From dbad967150b83b256805efddea02d8b013d43c74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Tue, 12 Sep 2023 16:33:26 +0200 Subject: [PATCH] fix: namespace in kyverno-test.yaml seems to have no effect in case of exclude (#8354) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: namespace in kyverno-test.yaml seems to have no effect in case of exclude Signed-off-by: Charles-Edouard Brétéché * fix tests Signed-off-by: Charles-Edouard Brétéché * unit tests Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché --- cmd/cli/kubectl-kyverno/apis/test/test.go | 2 +- .../kubectl-kyverno/apis/test/test_result.go | 31 ++-- .../kubectl-kyverno/commands/apply/command.go | 5 +- .../commands/apply/command_test.go | 2 +- .../commands/fix/test/command.go | 50 ++---- .../kubectl-kyverno/commands/test/command.go | 26 ++- .../kubectl-kyverno/commands/test/output.go | 2 +- cmd/cli/kubectl-kyverno/report/report.go | 30 ++-- cmd/cli/kubectl-kyverno/report/report_test.go | 15 +- cmd/cli/kubectl-kyverno/test/filter/filter.go | 10 +- .../test/filter/filter_test.go | 104 ++++++------ cmd/cli/kubectl-kyverno/test/load_test.go | 148 ++++++++++-------- .../create-default-pdb/kyverno-test.yaml | 3 +- .../connection-draining/kyverno-test.yaml | 22 +-- test/cli/test-mutate/kyverno-test.yaml | 80 ++-------- .../test/any-all-wildcard/kyverno-test.yaml | 19 +-- .../any-namespaceSelector/kyverno-test.yaml | 3 +- .../test/exec-subresource/kyverno-test.yaml | 3 +- test/cli/test/images/digest/kyverno-test.yaml | 6 +- .../test/jmespath-brackets/kyverno-test.yaml | 4 +- test/cli/test/jmespath-brackets/policy.yaml | 1 + .../limit-configmap-for-sa/kyverno-test.yaml | 5 +- test/cli/test/mixed/kyverno-test.yaml | 28 +--- .../test/scale-subresource/kyverno-test.yaml | 3 +- test/cli/test/simple/kyverno-test.yaml | 88 +++++------ 25 files changed, 292 insertions(+), 398 deletions(-) 
diff --git a/cmd/cli/kubectl-kyverno/apis/test/test.go b/cmd/cli/kubectl-kyverno/apis/test/test.go index a2022db858..2f96a36a8f 100644 --- a/cmd/cli/kubectl-kyverno/apis/test/test.go +++ b/cmd/cli/kubectl-kyverno/apis/test/test.go @@ -10,6 +10,6 @@ type Test struct { Resources []string `json:"resources"` Variables string `json:"variables,omitempty"` UserInfo string `json:"userinfo,omitempty"` - Results []TestResults `json:"results"` + Results []TestResult `json:"results"` Values *values.Values `json:"values,omitempty"` } diff --git a/cmd/cli/kubectl-kyverno/apis/test/test_result.go b/cmd/cli/kubectl-kyverno/apis/test/test_result.go index fcbc0edf03..acbcb02003 100644 --- a/cmd/cli/kubectl-kyverno/apis/test/test_result.go +++ b/cmd/cli/kubectl-kyverno/apis/test/test_result.go @@ -4,7 +4,7 @@ import ( policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" ) -type TestResults struct { +type TestResultBase struct { // Policy mentions the name of the policy. Policy string `json:"policy"` // Rule mentions the name of the rule in the policy. 
@@ -18,17 +18,8 @@ type TestResults struct { // Result mentions the result that the user is expecting. // Possible values are pass, fail and skip. Result policyreportv1alpha2.PolicyResult `json:"result"` - // Status mentions the status that the user is expecting. - // Possible values are pass, fail and skip. - Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"` - // Resource mentions the name of the resource on which the policy is to be applied. - Resource string `json:"resource,omitempty"` - // Resources gives us the list of resources on which the policy is going to be applied. - Resources []string `json:"resources"` // Kind mentions the kind of the resource on which the policy is to be applied. Kind string `json:"kind"` - // Namespace mentions the namespace of the policy which has namespace scope. - Namespace string `json:"namespace,omitempty"` // PatchedResource takes a resource configuration file in yaml format from // the user to compare it against the Kyverno mutated resource configuration. PatchedResource string `json:"patchedResource,omitempty"` 
@@ -39,3 +30,23 @@ type TestResults struct { // from the user which is meant to be cloned by the generate rule. CloneSourceResource string `json:"cloneSourceResource,omitempty"` } + +type TestResultDeprecated struct { + // Status mentions the status that the user is expecting. + // Possible values are pass, fail and skip. + // This is DEPRECATED, use `Result` instead. + Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"` + // Resource mentions the name of the resource on which the policy is to be applied. + // This is DEPRECATED, use `Resources` instead. + Resource string `json:"resource,omitempty"` + // Namespace mentions the namespace of the policy which has namespace scope. + // This is DEPRECATED, use a name in the form `/` for policies and/or resources instead. + Namespace string `json:"namespace,omitempty"` +} + +type TestResult struct { + TestResultBase `json:",inline,omitempty"` + TestResultDeprecated `json:",inline,omitempty"` + // Resources gives us the list of resources on which the policy is going to be applied. + Resources []string `json:"resources"` +} diff --git a/cmd/cli/kubectl-kyverno/commands/apply/command.go b/cmd/cli/kubectl-kyverno/commands/apply/command.go index 0deb8e9e9a..3e664a69ff 100644 --- a/cmd/cli/kubectl-kyverno/commands/apply/command.go +++ b/cmd/cli/kubectl-kyverno/commands/apply/command.go @@ -447,10 +447,7 @@ func printSkippedAndInvalidPolicies(skipInvalidPolicies SkippedInvalidPolicies) } func printReport(engineResponses []engineapi.EngineResponse, auditWarn bool) { - clustered, namespaced, err := report.ComputePolicyReports(auditWarn, engineResponses...) - if err != nil { - fmt.Println("Error: failed to compute policy reports") - } + clustered, namespaced := report.ComputePolicyReports(auditWarn, engineResponses...) if len(clustered) > 0 || len(namespaced) > 0 { fmt.Println(divider) fmt.Println("POLICY REPORT:") 
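Review bot: The new exported types `TestResultBase`, `TestResultDeprecated` and `TestResult` in the `@@ -39,3 +30,23 @@` hunk of test_result.go have no doc comments. Nothing records that `TestResultBase` is used as a map key by the `--compress` path of `fix test` in this same commit. I would add `// TestResultBase holds the fields that identify an expected result; it is used as a map key and must stay comparable (no slice or map fields).` above the type, plus one-line comments on the other two saying which fields are kept only for backward compatibility. The deprecation comment on `Namespace` reads "a name in the form `/`" as shown here, so the expected form (namespace, slash, name) should be spelled out. `TestResultBase` is declared in an earlier hunk, so only part of it is visible here.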
diff --git a/cmd/cli/kubectl-kyverno/commands/apply/command_test.go b/cmd/cli/kubectl-kyverno/commands/apply/command_test.go index a9cfdee0b1..f14cab8b78 100644 --- a/cmd/cli/kubectl-kyverno/commands/apply/command_test.go +++ b/cmd/cli/kubectl-kyverno/commands/apply/command_test.go @@ -317,7 +317,7 @@ func Test_Apply(t *testing.T) { _, _, _, responses, err := tc.config.applyCommandHelper() assert.NilError(t, err, desc) - clustered, _, _ := report.ComputePolicyReports(tc.config.AuditWarn, responses...) + clustered, _ := report.ComputePolicyReports(tc.config.AuditWarn, responses...) assert.Assert(t, len(clustered) > 0, "policy reports should not be empty: %s", desc) combined := []policyreportv1alpha2.ClusterPolicyReport{ report.MergeClusterReports(clustered), diff --git a/cmd/cli/kubectl-kyverno/commands/fix/test/command.go b/cmd/cli/kubectl-kyverno/commands/fix/test/command.go index 977aa93ad1..f625bd39b7 100644 --- a/cmd/cli/kubectl-kyverno/commands/fix/test/command.go +++ b/cmd/cli/kubectl-kyverno/commands/fix/test/command.go @@ -5,7 +5,6 @@ import ( "os" "path/filepath" - policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" testapi "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/test" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test" @@ -50,7 +49,7 @@ func Command() *cobra.Command { fmt.Println(" WARNING: test has no policies") } if len(test.Resources) == 0 { - fmt.Println(" WARNING: test has no policies") + fmt.Println(" WARNING: test has no resources") } for i := range test.Results { result := &test.Results[i] 
@@ -63,6 +62,12 @@ func Command() *cobra.Command { result.Resource = "" needsSave = true } + if result.Namespace != "" { + fmt.Println(" WARNING: test result uses deprecated `namespace` field, replacing `policy` with a `/` pattern") + result.Policy = fmt.Sprintf("%s/%s", result.Namespace, result.Policy) + result.Namespace = "" + needsSave = true + } if result.Status != "" && result.Result != "" { fmt.Println(" ERROR: test result should not use both `status` and `result` fields") } @@ -74,37 +79,18 @@ func Command() *cobra.Command { } } if compress { - compressed := map[key][]string{} + compressed := map[testapi.TestResultBase][]string{} for _, result := range test.Results { - k := key{ - Policy: result.Policy, - Rule: result.Rule, - IsValidatingAdmissionPolicy: result.IsValidatingAdmissionPolicy, - Result: result.Result, - Kind: result.Kind, - Namespace: result.Namespace, - PatchedResource: result.PatchedResource, - GeneratedResource: result.GeneratedResource, - CloneSourceResource: result.CloneSourceResource, - } - compressed[k] = append(compressed[k], result.Resources...) + compressed[result.TestResultBase] = append(compressed[result.TestResultBase], result.Resources...) } if len(compressed) != len(test.Results) { needsSave = true } test.Results = nil for k, v := range compressed { - test.Results = append(test.Results, testapi.TestResults{ - Policy: k.Policy, - Rule: k.Rule, - IsValidatingAdmissionPolicy: k.IsValidatingAdmissionPolicy, - Result: k.Result, - Kind: k.Kind, - Namespace: k.Namespace, - PatchedResource: k.PatchedResource, - GeneratedResource: k.GeneratedResource, - CloneSourceResource: k.CloneSourceResource, - Resources: v, + test.Results = append(test.Results, testapi.TestResult{ + TestResultBase: k, + Resources: v, }) } } 
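Review bot: The migration in the `@@ -63,6 +62,12 @@` hunk folds the deprecated `namespace` into `result.Policy`, but the fixture migrated by hand in this commit (create-default-pdb) keeps the bare policy name and puts the namespace on the resource (`hello-world/nginx-deployment`). For a cluster-scoped policy the rewritten `namespace/policy` value would presumably no longer equal the name that `lookupEngineResponses` computes, so a file fixed by the tool could stop matching any response. The entries of `result.Resources` are also left without the namespace, which is the value the old lookup compared against. Consider prefixing the resources, for example `for i, r := range result.Resources { result.Resources[i] = result.Namespace + "/" + r }`, and prefixing `result.Policy` only when the policy is known to be namespaced. The enclosing loop starts and ends outside this hunk.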
@@ -135,15 +121,3 @@ func Command() *cobra.Command { cmd.Flags().BoolVar(&compress, "compress", false, "Compress test results") return cmd } - -type key struct { - Policy string - Rule string - IsValidatingAdmissionPolicy bool - Result policyreportv1alpha2.PolicyResult - Kind string - Namespace string - PatchedResource string - GeneratedResource string - CloneSourceResource string -} diff --git a/cmd/cli/kubectl-kyverno/commands/test/command.go b/cmd/cli/kubectl-kyverno/commands/test/command.go index c13c08d99f..1a6341f409 100644 --- a/cmd/cli/kubectl-kyverno/commands/test/command.go +++ b/cmd/cli/kubectl-kyverno/commands/test/command.go @@ -17,14 +17,14 @@ import ( engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/openapi" "github.com/spf13/cobra" + "k8s.io/client-go/tools/cache" ) func Command() *cobra.Command { - var cmd *cobra.Command var testCase string var fileName, gitBranch string var registryAccess, failOnly, removeColor, detailedResults bool - cmd = &cobra.Command{ + cmd := &cobra.Command{ Use: "test [local folder or git repository]...", Args: cobra.MinimumNArgs(1), Short: command.FormatDescription(true, websiteUrl, false, description...), @@ -118,7 +118,7 @@ func testCommandExecute( for _, test := range tests { if test.Err == nil { // filter results - var filteredResults []testapi.TestResults + var filteredResults []testapi.TestResult for _, res := range test.Test.Results { if filter.Apply(res) { filteredResults = append(filteredResults, res) @@ -154,7 +154,7 @@ func testCommandExecute( return nil } -func checkResult(test testapi.TestResults, fs billy.Filesystem, resoucePath string, response engineapi.EngineResponse, rule engineapi.RuleResponse) (bool, string, string) { +func checkResult(test testapi.TestResult, fs billy.Filesystem, resoucePath string, response engineapi.EngineResponse, rule engineapi.RuleResponse) (bool, string, string) { expected := test.Result // fallback to the deprecated field if expected == "" { 
@@ -179,31 +179,27 @@ func checkResult(test testapi.TestResults, fs billy.Filesystem, resoucePath stri return false, "Generated resource didn't match the generated resource in the test result", "Resource diff" } } - result, err := report.ComputePolicyReportResult(false, response, rule) - if err != nil { - return false, err.Error(), "Error" - } + result := report.ComputePolicyReportResult(false, response, rule) if result.Result != expected { return false, result.Message, fmt.Sprintf("Want %s, got %s", expected, result.Result) } return true, result.Message, "Ok" } -func lookupEngineResponses(test testapi.TestResults, resourceName string, responses ...engineapi.EngineResponse) []engineapi.EngineResponse { +func lookupEngineResponses(test testapi.TestResult, resourceName string, responses ...engineapi.EngineResponse) []engineapi.EngineResponse { var matches []engineapi.EngineResponse for _, response := range responses { policy := response.Policy() resource := response.Resource - if policy.GetName() != test.Policy { - continue - } + pName := cache.MetaObjectToName(policy.MetaObject()).String() + rName := cache.MetaObjectToName(&resource).String() if test.Kind != resource.GetKind() { continue } - if resourceName != "" && resourceName != resource.GetName() { + if pName != test.Policy { continue } - if test.Namespace != "" && test.Namespace != resource.GetNamespace() { + if resourceName != "" && rName != resourceName && resource.GetName() != resourceName { continue } matches = append(matches, response) 
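Review bot: `lookupEngineResponses` no longer reads `test.Namespace`, so a test file that still sets the deprecated `namespace:` field has it silently ignored, and a bare resource name now matches a same-named resource in any namespace through the `resource.GetName() != resourceName` fallback. An expectation written for one namespace can therefore be checked against a response from another, which makes a policy test pass or fail for the wrong reason. The policy side has the opposite asymmetry: `pName != test.Policy` has no bare-name fallback, so a namespaced policy referenced by name alone stops matching. Until the field is removed I would either keep honouring it, `if test.Namespace != "" && resource.GetNamespace() != test.Namespace { continue }`, or reject or warn on such files at load time. If the loader already does this, a comment here saying so would help.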
@@ -211,7 +207,7 @@ func lookupEngineResponses(test testapi.TestResults, resourceName string, respon return matches } -func lookupRuleResponses(test testapi.TestResults, responses ...engineapi.RuleResponse) []engineapi.RuleResponse { +func lookupRuleResponses(test testapi.TestResult, responses ...engineapi.RuleResponse) []engineapi.RuleResponse { var matches []engineapi.RuleResponse // Since there are no rules in case of validating admission policies, responses are returned without checking rule names. if test.IsValidatingAdmissionPolicy { diff --git a/cmd/cli/kubectl-kyverno/commands/test/output.go b/cmd/cli/kubectl-kyverno/commands/test/output.go index 65b247b2fa..fcab7102d3 100644 --- a/cmd/cli/kubectl-kyverno/commands/test/output.go +++ b/cmd/cli/kubectl-kyverno/commands/test/output.go @@ -12,7 +12,7 @@ import ( ) func printTestResult( - tests []testapi.TestResults, + tests []testapi.TestResult, responses []engineapi.EngineResponse, rc *resultCounts, failOnly bool, diff --git a/cmd/cli/kubectl-kyverno/report/report.go b/cmd/cli/kubectl-kyverno/report/report.go index 254b3bc0f3..8c5b7066ce 100644 --- a/cmd/cli/kubectl-kyverno/report/report.go +++ b/cmd/cli/kubectl-kyverno/report/report.go 
@@ -11,12 +11,9 @@ import ( "k8s.io/client-go/tools/cache" ) -func ComputePolicyReportResult(auditWarn bool, engineResponse engineapi.EngineResponse, ruleResponse engineapi.RuleResponse) (policyreportv1alpha2.PolicyReportResult, error) { +func ComputePolicyReportResult(auditWarn bool, engineResponse engineapi.EngineResponse, ruleResponse engineapi.RuleResponse) policyreportv1alpha2.PolicyReportResult { policy := engineResponse.Policy() - policyName, err := cache.MetaNamespaceKeyFunc(policy.MetaObject()) - if err != nil { - return policyreportv1alpha2.PolicyReportResult{}, err - } + policyName := cache.MetaObjectToName(policy.MetaObject()).String() audit := engineResponse.GetValidationFailureAction().Audit() scored := annotations.Scored(policy.GetAnnotations()) category := annotations.Category(policy.GetAnnotations()) @@ -57,10 +54,10 @@ func ComputePolicyReportResult(auditWarn bool, engineResponse engineapi.EngineRe result.Message = ruleResponse.Message() result.Source = kyverno.ValueKyvernoApp result.Timestamp = metav1.Timestamp{Seconds: ruleResponse.Stats().Timestamp()} - return result, nil + return result } -func ComputePolicyReportResultsPerPolicy(auditWarn bool, engineResponses ...engineapi.EngineResponse) (map[engineapi.GenericPolicy][]policyreportv1alpha2.PolicyReportResult, error) { +func ComputePolicyReportResultsPerPolicy(auditWarn bool, engineResponses ...engineapi.EngineResponse) map[engineapi.GenericPolicy][]policyreportv1alpha2.PolicyReportResult { results := map[engineapi.GenericPolicy][]policyreportv1alpha2.PolicyReportResult{} for _, engineResponse := range engineResponses { if len(engineResponse.PolicyResponse.Rules) == 0 { 
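Review bot: Replacing `cache.MetaNamespaceKeyFunc` with `cache.MetaObjectToName(policy.MetaObject()).String()` in `ComputePolicyReportResult` removes the only error path. `MetaObjectToName` calls methods on its argument directly, so if `MetaObject()` can ever return nil for some `GenericPolicy` implementation, this now panics where it previously returned an error. I cannot tell from the hunk whether that can happen. If it cannot, a short comment stating the invariant would justify dropping the `error` result, for example `// MetaObject() is never nil for the policy kinds the CLI loads`. The same call is added in `lookupEngineResponses` in commands/test/command.go. The function body continues into the next hunk.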
@@ -72,26 +69,19 @@ func ComputePolicyReportResultsPerPolicy(auditWarn bool, engineResponses ...engi // if ruleResponse.RuleType() != engineapi.Validation && ruleResponse.RuleType() != engineapi.ImageVerify { // continue // } - result, err := ComputePolicyReportResult(auditWarn, engineResponse, ruleResponse) - if err != nil { - return nil, err - } - results[policy] = append(results[policy], result) + results[policy] = append(results[policy], ComputePolicyReportResult(auditWarn, engineResponse, ruleResponse)) } } if len(results) == 0 { - return nil, nil + return nil } - return results, nil + return results } -func ComputePolicyReports(auditWarn bool, engineResponses ...engineapi.EngineResponse) ([]policyreportv1alpha2.ClusterPolicyReport, []policyreportv1alpha2.PolicyReport, error) { +func ComputePolicyReports(auditWarn bool, engineResponses ...engineapi.EngineResponse) ([]policyreportv1alpha2.ClusterPolicyReport, []policyreportv1alpha2.PolicyReport) { var clustered []policyreportv1alpha2.ClusterPolicyReport var namespaced []policyreportv1alpha2.PolicyReport - perPolicyResults, err := ComputePolicyReportResultsPerPolicy(auditWarn, engineResponses...) - if err != nil { - return nil, nil, err - } + perPolicyResults := ComputePolicyReportResultsPerPolicy(auditWarn, engineResponses...) for policy, results := range perPolicyResults { if policy.GetNamespace() == "" { report := policyreportv1alpha2.ClusterPolicyReport{ @@ -118,7 +108,7 @@ func ComputePolicyReports(auditWarn bool, engineResponses ...engineapi.EngineRes namespaced = append(namespaced, report) } } - return clustered, namespaced, nil + return clustered, namespaced } func MergeClusterReports(clustered []policyreportv1alpha2.ClusterPolicyReport) policyreportv1alpha2.ClusterPolicyReport { diff --git a/cmd/cli/kubectl-kyverno/report/report_test.go b/cmd/cli/kubectl-kyverno/report/report_test.go index 4fabccc3ed..a1570ae356 100644 --- a/cmd/cli/kubectl-kyverno/report/report_test.go 
+++ b/cmd/cli/kubectl-kyverno/report/report_test.go @@ -34,8 +34,7 @@ func TestComputeClusterPolicyReports(t *testing.T) { "validation rule 'pods-require-limits' passed.", ), ) - clustered, namespaced, err := ComputePolicyReports(false, er) - assert.NilError(t, err) + clustered, namespaced := ComputePolicyReports(false, er) assert.Equal(t, len(clustered), 1) assert.Equal(t, len(namespaced), 0) { @@ -69,8 +68,7 @@ func TestComputePolicyReports(t *testing.T) { "validation rule 'pods-require-limits' passed.", ), ) - clustered, namespaced, err := ComputePolicyReports(false, er) - assert.NilError(t, err) + clustered, namespaced := ComputePolicyReports(false, er) assert.Equal(t, len(clustered), 0) assert.Equal(t, len(namespaced), 1) { @@ -104,8 +102,7 @@ func TestComputePolicyReportResultsPerPolicyOld(t *testing.T) { "validation rule 'pods-require-limits' passed.", ), ) - results, err := ComputePolicyReportResultsPerPolicy(false, er) - assert.NilError(t, err) + results := ComputePolicyReportResultsPerPolicy(false, er) for _, result := range results { assert.Equal(t, len(result), 2) for _, r := range result { @@ -274,8 +271,7 @@ func TestComputePolicyReportResult(t *testing.T) { }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := ComputePolicyReportResult(tt.auditWarn, tt.engineResponse, tt.ruleResponse) - assert.NilError(t, err) + got := ComputePolicyReportResult(tt.auditWarn, tt.engineResponse, tt.ruleResponse) got.Timestamp = metav1.Timestamp{} if !reflect.DeepEqual(got, tt.want) { t.Errorf("ComputePolicyReportResult() = %v, want %v", got, tt.want) 
@@ -300,8 +296,7 @@ func TestComputePolicyReportResultsPerPolicy(t *testing.T) { }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := ComputePolicyReportResultsPerPolicy(tt.auditWarn, tt.engineResponses...) - assert.NilError(t, err) + got := ComputePolicyReportResultsPerPolicy(tt.auditWarn, tt.engineResponses...) if !reflect.DeepEqual(got, tt.want) { t.Errorf("ComputePolicyReportResultsPerPolicy() = %v, want %v", got, tt.want) } diff --git a/cmd/cli/kubectl-kyverno/test/filter/filter.go b/cmd/cli/kubectl-kyverno/test/filter/filter.go index 922ddc243b..11ce11e303 100644 --- a/cmd/cli/kubectl-kyverno/test/filter/filter.go +++ b/cmd/cli/kubectl-kyverno/test/filter/filter.go @@ -9,14 +9,14 @@ import ( ) type Filter interface { - Apply(testapi.TestResults) bool + Apply(testapi.TestResult) bool } type policy struct { value string } -func (f policy) Apply(result testapi.TestResults) bool { +func (f policy) Apply(result testapi.TestResult) bool { if result.Policy == "" { return true } @@ -30,7 +30,7 @@ type rule struct { value string } -func (f rule) Apply(result testapi.TestResults) bool { +func (f rule) Apply(result testapi.TestResult) bool { if result.Rule == "" { return true } @@ -44,7 +44,7 @@ type resource struct { value string } -func (f resource) Apply(result testapi.TestResults) bool { +func (f resource) Apply(result testapi.TestResult) bool { if result.Resource == "" { return true } @@ -58,7 +58,7 @@ type composite struct { filters []Filter } -func (f composite) Apply(result testapi.TestResults) bool { +func (f composite) Apply(result testapi.TestResult) bool { for _, f := range f.filters { if !f.Apply(result) { return false diff --git a/cmd/cli/kubectl-kyverno/test/filter/filter_test.go b/cmd/cli/kubectl-kyverno/test/filter/filter_test.go index 7e51a9b34c..ea92d5a099 100644 --- a/cmd/cli/kubectl-kyverno/test/filter/filter_test.go +++ b/cmd/cli/kubectl-kyverno/test/filter/filter_test.go 
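Review bot: `resource.Apply` in filter.go (hunk `@@ -44,7 +44,7 @@`) still looks only at `result.Resource`, which this commit moves into `TestResultDeprecated`. A result that lists its targets under `resources:`, as the migrated fixtures now do, has an empty `Resource`, so the visible guard `if result.Resource == "" { return true }` accepts it whatever the selector value is. A resource selector therefore stops narrowing anything once a test file has been migrated. I would fall through to the existing pattern match for each entry of `result.Resources` and return true only when `Resource` and `Resources` are both empty or one of them matches. The updated cases in filter_test.go only populate the deprecated field, so a case using `Resources` is worth adding. The rest of the method body is outside the hunk.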
@@ -12,51 +12,51 @@ func Test_policy_Apply(t *testing.T) { tests := []struct { name string value string - result testapi.TestResults + result testapi.TestResult want bool }{{ name: "empty result", value: "test", - result: testapi.TestResults{}, + result: testapi.TestResult{}, want: true, }, { name: "empty value", value: "", - result: testapi.TestResults{ - Policy: "test", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Policy: "test"}, }, want: false, }, { name: "empty value and result", value: "", - result: testapi.TestResults{}, + result: testapi.TestResult{}, want: true, }, { name: "match", value: "test", - result: testapi.TestResults{ - Policy: "test", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Policy: "test"}, }, want: true, }, { name: "no match", value: "test", - result: testapi.TestResults{ - Policy: "not-test", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Policy: "not-test"}, }, want: false, }, { name: "wildcard match", value: "disallow-*", - result: testapi.TestResults{ - Policy: "disallow-latest-tag", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Policy: "disallow-latest-tag"}, }, want: true, }, { name: "wildcard does not match", value: "allow-*", - result: testapi.TestResults{ - Policy: "disallow-latest-tag", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Policy: "disallow-latest-tag"}, }, want: false, }} 
@@ -76,51 +76,51 @@ func Test_rule_Apply(t *testing.T) { tests := []struct { name string value string - result testapi.TestResults + result testapi.TestResult want bool }{{ name: "empty result", value: "test", - result: testapi.TestResults{}, + result: testapi.TestResult{}, want: true, }, { name: "empty value", value: "", - result: testapi.TestResults{ - Rule: "test", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Rule: "test"}, }, want: false, }, { name: "empty value and result", value: "", - result: testapi.TestResults{}, + result: testapi.TestResult{}, want: true, }, { name: "match", value: "test", - result: testapi.TestResults{ - Rule: "test", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Rule: "test"}, }, want: true, }, { name: "no match", value: "test", - result: testapi.TestResults{ - Rule: "not-test", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Rule: "not-test"}, }, want: false, }, { name: "wildcard match", value: "*-image-tag", - result: testapi.TestResults{ - Rule: "validate-image-tag", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Rule: "validate-image-tag"}, }, want: true, }, { name: "wildcard does not match", value: "require-*", - result: testapi.TestResults{ - Rule: "validate-image-tag", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Rule: "validate-image-tag"}, }, want: false, }} 
@@ -140,51 +140,51 @@ func Test_resource_Apply(t *testing.T) { tests := []struct { name string value string - result testapi.TestResults + result testapi.TestResult want bool }{{ name: "empty result", value: "test", - result: testapi.TestResults{}, + result: testapi.TestResult{}, want: true, }, { name: "empty value", value: "", - result: testapi.TestResults{ - Resource: "test", + result: testapi.TestResult{ + TestResultDeprecated: testapi.TestResultDeprecated{Resource: "test"}, }, want: false, }, { name: "empty value and result", value: "", - result: testapi.TestResults{}, + result: testapi.TestResult{}, want: true, }, { name: "match", value: "test", - result: testapi.TestResults{ - Resource: "test", + result: testapi.TestResult{ + TestResultDeprecated: testapi.TestResultDeprecated{Resource: "test"}, }, want: true, }, { name: "no match", value: "test", - result: testapi.TestResults{ - Resource: "not-test", + result: testapi.TestResult{ + TestResultDeprecated: testapi.TestResultDeprecated{Resource: "not-test"}, }, want: false, }, { name: "wildcard match", value: "good*01", - result: testapi.TestResults{ - Resource: "good-deployment-01", + result: testapi.TestResult{ + TestResultDeprecated: testapi.TestResultDeprecated{Resource: "good-deployment-01"}, }, want: true, }, { name: "wildcard does not match", value: "good*01", - result: testapi.TestResults{ - Resource: "bad-deployment-01", + result: testapi.TestResult{ + TestResultDeprecated: testapi.TestResultDeprecated{Resource: "bad-deployment-01"}, }, want: false, }} 
@@ -204,46 +204,46 @@ func Test_composite_Apply(t *testing.T) { tests := []struct { name string filters []Filter - result testapi.TestResults + result testapi.TestResult want bool }{{ name: "nil", filters: nil, - result: testapi.TestResults{}, + result: testapi.TestResult{}, want: true, }, { name: "empty", filters: []Filter{}, - result: testapi.TestResults{}, + result: testapi.TestResult{}, want: true, }, { name: "policy match", filters: []Filter{policy{"test"}}, - result: testapi.TestResults{ - Policy: "test", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Policy: "test"}, }, want: true, }, { name: "policy no match", filters: []Filter{policy{"test"}}, - result: testapi.TestResults{ - Policy: "not-test", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Policy: "not-test"}, }, want: false, }, { name: "policy and resource match", filters: []Filter{policy{"test"}, resource{"resource"}}, - result: testapi.TestResults{ - Policy: "test", - Resource: "resource", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Policy: "test"}, + TestResultDeprecated: testapi.TestResultDeprecated{Resource: "resource"}, }, want: true, }, { name: "policy match and resource no match", filters: []Filter{policy{"test"}, resource{"resource"}}, - result: testapi.TestResults{ - Policy: "test", - Resource: "not-resource", + result: testapi.TestResult{ + TestResultBase: testapi.TestResultBase{Policy: "test"}, + TestResultDeprecated: testapi.TestResultDeprecated{Resource: "not-resource"}, }, want: false, }, diff --git a/cmd/cli/kubectl-kyverno/test/load_test.go b/cmd/cli/kubectl-kyverno/test/load_test.go index dd5d75731f..5cd344ce29 100644 --- a/cmd/cli/kubectl-kyverno/test/load_test.go +++ b/cmd/cli/kubectl-kyverno/test/load_test.go 
@@ -50,18 +50,22 @@ func TestLoadTests(t *testing.T) { Name: "test-registry", Policies: []string{"image-example.yaml"}, Resources: []string{"resources.yaml"}, - Results: []testapi.TestResults{{ - Kind: "Pod", - Policy: "images", + Results: []testapi.TestResult{{ + TestResultBase: testapi.TestResultBase{ + Kind: "Pod", + Policy: "images", + Result: policyreportv1alpha2.StatusPass, + Rule: "only-allow-trusted-images", + }, Resources: []string{"test-pod-with-non-root-user-image"}, - Result: policyreportv1alpha2.StatusPass, - Rule: "only-allow-trusted-images", }, { - Kind: "Pod", - Policy: "images", + TestResultBase: testapi.TestResultBase{ + Kind: "Pod", + Policy: "images", + Result: policyreportv1alpha2.StatusPass, + Rule: "only-allow-trusted-images", + }, Resources: []string{"test-pod-with-trusted-registry"}, - Result: policyreportv1alpha2.StatusPass, - Rule: "only-allow-trusted-images", }}, }, }}, 
@@ -76,20 +80,24 @@ func TestLoadTests(t *testing.T) { Name: "add-quota", Policies: []string{"policy.yaml"}, Resources: []string{"resource.yaml"}, - Results: []testapi.TestResults{{ - Kind: "Namespace", - Policy: "add-ns-quota", - Resources: []string{"hello-world-namespace"}, - Result: policyreportv1alpha2.StatusPass, - Rule: "generate-resourcequota", - GeneratedResource: "generatedResourceQuota.yaml", + Results: []testapi.TestResult{{ + TestResultBase: testapi.TestResultBase{ + Kind: "Namespace", + Policy: "add-ns-quota", + Result: policyreportv1alpha2.StatusPass, + Rule: "generate-resourcequota", + GeneratedResource: "generatedResourceQuota.yaml", + }, + Resources: []string{"hello-world-namespace"}, }, { - Kind: "Namespace", - Policy: "add-ns-quota", - Resources: []string{"hello-world-namespace"}, - Result: policyreportv1alpha2.StatusPass, - Rule: "generate-limitrange", - GeneratedResource: "generatedLimitRange.yaml", + TestResultBase: testapi.TestResultBase{ + Kind: "Namespace", + Policy: "add-ns-quota", + Result: policyreportv1alpha2.StatusPass, + Rule: "generate-limitrange", + GeneratedResource: "generatedLimitRange.yaml", + }, + Resources: []string{"hello-world-namespace"}, }}, }, }}, 
@@ -104,18 +112,22 @@ func TestLoadTests(t *testing.T) { Name: "test-registry", Policies: []string{"image-example.yaml"}, Resources: []string{"resources.yaml"}, - Results: []testapi.TestResults{{ - Kind: "Pod", - Policy: "images", + Results: []testapi.TestResult{{ + TestResultBase: testapi.TestResultBase{ + Kind: "Pod", + Policy: "images", + Result: policyreportv1alpha2.StatusPass, + Rule: "only-allow-trusted-images", + }, Resources: []string{"test-pod-with-non-root-user-image"}, - Result: policyreportv1alpha2.StatusPass, - Rule: "only-allow-trusted-images", }, { - Kind: "Pod", - Policy: "images", + TestResultBase: testapi.TestResultBase{ + Kind: "Pod", + Policy: "images", + Result: policyreportv1alpha2.StatusPass, + Rule: "only-allow-trusted-images", + }, Resources: []string{"test-pod-with-trusted-registry"}, - Result: policyreportv1alpha2.StatusPass, - Rule: "only-allow-trusted-images", }}, }, }, { 
@@ -124,20 +136,24 @@ func TestLoadTests(t *testing.T) { Name: "add-quota", Policies: []string{"policy.yaml"}, Resources: []string{"resource.yaml"}, - Results: []testapi.TestResults{{ - Kind: "Namespace", - Policy: "add-ns-quota", - Resources: []string{"hello-world-namespace"}, - Result: policyreportv1alpha2.StatusPass, - Rule: "generate-resourcequota", - GeneratedResource: "generatedResourceQuota.yaml", + Results: []testapi.TestResult{{ + TestResultBase: testapi.TestResultBase{ + Kind: "Namespace", + Policy: "add-ns-quota", + Result: policyreportv1alpha2.StatusPass, + Rule: "generate-resourcequota", + GeneratedResource: "generatedResourceQuota.yaml", + }, + Resources: []string{"hello-world-namespace"}, }, { - Kind: "Namespace", - Policy: "add-ns-quota", - Resources: []string{"hello-world-namespace"}, - Result: policyreportv1alpha2.StatusPass, - Rule: "generate-limitrange", - GeneratedResource: "generatedLimitRange.yaml", + TestResultBase: testapi.TestResultBase{ + Kind: "Namespace", + Policy: "add-ns-quota", + Result: policyreportv1alpha2.StatusPass, + Rule: "generate-limitrange", + GeneratedResource: "generatedLimitRange.yaml", + }, + Resources: []string{"hello-world-namespace"}, }}, }, }}, 
@@ -185,18 +201,22 @@ func TestLoadTest(t *testing.T) {
 Name: "test-registry",
 Policies: []string{"image-example.yaml"},
 Resources: []string{"resources.yaml"},
- Results: []testapi.TestResults{{
- Kind: "Pod",
- Policy: "images",
+ Results: []testapi.TestResult{{
+ TestResultBase: testapi.TestResultBase{
+ Kind: "Pod",
+ Policy: "images",
+ Result: policyreportv1alpha2.StatusPass,
+ Rule: "only-allow-trusted-images",
+ },
 Resources: []string{"test-pod-with-non-root-user-image"},
- Result: policyreportv1alpha2.StatusPass,
- Rule: "only-allow-trusted-images",
 }, {
- Kind: "Pod",
- Policy: "images",
+ TestResultBase: testapi.TestResultBase{
+ Kind: "Pod",
+ Policy: "images",
+ Result: policyreportv1alpha2.StatusPass,
+ Rule: "only-allow-trusted-images",
+ },
 Resources: []string{"test-pod-with-trusted-registry"},
- Result: policyreportv1alpha2.StatusPass,
- Rule: "only-allow-trusted-images",
 }},
 },
 },
@@ -209,18 +229,22 @@ func TestLoadTest(t *testing.T) {
 Name: "test-registry",
 Policies: []string{"image-example.yaml"},
 Resources: []string{"resources.yaml"},
- Results: []testapi.TestResults{{
- Kind: "Pod",
- Policy: "images",
+ Results: []testapi.TestResult{{
+ TestResultBase: testapi.TestResultBase{
+ Kind: "Pod",
+ Policy: "images",
+ Result: policyreportv1alpha2.StatusPass,
+ Rule: "only-allow-trusted-images",
+ },
 Resources: []string{"test-pod-with-non-root-user-image"},
- Result: policyreportv1alpha2.StatusPass,
- Rule: "only-allow-trusted-images",
 }, {
- Kind: "Pod",
- Policy: "images",
+ TestResultBase: testapi.TestResultBase{
+ Kind: "Pod",
+ Policy: "images",
+ Result: policyreportv1alpha2.StatusPass,
+ Rule: "only-allow-trusted-images",
+ },
 Resources: []string{"test-pod-with-trusted-registry"},
- Result: policyreportv1alpha2.StatusPass,
- Rule: "only-allow-trusted-images",
 }},
 },
 },
diff --git a/test/cli/test-generate/create-default-pdb/kyverno-test.yaml b/test/cli/test-generate/create-default-pdb/kyverno-test.yaml
index 6866bb05e6..3471b46f2f 100644
--- a/test/cli/test-generate/create-default-pdb/kyverno-test.yaml +++ b/test/cli/test-generate/create-default-pdb/kyverno-test.yaml @@ -6,9 +6,8 @@ resources: results: - generatedResource: generatedResource.yaml kind: Deployment - namespace: hello-world policy: create-default-pdb resources: - - nginx-deployment + - hello-world/nginx-deployment result: pass rule: create-default-pdb diff --git a/test/cli/test-mutate/connection-draining/kyverno-test.yaml b/test/cli/test-mutate/connection-draining/kyverno-test.yaml index f41637fc8e..2c6f5325a5 100644 --- a/test/cli/test-mutate/connection-draining/kyverno-test.yaml +++ b/test/cli/test-mutate/connection-draining/kyverno-test.yaml @@ -1,17 +1,19 @@ name: connection-draining policies: - - policy.yaml +- policy.yaml resources: - - resource.yaml +- resource.yaml results: -- policy: disable-connection-draining - rule: clb - resource: nlb-aws-controller-no-attributes - kind: Service +- kind: Service + policy: disable-connection-draining + resources: + - nlb-aws-controller-no-attributes result: skip -- policy: disable-connection-draining - rule: nlb-no-attributes + rule: clb +- kind: Service patchedResource: patched.yaml - resource: nlb-aws-controller-no-attributes - kind: Service + policy: disable-connection-draining + resources: + - nlb-aws-controller-no-attributes result: pass + rule: nlb-no-attributes diff --git a/test/cli/test-mutate/kyverno-test.yaml b/test/cli/test-mutate/kyverno-test.yaml index b10c43e37f..e1fbdb95a8 100644 --- a/test/cli/test-mutate/kyverno-test.yaml +++ b/test/cli/test-mutate/kyverno-test.yaml 
@@ -5,27 +5,10 @@ resources: - resource.yaml results: - kind: Pod - namespace: practice - patchedResource: patchedResource1.yaml - policy: add-label - resources: - - resource-equal-to-patch-res-for-cp - result: skip - rule: add-label -- kind: Pod - namespace: testing - patchedResource: patchedResource2.yaml - policy: add-label - resources: - - same-name-but-diff-namespace - result: pass - rule: add-label -- kind: Pod - namespace: production patchedResource: patchedResource3.yaml policy: add-label resources: - - same-name-but-diff-namespace + - production/same-name-but-diff-namespace result: pass rule: add-label - kind: Deployment @@ -35,13 +18,6 @@ results: - mydeploy result: pass rule: add-label -# - kind: Service -# patchedResource: patchedResource5.yaml -# policy: add-label -# resources: -# - same-name-but-diff-kind -# result: skip -# rule: add-label - kind: Pod patchedResource: patchedResource6.yaml policy: add-label 
@@ -49,51 +25,13 @@ results: - same-name-but-diff-kind result: pass rule: add-label -# - kind: Pod -# namespace: practice -# patchedResource: patchedResource7.yaml -# policy: add-ndots -# resources: -# - resource-equal-to-patch-res-for-cp -# result: skip -# rule: add-ndots - kind: Pod - namespace: testing patchedResource: patchedResource8.yaml - policy: add-ndots + policy: testing/add-ndots resources: - same-name-but-diff-namespace result: pass rule: add-ndots -# - kind: Pod -# namespace: production -# patchedResource: patchedResource9.yaml -# policy: add-ndots -# resources: -# - same-name-but-diff-namespace -# result: skip -# rule: add-ndots -# - kind: Deployment -# patchedResource: patchedResource10.yaml -# policy: add-ndots -# resources: -# - mydeploy -# result: skip -# rule: add-ndots -# - kind: Service -# patchedResource: patchedResource5.yaml -# policy: add-ndots -# resources: -# - same-name-but-diff-kind -# result: skip -# rule: add-ndots -# - kind: Pod -# patchedResource: patchedResource11.yaml -# policy: add-ndots -# resources: -# - same-name-but-diff-kind -# result: skip -# rule: add-ndots - kind: Pod patchedResource: patched-resource.yaml policy: example @@ -101,3 +39,17 @@ results: - example result: pass rule: object_from_lists +- kind: Pod + patchedResource: patchedResource1.yaml + policy: add-label + resources: + - practice/resource-equal-to-patch-res-for-cp + result: skip + rule: add-label +- kind: Pod + patchedResource: patchedResource2.yaml + policy: add-label + resources: + - testing/same-name-but-diff-namespace + result: pass + rule: add-label diff --git a/test/cli/test/any-all-wildcard/kyverno-test.yaml b/test/cli/test/any-all-wildcard/kyverno-test.yaml index e58ad9c6de..eb4aad000a 100644 --- a/test/cli/test/any-all-wildcard/kyverno-test.yaml +++ b/test/cli/test/any-all-wildcard/kyverno-test.yaml 
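Review bot: The `add-ndots` entry keeps the bare resource name `same-name-but-diff-namespace` although this file uses that name for pods in both `testing` and `production`. The `namespace: testing` line is dropped and the qualifier moves only to the policy key, `policy: testing/add-ndots`, whereas the `add-label` entries in the same file now write the resource as `namespace/name`. If a bare name is matched by name alone (inferred, the matching code is not part of this hunk), the entry no longer states which of the two pods the `pass` applies to. Writing the item as `- testing/same-name-but-diff-namespace` would pin the expectation and match the other entries.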
@@ -5,24 +5,9 @@ resources: - resource.yaml results: - kind: Pod - namespace: namespace1 policy: disallow-protected-namespaces resources: - - test1 + - namespace2/test2 + - namespace1/test1 result: fail rule: disallow -- kind: Pod - namespace: namespace2 - policy: disallow-protected-namespaces - resources: - - test2 - result: fail - rule: disallow -# TODO CEB FIX -# - kind: Pod -# namespace: namespace3 -# policy: disallow-protected-namespaces -# resources: -# - test3 -# result: skip -# rule: disallow diff --git a/test/cli/test/any-namespaceSelector/kyverno-test.yaml b/test/cli/test/any-namespaceSelector/kyverno-test.yaml index 0e83c147cd..8e51fb3eee 100644 --- a/test/cli/test/any-namespaceSelector/kyverno-test.yaml +++ b/test/cli/test/any-namespaceSelector/kyverno-test.yaml @@ -5,10 +5,9 @@ resources: - resource.yaml results: - kind: Pod - namespace: test1 policy: enforce-pod-name resources: - - test-nginx + - test1/test-nginx result: pass rule: validate-name variables: value.yaml diff --git a/test/cli/test/exec-subresource/kyverno-test.yaml b/test/cli/test/exec-subresource/kyverno-test.yaml index 59041c0dbd..258b2b7f1d 100644 --- a/test/cli/test/exec-subresource/kyverno-test.yaml +++ b/test/cli/test/exec-subresource/kyverno-test.yaml @@ -5,10 +5,9 @@ resources: - resource.yaml results: - kind: PodExecOptions - namespace: default policy: deny-exec-by-pod-label resources: - - execpod + - default/execpod result: fail rule: deny-exec-by-label values: diff --git a/test/cli/test/images/digest/kyverno-test.yaml b/test/cli/test/images/digest/kyverno-test.yaml index abc6ba41c4..c58e3eeade 100644 --- a/test/cli/test/images/digest/kyverno-test.yaml +++ b/test/cli/test/images/digest/kyverno-test.yaml 
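Review bot: The commented `# TODO CEB FIX` case for `test3` in `namespace3` (expected `skip`) is deleted at the end of this hunk instead of being re-enabled. As shown, the file then asserts only `fail` outcomes for `disallow-protected-namespaces` and no longer records that the non-matching case is uncovered. The hunk in test/cli/test/mixed/kyverno-test.yaml does the same with the `user-foo` `ondemand-nodeselector` skip case. If the fix in this commit makes those cases pass, restore them in the new form, for example a `result: skip` entry listing `- namespace3/test3`. Otherwise keep a one-line `# TODO` naming the missing case so the gap in exclusion coverage stays visible.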
@@ -5,16 +5,14 @@ resources: - resources.yaml results: - kind: Pod - namespace: test policy: require-image-digest resources: - - no-digest + - test/no-digest result: fail rule: check-digest - kind: Pod - namespace: test policy: require-image-digest resources: - - with-digest + - test/with-digest result: pass rule: check-digest diff --git a/test/cli/test/jmespath-brackets/kyverno-test.yaml b/test/cli/test/jmespath-brackets/kyverno-test.yaml index a347222289..46a1aebe15 100644 --- a/test/cli/test/jmespath-brackets/kyverno-test.yaml +++ b/test/cli/test/jmespath-brackets/kyverno-test.yaml @@ -5,7 +5,7 @@ resources: - resources.yaml results: - kind: Pod - policy: test-jmespath + policy: default/test-jmespath resources: - test-valid1 - test-valid2 @@ -13,7 +13,7 @@ results: result: pass rule: test-jmespath - kind: Pod - policy: test-jmespath + policy: default/test-jmespath resources: - test-invalid result: fail diff --git a/test/cli/test/jmespath-brackets/policy.yaml b/test/cli/test/jmespath-brackets/policy.yaml index 89d670ec5f..24d4ef7823 100644 --- a/test/cli/test/jmespath-brackets/policy.yaml +++ b/test/cli/test/jmespath-brackets/policy.yaml @@ -2,6 +2,7 @@ apiVersion: kyverno.io/v1 kind: Policy metadata: name: test-jmespath + namespace: default annotations: pod-policies.kyverno.io/autogen-controllers: none spec: diff --git a/test/cli/test/limit-configmap-for-sa/kyverno-test.yaml b/test/cli/test/limit-configmap-for-sa/kyverno-test.yaml index 91545a2ceb..646ebae57f 100644 --- a/test/cli/test/limit-configmap-for-sa/kyverno-test.yaml +++ b/test/cli/test/limit-configmap-for-sa/kyverno-test.yaml 
@@ -5,16 +5,15 @@ resources: - resource.yaml results: - kind: ConfigMap - namespace: any-namespace policy: limit-configmap-for-sa resources: - - any-configmap-name-good + - any-namespace/any-configmap-name-good result: fail rule: limit-configmap-for-sa-developer - kind: ConfigMap policy: limit-configmap-for-sa resources: - - any-configmap-name-bad + - any-namespace/any-configmap-name-bad result: skip rule: limit-configmap-for-sa-developer variables: variables.yaml diff --git a/test/cli/test/mixed/kyverno-test.yaml b/test/cli/test/mixed/kyverno-test.yaml index 74cfdc8a57..c0a99ea19f 100644 --- a/test/cli/test/mixed/kyverno-test.yaml +++ b/test/cli/test/mixed/kyverno-test.yaml @@ -5,33 +5,21 @@ resources: - resource.yaml results: - kind: Pod - namespace: user-space + policy: ondemand + resources: + - user-foo/nodeselector-without-labels-on-mutation + result: fail + rule: ondemand-managed_by +- kind: Pod patchedResource: patched-resource.yaml policy: ondemand resources: - - nodeselector-with-labels-on-mutation + - user-space/nodeselector-with-labels-on-mutation result: pass rule: ondemand-nodeselector - kind: Pod - namespace: user-space policy: ondemand resources: - - nodeselector-with-labels-on-mutation + - user-space/nodeselector-with-labels-on-mutation result: pass rule: ondemand-managed_by -# TODO CEB FIX -# - kind: Pod -# namespace: user-foo -# patchedResource: patched-resource1.yaml -# policy: ondemand -# resources: -# - nodeselector-without-labels-on-mutation -# result: skip -# rule: ondemand-nodeselector -- kind: Pod - namespace: user-foo - policy: ondemand - resources: - - nodeselector-without-labels-on-mutation - result: fail - rule: ondemand-managed_by diff --git a/test/cli/test/scale-subresource/kyverno-test.yaml b/test/cli/test/scale-subresource/kyverno-test.yaml index f7dcf70a9c..9e81025b80 100644 --- a/test/cli/test/scale-subresource/kyverno-test.yaml +++ b/test/cli/test/scale-subresource/kyverno-test.yaml 
@@ -5,10 +5,9 @@ resources: - resource.yaml results: - kind: Scale - namespace: default policy: enforce-replicas-for-scale-subresource resources: - - nginx-test + - default/nginx-test result: fail rule: validate-nginx-test variables: values.yaml diff --git a/test/cli/test/simple/kyverno-test.yaml b/test/cli/test/simple/kyverno-test.yaml index fd32482dcc..fe5c63321a 100644 --- a/test/cli/test/simple/kyverno-test.yaml +++ b/test/cli/test/simple/kyverno-test.yaml 
@@ -5,76 +5,62 @@ resources: - resources.yaml results: - kind: Pod - namespace: test + policy: disallow-latest-tag + resources: + - test/test-validate-image-tag-fail + result: fail + rule: validate-image-tag +- kind: Pod policy: duration-test resources: - - test-lifetime-fail + - test/test-lifetime-fail result: fail rule: greater-than - kind: Pod - namespace: test + policy: disallow-latest-tag + resources: + - test/test-validate-image-tag-pass + result: pass + rule: validate-image-tag +- kind: Pod policy: duration-test resources: - - test-lifetime-fail + - test/test-lifetime-fail + result: pass + rule: less-equal-than +- kind: Pod + policy: disallow-latest-tag + resources: + - test/test-require-image-tag-pass + result: pass + rule: require-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - test/test-require-image-tag-fail + result: fail + rule: require-image-tag +- kind: Pod + policy: duration-test + resources: + - test/test-lifetime-fail result: pass rule: less-than - kind: Pod - namespace: test policy: duration-test resources: - - test-lifetime-fail + - test/test-lifetime-fail result: fail rule: greater-equal-than -- kind: Pod - namespace: test - policy: restrict-pod-counts - resources: - - test-require-image-tag-pass - - test-require-image-tag-fail - - test-validate-image-tag-fail - - test-validate-image-tag-pass - result: fail - rule: restrict-pod-count -- kind: Pod - namespace: test - policy: disallow-latest-tag - resources: - - test-require-image-tag-pass - result: pass - rule: require-image-tag -- kind: Pod - namespace: test - policy: disallow-latest-tag - resources: - - test-require-image-tag-fail - result: fail - rule: require-image-tag -- kind: Pod - namespace: test - policy: disallow-latest-tag - resources: - - test-validate-image-tag-pass - result: pass - rule: validate-image-tag -- kind: Pod - namespace: test - policy: disallow-latest-tag - resources: - - test-validate-image-tag-fail - result: fail - rule: validate-image-tag -- kind: 
Pod - namespace: test - policy: duration-test - resources: - - test-lifetime-fail - result: pass - rule: less-equal-than - kind: Pod policy: restrict-pod-counts resources: - myapp-pod - test-validate-image-tag-ignore + - test/test-require-image-tag-pass + - test/test-require-image-tag-fail + - test/test-validate-image-tag-fail + - test/test-validate-image-tag-pass result: fail rule: restrict-pod-count variables: values.yaml