fix: namespace in kyverno-test.yaml seems to have no effect in case of exclude (#8354)

* fix: namespace in kyverno-test.yaml seems to have no effect in case of exclude

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* unit tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

cmd/cli/kubectl-kyverno/apis/test/test.go

@@ -10,6 +10,6 @@ type Test struct {
 	Resources []string       `json:"resources"`
 	Variables string         `json:"variables,omitempty"`
 	UserInfo  string         `json:"userinfo,omitempty"`
-	Results   []TestResults  `json:"results"`
+	Results   []TestResult   `json:"results"`
 	Values    *values.Values `json:"values,omitempty"`
 }

cmd/cli/kubectl-kyverno/apis/test/test_result.go

@@ -4,7 +4,7 @@ import (
 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 )
 
-type TestResults struct {
+type TestResultBase struct {
 	// Policy mentions the name of the policy.
 	Policy string `json:"policy"`
 	// Rule mentions the name of the rule in the policy.
@@ -18,17 +18,8 @@ type TestResults struct {
 	// Result mentions the result that the user is expecting.
 	// Possible values are pass, fail and skip.
 	Result policyreportv1alpha2.PolicyResult `json:"result"`
-	// Status mentions the status that the user is expecting.
-	// Possible values are pass, fail and skip.
-	Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"`
-	// Resource mentions the name of the resource on which the policy is to be applied.
-	Resource string `json:"resource,omitempty"`
-	// Resources gives us the list of resources on which the policy is going to be applied.
-	Resources []string `json:"resources"`
 	// Kind mentions the kind of the resource on which the policy is to be applied.
 	Kind string `json:"kind"`
-	// Namespace mentions the namespace of the policy which has namespace scope.
-	Namespace string `json:"namespace,omitempty"`
 	// PatchedResource takes a resource configuration file in yaml format from
 	// the user to compare it against the Kyverno mutated resource configuration.
 	PatchedResource string `json:"patchedResource,omitempty"`
@@ -39,3 +30,23 @@ type TestResults struct {
 	// from the user which is meant to be cloned by the generate rule.
 	CloneSourceResource string `json:"cloneSourceResource,omitempty"`
 }
+
+type TestResultDeprecated struct {
+	// Status mentions the status that the user is expecting.
+	// Possible values are pass, fail and skip.
+	// This is DEPRECATED, use `Result` instead.
+	Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"`
+	// Resource mentions the name of the resource on which the policy is to be applied.
+	// This is DEPRECATED, use `Resources` instead.
+	Resource string `json:"resource,omitempty"`
+	// Namespace mentions the namespace of the policy which has namespace scope.
+	// This is DEPRECATED, use a name in the form `<namespace>/<name>` for policies and/or resources instead.
+	Namespace string `json:"namespace,omitempty"`
+}
+
+type TestResult struct {
+	TestResultBase       `json:",inline,omitempty"`
+	TestResultDeprecated `json:",inline,omitempty"`
+	// Resources gives us the list of resources on which the policy is going to be applied.
+	Resources []string `json:"resources"`
+}

cmd/cli/kubectl-kyverno/commands/apply/command.go

@@ -447,10 +447,7 @@ func printSkippedAndInvalidPolicies(skipInvalidPolicies SkippedInvalidPolicies)
 }
 
 func printReport(engineResponses []engineapi.EngineResponse, auditWarn bool) {
-	clustered, namespaced, err := report.ComputePolicyReports(auditWarn, engineResponses...)
-	if err != nil {
-		fmt.Println("Error: failed to compute policy reports")
-	}
+	clustered, namespaced := report.ComputePolicyReports(auditWarn, engineResponses...)
 	if len(clustered) > 0 || len(namespaced) > 0 {
 		fmt.Println(divider)
 		fmt.Println("POLICY REPORT:")

cmd/cli/kubectl-kyverno/commands/apply/command_test.go

@@ -317,7 +317,7 @@ func Test_Apply(t *testing.T) {
 		_, _, _, responses, err := tc.config.applyCommandHelper()
 		assert.NilError(t, err, desc)
 
-		clustered, _, _ := report.ComputePolicyReports(tc.config.AuditWarn, responses...)
+		clustered, _ := report.ComputePolicyReports(tc.config.AuditWarn, responses...)
 		assert.Assert(t, len(clustered) > 0, "policy reports should not be empty: %s", desc)
 		combined := []policyreportv1alpha2.ClusterPolicyReport{
 			report.MergeClusterReports(clustered),

cmd/cli/kubectl-kyverno/commands/fix/test/command.go

@@ -5,7 +5,6 @@ import (
 	"os"
 	"path/filepath"
 
-	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 	testapi "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/test"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test"
@@ -50,7 +49,7 @@ func Command() *cobra.Command {
 					fmt.Println("  WARNING: test has no policies")
 				}
 				if len(test.Resources) == 0 {
-					fmt.Println("  WARNING: test has no policies")
+					fmt.Println("  WARNING: test has no resources")
 				}
 				for i := range test.Results {
 					result := &test.Results[i]
@@ -63,6 +62,12 @@ func Command() *cobra.Command {
 						result.Resource = ""
 						needsSave = true
 					}
+					if result.Namespace != "" {
+						fmt.Println("  WARNING: test result uses deprecated `namespace` field, replacing `policy` with a `<namespace>/<name>` pattern")
+						result.Policy = fmt.Sprintf("%s/%s", result.Namespace, result.Policy)
+						result.Namespace = ""
+						needsSave = true
+					}
 					if result.Status != "" && result.Result != "" {
 						fmt.Println("  ERROR: test result should not use both `status` and `result` fields")
 					}
@@ -74,37 +79,18 @@ func Command() *cobra.Command {
 					}
 				}
 				if compress {
-					compressed := map[key][]string{}
+					compressed := map[testapi.TestResultBase][]string{}
 					for _, result := range test.Results {
-						k := key{
-							Policy:                      result.Policy,
-							Rule:                        result.Rule,
-							IsValidatingAdmissionPolicy: result.IsValidatingAdmissionPolicy,
-							Result:                      result.Result,
-							Kind:                        result.Kind,
-							Namespace:                   result.Namespace,
-							PatchedResource:             result.PatchedResource,
-							GeneratedResource:           result.GeneratedResource,
-							CloneSourceResource:         result.CloneSourceResource,
-						}
-						compressed[k] = append(compressed[k], result.Resources...)
+						compressed[result.TestResultBase] = append(compressed[result.TestResultBase], result.Resources...)
 					}
 					if len(compressed) != len(test.Results) {
 						needsSave = true
 					}
 					test.Results = nil
 					for k, v := range compressed {
-						test.Results = append(test.Results, testapi.TestResults{
-							Policy:                      k.Policy,
-							Rule:                        k.Rule,
-							IsValidatingAdmissionPolicy: k.IsValidatingAdmissionPolicy,
-							Result:                      k.Result,
-							Kind:                        k.Kind,
-							Namespace:                   k.Namespace,
-							PatchedResource:             k.PatchedResource,
-							GeneratedResource:           k.GeneratedResource,
-							CloneSourceResource:         k.CloneSourceResource,
-							Resources:                   v,
+						test.Results = append(test.Results, testapi.TestResult{
+							TestResultBase: k,
+							Resources:      v,
 						})
 					}
 				}
@@ -135,15 +121,3 @@ func Command() *cobra.Command {
 	cmd.Flags().BoolVar(&compress, "compress", false, "Compress test results")
 	return cmd
 }
-
-type key struct {
-	Policy                      string
-	Rule                        string
-	IsValidatingAdmissionPolicy bool
-	Result                      policyreportv1alpha2.PolicyResult
-	Kind                        string
-	Namespace                   string
-	PatchedResource             string
-	GeneratedResource           string
-	CloneSourceResource         string
-}

cmd/cli/kubectl-kyverno/commands/test/command.go

@@ -17,14 +17,14 @@ import (
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/openapi"
 	"github.com/spf13/cobra"
+	"k8s.io/client-go/tools/cache"
 )
 
 func Command() *cobra.Command {
-	var cmd *cobra.Command
 	var testCase string
 	var fileName, gitBranch string
 	var registryAccess, failOnly, removeColor, detailedResults bool
-	cmd = &cobra.Command{
+	cmd := &cobra.Command{
 		Use:     "test [local folder or git repository]...",
 		Args:    cobra.MinimumNArgs(1),
 		Short:   command.FormatDescription(true, websiteUrl, false, description...),
@@ -118,7 +118,7 @@ func testCommandExecute(
 	for _, test := range tests {
 		if test.Err == nil {
 			// filter results
-			var filteredResults []testapi.TestResults
+			var filteredResults []testapi.TestResult
 			for _, res := range test.Test.Results {
 				if filter.Apply(res) {
 					filteredResults = append(filteredResults, res)
@@ -154,7 +154,7 @@ func testCommandExecute(
 	return nil
 }
 
-func checkResult(test testapi.TestResults, fs billy.Filesystem, resoucePath string, response engineapi.EngineResponse, rule engineapi.RuleResponse) (bool, string, string) {
+func checkResult(test testapi.TestResult, fs billy.Filesystem, resoucePath string, response engineapi.EngineResponse, rule engineapi.RuleResponse) (bool, string, string) {
 	expected := test.Result
 	// fallback to the deprecated field
 	if expected == "" {
@@ -179,31 +179,27 @@ func checkResult(test testapi.TestResults, fs billy.Filesystem, resoucePath stri
 			return false, "Generated resource didn't match the generated resource in the test result", "Resource diff"
 		}
 	}
-	result, err := report.ComputePolicyReportResult(false, response, rule)
-	if err != nil {
-		return false, err.Error(), "Error"
-	}
+	result := report.ComputePolicyReportResult(false, response, rule)
 	if result.Result != expected {
 		return false, result.Message, fmt.Sprintf("Want %s, got %s", expected, result.Result)
 	}
 	return true, result.Message, "Ok"
 }
 
-func lookupEngineResponses(test testapi.TestResults, resourceName string, responses ...engineapi.EngineResponse) []engineapi.EngineResponse {
+func lookupEngineResponses(test testapi.TestResult, resourceName string, responses ...engineapi.EngineResponse) []engineapi.EngineResponse {
 	var matches []engineapi.EngineResponse
 	for _, response := range responses {
 		policy := response.Policy()
 		resource := response.Resource
-		if policy.GetName() != test.Policy {
-			continue
-		}
+		pName := cache.MetaObjectToName(policy.MetaObject()).String()
+		rName := cache.MetaObjectToName(&resource).String()
 		if test.Kind != resource.GetKind() {
 			continue
 		}
-		if resourceName != "" && resourceName != resource.GetName() {
+		if pName != test.Policy {
 			continue
 		}
-		if test.Namespace != "" && test.Namespace != resource.GetNamespace() {
+		if resourceName != "" && rName != resourceName && resource.GetName() != resourceName {
 			continue
 		}
 		matches = append(matches, response)
@@ -211,7 +207,7 @@ func lookupEngineResponses(test testapi.TestResults, resourceName string, respon
 	return matches
 }
 
-func lookupRuleResponses(test testapi.TestResults, responses ...engineapi.RuleResponse) []engineapi.RuleResponse {
+func lookupRuleResponses(test testapi.TestResult, responses ...engineapi.RuleResponse) []engineapi.RuleResponse {
 	var matches []engineapi.RuleResponse
 	// Since there are no rules in case of validating admission policies, responses are returned without checking rule names.
 	if test.IsValidatingAdmissionPolicy {

cmd/cli/kubectl-kyverno/commands/test/output.go

@@ -12,7 +12,7 @@ import (
 )
 
 func printTestResult(
-	tests []testapi.TestResults,
+	tests []testapi.TestResult,
 	responses []engineapi.EngineResponse,
 	rc *resultCounts,
 	failOnly bool,

cmd/cli/kubectl-kyverno/report/report.go

@@ -11,12 +11,9 @@ import (
 	"k8s.io/client-go/tools/cache"
 )
 
-func ComputePolicyReportResult(auditWarn bool, engineResponse engineapi.EngineResponse, ruleResponse engineapi.RuleResponse) (policyreportv1alpha2.PolicyReportResult, error) {
+func ComputePolicyReportResult(auditWarn bool, engineResponse engineapi.EngineResponse, ruleResponse engineapi.RuleResponse) policyreportv1alpha2.PolicyReportResult {
 	policy := engineResponse.Policy()
-	policyName, err := cache.MetaNamespaceKeyFunc(policy.MetaObject())
-	if err != nil {
-		return policyreportv1alpha2.PolicyReportResult{}, err
-	}
+	policyName := cache.MetaObjectToName(policy.MetaObject()).String()
 	audit := engineResponse.GetValidationFailureAction().Audit()
 	scored := annotations.Scored(policy.GetAnnotations())
 	category := annotations.Category(policy.GetAnnotations())
@@ -57,10 +54,10 @@ func ComputePolicyReportResult(auditWarn bool, engineResponse engineapi.EngineRe
 	result.Message = ruleResponse.Message()
 	result.Source = kyverno.ValueKyvernoApp
 	result.Timestamp = metav1.Timestamp{Seconds: ruleResponse.Stats().Timestamp()}
-	return result, nil
+	return result
 }
 
-func ComputePolicyReportResultsPerPolicy(auditWarn bool, engineResponses ...engineapi.EngineResponse) (map[engineapi.GenericPolicy][]policyreportv1alpha2.PolicyReportResult, error) {
+func ComputePolicyReportResultsPerPolicy(auditWarn bool, engineResponses ...engineapi.EngineResponse) map[engineapi.GenericPolicy][]policyreportv1alpha2.PolicyReportResult {
 	results := map[engineapi.GenericPolicy][]policyreportv1alpha2.PolicyReportResult{}
 	for _, engineResponse := range engineResponses {
 		if len(engineResponse.PolicyResponse.Rules) == 0 {
@@ -72,26 +69,19 @@ func ComputePolicyReportResultsPerPolicy(auditWarn bool, engineResponses ...engi
 			// if ruleResponse.RuleType() != engineapi.Validation && ruleResponse.RuleType() != engineapi.ImageVerify {
 			// 	continue
 			// }
-			result, err := ComputePolicyReportResult(auditWarn, engineResponse, ruleResponse)
-			if err != nil {
-				return nil, err
-			}
-			results[policy] = append(results[policy], result)
+			results[policy] = append(results[policy], ComputePolicyReportResult(auditWarn, engineResponse, ruleResponse))
 		}
 	}
 	if len(results) == 0 {
-		return nil, nil
+		return nil
 	}
-	return results, nil
+	return results
 }
 
-func ComputePolicyReports(auditWarn bool, engineResponses ...engineapi.EngineResponse) ([]policyreportv1alpha2.ClusterPolicyReport, []policyreportv1alpha2.PolicyReport, error) {
+func ComputePolicyReports(auditWarn bool, engineResponses ...engineapi.EngineResponse) ([]policyreportv1alpha2.ClusterPolicyReport, []policyreportv1alpha2.PolicyReport) {
 	var clustered []policyreportv1alpha2.ClusterPolicyReport
 	var namespaced []policyreportv1alpha2.PolicyReport
-	perPolicyResults, err := ComputePolicyReportResultsPerPolicy(auditWarn, engineResponses...)
-	if err != nil {
-		return nil, nil, err
-	}
+	perPolicyResults := ComputePolicyReportResultsPerPolicy(auditWarn, engineResponses...)
 	for policy, results := range perPolicyResults {
 		if policy.GetNamespace() == "" {
 			report := policyreportv1alpha2.ClusterPolicyReport{
@@ -118,7 +108,7 @@ func ComputePolicyReports(auditWarn bool, engineResponses ...engineapi.EngineRes
 			namespaced = append(namespaced, report)
 		}
 	}
-	return clustered, namespaced, nil
+	return clustered, namespaced
 }
 
 func MergeClusterReports(clustered []policyreportv1alpha2.ClusterPolicyReport) policyreportv1alpha2.ClusterPolicyReport {

cmd/cli/kubectl-kyverno/report/report_test.go

@@ -34,8 +34,7 @@ func TestComputeClusterPolicyReports(t *testing.T) {
 			"validation rule 'pods-require-limits' passed.",
 		),
 	)
-	clustered, namespaced, err := ComputePolicyReports(false, er)
-	assert.NilError(t, err)
+	clustered, namespaced := ComputePolicyReports(false, er)
 	assert.Equal(t, len(clustered), 1)
 	assert.Equal(t, len(namespaced), 0)
 	{
@@ -69,8 +68,7 @@ func TestComputePolicyReports(t *testing.T) {
 			"validation rule 'pods-require-limits' passed.",
 		),
 	)
-	clustered, namespaced, err := ComputePolicyReports(false, er)
-	assert.NilError(t, err)
+	clustered, namespaced := ComputePolicyReports(false, er)
 	assert.Equal(t, len(clustered), 0)
 	assert.Equal(t, len(namespaced), 1)
 	{
@@ -104,8 +102,7 @@ func TestComputePolicyReportResultsPerPolicyOld(t *testing.T) {
 			"validation rule 'pods-require-limits' passed.",
 		),
 	)
-	results, err := ComputePolicyReportResultsPerPolicy(false, er)
-	assert.NilError(t, err)
+	results := ComputePolicyReportResultsPerPolicy(false, er)
 	for _, result := range results {
 		assert.Equal(t, len(result), 2)
 		for _, r := range result {
@@ -274,8 +271,7 @@ func TestComputePolicyReportResult(t *testing.T) {
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := ComputePolicyReportResult(tt.auditWarn, tt.engineResponse, tt.ruleResponse)
-			assert.NilError(t, err)
+			got := ComputePolicyReportResult(tt.auditWarn, tt.engineResponse, tt.ruleResponse)
 			got.Timestamp = metav1.Timestamp{}
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("ComputePolicyReportResult() = %v, want %v", got, tt.want)
@@ -300,8 +296,7 @@ func TestComputePolicyReportResultsPerPolicy(t *testing.T) {
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := ComputePolicyReportResultsPerPolicy(tt.auditWarn, tt.engineResponses...)
-			assert.NilError(t, err)
+			got := ComputePolicyReportResultsPerPolicy(tt.auditWarn, tt.engineResponses...)
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("ComputePolicyReportResultsPerPolicy() = %v, want %v", got, tt.want)
 			}

cmd/cli/kubectl-kyverno/test/filter/filter.go

@@ -9,14 +9,14 @@ import (
 )
 
 type Filter interface {
-	Apply(testapi.TestResults) bool
+	Apply(testapi.TestResult) bool
 }
 
 type policy struct {
 	value string
 }
 
-func (f policy) Apply(result testapi.TestResults) bool {
+func (f policy) Apply(result testapi.TestResult) bool {
 	if result.Policy == "" {
 		return true
 	}
@@ -30,7 +30,7 @@ type rule struct {
 	value string
 }
 
-func (f rule) Apply(result testapi.TestResults) bool {
+func (f rule) Apply(result testapi.TestResult) bool {
 	if result.Rule == "" {
 		return true
 	}
@@ -44,7 +44,7 @@ type resource struct {
 	value string
 }
 
-func (f resource) Apply(result testapi.TestResults) bool {
+func (f resource) Apply(result testapi.TestResult) bool {
 	if result.Resource == "" {
 		return true
 	}
@@ -58,7 +58,7 @@ type composite struct {
 	filters []Filter
 }
 
-func (f composite) Apply(result testapi.TestResults) bool {
+func (f composite) Apply(result testapi.TestResult) bool {
 	for _, f := range f.filters {
 		if !f.Apply(result) {
 			return false

cmd/cli/kubectl-kyverno/test/filter/filter_test.go

@@ -12,51 +12,51 @@ func Test_policy_Apply(t *testing.T) {
 	tests := []struct {
 		name   string
 		value  string
-		result testapi.TestResults
+		result testapi.TestResult
 		want   bool
 	}{{
 		name:   "empty result",
 		value:  "test",
-		result: testapi.TestResults{},
+		result: testapi.TestResult{},
 		want:   true,
 	}, {
 		name:  "empty value",
 		value: "",
-		result: testapi.TestResults{
-			Policy: "test",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Policy: "test"},
 		},
 		want: false,
 	}, {
 		name:   "empty value and result",
 		value:  "",
-		result: testapi.TestResults{},
+		result: testapi.TestResult{},
 		want:   true,
 	}, {
 		name:  "match",
 		value: "test",
-		result: testapi.TestResults{
-			Policy: "test",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Policy: "test"},
 		},
 		want: true,
 	}, {
 		name:  "no match",
 		value: "test",
-		result: testapi.TestResults{
-			Policy: "not-test",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Policy: "not-test"},
 		},
 		want: false,
 	}, {
 		name:  "wildcard match",
 		value: "disallow-*",
-		result: testapi.TestResults{
-			Policy: "disallow-latest-tag",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Policy: "disallow-latest-tag"},
 		},
 		want: true,
 	}, {
 		name:  "wildcard does not match",
 		value: "allow-*",
-		result: testapi.TestResults{
-			Policy: "disallow-latest-tag",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Policy: "disallow-latest-tag"},
 		},
 		want: false,
 	}}
@@ -76,51 +76,51 @@ func Test_rule_Apply(t *testing.T) {
 	tests := []struct {
 		name   string
 		value  string
-		result testapi.TestResults
+		result testapi.TestResult
 		want   bool
 	}{{
 		name:   "empty result",
 		value:  "test",
-		result: testapi.TestResults{},
+		result: testapi.TestResult{},
 		want:   true,
 	}, {
 		name:  "empty value",
 		value: "",
-		result: testapi.TestResults{
-			Rule: "test",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Rule: "test"},
 		},
 		want: false,
 	}, {
 		name:   "empty value and result",
 		value:  "",
-		result: testapi.TestResults{},
+		result: testapi.TestResult{},
 		want:   true,
 	}, {
 		name:  "match",
 		value: "test",
-		result: testapi.TestResults{
-			Rule: "test",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Rule: "test"},
 		},
 		want: true,
 	}, {
 		name:  "no match",
 		value: "test",
-		result: testapi.TestResults{
-			Rule: "not-test",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Rule: "not-test"},
 		},
 		want: false,
 	}, {
 		name:  "wildcard match",
 		value: "*-image-tag",
-		result: testapi.TestResults{
-			Rule: "validate-image-tag",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Rule: "validate-image-tag"},
 		},
 		want: true,
 	}, {
 		name:  "wildcard does not match",
 		value: "require-*",
-		result: testapi.TestResults{
-			Rule: "validate-image-tag",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Rule: "validate-image-tag"},
 		},
 		want: false,
 	}}
@@ -140,51 +140,51 @@ func Test_resource_Apply(t *testing.T) {
 	tests := []struct {
 		name   string
 		value  string
-		result testapi.TestResults
+		result testapi.TestResult
 		want   bool
 	}{{
 		name:   "empty result",
 		value:  "test",
-		result: testapi.TestResults{},
+		result: testapi.TestResult{},
 		want:   true,
 	}, {
 		name:  "empty value",
 		value: "",
-		result: testapi.TestResults{
-			Resource: "test",
+		result: testapi.TestResult{
+			TestResultDeprecated: testapi.TestResultDeprecated{Resource: "test"},
 		},
 		want: false,
 	}, {
 		name:   "empty value and result",
 		value:  "",
-		result: testapi.TestResults{},
+		result: testapi.TestResult{},
 		want:   true,
 	}, {
 		name:  "match",
 		value: "test",
-		result: testapi.TestResults{
-			Resource: "test",
+		result: testapi.TestResult{
+			TestResultDeprecated: testapi.TestResultDeprecated{Resource: "test"},
 		},
 		want: true,
 	}, {
 		name:  "no match",
 		value: "test",
-		result: testapi.TestResults{
-			Resource: "not-test",
+		result: testapi.TestResult{
+			TestResultDeprecated: testapi.TestResultDeprecated{Resource: "not-test"},
 		},
 		want: false,
 	}, {
 		name:  "wildcard match",
 		value: "good*01",
-		result: testapi.TestResults{
-			Resource: "good-deployment-01",
+		result: testapi.TestResult{
+			TestResultDeprecated: testapi.TestResultDeprecated{Resource: "good-deployment-01"},
 		},
 		want: true,
 	}, {
 		name:  "wildcard does not match",
 		value: "good*01",
-		result: testapi.TestResults{
-			Resource: "bad-deployment-01",
+		result: testapi.TestResult{
+			TestResultDeprecated: testapi.TestResultDeprecated{Resource: "bad-deployment-01"},
 		},
 		want: false,
 	}}
@@ -204,46 +204,46 @@ func Test_composite_Apply(t *testing.T) {
 	tests := []struct {
 		name    string
 		filters []Filter
-		result  testapi.TestResults
+		result  testapi.TestResult
 		want    bool
 	}{{
 		name:    "nil",
 		filters: nil,
-		result:  testapi.TestResults{},
+		result:  testapi.TestResult{},
 		want:    true,
 	}, {
 		name:    "empty",
 		filters: []Filter{},
-		result:  testapi.TestResults{},
+		result:  testapi.TestResult{},
 		want:    true,
 	}, {
 		name:    "policy match",
 		filters: []Filter{policy{"test"}},
-		result: testapi.TestResults{
-			Policy: "test",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Policy: "test"},
 		},
 		want: true,
 	}, {
 		name:    "policy no match",
 		filters: []Filter{policy{"test"}},
-		result: testapi.TestResults{
-			Policy: "not-test",
+		result: testapi.TestResult{
+			TestResultBase: testapi.TestResultBase{Policy: "not-test"},
 		},
 		want: false,
 	}, {
 		name:    "policy and resource match",
 		filters: []Filter{policy{"test"}, resource{"resource"}},
-		result: testapi.TestResults{
-			Policy:   "test",
-			Resource: "resource",
+		result: testapi.TestResult{
+			TestResultBase:       testapi.TestResultBase{Policy: "test"},
+			TestResultDeprecated: testapi.TestResultDeprecated{Resource: "resource"},
 		},
 		want: true,
 	}, {
 		name:    "policy match and resource no match",
 		filters: []Filter{policy{"test"}, resource{"resource"}},
-		result: testapi.TestResults{
-			Policy:   "test",
-			Resource: "not-resource",
+		result: testapi.TestResult{
+			TestResultBase:       testapi.TestResultBase{Policy: "test"},
+			TestResultDeprecated: testapi.TestResultDeprecated{Resource: "not-resource"},
 		},
 		want: false,
 	},

cmd/cli/kubectl-kyverno/test/load_test.go

@@ -50,18 +50,22 @@ func TestLoadTests(t *testing.T) {
 				Name:      "test-registry",
 				Policies:  []string{"image-example.yaml"},
 				Resources: []string{"resources.yaml"},
-				Results: []testapi.TestResults{{
-					Kind:      "Pod",
-					Policy:    "images",
+				Results: []testapi.TestResult{{
+					TestResultBase: testapi.TestResultBase{
+						Kind:   "Pod",
+						Policy: "images",
+						Result: policyreportv1alpha2.StatusPass,
+						Rule:   "only-allow-trusted-images",
+					},
 					Resources: []string{"test-pod-with-non-root-user-image"},
-					Result:    policyreportv1alpha2.StatusPass,
-					Rule:      "only-allow-trusted-images",
 				}, {
-					Kind:      "Pod",
-					Policy:    "images",
+					TestResultBase: testapi.TestResultBase{
+						Kind:   "Pod",
+						Policy: "images",
+						Result: policyreportv1alpha2.StatusPass,
+						Rule:   "only-allow-trusted-images",
+					},
 					Resources: []string{"test-pod-with-trusted-registry"},
-					Result:    policyreportv1alpha2.StatusPass,
-					Rule:      "only-allow-trusted-images",
 				}},
 			},
 		}},
@@ -76,20 +80,24 @@ func TestLoadTests(t *testing.T) {
 				Name:      "add-quota",
 				Policies:  []string{"policy.yaml"},
 				Resources: []string{"resource.yaml"},
-				Results: []testapi.TestResults{{
-					Kind:              "Namespace",
-					Policy:            "add-ns-quota",
-					Resources:         []string{"hello-world-namespace"},
-					Result:            policyreportv1alpha2.StatusPass,
-					Rule:              "generate-resourcequota",
-					GeneratedResource: "generatedResourceQuota.yaml",
+				Results: []testapi.TestResult{{
+					TestResultBase: testapi.TestResultBase{
+						Kind:              "Namespace",
+						Policy:            "add-ns-quota",
+						Result:            policyreportv1alpha2.StatusPass,
+						Rule:              "generate-resourcequota",
+						GeneratedResource: "generatedResourceQuota.yaml",
+					},
+					Resources: []string{"hello-world-namespace"},
 				}, {
-					Kind:              "Namespace",
-					Policy:            "add-ns-quota",
-					Resources:         []string{"hello-world-namespace"},
-					Result:            policyreportv1alpha2.StatusPass,
-					Rule:              "generate-limitrange",
-					GeneratedResource: "generatedLimitRange.yaml",
+					TestResultBase: testapi.TestResultBase{
+						Kind:              "Namespace",
+						Policy:            "add-ns-quota",
+						Result:            policyreportv1alpha2.StatusPass,
+						Rule:              "generate-limitrange",
+						GeneratedResource: "generatedLimitRange.yaml",
+					},
+					Resources: []string{"hello-world-namespace"},
 				}},
 			},
 		}},
@@ -104,18 +112,22 @@ func TestLoadTests(t *testing.T) {
 				Name:      "test-registry",
 				Policies:  []string{"image-example.yaml"},
 				Resources: []string{"resources.yaml"},
-				Results: []testapi.TestResults{{
-					Kind:      "Pod",
-					Policy:    "images",
+				Results: []testapi.TestResult{{
+					TestResultBase: testapi.TestResultBase{
+						Kind:   "Pod",
+						Policy: "images",
+						Result: policyreportv1alpha2.StatusPass,
+						Rule:   "only-allow-trusted-images",
+					},
 					Resources: []string{"test-pod-with-non-root-user-image"},
-					Result:    policyreportv1alpha2.StatusPass,
-					Rule:      "only-allow-trusted-images",
 				}, {
-					Kind:      "Pod",
-					Policy:    "images",
+					TestResultBase: testapi.TestResultBase{
+						Kind:   "Pod",
+						Policy: "images",
+						Result: policyreportv1alpha2.StatusPass,
+						Rule:   "only-allow-trusted-images",
+					},
 					Resources: []string{"test-pod-with-trusted-registry"},
-					Result:    policyreportv1alpha2.StatusPass,
-					Rule:      "only-allow-trusted-images",
 				}},
 			},
 		}, {
@@ -124,20 +136,24 @@ func TestLoadTests(t *testing.T) {
 				Name:      "add-quota",
 				Policies:  []string{"policy.yaml"},
 				Resources: []string{"resource.yaml"},
-				Results: []testapi.TestResults{{
-					Kind:              "Namespace",
-					Policy:            "add-ns-quota",
-					Resources:         []string{"hello-world-namespace"},
-					Result:            policyreportv1alpha2.StatusPass,
-					Rule:              "generate-resourcequota",
-					GeneratedResource: "generatedResourceQuota.yaml",
+				Results: []testapi.TestResult{{
+					TestResultBase: testapi.TestResultBase{
+						Kind:              "Namespace",
+						Policy:            "add-ns-quota",
+						Result:            policyreportv1alpha2.StatusPass,
+						Rule:              "generate-resourcequota",
+						GeneratedResource: "generatedResourceQuota.yaml",
+					},
+					Resources: []string{"hello-world-namespace"},
 				}, {
-					Kind:              "Namespace",
-					Policy:            "add-ns-quota",
-					Resources:         []string{"hello-world-namespace"},
-					Result:            policyreportv1alpha2.StatusPass,
-					Rule:              "generate-limitrange",
-					GeneratedResource: "generatedLimitRange.yaml",
+					TestResultBase: testapi.TestResultBase{
+						Kind:              "Namespace",
+						Policy:            "add-ns-quota",
+						Result:            policyreportv1alpha2.StatusPass,
+						Rule:              "generate-limitrange",
+						GeneratedResource: "generatedLimitRange.yaml",
+					},
+					Resources: []string{"hello-world-namespace"},
 				}},
 			},
 		}},
@@ -185,18 +201,22 @@ func TestLoadTest(t *testing.T) {
 				Name:      "test-registry",
 				Policies:  []string{"image-example.yaml"},
 				Resources: []string{"resources.yaml"},
-				Results: []testapi.TestResults{{
-					Kind:      "Pod",
-					Policy:    "images",
+				Results: []testapi.TestResult{{
+					TestResultBase: testapi.TestResultBase{
+						Kind:   "Pod",
+						Policy: "images",
+						Result: policyreportv1alpha2.StatusPass,
+						Rule:   "only-allow-trusted-images",
+					},
 					Resources: []string{"test-pod-with-non-root-user-image"},
-					Result:    policyreportv1alpha2.StatusPass,
-					Rule:      "only-allow-trusted-images",
 				}, {
-					Kind:      "Pod",
-					Policy:    "images",
+					TestResultBase: testapi.TestResultBase{
+						Kind:   "Pod",
+						Policy: "images",
+						Result: policyreportv1alpha2.StatusPass,
+						Rule:   "only-allow-trusted-images",
+					},
 					Resources: []string{"test-pod-with-trusted-registry"},
-					Result:    policyreportv1alpha2.StatusPass,
-					Rule:      "only-allow-trusted-images",
 				}},
 			},
 		},
@@ -209,18 +229,22 @@ func TestLoadTest(t *testing.T) {
 				Name:      "test-registry",
 				Policies:  []string{"image-example.yaml"},
 				Resources: []string{"resources.yaml"},
-				Results: []testapi.TestResults{{
-					Kind:      "Pod",
-					Policy:    "images",
+				Results: []testapi.TestResult{{
+					TestResultBase: testapi.TestResultBase{
+						Kind:   "Pod",
+						Policy: "images",
+						Result: policyreportv1alpha2.StatusPass,
+						Rule:   "only-allow-trusted-images",
+					},
 					Resources: []string{"test-pod-with-non-root-user-image"},
-					Result:    policyreportv1alpha2.StatusPass,
-					Rule:      "only-allow-trusted-images",
 				}, {
-					Kind:      "Pod",
-					Policy:    "images",
+					TestResultBase: testapi.TestResultBase{
+						Kind:   "Pod",
+						Policy: "images",
+						Result: policyreportv1alpha2.StatusPass,
+						Rule:   "only-allow-trusted-images",
+					},
 					Resources: []string{"test-pod-with-trusted-registry"},
-					Result:    policyreportv1alpha2.StatusPass,
-					Rule:      "only-allow-trusted-images",
 				}},
 			},
 		},

test/cli/test-generate/create-default-pdb/kyverno-test.yaml

@@ -6,9 +6,8 @@ resources:
 results:
 - generatedResource: generatedResource.yaml
   kind: Deployment
-  namespace: hello-world
   policy: create-default-pdb
   resources:
-  - nginx-deployment
+  - hello-world/nginx-deployment
   result: pass
   rule: create-default-pdb

test/cli/test-mutate/connection-draining/kyverno-test.yaml

@@ -1,17 +1,19 @@
 name: connection-draining
 policies:
-  - policy.yaml
+- policy.yaml
 resources:
-  - resource.yaml
+- resource.yaml
 results:
-- policy: disable-connection-draining
-  rule: clb
-  resource: nlb-aws-controller-no-attributes
-  kind: Service
+- kind: Service
+  policy: disable-connection-draining
+  resources:
+  - nlb-aws-controller-no-attributes
   result: skip
-- policy: disable-connection-draining
-  rule: nlb-no-attributes
+  rule: clb
+- kind: Service
   patchedResource: patched.yaml
-  resource: nlb-aws-controller-no-attributes
-  kind: Service
+  policy: disable-connection-draining
+  resources:
+  - nlb-aws-controller-no-attributes
   result: pass
+  rule: nlb-no-attributes

test/cli/test-mutate/kyverno-test.yaml

@@ -5,27 +5,10 @@ resources:
 - resource.yaml
 results:
 - kind: Pod
-  namespace: practice
-  patchedResource: patchedResource1.yaml
-  policy: add-label
-  resources:
-  - resource-equal-to-patch-res-for-cp
-  result: skip
-  rule: add-label
-- kind: Pod
-  namespace: testing
-  patchedResource: patchedResource2.yaml
-  policy: add-label
-  resources:
-  - same-name-but-diff-namespace
-  result: pass
-  rule: add-label
-- kind: Pod
-  namespace: production
   patchedResource: patchedResource3.yaml
   policy: add-label
   resources:
-  - same-name-but-diff-namespace
+  - production/same-name-but-diff-namespace
   result: pass
   rule: add-label
 - kind: Deployment
@@ -35,13 +18,6 @@ results:
   - mydeploy
   result: pass
   rule: add-label
-# - kind: Service
-#   patchedResource: patchedResource5.yaml
-#   policy: add-label
-#   resources:
-#   - same-name-but-diff-kind
-#   result: skip
-#   rule: add-label
 - kind: Pod
   patchedResource: patchedResource6.yaml
   policy: add-label
@@ -49,51 +25,13 @@ results:
   - same-name-but-diff-kind
   result: pass
   rule: add-label
-# - kind: Pod
-#   namespace: practice
-#   patchedResource: patchedResource7.yaml
-#   policy: add-ndots
-#   resources:
-#   - resource-equal-to-patch-res-for-cp
-#   result: skip
-#   rule: add-ndots
 - kind: Pod
-  namespace: testing
   patchedResource: patchedResource8.yaml
-  policy: add-ndots
+  policy: testing/add-ndots
   resources:
   - same-name-but-diff-namespace
   result: pass
   rule: add-ndots
-# - kind: Pod
-#   namespace: production
-#   patchedResource: patchedResource9.yaml
-#   policy: add-ndots
-#   resources:
-#   - same-name-but-diff-namespace
-#   result: skip
-#   rule: add-ndots
-# - kind: Deployment
-#   patchedResource: patchedResource10.yaml
-#   policy: add-ndots
-#   resources:
-#   - mydeploy
-#   result: skip
-#   rule: add-ndots
-# - kind: Service
-#   patchedResource: patchedResource5.yaml
-#   policy: add-ndots
-#   resources:
-#   - same-name-but-diff-kind
-#   result: skip
-#   rule: add-ndots
-# - kind: Pod
-#   patchedResource: patchedResource11.yaml
-#   policy: add-ndots
-#   resources:
-#   - same-name-but-diff-kind
-#   result: skip
-#   rule: add-ndots
 - kind: Pod
   patchedResource: patched-resource.yaml
   policy: example
@@ -101,3 +39,17 @@ results:
   - example
   result: pass
   rule: object_from_lists
+- kind: Pod
+  patchedResource: patchedResource1.yaml
+  policy: add-label
+  resources:
+  - practice/resource-equal-to-patch-res-for-cp
+  result: skip
+  rule: add-label
+- kind: Pod
+  patchedResource: patchedResource2.yaml
+  policy: add-label
+  resources:
+  - testing/same-name-but-diff-namespace
+  result: pass
+  rule: add-label

test/cli/test/any-all-wildcard/kyverno-test.yaml

@@ -5,24 +5,9 @@ resources:
 - resource.yaml
 results:
 - kind: Pod
-  namespace: namespace1
   policy: disallow-protected-namespaces
   resources:
-  - test1
+  - namespace2/test2
+  - namespace1/test1
   result: fail
   rule: disallow
-- kind: Pod
-  namespace: namespace2
-  policy: disallow-protected-namespaces
-  resources:
-  - test2
-  result: fail
-  rule: disallow
-# TODO CEB FIX
-# - kind: Pod
-#   namespace: namespace3
-#   policy: disallow-protected-namespaces
-#   resources:
-#   - test3
-#   result: skip
-#   rule: disallow

test/cli/test/any-namespaceSelector/kyverno-test.yaml

@@ -5,10 +5,9 @@ resources:
 - resource.yaml
 results:
 - kind: Pod
-  namespace: test1
   policy: enforce-pod-name
   resources:
-  - test-nginx
+  - test1/test-nginx
   result: pass
   rule: validate-name
 variables: value.yaml

test/cli/test/exec-subresource/kyverno-test.yaml

@@ -5,10 +5,9 @@ resources:
 - resource.yaml
 results:
 - kind: PodExecOptions
-  namespace: default
   policy: deny-exec-by-pod-label
   resources:
-  - execpod
+  - default/execpod
   result: fail
   rule: deny-exec-by-label
 values:

test/cli/test/images/digest/kyverno-test.yaml

@@ -5,16 +5,14 @@ resources:
 - resources.yaml
 results:
 - kind: Pod
-  namespace: test
   policy: require-image-digest
   resources:
-  - no-digest
+  - test/no-digest
   result: fail
   rule: check-digest
 - kind: Pod
-  namespace: test
   policy: require-image-digest
   resources:
-  - with-digest
+  - test/with-digest
   result: pass
   rule: check-digest

test/cli/test/jmespath-brackets/kyverno-test.yaml

@@ -5,7 +5,7 @@ resources:
 - resources.yaml
 results:
 - kind: Pod
-  policy: test-jmespath
+  policy: default/test-jmespath
   resources:
   - test-valid1
   - test-valid2
@@ -13,7 +13,7 @@ results:
   result: pass
   rule: test-jmespath
 - kind: Pod
-  policy: test-jmespath
+  policy: default/test-jmespath
   resources:
   - test-invalid
   result: fail

test/cli/test/jmespath-brackets/policy.yaml

@@ -2,6 +2,7 @@ apiVersion: kyverno.io/v1
 kind: Policy
 metadata:
   name: test-jmespath
+  namespace: default
   annotations:
     pod-policies.kyverno.io/autogen-controllers: none
 spec:

test/cli/test/limit-configmap-for-sa/kyverno-test.yaml

@@ -5,16 +5,15 @@ resources:
 - resource.yaml
 results:
 - kind: ConfigMap
-  namespace: any-namespace
   policy: limit-configmap-for-sa
   resources:
-  - any-configmap-name-good
+  - any-namespace/any-configmap-name-good
   result: fail
   rule: limit-configmap-for-sa-developer
 - kind: ConfigMap
   policy: limit-configmap-for-sa
   resources:
-  - any-configmap-name-bad
+  - any-namespace/any-configmap-name-bad
   result: skip
   rule: limit-configmap-for-sa-developer
 variables: variables.yaml

test/cli/test/mixed/kyverno-test.yaml

@@ -5,33 +5,21 @@ resources:
 - resource.yaml
 results:
 - kind: Pod
-  namespace: user-space
+  policy: ondemand
+  resources:
+  - user-foo/nodeselector-without-labels-on-mutation
+  result: fail
+  rule: ondemand-managed_by
+- kind: Pod
   patchedResource: patched-resource.yaml
   policy: ondemand
   resources:
-  - nodeselector-with-labels-on-mutation
+  - user-space/nodeselector-with-labels-on-mutation
   result: pass
   rule: ondemand-nodeselector
 - kind: Pod
-  namespace: user-space
   policy: ondemand
   resources:
-  - nodeselector-with-labels-on-mutation
+  - user-space/nodeselector-with-labels-on-mutation
   result: pass
   rule: ondemand-managed_by
-# TODO CEB FIX
-# - kind: Pod
-#   namespace: user-foo
-#   patchedResource: patched-resource1.yaml
-#   policy: ondemand
-#   resources:
-#   - nodeselector-without-labels-on-mutation
-#   result: skip
-#   rule: ondemand-nodeselector
-- kind: Pod
-  namespace: user-foo
-  policy: ondemand
-  resources:
-  - nodeselector-without-labels-on-mutation
-  result: fail
-  rule: ondemand-managed_by

test/cli/test/scale-subresource/kyverno-test.yaml

@@ -5,10 +5,9 @@ resources:
 - resource.yaml
 results:
 - kind: Scale
-  namespace: default
   policy: enforce-replicas-for-scale-subresource
   resources:
-  - nginx-test
+  - default/nginx-test
   result: fail
   rule: validate-nginx-test
 variables: values.yaml

test/cli/test/simple/kyverno-test.yaml

@@ -5,76 +5,62 @@ resources:
 - resources.yaml
 results:
 - kind: Pod
-  namespace: test
+  policy: disallow-latest-tag
+  resources:
+  - test/test-validate-image-tag-fail
+  result: fail
+  rule: validate-image-tag
+- kind: Pod
   policy: duration-test
   resources:
-  - test-lifetime-fail
+  - test/test-lifetime-fail
   result: fail
   rule: greater-than
 - kind: Pod
-  namespace: test
+  policy: disallow-latest-tag
+  resources:
+  - test/test-validate-image-tag-pass
+  result: pass
+  rule: validate-image-tag
+- kind: Pod
   policy: duration-test
   resources:
-  - test-lifetime-fail
+  - test/test-lifetime-fail
+  result: pass
+  rule: less-equal-than
+- kind: Pod
+  policy: disallow-latest-tag
+  resources:
+  - test/test-require-image-tag-pass
+  result: pass
+  rule: require-image-tag
+- kind: Pod
+  policy: disallow-latest-tag
+  resources:
+  - test/test-require-image-tag-fail
+  result: fail
+  rule: require-image-tag
+- kind: Pod
+  policy: duration-test
+  resources:
+  - test/test-lifetime-fail
   result: pass
   rule: less-than
 - kind: Pod
-  namespace: test
   policy: duration-test
   resources:
-  - test-lifetime-fail
+  - test/test-lifetime-fail
   result: fail
   rule: greater-equal-than
-- kind: Pod
-  namespace: test
-  policy: restrict-pod-counts
-  resources:
-  - test-require-image-tag-pass
-  - test-require-image-tag-fail
-  - test-validate-image-tag-fail
-  - test-validate-image-tag-pass
-  result: fail
-  rule: restrict-pod-count
-- kind: Pod
-  namespace: test
-  policy: disallow-latest-tag
-  resources:
-  - test-require-image-tag-pass
-  result: pass
-  rule: require-image-tag
-- kind: Pod
-  namespace: test
-  policy: disallow-latest-tag
-  resources:
-  - test-require-image-tag-fail
-  result: fail
-  rule: require-image-tag
-- kind: Pod
-  namespace: test
-  policy: disallow-latest-tag
-  resources:
-  - test-validate-image-tag-pass
-  result: pass
-  rule: validate-image-tag
-- kind: Pod
-  namespace: test
-  policy: disallow-latest-tag
-  resources:
-  - test-validate-image-tag-fail
-  result: fail
-  rule: validate-image-tag
-- kind: Pod
-  namespace: test
-  policy: duration-test
-  resources:
-  - test-lifetime-fail
-  result: pass
-  rule: less-equal-than
 - kind: Pod
   policy: restrict-pod-counts
   resources:
   - myapp-pod
   - test-validate-image-tag-ignore
+  - test/test-require-image-tag-pass
+  - test/test-require-image-tag-fail
+  - test/test-validate-image-tag-fail
+  - test/test-validate-image-tag-pass
   result: fail
   rule: restrict-pod-count
 variables: values.yaml