mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
chore: all chainsaw tests (#9011)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché
GitHub
parent
ccf020abab
commit
d6933fff4f
2401 changed files with 40111 additions and 58 deletions
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -1,12 +1,13 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: event
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: background-event.yaml
|
||||
- error:
|
||||
file: admission-event.yaml
|
||||
catch:
|
||||
- events: {}
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@ Then it creates a resource that violates the policy.
|
|||
## Expected Behavior
|
||||
|
||||
The resource creates fine as the policy doesn't apply at admission time.
|
||||
No admission ezvent is created.
|
||||
No admission event is created.
|
||||
One background event is created.
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: report
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- error:
|
||||
file: admission-report.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: event
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: background-event.yaml
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@ Then it creates a resource that violates the policy.
|
|||
## Expected Behavior
|
||||
|
||||
The resource creates fine as the policy doesn't apply at admission time.
|
||||
No admission ezvent is created.
|
||||
No admission event is created.
|
||||
One background event is created.
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: report
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- error:
|
||||
file: admission-report.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,9 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -8,5 +8,4 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: rbac.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: pod.yaml
|
||||
- assert:
|
||||
file: pod-assert.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -10,5 +10,4 @@ spec:
|
|||
- command:
|
||||
args:
|
||||
- "65"
|
||||
check: null
|
||||
entrypoint: sleep
|
||||
|
|
|
|||
|
|
@ -8,5 +8,4 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: rbac.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: pod.yaml
|
||||
- assert:
|
||||
file: pod-assert.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -10,5 +10,4 @@ spec:
|
|||
- command:
|
||||
args:
|
||||
- "5"
|
||||
check: null
|
||||
entrypoint: sleep
|
||||
|
|
|
|||
|
|
@ -8,5 +8,4 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: rbac.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: pod.yaml
|
||||
- assert:
|
||||
file: pod-assert.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -10,5 +10,4 @@ spec:
|
|||
- command:
|
||||
args:
|
||||
- "65"
|
||||
check: null
|
||||
entrypoint: sleep
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: clusterpolicy.yaml
|
||||
- assert:
|
||||
file: clusterpolicy.yaml
|
||||
|
|
|
|||
|
|
@ -1,10 +1,13 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: invalidpolicy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: invalidpolicy.yaml
|
||||
check:
|
||||
(error == null): false
|
||||
(error != null): true
|
||||
file: invalidpolicy.yaml
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cleanuppolicy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check:
|
||||
(error != null): true
|
||||
file: cleanuppolicy-with-subjects.yaml
|
||||
check:
|
||||
(error == null): false
|
||||
- apply:
|
||||
check:
|
||||
(error != null): true
|
||||
file: cleanuppolicy-with-roles.yaml
|
||||
check:
|
||||
(error == null): false
|
||||
- apply:
|
||||
file: cleanuppolicy-with-clusterroles.yaml
|
||||
check:
|
||||
(error == null): false
|
||||
(error != null): true
|
||||
file: cleanuppolicy-with-clusterroles.yaml
|
||||
|
|
|
|||
|
|
@ -1,14 +1,17 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: cleanup-policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check:
|
||||
(error != null): true
|
||||
file: cleanuppolicy-with-image-registry.yaml
|
||||
check:
|
||||
(error == null): false
|
||||
- apply:
|
||||
file: cleanuppolicy-with-configmap.yaml
|
||||
check:
|
||||
(error == null): false
|
||||
(error != null): true
|
||||
file: cleanuppolicy-with-configmap.yaml
|
||||
|
|
|
|||
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: test-custom-sigstore
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: basic-sigstore-test-policy
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: keyed-basic-rule
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
context:
|
||||
- name: tufvalues
|
||||
configMap:
|
||||
name: tufvalues
|
||||
namespace: kyverno
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- "ttl.sh/*"
|
||||
attestors:
|
||||
- count: 1
|
||||
entries:
|
||||
- keyless:
|
||||
issuer: "https://kubernetes.default.svc.cluster.local"
|
||||
subject: "*"
|
||||
rekor:
|
||||
url: "{{ tufvalues.data.REKOR_URL }}"
|
||||
required: true
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: basic-sigstore-test-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: goodpod
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- command:
|
||||
args:
|
||||
- -n
|
||||
- test-custom-sigstore
|
||||
- run
|
||||
- test-sigstore
|
||||
- --image=$TEST_IMAGE_URL
|
||||
entrypoint: kubectl
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: test-sigstore
|
||||
namespace: test-custom-sigstore
|
||||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: manifests.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
|
|||
|
|
@ -1,10 +1,13 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: testcase
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: deploy.yaml
|
||||
check:
|
||||
(error == null): false
|
||||
(error != null): true
|
||||
file: deploy.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: manifests.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: cm.yaml
|
||||
- assert:
|
||||
file: cm-assert.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: resource.yaml
|
||||
- assert:
|
||||
file: resource-assert.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: resource.yaml
|
||||
- assert:
|
||||
file: resource-assert.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ spec:
|
|||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
check: null
|
||||
file: resource.yaml
|
||||
- assert:
|
||||
file: resource-assert.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: crd
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: crd.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: sleep
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- command:
|
||||
args:
|
||||
- "3"
|
||||
entrypoint: sleep
|
||||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: event
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: event.yaml
|
||||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: sleep
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- command:
|
||||
args:
|
||||
- "3"
|
||||
entrypoint: sleep
|
||||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: event
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: policy-event.yaml
|
||||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: event
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: event-assert.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: event
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- error:
|
||||
file: event.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: event
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: event-assert.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,10 +1,13 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
check:
|
||||
(error == null): false
|
||||
(error != null): true
|
||||
file: resource.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: event
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: event-assert.yaml
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: admission-controller-apply
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: admission-controller.yaml
|
||||
- assert:
|
||||
file: admission-controller-assert.yaml
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: resource
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: resource.yaml
|
||||
- apply:
|
||||
check:
|
||||
(error != null): true
|
||||
file: resource-fail.yaml
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: event
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: event-assert.yaml
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: script
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- script:
|
||||
content: "if kubectl logs deployment/kyverno-admission-controller -n kyverno
|
||||
| grep \"reason=\\\"PolicyViolation\\\"\" \nthen \n echo \"Test succeeded.
|
||||
PolicyViolation event was not created.\"\n exit 0\nelse \n echo \"Tested
|
||||
failed. PolicyViolation event should have been created.\"\n exit 1\nfi\n"
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
## Description
|
||||
|
||||
This test updates the deployment with flag `--omit-events=PolicyApplied` set
|
||||
Then it creates a policy, and a resource.
|
||||
The resource is expected to be accepted.
|
||||
A `PolicyApplied` event should be created.
|
||||
Then it creates a respource that is expected to be rejected
|
||||
A `PolicyViolation` event should not be emitted as the flag does not include that.
|
||||
|
||||
## Steps
|
||||
|
||||
1. Update the deployment of admission controller to add this ar`--omit-events=PolicyApplied`.
|
||||
2. - Create a policy
|
||||
- Assert the policy becomes ready
|
||||
3. - Create a resource,
|
||||
4. - Asset a `PolicyApplied` event is created
|
||||
5. Try creating a resource with a script that is expected to fail.
|
||||
6. Exit the script with `0` if it returns an error
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: kyverno-admission-controller
|
||||
namespace: kyverno
|
||||
status:
|
||||
readyReplicas: 1
|
||||
updatedReplicas: 1
|
||||
|
|
@ -0,0 +1,170 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: kyverno-admission-controller
|
||||
namespace: kyverno
|
||||
labels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
spec:
|
||||
replicas:
|
||||
strategy:
|
||||
rollingUpdate:
|
||||
maxSurge: 1
|
||||
maxUnavailable: 40%
|
||||
type: RollingUpdate
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
spec:
|
||||
dnsPolicy: ClusterFirst
|
||||
serviceAccountName: kyverno-admission-controller
|
||||
initContainers:
|
||||
- name: kyverno-pre
|
||||
image: "ghcr.io/kyverno/kyvernopre:latest"
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- --loggingFormat=text
|
||||
- --v=2
|
||||
resources:
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 64Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
env:
|
||||
- name: METRICS_CONFIG
|
||||
value: kyverno-metrics
|
||||
- name: KYVERNO_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: KYVERNO_POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: KYVERNO_DEPLOYMENT
|
||||
value: kyverno
|
||||
containers:
|
||||
- name: kyverno
|
||||
image: "ghcr.io/kyverno/kyverno:latest"
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- --omit-events=PolicyViolation
|
||||
- --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
|
||||
- --servicePort=443
|
||||
- --loggingFormat=text
|
||||
- --v=2
|
||||
- --disableMetrics=false
|
||||
- --otelConfig=prometheus
|
||||
- --metricsPort=8000
|
||||
- --admissionReports=true
|
||||
- --autoUpdateWebhooks=true
|
||||
- --enableConfigMapCaching=true
|
||||
- --dumpPayload=false
|
||||
- --forceFailurePolicyIgnore=false
|
||||
- --enablePolicyException=false
|
||||
- --exceptionNamespace=
|
||||
- --protectManagedResources=false
|
||||
- --allowInsecureRegistry=false
|
||||
- --registryCredentialHelpers=default,google,amazon,azure,github
|
||||
resources:
|
||||
limits:
|
||||
memory: 384Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
ports:
|
||||
- containerPort: 9443
|
||||
name: https
|
||||
protocol: TCP
|
||||
- containerPort: 8000
|
||||
name: metrics-port
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: INIT_CONFIG
|
||||
value: kyverno
|
||||
- name: METRICS_CONFIG
|
||||
value: kyverno-metrics
|
||||
- name: KYVERNO_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: KYVERNO_POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
- name: KYVERNO_SERVICEACCOUNT_NAME
|
||||
value: kyverno-admission-controller
|
||||
- name: KYVERNO_SVC
|
||||
value: kyverno-svc
|
||||
- name: TUF_ROOT
|
||||
value: /.sigstore
|
||||
- name: KYVERNO_DEPLOYMENT
|
||||
value: kyverno-admission-controller
|
||||
startupProbe:
|
||||
failureThreshold: 20
|
||||
httpGet:
|
||||
path: /health/liveness
|
||||
port: 9443
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 2
|
||||
periodSeconds: 6
|
||||
livenessProbe:
|
||||
failureThreshold: 2
|
||||
httpGet:
|
||||
path: /health/liveness
|
||||
port: 9443
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 30
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
readinessProbe:
|
||||
failureThreshold: 6
|
||||
httpGet:
|
||||
path: /health/readiness
|
||||
port: 9443
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
volumeMounts:
|
||||
- mountPath: /.sigstore
|
||||
name: sigstore
|
||||
volumes:
|
||||
- name: sigstore
|
||||
emptyDir: {}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Event
|
||||
metadata: {}
|
||||
involvedObject:
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
name: require-labels
|
||||
type: Normal
|
||||
reason: PolicyApplied
|
||||
source:
|
||||
component: kyverno-admission
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: require-labels
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: require-labels
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
rules:
|
||||
- name: require-team
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
validate:
|
||||
message: 'The label `team` is required.'
|
||||
pattern:
|
||||
metadata:
|
||||
labels:
|
||||
team: '?*'
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: bar
|
||||
labels:
|
||||
foo: bar
|
||||
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: foo
|
||||
labels:
|
||||
team: kyverno
|
||||
|
||||
|
|
@ -1,10 +1,13 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy.yaml
|
||||
file: policy-assert.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: webhooks
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: webhooks-assert.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: validatingadmissionpolicy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: validatingadmissionpolicy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: validatingadmissionpolicy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: validatingadmissionpolicy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: policy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
|
|
|
|||
|
|
@ -1,8 +1,11 @@
|
|||
---
|
||||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: TestStep
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: validatingadmissionpolicy
|
||||
spec:
|
||||
timeouts: {}
|
||||
try:
|
||||
- assert:
|
||||
file: validatingadmissionpolicy.yaml
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue