From d8d6d8985611381a74c8304972aa440602e9943c Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Fri, 1 Mar 2024 14:49:04 +0200 Subject: [PATCH] fix: remove duplicate chainsaw tests for PSA (#9835) 
Signed-off-by: Mariam Fahmy --- .../psa/test-exclusion-capabilities/README.md | 7 ---- .../test-exclusion-capabilities/bad-pod.yaml | 27 ------------- .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 26 ------------- .../test-exclusion-capabilities/good-pod.yaml | 26 ------------- .../policy-assert.yaml | 9 ----- .../test-exclusion-capabilities/policy.yaml | 31 --------------- .../test-exclusion-host-namespaces/README.md | 7 ---- .../bad-pod.yaml | 13 ------- .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 13 ------- .../good-pod.yaml | 13 ------- .../policy-assert.yaml | 9 ----- .../policy.yaml | 23 ----------- .../psa/test-exclusion-host-ports/README.md | 7 ---- .../test-exclusion-host-ports/bad-pod.yaml | 24 ------------ .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 24 ------------ .../test-exclusion-host-ports/good-pod.yaml | 24 ------------ .../policy-assert.yaml | 9 ----- .../psa/test-exclusion-host-ports/policy.yaml | 31 --------------- .../test-exclusion-hostpath-volume/README.md | 7 ---- .../chainsaw-test.yaml | 19 --------- .../excluded-pod.yaml | 16 -------- .../good-pod.yaml | 12 ------ .../policy-assert.yaml | 9 ----- .../policy.yaml | 23 ----------- .../test-exclusion-hostprocesses/README.md | 7 ---- .../test-exclusion-hostprocesses/bad-pod.yaml | 27 ------------- .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 28 ------------- .../good-pod.yaml | 27 ------------- .../policy-assert.yaml | 9 ----- .../test-exclusion-hostprocesses/policy.yaml | 39 ------------------- .../README.md | 7 ---- .../bad-pod.yaml | 32 --------------- .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 34 ---------------- .../good-pod.yaml | 34 ---------------- .../policy-assert.yaml | 9 ----- .../policy.yaml | 31 --------------- .../README.md | 7 ---- .../chainsaw-test.yaml | 19 --------- .../excluded-pod.yaml | 22 ----------- .../good-pod.yaml | 23 ----------- .../policy-assert.yaml | 9 ----- 
.../policy.yaml | 31 --------------- .../psa/test-exclusion-procmount/README.md | 7 ---- .../psa/test-exclusion-procmount/bad-pod.yaml | 22 ----------- .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 22 ----------- .../test-exclusion-procmount/good-pod.yaml | 22 ----------- .../policy-assert.yaml | 9 ----- .../psa/test-exclusion-procmount/policy.yaml | 31 --------------- .../README.md | 7 ---- .../bad-pod.yaml | 38 ------------------ .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 38 ------------------ .../good-pod.yaml | 36 ----------------- .../policy-assert.yaml | 9 ----- .../policy.yaml | 31 --------------- .../README.md | 7 ---- .../bad-pod.yaml | 37 ------------------ .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 37 ------------------ .../good-pod.yaml | 37 ------------------ .../policy-assert.yaml | 9 ----- .../policy.yaml | 35 ----------------- .../README.md | 7 ---- .../bad-pod.yaml | 36 ----------------- .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 36 ----------------- .../good-pod.yaml | 36 ----------------- .../policy-assert.yaml | 9 ----- .../policy.yaml | 29 -------------- .../README.md | 7 ---- .../bad-pod.yaml | 34 ---------------- .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 34 ---------------- .../good-pod.yaml | 34 ---------------- .../policy-assert.yaml | 9 ----- .../policy.yaml | 29 -------------- .../psa/test-exclusion-seccomp/README.md | 7 ---- .../psa/test-exclusion-seccomp/bad-pod.yaml | 27 ------------- .../test-exclusion-seccomp/chainsaw-test.yaml | 24 ------------ .../test-exclusion-seccomp/excluded-pod.yaml | 27 ------------- .../psa/test-exclusion-seccomp/good-pod.yaml | 24 ------------ .../test-exclusion-seccomp/policy-assert.yaml | 9 ----- .../psa/test-exclusion-seccomp/policy.yaml | 35 ----------------- .../psa/test-exclusion-selinux/README.md | 7 ---- .../psa/test-exclusion-selinux/bad-pod.yaml | 24 ------------ 
.../test-exclusion-selinux/chainsaw-test.yaml | 24 ------------ .../test-exclusion-selinux/excluded-pod.yaml | 24 ------------ .../psa/test-exclusion-selinux/good-pod.yaml | 24 ------------ .../test-exclusion-selinux/policy-assert.yaml | 9 ----- .../psa/test-exclusion-selinux/policy.yaml | 31 --------------- .../psa/test-exclusion-sysctls/README.md | 7 ---- .../psa/test-exclusion-sysctls/bad-pod.yaml | 15 ------- .../test-exclusion-sysctls/chainsaw-test.yaml | 24 ------------ .../test-exclusion-sysctls/excluded-pod.yaml | 15 ------- .../psa/test-exclusion-sysctls/good-pod.yaml | 15 ------- .../test-exclusion-sysctls/policy-assert.yaml | 9 ----- .../psa/test-exclusion-sysctls/policy.yaml | 23 ----------- .../psa/test-exclusion-volume-types/README.md | 7 ---- .../test-exclusion-volume-types/bad-pod.yaml | 24 ------------ .../chainsaw-test.yaml | 24 ------------ .../excluded-pod.yaml | 24 ------------ .../test-exclusion-volume-types/good-pod.yaml | 24 ------------ .../policy-assert.yaml | 9 ----- .../test-exclusion-volume-types/policy.yaml | 23 ----------- 110 files changed, 2317 deletions(-) delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy.yaml delete mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml delete mode 
100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml delete mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml delete mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml delete mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/good-pod.yaml delete mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/README.md delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/README.md delete mode 100644 
test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/bad-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/good-pod.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy-assert.yaml delete mode 100644 test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/README.md
deleted file mode 100644
index c59ed5dd51..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Capabilities` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Capabilities` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/bad-pod.yaml
deleted file mode 100644
index 4c04991e7c..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/bad-pod.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- capabilities:
- add:
- - bar
- - baz
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- capabilities:
- add:
- - baz
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml
deleted file mode 100644
index f31c14a3bb..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-capabilities
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml
deleted file mode 100644
index 0515247211..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/excluded-pod.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- capabilities:
- add:
- - foo
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- capabilities:
- add:
- - baz
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/good-pod.yaml
deleted file mode 100644
index 6441d8da8e..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/good-pod.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- capabilities:
- add:
- - CHOWN
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- capabilities:
- add:
- - FOWNER
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy-assert.yaml
deleted file mode 100644
index 15c3374370..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-capabilities
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy.yaml
deleted file mode 100644
index 2f6900595f..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-capabilities/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-capabilities
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-capabilities
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: baseline
- version: latest
- exclude:
- - controlName: "Capabilities"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.capabilities.add"
- values:
- - "foo"
- - controlName: "Capabilities"
- images:
- - nginx
- restrictedField: "spec.initContainers[*].securityContext.capabilities.add"
- values:
- - "baz"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/README.md
deleted file mode 100644
index e87d5374d4..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Host Namespaces` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Host Namespaces` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml
deleted file mode 100644
index 760e331699..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/bad-pod.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- hostPID: true
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml
deleted file mode 100644
index 6a05e375f1..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-host-namespaces
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml
deleted file mode 100644
index 8bbbde5351..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/excluded-pod.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- hostNetwork: true
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml
deleted file mode 100644
index 3da6f315fb..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/good-pod.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- hostNetwork: false
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml
deleted file mode 100644
index 5e3b676332..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-host-namespaces
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy.yaml
deleted file mode 100644
index d4ab72b505..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-namespaces/policy.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-host-namespaces
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-host-namespaces
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: baseline
- version: latest
- exclude:
- - controlName: "Host Namespaces"
- restrictedField: "spec.hostNetwork"
- values:
- - "true"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/README.md
deleted file mode 100644
index 2d2caf46c7..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Host Ports` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Host Ports` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/bad-pod.yaml
deleted file mode 100644
index 879fd503fd..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/bad-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- ports:
- - hostPort: 20
- containerPort: 80
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- ports:
- - hostPort: 20
- containerPort: 80
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml
deleted file mode 100644
index 31ffadacae..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-host-ports
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml
deleted file mode 100644
index c35a7b6c70..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/excluded-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- ports:
- - hostPort: 10
- containerPort: 80
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- ports:
- - hostPort: 20
- containerPort: 80
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/good-pod.yaml
deleted file mode 100644
index 89e31240a6..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/good-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- ports:
- - hostPort: 0
- containerPort: 80
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- ports:
- - hostPort: 0
- containerPort: 80
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy-assert.yaml
deleted file mode 100644
index a137213552..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-host-ports
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy.yaml
deleted file mode 100644
index 36f71a6a9b..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-host-ports/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-host-ports
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-host-ports
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: baseline
- version: latest
- exclude:
- - controlName: "Host Ports"
- images:
- - nginx
- restrictedField: "spec.containers[*].ports[*].hostPort"
- values:
- - "10"
- - controlName: "Host Ports"
- images:
- - nginx
- restrictedField: "spec.initContainers[*].ports[*].hostPort"
- values:
- - "20"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/README.md
deleted file mode 100644
index 15b6c2aee2..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `HostPath Volumes` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml
deleted file mode 100644
index e52a274da5..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/chainsaw-test.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-hostpath-volume
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml
deleted file mode 100644
index 940666c6d6..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/excluded-pod.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- volumes:
- - name: host
- hostPath:
- path: /var/lib1
- containers:
- - name: nginx
- image: nginx
- args:
- - sleep
- - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml
deleted file mode 100644
index f4dad266d6..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/good-pod.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- containers:
- - name: nginx
- image: nginx
- args:
- - sleep
- - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml
deleted file mode 100644
index f9ae6dc5af..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-hostpath-volumes
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy.yaml
deleted file mode 100644
index 8756065eac..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostpath-volume/policy.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-hostpath-volumes
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-hostpath-volumes
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: baseline
- version: latest
- exclude:
- - controlName: "HostPath Volumes"
- restrictedField: "spec.volumes[*].hostPath"
- values:
- - "path"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/README.md
deleted file mode 100644
index 683dd82937..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `HostProcesses` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `HostProcesses` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml
deleted file mode 100644
index 38cc7d061c..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/bad-pod.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- securityContext:
- windowsOptions:
- hostProcess: true
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- windowsOptions:
- hostProcess: true
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- windowsOptions:
- hostProcess: true
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml
deleted file mode 100644
index 60e01f882c..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-hostprocesses
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml
deleted file mode 100644
index e8cac71d5b..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/excluded-pod.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- hostNetwork: true
- securityContext:
- windowsOptions:
- hostProcess: true
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- windowsOptions:
- hostProcess: true
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- windowsOptions:
- hostProcess: true
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml
deleted file mode 100644
index c7ab1ddd15..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/good-pod.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- securityContext:
- windowsOptions:
- hostProcess: false
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- windowsOptions:
- hostProcess: false
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- windowsOptions:
- hostProcess: false
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml
deleted file mode 100644
index 23cbe07db7..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-hostprocess
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy.yaml
deleted file mode 100644
index 646a92695a..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-hostprocesses/policy.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-hostprocess
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-hostprocess
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: baseline
- version: latest
- exclude:
- - controlName: "Host Namespaces"
- restrictedField: "spec.hostNetwork"
- values:
- - "true"
- - controlName: "HostProcess"
- restrictedField: "spec.securityContext.windowsOptions.hostProcess"
- values:
- - "true"
- - controlName: "HostProcess"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.windowsOptions.hostProcess"
- values:
- - "true"
- - controlName: "HostProcess"
- images:
- - nginx
- restrictedField: "spec.initContainers[*].securityContext.windowsOptions.hostProcess"
- values:
- - "true"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/README.md
deleted file mode 100644
index a07943a47c..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Privilege Escalation` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Privilege Escalation` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml
deleted file mode 100644
index 81f6cacc97..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/bad-pod.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml
deleted file mode 100644
index 4cc4f3b891..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-privilege-escalation
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml
deleted file mode 100644
index 704b940d71..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/excluded-pod.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: true
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: true
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml
deleted file mode 100644
index 258f6471f2..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/good-pod.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml
deleted file mode 100644
index ca0fb3dde5..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-privilege-escalation
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy.yaml
deleted file mode 100644
index 795a9ad24d..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privilege-escalation/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-privilege-escalation
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-privilege-escalation
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: restricted
- version: latest
- exclude:
- - controlName: "Privilege Escalation"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.allowPrivilegeEscalation"
- values:
- - "true"
- - controlName: "Privilege Escalation"
- images:
- - nginx
- restrictedField: "spec.initContainers[*].securityContext.allowPrivilegeEscalation"
- values:
- - "true"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/README.md
deleted file mode 100644
index 797b269c72..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Privileged Containers` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml
deleted file mode 100644
index 9f98299f5b..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/chainsaw-test.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-privileged-containers
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml
deleted file mode 100644
index 9ad1d46816..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/excluded-pod.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- privileged: true
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- privileged: true
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml
deleted file mode 100644
index 1edfd29c6b..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/good-pod.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- privileged: false
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- windowsOptions:
- hostProcess: false
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml
deleted file mode 100644
index 754f2b3064..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-privileged-containers
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy.yaml
deleted file mode 100644
index ee775897fc..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-privileged-containers/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-privileged-containers
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-privileged-containers
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: baseline
- version: latest
- exclude:
- - controlName: "Privileged Containers"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.privileged"
- values:
- - "true"
- - controlName: "Privileged Containers"
- images:
- - nginx
- restrictedField: "spec.initContainers[*].securityContext.privileged"
- values:
- - "true"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/README.md
deleted file mode 100644
index 59c07abdd1..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `/proc MountType` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `/proc MountType` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/bad-pod.yaml
deleted file mode 100644
index 6f20df94fc..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/bad-pod.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- procMount: unknown
- initContainers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- procMount: other
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml
deleted file mode 100644
index 1dbb3c4cb1..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-procmount
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/excluded-pod.yaml
deleted file mode 100644
index 0dc7fe3cc8..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/excluded-pod.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- procMount: foo
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- procMount: bar
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/good-pod.yaml
deleted file mode 100644
index 2367e6c3c4..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/good-pod.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- procMount: default
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- procMount: default
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy-assert.yaml
deleted file mode 100644
index 4f48e3a387..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-procmount
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy.yaml
deleted file mode 100644
index 37c460c781..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-procmount/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-procmount
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-procmount
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: baseline
- version: latest
- exclude:
- - controlName: "/proc Mount Type"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.procMount"
- values:
- - "foo"
- - controlName: "/proc Mount Type"
- images:
- - nginx
- restrictedField: "spec.initContainers[*].securityContext.procMount"
- values:
- - "bar"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/README.md
deleted file mode 100644
index 9a050435fb..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Capabilities` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Capabilities` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml
deleted file mode 100644
index bb7edc0e5f..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/bad-pod.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- add:
- - bar
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- add:
- - baz
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml
deleted file mode 100644
index 3618ab3150..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-restricted-capabilities
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml
deleted file mode 100644
index 27c3194101..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/excluded-pod.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- add:
- - foo
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- add:
- - baz
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml
deleted file mode 100644
index b39aa5c87b..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/good-pod.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml
deleted file mode 100644
index 8e9265264a..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-restricted-capabilities
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml
deleted file mode 100644
index 766cba4e4a..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-capabilities/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-restricted-capabilities
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-restricted-capabilities
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: restricted
- version: latest
- exclude:
- - controlName: "Capabilities"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.capabilities.add"
- values:
- - "foo"
- - controlName: "Capabilities"
- images:
- - nginx
- restrictedField: "spec.initContainers[*].securityContext.capabilities.add"
- values:
- - "baz"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/README.md
deleted file mode 100644
index dbc1666d30..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Seccomp` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Seccomp` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml
deleted file mode 100644
index 93d641e1fc..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/bad-pod.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- securityContext:
- seccompProfile:
- type: foo
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: baz
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: Localhost
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml
deleted file mode 100644
index cf7c618a8e..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-restricted-seccomp
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml
deleted file mode 100644
index d99a52e4b4..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/excluded-pod.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- securityContext:
- seccompProfile:
- type: Unconfined
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: Unconfined
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: Unconfined
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml
deleted file mode 100644
index 8eab1c40c1..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/good-pod.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml
deleted file mode 100644
index fa3c8d69b8..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-restricted-seccomp
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml
deleted file mode 100644
index f13dd4c9a7..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-restricted-seccomp/policy.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-restricted-seccomp
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-restricted-seccomp
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: restricted
- version: latest
- exclude:
- - controlName: "Seccomp"
- restrictedField: "spec.securityContext.seccompProfile.type"
- values:
- - "Unconfined"
- - controlName: "Seccomp"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.seccompProfile.type"
- values:
- - "Unconfined"
- - controlName: "Seccomp"
- images:
- - nginx
- restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type"
- values:
- - "Unconfined"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/README.md
deleted file mode 100644
index 4d7c2a17bc..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Running as Non-root User` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Running as Non-root User` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml
deleted file mode 100644
index df05759dc2..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/bad-pod.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- runAsUser: 1
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- runAsUser: 0
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml
deleted file mode 100644
index c3d11ab7c3..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-running-as-nonroot-user
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml
deleted file mode 100644
index 4b9093f0e1..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/excluded-pod.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- runAsUser: 0
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- runAsUser: 10
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml
deleted file mode 100644
index 52e3dd3b33..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/good-pod.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- runAsUser: 1
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- runAsUser: 1000
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml
deleted file mode 100644
index 7d7d2c13c1..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-running-as-non-root-user
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml
deleted file mode 100644
index e5f15a04be..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot-user/policy.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-running-as-non-root-user
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-running-as-non-root-user
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: restricted
- version: latest
- exclude:
- - controlName: "Running as Non-root user"
- restrictedField: "spec.securityContext.runAsUser"
- values:
- - "0"
- - controlName: "Running as Non-root user"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.runAsUser"
- values:
- - "0"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/README.md
deleted file mode 100644
index 3ca78c89e0..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Running as Non-root` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Running as Non-root` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml
deleted file mode 100644
index ea4d3fb9da..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/bad-pod.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: false
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml
deleted file mode 100644
index 1890ea875c..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-running-as-nonroot
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml
deleted file mode 100644
index ea6e182be5..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/excluded-pod.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: false
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml
deleted file mode 100644
index 258f6471f2..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/good-pod.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml
deleted file mode 100644
index df09dc96cc..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-running-as-non-root
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml
deleted file mode 100644
index a52ba806b3..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-running-as-nonroot/policy.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-running-as-non-root
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-running-as-non-root
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: restricted
- version: latest
- exclude:
- - controlName: "Running as Non-root"
- restrictedField: "spec.securityContext.runAsNonRoot"
- values:
- - "false"
- - controlName: "Running as Non-root"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.runAsNonRoot"
- values:
- - "false"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/README.md
deleted file mode 100644
index 05d0308040..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Seccomp` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Seccomp` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/bad-pod.yaml
deleted file mode 100644
index 00bc10c39c..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/bad-pod.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- securityContext:
- seccompProfile:
- type: foo
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: baz
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: Localhost
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml
deleted file mode 100644
index 1b2c1061e3..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-seccomp
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml
deleted file mode 100644
index c44be0a5d9..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/excluded-pod.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- securityContext:
- seccompProfile:
- type: Unconfined
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: Unconfined
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: Unconfined
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/good-pod.yaml
deleted file mode 100644
index 78d9e7d64e..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/good-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy-assert.yaml
deleted file mode 100644
index 60894fe185..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-seccomp
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy.yaml
deleted file mode 100644
index 77a97aaa6f..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-seccomp/policy.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-seccomp
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-seccomp
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: baseline
- version: latest
- exclude:
- - controlName: "Seccomp"
- restrictedField: "spec.securityContext.seccompProfile.type"
- values:
- - "Unconfined"
- - controlName: "Seccomp"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.seccompProfile.type"
- values:
- - "Unconfined"
- - controlName: "Seccomp"
- images:
- - nginx
- restrictedField: "spec.initContainers[*].securityContext.seccompProfile.type"
- values:
- - "Unconfined"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/README.md
deleted file mode 100644
index a9f2af0d65..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `SELinux` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `SELinux` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/bad-pod.yaml
deleted file mode 100644
index 03c84e8fa0..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/bad-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seLinuxOptions:
- type: bar
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seLinuxOptions:
- type: foo
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml
deleted file mode 100644
index 2136f8d365..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-selinux
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/excluded-pod.yaml
deleted file mode 100644
index 9ee7c56b57..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/excluded-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seLinuxOptions:
- type: foo
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seLinuxOptions:
- type: bar
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/good-pod.yaml
deleted file mode 100644
index d62a7cd981..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/good-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- containers:
- - name: nginx1
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seLinuxOptions:
- type: container_t
- initContainers:
- - name: nginx2
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seLinuxOptions:
- type: container_init_t
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy-assert.yaml
deleted file mode 100644
index 9a05399776..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-selinux
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy.yaml
deleted file mode 100644
index 7402f47910..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-selinux/policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-selinux
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-selinux
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: baseline
- version: latest
- exclude:
- - controlName: "SELinux"
- images:
- - nginx
- restrictedField: "spec.containers[*].securityContext.seLinuxOptions.type"
- values:
- - "foo"
- - controlName: "SELinux"
- images:
- - nginx
- restrictedField: "spec.initContainers[*].securityContext.seLinuxOptions.type"
- values:
- - "bar"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/README.md
deleted file mode 100644
index 741afe0dab..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the baseline:latest `Sysctls` PSS check and one pod (`bad-pod`) should not be created as it violate the baseline:latest `Sysctls` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/bad-pod.yaml
deleted file mode 100644
index 121cb49914..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/bad-pod.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- securityContext:
- sysctls:
- - name: unknown
- containers:
- - name: nginx
- image: nginx
- args:
- - sleep
- - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml
deleted file mode 100644
index 501fcc88fc..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-sysctls
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml
deleted file mode 100644
index 0d58f98577..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/excluded-pod.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- securityContext:
- sysctls:
- - name: fake.value
- containers:
- - name: nginx
- image: nginx
- args:
- - sleep
- - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/good-pod.yaml
deleted file mode 100644
index 509a7c407b..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/good-pod.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- securityContext:
- sysctls:
- - name: net.ipv4.ip_unprivileged_port_start
- containers:
- - name: nginx
- image: nginx
- args:
- - sleep
- - 1d
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy-assert.yaml
deleted file mode 100644
index 323c615563..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-sysctls
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy.yaml
deleted file mode 100644
index c33b74ee5f..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-sysctls/policy.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-sysctls
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-sysctls
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: baseline
- version: latest
- exclude:
- - controlName: "Sysctls"
- restrictedField: "spec.securityContext.sysctls[*].name"
- values:
- - "fake.value"
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/README.md b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/README.md
deleted file mode 100644
index 436bf39a29..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## Description
-
-This test ensures the PSS checks with the new advanced support on exclusions are applied to the resources successfully.
-
-## Expected Behavior
-
-Two pods (`good-pod` & `excluded-pod`) should be created as it follows the restricted:latest `Volume Types` PSS check and one pod (`bad-pod`) should not be created as it violate the restricted:latest `Volume Types` PSS check.
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/bad-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/bad-pod.yaml
deleted file mode 100644
index 9a1e942bfb..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/bad-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: bad-pod
- namespace: default
-spec:
- volumes:
- - name: flex
- flexVolume:
- driver: /var/lib2
- containers:
- - name: nginx
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: Localhost
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml
deleted file mode 100644
index 28e73aef95..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/chainsaw-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Test
-metadata:
- creationTimestamp: null
- name: test-exclusion-volume-types
-spec:
- steps:
- - name: step-01
- try:
- - apply:
- file: policy.yaml
- - assert:
- file: policy-assert.yaml
- - name: step-02
- try:
- - apply:
- expect:
- - check:
- ($error != null): true
- file: bad-pod.yaml
- - apply:
- file: excluded-pod.yaml
- - apply:
- file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml
deleted file mode 100644
index b9296ba409..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/excluded-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: excluded-pod
- namespace: default
-spec:
- volumes:
- - name: flex
- flexVolume:
- driver: /var/lib1
- containers:
- - name: nginx
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/good-pod.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/good-pod.yaml
deleted file mode 100644
index c2aab040a6..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/good-pod.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: good-pod
- namespace: default
-spec:
- volumes:
- - name: configmap
- configMap:
- name: configmap
- containers:
- - name: nginx
- image: nginx
- args:
- - sleep
- - 1d
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: true
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy-assert.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy-assert.yaml
deleted file mode 100644
index f647243baa..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy-assert.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-volume-types
-status:
- conditions:
- - reason: Succeeded
- status: "True"
- type: Ready
diff --git a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy.yaml b/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy.yaml
deleted file mode 100644
index 6c30ac197f..0000000000
--- a/test/conformance/chainsaw/validate/policy/standard/psa/test-exclusion-volume-types/policy.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: test-exclusion-volume-types
-spec:
- background: true
- validationFailureAction: Enforce
- rules:
- - name: test-exclusion-volume-types
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- podSecurity:
- level: restricted
- version: latest
- exclude:
- - controlName: "Volume Types"
- restrictedField: "spec.volumes[*].flexVolume"
- values:
- - "driver"