + name: init-config + resources: {} + volumeMounts: + - mountPath: /var/log/datadog + name: logdatadog + readOnly: false + - mountPath: /etc/datadog-agent + name: config + readOnly: false + - mountPath: /host/proc + mountPropagation: None + name: procdir + readOnly: true + - 
mountPath: /host/var/run + mountPropagation: None + name: runtimesocketdir + readOnly: true + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: false + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + serviceAccountName: datadog-operator + tolerations: + - effect: NoSchedule + operator: Exists + volumes: + - emptyDir: {} + name: auth-token + - configMap: + name: datadog-operator-installinfo + name: installinfo + - emptyDir: {} + name: config + - emptyDir: {} + name: logdatadog + - emptyDir: {} + name: tmpdir + - hostPath: + path: /proc + name: procdir + - hostPath: + path: /sys/fs/cgroup + name: cgroups + - hostPath: + path: /etc/os-release + name: os-release-file + - hostPath: + path: /var/run/datadog/ + type: DirectoryOrCreate + name: dsdsocket + - hostPath: + path: /var/run/datadog/ + type: DirectoryOrCreate + name: apmsocket + - emptyDir: {} + name: s6-run + - hostPath: + path: /etc/passwd + name: passwd + - hostPath: + path: /var/run + name: runtimesocketdir + updateStrategy: + rollingUpdate: + maxUnavailable: 10% + type: RollingUpdate diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/policy-assert.yaml new file mode 100644 index 0000000000..783c4c67a2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: kyverno-psa-policy-test-deletion +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/policy.yaml new file mode 100644 index 0000000000..bd529a71d0 --- /dev/null 
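Review bot: Two entries in the DaemonSet's `volumes` list, `apmsocket` and `s6-run`, are mounted by none of the containers, and the pod template's `annotations:` is left as a bare key, which parses as null rather than an empty map; dropping the two volumes and either removing the key or writing `annotations: {}` keeps the fixture minimal. The manifest also references a ConfigMap `datadog-operator-installinfo`, Secrets `datadog-operator` and `datadog-operator-cluster-agent` and a ServiceAccount `datadog-operator` that this file never creates, so the pods presumably never start; if that is intended because only the admission path of the delete in 03-delete.yaml matters, a leading comment such as `# Fixture only: hostPID, hostPath, hostPort and the missing Secret/ConfigMap/ServiceAccount are deliberate; the test exercises the delete request, not a running agent` would save the next reader the check. Since policy.yaml exempts exactly the host-namespace, hostPath and host-port controls this pod relies on, the comment should also say the fixture must stay clean on every other baseline control, or the apply in 02-resources.yaml starts failing for reasons unrelated to issue 6897.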
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/test-deletion-request/policy.yaml @@ -0,0 +1,25 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: kyverno-psa-policy-test-deletion +spec: + background: true + validationFailureAction: Enforce + rules: + - name: kyverno-psa-policy-test-deletion + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: latest + exclude: + - controlName: "HostPath Volumes" + - controlName: "Host Namespaces" + - controlName: "Host Ports" + images: + - datadog/* + \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/01-policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/01-policies.yaml new file mode 100644 index 0000000000..6c8390bdf4 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/01-policies.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policies +spec: + timeouts: {} + try: + - apply: + file: policies.yaml + - assert: + file: policies-assert.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/02-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/02-resources.yaml new file mode 100644 index 0000000000..6433c34d01 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/02-resources.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - apply: + file: resources.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/03-scale.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/03-scale.yaml new file mode 100644 index 0000000000..69fc627930 --- /dev/null 
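Review bot: With indentation collapsed in this view it is hard to tell which node `images: - datadog/*` hangs from, but `images` is a per-entry field of `exclude` in the podSecurity schema, so as written it appears to narrow only the last entry (`Host Ports`) while `HostPath Volumes` and `Host Namespaces` are exempted for every image; if an image-scoped exemption is the intent, each entry needs its own `images:` list, and for the two pod-level controls an image scope presumably has no effect in any case. `version: latest` also ties the outcome to whichever Pod Security Standards revision the Kyverno build under test ships, so a control added to baseline later could fail the apply in 02-resources.yaml for reasons unrelated to the deletion path; pinning an explicit version is safer for a regression test. The file additionally ends with a whitespace-only line (`+ ` before `\ No newline at end of file`), which yamllint flags.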
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/03-scale.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: scale +spec: + timeouts: {} + try: + - script: + content: "if kubectl scale deployment nginx-deployment --replicas 2\nthen \n + \ exit 0\nelse \n exit 1\nfi\n" + - script: + content: "if kubectl scale sts nginx-sts --replicas 2\nthen \n exit 1\nelse + \n exit 0\nfi\n" diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/README.md new file mode 100644 index 0000000000..cf6f5690d2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/README.md @@ -0,0 +1,9 @@ +## Description + +This test create two policies: +- one that denies `Deployment/scale` in Audit mode +- one that denies `StatefulSet/scale` in Enforce mode + +It then create a statefulset and a deployment. + +Finally it tries to create the statefulset and expects failure, the, scales the deployment and expects success. diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies-assert.yaml new file mode 100644 index 0000000000..4626275f4d --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies-assert.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-scale-deployment +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-scale-statefulset +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
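Review bot: Both `kubectl scale` commands omit `-n default`, so they resolve the namespace from the runner's kubeconfig context rather than the `namespace: default` that resources.yaml pins the Deployment and StatefulSet to; on a context whose default namespace differs, the first command fails with not-found and the test fails for a reason unrelated to the policies, while the second branch would pass for the wrong reason. Adding the flag to both (`kubectl scale deployment nginx-deployment -n default --replicas 2` and `kubectl scale sts nginx-sts -n default --replicas 2`) removes that dependency. The second script also proves only that the scale was rejected, not that the rejection came from `deny-scale-statefulset`; capturing the output and matching the message with `grep -q`, as 02-script.yaml in adding-key-to-config-map does, makes the assertion specific. Nothing checks that `deny-scale-deployment` recorded an audit result for the Deployment scale, so that half of the README's claim is only partially covered.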
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml new file mode 100644 index 0000000000..70a00d0ad4 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/policies.yaml @@ -0,0 +1,37 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-scale-deployment + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + background: false + rules: + - name: deny-scale-deployment + match: + any: + - resources: + kinds: + - Deployment/scale + validate: + deny: {} +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-scale-statefulset + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Enforce + background: false + rules: + - name: deny-scale-statefulset + match: + any: + - resources: + kinds: + - StatefulSet/scale + validate: + deny: {} diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/resources.yaml new file mode 100644 index 0000000000..d559fd3862 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource/resources.yaml 
@@ -0,0 +1,45 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + namespace: default + labels: + app: nginx-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: nginx-deployment + template: + metadata: + labels: + app: nginx-deployment + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: nginx-sts + namespace: default + labels: + app: nginx-sts +spec: + replicas: 1 + selector: + matchLabels: + app: nginx-sts + template: + metadata: + labels: + app: nginx-sts + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/README.md new file mode 100644 index 0000000000..56d72502a9 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/README.md @@ -0,0 +1,11 @@ +## Description + +This test verifies a variable definition is not evaluated until the condition is used + +## Expected Behavior + +The policy should not cause an error if the first condition (any) passes. The policy should cause an error if the first condition (all) fails. + +## Reference Issues + +https://github.com/kyverno/kyverno/issues/7211 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/01-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/01-assert.yaml new file mode 100644 index 0000000000..48b630df69 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/01-assert.yaml 
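Review bot: Both workloads are pinned to `namespace: default` under generic names (`nginx-deployment`, `nginx-sts`), so this test shares state with anything else touching `default` when the suite runs in parallel, and a leftover object from an aborted run turns the apply in 02-resources.yaml into an update instead of a create; a dedicated namespace in this file, as the psa and e2e tests in this diff do (`cpol-validate-psa-test-deletion-request`, `test-validate-e2e-adding-key-to-config-map`), avoids that. The StatefulSet also has no `serviceName`; the apps/v1 API reference lists it as required, and although the apply presumably succeeded for this to be merged, adding `serviceName: nginx-sts` keeps the fixture valid under stricter validation.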
@@ -0,0 +1,11 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: preconditions +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/01-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/01-manifests.yaml new file mode 100644 index 0000000000..507a7e11e2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/01-manifests.yaml @@ -0,0 +1,35 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: preconditions +spec: + admission: true + background: false + rules: + - context: + - apiCall: + method: GET + urlPath: /api/v1/namespaces/missing/configmaps/nothere + name: nothere + match: + any: + - resources: + kinds: + - Pod + name: test + preconditions: + any: + - key: '{{ request.name }}' + message: this pod is not allowed + operator: Equals + value: test + - key: '{{ nothere }}' + message: value mismatch + operator: Equals + value: hello + validate: + pattern: + metadata: + name: '*' + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/02-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/02-assert.yaml new file mode 100644 index 0000000000..48b630df69 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/02-assert.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: preconditions +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/02-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/02-test.yaml new file mode 100644 index 0000000000..0621641386 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/02-test.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: test +spec: + timeouts: {} + try: + - apply: + file: pod-good.yaml + - apply: + check: + (error != null): true + file: pod-bad.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/03-cleanup.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/03-cleanup.yaml new file mode 100644 index 0000000000..c7717f8e22 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/03-cleanup.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - delete: + apiVersion: v1 + kind: Pod + name: test diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/03-manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/03-manifests.yaml new file mode 100644 index 0000000000..8392ae1b59 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/03-manifests.yaml 
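Review bot: `(error != null): true` accepts any apply error for pod-bad.yaml, including a conflict with a leftover Pod named `other` or a webhook timeout, so the step does not show that the failure came from the second precondition's `{{ nothere }}` lookup. A check on the message, e.g. `(contains(error, '<expected substring>')): true` with the text Kyverno emits for that precondition, distinguishes the two. The same generic check appears in 04-test.yaml of this directory, block-verifyimage/01-policy.yaml, global-anchor/03-create-bad.yaml and lowercase-kind-crd/02-resource.yaml.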
@@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: preconditions +spec: + validationFailureAction: Enforce + background: false + rules: + - name: test + match: + any: + - resources: + kinds: + - Pod + context: + - name: nothere + apiCall: + urlPath: /api/v1/namespaces/missing/configmaps/nothere + validate: + deny: + conditions: + all: + - key: "{{ request.name }}" + operator: Equals + value: test + message: this pod is not allowed + - key: "{{ nothere }}" + operator: Equals + value: hello + message: value mismatch \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/04-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/04-test.yaml new file mode 100644 index 0000000000..bb9b85c7df --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/04-test.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: test +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: pod-good.yaml + - apply: + file: pod-bad.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/pod-bad.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/pod-bad.yaml new file mode 100644 index 0000000000..30cfb1118b --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/pod-bad.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: other +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:unsigned + name: test \ No newline at end of file 
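Review bot: 03-manifests.yaml re-applies the ClusterPolicy under the same name `preconditions` that 01-manifests.yaml created, and unlike steps 01 and 02 this step has no assert companion, so 04-test.yaml may run before Kyverno has picked up the replaced spec; a Ready assert on `status.conditions` would not help either, since it was already True for the previous spec. Giving the second policy its own name (and deleting the first in 03-cleanup.yaml alongside the Pod) makes the two halves independent. The `apiCall` here also drops the `method: GET` that the first policy spells out; using one form in both files keeps a reader from wondering whether that difference is the point of the test. The file also lacks a trailing newline.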
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/pod-good.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/pod-good.yaml new file mode 100644 index 0000000000..2d3d102a7a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions/pod-good.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:unsigned + name: test \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/01-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/01-policy.yaml new file mode 100644 index 0000000000..df1eb99be6 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: policy.yaml diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/README.md new file mode 100644 index 0000000000..5a825e7038 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/README.md @@ -0,0 +1,3 @@ +## Description + +Basic validate test to check that a verify-image policy cannot be created when the policy has wildcard(*) included in match any/all resource block. \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml new file mode 100644 index 0000000000..ca98a584f0 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: verify-image +spec: + validationFailureAction: Enforce + background: false + rules: + - name: verify-image + match: + any: + - resources: + kinds: + - "*" + verifyImages: + - imageReferences: + - "ghcr.io/kyverno/test-verify-image:*" + mutateDigest: true + attestors: + - entries: + - keys: + publicKeys: | + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM + 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== + -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ctlog: + ignoreSCT: true diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/01-assert.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/01-assert.yaml new file mode 100644 index 0000000000..eb21b4d4fb --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/01-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: configmap-policy + namespace: test-validate-e2e-adding-key-to-config-map +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/01-manifests.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/01-manifests.yaml new file mode 100644 index 0000000000..cdb245e260 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/01-manifests.yaml 
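Review bot: This policy is meant to be rejected at admission (01-policy.yaml expects an error), so `ignoreTlog: true` and `ignoreSCT: true` never take effect here, but fixtures in this tree get copied; a comment above `rekor:` such as `# Test fixture: transparency-log and SCT verification are disabled; do not reuse this attestor block in a real policy` keeps the weakened settings from travelling. The public key and `mutateDigest: true` are likewise irrelevant to what is tested, and the file could be reduced to the wildcard `kinds` plus a minimal `verifyImages` entry so the element that triggers the rejection stands out.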
@@ -0,0 +1,39 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-validate-e2e-adding-key-to-config-map +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: configmap-policy + namespace: test-validate-e2e-adding-key-to-config-map +spec: + background: false + failurePolicy: Fail + validationFailureAction: Enforce + rules: + - match: + all: + - resources: + kinds: + - ConfigMap + name: key-abc + preconditions: + all: + - key: "admin" + operator: Equals + value: "{{ request.object.data.lock || '' }}" + validate: + anyPattern: + - data: + key: "abc" + message: Configmap key must be "abc" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-configmap + namespace: test-validate-e2e-adding-key-to-config-map +data: + key: xyz diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/02-script.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/02-script.yaml new file mode 100644 index 0000000000..2b3d6a1d1c --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/02-script.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: script +spec: + timeouts: {} + try: + - script: + content: "if kubectl patch ConfigMap test-configmap -n test-validate-e2e-adding-key-to-config-map + --type='json' -p=\"[{\\\"op\\\": \\\"add\\\", \\\"path\\\": \\\"/data/lock\\\", + \\\"value\\\":\"\"admin\"\"}]\" 2>&1 | grep -q 'validation error: Configmap + key must be \"abc\"' \nthen \n echo \"Test succeeded. Resource was blocked + from adding key.\"\n exit 0\nelse \n echo \"Tested failed. Resource was + not blocked from adding key.\"\n exit 1 \nfi\n" diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/README.md b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/README.md new file mode 100644 index 0000000000..8fed6477c8 --- /dev/null 
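Review bot: The single rule under `rules:` has no `name`; 01-assert.yaml expects the Policy to become Ready, so Kyverno presumably accepted it, but an unnamed rule leaves policy reports and admission events without a stable identifier, and every other policy in this diff names its rules. Adding `name: check-configmap-keys` (constructed example) to the rule matches the rest of the suite. The precondition also puts the constant in `key` and the expression in `value` (`key: "admin"`, `value: "{{ request.object.data.lock || '' }}"`); it works, but the reversed form `key: "{{ request.object.data.lock || '' }}"` with `value: "admin"` is the idiom used elsewhere and reads as intended.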
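Review bot: Inside the double-quoted `-p=` argument, the sequence `\"\"admin\"\"` (after YAML unescaping: `""admin""`) closes and reopens the shell's quotes, so the JSON the shell hands to kubectl is `"value":admin` with an unquoted `admin`; if kubectl rejects that as malformed JSON, the `grep -q 'validation error: ...'` never matches and the step reports "Tested failed" without ever reaching the policy. Writing the value the same way as the other fields, `\\\"value\\\": \\\"admin\\\"`, keeps it quoted in the final JSON. Moving the command into a `content: |` block scalar would also remove the triple-escaping that hides this.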
+++ b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map/README.md @@ -0,0 +1,21 @@ +## Description + +This test validates that an existing ConfigMap can't be updated with a new key that results in violation of a policy. + +## Expected Behavior + +The existing ConfigMap isn't patched and policy violation is reported. + +## Steps + +### Test Steps + +1. Create a `Policy` that denies only permits combination of two particular keys together. +2. Create a `ConfigMap` that contains one of the keys. +3. Try to patch the `ConfigMap` with a new key that is not permitted by the policy. +4. Verify that the `ConfigMap` is not patched and policy violation is reported. +5. Delete the `Policy` and `ConfigMap`. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/3253 \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor/01-policy.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor/02-create-good.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor/02-create-good.yaml new file mode 100644 index 0000000000..554be22b75 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor/02-create-good.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-nginx-allowed-registry + namespace: default +spec: + containers: + - name: nginx + image: someimagename + imagePullSecrets: + - name: my-registry-secret \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor/03-create-bad.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor/03-create-bad.yaml new file mode 100644 index 0000000000..7af48344c6 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor/03-create-bad.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create-bad +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: bad.yaml diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor/README.md b/test/conformance/chainsaw/validate/e2e/global-anchor/README.md new file mode 100644 index 0000000000..f601a57c5b --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor/README.md @@ -0,0 +1,11 @@ +## Description + +This is a migrated test from e2e. The global anchor is being checked for basic functionality here. + +## Expected Behavior + +If a container uses an image named `someimagename` then the `imagePullSecret` must be set to `my-registry-secret`. The test passes if this combination is found. If an image named `someimagename` uses some other imagePullSecret, the test fails. + +## Reference Issue(s) + +2390 diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor/bad.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor/bad.yaml new file mode 100644 index 0000000000..14b674c61c --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor/bad.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-nginx-disallowed-registry + namespace: default +spec: + containers: + - name: nginx + image: someimagename + imagePullSecrets: + - name: other-registory-secret \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor/policy-ready.yaml new file mode 100644 index 0000000000..5f42e456d2 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/e2e/global-anchor/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: sample +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml new file mode 100644 index 0000000000..bc1b7b1b6c --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/global-anchor/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: sample +spec: + validationFailureAction: Enforce + rules: + - name: check-container-image + match: + any: + - resources: + kinds: + - Pod + validate: + pattern: + spec: + containers: + - name: "*" + <(image): "someimagename" + imagePullSecrets: + - name: my-registry-secret \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/00-create-crd.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/00-create-crd.yaml new file mode 100644 index 0000000000..dd9379c6f0 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/00-create-crd.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create-crd +spec: + timeouts: {} + try: + - apply: + file: postgresqls.yaml + - assert: + file: postgresqls-ready.yaml diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/01-assert.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/01-assert.yaml new file mode 100644 index 0000000000..d292590a53 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/01-assert.yaml 
@@ -0,0 +1,14 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready +--- +apiVersion: v1 +kind: Namespace +metadata: + name: test-validate diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/01-manifests.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/01-manifests.yaml new file mode 100644 index 0000000000..73ffb45778 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/01-manifests.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-validate +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test +spec: + validationFailureAction: Enforce + rules: + - name: test-rule + match: + any: + - resources: + kinds: + - "acid.zalan.do/v1/postgresql" + validate: + message: "The label app=foo is required" + pattern: + metadata: + labels: + app: foo diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/02-resource.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/02-resource.yaml new file mode 100644 index 0000000000..36f9a5b5d3 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: resource.yaml diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/README.md b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/README.md new file mode 100644 index 0000000000..184a2a0053 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/README.md 
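Review bot: `01-manifests.yaml` creates a cluster-scoped Namespace with the fixed name `test-validate` and `resource.yaml` hard-codes the same namespace, which is the one place in this directory that does not use the namespace chainsaw provisions per test; if two runs of this test overlap, the second apply collides with the first and the cleanup of one run can remove the other's namespace. Unless the fixed name is required by the lowercase-kind lookup under test, dropping the Namespace document and the `namespace:` field lets the step run in the test namespace. If the name is needed, a one-line comment in the manifest stating why (`# fixed namespace: <reason>`) would document it.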
@@ -0,0 +1,11 @@ +## Description + +This test validates that CRD with lowercase kind is supported. + +## Expected Behavior + +A resource with kind `postgresql` should have the label `app=foo`. + +## Reference Issue(s) + +5989 diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/postgresqls-ready.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/postgresqls-ready.yaml new file mode 100644 index 0000000000..618d1b081d --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/postgresqls-ready.yaml @@ -0,0 +1,27 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: postgresqls.acid.zalan.do + labels: + app.kubernetes.io/name: postgres-operator +status: + acceptedNames: + categories: + - all + kind: postgresql + listKind: postgresqlList + plural: postgresqls + shortNames: + - pg + singular: postgresql + conditions: + - message: no conflicts found + reason: NoConflicts + status: "True" + type: NamesAccepted + - message: the initial names have been accepted + reason: InitialNamesAccepted + status: "True" + type: Established + storedVersions: + - v1 diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/postgresqls.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/postgresqls.yaml new file mode 100644 index 0000000000..e6b570a23f --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/postgresqls.yaml 
@@ -0,0 +1,656 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: postgresqls.acid.zalan.do + labels: + app.kubernetes.io/name: postgres-operator +spec: + group: acid.zalan.do + names: + kind: postgresql + listKind: postgresqlList + plural: postgresqls + singular: postgresql + shortNames: + - pg + categories: + - all + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Team + type: string + description: Team responsible for Postgres cluster + jsonPath: .spec.teamId + - name: Version + type: string + description: PostgreSQL version + jsonPath: .spec.postgresql.version + - name: Pods + type: integer + description: Number of Pods per Postgres cluster + jsonPath: .spec.numberOfInstances + - name: Volume + type: string + description: Size of the bound volume + jsonPath: .spec.volume.size + - name: CPU-Request + type: string + description: Requested CPU for Postgres containers + jsonPath: .spec.resources.requests.cpu + - name: Memory-Request + type: string + description: Requested memory for Postgres containers + jsonPath: .spec.resources.requests.memory + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + - name: Status + type: string + description: Current sync status of postgresql resource + jsonPath: .status.PostgresClusterStatus + schema: + openAPIV3Schema: + type: object + required: + - kind + - apiVersion + - spec + properties: + kind: + type: string + enum: + - postgresql + apiVersion: + type: string + enum: + - acid.zalan.do/v1 + spec: + type: object + required: + - numberOfInstances + - teamId + - postgresql + - volume + properties: + additionalVolumes: + type: array + items: + type: object + required: + - name + - mountPath + - volumeSource + properties: + name: + type: string + mountPath: + type: string + targetContainers: + type: array + nullable: true + items: + type: string + volumeSource: + type: object + 
x-kubernetes-preserve-unknown-fields: true + subPath: + type: string + allowedSourceRanges: + type: array + nullable: true + items: + type: string + pattern: '^(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\/(\d|[1-2]\d|3[0-2])$' + clone: + type: object + required: + - cluster + properties: + cluster: + type: string + s3_endpoint: + type: string + s3_access_key_id: + type: string + s3_secret_access_key: + type: string + s3_force_path_style: + type: boolean + s3_wal_path: + type: string + timestamp: + type: string + pattern: '^([0-9]+)-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]+)?(([+-]([01][0-9]|2[0-3]):[0-5][0-9]))$' + # The regexp matches the date-time format (RFC 3339 Section 5.6) that specifies a timezone as an offset relative to UTC + # Example: 1996-12-19T16:39:57-08:00 + # Note: this field requires a timezone + uid: + format: uuid + type: string + connectionPooler: + type: object + properties: + dockerImage: + type: string + maxDBConnections: + type: integer + mode: + type: string + enum: + - "session" + - "transaction" + numberOfInstances: + type: integer + minimum: 1 + resources: + type: object + properties: + limits: + type: object + properties: + cpu: + type: string + pattern: '^(\d+m|\d+(\.\d{1,3})?)$' + memory: + type: string + pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' + requests: + type: object + properties: + cpu: + type: string + pattern: '^(\d+m|\d+(\.\d{1,3})?)$' + memory: + type: string + pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' + schema: + type: string + user: + type: string + databases: + type: object + additionalProperties: + type: string + # Note: usernames specified here as database owners must be declared in the users key of the spec key. 
+ dockerImage: + type: string + enableConnectionPooler: + type: boolean + enableReplicaConnectionPooler: + type: boolean + enableLogicalBackup: + type: boolean + enableMasterLoadBalancer: + type: boolean + enableMasterPoolerLoadBalancer: + type: boolean + enableReplicaLoadBalancer: + type: boolean + enableReplicaPoolerLoadBalancer: + type: boolean + enableShmVolume: + type: boolean + env: + type: array + nullable: true + items: + type: object + x-kubernetes-preserve-unknown-fields: true + init_containers: + type: array + description: deprecated + nullable: true + items: + type: object + x-kubernetes-preserve-unknown-fields: true + initContainers: + type: array + nullable: true + items: + type: object + x-kubernetes-preserve-unknown-fields: true + logicalBackupSchedule: + type: string + pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$' + maintenanceWindows: + type: array + items: + type: string + pattern: '^\ *((Mon|Tue|Wed|Thu|Fri|Sat|Sun):(2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))-((Mon|Tue|Wed|Thu|Fri|Sat|Sun):(2[0-3]|[01]?\d):([0-5]?\d)|(2[0-3]|[01]?\d):([0-5]?\d))\ *$' + masterServiceAnnotations: + type: object + additionalProperties: + type: string + nodeAffinity: + type: object + properties: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + type: object + required: + - preference + - weight + properties: + preference: + type: object + properties: + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchFields: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + weight: + format: int32 + type: integer + requiredDuringSchedulingIgnoredDuringExecution: + type: object + required: + - nodeSelectorTerms + properties: + nodeSelectorTerms: + type: 
array + items: + type: object + properties: + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + matchFields: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + numberOfInstances: + type: integer + minimum: 0 + patroni: + type: object + properties: + failsafe_mode: + type: boolean + initdb: + type: object + additionalProperties: + type: string + loop_wait: + type: integer + maximum_lag_on_failover: + type: integer + pg_hba: + type: array + items: + type: string + retry_timeout: + type: integer + slots: + type: object + additionalProperties: + type: object + additionalProperties: + type: string + synchronous_mode: + type: boolean + synchronous_mode_strict: + type: boolean + synchronous_node_count: + type: integer + ttl: + type: integer + podAnnotations: + type: object + additionalProperties: + type: string + pod_priority_class_name: + type: string + description: deprecated + podPriorityClassName: + type: string + postgresql: + type: object + required: + - version + properties: + version: + type: string + enum: + - "10" + - "11" + - "12" + - "13" + - "14" + - "15" + parameters: + type: object + additionalProperties: + type: string + preparedDatabases: + type: object + additionalProperties: + type: object + properties: + defaultUsers: + type: boolean + extensions: + type: object + additionalProperties: + type: string + schemas: + type: object + additionalProperties: + type: object + properties: + defaultUsers: + type: boolean + defaultRoles: + type: boolean + secretNamespace: + type: string + replicaLoadBalancer: + type: boolean + description: deprecated + replicaServiceAnnotations: + type: object + additionalProperties: + type: string + resources: + type: object + properties: + limits: + 
type: object + properties: + cpu: + type: string + # Decimal natural followed by m, or decimal natural followed by + # dot followed by up to three decimal digits. + # + # This is because the Kubernetes CPU resource has millis as the + # maximum precision. The actual values are checked in code + # because the regular expression would be huge and horrible and + # not very helpful in validation error messages; this one checks + # only the format of the given number. + # + # https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu + pattern: '^(\d+m|\d+(\.\d{1,3})?)$' + # Note: the value specified here must not be zero or be lower + # than the corresponding request. + memory: + type: string + # You can express memory as a plain integer or as a fixed-point + # integer using one of these suffixes: E, P, T, G, M, k. You can + # also use the power-of-two equivalents: Ei, Pi, Ti, Gi, Mi, Ki + # + # https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-memory + pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' + # Note: the value specified here must not be zero or be higher + # than the corresponding limit. 
+ requests: + type: object + properties: + cpu: + type: string + pattern: '^(\d+m|\d+(\.\d{1,3})?)$' + memory: + type: string + pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' + schedulerName: + type: string + serviceAnnotations: + type: object + additionalProperties: + type: string + sidecars: + type: array + nullable: true + items: + type: object + x-kubernetes-preserve-unknown-fields: true + spiloRunAsUser: + type: integer + spiloRunAsGroup: + type: integer + spiloFSGroup: + type: integer + standby: + type: object + properties: + s3_wal_path: + type: string + gs_wal_path: + type: string + standby_host: + type: string + standby_port: + type: string + oneOf: + - required: + - s3_wal_path + - required: + - gs_wal_path + - required: + - standby_host + streams: + type: array + items: + type: object + required: + - applicationId + - database + - tables + properties: + applicationId: + type: string + batchSize: + type: integer + database: + type: string + filter: + type: object + additionalProperties: + type: string + tables: + type: object + additionalProperties: + type: object + required: + - eventType + properties: + eventType: + type: string + idColumn: + type: string + payloadColumn: + type: string + teamId: + type: string + tls: + type: object + required: + - secretName + properties: + secretName: + type: string + certificateFile: + type: string + privateKeyFile: + type: string + caFile: + type: string + caSecretName: + type: string + tolerations: + type: array + items: + type: object + properties: + key: + type: string + operator: + type: string + enum: + - Equal + - Exists + value: + type: string + effect: + type: string + enum: + - NoExecute + - NoSchedule + - PreferNoSchedule + tolerationSeconds: + type: integer + useLoadBalancer: + type: boolean + description: deprecated + users: + type: object + additionalProperties: + type: array + nullable: true + items: + type: string + enum: + - bypassrls + - BYPASSRLS + - nobypassrls + - NOBYPASSRLS + - createdb 
+ - CREATEDB + - nocreatedb + - NOCREATEDB + - createrole + - CREATEROLE + - nocreaterole + - NOCREATEROLE + - inherit + - INHERIT + - noinherit + - NOINHERIT + - login + - LOGIN + - nologin + - NOLOGIN + - replication + - REPLICATION + - noreplication + - NOREPLICATION + - superuser + - SUPERUSER + - nosuperuser + - NOSUPERUSER + usersWithInPlaceSecretRotation: + type: array + nullable: true + items: + type: string + usersWithSecretRotation: + type: array + nullable: true + items: + type: string + volume: + type: object + required: + - size + properties: + iops: + type: integer + selector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + enum: + - DoesNotExist + - Exists + - In + - NotIn + values: + type: array + items: + type: string + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + size: + type: string + pattern: '^(\d+(e\d+)?|\d+(\.\d+)?(e\d+)?[EPTGMK]i?)$' + # Note: the value specified here must not be zero. + storageClass: + type: string + subPath: + type: string + throughput: + type: integer + status: + type: object + additionalProperties: + type: string diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/resource.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/resource.yaml new file mode 100644 index 0000000000..d6c04ec7bc --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd/resource.yaml @@ -0,0 +1,21 @@ +apiVersion: "acid.zalan.do/v1" +kind: postgresql +metadata: + name: acid-minimal-cluster + namespace: test-validate +spec: + teamId: "acid" + volume: + size: 1Gi + numberOfInstances: 2 + users: + # database owner + zalando: + - superuser + - createdb + + #databases: name->owner + databases: + foo: zalando + postgresql: + version: "15" 
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images/01-policy.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/trusted-images/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images/02-create-good.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images/02-create-good.yaml
new file mode 100644
index 0000000000..27dd9ba084
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/trusted-images/02-create-good.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: root-pod-from-trusted-registry
+ # namespace: default
+spec:
+ containers:
+ - name: kyverno
+ image: ghcr.io/kyverno/test-verify-image:unsigned
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images/03-create-bad.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images/03-create-bad.yaml
new file mode 100644
index 0000000000..7af48344c6
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/trusted-images/03-create-bad.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-bad
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: bad.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images/README.md b/test/conformance/chainsaw/validate/e2e/trusted-images/README.md
new file mode 100644
index 0000000000..40552dbb9b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/trusted-images/README.md
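Review bot: The positive case in 02-create-good.yaml only covers the registry branch of the rule: `root-pod-from-trusted-registry` is allowed because its registry is `ghcr.io`, so the `imageData.user` condition never decides the outcome, and the README's third outcome (a non-root image from a registry other than GHCR is allowed) has no step. A second good-case Pod whose image sets a non-root USER and lives outside `ghcr.io` would exercise the user condition; either way a comment on this manifest naming the branch it exercises (`# allowed via the registry condition, not the user condition`) would help. Both cases also depend on live registry access for the `imageRegistry` lookup, so a registry outage fails the good case and, with the any-error `check` in 03-create-bad.yaml, silently passes the bad one.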
@@ -0,0 +1,11 @@ +## Description + +This test is migrated from e2e. It tests an imageRegistry context lookup for a "real" image and states that an image built to run as root can only come from GHCR. + +## Expected Behavior + +If an image is built to run as root user and it does NOT come from GHCR, the Pod is blocked. If it either isn't built to run as root OR it is built to run as root and does come from GHCR, it is allowed. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images/bad.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images/bad.yaml new file mode 100644 index 0000000000..1fd8d42096 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/trusted-images/bad.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod-with-root-user-dockerhub + # namespace: default +spec: + containers: + - name: ubuntu + image: ubuntu:bionic \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images/policy-ready.yaml new file mode 100644 index 0000000000..a8eeb9b888 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/trusted-images/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-trustable-images +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml new file mode 100644 index 0000000000..6a424882df --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/trusted-images/policy.yaml 
@@ -0,0 +1,39 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-trustable-images
+spec:
+ admission: true
+ background: true
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: only-allow-trusted-images
+ preconditions:
+ all:
+ - key: '{{request.operation}}'
+ operator: NotEquals
+ value: DELETE
+ validate:
+ foreach:
+ - context:
+ - imageRegistry:
+ jmesPath: '{user: configData.config.User || '''', registry: registry}'
+ reference: '{{ element.image }}'
+ name: imageData
+ deny:
+ conditions:
+ all:
+ - key: '{{ imageData.user }}'
+ operator: Equals
+ value: ""
+ - key: '{{ imageData.registry }}'
+ operator: NotEquals
+ value: ghcr.io
+ list: request.object.spec.containers
+ message: images with root user are not allowed
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode/01-policy.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/x509-decode/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode/02-bad-configmap.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode/02-bad-configmap.yaml
new file mode 100644
index 0000000000..af3f109986
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/x509-decode/02-bad-configmap.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: bad-configmap
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: bad.yaml
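Review bot: The root-user test in `deny.conditions` treats only an empty `configData.config.User` as root, so an image whose config sets `USER 0`, `USER root` or `USER 0:0` runs as root but satisfies `Equals ""` and is admitted from any registry, contradicting the `images with root user are not allowed` message. If the policy is meant to match its message, the first condition should cover those spellings, e.g. `- key: '{{ imageData.user }}'`, `operator: AnyIn`, `value: ["", "0", "root", "0:0", "root:root"]`; the `ubuntu:bionic` negative case is still denied under that form. The `imageRegistry` context is also a network call per container at admission time under `validationFailureAction: Enforce`, so whether a lookup failure blocks or admits the Pod is worth stating in a comment next to `admission: true`.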
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode/03-good-configmap.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode/03-good-configmap.yaml new file mode 100644 index 0000000000..77e94b8d53 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/x509-decode/03-good-configmap.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-good-configmap +data: + cert: | + -----BEGIN CERTIFICATE----- + MIIDSjCCAjKgAwIBAgIUWxmj40l+TDVJq98Xy7c6Leo3np8wDQYJKoZIhvcNAQEL + BQAwPTELMAkGA1UEBhMCeHgxCjAIBgNVBAgTAXgxCjAIBgNVBAcTAXgxCjAIBgNV + BAoTAXgxCjAIBgNVBAsTAXgwHhcNMTgwMjAyMTIzODAwWhcNMjMwMjAxMTIzODAw + WjA9MQswCQYDVQQGEwJ4eDEKMAgGA1UECBMBeDEKMAgGA1UEBxMBeDEKMAgGA1UE + ChMBeDEKMAgGA1UECxMBeDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + ANHkqOmVf23KMXdaZU2eFUx1h4wb09JINBB8x/HL7UE0KFJcnOoVnNQB0gRukUop + iYCzrzMFyGWWmB/pAEKool+ZiI2uMy6mcYBDtOi4pOm7U0TQQMV6L/5Yfi65xRz3 + RTMd/tYAoFi4aCZbJAGjxU6UWNYDzTy8E/cP6ZnlNbVHRiA6/wHsoWcXtWTXYP5y + n9cf7EWQi1hOBM4BWmOIyB1f6LEgQipZWMOMPPHO3hsuSBn0rk7jovSt5XTlbgRr + txqAJiNjJUykWzIF+lLnZCioippGv5vkdGvE83JoACXvZTUwzA+MLu49fkw3bweq + kbhrer8kacjfGlw3aJN37eECAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1Ud + EwEB/wQFMAMBAf8wHQYDVR0OBBYEFKXcb52bv6oqnD+D9fTNFHZL8IWxMA0GCSqG + SIb3DQEBCwUAA4IBAQADvKvv3ym0XAYwKxPLLl3Lc6sJYHDbTN0donduG7PXeb1d + huukJ2lfufUYp2IGSAxuLecTYeeByOVp1gaMb5LsIGt2BVDmlMMkiH29LUHsvbyi + 85CpJo7A5RJG6AWW2VBCiDjz5v8JFM6pMkBRFfXH+pwIge65CE+MTSQcfb1/aIIo + Q226P7E/3uUGX4k4pDXG/O7GNvykF40v1DB5y7DDBTQ4JWiJfyGkT69TmdOGLFAm + jwxUjWyvEey4qJex/EGEm5RQcMv9iy7tba1wK7sykNGn5uDELGPGIIEAa5rIHm1F + UFOZZVoELaasWS559wy8og39Eq21dDMynb8Bndn/ + -----END CERTIFICATE----- + certB64: 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 diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode/README.md b/test/conformance/chainsaw/validate/e2e/x509-decode/README.md new file mode 100644 index 0000000000..9df9119997 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/x509-decode/README.md 
@@ -0,0 +1,11 @@ +## Description + +This test is migrated from e2e. It tests basic functionality of the x509_decode JMESPath filter. + +## Expected Behavior + +The `test-bad-configmap` should fail and the `test-good-configmap` should succeed. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode/bad.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode/bad.yaml new file mode 100644 index 0000000000..5b488bde03 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/x509-decode/bad.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-bad-configmap +data: + cert: | + -----BEGIN CERTIFICATE----- + MIIDSjCCAjKgAwIBAgIUWxmj40l+TDVJq98Xy7c6Leo3np8wDQYJKoZIhvcNAQEL + BQAwPTELMAkGA1UEBhMCeHgxCjAIBgNVBAgTAXgxCjAIBgNVBAcTAXgxCjAIBgNV + BAoTAXgxCjAIBgNVBAsTAXgwHhcNMTgwMjAyMTIzODAwWhcNMjMwMjAxMTIzODAw + WjA9MQswCQYDVQQGEwJ4eDEKMAgGA1UECBMBeDEKMAgGA1UEBxMBeDEKMAgGA1UE + ChMBeDEKMAgGA1UECxMBeDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + ANHkqOmVf23KMXdaZU2eFUx1h4wb09JINBB8x/HL7UE0KFJcnOoVnNQB0gRukUop + iYCzrzMFyGWWmB/pAEKool+ZiI2uMy6mcYBDtOi4pOm7U0TQQMV6L/5Yfi65xRz3 + RTMd/tYAoFi4aCZbJAGjxU6UWNYDzTy8E/cP6ZnlNbVHRiA6/wHsoWcXtWTXYP5y + n9cf7EWQi1hOBM4BWmOIyB1f6LEgQipZWMOMPPHO3hsuSBn0rk7jovSt5XTlbgRr + txqAJiNjJUykWzIF+lLnZCioippGv5vkdGvE83JoACXvZTUwzA+MLu49fkw3bweq + kbhrer8kacjfGlw3aJN37eECAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1Ud + EwEB/wQFMAMBAf8wHQYDVR0OBBYEFKXcb52bv6oqnD+D9fTNFHZL8IWxMA0GCSqG + SIb3DQEBCwUAA4IBAQADvKvv3ym0XAYwKxPLLl3Lc6sJYHDbTN0donduG7PXeb1d + huukJ2lfufUYp2IGSAxuLecTYeeByOVp1gaMb5LsIGt2BVDmlMMkiH29LUHsvbyi + 85CpJo7A5RJG6AWW2VBCiDjz5v8JFM6pMkBRFfXH+pwIge65CE+MTSQcfb1/aIIo + Q226P7E/3uUGX4k4pDXG/O7GNvykF40v1DB5y7DDBTQ4JWiJfyGkT69TmdOGLFAm + jwxUjWyvEey4qJex/EGEm5RQcMv9iy7tba1wK7sykNGn5uDELGPGIIEAa5rIHm1F + UFOZZVoELaasWS559wy8og39Eq21dDMynb8Bndn/ + -----END CERTIFICATE----- + certB64: 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 
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode/policy-ready.yaml
new file mode 100644
index 0000000000..f83bb3d222
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/x509-decode/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-x509-decode
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml
new file mode 100644
index 0000000000..88ab88b726
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/x509-decode/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-x509-decode
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: test-x509-decode
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - test-*
+ validate:
+ message: "public key modulus mismatch: \"{{ x509_decode('{{request.object.data.cert}}').PublicKey.N }}\" != \"{{ x509_decode('{{base64_decode('{{request.object.data.certB64}}')}}').PublicKey.N }}\""
+ deny:
+ conditions:
+ any:
+ - key: "{{ x509_decode('{{request.object.data.cert}}').PublicKey.N }}"
+ operator: NotEquals
+ value: "{{ x509_decode('{{base64_decode('{{request.object.data.certB64}}')}}').PublicKey.N }}"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/01-policy.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/01-policy.yaml
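Review bot: Both deny expressions in policy.yaml nest a variable substitution inside a JMESPath string argument (`x509_decode('{{request.object.data.cert}}')`), so the ConfigMap's `cert` and `certB64` values are spliced into the expression text before it is parsed; a value containing a single quote, or a ConfigMap matching `test-*` that lacks one of the keys, produces an evaluation error rather than the declared modulus-mismatch message, and under `Enforce` the request is still rejected but for a different reason than the one the rule documents. A comment above `deny:` stating that the rule only checks that `cert` and `certB64` decode to the same RSA modulus, and says nothing about chain or validity period, would keep the test from being read as certificate validation. As far as the embedded base64 in the fixture decodes, its validity window is 2018-02-02 through 2023-02-01, so any expiry-aware check added later would turn this test red; noting that next to the fixture is worthwhile.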
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/02-good-deployment.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing/02-good-deployment.yaml new file mode 100644 index 0000000000..ffd1fdeca1 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/02-good-deployment.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/wBaAaX+H4sIAAAAAAAA/+ySz27bMAzGffZT8AUcSf6TpDrvuMMOw64DazOeEP2bxBZtn35wnXhegOW4oYB/F9rg930gQYlnTOIU7EApC/8mlDye7c9xqNk/Stc49902rn1ppZRy9OKr6IOLiXI2fqwYUzW+KXmQDw9tUx8FU+ZqoGjDqyPPu1d0tigm775t3+th371XWc//E12zL1Rbq042XacOhWzquusKkMU/4CkzpkLKdH4awh1dZjyd7vQvuyz1g4DRfKOUTfAaMMYsnlV5Nn7Q8Gk5Y+mIcUBGXQJYfCSbpy+YDBr8aPxLCeDRkYabF1DmSP0kThSt6TFrUCVAJks9hzTHOOT+x+dV7k0yk4sWmS7q1TAT9g/jjRXgOsBEHzyj8ZRW8gqMw5EuFq12qt3VS/e61u+8mRgSr0LmoCX+S0is4SjL/33djY2Njb/zKwAA//+MAMwjAAgAAAEAAP//7NcJ9loBAAA= + cosign.sigstore.dev/signature: MEUCICLCfb3LGKXcdKV3gTXl6qba3T2goZMbVX/54gyNR05UAiEAlvPuWVsCPuBx5wVqvtyT7hr/AfR9Fl7cNLDACaNIbx8= + labels: + app: nginx + name: test-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/03-bad-deployment.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing/03-bad-deployment.yaml new file mode 100644 index 0000000000..2b52be6762 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/03-bad-deployment.yaml 
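Review bot: 02-good-deployment.yaml is a signed manifest, and `cosign.sigstore.dev/signature` covers the manifest body, so any edit to the file — bumping `nginx:1.14.2`, adding a label, reindenting — invalidates the signature and the good case starts failing with no hint as to why. A comment at the top of the file would save the next maintainer a round trip: `# Signed with the key in policy.yaml; re-sign with cosign after ANY change to this manifest.` The signing key does not appear in this change, so the comment should also point at wherever re-signing is documented, if it is.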
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: bad-deployment
+spec:
+ timeouts: {}
+ try:
+ - script:
+ content: "if kubectl apply -f bad.yaml\nthen \n echo \"Tested failed. Deployment
+ was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test
+ succeeded. Deployment was not created as intended.\"\n exit 0\nfi\n"
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/README.md b/test/conformance/chainsaw/validate/e2e/yaml-signing/README.md
new file mode 100644
index 0000000000..421d1f1220
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test is migrated from e2e. It tests basic YAML manifest signature validation functionality.
+
+## Expected Behavior
+
+The `test-deployment` (defined in `bad.yaml`) should fail because it matches the policy conditions yet has not been signed while the `test-deployment` (defined in `02-good-deployment.yaml`) should pass because it also matches yet has been signed and the signature is valid according to the public key defined in the policy.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/bad.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing/bad.yaml
new file mode 100644
index 0000000000..2d62719135
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/bad.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx
+ name: test-deployment
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - image: nginx:1.14.2
+ name: nginx
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy-ready.yaml
new file mode 100644
index 0000000000..85287d431e
--- /dev/null
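Review bot: The script step in `03-bad-deployment.yaml` treats any non-zero exit of `kubectl apply -f bad.yaml` as "the policy rejected the Deployment", so a policy that never became ready, a webhook timeout or an unreachable API server also prints "Test succeeded" and passes. I would capture the output and require the policy's name in the rejection, e.g. `out=$(kubectl apply -f bad.yaml 2>&1) && exit 1` followed by `printf '%s\n' "$out" | grep -q validate-resources`, or switch to an `apply` step with a `check` on the error text as the `verify-manifests/*/02-resources.yaml` steps do. The echo text `Tested failed.` should read `Test failed.`, and the script is easier to review as a `content: |-` block scalar than as a double-quoted string with embedded `\n` and folded continuation lines.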
+++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-resources
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml
new file mode 100644
index 0000000000..031a39261d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml
@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-resources
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: validate-resources
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ - Pod
+ name: test*
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ subjects:
+ - kind: ServiceAccount
+ namespace: kube-system
+ name: replicaset-controller
+ - resources:
+ kinds:
+ - ReplicaSet
+ subjects:
+ - kind: ServiceAccount
+ namespace: kube-system
+ name: deployment-controller
+ validate:
+ manifests:
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
+ BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
+ ctlog:
+ ignoreSCT: true
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/01-deployment.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/01-deployment.yaml
index 77f2a7f75f..74e509eb90 100644
--- a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/01-deployment.yaml
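Review bot: `yaml-signing/policy.yaml` sets `ignoreTlog: true` and `ignoreSCT: true` while still pointing `rekor.url` at `https://rekor.sigstore.dev`, and nothing in the file says why; a comment such as `# transparency-log and SCT checks are disabled so the test has no network dependency on Rekor; keep them enabled in real policies` would stop this block being copied into production policies as-is. The second `exclude` entry targets kind `ReplicaSet`, which the rule's `match` never covers (only `Deployment` and `Pod`), so it is a no-op unless autogen expands the rule; if that is the intent a comment should say so, otherwise the entry should be dropped. The same public key is embedded verbatim in `verify-manifests/multi-signatures/policy.yaml` and `verify-manifests/single-signature/policy.yaml`; a shared fixture or a comment naming the key pair it belongs to would make later rotation easier.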
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/01-deployment.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: deployment
 spec:
+ timeouts: {}
 try:
 - apply:
 file: deployment.yaml
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/02-policy.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/02-policy.yaml
index cb209bd523..909c002ac4 100644
--- a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/02-policy.yaml
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/02-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/03-report.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/03-report.yaml
index 7ca0b48244..7cc1316356 100644
--- a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/03-report.yaml
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/03-report.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: report
 spec:
+ timeouts: {}
 try:
 - assert:
 file: report-assert.yaml
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/04-sleep.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/04-sleep.yaml
new file mode 100644
index 0000000000..f30782fbbe
--- /dev/null
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "4"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/01-deployment.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/01-deployment.yaml
index 77f2a7f75f..74e509eb90 100644
--- a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/01-deployment.yaml
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/01-deployment.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: deployment
 spec:
+ timeouts: {}
 try:
 - apply:
 file: deployment.yaml
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/02-policy.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/02-policy.yaml
index cb209bd523..909c002ac4 100644
--- a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/02-policy.yaml
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/02-policy.yaml
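Review bot: `validating-admission-policy-fail/04-sleep.yaml` runs `sleep 4` as a step after the `03-report.yaml` assertion has already passed, so at this position the delay cannot be what makes the report assertion reliable, and a fixed sleep is otherwise a standing source of flakiness. If the step exists to let background processing settle before the test's cleanup, a comment on the step such as `# gives the background controller time to finish before resources are deleted` would document that; if not, the wait belongs in the assert step's `timeouts` rather than in a separate sleep. The same after-the-assert ordering appears in `validating-admission-policy-pass/04-sleep.yaml`, whereas `events/03-sleep.yaml` correctly precedes its `04-event.yaml` assertion.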
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/03-report.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/03-report.yaml
index 7ca0b48244..7cc1316356 100644
--- a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/03-report.yaml
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/03-report.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: report
 spec:
+ timeouts: {}
 try:
 - assert:
 file: report-assert.yaml
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/04-sleep.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/04-sleep.yaml
new file mode 100644
index 0000000000..f30782fbbe
--- /dev/null
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/04-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "4"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/events/01-deployment.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/events/01-deployment.yaml
index 77f2a7f75f..74e509eb90 100644
--- a/test/conformance/chainsaw/validating-admission-policy-reports/events/01-deployment.yaml
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/events/01-deployment.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: deployment
 spec:
+ timeouts: {}
 try:
 - apply:
 file: deployment.yaml
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/events/02-policy.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/events/02-policy.yaml
index cb209bd523..909c002ac4 100644
--- a/test/conformance/chainsaw/validating-admission-policy-reports/events/02-policy.yaml
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/events/02-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/events/03-sleep.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/events/03-sleep.yaml
new file mode 100644
index 0000000000..01d2ae5728
--- /dev/null
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/events/03-sleep.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: sleep
+spec:
+ timeouts: {}
+ try:
+ - command:
+ args:
+ - "5"
+ entrypoint: sleep
diff --git a/test/conformance/chainsaw/validating-admission-policy-reports/events/03-event.yaml b/test/conformance/chainsaw/validating-admission-policy-reports/events/04-event.yaml
similarity index 75%
rename from test/conformance/chainsaw/validating-admission-policy-reports/events/03-event.yaml
rename to test/conformance/chainsaw/validating-admission-policy-reports/events/04-event.yaml
index 935bde52fa..fa5aa2c741 100644
--- a/test/conformance/chainsaw/validating-admission-policy-reports/events/03-event.yaml
+++ b/test/conformance/chainsaw/validating-admission-policy-reports/events/04-event.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: event
 spec:
+ timeouts: {}
 try:
 - assert:
 file: policy-event.yaml
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/01-policy.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/02-resources.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/02-resources.yaml
new file mode 100644
index 0000000000..4edbb173bb
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/02-resources.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: resource-no-signature.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: resource-one-signature.yaml
+ - apply:
+ file: resource-two-signatures.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: resource-bad-signatures.yaml
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/README.md b/test/conformance/chainsaw/verify-manifests/multi-signatures/README.md
new file mode 100644
index 0000000000..ce47d1280c
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/README.md
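Review bot: The `check: (error != null): true` assertions in `multi-signatures/02-resources.yaml` accept any error from `apply`, so a webhook timeout, an RBAC failure or a malformed fixture satisfies the "rejected" expectation just as well as a failed signature verification, and the test cannot tell the policy's denial from an environment fault. Asserting on the message, for example `(contains(error, 'validate-yaml')): true` if chainsaw's JMESPath checks support it, would tie each rejection to the `validate-yaml` policy. The same pattern is used in `verify-manifests/single-signature/02-resources.yaml`.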
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy to verify manifests signatures.
+The policy specifies that two signatures are expected to be valid.
+
+## Expected Behavior
+
+Resource with no signature should be rejected.
+Resource with one signature should be rejected.
+Resource with two signatures should be accepted.
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy-assert.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy-assert.yaml
new file mode 100644
index 0000000000..582ac4e67a
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-yaml
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml
new file mode 100644
index 0000000000..e862e67b54
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml
@@ -0,0 +1,42 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-yaml
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: validate-yaml
+ match:
+ any:
+ - resources:
+ kinds:
+ - Service
+ validate:
+ manifests:
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
+ BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
+ ctlog:
+ ignoreSCT: true
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
+ FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
+ ctlog:
+ ignoreSCT: true
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-bad-signatures.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-bad-signatures.yaml
new file mode 100644
index 0000000000..736b82c127
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-bad-signatures.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+ cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+ cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+ name: test-service3
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: NotMyApp
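Review bot: `resource-bad-signatures.yaml` carries the same `cosign.sigstore.dev/message` and both signatures as `resource-two-signatures.yaml` and differs only in `selector.app: NotMyApp`, which is what invalidates the signatures, but nothing in the fixture says so; a comment on the selector such as `# signatures above were produced over app: MyApp, so this tampered selector must be rejected` would stop a reader from taking the file for a copy-paste error. In `multi-signatures/policy.yaml` the two attestor entries carry no `count`, so both keys must verify; the README states this but the policy does not, and a one-line comment on `attestors` would make the fixture self-describing. The `ignoreTlog: true` / `ignoreSCT: true` settings are again present without a note that they are test-only relaxations.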
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-no-signature.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-no-signature.yaml
new file mode 100644
index 0000000000..87100c787a
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-no-signature.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-service1
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-one-signature.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-one-signature.yaml
new file mode 100644
index 0000000000..3de473b4ee
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-one-signature.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA
+ cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y=
+ name: test-service2
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-two-signatures.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-two-signatures.yaml
new file mode 100644
index 0000000000..50a69cf200
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/resource-two-signatures.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+ cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+ cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+ name: test-service3
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/01-policy.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/02-resources.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/02-resources.yaml
new file mode 100644
index 0000000000..96e1e23787
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature/02-resources.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resources
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: resource-no-signature.yaml
+ - apply:
+ file: resource-one-signature.yaml
+ - apply:
+ file: resource-two-signatures.yaml
+ - apply:
+ check:
+ (error != null): true
+ file: resource-bad-signatures.yaml
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/README.md b/test/conformance/chainsaw/verify-manifests/single-signature/README.md
new file mode 100644
index 0000000000..cf5eb1c5b2
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy to verify manifests signatures.
+The policy specifies that at least one signature is expected to be valid.
+
+## Expected Behavior
+
+Resource with no signature should be rejected.
+Resource with one signature should be accepted.
+Resource with two signatures should be accepted.
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/policy-assert.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/policy-assert.yaml
new file mode 100644
index 0000000000..582ac4e67a
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-yaml
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml
new file mode 100644
index 0000000000..156eda52fe
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-yaml
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: validate-yaml
+ match:
+ any:
+ - resources:
+ kinds:
+ - Service
+ validate:
+ manifests:
+ attestors:
+ - count: 1
+ entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
+ BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
+ -----END PUBLIC KEY-----
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
+ FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
+ -----END PUBLIC KEY-----
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/resource-bad-signatures.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/resource-bad-signatures.yaml
new file mode 100644
index 0000000000..736b82c127
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature/resource-bad-signatures.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+ cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+ cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+ name: test-service3
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: NotMyApp
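Review bot: `single-signature/policy.yaml` omits the `rekor` / `ctlog` settings (`ignoreTlog: true`, `ignoreSCT: true`) that its sibling `multi-signatures/policy.yaml` sets on every key entry, so unless the default for manifest verification already skips transparency-log lookups this test may depend on network access to Rekor and fail or hang in an isolated CI environment while the sibling passes. Either add the same block for consistency, or state in a comment that this test deliberately exercises the defaults. `count: 1` on the attestor is the only place the "at least one of two keys" semantics described in the README is expressed; a comment on that line, e.g. `# any one of the two keys below is sufficient`, would tie the policy to the expected behaviour.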
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/resource-no-signature.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/resource-no-signature.yaml
new file mode 100644
index 0000000000..87100c787a
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature/resource-no-signature.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-service1
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/resource-one-signature.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/resource-one-signature.yaml
new file mode 100644
index 0000000000..3de473b4ee
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature/resource-one-signature.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA
+ cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y=
+ name: test-service2
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/resource-two-signatures.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/resource-two-signatures.yaml
new file mode 100644
index 0000000000..50a69cf200
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature/resource-two-signatures.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+ cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+ cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+ name: test-service3
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 9376
+ selector:
+ app: MyApp
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-assert.yaml
new file mode 100644
index 0000000000..a0c2dc8a1b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-signatures
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml
new file mode 100644
index 0000000000..81ad463757
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/01-policy.yaml
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate-signatures
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-1
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - attestors:
+ - count: 1
+ entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
+ ctlog:
+ ignoreSCT: true
+ imageReferences:
+ - ghcr.io/kyverno/test-verify-image:*
+ mutateDigest: true
+ required: true
+ verifyDigest: true
+ - name: check-2
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - attestors:
+ - count: 1
+ entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOUD2uzRHLnx1oH6XAnF+8haL73BF
+ zh9pMI1x1/c4Nj/w+rsrgMCDyV/S8hmsXEbizhYD3QndVtV1piBDfDIb8w==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
+ ctlog:
+ ignoreSCT: true
+ imageReferences:
+ - my.local.repo/*
+ mutateDigest: false
+ required: true
+ verifyDigest: false
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml
new file mode 100644
index 0000000000..b1cd0a9ce3
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-assert.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed
+ namespace: default
+spec:
+ containers:
+ - name: signed
\ No newline at end of file
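Review bot: Rule `check-2` in `multiple-attestors/01-policy.yaml` sets `mutateDigest: false` and `verifyDigest: false` while `check-1` sets both to true, and nothing explains the asymmetry; since `check-2` only matches `my.local.repo/*` and the `signed` pod in `02-pod.yaml` uses `ghcr.io/kyverno/test-verify-image:signed`, it looks like a deliberately non-firing second rule, and a comment such as `# second attestor rule for a repo the test pod never uses; digest checks are off to keep it inert` would make the corner case readable. Both rules disable Rekor and SCT verification against a static key, which is reasonable for a fixture but should be said in a comment so the block is not copied into a real policy unchanged. `02-assert.yaml` only checks the container name, so the `mutateDigest: true` path of `check-1` is not actually asserted; an `image` field pinned to the expected digest would close that gap.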
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml
new file mode 100644
index 0000000000..775c9c20c3
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/02-pod.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed
+ imagePullPolicy: IfNotPresent
+ name: signed
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/README.md
new file mode 100644
index 0000000000..b3626dfecd
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/README.md
@@ -0,0 +1,11 @@
+## Description
+
+A `VerifyImages` rule specifying multiple attestors should allow pod creation with valid images.
+
+## Expected Behavior
+
+The pod `signed` should be created successfully.
+
+## Reference Issue(s)
+
+Slack discussion - https://kubernetes.slack.com/archives/CLGR9BJU9/p1673303296239259.
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-assert.yaml
new file mode 100644
index 0000000000..8719f9010a
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: verify-image-with-multi-keys
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml
new file mode 100644
index 0000000000..227475e62f
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/01-manifests.yaml
@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: default
+ name: keys
+data:
+ org: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
+ 50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==
+ -----END PUBLIC KEY-----
+ org1:
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkooBXoWI+9fAJWeWoB26K539sTp/
+ 50J9t2brN73cxQURl1TCbUvw+3T/XmOCwVrkP6stjHJN2SatnhLmx6736A==
+ -----END PUBLIC KEY-----
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: verify-image-with-multi-keys
+ annotations:
+ policies.kyverno.io/title: Verify Image with Multiple Keys
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.7.0
+ kyverno.io/kyverno-version: 1.7.2
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ There may be multiple keys used to sign images based on
+ the parties involved in the creation process. This image
+ verification policy requires the named image be signed by
+ two separate keys. It will search for a global "production"
+ key in a ConfigMap called `key` in the `default` Namespace
+ and also a Namespace key in the same ConfigMap.
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: check-image-with-two-keys
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ context:
+ - name: keys
+ configMap:
+ name: keys
+ namespace: default
+ verifyImages:
+ - image: "*"
+ key: "{{ keys.data.org }}"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/README.md
new file mode 100644
index 0000000000..73e0b53bb4
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/README.md
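Review bot: In `configmap-context-lookup/01-manifests.yaml` the ConfigMap key `org1` has no `|-` block indicator, so its three PEM lines fold into one space-separated plain scalar that is not a usable PEM key; either give it `|-` as `org` has, or drop it, since the policy only reads `{{ keys.data.org }}`. The `policies.kyverno.io/description` annotation says the image must be signed by two separate keys looked up from a ConfigMap called `key`, while the rule verifies a single key from a ConfigMap named `keys`; the description should be brought in line with what the rule does. The rule also uses the `verifyImages: - image / key` form whereas `multiple-attestors/01-policy.yaml` in the same commit uses `imageReferences` / `attestors`; if the older form is kept on purpose to cover that code path for the configmap lookup, a comment saying so would prevent a later "modernisation" from silently changing what the test covers.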
@@ -0,0 +1,13 @@ +## Description + +The configmap context lookup uses informer's cache internally, the background processing should use the same to resolve configmap context without crashing Kyverno. + +This is the second test for configmap lookup, see `test/conformance/kuttl/validate/clusterpolicy/standard/audit/configmap-context-lookup/README.md` for another. + +## Expected Behavior + +Policy is expected to be successfully created AND not result in an internal panic. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/5704 \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml new file mode 100644 index 0000000000..6134698445 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml new file mode 100644 index 0000000000..24dae9ea6d --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/02-resources.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resources +spec: + timeouts: {} + try: + - apply: + file: resource.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/README.md new file mode 100644 index 0000000000..1a0dedf626 --- /dev/null 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/README.md @@ -0,0 +1,8 @@ +## Description + +This test creates a policy to verify images signature. +It then creates a `Deployment` that references an image with an empty string. + +## Expected Behavior + +The deployment should be created without error. diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy-assert.yaml new file mode 100644 index 0000000000..a2d2cc907e --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: keyed-basic-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml new file mode 100644 index 0000000000..1d64382014 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml 
@@ -0,0 +1,39 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: keyed-basic-policy +spec: + admission: true + background: false + failurePolicy: Fail + rules: + - match: + any: + - resources: + kinds: + - Pod + name: keyed-basic-rule + verifyImages: + - attestors: + - entries: + - keys: + ctlog: + ignoreSCT: true + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM + 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== + -----END PUBLIC KEY----- + rekor: + ignoreTlog: true + url: https://rekor.sigstore.dev + signatureAlgorithm: sha256 + imageReferences: + - '*' + mutateDigest: true + required: true + useCache: true + verifyDigest: true + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/resource.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/resource.yaml new file mode 100644 index 0000000000..e739848a9a --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/resource.yaml @@ -0,0 +1,32 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"httpd:latest","namespace":"example-namespace"},"fieldPath":"spec.template.spec.containers[?(@.name==\"httpd\")].image"}]' + openshift.io/generated-by: OpenShiftNewApp + labels: + app: httpd + app.kubernetes.io/component: httpd + app.kubernetes.io/instance: httpd + name: httpd +spec: + replicas: 1 + selector: + matchLabels: + deployment: httpd + strategy: {} + template: + metadata: + annotations: + openshift.io/generated-by: OpenShiftNewApp + labels: + deployment: httpd + spec: + containers: + - image: ' ' + name: httpd + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 8443 + protocol: TCP 
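Review bot: The container image in `resource.yaml` is `' '` (a single space), whereas the README for this test says the Deployment references an empty string; a blank and a whitespace-only reference are different inputs to the image-reference parser, so either change it to `image: ''` or add a second container so both shapes are exercised. The `image.openshift.io/triggers` annotation hints at the real-world origin of this fixture and deserves a one-line comment above the container, e.g. `# image is intentionally blank: an OpenShift image trigger fills it in after admission`. The policy under test has `mutateDigest: true`, yet no step asserts that the Deployment's template was left untouched after admission; an assert file repeating `image: ' '` would pin that.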
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml new file mode 100644 index 0000000000..6f5564258f --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: failure-policy-test-noconfigmap-diffimage-success diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml new file mode 100644 index 0000000000..9e0de98696 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create-bad-pod +spec: + timeouts: {} + try: + - apply: + file: bad-pod.yaml 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/README.md new file mode 100644 index 0000000000..c40477b6f5 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/README.md @@ -0,0 +1,11 @@ +## Description + +This test verifies that resource creation is not blocked if the `failurePolicy` is set to `Ignore`, when there is an error resolving context variables. + +## Expected Behavior + +The pod should be created successfully. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6742 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/bad-pod.yaml new file mode 100644 index 0000000000..0d38ac01a6 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/bad-pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-fail + namespace: failure-policy-test-noconfigmap-diffimage-success +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed + name: test-fail diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy-ready.yaml new file mode 100644 index 0000000000..cfdc4c1e1c --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy-ready.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: image-verify-polset-failurepolicy-ignore +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml new file mode 100644 index 0000000000..2b70672960 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml @@ -0,0 +1,37 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + name: image-verify-polset-failurepolicy-ignore +spec: + background: false + failurePolicy: Ignore + rules: + - context: + - configMap: + name: myconfigmap + namespace: mynamespace + name: myconfigmap + match: + any: + - resources: + kinds: + - Pod + name: image-verify-pol1 + verifyImages: + - imageReferences: + - ghcr.io/* + mutateDigest: false + verifyDigest: false + attestors: + - entries: + - keys: + publicKeys: '{{myconfigmap.data.configmapkey}}' + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ctlog: + ignoreSCT: true + validationFailureAction: Audit + webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/00-crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/00-crd.yaml new file mode 100644 index 0000000000..b5096b7a9f --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/00-crd.yaml 
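Review bot: This policy combines `failurePolicy: Ignore` with `validationFailureAction: Audit`, so the pod in this test would most likely be admitted even if the missing `myconfigmap` ConfigMap were surfaced as a rule failure rather than a webhook error — the pass does not isolate the `failurePolicy` behaviour the README says it verifies. Switching to `validationFailureAction: Enforce` would make the creation succeed only because of `failurePolicy: Ignore`. Separately, the policy should say that `Ignore` on an image-verification rule is fail-open: a missing ConfigMap, an RBAC error or a webhook timeout silently skips signature checking, e.g. `# failurePolicy: Ignore is deliberate: verification fails open when the context lookup errors (test fixture only)`.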
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: crd +spec: + timeouts: {} + try: + - apply: + file: crd.yaml + - assert: + file: crd-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml new file mode 100644 index 0000000000..6e15eef2ee --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/02-task.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: task +spec: + timeouts: {} + try: + - apply: + file: task.yaml + - assert: + file: task.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/README.md new file mode 100644 index 0000000000..6abc915a9b --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/README.md 
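Review bot: The `task` step asserts `task.yaml`, the very file it just applied, so it only proves the Task exists and not what this test's README promises: that the `kyverno.io/verify-images` annotation was written with the digest-pinned image and `true`. Add a dedicated assert file that checks `metadata.annotations` for that key and point the `assert` at it; the expected value can be taken from a first successful run. As written, a regression in which the policy matches the Task but never verifies (or skips) the image would still pass this step.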
@@ -0,0 +1,3 @@ +# Title + +Checks that more complex image extraction with keyless verification and required=true is working by submitting a Task which uses a verified container image. The Task should be created and the annotation `kyverno.io/verify-images` written which contains the image with digest and `true` indicating it was verified. \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/crd-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/crd-ready.yaml new file mode 100644 index 0000000000..f592e6b44d --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/crd-ready.yaml @@ -0,0 +1,4 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/crd.yaml new file mode 100644 index 0000000000..145b9e0120 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/crd.yaml @@ -0,0 +1,24 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + subresources: + status: {} + names: + kind: Task + plural: tasks + categories: + - tekton + - tekton-pipelines + scope: Namespaced 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy-ready.yaml new file mode 100644 index 0000000000..058180242b --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: tasks-keyless +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml new file mode 100644 index 0000000000..b5e0e3fc41 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: tasks-keyless +spec: + admission: true + background: true + rules: + - imageExtractors: + Task: + - path: /spec/steps/*/image + match: + any: + - resources: + kinds: + - tekton.dev/v1beta1/Task + name: verify-images + preconditions: + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE + verifyImages: + - attestors: + - count: 1 + entries: + - keyless: + ctlog: + ignoreSCT: true + issuer: https://token.actions.githubusercontent.com + rekor: + url: https://rekor.sigstore.dev + subject: https://github.com/* + imageReferences: + - ghcr.io/* + mutateDigest: true + required: true + useCache: true + verifyDigest: true + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 
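Review bot: The keyless attestor accepts `subject: https://github.com/*` with the GitHub Actions issuer, so any image under `ghcr.io/*` signed by any repository's workflow satisfies the rule; the image used by this test is `ghcr.io/sigstore/cosign/cosign`, so the identity can be pinned to `subject: https://github.com/sigstore/cosign/*`. For a conformance fixture the wildcard is tolerable, but this directory will be copied as a sample and the subject is the only thing binding the signature to a publisher. `ctlog.ignoreSCT: true` likewise disables the certificate-transparency check; a comment marking both relaxations as test-only would prevent cargo-culting, e.g. `# test fixture: the broad subject and ignoreSCT are NOT production settings`.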
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/task.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/task.yaml new file mode 100644 index 0000000000..d70f7c06f2 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/task.yaml @@ -0,0 +1,8 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: example-task-name +spec: + steps: + - name: cosign + image: ghcr.io/sigstore/cosign/cosign@sha256:33a6a55d2f1354bc989b791974cf4ee00a900ab9e4e54b393962321758eee3c6 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/00-crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/00-crd.yaml new file mode 100644 index 0000000000..b5096b7a9f --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/00-crd.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: crd +spec: + timeouts: {} + try: + - apply: + file: crd.yaml + - assert: + file: crd-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml new file mode 100644 index 0000000000..66057a045c --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/02-create-task.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create-task +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: badtask.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/03-errors.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/03-errors.yaml new file mode 100644 index 0000000000..7d55f37d42 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/03-errors.yaml @@ -0,0 +1,4 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: example-task-name diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/README.md new file mode 100644 index 0000000000..698da27e03 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/README.md @@ -0,0 +1,3 @@ +# Title + +Checks that more complex image extraction is working by submitting a Task which uses an unverified container image. The Task should fail to be created since the supplied public key is not valid for it (the image is unsigned). \ No newline at end of file 
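Review bot: The `(error != null): true` check in the `create-task` step only proves that applying `badtask.yaml` failed for some reason; a CRD that is not yet served, a webhook timeout or a typo in the manifest would satisfy it just as well as the image-verification denial the README expects. If the apply check exposes the error text (the `error` name compared here suggests it does), tighten it to match the denial, e.g. `(contains(error, 'verify-images')): true`, so the step fails when the rejection comes from anywhere other than the `tasks-complex` policy. The following `03-errors.yaml` appears intended to assert that the Task does not exist, which is a good complement but still does not distinguish the failure cause.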
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/badtask.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/badtask.yaml new file mode 100644 index 0000000000..e7e28c800c --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/badtask.yaml @@ -0,0 +1,8 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: example-task-name +spec: + steps: + - name: ubuntu-example + image: ubuntu:bionic diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/crd-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/crd-ready.yaml new file mode 100644 index 0000000000..f592e6b44d --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/crd-ready.yaml @@ -0,0 +1,4 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/crd.yaml new file mode 100644 index 0000000000..145b9e0120 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/crd.yaml @@ -0,0 +1,24 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + subresources: + status: {} + names: + kind: Task + plural: tasks + categories: + - tekton + - tekton-pipelines + scope: Namespaced 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy-ready.yaml new file mode 100644 index 0000000000..b585ce2dc6 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: tasks-complex +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml new file mode 100644 index 0000000000..a0d1272bb1 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml @@ -0,0 +1,35 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: tasks-complex +spec: + admission: true + background: true + rules: + - imageExtractors: + Task: + - key: name + name: steps + path: /spec/steps/* + value: image + match: + any: + - resources: + kinds: + - tekton.dev/v1beta1/Task + name: verify-images + preconditions: + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE + verifyImages: + - image: '*' + key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END + PUBLIC KEY----- " + mutateDigest: true + required: true + useCache: true + verifyDigest: true + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/00-crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/00-crd.yaml new file mode 100644 index 0000000000..b5096b7a9f --- /dev/null 
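Review bot: The public key in `policy.yaml` is a double-quoted scalar with `\n` escapes, split across two source lines and ending in a trailing blank before the closing quote (`-----END PUBLIC KEY----- `); the break folds into a space and the PEM decoder likely tolerates the trailing blank, but the form is fragile and disagrees with `imageExtractors-none/policy.yaml` in this same change, which writes `key: |-` followed by the three PEM lines. Rewrite it in that literal-block form (the `imageExtractors-simple` policy carries the same quoted string) so the fixtures agree and the key is readable and diffable. The rule also uses the older `image:`/`key:` fields rather than `imageReferences`/`attestors` like the other new fixtures; if that is deliberate coverage of the legacy form, say so with `# uses the legacy image/key form on purpose` so nobody "modernises" it away.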
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/00-crd.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: crd +spec: + timeouts: {} + try: + - apply: + file: crd.yaml + - assert: + file: crd-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml new file mode 100644 index 0000000000..6e15eef2ee --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/02-task.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: task +spec: + timeouts: {} + try: + - apply: + file: task.yaml + - assert: + file: task.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/README.md new file mode 100644 index 0000000000..d4dd872f51 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/README.md 
@@ -0,0 +1,3 @@ +# Title + +Checks that a ClusterPolicy without defining an imageExtractor causes a CustomResource to pass through. Since the ClusterPolicy does not name a field from which to extract the image, no verification can be performed. Expected result is the Task is created even though the image within is not verified. \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/crd-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/crd-ready.yaml new file mode 100644 index 0000000000..f592e6b44d --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/crd-ready.yaml @@ -0,0 +1,4 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/crd.yaml new file mode 100644 index 0000000000..145b9e0120 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/crd.yaml @@ -0,0 +1,24 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + subresources: + status: {} + names: + kind: Task + plural: tasks + categories: + - tekton + - tekton-pipelines + scope: Namespaced diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy-ready.yaml new file mode 100644 index 0000000000..098aa82821 --- /dev/null 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: tasks-no-extractor +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml new file mode 100644 index 0000000000..b45ba79cb9 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: tasks-no-extractor +spec: + admission: true + background: true + rules: + - match: + any: + - resources: + kinds: + - tekton.dev/v1beta1/Task + name: verify-images + preconditions: + all: + - key: '{{request.operation}}' + operator: NotEquals + value: DELETE + verifyImages: + - image: '*' + key: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM + 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== + -----END PUBLIC KEY----- + mutateDigest: true + required: true + useCache: true + verifyDigest: true + validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/task.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/task.yaml new file mode 100644 index 0000000000..e7e28c800c --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/task.yaml @@ -0,0 +1,8 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: example-task-name +spec: + steps: + - name: ubuntu-example + image: ubuntu:bionic 
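Review bot: This rule declares `required: true` on a `verifyImages` entry for `tekton.dev/v1beta1/Task` but defines no `imageExtractors`, so — as the README states — nothing is extracted and the Task is admitted with an unverified image; the policy file itself should say so, because read on its own `required: true` suggests the opposite. Add a comment above `verifyImages`, e.g. `# no imageExtractors: nothing is extracted from this CRD, so required: true verifies nothing — that pass-through is the behaviour under test`. This makes the test a regression guard for fail-open behaviour on custom resources; if Kyverno ever rejects such rules at policy creation, `policy-ready.yaml` will be the first thing to fail, which is reasonable but worth noting in the README.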
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/00-crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/00-crd.yaml new file mode 100644 index 0000000000..b5096b7a9f --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/00-crd.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: crd +spec: + timeouts: {} + try: + - apply: + file: crd.yaml + - assert: + file: crd-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml new file mode 100644 index 0000000000..66057a045c --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/02-create-task.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create-task +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: badtask.yaml 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/README.md new file mode 100644 index 0000000000..dd7287ff04 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/README.md @@ -0,0 +1,3 @@ +# Title + +Checks that simple image extraction is working by submitting a Task which uses an unverified container image. The Task should fail to be created since the supplied public key is not valid for it (the image is unsigned). \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/badtask.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/badtask.yaml new file mode 100644 index 0000000000..e7e28c800c --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/badtask.yaml @@ -0,0 +1,8 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: example-task-name +spec: + steps: + - name: ubuntu-example + image: ubuntu:bionic diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/crd-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/crd-ready.yaml new file mode 100644 index 0000000000..f592e6b44d --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/crd-ready.yaml @@ -0,0 +1,4 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/crd.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/crd.yaml new file mode 100644 index 0000000000..145b9e0120 --- /dev/null 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/crd.yaml @@ -0,0 +1,24 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tasks.tekton.dev +spec: + group: tekton.dev + preserveUnknownFields: false + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + subresources: + status: {} + names: + kind: Task + plural: tasks + categories: + - tekton + - tekton-pipelines + scope: Namespaced diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy-ready.yaml new file mode 100644 index 0000000000..567f022953 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: tasks-simple +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml new file mode 100644 index 0000000000..2e89d77ee3 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml 
@@ -0,0 +1,32 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: tasks-simple
+spec:
+ admission: true
+ background: true
+ rules:
+ - imageExtractors:
+ Task:
+ - path: /spec/steps/*/image
+ match:
+ any:
+ - resources:
+ kinds:
+ - tekton.dev/v1beta1/Task
+ name: verify-images
+ preconditions:
+ all:
+ - key: '{{request.operation}}'
+ operator: NotEquals
+ value: DELETE
+ verifyImages:
+ - image: '*'
+ key: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM\n5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==\n-----END
+ PUBLIC KEY----- "
+ mutateDigest: true
+ required: true
+ useCache: true
+ verifyDigest: true
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-assert.yaml
new file mode 100644
index 0000000000..fcd09f08dd
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyed-basic-ns-selector-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-manifests.yaml
new file mode 100644
index 0000000000..72035aea49
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/01-manifests.yaml
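Review bot: The `key` value of the verifyImages entry is a double-quoted scalar folded over two lines, so after folding the PEM ends in `-----END PUBLIC KEY----- ` with a trailing space inside the quotes, and the rest of the key is carried as `\n` escapes; whether Kyverno's PEM decoder tolerates that trailing space cannot be seen from this fixture. The sibling fixtures in this commit (keyed-basic and keyed-basic-namespace-selector 01-manifests.yaml) use the block form `publicKeys: |-` with one PEM line per line, which avoids both the escape sequences and the accidental whitespace; the same block form would make this policy consistent and easier to diff. This rule also uses the `image`/`key` shorthand where the other fixtures use `imageReferences`/`attestors`; if exercising that older form is the point of this test, a comment such as `# uses the image/key shorthand deliberately` would make that explicit.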
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-verify-images
+ labels:
+ signed: "true"
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-verify-images-unprotected
+ labels:
+ signed: "false"
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyed-basic-ns-selector-policy
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: keyed-basic-rule
+ match:
+ all:
+ - resources:
+ kinds:
+ - Pod
+ namespaceSelector:
+ matchExpressions:
+ - key: signed
+ operator: In
+ values:
+ - "true"
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image:*"
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-assert.yaml
new file mode 100644
index 0000000000..639b8513a2
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-signed-pod
+ namespace: test-verify-images
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-goodpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-goodpod.yaml
new file mode 100644
index 0000000000..9caad98758
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/02-goodpod.yaml
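Review bot: `ignoreTlog: true` on the keys attestor disables transparency-log verification while `rekor.url` still points at the public instance, so the URL is effectively unused and a reader cannot tell whether skipping the Rekor check is intentional. A one-line comment above it, `# ignoreTlog: the test image carries a key-only signature without a Rekor entry — confirm`, would record the intent; the same pair appears in keyed-basic/01-manifests.yaml and keyed-secret/01-manifests.yaml. Pods in `test-verify-images-unprotected` fall outside the rule's namespaceSelector and are therefore admitted with no verification at all, which appears to be what 03-teststep.yaml exercises by applying pod-unprotected-ns.yaml without a check; that is worth stating in the manifest so the unlabeled namespace is not mistaken for a protected one.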
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-signed-pod
+ namespace: test-verify-images
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed
+ name: test-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/03-teststep.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/03-teststep.yaml
new file mode 100644
index 0000000000..34dc72d48f
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/03-teststep.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: teststep
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: pod-unsigned.yaml
+ - apply:
+ file: pod-signed.yaml
+ - apply:
+ file: pod-unprotected-ns.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/README.md
new file mode 100644
index 0000000000..8c84b5a79d
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test performs a simple verification of an image using a public key specified directly in the policy.
+
+## Expected Behavior
+
+Pod creation should pass as the image has been signed by the public key specified in the policy.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/pod-signed.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/pod-signed.yaml
new file mode 100644
index 0000000000..e39d151826
--- /dev/null
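Review bot: The last two `apply` entries in 03-teststep.yaml carry no `check` and no companion assert file, so for pod-signed.yaml and pod-unprotected-ns.yaml the step only verifies that the apply did not error, while the README beside it (identical to keyed-basic's) says just "Pod creation should pass" and never mentions the unsigned-image or namespace-selector cases this step encodes. The README's Expected Behavior should spell out the three outcomes the step relies on: an unsigned image in the labeled namespace is rejected, a signed image there is admitted, and an unsigned image in the unlabeled namespace is admitted because the rule does not select it. A short comment on the first `apply`, `# expected to be denied: image is unsigned and the namespace is selected by the policy`, would tie the `(error != null): true` check to that reason. Note also that pod-unsigned.yaml and pod-unprotected-ns.yaml both name their pod `test-unsigned-pod`; this works only because they target different namespaces.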
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/pod-signed.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-signed-pod2
+ namespace: test-verify-images
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed
+ name: test-signed2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/pod-unprotected-ns.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/pod-unprotected-ns.yaml
new file mode 100644
index 0000000000..a9bf784f52
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/pod-unprotected-ns.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-unsigned-pod
+ namespace: test-verify-images-unprotected
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:unsigned
+ name: test-unsigned
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/pod-unsigned.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/pod-unsigned.yaml
new file mode 100644
index 0000000000..09495cdfbf
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/pod-unsigned.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-unsigned-pod
+ namespace: test-verify-images
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:unsigned
+ name: test-unsigned
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-assert.yaml
new file mode 100644
index 0000000000..a2d2cc907e
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyed-basic-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml
new file mode 100644
index 0000000000..d0e96819a4
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-verify-images
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyed-basic-policy
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: keyed-basic-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image:*"
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-assert.yaml
new file mode 100644
index 0000000000..b736ae3d48
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-secret-pod
+ namespace: test-verify-images
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-goodpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-goodpod.yaml
new file mode 100644
index 0000000000..de7987da27
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/02-goodpod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-secret-pod
+ namespace: test-verify-images
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed
+ name: test-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/README.md
new file mode 100644
index 0000000000..8c84b5a79d
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test performs a simple verification of an image using a public key specified directly in the policy.
+
+## Expected Behavior
+
+Pod creation should pass as the image has been signed by the public key specified in the policy.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-assert.yaml
new file mode 100644
index 0000000000..ca9cef7de7
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: secret-in-keys
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml
new file mode 100644
index 0000000000..3c9d37c7ea
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/01-manifests.yaml
@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-verify-images
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: secret-in-keys
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: check-secret-in-keys
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image:*"
+ attestors:
+ - entries:
+ - keys:
+ secret:
+ name: testsecret
+ namespace: test-verify-images
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: testsecret
+ namespace: test-verify-images
+data:
+ cosign.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFOG5YUmg5NTBJWmJSajhSYS9OOXNicU9QWnJmTQo1L0tBUU4wL0tqSGNvcm0vSjV5Y3RWZDdpRWNuZXNzUlFqVTkxN2htS082SldWR0hwRGd1SXlha1pBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t
+type: Opaque
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-assert.yaml
new file mode 100644
index 0000000000..b736ae3d48
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-secret-pod
+ namespace: test-verify-images
\ No newline at end of file
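Review bot: The Secret that holds `cosign.pub` is defined after the ClusterPolicy in the same multi-document file, and 01-assert.yaml waits only for the policy's Ready condition, so nothing in this step guarantees the Secret is present before 02-goodpod.yaml is admitted; if Kyverno resolves `keys.secret` at admission time this is harmless, but a comment on the `secret:` entry stating that assumption, `# key is read from the Secret at admission time, so document order here is not significant — confirm`, would save the next reader from checking. The public key is stored as an opaque base64 blob under `data`, which hides the fact that it is the same PEM used in the keyed-basic fixtures; writing it under `stringData` with a `|-` block scalar would keep the fixture reviewable and make any drift between the two keys visible in a diff.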
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-goodpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-goodpod.yaml
new file mode 100644
index 0000000000..de7987da27
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/02-goodpod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-secret-pod
+ namespace: test-verify-images
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed
+ name: test-secret
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/README.md
new file mode 100644
index 0000000000..3cb272bb55
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This test tries to verify an image from a public key stored in a Kubernetes Secret. For version 1.9+.
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-assert.yaml
new file mode 100644
index 0000000000..0377e9a1d5
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-pass-1
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml
new file mode 100644
index 0000000000..c076eb8287
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/01-manifests.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-pass-1
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-builder-id-keyless-pass-1
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ attestations:
+ - predicateType: https://slsa.dev/provenance/v0.2
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
+ conditions:
+ - all:
+ - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
+ operator: Equals
+ value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml
new file mode 100644
index 0000000000..79cb2b586b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-assert.yaml
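Review bot: The condition key `regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}')` is anchored only at the start and leaves the dots unescaped, so it accepts any builder id that merely begins with that text; the keyless `subject` above already pins the exact workflow, so here the looser regex is redundant rather than unsafe, but a fixture meant to demonstrate a builder-id check reads more convincingly with a trailing `$` or with `operator: Equals` against the literal value. The same key appears in keyless-attestations-multiple-subjects-3, -4 and -counts-1 (01-manifests.yaml in each). `ctlog.ignoreSCT: true` also disables the signed-certificate-timestamp check on the Fulcio certificate with no explanation; `# ignoreSCT: the signatures on this fixture image were produced without an embedded SCT — confirm` would record why a verification step is being turned off.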
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/README.md
new file mode 100644
index 0000000000..e5f74ea6f0
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/README.md
@@ -0,0 +1,11 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+Given the defined predicateType, the image's subject and issuer match as well as the attestation specified in the conditions block. The pod creation should pass.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-assert.yaml
new file mode 100644
index 0000000000..ab5f8349bc
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-pass-2
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml
new file mode 100644
index 0000000000..cade958935
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/01-manifests.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-pass-2
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ attestations:
+ - predicateType: cosign.sigstore.dev/attestation/vuln/v1
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
+ conditions:
+ - all:
+ - key: "{{ regex_match('^pkg:github/aquasecurity/trivy@0.34.0','{{ scanner.uri }}') }}"
+ operator: Equals
+ value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml
new file mode 100644
index 0000000000..79cb2b586b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/README.md
new file mode 100644
index 0000000000..710581b1c8
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/README.md
@@ -0,0 +1,11 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+Given another defined predicateType, the image's subject and issuer match as well as the attestation specified in the conditions block. The pod creation should pass.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-assert.yaml
new file mode 100644
index 0000000000..cb2b58a3b7
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-fail-1
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml
new file mode 100644
index 0000000000..92df5dc734
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/01-manifests.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-fail-1
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-builder-id-keyless-fail-1
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ attestations:
+ - predicateType: cosign.sigstore.dev/attestation/vuln/v1
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
+ conditions:
+ - all:
+ - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
+ operator: Equals
+ value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-pod.yaml
new file mode 100644
index 0000000000..9ced8ae36f
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/02-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: pod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml
new file mode 100644
index 0000000000..7d6170cd20
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/03-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/README.md
new file mode 100644
index 0000000000..3d963c9ee7
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/README.md
@@ -0,0 +1,12 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+Given the defined predicateType, the image's subject and issuer for this predicateType does not match. The pod creation should be blocked.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-assert.yaml
new file mode 100644
index 0000000000..e61e72b07b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-pass-4
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-manifests.yaml
new file mode 100644
index 0000000000..cf3307f818
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/01-manifests.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ name: check-slsa-attestations-pass-4
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: check-builder-id-keyless
+ verifyImages:
+ - attestations:
+ - conditions:
+ - all:
+ - key: '{{ regex_match(''^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main'',''{{
+ builder.id}}'') }}'
+ operator: Equals
+ value: true
+ predicateType: https://slsa.dev/provenance/v0.2
+ imageReferences:
+ - ghcr.io/chipzoller/zulu*
+ validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-assert.yaml
new file mode 100644
index 0000000000..669073222c
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-pod.yaml
new file mode 100644
index 0000000000..921f8ee747
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/02-pod.yaml
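Review bot: This policy declares `attestations` with no `attestors` at either the rule level or the attestation level, so from the manifest alone it is not clear whether any signature on the attestation is verified before the `conditions` are evaluated against the predicate; the README says the field is optional and expects admission, but the fixture should say what is and is not checked, e.g. a comment above `- attestations:` reading `# no attestors on purpose: exercises predicate conditions without attestor-level signature verification — confirm what Kyverno verifies in this case`. The policy also drops `webhookTimeoutSeconds` and `failurePolicy` that its sibling fixtures set, and its keys are in alphabetical order, which suggests a tool rewrote the file; if those keys were lost in that rewrite rather than removed deliberately, restoring `webhookTimeoutSeconds: 30` keeps the four keyless fixtures comparable.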
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/README.md
new file mode 100644
index 0000000000..2538fe6ed0
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/README.md
@@ -0,0 +1,12 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+`attestations.attestor` is optional. The pod creation should be allowed with the valid attestations.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-assert.yaml
new file mode 100644
index 0000000000..73fe2f59e3
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-pass-3
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml
new file mode 100644
index 0000000000..a757ddcd29
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/01-manifests.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-pass-3
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ attestations:
+ - predicateType: https://slsa.dev/provenance/v0.2
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
+ count: 1
+ conditions:
+ - all:
+ - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
+ operator: Equals
+ value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml
new file mode 100644
index 0000000000..79cb2b586b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-assert.yaml
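Review bot: Both keyless entries set `ignoreSCT: true` with no explanation; that switches off the check that the short-lived signing certificate was logged to the certificate transparency log, which is the part of keyless verification that lets a forged or back-dated certificate be detected. Because these conformance fixtures tend to be copied as reference policies, a comment above each occurrence, `# ignoreSCT is a test-only relaxation; production policies should leave SCT verification on`, records that the weakening is deliberate and scoped to the test. The same uncommented setting appears in the `01-manifests.yaml` hunks of `keyless-attestations-multiple-subjects-counts-2`, `-counts-3`, `keyless-mutatedigest-verifydigest-required`, `keyless-nomutatedigest-noverifydigest-norequired` and `keyless-nomutatedigest-noverifydigest-required`.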
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/README.md
new file mode 100644
index 0000000000..70ce0f9413
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/README.md
@@ -0,0 +1,12 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+Given the defined predicateType, the matching attestor entries must greater than or equal to the count specified in the rule. This test has one valid attestor so the pod creation should be allowed.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-assert.yaml
new file mode 100644
index 0000000000..05b4f2c4d8
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-fail-2
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml
new file mode 100644
index 0000000000..df879b1e2b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/01-manifests.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-fail-2
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ attestations:
+ - predicateType: https://slsa.dev/provenance/v0.2
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
+ count: 2
+ conditions:
+ - all:
+ - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
+ operator: Equals
+ value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-pod.yaml
new file mode 100644
index 0000000000..9ced8ae36f
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/02-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: pod.yaml
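Review bot: In the `02-pod.yaml` hunk the step's `check` is only `(error != null): true`, so it passes whenever pod creation fails for any reason — a webhook timeout, a registry error while resolving the tag, an unrelated admission failure — not only when `check-slsa-attestations-fail-2` denies the pod for having fewer than `count: 2` matching attestors. A test whose whole purpose is "this policy blocks the pod" should pin the rejection to the rule, for example by adding a JMESPath match on the error text such as `(contains(error, 'check-builder-id-keyless')): true` (if the chainsaw version in use supports expression checks on `error`). The same any-error check is used in `keyless-attestations-multiple-subjects-counts-3/02-pod.yaml` and `noconfigmap-diffimage-success/03-create-bad-pod.yaml`.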
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml
new file mode 100644
index 0000000000..7d6170cd20
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/03-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/README.md
new file mode 100644
index 0000000000..7a82b5e3df
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/README.md
@@ -0,0 +1,12 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+Given the defined predicateType, the matching attestor entries must greater than or equal to the count specified in the rule. This test has one valid attestor which is less than the specified count, so the pod creation should be blocked.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-assert.yaml
new file mode 100644
index 0000000000..1df5237d8d
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-fail-3
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml
new file mode 100644
index 0000000000..bb4550eb2d
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/01-manifests.yaml
@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-slsa-attestations-fail-3
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ background: false
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ attestations:
+ - predicateType: https://slsa.dev/provenance/v0.2
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/vulnerability-scan.yaml@refs/heads/main"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
+ conditions:
+ - all:
+ - key: "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main','{{ builder.id}}') }}"
+ operator: Equals
+ value: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-pod.yaml
new file mode 100644
index 0000000000..9ced8ae36f
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/02-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: pod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml
new file mode 100644
index 0000000000..7d6170cd20
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/03-errors.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/README.md
new file mode 100644
index 0000000000..adac99649e
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/README.md
@@ -0,0 +1,12 @@
+## Description
+
+Verify image attestations with the given predicateType and attestors. The image has multiple signatures for different predicateTypes.
+
+## Expected Behavior
+
+Given the defined predicateType, all attestor entries must be valid if the count is not specified. This test only has one valid attestor so the pod creation should be blocked.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/4847
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-assert.yaml
new file mode 100644
index 0000000000..efc7fb59b4
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-mutatedigest-verifydigest-required
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml
new file mode 100644
index 0000000000..d7e3fd1e2a
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/01-manifests.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-mutatedigest-verifydigest-required
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu:*"
+ mutateDigest: true
+ verifyDigest: true
+ required: true
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-assert.yaml
new file mode 100644
index 0000000000..79cb2b586b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14@sha256:476b21f1a75dc90fac3579ee757f4607bb5546f476195cf645c54badf558c0db
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-pod.yaml
new file mode 100644
index 0000000000..f5619b6873
--- /dev/null
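Review bot: The intent of this fixture is undocumented: the rule combines `mutateDigest: true`, `verifyDigest: true` and `required: true`, and the README added for the same directory is the unfilled template (`# Title` / `This is a description of your test.`), so a reader cannot tell which of the three flags the `02-assert.yaml` outcome (pod admitted with its image rewritten to `@sha256:...` and a `kyverno.io/verify-images` entry keyed by that digest) is meant to exercise. A header comment in the manifest, `# All three digest/required flags on: the pod must be admitted with its image pinned to the verified digest`, plus a filled-in README, would close that gap; the `imageReferences` pattern `ghcr.io/chipzoller/zulu:*` also differs from the `zulu*` form used by the sibling tests and deserves a word on why. The same template README is added for `keyless-nomutatedigest-noverifydigest-norequired`, `keyless-nomutatedigest-noverifydigest-required` and `mutateDigest-noverifyDigest-norequired` (whose README additionally keeps the placeholder `Issue: 1234`).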
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu:v0.0.14
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/README.md
new file mode 100644
index 0000000000..7ce10ee11d
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This is a description of your test.
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-assert.yaml
new file mode 100644
index 0000000000..1ef915c783
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-nomutatedigest-noverifydigest-norequired
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml
new file mode 100644
index 0000000000..9c04ebac84
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/01-manifests.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-nomutatedigest-noverifydigest-norequired
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ mutateDigest: false
+ verifyDigest: false
+ required: false
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-assert.yaml
new file mode 100644
index 0000000000..2d32ed3cb6
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu:latest":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-pod.yaml
new file mode 100644
index 0000000000..5160f6f593
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/02-pod.yaml
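Review bot: With `verifyDigest: false` and `mutateDigest: false`, the verification result this policy records is keyed by tag rather than digest — the `02-assert.yaml` in this hunk expects `kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu:latest":true}'` on a pod whose image stays the bare `ghcr.io/chipzoller/zulu`. Because `latest` can be re-pointed after admission, that annotation only says what the tag resolved to when the pod was admitted; nothing ties the running pod to the content that was actually verified. A comment on the rule, `# verifyDigest/mutateDigest off: the result is recorded against the mutable tag and the pod is not pinned to the verified content; test-only`, would stop this fixture from being copied as a production pattern. The same flag combination (with `required: true`) is used in `keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml`.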
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/README.md
new file mode 100644
index 0000000000..7ce10ee11d
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This is a description of your test.
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-assert.yaml
new file mode 100644
index 0000000000..090b115c1b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-nomutatedigest-noverifydigest-required
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml
new file mode 100644
index 0000000000..e5b766d233
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/01-manifests.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyless-nomutatedigest-noverifydigest-required
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: check-builder-id-keyless
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/chipzoller/zulu*"
+ mutateDigest: false
+ verifyDigest: false
+ required: true
+ attestors:
+ - entries:
+ - keyless:
+ subject: "https://github.com/chipzoller/zulu/.github/workflows/slsa-generic-keyless.yaml@refs/tags/v*"
+ issuer: "https://token.actions.githubusercontent.com"
+ rekor:
+ url: https://rekor.sigstore.dev
+ ctlog:
+ ignoreSCT: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-assert.yaml
new file mode 100644
index 0000000000..2d32ed3cb6
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ kyverno.io/verify-images: '{"ghcr.io/chipzoller/zulu:latest":true}'
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-pod.yaml
new file mode 100644
index 0000000000..5160f6f593
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: zulu
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/chipzoller/zulu
+ name: zulu
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/README.md
new file mode 100644
index 0000000000..7ce10ee11d
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This is a description of your test.
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-assert.yaml
new file mode 100644
index 0000000000..3a68a73a0b
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutatedigest-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-manifests.yaml
new file mode 100644
index 0000000000..5c954dafee
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-manifests.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutatedigest-policy
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: mutatedigest-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image*"
+ mutateDigest: true
+ verifyDigest: false
+ required: false
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/02-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/02-pod.yaml
new file mode 100644
index 0000000000..5222b22b49
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: testpod
+ namespace: default
+spec:
+ containers:
+ - name: container01
+ image: ghcr.io/kyverno/test-verify-image:signed-keyless
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/03-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/03-assert.yaml
new file mode 100644
index 0000000000..21a5237632
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/03-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: testpod
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1
+ name: container01
\ No newline at end of file
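Review bot: The `mutatedigest-rule` lists no `attestors` or `attestations` and sets `verifyDigest: false` and `required: false`, so as far as this manifest shows it only resolves the tag to a digest — the `03-assert.yaml` in this hunk expects the pod back with `ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1` and no `kyverno.io/verify-images` annotation — without checking any signature. That is worth stating at the top of the manifest, `# mutateDigest only: no attestors, so nothing is verified; the rule just pins the image to its resolved digest`, because the policy name `mutatedigest-policy` under a `verifyImages` key otherwise reads as if verification were happening. Whether kyverno treats an attestor-less `verifyImages` entry as "resolve only" or as a misconfiguration is not visible here and should be confirmed against the verifier before the fixture is relied on.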
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/README.md
new file mode 100644
index 0000000000..22091f0fe0
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/README.md
@@ -0,0 +1,5 @@
+# Title
+
+Issue: 1234
+
+This is a description of your test.
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/02-create-good-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/02-create-good-pod.yaml
new file mode 100644
index 0000000000..e14deb4fcf
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/02-create-good-pod.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-good-pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: namespace.yaml
+ - apply:
+ file: good-pod.yaml
+ - assert:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/03-create-bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/03-create-bad-pod.yaml
new file mode 100644
index 0000000000..e950814ccc
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/03-create-bad-pod.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: create-bad-pod
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ check:
+ (error != null): true
+ file: bad-pod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/04-update-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/04-update-policy.yaml
new file mode 100644
index 0000000000..82d239395e
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/04-update-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: update-policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: update-policy.yaml
+ - assert:
+ file: update-policy.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/05-create-pod-with-configmap.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/05-create-pod-with-configmap.yaml
new file mode 100644
index 0000000000..aafe1238cf
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/05-create-pod-with-configmap.yaml
@@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create-pod-with-configmap +spec: + timeouts: {} + try: + - apply: + file: pod-with-configmap.yaml + - assert: + file: pod-with-configmap-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/README.md new file mode 100644 index 0000000000..c30e3ef58c --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/README.md @@ -0,0 +1,13 @@ +## Description + +This test verifies that resource creation is not blocked if resource image is different than policy image. + +## Expected Behavior + +This test should create a policy with missing configmap, a pod with different image than policy image. This shouldn't block pod creation. +When pod is created with same image as policy image, pod creation should be blocked. +When test tries to update any field in a policy, it should get updated properly. + +## Reference Issue(s) + +3709 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/bad-pod.yaml new file mode 100644 index 0000000000..bc2398c14e --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/bad-pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-fail + namespace: mynamespace +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed + name: test-fail 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/good-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/good-pod.yaml new file mode 100644 index 0000000000..c34c95c25e --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/good-pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-success + namespace: mynamespace +spec: + containers: + - image: nginx:latest + name: test-success diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/namespace.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/namespace.yaml new file mode 100644 index 0000000000..772bdfd13e --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: mynamespace diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/pod-with-configmap-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/pod-with-configmap-ready.yaml new file mode 100644 index 0000000000..95e165a54b --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/pod-with-configmap-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-with-configmap + namespace: mynamespace +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed + name: test-with-configmap 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/pod-with-configmap.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/pod-with-configmap.yaml new file mode 100644 index 0000000000..08b93ecdb6 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/pod-with-configmap.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: myconfigmap1 + namespace: mynamespace +data: + configmapkey: | + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM + 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== + -----END PUBLIC KEY----- +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-with-configmap + namespace: mynamespace +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed + name: test-with-configmap diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy-ready.yaml new file mode 100644 index 0000000000..cc9949b4f2 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: image-verify-polset +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml new file mode 100644 index 0000000000..f2180b171a --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml 
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + name: image-verify-polset +spec: + background: false + failurePolicy: Fail + rules: + - context: + - configMap: + name: myconfigmap + namespace: mynamespace + name: myconfigmap + match: + any: + - resources: + kinds: + - Pod + name: image-verify-pol1 + verifyImages: + - imageReferences: + - ghcr.io/* + mutateDigest: false + verifyDigest: false + attestors: + - entries: + - keys: + publicKeys: '{{myconfigmap.data.configmapkey}}' + validationFailureAction: Audit + webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml new file mode 100644 index 0000000000..ac01c744bb --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml @@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + name: image-verify-polset +spec: + background: false + failurePolicy: Fail + rules: + - context: + - configMap: + name: myconfigmap1 + namespace: mynamespace + name: myconfigmap1 + match: + any: + - resources: + kinds: + - Pod + name: image-verify-pol1 + verifyImages: + - imageReferences: + - ghcr.io/* + mutateDigest: false + verifyDigest: false + attestors: + - entries: + - keys: + publicKeys: '{{myconfigmap1.data.configmapkey}}' + validationFailureAction: Audit + webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-assert.yaml new file mode 100644 index 0000000000..3a68a73a0b 
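Review bot: policy.yaml references a ConfigMap `myconfigmap` that no step of this test creates (pod-with-configmap.yaml only creates `myconfigmap1`, which update-policy.yaml then switches to), and nothing in the manifest records that the dangling reference is deliberate. A comment on the context entry, `# intentionally absent: the test checks that a failed context lookup blocks only pods whose image matches imageReferences (see README)`, would stop a maintainer from "fixing" the name. The policy also runs with `validationFailureAction: Audit` while step 03 expects the matching pod to be rejected; if that rejection relies on the context-load failure rather than on the verification outcome, saying so in the same comment would make the test's intent explicit.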
--- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutatedigest-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-manifests.yaml new file mode 100644 index 0000000000..a7b88d499c --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutatedigest-policy +spec: + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 + rules: + - name: mutatedigest-rule + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "ghcr.io/kyverno/test-verify-image*" + mutateDigest: false + verifyDigest: true + required: false \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/02-goodpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/02-goodpod.yaml new file mode 100644 index 0000000000..21a5237632 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/02-goodpod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: testpod + namespace: default +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1 + name: container01 \ No newline at end of file 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/03-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/03-assert.yaml new file mode 100644 index 0000000000..21a5237632 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/03-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: testpod + namespace: default +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1 + name: container01 \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/04-create-badpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/04-create-badpod.yaml new file mode 100644 index 0000000000..eaf5386ebe --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/04-create-badpod.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: create-badpod +spec: + timeouts: {} + try: + - apply: + check: + (error != null): true + file: badpod.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/README.md new file mode 100644 index 0000000000..22091f0fe0 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/README.md @@ -0,0 +1,5 @@ +# Title + +Issue: 1234 + +This is a description of your test. 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/badpod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/badpod.yaml new file mode 100644 index 0000000000..84b1db96ab --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/badpod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: testpod + namespace: default +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed-keyless + name: container01 \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/02-resource.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/02-resource.yaml new file mode 100644 index 0000000000..cb4e511905 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: pod.yaml + - assert: + file: pod-assert.yaml 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/README.md new file mode 100644 index 0000000000..b246475eda --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/README.md @@ -0,0 +1,12 @@ +## Description + +This test verifies image attestations using notary signatures + +## Expected Behavior + +This test creates a cluster policy. +When a pod is created with the image reference and the signature on attestations matches, the pod creation is successful + +## Reference Issue(s) + +6142 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/pod-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/pod-assert.yaml new file mode 100644 index 0000000000..d18a0a10e9 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/pod-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test + namespace: notary-verify-attestation \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/pod.yaml new file mode 100644 index 0000000000..e16637872d --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/pod.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + creationTimestamp: null + labels: + run: test + name: test + namespace: notary-verify-attestation +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed + name: test + resources: {} + dnsPolicy: ClusterFirst + restartPolicy: Always +status: {} \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy-ready.yaml new file mode 100644 index 0000000000..83c51e7057 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: check-image-attestation +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml new file mode 100644 index 0000000000..25245849de --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml 
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: notary-verify-attestation +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: keys + namespace: notary-verify-attestation +data: + certificate: |- + -----BEGIN CERTIFICATE----- + MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV + BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG + Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx + MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0 + dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3 + DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+ + b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL + hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m + Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0 + Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f + ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG + A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G + CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9 + kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8 + Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF + ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ + 5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0 + uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz + -----END CERTIFICATE----- +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-image-attestation +spec: + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: verify-attestation-notary + match: + any: + - resources: + kinds: + - Pod + context: + - name: keys + configMap: + name: keys + namespace: notary-verify-attestation + verifyImages: + - type: Notary + imageReferences: + - "ghcr.io/kyverno/test-verify-image*" + attestations: + - type: sbom/cyclone-dx + attestors: + - entries: + 
- certificates: + cert: "{{ keys.data.certificate }}" \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/01-manifests.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/01-manifests.yaml new file mode 100644 index 0000000000..953ef73a79 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/01-manifests.yaml 
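Review bot: The `sbom/cyclone-dx` attestation entry in the check-image-attestation rule carries attestors but no `conditions`, so as far as this manifest shows the rule only checks that a Notary-signed attestation of that type exists and never inspects its predicate, which is a weaker guarantee than the test name "attestation verification" suggests. A comment on the attestation entry, `# no conditions: only the attestation's signature is verified, its content is not inspected`, would document that choice, and adding a `conditions` block would make the test exercise content verification as well. The same certificate is pasted verbatim into the other two notary tests in this commit; a one-line comment naming its origin would help when it has to be rotated.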
@@ -0,0 +1,65 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: test-verify-images +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: keys + namespace: test-verify-images +data: + certificate: |- + -----BEGIN CERTIFICATE----- + MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV + BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG + Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx + MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0 + dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3 + DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+ + b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL + hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m + Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0 + Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f + ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG + A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G + CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9 + kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8 + Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF + ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ + 5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0 + uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz + -----END CERTIFICATE----- +--- +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: secret-in-policy +spec: + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: verify-signature-notary + context: + - name: keys + configMap: + name: keys + namespace: test-verify-images + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - type: Notary + imageReferences: + - "ghcr.io/kyverno/test-verify-image-private*" + attestors: + - count: 1 + entries: + - certificates: + cert: "{{ 
keys.data.certificate }}" + imageRegistryCredentials: + secrets: + - regcred \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/02-assert-manifest.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/02-assert-manifest.yaml new file mode 100644 index 0000000000..35afee707f --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/02-assert-manifest.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: secret-in-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml new file mode 100644 index 0000000000..e51f1b9339 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/03-bad-pod.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: bad-pod +spec: + timeouts: {} + try: + - script: + content: "if kubectl apply -f 06-pod.yaml\nthen \n echo \"Tested failed. Pod + was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test + succeeded. Pod was not created as intended.\"\n exit 0\nfi\n" diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml new file mode 100644 index 0000000000..69d0faae34 --- /dev/null 
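Review bot: The bad-pod step in 03-bad-pod.yaml re-implements a negative apply as a shell script, while 03-create-bad-pod.yaml and 04-create-badpod.yaml in this same commit express the identical expectation natively with `apply:` plus `check: (error != null): true`; the script form also loses chainsaw's own error reporting and buries the message in a double-quoted scalar with embedded `\n` (including the typo "Tested failed"). Replacing the script with the native form keeps the three tests consistent and removes the dependency on a shell and on kubectl being on PATH. If the script is kept, `content: |` is the convention the neighbouring 04-secret.yaml already uses.

```yaml
  try:
    - apply:
        check:
          (error != null): true
        file: 06-pod.yaml
```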
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/04-secret.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: secret +spec: + timeouts: {} + try: + - script: + content: | + kubectl create secret docker-registry regcred --docker-username=kyverno --docker-password=$GITHUB_TOKEN --docker-server=ghcr.io -n kyverno diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/05-assert-secret.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/05-assert-secret.yaml new file mode 100644 index 0000000000..594f33c59e --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/05-assert-secret.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Secret +metadata: + name: regcred + namespace: kyverno \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/06-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/06-pod.yaml new file mode 100644 index 0000000000..153d4f2804 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/06-pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-secret-pod + namespace: test-verify-images +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image-private:signed + name: test-secret \ No newline at end of file 
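Review bot: The secret step in 04-secret.yaml passes the registry token on the kubectl command line (`--docker-password=$GITHUB_TOKEN`), so it ends up in the process table of the runner and, most likely, in the command text chainsaw echoes on failure; the variable is also unquoted, so an unset token silently yields an empty-password secret and the real failure only surfaces at 06-pod.yaml. A guard at the top of the script, `: "${GITHUB_TOKEN:?GITHUB_TOKEN is required for this test}"`, fails fast, and `--docker-password="$GITHUB_TOKEN"` avoids word splitting. The deletion of `regcred` lives in 08-cleanup.yaml, which only runs if steps 05–07 succeed; moving it into a `finally` block of this step (if the chainsaw version in use supports try/finally) ensures the credential-bearing secret does not outlive a failed run in the `kyverno` namespace.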
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/07-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/07-assert.yaml new file mode 100644 index 0000000000..b736ae3d48 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/07-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-secret-pod + namespace: test-verify-images \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml new file mode 100644 index 0000000000..09c03dd610 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/08-cleanup.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: cleanup +spec: + timeouts: {} + try: + - command: + args: + - delete + - secret + - regcred + - -n + - kyverno + entrypoint: kubectl diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/README.md new file mode 100644 index 0000000000..3db2e729d0 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/README.md @@ -0,0 +1,3 @@ +# Title + +This test verifies images in private registries, that are signed using notary. \ No newline at end of file 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/01-policy.yaml new file mode 100644 index 0000000000..e521d0d761 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/01-policy.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: policy +spec: + timeouts: {} + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/02-resource.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/02-resource.yaml new file mode 100644 index 0000000000..cb4e511905 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/02-resource.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + creationTimestamp: null + name: resource +spec: + timeouts: {} + try: + - apply: + file: pod.yaml + - assert: + file: pod-assert.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/README.md new file mode 100644 index 0000000000..a87ff91a4a --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/README.md @@ -0,0 +1,12 @@ +## Description + +This test verifies images using notary signatures + +## Expected Behavior + +This test creates a cluster policy. +When a pod is created with the image reference and the signature matches, the pod creation is successful + +## Reference Issue(s) + +6142 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/pod-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/pod-assert.yaml new file mode 100644 index 0000000000..4bf9852a3c --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/pod-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test + namespace: notary-verify-images \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/pod.yaml new file mode 100644 index 0000000000..b5ab8f7959 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/pod.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + creationTimestamp: null + labels: + run: test + name: test + namespace: notary-verify-images +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed + name: test + resources: {} + dnsPolicy: ClusterFirst + restartPolicy: Always +status: {} \ No newline at end of file diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy-ready.yaml new file mode 100644 index 0000000000..b3ad396d26 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: check-image-notary +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml
new file mode 100644
index 0000000000..05d6d6311c
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: notary-verify-images
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: keys
+ namespace: notary-verify-images
+data:
+ certificate: |-
+ -----BEGIN CERTIFICATE-----
+ MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
+ BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
+ Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
+ MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
+ dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
+ DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
+ b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
+ hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
+ Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
+ Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
+ ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
+ A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
+ CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
+ kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
+ Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
+ ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
+ 5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
+ uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
+ -----END CERTIFICATE-----
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: check-image-notary
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: verify-signature-notary
+ context:
+ - name: keys
+ configMap:
+ name: keys
+ namespace: notary-verify-images
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - type: Notary
+ imageReferences:
+ - "ghcr.io/kyverno/test-verify-image*"
+ attestors:
+ - count: 1
+ entries:
+ - certificates:
+ cert: "{{ keys.data.certificate }}"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml
new file mode 100644
index 0000000000..e521d0d761
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml
new file mode 100644
index 0000000000..501b27055d
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/02-resource.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: deployment_old.yaml
+ - apply:
+ file: deployment_new.yaml
+ - assert:
+ file: deployment-assert.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml
new file mode 100644
index 0000000000..831f02fed7
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/03-test.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl -n verify-images rollout undo deployment nginx-deployment
+ namespaced: true
\ No newline at end of file
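Review bot: The Notary trust root for `check-image-notary` is read at admission time from the `keys` ConfigMap via the `keys` context entry, so whoever can write that ConfigMap in `notary-verify-images` decides which signatures the policy accepts; conformance fixtures get copied into real policies, so that boundary should be stated. A comment above the ConfigMap such as `# trust root for the verify-signature-notary rule below; write access to this ConfigMap is the trust boundary` makes it explicit. Separately, `imageReferences: "ghcr.io/kyverno/test-verify-image*"` also matches repositories that merely share that prefix; if only the one repository is meant, `"ghcr.io/kyverno/test-verify-image:*"` is the narrower pattern.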
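Review bot: `03-test.yaml` is a `kuttl.dev/v1beta1` TestStep while every other step in this `chainsaw` tree is `chainsaw.kyverno.io/v1alpha1`; unless the runner still honours kuttl steps, this step is skipped and the rollback that `04-assert.yaml` checks is never performed. It also combines `namespaced: true` with an explicit `-n verify-images`; in kuttl the former appends the test namespace to the command, so the undo may be aimed at whichever namespace flag wins. Expressing it as a chainsaw `command` operation removes both ambiguities and leaves the explicit namespace as the only one passed.
```yaml
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: TestStep
metadata:
  name: rollback
spec:
  try:
  - command:
      entrypoint: kubectl
      args:
      - -n
      - verify-images
      - rollout
      - undo
      - deployment
      - nginx-deployment
```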
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/04-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/04-assert.yaml
new file mode 100644
index 0000000000..ca5b8c5451
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/04-assert.yaml
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ namespace: verify-images
+spec:
+ template:
+ spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image-rollback:signed-2@sha256:0fc1f3b764be56f7c881a69cbd553ae25a2b5523c6901fbacb8270307c29d0c4
+ name: nginx
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/README.md
new file mode 100644
index 0000000000..56ccf6e408
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test verifies images during rollback
+
+## Expected Behavior
+
+This test creates a ClusterPolicy and Deployments, and when we perform a rollback, it will be successfully rolled back.
+
+## Reference Issue(s)
+
+5363
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment-assert.yaml
new file mode 100644
index 0000000000..905b7e8912
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment-assert.yaml
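Review bot: `04-assert.yaml` (and `deployment-assert.yaml` in the next hunk) pins only `spec.template.spec.containers[0].image`, which shows the webhook mutated the reference but not that the rolled-back revision ever became available; a rollout that never reaches Ready, from an image pull failure for instance, still satisfies it. Adding `status:` / `readyReplicas: 1` (both deployment fixtures set `replicas: 1`) ties the assertion to the rollout completing.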
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ namespace: verify-images
+spec:
+ template:
+ spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image-rollback:signed-1@sha256:e0cc6dba04bee00badd8b13495d4411060b5563a9499fbc20e46316328efad30
+ name: nginx
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_new.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_new.yaml
new file mode 100644
index 0000000000..384579eae6
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_new.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx
+ name: nginx-deployment
+ namespace: verify-images
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image-rollback:signed-1
+ name: nginx
+ resources: {}
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_old.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_old.yaml
new file mode 100644
index 0000000000..32abf02f00
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/deployment_old.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: nginx
+ name: nginx-deployment
+ namespace: verify-images
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image-rollback:signed-2
+ name: nginx
+ resources: {}
\ No newline at end of file
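Review bot: `deployment_old.yaml` pins `signed-2` and `deployment_new.yaml` pins `signed-1`, so the file names and the tag numbers run in opposite directions, and a reader has to trace `02-resource.yaml` and `04-assert.yaml` to see that the rollback is expected to land on `signed-2`. A one-line header in each file, `# revision 1 of the rollout; rollback target (tag signed-2)` and `# revision 2 of the rollout; replaced by the rollback (tag signed-1)`, makes the intended order visible without renaming anything.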
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy-ready.yaml
new file mode 100644
index 0000000000..b4fc505a22
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: check-image
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml
new file mode 100644
index 0000000000..297fdbfaae
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: verify-images
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-image
+spec:
+ validationFailureAction: Enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: check-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno*"
+ attestors:
+ - count: 1
+ entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfnYaFSrs2pLp4ShcWBgMLJM6Gki/
+ 1tC5ZWN2IuJTe2RbyVrDEn1qLBXNzGKhIXbsUyO5+BuIfgMdek1pDYFZGQ==
+ -----END PUBLIC KEY-----
+ rekor:
+ url: https://rekor.sigstore.dev
+ ignoreTlog: true
+ ctlog:
+ ignoreSCT: true
\ No newline at end of file
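Review bot: `imageReferences: "ghcr.io/kyverno*"` has no path separator, so it matches any `ghcr.io` repository whose path merely starts with `kyverno`, not just the `kyverno` organisation; the fixture's images live under `ghcr.io/kyverno/`, so `"ghcr.io/kyverno/*"` is the precise pattern (the `update-multi-containers` policy later in this diff uses that form). `ignoreTlog: true` and `ignoreSCT: true` switch off the transparency-log and SCT checks, which is acceptable for a fixture but deserves an inline `# test fixture: transparency-log checks deliberately disabled` so the block is not copied into a production policy as-is.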
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml
new file mode 100644
index 0000000000..6134698445
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/01-policy.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: policy
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml
new file mode 100644
index 0000000000..43390639ff
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/02-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ timeouts: {}
+ try:
+ - apply:
+ file: resource-v1.yaml
+ - apply:
+ file: resource-v2.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/README.md
new file mode 100644
index 0000000000..e4f3658ded
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test verifies we can update deployments with multiple containers when image verification is enabled
+
+## Expected Behavior
+
+Update works
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7651
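Review bot: `02-resource.yaml` applies `resource-v1.yaml` then `resource-v2.yaml` and stops, so the step only proves the second apply was not rejected by the webhook; the README's "Update works" is better evidenced by asserting the resulting object. A third entry, `- assert:` / `file: resource-assert.yaml`, whose file pins `podinfo-b` at `ghcr.io/seankhliao/podinfo:6.3.5` under `spec.template.spec.containers`, would do that, mirroring the apply-then-assert shape of `rollback-image-verification/02-resource.yaml` in this diff.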
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy-assert.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy-assert.yaml
new file mode 100644
index 0000000000..5a37fb4321
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: verify-image-signature
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml
new file mode 100644
index 0000000000..5a23716568
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: verify-image-signature
+spec:
+ background: false
+ failurePolicy: Fail
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: verify-image
+ verifyImages:
+ - attestors:
+ - count: 1
+ entries:
+ - keys:
+ publicKeys: |
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMKLYTatU9CUsrA5Td6jXiZTolwsx
+ HZKwYP5XkHhU436FGDD5Zi2nVFem6AbzXWHssIQRkAI3yJgKkB4J6Qe4OQ==
+ -----END PUBLIC KEY-----
+ imageReferences:
+ - ghcr.io/seankhliao/*
+ mutateDigest: false
+ required: true
+ verifyDigest: false
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v1.yaml
new file mode 100644
index 0000000000..f79ff0d58c
--- /dev/null
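Review bot: This policy's trust anchor and `imageReferences: - ghcr.io/seankhliao/*` point at a registry namespace the project does not control, so the test passes only while the `podinfo` tags 6.3.3 to 6.3.5 used by `resource-v1.yaml`/`resource-v2.yaml` remain published and signed by the embedded key, and the project cannot rotate that key. Mirroring those tags under `ghcr.io/kyverno/` with a project-held signing key, as the other verifyImages fixtures in this diff do, removes the external dependency; short of that, a comment above `publicKeys` such as `# third-party key and images (issue 7651 reproducer); test breaks if the upstream tags are removed` keeps it visible.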
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v1.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: double
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: double
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: double
+ spec:
+ containers:
+ - name: podinfo-a
+ image: ghcr.io/seankhliao/podinfo:6.3.3
+ - name: podinfo-b
+ image: ghcr.io/seankhliao/podinfo:6.3.4
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v2.yaml
new file mode 100644
index 0000000000..9be0f1f950
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/resource-v2.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: double
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: double
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: double
+ spec:
+ containers:
+ - name: podinfo-a
+ image: ghcr.io/seankhliao/podinfo:6.3.3
+ - name: podinfo-b
+ image: ghcr.io/seankhliao/podinfo:6.3.5
diff --git a/test/conformance/chainsaw/webhooks/all-scale/01-policy.yaml b/test/conformance/chainsaw/webhooks/all-scale/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/webhooks/all-scale/01-policy.yaml
+++ b/test/conformance/chainsaw/webhooks/all-scale/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/webhooks/all-scale/02-webhooks.yaml b/test/conformance/chainsaw/webhooks/all-scale/02-webhooks.yaml
index be95983ce4..c50e2362ce 100644
--- a/test/conformance/chainsaw/webhooks/all-scale/02-webhooks.yaml
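Review bot: The `creationTimestamp: null` and `timeouts: {}` lines added to `webhooks/all-scale/01-policy.yaml` are zero-value fields that a typed serializer emits on round-trip; they configure nothing, and the same pair is added in every later TestStep hunk of this diff and in the new step files above. Dropping them, or regenerating the steps with empty and null fields omitted, keeps each step file to the fields a reader actually has to understand; the added leading `---` is worth keeping.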
+++ b/test/conformance/chainsaw/webhooks/all-scale/02-webhooks.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: webhooks
 spec:
+ timeouts: {}
 try:
 - assert:
 file: webhooks.yaml
diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/01-policy.yaml b/test/conformance/chainsaw/webhooks/double-wildcard/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/webhooks/double-wildcard/01-policy.yaml
+++ b/test/conformance/chainsaw/webhooks/double-wildcard/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/02-webhooks.yaml b/test/conformance/chainsaw/webhooks/double-wildcard/02-webhooks.yaml
index be95983ce4..c50e2362ce 100644
--- a/test/conformance/chainsaw/webhooks/double-wildcard/02-webhooks.yaml
+++ b/test/conformance/chainsaw/webhooks/double-wildcard/02-webhooks.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: webhooks
 spec:
+ timeouts: {}
 try:
 - assert:
 file: webhooks.yaml
diff --git a/test/conformance/chainsaw/webhooks/expected-webhooks/01-webhooks.yaml b/test/conformance/chainsaw/webhooks/expected-webhooks/01-webhooks.yaml
index be95983ce4..c50e2362ce 100644
--- a/test/conformance/chainsaw/webhooks/expected-webhooks/01-webhooks.yaml
+++ b/test/conformance/chainsaw/webhooks/expected-webhooks/01-webhooks.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: webhooks
 spec:
+ timeouts: {}
 try:
 - assert:
 file: webhooks.yaml
diff --git a/test/conformance/chainsaw/webhooks/only-pod/01-policy.yaml b/test/conformance/chainsaw/webhooks/only-pod/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/webhooks/only-pod/01-policy.yaml
+++ b/test/conformance/chainsaw/webhooks/only-pod/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/webhooks/only-pod/02-webhooks.yaml b/test/conformance/chainsaw/webhooks/only-pod/02-webhooks.yaml
index be95983ce4..c50e2362ce 100644
--- a/test/conformance/chainsaw/webhooks/only-pod/02-webhooks.yaml
+++ b/test/conformance/chainsaw/webhooks/only-pod/02-webhooks.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: webhooks
 spec:
+ timeouts: {}
 try:
 - assert:
 file: webhooks.yaml
diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/01-policy.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/webhooks/pod-all-subresources/01-policy.yaml
+++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/02-webhooks.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/02-webhooks.yaml
index be95983ce4..c50e2362ce 100644
--- a/test/conformance/chainsaw/webhooks/pod-all-subresources/02-webhooks.yaml
+++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/02-webhooks.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: webhooks
 spec:
+ timeouts: {}
 try:
 - assert:
 file: webhooks.yaml
diff --git a/test/conformance/chainsaw/webhooks/scale/01-policy.yaml b/test/conformance/chainsaw/webhooks/scale/01-policy.yaml
index b3b0a6a189..df1eb99be6 100644
--- a/test/conformance/chainsaw/webhooks/scale/01-policy.yaml
+++ b/test/conformance/chainsaw/webhooks/scale/01-policy.yaml
@@ -1,10 +1,13 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
- file: policy.yaml
 check:
- (error == null): false
+ (error != null): true
+ file: policy.yaml
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/01-unknown-kind.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/01-unknown-kind.yaml
index c681d90e23..b4bd5b2843 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/01-unknown-kind.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/01-unknown-kind.yaml
@@ -1,10 +1,13 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: unknown-kind
 spec:
+ timeouts: {}
 try:
 - apply:
- file: policy-1.yaml
 check:
- (error == null): false
+ (error != null): true
+ file: policy-1.yaml
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/02-unknown-kind-subresource.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/02-unknown-kind-subresource.yaml
index e51b99f8f8..565a0d0878 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/02-unknown-kind-subresource.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/02-unknown-kind-subresource.yaml
@@ -1,10 +1,13 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: unknown-kind-subresource
 spec:
+ timeouts: {}
 try:
 - apply:
- file: policy-2.yaml
 check:
- (error == null): false
+ (error != null): true
+ file: policy-2.yaml
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/03-wrong-version.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/03-wrong-version.yaml
index 46edc9299c..f1457ee852 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/03-wrong-version.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/03-wrong-version.yaml
@@ -1,10 +1,13 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: wrong-version
 spec:
+ timeouts: {}
 try:
 - apply:
- file: policy-3.yaml
 check:
- (error == null): false
+ (error != null): true
+ file: policy-3.yaml
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/04-unknown-subresource.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/04-unknown-subresource.yaml
index b06720170a..7d86bb919e 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/04-unknown-subresource.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/04-unknown-subresource.yaml
@@ -1,10 +1,13 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: unknown-subresource
 spec:
+ timeouts: {}
 try:
 - apply:
- file: policy-4.yaml
 check:
- (error == null): false
+ (error != null): true
+ file: policy-4.yaml
diff --git a/test/conformance/chainsaw/webhooks/wildcard/01-policy.yaml b/test/conformance/chainsaw/webhooks/wildcard/01-policy.yaml
index 744135ecd0..6134698445 100644
--- a/test/conformance/chainsaw/webhooks/wildcard/01-policy.yaml
+++ b/test/conformance/chainsaw/webhooks/wildcard/01-policy.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: policy
 spec:
+ timeouts: {}
 try:
 - apply:
 file: policy.yaml
diff --git a/test/conformance/chainsaw/webhooks/wildcard/02-webhooks.yaml b/test/conformance/chainsaw/webhooks/wildcard/02-webhooks.yaml
index be95983ce4..c50e2362ce 100644
--- a/test/conformance/chainsaw/webhooks/wildcard/02-webhooks.yaml
+++ b/test/conformance/chainsaw/webhooks/wildcard/02-webhooks.yaml
@@ -1,8 +1,11 @@
+---
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: TestStep
 metadata:
+ creationTimestamp: null
 name: webhooks
 spec:
+ timeouts: {}
 try:
 - assert:
 file: webhooks.yaml