chore: all chainsaw tests (#9011)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
ccf020abab
commit
d6933fff4f
2401 changed files with 40111 additions and 58 deletions
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,10 +1,13 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy-assert.yaml
|
file: policy-assert.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: event
|
name: event
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: background-event.yaml
|
file: background-event.yaml
|
||||||
- error:
|
- error:
|
||||||
file: admission-event.yaml
|
file: admission-event.yaml
|
||||||
catch:
|
|
||||||
- events: {}
|
|
||||||
|
|
|
@ -6,5 +6,5 @@ Then it creates a resource that violates the policy.
|
||||||
## Expected Behavior
|
## Expected Behavior
|
||||||
|
|
||||||
The resource creates fine as the policy doesn't apply at admission time.
|
The resource creates fine as the policy doesn't apply at admission time.
|
||||||
No admission ezvent is created.
|
No admission event is created.
|
||||||
One background event is created.
|
One background event is created.
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: report
|
name: report
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- error:
|
- error:
|
||||||
file: admission-report.yaml
|
file: admission-report.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: event
|
name: event
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: background-event.yaml
|
file: background-event.yaml
|
||||||
|
|
|
@ -6,5 +6,5 @@ Then it creates a resource that violates the policy.
|
||||||
## Expected Behavior
|
## Expected Behavior
|
||||||
|
|
||||||
The resource creates fine as the policy doesn't apply at admission time.
|
The resource creates fine as the policy doesn't apply at admission time.
|
||||||
No admission ezvent is created.
|
No admission event is created.
|
||||||
One background event is created.
|
One background event is created.
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: report
|
name: report
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- error:
|
- error:
|
||||||
file: admission-report.yaml
|
file: admission-report.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
creationTimestamp: null
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -8,5 +8,4 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: rbac.yaml
|
file: rbac.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: pod.yaml
|
file: pod.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: pod-assert.yaml
|
file: pod-assert.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -10,5 +10,4 @@ spec:
|
||||||
- command:
|
- command:
|
||||||
args:
|
args:
|
||||||
- "65"
|
- "65"
|
||||||
check: null
|
|
||||||
entrypoint: sleep
|
entrypoint: sleep
|
||||||
|
|
|
@ -8,5 +8,4 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: rbac.yaml
|
file: rbac.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: pod.yaml
|
file: pod.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: pod-assert.yaml
|
file: pod-assert.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -10,5 +10,4 @@ spec:
|
||||||
- command:
|
- command:
|
||||||
args:
|
args:
|
||||||
- "5"
|
- "5"
|
||||||
check: null
|
|
||||||
entrypoint: sleep
|
entrypoint: sleep
|
||||||
|
|
|
@ -8,5 +8,4 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: rbac.yaml
|
file: rbac.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: pod.yaml
|
file: pod.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: pod-assert.yaml
|
file: pod-assert.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -10,5 +10,4 @@ spec:
|
||||||
- command:
|
- command:
|
||||||
args:
|
args:
|
||||||
- "65"
|
- "65"
|
||||||
check: null
|
|
||||||
entrypoint: sleep
|
entrypoint: sleep
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: clusterpolicy.yaml
|
file: clusterpolicy.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: clusterpolicy.yaml
|
file: clusterpolicy.yaml
|
||||||
|
|
|
@ -1,10 +1,13 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: invalidpolicy
|
name: invalidpolicy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: invalidpolicy.yaml
|
|
||||||
check:
|
check:
|
||||||
(error == null): false
|
(error != null): true
|
||||||
|
file: invalidpolicy.yaml
|
||||||
|
|
|
@ -1,18 +1,21 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: cleanuppolicy
|
name: cleanuppolicy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
|
check:
|
||||||
|
(error != null): true
|
||||||
file: cleanuppolicy-with-subjects.yaml
|
file: cleanuppolicy-with-subjects.yaml
|
||||||
check:
|
|
||||||
(error == null): false
|
|
||||||
- apply:
|
- apply:
|
||||||
|
check:
|
||||||
|
(error != null): true
|
||||||
file: cleanuppolicy-with-roles.yaml
|
file: cleanuppolicy-with-roles.yaml
|
||||||
check:
|
|
||||||
(error == null): false
|
|
||||||
- apply:
|
- apply:
|
||||||
file: cleanuppolicy-with-clusterroles.yaml
|
|
||||||
check:
|
check:
|
||||||
(error == null): false
|
(error != null): true
|
||||||
|
file: cleanuppolicy-with-clusterroles.yaml
|
||||||
|
|
|
@ -1,14 +1,17 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: cleanup-policy
|
name: cleanup-policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
|
check:
|
||||||
|
(error != null): true
|
||||||
file: cleanuppolicy-with-image-registry.yaml
|
file: cleanuppolicy-with-image-registry.yaml
|
||||||
check:
|
|
||||||
(error == null): false
|
|
||||||
- apply:
|
- apply:
|
||||||
file: cleanuppolicy-with-configmap.yaml
|
|
||||||
check:
|
check:
|
||||||
(error == null): false
|
(error != null): true
|
||||||
|
file: cleanuppolicy-with-configmap.yaml
|
||||||
|
|
|
@ -0,0 +1,38 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: test-custom-sigstore
|
||||||
|
---
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
name: basic-sigstore-test-policy
|
||||||
|
spec:
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
background: false
|
||||||
|
webhookTimeoutSeconds: 30
|
||||||
|
failurePolicy: Fail
|
||||||
|
rules:
|
||||||
|
- name: keyed-basic-rule
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Pod
|
||||||
|
context:
|
||||||
|
- name: tufvalues
|
||||||
|
configMap:
|
||||||
|
name: tufvalues
|
||||||
|
namespace: kyverno
|
||||||
|
verifyImages:
|
||||||
|
- imageReferences:
|
||||||
|
- "ttl.sh/*"
|
||||||
|
attestors:
|
||||||
|
- count: 1
|
||||||
|
entries:
|
||||||
|
- keyless:
|
||||||
|
issuer: "https://kubernetes.default.svc.cluster.local"
|
||||||
|
subject: "*"
|
||||||
|
rekor:
|
||||||
|
url: "{{ tufvalues.data.REKOR_URL }}"
|
||||||
|
required: true
|
|
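Review bot: The keyless attestor in `keyed-basic-rule` pins only the `issuer` and leaves `subject: "*"`, so any identity that issuer vouches for satisfies the rule. That is acceptable in a fixture, but test policies get copied; a comment such as `# test only: pin subject to the signing identity outside tests` above the `subject` line would make the intent explicit. The rule is also named `keyed-` while the attestor entry is `keyless`, which is worth aligning. The Rekor URL is read from the `tufvalues` ConfigMap in the `kyverno` namespace, so the test presumably depends on that ConfigMap existing before the policy is applied; that precondition is not visible in this file.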
@ -0,0 +1,9 @@
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
name: basic-sigstore-test-policy
|
||||||
|
status:
|
||||||
|
conditions:
|
||||||
|
- reason: Succeeded
|
||||||
|
status: "True"
|
||||||
|
type: Ready
|
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
|
kind: TestStep
|
||||||
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
|
name: goodpod
|
||||||
|
spec:
|
||||||
|
timeouts: {}
|
||||||
|
try:
|
||||||
|
- command:
|
||||||
|
args:
|
||||||
|
- -n
|
||||||
|
- test-custom-sigstore
|
||||||
|
- run
|
||||||
|
- test-sigstore
|
||||||
|
- --image=$TEST_IMAGE_URL
|
||||||
|
entrypoint: kubectl
|
|
@ -0,0 +1,5 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: test-sigstore
|
||||||
|
namespace: test-custom-sigstore
|
|
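Review bot: This assertion matches only the Pod's `name` and `namespace`, so it passes whenever the Pod exists, whether or not the `verifyImages` rule actually evaluated the image. If `$TEST_IMAGE_URL` in the preceding `goodpod` step ever resolves outside `ttl.sh/*`, the policy would not match and the test would still be green. Consider also asserting the verification outcome, for example the annotation Kyverno records on verified Pods (`kyverno.io/verify-images`, to be confirmed for this version) under `metadata.annotations`. A negative case in which an unsigned `ttl.sh` image is rejected would cover the other half.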
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: manifests.yaml
|
file: manifests.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy-assert.yaml
|
file: policy-assert.yaml
|
||||||
|
|
|
@ -1,10 +1,13 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: testcase
|
name: testcase
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: deploy.yaml
|
|
||||||
check:
|
check:
|
||||||
(error == null): false
|
(error != null): true
|
||||||
|
file: deploy.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: manifests.yaml
|
file: manifests.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy-assert.yaml
|
file: policy-assert.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: cm.yaml
|
file: cm.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: cm-assert.yaml
|
file: cm-assert.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy-assert.yaml
|
file: policy-assert.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: resource-assert.yaml
|
file: resource-assert.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy-assert.yaml
|
file: policy-assert.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: resource-assert.yaml
|
file: resource-assert.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy-assert.yaml
|
file: policy-assert.yaml
|
||||||
|
|
|
@ -8,7 +8,6 @@ spec:
|
||||||
timeouts: {}
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
check: null
|
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: resource-assert.yaml
|
file: resource-assert.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: crd
|
name: crd
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: crd.yaml
|
file: crd.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
|
kind: TestStep
|
||||||
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
|
name: sleep
|
||||||
|
spec:
|
||||||
|
timeouts: {}
|
||||||
|
try:
|
||||||
|
- command:
|
||||||
|
args:
|
||||||
|
- "3"
|
||||||
|
entrypoint: sleep
|
|
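Review bot: A fixed `sleep` of `"3"` seconds makes this test timing-dependent: too short on a slow cluster, wasted time on a fast one. If the step that follows is an `assert` (the next file on this page asserts `event.yaml`), chainsaw already retries the assertion until the step timeout, so the sleep can likely be dropped in favour of a value under `timeouts` on the asserting step. The same pattern appears in the second added `sleep` step further down the page. If the delay is there to give something time not to happen, a comment saying so would help.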
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: event
|
name: event
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: event.yaml
|
file: event.yaml
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
|
kind: TestStep
|
||||||
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
|
name: sleep
|
||||||
|
spec:
|
||||||
|
timeouts: {}
|
||||||
|
try:
|
||||||
|
- command:
|
||||||
|
args:
|
||||||
|
- "3"
|
||||||
|
entrypoint: sleep
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: event
|
name: event
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: policy-event.yaml
|
file: policy-event.yaml
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: event
|
name: event
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: event-assert.yaml
|
file: event-assert.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: event
|
name: event
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- error:
|
- error:
|
||||||
file: event.yaml
|
file: event.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
file: resource.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: event
|
name: event
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: event-assert.yaml
|
file: event-assert.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,10 +1,13 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: resource
|
name: resource
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: resource.yaml
|
|
||||||
check:
|
check:
|
||||||
(error == null): false
|
(error != null): true
|
||||||
|
file: resource.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: event
|
name: event
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: event-assert.yaml
|
file: event-assert.yaml
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
|
kind: TestStep
|
||||||
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
|
name: admission-controller-apply
|
||||||
|
spec:
|
||||||
|
timeouts: {}
|
||||||
|
try:
|
||||||
|
- apply:
|
||||||
|
file: admission-controller.yaml
|
||||||
|
- assert:
|
||||||
|
file: admission-controller-assert.yaml
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
|
kind: TestStep
|
||||||
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
|
name: policy
|
||||||
|
spec:
|
||||||
|
timeouts: {}
|
||||||
|
try:
|
||||||
|
- apply:
|
||||||
|
file: policy.yaml
|
||||||
|
- assert:
|
||||||
|
file: policy-assert.yaml
|
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
|
kind: TestStep
|
||||||
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
|
name: resource
|
||||||
|
spec:
|
||||||
|
timeouts: {}
|
||||||
|
try:
|
||||||
|
- apply:
|
||||||
|
file: resource.yaml
|
||||||
|
- apply:
|
||||||
|
check:
|
||||||
|
(error != null): true
|
||||||
|
file: resource-fail.yaml
|
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
|
kind: TestStep
|
||||||
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
|
name: event
|
||||||
|
spec:
|
||||||
|
timeouts: {}
|
||||||
|
try:
|
||||||
|
- apply:
|
||||||
|
file: event-assert.yaml
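Review bot: This `event` step uses `- apply:` on `event-assert.yaml`, whereas the other `event` steps in this commit use `- assert:` for the same file name. As written, the step tries to create an Event object instead of waiting for Kyverno to emit one, so it does not verify that the `PolicyApplied` event is produced. The `event-assert.yaml` added in this commit also has `metadata: {}` with no name, which suggests it was meant as an assertion pattern rather than a manifest to apply. The operation should read `- assert:` followed by `file: event-assert.yaml`.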
|
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
|
kind: TestStep
|
||||||
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
|
name: script
|
||||||
|
spec:
|
||||||
|
timeouts: {}
|
||||||
|
try:
|
||||||
|
- script:
|
||||||
|
content: "if kubectl logs deployment/kyverno-admission-controller -n kyverno
|
||||||
|
| grep \"reason=\\\"PolicyViolation\\\"\" \nthen \n echo \"Test succeeded.
|
||||||
|
PolicyViolation event was not created.\"\n exit 0\nelse \n echo \"Tested
|
||||||
|
failed. PolicyViolation event should have been created.\"\n exit 1\nfi\n"
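Review bot: The script's messages contradict each other and its own condition. The success branch runs when `grep` finds `reason="PolicyViolation"` in the controller log, yet it prints "PolicyViolation event was not created". The failure branch says the event "should have been created", which conflicts with `--omit-events=PolicyViolation` set in `admission-controller.yaml`. Presumably the grep is meant to match the log line written when the event is omitted; if so, say that in a comment above `- script:` (`# passes when the controller log records the PolicyViolation event as omitted`) and change the failure text to `Test failed. PolicyViolation event should have been omitted.`. The check also depends on log verbosity (`--v=2`) and on which pod `kubectl logs deployment/...` selects, so asserting the absence of the Event object itself would be a sturdier signal than log text.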
|
|
@ -0,0 +1,18 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This test updates the deployment with flag `--omit-events=PolicyApplied` set
|
||||||
|
Then it creates a policy, and a resource.
|
||||||
|
The resource is expected to be accepted.
|
||||||
|
A `PolicyApplied` event should be created.
|
||||||
|
Then it creates a respource that is expected to be rejected
|
||||||
|
A `PolicyViolation` event should not be emitted as the flag does not include that.
|
||||||
|
|
||||||
|
## Steps
|
||||||
|
|
||||||
|
1. Update the deployment of admission controller to add this ar`--omit-events=PolicyApplied`.
|
||||||
|
2. - Create a policy
|
||||||
|
- Assert the policy becomes ready
|
||||||
|
3. - Create a resource,
|
||||||
|
4. - Asset a `PolicyApplied` event is created
|
||||||
|
5. Try creating a resource with a script that is expected to fail.
|
||||||
|
6. Exit the script with `0` if it returns an error
|
|
@ -0,0 +1,8 @@
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: kyverno-admission-controller
|
||||||
|
namespace: kyverno
|
||||||
|
status:
|
||||||
|
readyReplicas: 1
|
||||||
|
updatedReplicas: 1
|
|
@ -0,0 +1,170 @@
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: kyverno-admission-controller
|
||||||
|
namespace: kyverno
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/component: admission-controller
|
||||||
|
app.kubernetes.io/instance: kyverno
|
||||||
|
app.kubernetes.io/part-of: kyverno
|
||||||
|
app.kubernetes.io/version: latest
|
||||||
|
spec:
|
||||||
|
replicas:
|
||||||
|
strategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxSurge: 1
|
||||||
|
maxUnavailable: 40%
|
||||||
|
type: RollingUpdate
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/component: admission-controller
|
||||||
|
app.kubernetes.io/instance: kyverno
|
||||||
|
app.kubernetes.io/part-of: kyverno
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/component: admission-controller
|
||||||
|
app.kubernetes.io/instance: kyverno
|
||||||
|
app.kubernetes.io/part-of: kyverno
|
||||||
|
app.kubernetes.io/version: latest
|
||||||
|
spec:
|
||||||
|
dnsPolicy: ClusterFirst
|
||||||
|
serviceAccountName: kyverno-admission-controller
|
||||||
|
initContainers:
|
||||||
|
- name: kyverno-pre
|
||||||
|
image: "ghcr.io/kyverno/kyvernopre:latest"
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
args:
|
||||||
|
- --loggingFormat=text
|
||||||
|
- --v=2
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 256Mi
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 64Mi
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
privileged: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
env:
|
||||||
|
- name: METRICS_CONFIG
|
||||||
|
value: kyverno-metrics
|
||||||
|
- name: KYVERNO_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: KYVERNO_POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: KYVERNO_DEPLOYMENT
|
||||||
|
value: kyverno
|
||||||
|
containers:
|
||||||
|
- name: kyverno
|
||||||
|
image: "ghcr.io/kyverno/kyverno:latest"
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
args:
|
||||||
|
- --omit-events=PolicyViolation
|
||||||
|
- --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
|
||||||
|
- --servicePort=443
|
||||||
|
- --loggingFormat=text
|
||||||
|
- --v=2
|
||||||
|
- --disableMetrics=false
|
||||||
|
- --otelConfig=prometheus
|
||||||
|
- --metricsPort=8000
|
||||||
|
- --admissionReports=true
|
||||||
|
- --autoUpdateWebhooks=true
|
||||||
|
- --enableConfigMapCaching=true
|
||||||
|
- --dumpPayload=false
|
||||||
|
- --forceFailurePolicyIgnore=false
|
||||||
|
- --enablePolicyException=false
|
||||||
|
- --exceptionNamespace=
|
||||||
|
- --protectManagedResources=false
|
||||||
|
- --allowInsecureRegistry=false
|
||||||
|
- --registryCredentialHelpers=default,google,amazon,azure,github
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
memory: 384Mi
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 128Mi
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
privileged: false
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
ports:
|
||||||
|
- containerPort: 9443
|
||||||
|
name: https
|
||||||
|
protocol: TCP
|
||||||
|
- containerPort: 8000
|
||||||
|
name: metrics-port
|
||||||
|
protocol: TCP
|
||||||
|
env:
|
||||||
|
- name: INIT_CONFIG
|
||||||
|
value: kyverno
|
||||||
|
- name: METRICS_CONFIG
|
||||||
|
value: kyverno-metrics
|
||||||
|
- name: KYVERNO_NAMESPACE
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
- name: KYVERNO_POD_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
fieldPath: metadata.name
|
||||||
|
- name: KYVERNO_SERVICEACCOUNT_NAME
|
||||||
|
value: kyverno-admission-controller
|
||||||
|
- name: KYVERNO_SVC
|
||||||
|
value: kyverno-svc
|
||||||
|
- name: TUF_ROOT
|
||||||
|
value: /.sigstore
|
||||||
|
- name: KYVERNO_DEPLOYMENT
|
||||||
|
value: kyverno-admission-controller
|
||||||
|
startupProbe:
|
||||||
|
failureThreshold: 20
|
||||||
|
httpGet:
|
||||||
|
path: /health/liveness
|
||||||
|
port: 9443
|
||||||
|
scheme: HTTPS
|
||||||
|
initialDelaySeconds: 2
|
||||||
|
periodSeconds: 6
|
||||||
|
livenessProbe:
|
||||||
|
failureThreshold: 2
|
||||||
|
httpGet:
|
||||||
|
path: /health/liveness
|
||||||
|
port: 9443
|
||||||
|
scheme: HTTPS
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 30
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
readinessProbe:
|
||||||
|
failureThreshold: 6
|
||||||
|
httpGet:
|
||||||
|
path: /health/readiness
|
||||||
|
port: 9443
|
||||||
|
scheme: HTTPS
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 5
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /.sigstore
|
||||||
|
name: sigstore
|
||||||
|
volumes:
|
||||||
|
- name: sigstore
|
||||||
|
emptyDir: {}
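Review bot: `--omit-events=PolicyViolation` in the `kyverno` container args is the setting this test depends on, but the README added in the same commit says the deployment is updated with `--omit-events=PolicyApplied`. The assertions (a `PolicyApplied` event expected, no `PolicyViolation`) match the manifest, so the README wording looks wrong. A comment above the arg would make the intent explicit, e.g. `# suppress PolicyViolation events only; PolicyApplied must still be emitted`. Separately, the fixture restates the whole Deployment, including flags such as `--allowInsecureRegistry=false` and `--forceFailurePolicyIgnore=false` and the `:latest` image tags, so it can drift from what the CI install deploys. Changing only the args of the installed Deployment would keep the test from silently running against a different configuration.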
|
|
@ -0,0 +1,11 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Event
|
||||||
|
metadata: {}
|
||||||
|
involvedObject:
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: Policy
|
||||||
|
name: require-labels
|
||||||
|
type: Normal
|
||||||
|
reason: PolicyApplied
|
||||||
|
source:
|
||||||
|
component: kyverno-admission
|
|
@ -0,0 +1,9 @@
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: Policy
|
||||||
|
metadata:
|
||||||
|
name: require-labels
|
||||||
|
status:
|
||||||
|
conditions:
|
||||||
|
- reason: Succeeded
|
||||||
|
status: "True"
|
||||||
|
type: Ready
|
|
@ -0,0 +1,20 @@
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: Policy
|
||||||
|
metadata:
|
||||||
|
name: require-labels
|
||||||
|
spec:
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
background: false
|
||||||
|
rules:
|
||||||
|
- name: require-team
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- ConfigMap
|
||||||
|
validate:
|
||||||
|
message: 'The label `team` is required.'
|
||||||
|
pattern:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
team: '?*'
|
|
@ -0,0 +1,7 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: bar
|
||||||
|
labels:
|
||||||
|
foo: bar
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: foo
|
||||||
|
labels:
|
||||||
|
team: kyverno
|
||||||
|
|
|
@ -1,10 +1,13 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
- assert:
|
- assert:
|
||||||
file: policy.yaml
|
file: policy-assert.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: webhooks
|
name: webhooks
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: webhooks-assert.yaml
|
file: webhooks-assert.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: validatingadmissionpolicy
|
name: validatingadmissionpolicy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: validatingadmissionpolicy.yaml
|
file: validatingadmissionpolicy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: validatingadmissionpolicy
|
name: validatingadmissionpolicy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: validatingadmissionpolicy.yaml
|
file: validatingadmissionpolicy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: policy
|
name: policy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- apply:
|
- apply:
|
||||||
file: policy.yaml
|
file: policy.yaml
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
|
---
|
||||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||||
kind: TestStep
|
kind: TestStep
|
||||||
metadata:
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
name: validatingadmissionpolicy
|
name: validatingadmissionpolicy
|
||||||
spec:
|
spec:
|
||||||
|
timeouts: {}
|
||||||
try:
|
try:
|
||||||
- assert:
|
- assert:
|
||||||
file: validatingadmissionpolicy.yaml
|
file: validatingadmissionpolicy.yaml
|
||||||
|
|