diff --git a/test/conformance/kuttl/aaa_template_resources/README.md b/test/conformance/kuttl/aaa_template_resources/README.md index 22091f0fe0..f08e18d5e8 100644 --- a/test/conformance/kuttl/aaa_template_resources/README.md +++ b/test/conformance/kuttl/aaa_template_resources/README.md @@ -1,5 +1,11 @@ -# Title +## Description -Issue: 1234 +This is a description of what my test does and why it needs to do it. -This is a description of your test. +## Expected Behavior + +This is the expected behavior of my test. Although it's assumed the test, overall, should pass/succeed, be specific about what the internal behavior is which leads to that result. + +## Reference Issue(s) + +1234 diff --git a/test/conformance/kuttl/aaa_template_resources/scaffold/01-assert.yaml b/test/conformance/kuttl/aaa_template_resources/scaffold/01-assert.yaml new file mode 100644 index 0000000000..7f1d7387c9 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/scaffold/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/scaffold/01-manifests.yaml b/test/conformance/kuttl/aaa_template_resources/scaffold/01-manifests.yaml new file mode 100644 index 0000000000..970b4aa5c4 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/scaffold/01-manifests.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +spec: + rules: + - name: add-labels + match: + resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret + mutate: + patchStrategicMerge: + metadata: + labels: + foo: bar diff --git a/test/conformance/kuttl/aaa_template_resources/scaffold/99-cleanup.yaml b/test/conformance/kuttl/aaa_template_resources/scaffold/99-cleanup.yaml new file mode 100644 index 0000000000..15c3c49051 --- /dev/null 
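Review bot: The scaffold ClusterPolicy in 01-manifests.yaml uses the older `match.resources` form while the two new corner-case policies in this same change use `match.any`; since this directory is what new tests are copied from, it should model the current form, `match:` / `any:` / `- resources:` / `kinds: [...]`. It is also worth a comment in the scaffold that, with no namespace or name selector, a copy of this policy mutates every Secret and ConfigMap in the cluster that Kyverno's resource filters do not already exclude, e.g. `# scope the match before copying this scaffold`, so the next author does not inherit a cluster-wide mutation by accident.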
+++ b/test/conformance/kuttl/aaa_template_resources/scaffold/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/scaffold/README.md b/test/conformance/kuttl/aaa_template_resources/scaffold/README.md new file mode 100644 index 0000000000..f08e18d5e8 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/scaffold/README.md @@ -0,0 +1,11 @@ +## Description + +This is a description of what my test does and why it needs to do it. + +## Expected Behavior + +This is the expected behavior of my test. Although it's assumed the test, overall, should pass/succeed, be specific about what the internal behavior is which leads to that result. + +## Reference Issue(s) + +1234 diff --git a/test/conformance/kuttl/aaa_template_resources/scaffold/errors.yaml b/test/conformance/kuttl/aaa_template_resources/scaffold/errors.yaml new file mode 100644 index 0000000000..dcb47a5770 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/scaffold/errors.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: testingsecret + namespace: default + labels: + foo: bar \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/scaffold/ns.yaml b/test/conformance/kuttl/aaa_template_resources/scaffold/ns.yaml new file mode 100644 index 0000000000..26f9d8ac2e --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/scaffold/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bar \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/scaffold/resource.yaml b/test/conformance/kuttl/aaa_template_resources/scaffold/resource.yaml new file mode 100644 index 0000000000..cfafb7c22b --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/scaffold/resource.yaml 
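Review bot: `--force` in the scaffold cleanup bypasses graceful deletion, and `--wait=true` already blocks until the object is gone, so the flag buys nothing for a ClusterPolicy; because this file is the template every new test copies, it propagates forced deletion into tests that also delete Namespaces or workloads, which is exactly where kubectl warns that skipping the grace period can leave things inconsistent. I would drop it: `kubectl delete -f 01-manifests.yaml --wait=true --ignore-not-found=true`. The clone and data corner-case cleanups added in this change already carry the copied flag.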
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: testingsecret + namespace: default +type: Opaque \ No newline at end of file diff --git a/test/conformance/kuttl/aaa_template_resources/scaffold/script-check-for-error.yaml b/test/conformance/kuttl/aaa_template_resources/scaffold/script-check-for-error.yaml new file mode 100644 index 0000000000..fc29fa83d3 --- /dev/null +++ b/test/conformance/kuttl/aaa_template_resources/scaffold/script-check-for-error.yaml @@ -0,0 +1,13 @@ +## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect. +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: +- script: | + if kubectl apply -f manifests.yaml + then + echo "Tested failed. Policy was created when it shouldn't have been." + exit 1 + else + echo "Test succeeded. Policy was not created as intended." + exit 0 + fi \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-assert.yaml new file mode 100644 index 0000000000..ef8b3de638 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: gen-clone-role-policy +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-manifests.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-manifests.yaml new file mode 100644 index 0000000000..f13d131c34 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/01-manifests.yaml 
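Review bot: The script in script-check-for-error.yaml treats any non-zero exit from `kubectl apply` as the policy having been rejected, so a missing file, an unreachable API server or an RBAC error also makes this negative test pass; note it applies `manifests.yaml` while the scaffold's step file is `01-manifests.yaml`, so as written it would "succeed" for precisely that reason. Capture the output and require the rejection the test is actually about before declaring success; the expected text below is a placeholder a copied test has to fill in. The typo in the failure message ("Tested failed") is fixed in passing.
```yaml
- script: |
    set -u
    if out=$(kubectl apply -f 01-manifests.yaml 2>&1); then
      echo "Test failed. Policy was created when it shouldn't have been."
      exit 1
    fi
    # Replace with the admission/schema error this test expects to see.
    if ! printf '%s\n' "$out" | grep -q 'EXPECTED REJECTION TEXT'; then
      echo "Test failed. kubectl apply failed for an unexpected reason: $out"
      exit 1
    fi
    echo "Test succeeded. Policy was not created as intended."
```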
@@ -0,0 +1,59 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: default + name: ns-role +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "watch", "list", "delete", "create"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: ns-role-binding + namespace: default +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: minikube-userclone +roleRef: + kind: Role + name: ns-role + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: gen-clone-role-policy +spec: + background: false + rules: + - name: gen-role + match: + any: + - resources: + kinds: + - Namespace + generate: + kind: Role + name: ns-role + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + name: ns-role + namespace: default + - name: gen-role-binding + match: + any: + - resources: + kinds: + - Namespace + generate: + kind: RoleBinding + name: ns-role-binding + namespace: "{{request.object.metadata.name}}" + synchronize: true + clone: + name: ns-role-binding + namespace: default \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/02-ns.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/02-ns.yaml new file mode 100644 index 0000000000..f09957352b --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: generate-clone-role-tests \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/03-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/03-assert.yaml new file mode 100644 index 0000000000..8ae6267cb2 --- /dev/null 
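Review bot: Both generate rules in gen-clone-role-policy match every `Namespace`, so for as long as the policy exists every namespace created in the cluster (including any kuttl itself creates for other steps, if it does) receives a RoleBinding giving `minikube-userclone` create/delete on configmaps, while only `generate-clone-role-tests` is asserted and only that namespace is deleted in cleanup. Scope the trigger to the namespace the test creates, e.g. add `names: ["generate-clone-role-tests"]` under `resources:` in both rules, so the privilege grant cannot leak past the test. Whether Kyverno removes the other generated copies when the policy is deleted with `synchronize: true` depends on the version under test, so I would not rely on that for cleanup.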
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/03-assert.yaml @@ -0,0 +1,30 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ns-role + namespace: generate-clone-role-tests +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + - delete + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ns-role-binding + namespace: generate-clone-role-tests +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ns-role +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: minikube-userclone \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/99-cleanup.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/99-cleanup.yaml new file mode 100644 index 0000000000..1c6b4578bc --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/README.md b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/README.md new file mode 100644 index 0000000000..edea18ec63 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/README.md 
@@ -0,0 +1,11 @@ +## Description + +This test checks the Kyverno can generate a Role and RoleBinding from a clone-type generate rule. This test does NOT require additional privileges granted to the Kyverno ServiceAccount. Because this is a test which covers generation of security-related constructs which the API server has special logic to block if it detects a possible privilege escalation attack, it is being considered a corner case. This test was migrated from e2e. + +## Expected Behavior + +The Role and RoleBinding should be generated as per the clone declaration in the ClusterPolicy. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-assert.yaml new file mode 100644 index 0000000000..4047f4fc55 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-assert.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: gen-role-policy +status: + ready: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-manifests.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-manifests.yaml new file mode 100644 index 0000000000..c09729c4a1 --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/01-manifests.yaml 
@@ -0,0 +1,44 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: gen-role-policy +spec: + background: false + rules: + - name: gen-role + match: + any: + - resources: + kinds: + - Namespace + generate: + kind: Role + name: ns-role + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list"] + - name: gen-role-binding + match: + any: + - resources: + kinds: + - Namespace + generate: + kind: RoleBinding + name: ns-role-binding + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: minikube-user + roleRef: + kind: Role + name: ns-role + namespace: "{{request.object.metadata.name}}" + apiGroup: rbac.authorization.k8s.io diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/02-ns.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/02-ns.yaml new file mode 100644 index 0000000000..82164ae27a --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/02-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: generate-role-tests \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/03-assert.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/03-assert.yaml new file mode 100644 index 0000000000..c0844f4aca --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/03-assert.yaml 
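Review bot: The generated RoleBinding's `roleRef` carries a `namespace` key, but `rbac.authorization.k8s.io/v1` RoleRef has only `apiGroup`, `kind` and `name`; 03-assert.yaml in this change expects a `roleRef` without it, which suggests the API server is pruning the unknown field rather than honouring it. Drop the line so the test does not depend on lenient field validation (a server running strict validation would reject the generated object instead): `roleRef: {kind: Role, name: ns-role, apiGroup: rbac.authorization.k8s.io}`. The Role is already namespace-bound through the RoleBinding's own `metadata.namespace`, which the rule sets from `{{request.object.metadata.name}}`.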
@@ -0,0 +1,28 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ns-role + namespace: generate-role-tests +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ns-role-binding + namespace: generate-role-tests +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ns-role +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: minikube-user \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/99-cleanup.yaml b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/99-cleanup.yaml new file mode 100644 index 0000000000..1c6b4578bc --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/99-cleanup.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl delete -f 01-manifests.yaml,02-ns.yaml --force --wait=true --ignore-not-found=true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/README.md b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/README.md new file mode 100644 index 0000000000..1b4ea5b28c --- /dev/null +++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/data-role-and-rolebinding/README.md 
@@ -0,0 +1,11 @@
+## Description
+
+This is a description of what my test does and why it needs to do it.
+
+## Expected Behavior
+
+This is the expected behavior of my test. Although it's assumed the test, overall, should pass/succeed, be specific about what the internal behavior is which leads to that result.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/kuttl-test.yaml b/test/conformance/kuttl/kuttl-test.yaml
index 8f4b4b9ece..5c608ec9b6 100644
--- a/test/conformance/kuttl/kuttl-test.yaml
+++ b/test/conformance/kuttl/kuttl-test.yaml
@@ -6,17 +6,19 @@ testDirs:
 - ./test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync
 - ./test/conformance/kuttl/generate/clusterpolicy/standard/data/sync
 - ./test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync
+- ./test/conformance/kuttl/generate/clusterpolicy/cornercases
 # Mutate tests
 - ./test/conformance/kuttl/mutate/clusterpolicy/standard
 - ./test/conformance/kuttl/mutate/clusterpolicy/standard/existing
 # Validate tests
 - ./test/conformance/kuttl/validate/clusterpolicy/standard/audit
 - ./test/conformance/kuttl/validate/clusterpolicy/standard/enforce
+- ./test/conformance/kuttl/validate/clusterpolicy/cornercases
 # verifyImages tests
 - ./test/conformance/kuttl/verifyImages/clusterpolicy/standard
 # Report tests
 - ./test/conformance/kuttl/reports/admission
 - ./test/conformance/kuttl/reports/background
 startKIND: false
-timeout: 15
+# timeout: 15
 parallel: 1
\ No newline at end of file
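Review bot: Commenting out `timeout: 15` makes the suite fall back to kuttl's built-in default (30 seconds, if I recall it correctly) instead of recording the value the new external-metrics test actually needs; with a fixed 20-second sleep plus KEDA image pulls in that test the margin is thin and the intent is invisible to the next reader. Set an explicit value, e.g. `timeout: 60`, or give the slow step its own `timeout:` in its TestStep and leave the global one in place rather than a commented-out line that no longer says anything.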
diff --git a/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/01-manifests.yaml b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/01-manifests.yaml new file mode 100644 index 0000000000..02598d5442 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/01-manifests.yaml 
@@ -0,0 +1,770 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/name: keda + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + labels: + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: scaledobjects.keda.sh +spec: + group: keda.sh + names: + kind: ScaledObject + listKind: ScaledObjectList + plural: scaledobjects + shortNames: + - so + singular: scaledobject + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.scaleTargetKind + name: ScaleTargetKind + type: string + - jsonPath: .spec.scaleTargetRef.name + name: ScaleTargetName + type: string + - jsonPath: .spec.minReplicaCount + name: Min + type: integer + - jsonPath: .spec.maxReplicaCount + name: Max + type: integer + - jsonPath: .spec.triggers[*].type + name: Triggers + type: string + - jsonPath: .spec.triggers[*].authenticationRef.name + name: Authentication + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Active")].status + name: Active + type: string + - jsonPath: .status.conditions[?(@.type=="Fallback")].status + name: Fallback + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ScaledObject is a specification for a ScaledObject resource + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ScaledObjectSpec is the spec for a ScaledObject resource + properties: + advanced: + description: AdvancedConfig specifies advance scaling options + properties: + horizontalPodAutoscalerConfig: + description: HorizontalPodAutoscalerConfig specifies horizontal + scale config + properties: + behavior: + description: HorizontalPodAutoscalerBehavior configures the + scaling behavior of the target in both Up and Down directions + (scaleUp and scaleDown fields respectively). + properties: + scaleDown: + description: scaleDown is scaling policy for scaling Down. + If not set, the default value is to allow to scale down + to minReplicas pods, with a 300 second stabilization + window (i.e., the highest recommendation for the last + 300sec is used). + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and + less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. 
+ type: string + value: + description: Value contains the amount of change + which is permitted by the policy. It must + be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default value + MaxPolicySelect is used. + type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the number + of seconds for which past recommendations should + be considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than + or equal to zero and less than or equal to 3600 + (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window + is 300 seconds long).' + format: int32 + type: integer + type: object + scaleUp: + description: 'scaleUp is scaling policy for scaling Up. + If not set, the default value is the higher of: * increase + no more than 4 pods per 60 seconds * double the number + of pods per 60 seconds No stabilization is used.' + properties: + policies: + description: policies is a list of potential scaling + polices which can be used during scaling. At least + one policy must be specified, otherwise the HPAScalingRules + will be discarded as invalid + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: PeriodSeconds specifies the window + of time for which the policy should hold true. + PeriodSeconds must be greater than zero and + less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: Type is used to specify the scaling + policy. + type: string + value: + description: Value contains the amount of change + which is permitted by the policy. 
It must + be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + selectPolicy: + description: selectPolicy is used to specify which + policy should be used. If not set, the default value + MaxPolicySelect is used. + type: string + stabilizationWindowSeconds: + description: 'StabilizationWindowSeconds is the number + of seconds for which past recommendations should + be considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than + or equal to zero and less than or equal to 3600 + (one hour). If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window + is 300 seconds long).' + format: int32 + type: integer + type: object + type: object + name: + type: string + type: object + restoreToOriginalReplicaCount: + type: boolean + type: object + cooldownPeriod: + format: int32 + type: integer + fallback: + description: Fallback is the spec for fallback options + properties: + failureThreshold: + format: int32 + type: integer + replicas: + format: int32 + type: integer + required: + - failureThreshold + - replicas + type: object + idleReplicaCount: + format: int32 + type: integer + maxReplicaCount: + format: int32 + type: integer + minReplicaCount: + format: int32 + type: integer + pollingInterval: + format: int32 + type: integer + scaleTargetRef: + description: ScaleTarget holds the a reference to the scale target + Object + properties: + apiVersion: + type: string + envSourceContainerName: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + triggers: + items: + description: ScaleTriggers reference the scaler that will be used + properties: + authenticationRef: + description: ScaledObjectAuthRef points to the TriggerAuthentication + or ClusterTriggerAuthentication object that is used to authenticate + the scaler with the environment + 
properties: + kind: + description: Kind of the resource being referred to. Defaults + to TriggerAuthentication. + type: string + name: + type: string + required: + - name + type: object + metadata: + additionalProperties: + type: string + type: object + metricType: + description: MetricTargetType specifies the type of metric being + targeted, and should be either "Value", "AverageValue", or + "Utilization" + type: string + name: + type: string + type: + type: string + required: + - metadata + - type + type: object + type: array + required: + - scaleTargetRef + - triggers + type: object + status: + description: ScaledObjectStatus is the status for a ScaledObject resource + properties: + conditions: + description: Conditions an array representation to store multiple + Conditions + items: + description: Condition to store the condition state + properties: + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. 
+ type: string + type: + description: Type of condition + type: string + required: + - status + - type + type: object + type: array + externalMetricNames: + items: + type: string + type: array + health: + additionalProperties: + description: HealthStatus is the status for a ScaledObject's health + properties: + numberOfFailures: + format: int32 + type: integer + status: + description: HealthStatusType is an indication of whether the + health status is happy or failing + type: string + type: object + type: object + hpaName: + type: string + lastActiveTime: + format: date-time + type: string + originalReplicaCount: + format: int32 + type: integer + pausedReplicaCount: + format: int32 + type: integer + resourceMetricNames: + items: + type: string + type: array + scaleTargetGVKR: + description: GroupVersionKindResource provides unified structure for + schema.GroupVersionKind and Resource + properties: + group: + type: string + kind: + type: string + resource: + type: string + version: + type: string + required: + - group + - kind + - resource + - version + type: object + scaleTargetKind: + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-operator + namespace: keda +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: keda-external-metrics-reader + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-external-metrics-reader +rules: +- apiGroups: + - external.metrics.k8s.io + resources: + - '*' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + 
app.kubernetes.io/version: 2.8.0 + name: keda-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + - configmaps/status + - events + verbs: + - '*' +- apiGroups: + - "" + resources: + - external + - pods + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - list + - watch +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get +- apiGroups: + - '*' + resources: + - '*/scale' + verbs: + - '*' +- apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - list + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - batch + resources: + - jobs + verbs: + - '*' +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - clustertriggerauthentications + - clustertriggerauthentications/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - scaledjobs + - scaledjobs/finalizers + - scaledjobs/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - scaledobjects + - scaledobjects/finalizers + - scaledobjects/status + verbs: + - '*' +- apiGroups: + - keda.sh + resources: + - triggerauthentications + - triggerauthentications/status + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-auth-reader + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: keda +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-hpa-controller-external-metrics + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: 
keda-hpa-controller-external-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keda-external-metrics-reader +subjects: +- kind: ServiceAccount + name: horizontal-pod-autoscaler + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keda-operator +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: keda +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: keda-system-auth-delegator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-system-auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: keda-operator + namespace: keda +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: keda-metrics-apiserver + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-metrics-apiserver + namespace: keda +spec: + ports: + - name: https + port: 443 + targetPort: 6443 + - name: http + port: 80 + targetPort: 8080 + selector: + app: keda-metrics-apiserver +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: keda-metrics-apiserver + app.kubernetes.io/name: keda-metrics-apiserver + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-metrics-apiserver + namespace: keda +spec: + replicas: 1 + selector: + matchLabels: + app: keda-metrics-apiserver + template: + metadata: + labels: + app: keda-metrics-apiserver + name: keda-metrics-apiserver + spec: + containers: + - args: + - /usr/local/bin/keda-adapter + - --secure-port=6443 + - 
--logtostderr=true + - --v=0 + env: + - name: WATCH_NAMESPACE + value: "" + - name: KEDA_HTTP_DEFAULT_TIMEOUT + value: "" + image: ghcr.io/kedacore/keda-metrics-apiserver:2.8.0 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 6443 + scheme: HTTPS + initialDelaySeconds: 5 + name: keda-metrics-apiserver + ports: + - containerPort: 6443 + name: https + - containerPort: 8080 + name: http + readinessProbe: + httpGet: + path: /readyz + port: 6443 + scheme: HTTPS + initialDelaySeconds: 5 + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /tmp + name: temp-vol + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + serviceAccountName: keda-operator + volumes: + - emptyDir: {} + name: temp-vol +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: keda-operator + app.kubernetes.io/component: operator + app.kubernetes.io/name: keda-operator + app.kubernetes.io/part-of: keda-operator + app.kubernetes.io/version: 2.8.0 + name: keda-operator + namespace: keda +spec: + replicas: 1 + selector: + matchLabels: + app: keda-operator + template: + metadata: + labels: + app: keda-operator + name: keda-operator + name: keda-operator + spec: + containers: + - args: + - --leader-elect + - --zap-log-level=info + - --zap-encoder=console + - --zap-time-encoding=rfc3339 + command: + - /keda + env: + - name: WATCH_NAMESPACE + value: "" + - name: KEDA_HTTP_DEFAULT_TIMEOUT + value: "" + image: ghcr.io/kedacore/keda:2.8.0 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 25 + name: keda-operator + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 20 + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 
100m
+ memory: 100Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ nodeSelector:
+ kubernetes.io/os: linux
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: keda-operator
+ terminationGracePeriodSeconds: 10
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ labels:
+ app.kubernetes.io/name: v1beta1.external.metrics.k8s.io
+ app.kubernetes.io/part-of: keda-operator
+ app.kubernetes.io/version: 2.8.0
+ name: v1beta1.external.metrics.k8s.io
+spec:
+ group: external.metrics.k8s.io
+ groupPriorityMinimum: 100
+ insecureSkipTLSVerify: true
+ service:
+ name: keda-metrics-apiserver
+ namespace: keda
+ version: v1beta1
+ versionPriority: 100
diff --git a/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/02-sleep.yaml b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/02-sleep.yaml
new file mode 100644
index 0000000000..f34516fc2d
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/02-sleep.yaml
@@ -0,0 +1,5 @@
+# Need to wait for the KEDA images to be pulled, Pods run, and external metrics API group to be properly registered and served.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: sleep 20
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/03-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/03-assert.yaml
new file mode 100644
index 0000000000..c2ade741b9
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/03-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keda-metrics-apiserver
+ namespace: keda
+status:
+ availableReplicas: 1
+ readyReplicas: 1
+ replicas: 1
\ No newline at end of file
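Review bot: The fixed `sleep 20` in 02-sleep.yaml encodes a timing assumption that the following step does not verify: 03-assert.yaml (on the same physical line) waits only for the keda-metrics-apiserver Deployment to report ready replicas, not for the aggregated API group that the step's own comment names as the thing being waited for. The aggregator marks an APIService Available only after it can reach the backing service, which can lag Pod readiness, so on a slow runner the policy steps that follow may still see the `external.metrics.k8s.io` group as unavailable and the test becomes flaky rather than failing for a reason it can report. An assert on the APIService itself would replace the sleep with something kuttl polls until its timeout, e.g. an object `kind: APIService` named `v1beta1.external.metrics.k8s.io` whose `status.conditions` contains `type: Available` with `status: "True"`.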
diff --git a/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/04-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/04-assert.yaml
new file mode 100644
index 0000000000..9d36296cef
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/04-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: external-metrics-policy
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/04-clusterpolicy.yaml b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/04-clusterpolicy.yaml
new file mode 100644
index 0000000000..67850b5039
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/04-clusterpolicy.yaml
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: external-metrics-policy
+spec:
+ validationFailureAction: enforce
+ background: false
+ rules:
+ - name: external-metrics-rule
+ match:
+ all:
+ - clusterRoles:
+ - evil-cr
+ resources:
+ kinds:
+ - Secret
+ validate:
+ message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
+ deny:
+ conditions:
+ any:
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: DELETE
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: UPDATE
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: CREATE
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/05-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/05-assert.yaml
new file mode 100644
index 0000000000..1f89a4d159
--- /dev/null
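Review bot: The validate message in 04-clusterpolicy.yaml reads `{{request.oldObject.kind}}` and `{{request.oldObject.name}}`, but the deny conditions also fire on `CREATE`, where the admission request carries no oldObject, so for that operation the substituted message is empty or, depending on how Kyverno treats a missing variable path, the rule may fail for a reason unrelated to what this test covers. `request.object` is populated for all three operations listed in the conditions, so `message: '... {{request.object.kind}} in {{request.object.name}}. ...'` would agree with them. The same message appears in 05-policy.yaml on the next line. This does not change what the README says the test asserts (that both policies are admitted), so it is a fixture-correctness point rather than a test failure.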
+++ b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/05-assert.yaml
@@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: external-metrics-policy-default
+ namespace: default
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/05-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/05-policy.yaml
new file mode 100644
index 0000000000..5a401385f8
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/05-policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: external-metrics-policy-default
+ namespace: default
+spec:
+ validationFailureAction: enforce
+ background: false
+ rules:
+ - name: external-metrics-rule-default
+ match:
+ all:
+ - clusterRoles:
+ - evil-cr
+ resources:
+ kinds:
+ - Secret
+ validate:
+ message: 'You should be careful when trying to change/delete {{request.oldObject.kind}} in {{request.oldObject.name}}. These are my-precious resources and touching them might break my heart.'
+ deny:
+ conditions:
+ any:
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: DELETE
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: UPDATE
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: CREATE
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/99-cleanup.yaml b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/99-cleanup.yaml
new file mode 100644
index 0000000000..1eb8dbd558
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,04-clusterpolicy.yaml,05-policy.yaml --force --wait=false --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/README.md b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/README.md
new file mode 100644
index 0000000000..2a0054d0d0
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/cornercases/external-metrics/README.md
@@ -0,0 +1,23 @@
+## Description
+
+Tests the ability to create both a ClusterPolicy and a Policy when there is an external API provider registered in the cluster but with no resources which fall under that group.
+
+## Expected Behavior
+
+Both ClusterPolicy and Policy should be successfully created.
+
+## Reference Issue(s)
+
+918
+942
+1324
+1325
+1490
+1830
+2126
+2162
+2267
+2684
+3244
+3788
+5221
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/01-assert.yaml
new file mode 100644
index 0000000000..99a0cad525
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyed-basic-policy
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml
new file mode 100644
index 0000000000..f67dd12938
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/01-manifests.yaml
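Review bot: The cleanup command in this 99-cleanup.yaml uses `--wait=false`, unlike every other cleanup step in this change (`--wait=true`), and the 01-manifests.yaml it deletes contains the `v1beta1.external.metrics.k8s.io` APIService together with the `keda` Namespace and the Deployment backing that service. Returning before deletion completes can leave the aggregated API registered while its backing service is already gone as the next test directory starts, and an unavailable aggregated API is visible cluster-wide through discovery rather than confined to this test. If the non-waiting delete is not deliberate, `--wait=true` would match the sibling tests; if it is deliberate (the Namespace can take a while to terminate), a comment on the step stating that reason would keep the next reader from "fixing" it.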
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-verify-images
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyed-basic-policy
+spec:
+ validationFailureAction: enforce
+ background: false
+ webhookTimeoutSeconds: 30
+ failurePolicy: Fail
+ rules:
+ - name: keyed-basic-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image:*"
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/02-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/02-assert.yaml
new file mode 100644
index 0000000000..b736ae3d48
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/02-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-secret-pod
+ namespace: test-verify-images
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/02-goodpod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/02-goodpod.yaml
new file mode 100644
index 0000000000..de7987da27
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/02-goodpod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-secret-pod
+ namespace: test-verify-images
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed
+ name: test-secret
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/99-cleanup.yaml
new file mode 100644
index 0000000000..61b7555976
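Review bot: The keyed-basic test only has a positive case: 02-goodpod.yaml creates a Pod with the `signed` tag and 02-assert.yaml checks that the Pod exists, so a policy that admitted every image (a key that does not apply, a rule that does not match) would pass this test unchanged. The nomutateDigest-verifyDigest-norequired test later in this diff already shows the pattern, a `04-create-badpod.yaml` script step that expects `kubectl apply` to be rejected; a step of that shape applying a Pod with an unsigned tag of the same image would make the signature check observable. Separately, the verifyImages entry sets neither `mutateDigest` nor `verifyDigest`, so whether 02-assert.yaml should expect a digest-pinned image reference (as 03-assert.yaml does in the mutateDigest test) depends on the defaults, which I cannot confirm from the diff; asserting the field either way would pin the intended behaviour.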
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-goodpod.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/README.md
new file mode 100644
index 0000000000..8c84b5a79d
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-basic/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test performs a simple verification of an image using a public key specified directly in the policy.
+
+## Expected Behavior
+
+Pod creation should pass as the image has been signed by the public key specified in the policy.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-assert.yaml
new file mode 100644
index 0000000000..7d7c5b7da2
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutatedigest-policy
+status:
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-manifests.yaml
new file mode 100644
index 0000000000..06279d2130
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/01-manifests.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutatedigest-policy
+spec:
+ validationFailureAction: enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: mutatedigest-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image*"
+ mutateDigest: true
+ verifyDigest: false
+ required: false
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/02-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/02-pod.yaml
new file mode 100644
index 0000000000..5222b22b49
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/02-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: testpod
+ namespace: default
+spec:
+ containers:
+ - name: container01
+ image: ghcr.io/kyverno/test-verify-image:signed-keyless
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/03-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/03-assert.yaml
new file mode 100644
index 0000000000..21a5237632
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/03-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: testpod
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1
+ name: container01
\ No newline at end of file
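Review bot: The ClusterPolicy in this hunk is named `mutatedigest-policy` and the ClusterPolicy in nomutateDigest-verifyDigest-norequired/01-manifests.yaml later in this diff carries the same name, and both tests create a Pod called `testpod` in the `default` namespace. ClusterPolicies are cluster-scoped, so if the suite runs test directories concurrently (kuttl does so by default, as far as I know) the two tests overwrite each other's policy and Pod, each 99-cleanup.yaml deletes the other test's objects, and the `mutateDigest: true` / `verifyDigest: false` combination under test here can be swapped for its inverse mid-run. Naming the objects after the directory, e.g. `name: mutatedigest-noverifydigest-policy` here and `name: nomutatedigest-verifydigest-policy` in the sibling, and giving each test its own namespace the way keyed-basic/01-manifests.yaml does, would isolate them.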
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/99-cleanup.yaml
new file mode 100644
index 0000000000..1f710a50a6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-pod.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/README.md
new file mode 100644
index 0000000000..22091f0fe0
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/README.md
@@ -0,0 +1,5 @@
+# Title
+
+Issue: 1234
+
+This is a description of your test.
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/errors.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/errors.yaml
new file mode 100644
index 0000000000..dcb47a5770
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/errors.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: testingsecret
+ namespace: default
+ labels:
+ foo: bar
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/resource.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/resource.yaml
new file mode 100644
index 0000000000..cfafb7c22b
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: testingsecret
+ namespace: default
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/script-check-for-error.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/script-check-for-error.yaml
new file mode 100644
index 0000000000..2886015091
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/script-check-for-error.yaml
@@ -0,0 +1,14 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl apply -f manifests.yaml
+ then
+ echo "Tested failed. Policy was created when it shouldn't have been."
+ exit 1
+ else
+ echo "Test succeeded. Policy was not created as intended."
+ exit 0
+ fi
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-assert.yaml
new file mode 100644
index 0000000000..7d7c5b7da2
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutatedigest-policy
+status:
+ ready: true
\ No newline at end of file
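Review bot: `script-check-for-error.yaml` applies `manifests.yaml`, a file that does not exist in this directory (the manifest added here is `01-manifests.yaml`), and the file carries no numeric step prefix, so as far as I know kuttl never runs it as a step; `errors.yaml` and `resource.yaml` (the scaffold's `testingsecret` Secret) are likewise referenced by no step, and the README on the previous line is still the unfilled template (`# Title`, `Issue: 1234`). These look like scaffold files copied into mutateDigest-noverifyDigest-norequired rather than parts of the test, and the same set recurs in nomutateDigest-verifyDigest-norequired further down. Removing the three unused files and filling in the README's description and issue references would make the directory describe only what it tests.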
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-manifests.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-manifests.yaml
new file mode 100644
index 0000000000..e7f8a75d08
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/01-manifests.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutatedigest-policy
+spec:
+ validationFailureAction: enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - name: mutatedigest-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image*"
+ mutateDigest: false
+ verifyDigest: true
+ required: false
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/02-goodpod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/02-goodpod.yaml
new file mode 100644
index 0000000000..21a5237632
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/02-goodpod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: testpod
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1
+ name: container01
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/03-assert.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/03-assert.yaml
new file mode 100644
index 0000000000..21a5237632
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/03-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: testpod
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed-keyless@sha256:445a99db22e9add9bfb15ddb1980861a329e5dff5c88d7eec9cbf08b6b2f4eb1
+ name: container01
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/04-create-badpod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/04-create-badpod.yaml
new file mode 100644
index 0000000000..e8c31676e8
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/04-create-badpod.yaml
@@ -0,0 +1,14 @@
+## Checks that the badpod.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl apply -f badpod.yaml
+ then
+ echo "Tested failed. Bad pod was created when it shouldn't have been."
+ exit 1
+ else
+ echo "Test succeeded. Bad pod was not created as intended."
+ exit 0
+ fi
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/99-cleanup.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/99-cleanup.yaml
new file mode 100644
index 0000000000..61b7555976
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/99-cleanup.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: kubectl delete -f 01-manifests.yaml,02-goodpod.yaml --force --wait=true --ignore-not-found=true
\ No newline at end of file
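Review bot: The script in 04-create-badpod.yaml treats any non-zero exit from `kubectl apply -f badpod.yaml` as the expected denial, so an unrelated failure (API server unreachable, webhook timeout, a missing file) also makes the step pass, and a negative test that cannot tell "rejected by the policy" from "kubectl errored" gives little assurance that `verifyDigest: true` is what rejects the tag-only image. Capturing the output and checking that the denial names the rule (`mutatedigest-rule`; Kyverno's admission denial message includes the policy and rule names as far as I know) closes that gap, with a third branch that fails the step on any other error; the echo text `Tested failed.` also reads as a typo for `Test failed.`. The same shape is in script-check-for-error.yaml in the mutateDigest directory, though that file is not run as a step.

```yaml
- script: |
    if out=$(kubectl apply -f badpod.yaml 2>&1); then
      echo "Test failed. Bad pod was created when it shouldn't have been."
      exit 1
    elif echo "$out" | grep -q "mutatedigest-rule"; then
      echo "Test succeeded. Bad pod was rejected by the policy as intended."
      exit 0
    else
      echo "Test failed. kubectl apply failed for a reason other than the policy: $out"
      exit 1
    fi
```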
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/README.md
new file mode 100644
index 0000000000..22091f0fe0
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/README.md
@@ -0,0 +1,5 @@
+# Title
+
+Issue: 1234
+
+This is a description of your test.
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/badpod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/badpod.yaml
new file mode 100644
index 0000000000..84b1db96ab
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/badpod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: testpod
+ namespace: default
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed-keyless
+ name: container01
\ No newline at end of file
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/errors.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/errors.yaml
new file mode 100644
index 0000000000..dcb47a5770
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/errors.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: testingsecret
+ namespace: default
+ labels:
+ foo: bar
\ No newline at end of file