mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 02:18:15 +00:00

More kuttl tests (#5238)

* add remainder of e2e verifyImages tests

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add tests

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add external-metrics test case and scaffolding

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* update scaffolding

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add keyed-basic test

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add migrated e2e test for gen role and rolebinding

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add clone-role-and-rolebinding from e2e

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* remove timeout param from kuttl-test.yaml

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add tests for external-metrics Policy fix

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
Chip Zoller 2022-11-07 12:23:19 -05:00 committed by GitHub
parent 35123af638
commit d9480c268d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
55 changed files with 1412 additions and 4 deletions

View file

@ -1,5 +1,11 @@
# Title
## Description
Issue: 1234
This is a description of what my test does and why it needs to do it.
This is a description of your test.
## Expected Behavior
This is the expected behavior of my test. Although it's assumed the test, overall, should pass/succeed, be specific about what the internal behavior is which leads to that result.
## Reference Issue(s)
1234
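Review bot: the rendered hunk shows the old scaffold lines `Issue: 1234` and `This is a description of your test.` sitting directly above the new `## Reference Issue(s)` section that repeats `1234`; since the file grows from 5 to 11 lines, confirm those old lines were actually removed rather than kept, so the template records the issue reference in exactly one place (the new section).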

View file

@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-labels
status:
ready: true

View file

@ -0,0 +1,19 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-labels
spec:
rules:
- name: add-labels
match:
resources:
kinds:
- Pod
- Service
- ConfigMap
- Secret
mutate:
patchStrategicMerge:
metadata:
labels:
foo: bar
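Review bot: this rule uses the legacy `match.resources` form while the generate policies in the same commit use `match.any`; switching to `any:` keeps the fixtures consistent with the current syntax. Also, a cluster-wide mutate on `Secret`/`ConfigMap` with no namespace restriction labels system resources (kube-system Secrets included), and the `kubectl delete -f 01-manifests.yaml` cleanup step removes the policy but cannot undo labels already applied, so scoping the match to a test namespace avoids leaving side effects for later test directories.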

View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true

View file

@ -0,0 +1,11 @@
## Description
This is a description of what my test does and why it needs to do it.
## Expected Behavior
This is the expected behavior of my test. Although it's assumed the test, overall, should pass/succeed, be specific about what the internal behavior is which leads to that result.
## Reference Issue(s)
1234
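Review bot: the Description and Reference Issue(s) sections here are the scaffold placeholders verbatim ("This is a description of what my test does...", `1234`); unless this file is the scaffold itself, fill in what the test exercises and the real issue number, or `N/A` as the other READMEs in this commit do.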

View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: testingsecret
namespace: default
labels:
foo: bar

View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: bar

View file

@ -0,0 +1,8 @@
apiVersion: v1
data:
foo: YmFy
kind: Secret
metadata:
name: testingsecret
namespace: default
type: Opaque

View file

@ -0,0 +1,13 @@
## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
if kubectl apply -f manifests.yaml
then
echo "Tested failed. Policy was created when it shouldn't have been."
exit 1
else
echo "Test succeeded. Policy was not created as intended."
exit 0
fi
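Review bot: the `else` branch treats any non-zero exit from `kubectl apply -f manifests.yaml` as a pass, so a missing file, a path typo (every other step in this commit references `01-manifests.yaml`), or an unreachable API server would all make this negative test succeed. Fail explicitly if the file is absent and check for the expected rejection instead, e.g. capture the output and `grep` for the policy's deny message. The echo text also reads "Tested failed" rather than "Test failed".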

View file

@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: gen-clone-role-policy
status:
ready: true

View file

@ -0,0 +1,59 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: ns-role
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list", "delete", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ns-role-binding
namespace: default
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: minikube-userclone
roleRef:
kind: Role
name: ns-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: gen-clone-role-policy
spec:
background: false
rules:
- name: gen-role
match:
any:
- resources:
kinds:
- Namespace
generate:
kind: Role
name: ns-role
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
name: ns-role
namespace: default
- name: gen-role-binding
match:
any:
- resources:
kinds:
- Namespace
generate:
kind: RoleBinding
name: ns-role-binding
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
name: ns-role-binding
namespace: default

View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: generate-clone-role-tests

View file

@ -0,0 +1,30 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ns-role
namespace: generate-clone-role-tests
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- watch
- list
- delete
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ns-role-binding
namespace: generate-clone-role-tests
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ns-role
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: minikube-userclone

View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true

View file

@ -0,0 +1,11 @@
## Description
This test checks the Kyverno can generate a Role and RoleBinding from a clone-type generate rule. This test does NOT require additional privileges granted to the Kyverno ServiceAccount. Because this is a test which covers generation of security-related constructs which the API server has special logic to block if it detects a possible privilege escalation attack, it is being considered a corner case. This test was migrated from e2e.
## Expected Behavior
The Role and RoleBinding should be generated as per the clone declaration in the ClusterPolicy.
## Reference Issue(s)
N/A
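Review bot: in the Description, "This test checks the Kyverno can generate" should read "This test checks that Kyverno can generate". It would also help to state which namespace the assert targets (`generate-clone-role-tests`) so a reader can connect the README to the fixture files.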

View file

@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: gen-role-policy
status:
ready: true

View file

@ -0,0 +1,44 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: gen-role-policy
spec:
background: false
rules:
- name: gen-role
match:
any:
- resources:
kinds:
- Namespace
generate:
kind: Role
name: ns-role
namespace: "{{request.object.metadata.name}}"
synchronize: true
data:
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
- name: gen-role-binding
match:
any:
- resources:
kinds:
- Namespace
generate:
kind: RoleBinding
name: ns-role-binding
namespace: "{{request.object.metadata.name}}"
synchronize: true
data:
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: minikube-user
roleRef:
kind: Role
name: ns-role
namespace: "{{request.object.metadata.name}}"
apiGroup: rbac.authorization.k8s.io
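Review bot: `roleRef.namespace` in the `gen-role-binding` data block is not a field of `rbac.authorization.k8s.io/v1` RoleRef (only `apiGroup`, `kind` and `name` exist); the API server drops or rejects unknown fields depending on field validation, and the expected RoleBinding in this test's assert carries no such field, so remove it from the generate data.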

View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: generate-role-tests

View file

@ -0,0 +1,28 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ns-role
namespace: generate-role-tests
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ns-role-binding
namespace: generate-role-tests
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ns-role
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: minikube-user

View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true

View file

@ -0,0 +1,11 @@
## Description
This test checks the Kyverno can generate a Role and RoleBinding from a data-type generate rule. This test does NOT require additional privileges granted to the Kyverno ServiceAccount. Because this is a test which covers generation of security-related constructs which the API server has special logic to block if it detects a possible privilege escalation attack, it is being considered a corner case. This test was migrated from e2e.
## Expected Behavior
The Role and RoleBinding should be generate as per the data declaration in the ClusterPolicy.
## Reference Issue(s)
N/A
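Review bot: two wording fixes in this README: "checks the Kyverno can generate" should be "checks that Kyverno can generate", and "should be generate as per the data declaration" should be "should be generated as per the data declaration".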

View file

@ -6,17 +6,19 @@ testDirs:
- ./test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync
- ./test/conformance/kuttl/generate/clusterpolicy/standard/data/sync
- ./test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync
- ./test/conformance/kuttl/generate/clusterpolicy/cornercases
# Mutate tests
- ./test/conformance/kuttl/mutate/clusterpolicy/standard
- ./test/conformance/kuttl/mutate/clusterpolicy/standard/existing
# Validate tests
- ./test/conformance/kuttl/validate/clusterpolicy/standard/audit
- ./test/conformance/kuttl/validate/clusterpolicy/standard/enforce
- ./test/conformance/kuttl/validate/clusterpolicy/cornercases
# verifyImages tests
- ./test/conformance/kuttl/verifyImages/clusterpolicy/standard
# Report tests
- ./test/conformance/kuttl/reports/admission
- ./test/conformance/kuttl/reports/background
startKIND: false
timeout: 15
# timeout: 15
parallel: 1
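Review bot: `timeout: 15` is removed but survives as the commented line `# timeout: 15`; drop the comment rather than keeping dead configuration. Without it kuttl falls back to its default per-step timeout (30 s), and the external-metrics corner case added in this commit pulls two KEDA images and then sleeps 20 s before its first assert, so confirm that default is sufficient on CI or set an explicit value that covers it.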

View file

@ -0,0 +1,770 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: keda
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.9.0
creationTimestamp: null
labels:
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: scaledobjects.keda.sh
spec:
group: keda.sh
names:
kind: ScaledObject
listKind: ScaledObjectList
plural: scaledobjects
shortNames:
- so
singular: scaledobject
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.scaleTargetKind
name: ScaleTargetKind
type: string
- jsonPath: .spec.scaleTargetRef.name
name: ScaleTargetName
type: string
- jsonPath: .spec.minReplicaCount
name: Min
type: integer
- jsonPath: .spec.maxReplicaCount
name: Max
type: integer
- jsonPath: .spec.triggers[*].type
name: Triggers
type: string
- jsonPath: .spec.triggers[*].authenticationRef.name
name: Authentication
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
- jsonPath: .status.conditions[?(@.type=="Active")].status
name: Active
type: string
- jsonPath: .status.conditions[?(@.type=="Fallback")].status
name: Fallback
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ScaledObject is a specification for a ScaledObject resource
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ScaledObjectSpec is the spec for a ScaledObject resource
properties:
advanced:
description: AdvancedConfig specifies advance scaling options
properties:
horizontalPodAutoscalerConfig:
description: HorizontalPodAutoscalerConfig specifies horizontal
scale config
properties:
behavior:
description: HorizontalPodAutoscalerBehavior configures the
scaling behavior of the target in both Up and Down directions
(scaleUp and scaleDown fields respectively).
properties:
scaleDown:
description: scaleDown is scaling policy for scaling Down.
If not set, the default value is to allow to scale down
to minReplicas pods, with a 300 second stabilization
window (i.e., the highest recommendation for the last
300sec is used).
properties:
policies:
description: policies is a list of potential scaling
polices which can be used during scaling. At least
one policy must be specified, otherwise the HPAScalingRules
will be discarded as invalid
items:
description: HPAScalingPolicy is a single policy
which must hold true for a specified past interval.
properties:
periodSeconds:
description: PeriodSeconds specifies the window
of time for which the policy should hold true.
PeriodSeconds must be greater than zero and
less than or equal to 1800 (30 min).
format: int32
type: integer
type:
description: Type is used to specify the scaling
policy.
type: string
value:
description: Value contains the amount of change
which is permitted by the policy. It must
be greater than zero
format: int32
type: integer
required:
- periodSeconds
- type
- value
type: object
type: array
selectPolicy:
description: selectPolicy is used to specify which
policy should be used. If not set, the default value
MaxPolicySelect is used.
type: string
stabilizationWindowSeconds:
description: 'StabilizationWindowSeconds is the number
of seconds for which past recommendations should
be considered while scaling up or scaling down.
StabilizationWindowSeconds must be greater than
or equal to zero and less than or equal to 3600
(one hour). If not set, use the default values:
- For scale up: 0 (i.e. no stabilization is done).
- For scale down: 300 (i.e. the stabilization window
is 300 seconds long).'
format: int32
type: integer
type: object
scaleUp:
description: 'scaleUp is scaling policy for scaling Up.
If not set, the default value is the higher of: * increase
no more than 4 pods per 60 seconds * double the number
of pods per 60 seconds No stabilization is used.'
properties:
policies:
description: policies is a list of potential scaling
polices which can be used during scaling. At least
one policy must be specified, otherwise the HPAScalingRules
will be discarded as invalid
items:
description: HPAScalingPolicy is a single policy
which must hold true for a specified past interval.
properties:
periodSeconds:
description: PeriodSeconds specifies the window
of time for which the policy should hold true.
PeriodSeconds must be greater than zero and
less than or equal to 1800 (30 min).
format: int32
type: integer
type:
description: Type is used to specify the scaling
policy.
type: string
value:
description: Value contains the amount of change
which is permitted by the policy. It must
be greater than zero
format: int32
type: integer
required:
- periodSeconds
- type
- value
type: object
type: array
selectPolicy:
description: selectPolicy is used to specify which
policy should be used. If not set, the default value
MaxPolicySelect is used.
type: string
stabilizationWindowSeconds:
description: 'StabilizationWindowSeconds is the number
of seconds for which past recommendations should
be considered while scaling up or scaling down.
StabilizationWindowSeconds must be greater than
or equal to zero and less than or equal to 3600
(one hour). If not set, use the default values:
- For scale up: 0 (i.e. no stabilization is done).
- For scale down: 300 (i.e. the stabilization window
is 300 seconds long).'
format: int32
type: integer
type: object
type: object
name:
type: string
type: object
restoreToOriginalReplicaCount:
type: boolean
type: object
cooldownPeriod:
format: int32
type: integer
fallback:
description: Fallback is the spec for fallback options
properties:
failureThreshold:
format: int32
type: integer
replicas:
format: int32
type: integer
required:
- failureThreshold
- replicas
type: object
idleReplicaCount:
format: int32
type: integer
maxReplicaCount:
format: int32
type: integer
minReplicaCount:
format: int32
type: integer
pollingInterval:
format: int32
type: integer
scaleTargetRef:
description: ScaleTarget holds the a reference to the scale target
Object
properties:
apiVersion:
type: string
envSourceContainerName:
type: string
kind:
type: string
name:
type: string
required:
- name
type: object
triggers:
items:
description: ScaleTriggers reference the scaler that will be used
properties:
authenticationRef:
description: ScaledObjectAuthRef points to the TriggerAuthentication
or ClusterTriggerAuthentication object that is used to authenticate
the scaler with the environment
properties:
kind:
description: Kind of the resource being referred to. Defaults
to TriggerAuthentication.
type: string
name:
type: string
required:
- name
type: object
metadata:
additionalProperties:
type: string
type: object
metricType:
description: MetricTargetType specifies the type of metric being
targeted, and should be either "Value", "AverageValue", or
"Utilization"
type: string
name:
type: string
type:
type: string
required:
- metadata
- type
type: object
type: array
required:
- scaleTargetRef
- triggers
type: object
status:
description: ScaledObjectStatus is the status for a ScaledObject resource
properties:
conditions:
description: Conditions an array representation to store multiple
Conditions
items:
description: Condition to store the condition state
properties:
message:
description: A human readable message indicating details about
the transition.
type: string
reason:
description: The reason for the condition's last transition.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: Type of condition
type: string
required:
- status
- type
type: object
type: array
externalMetricNames:
items:
type: string
type: array
health:
additionalProperties:
description: HealthStatus is the status for a ScaledObject's health
properties:
numberOfFailures:
format: int32
type: integer
status:
description: HealthStatusType is an indication of whether the
health status is happy or failing
type: string
type: object
type: object
hpaName:
type: string
lastActiveTime:
format: date-time
type: string
originalReplicaCount:
format: int32
type: integer
pausedReplicaCount:
format: int32
type: integer
resourceMetricNames:
items:
type: string
type: array
scaleTargetGVKR:
description: GroupVersionKindResource provides unified structure for
schema.GroupVersionKind and Resource
properties:
group:
type: string
kind:
type: string
resource:
type: string
version:
type: string
required:
- group
- kind
- resource
- version
type: object
scaleTargetKind:
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: keda-operator
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-operator
namespace: keda
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: keda-external-metrics-reader
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-external-metrics-reader
rules:
- apiGroups:
- external.metrics.k8s.io
resources:
- '*'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/name: keda-operator
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-operator
rules:
- apiGroups:
- ""
resources:
- configmaps
- configmaps/status
- events
verbs:
- '*'
- apiGroups:
- ""
resources:
- external
- pods
- secrets
- services
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- list
- watch
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- apiGroups:
- '*'
resources:
- '*/scale'
verbs:
- '*'
- apiGroups:
- apps
resources:
- deployments
- statefulsets
verbs:
- list
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- '*'
- apiGroups:
- batch
resources:
- jobs
verbs:
- '*'
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- '*'
- apiGroups:
- keda.sh
resources:
- clustertriggerauthentications
- clustertriggerauthentications/status
verbs:
- '*'
- apiGroups:
- keda.sh
resources:
- scaledjobs
- scaledjobs/finalizers
- scaledjobs/status
verbs:
- '*'
- apiGroups:
- keda.sh
resources:
- scaledobjects
- scaledobjects/finalizers
- scaledobjects/status
verbs:
- '*'
- apiGroups:
- keda.sh
resources:
- triggerauthentications
- triggerauthentications/status
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: keda-auth-reader
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-auth-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: keda-operator
namespace: keda
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: keda-hpa-controller-external-metrics
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-hpa-controller-external-metrics
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: keda-external-metrics-reader
subjects:
- kind: ServiceAccount
name: horizontal-pod-autoscaler
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: keda-operator
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: keda-operator
subjects:
- kind: ServiceAccount
name: keda-operator
namespace: keda
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: keda-system-auth-delegator
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-system-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: keda-operator
namespace: keda
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: keda-metrics-apiserver
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-metrics-apiserver
namespace: keda
spec:
ports:
- name: https
port: 443
targetPort: 6443
- name: http
port: 80
targetPort: 8080
selector:
app: keda-metrics-apiserver
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: keda-metrics-apiserver
app.kubernetes.io/name: keda-metrics-apiserver
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-metrics-apiserver
namespace: keda
spec:
replicas: 1
selector:
matchLabels:
app: keda-metrics-apiserver
template:
metadata:
labels:
app: keda-metrics-apiserver
name: keda-metrics-apiserver
spec:
containers:
- args:
- /usr/local/bin/keda-adapter
- --secure-port=6443
- --logtostderr=true
- --v=0
env:
- name: WATCH_NAMESPACE
value: ""
- name: KEDA_HTTP_DEFAULT_TIMEOUT
value: ""
image: ghcr.io/kedacore/keda-metrics-apiserver:2.8.0
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: 6443
scheme: HTTPS
initialDelaySeconds: 5
name: keda-metrics-apiserver
ports:
- containerPort: 6443
name: https
- containerPort: 8080
name: http
readinessProbe:
httpGet:
path: /readyz
port: 6443
scheme: HTTPS
initialDelaySeconds: 5
resources:
limits:
cpu: 1000m
memory: 1000Mi
requests:
cpu: 100m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- mountPath: /tmp
name: temp-vol
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
serviceAccountName: keda-operator
volumes:
- emptyDir: {}
name: temp-vol
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: keda-operator
app.kubernetes.io/component: operator
app.kubernetes.io/name: keda-operator
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: keda-operator
namespace: keda
spec:
replicas: 1
selector:
matchLabels:
app: keda-operator
template:
metadata:
labels:
app: keda-operator
name: keda-operator
name: keda-operator
spec:
containers:
- args:
- --leader-elect
- --zap-log-level=info
- --zap-encoder=console
- --zap-time-encoding=rfc3339
command:
- /keda
env:
- name: WATCH_NAMESPACE
value: ""
- name: KEDA_HTTP_DEFAULT_TIMEOUT
value: ""
image: ghcr.io/kedacore/keda:2.8.0
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 25
name: keda-operator
ports:
- containerPort: 8080
name: http
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 20
resources:
limits:
cpu: 1000m
memory: 1000Mi
requests:
cpu: 100m
memory: 100Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
nodeSelector:
kubernetes.io/os: linux
securityContext:
runAsNonRoot: true
serviceAccountName: keda-operator
terminationGracePeriodSeconds: 10
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
labels:
app.kubernetes.io/name: v1beta1.external.metrics.k8s.io
app.kubernetes.io/part-of: keda-operator
app.kubernetes.io/version: 2.8.0
name: v1beta1.external.metrics.k8s.io
spec:
group: external.metrics.k8s.io
groupPriorityMinimum: 100
insecureSkipTLSVerify: true
service:
name: keda-metrics-apiserver
namespace: keda
version: v1beta1
versionPriority: 100
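Review bot: this 770-line fixture is a vendored copy of the upstream KEDA 2.8.0 install manifest with no provenance comment; a header line giving the source URL and version makes future refreshes reviewable. Two fixture-level points: `imagePullPolicy: Always` on both Deployments forces a registry pull on every run (slower, and a failure when offline), and the APIService is registered with `insecureSkipTLSVerify: true` while ClusterRole `keda-operator` grants `get` on every resource in every API group and `*` on `*/scale`; that is the upstream default, but a comment that this is only acceptable on the disposable test cluster would be worth adding.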

View file

@ -0,0 +1,5 @@
# Need to wait for the KEDA images to be pulled, Pods run, and external metrics API group to be properly registered and served.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: sleep 20
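Review bot: a fixed `sleep 20` is a brittle way to wait for the aggregated API to come up; kuttl already polls asserts up to the step timeout, so the following Deployment assert can absorb the wait, and the registration itself can be awaited deterministically with `kubectl wait --for=condition=Available apiservice/v1beta1.external.metrics.k8s.io --timeout=120s` instead of a sleep.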

View file

@ -0,0 +1,9 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: keda-metrics-apiserver
namespace: keda
status:
availableReplicas: 1
readyReplicas: 1
replicas: 1
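Review bot: only the `keda-metrics-apiserver` Deployment is asserted; the `keda-operator` Deployment from the same fixture is not, and neither is the APIService's `Available` condition, which is the precondition this corner case actually depends on. An additional assert on `apiregistration.k8s.io/v1` APIService `v1beta1.external.metrics.k8s.io` with a condition of type `Available` and status `"True"` would make that explicit.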

View file

@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: external-metrics-policy
status:
ready: true

View file

@ -0,0 +1,30 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: external-metrics-policy
spec:
validationFailureAction: enforce
background: false
rules:
- name: external-metrics-rule
match:
all:
- clusterRoles:
- evil-cr
resources:
kinds:
- Secret
validate:
message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
deny:
conditions:
any:
- key: '{{request.operation}}'
operator: Equals
value: DELETE
- key: '{{request.operation}}'
operator: Equals
value: UPDATE
- key: '{{request.operation}}'
operator: Equals
value: CREATE
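Review bot: the `message` references `{{request.oldObject.kind}}` and `{{request.oldObject.name}}`, but the deny conditions also match `CREATE`, where the admission request carries no `oldObject`, so those variables cannot resolve on that path; `request.object.*` is populated for all three operations. Also `oldObject.name` is not a valid path on a Kubernetes object (`metadata.name` is). This test only asserts that the policy becomes ready, so the defect is latent, but a fixture that gets copied elsewhere should be correct.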

View file

@ -0,0 +1,7 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: external-metrics-policy-default
namespace: default
status:
ready: true

View file

@ -0,0 +1,31 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: external-metrics-policy-default
namespace: default
spec:
validationFailureAction: enforce
background: false
rules:
- name: external-metrics-rule-default
match:
all:
- clusterRoles:
- evil-cr
resources:
kinds:
- Secret
validate:
message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
deny:
conditions:
any:
- key: '{{request.operation}}'
operator: Equals
value: DELETE
- key: '{{request.operation}}'
operator: Equals
value: UPDATE
- key: '{{request.operation}}'
operator: Equals
value: CREATE
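Review bot: the `message` uses `request.oldObject.*`, which is empty for `CREATE` (one of the denied operations), and `oldObject.name` should be `oldObject.metadata.name`; use `request.object.metadata.name` for a message that resolves on every path. A one-line comment that this namespaced Policy deliberately mirrors the ClusterPolicy, so the Policy code path is covered as well, would explain why both exist.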

View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml,04-clusterpolicy.yaml,05-policy.yaml --force --wait=false --ignore-not-found=true
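Review bot: `--wait=false` differs from the `--wait=true` used in every other 99-delete step in this commit; since this step tears down the `keda` Namespace, the CRD and the APIService, returning before they are gone can leak into the next test directory (kuttl runs with `parallel: 1`, so the next test starts immediately). Prefer `--wait=true`, or add a comment explaining why it is skipped here.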

View file

@ -0,0 +1,23 @@
## Description
Tests the ability to create both a ClusterPolicy and a Policy when there is an external API provider registered in the cluster but with no resources which fall under that group.
## Expected Behavior
Both ClusterPolicy and Policy should be successfully created.
## Reference Issue(s)
918
942
1324
1325
1490
1830
2126
2162
2267
2684
3244
3788
5221

View file

@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: keyed-basic-policy
status:
ready: true

View file

@ -0,0 +1,32 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-verify-images
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: keyed-basic-policy
spec:
validationFailureAction: enforce
background: false
webhookTimeoutSeconds: 30
failurePolicy: Fail
rules:
- name: keyed-basic-rule
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/kyverno/test-verify-image:*"
attestors:
- entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
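Review bot: this directory only exercises the positive path (a signed image is admitted). A matching negative step that applies a Pod with an image tag not signed by this key and expects rejection would prove the key actually gates admission rather than the rule being skipped. The inline PEM key is fine for a fixture, but a comment naming which test image tag it signs helps when the key is rotated.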

View file

@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: test-secret-pod
namespace: test-verify-images

View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: test-secret-pod
namespace: test-verify-images
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image:signed
name: test-secret

View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml,02-goodpod.yaml --force --wait=true --ignore-not-found=true

View file

@ -0,0 +1,11 @@
## Description
This test performs a simple verification of an image using a public key specified directly in the policy.
## Expected Behavior
Pod creation should pass as the image has been signed by the public key specified in the policy.
## Reference Issue(s)
N/A

View file

@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutatedigest-policy
status:
ready: true

View file

@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutatedigest-policy
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 30
rules:
- name: mutatedigest-rule
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/kyverno/test-verify-image*"
mutateDigest: true
verifyDigest: false
required: false
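Review bot: `background` is not set here although the other policies in this commit set `background: false`, and image verification is an admission-time check; setting it explicitly keeps the fixtures consistent. A comment that `required: false` together with `verifyDigest: false` means an unsigned image still passes, and that only the digest mutation is under test, would also help the next reader.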

View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: testpod
namespace: default
spec:
containers:
- name: container01
image: ghcr.io/kyverno/test-verify-image:signed-keyless

View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: testpod
namespace: default
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1
name: container01
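Review bot: the expected digest `sha256:445a99...` is pinned to whatever the `signed-keyless` tag currently points to; if the tag is ever re-pushed this assert fails with no hint why. A comment recording where the digest came from (or resolving it from the registry in a setup step) would make that failure diagnosable.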

View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true

View file

@ -0,0 +1,5 @@
# Title
Issue: 1234
This is a description of your test.
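Review bot: this README is the old scaffold (`# Title`, `Issue: 1234`) that this same commit replaces in the template; use the new layout with Description, Expected Behavior and Reference Issue(s) sections and fill them in for the mutateDigest test.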

View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: testingsecret
namespace: default
labels:
foo: bar

View file

@ -0,0 +1,8 @@
apiVersion: v1
data:
foo: YmFy
kind: Secret
metadata:
name: testingsecret
namespace: default
type: Opaque

View file

@ -0,0 +1,14 @@
## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
if kubectl apply -f manifests.yaml
then
echo "Tested failed. Policy was created when it shouldn't have been."
exit 1
else
echo "Test succeeded. Policy was not created as intended."
exit 0
fi
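Review bot: the echo text says "Policy was created" but the `manifests.yaml` alongside this step is a Secret, not a policy, so the messages are misleading, and the Secret fixtures plus this negative script appear between the verifyImages test files, which looks like scaffold copied into the wrong directory; confirm they are intended. Independently, the `else` branch accepts any non-zero exit, so a missing file or API error passes the test; match on the expected rejection message instead, and fix "Tested failed".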

View file

@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutatedigest-policy
status:
ready: true

View file

@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutatedigest-policy
spec:
validationFailureAction: enforce
webhookTimeoutSeconds: 30
rules:
- name: mutatedigest-rule
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- imageReferences:
- "ghcr.io/kyverno/test-verify-image*"
mutateDigest: false
verifyDigest: true
required: false
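Review bot: `required: false` with `verifyDigest: true` is what makes the badpod rejection meaningful (the Pod is refused for a missing digest, not a missing signature); a comment stating that combination would help the next reader. As with the other verifyImages policies, an explicit `background: false` would keep the fixture consistent with the rest of the commit.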

View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: testpod
namespace: default
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1
name: container01

View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: testpod
namespace: default
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1
name: container01

View file

@ -0,0 +1,14 @@
## Checks that the badpod.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
if kubectl apply -f badpod.yaml
then
echo "Tested failed. Bad pod was created when it shouldn't have been."
exit 1
else
echo "Test succeeded. Bad pod was not created as intended."
exit 0
fi
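Review bot: the `else` branch passes on any non-zero exit from `kubectl apply -f badpod.yaml`, so a missing file or an API server error is indistinguishable from the policy rejecting the Pod; check that the output contains the verifyImages failure message and fail if the file does not exist. The echo text should read "Test failed", not "Tested failed".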

View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: kubectl delete -f 01-manifests.yaml,02-goodpod.yaml --force --wait=true --ignore-not-found=true

View file

@ -0,0 +1,5 @@
# Title
Issue: 1234
This is a description of your test.
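Review bot: this README is the old scaffold (`# Title`, `Issue: 1234`) that this same commit replaces in the template; switch to the new Description / Expected Behavior / Reference Issue(s) layout and describe the verifyDigest test (good pod with digest admitted, badpod without digest rejected).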

View file

@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: testpod
namespace: default
spec:
containers:
- image: ghcr.io/kyverno/test-verify-image:signed-keyless
name: container01

View file

@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: testingsecret
namespace: default
labels:
foo: bar