From e004d8ae8d836b33741e28a97a25060f5c3d094f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Wed, 31 Jul 2024 17:50:20 +0200 Subject: [PATCH] chore: bump chainsaw (#10687) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: bump chainsaw Signed-off-by: Charles-Edouard Brétéché * bump Signed-off-by: Charles-Edouard Brétéché * fix tests Signed-off-by: Charles-Edouard Brétéché * v0.2.8-beta.1 Signed-off-by: Charles-Edouard Brétéché * v0.2.8-beta.2 Signed-off-by: Charles-Edouard Brétéché * beta 3 Signed-off-by: Charles-Edouard Brétéché * cli Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché --- .github/workflows/conformance.yaml | 22 +++++++++---------- .../_step-templates/apply-policy.yaml | 10 +++++++++ .../autogen/conditions/chainsaw-test.yaml | 9 +++----- .../chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 2 +- .../validate-reference/chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 6 ++--- .../chainsaw-test.yaml | 4 ++-- .../chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 2 +- .../chainsaw-test.yaml | 2 +- 18 files changed, 42 insertions(+), 35 deletions(-) create mode 100644 test/conformance/chainsaw/_step-templates/apply-policy.yaml diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 5f9efdf636..b2a83b9c7c 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml 
@@ -128,7 +128,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -197,7 +197,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -271,7 +271,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -340,7 +340,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -413,7 +413,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 
@@ -489,7 +489,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -564,7 +564,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -643,7 +643,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster - name: Create kind cluster and setup Sigstore Scaffolding uses: sigstore/scaffolding/actions/setup@634364a897dff805b1a26ab18abaefe379616785 @@ -733,7 +733,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 
@@ -842,7 +842,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 - name: Download kyverno CLI archive uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: @@ -967,7 +967,7 @@ jobs: with: name: kubectl-kyverno - name: Install chainsaw - uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 diff --git a/test/conformance/chainsaw/_step-templates/apply-policy.yaml b/test/conformance/chainsaw/_step-templates/apply-policy.yaml new file mode 100644 index 0000000000..c9fe519481 --- /dev/null +++ b/test/conformance/chainsaw/_step-templates/apply-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: StepTemplate +metadata: + name: apply-policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/conditions/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/conditions/chainsaw-test.yaml index be01acaeff..8633b3cf59 100755 --- a/test/conformance/chainsaw/autogen/conditions/chainsaw-test.yaml +++ b/test/conformance/chainsaw/autogen/conditions/chainsaw-test.yaml @@ -1,3 +1,4 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: @@ -5,9 +6,5 @@ metadata: name: conditions spec: steps: - - name: step-01 - try: - - apply: - file: policy.yaml - - assert: - file: policy-assert.yaml + - use: + template: ../../_step-templates/apply-policy.yaml 
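Review bot: The new StepTemplate refers to `policy.yaml` and `policy-assert.yaml` by bare relative path, and nothing in the file says which directory they are resolved against. The template lives in `_step-templates/` while the one caller in this commit keeps its policy files beside its own `chainsaw-test.yaml`, so the paths are presumably resolved relative to the calling test; please confirm. I would add a header comment such as `# Applies policy.yaml and asserts policy-assert.yaml; both are expected in the directory of the test that uses this template.` so that a test missing either file fails for an obvious reason.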
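Review bot: The `# yaml-language-server: $schema=` line added at the top of `autogen/conditions/chainsaw-test.yaml` points at the `main` branch of kyverno/chainsaw, whereas the workflow in this same commit pins the chainsaw installer action to a full commit SHA. Editor validation can therefore drift from the chainsaw release that CI actually runs. Consider pinning the ref, e.g. `.../kyverno/chainsaw/<release-tag>/.schemas/json/test-chainsaw-v1alpha1.json`, where `<release-tag>` is a placeholder for the release CI installs. This is also the only test file in the commit that gets the header, so the other files touched here stay unvalidated in editors.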
diff --git a/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/chainsaw-test.yaml b/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/chainsaw-test.yaml index 3ee268cc0c..9a99811b36 100644 --- a/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/chainsaw-test.yaml +++ b/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/chainsaw-test.yaml @@ -22,7 +22,7 @@ spec: - script: content: kyverno apply policy.yaml --exception exception.yaml --cluster --namespace ns-1 check: - ($stdout): |- + (trim_space($stdout)): |- Applying 3 policy rule(s) to 1 resource(s) with 1 exception(s)... pass: 0, fail: 0, warn: 0, error: 0, skip: 1 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/chainsaw-test.yaml index 4d21d81823..4feecbe58c 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/chainsaw-test.yaml @@ -49,5 +49,5 @@ spec: content: kubectl get updaterequests -n kyverno check: # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- No resources found in kyverno namespace. diff --git a/test/conformance/chainsaw/globalcontext/validate-reference/chainsaw-test.yaml b/test/conformance/chainsaw/globalcontext/validate-reference/chainsaw-test.yaml index 9686910128..944f8c0b2d 100755 --- a/test/conformance/chainsaw/globalcontext/validate-reference/chainsaw-test.yaml +++ b/test/conformance/chainsaw/globalcontext/validate-reference/chainsaw-test.yaml 
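Review bot: In the `cpol-data-trigger-not-present` hunk, the context comment `# This check ensures the contents of stderr are exactly as shown.` is stale now that the key is `(trim_space($stderr))`. The comparison is made after trimming (presumably leading and trailing whitespace), so it is no longer an exact match. I would reword it to `# This check ensures stderr, after trimming surrounding whitespace, matches the text below.` The same comment sits above the changed line in the later hunks for `globalcontext/validate-reference`, the `delete-trigger-namespace` and `multiple-trigger-resources` tests, the `policy-validation/cluster-policy` tests and the `validate/clusterpolicy/cornercases` tests.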
@@ -12,5 +12,5 @@ spec: check: ($error != null): false # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Warning: Global context entry name is not provided diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/delete-trigger-namespace(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/delete-trigger-namespace(deprecated)/chainsaw-test.yaml index e75deeaabd..5b845b82e5 100755 --- a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/delete-trigger-namespace(deprecated)/chainsaw-test.yaml +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/delete-trigger-namespace(deprecated)/chainsaw-test.yaml @@ -40,5 +40,5 @@ spec: content: kubectl get updaterequests -n kyverno check: # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- No resources found in kyverno namespace. diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/delete-trigger-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/delete-trigger-namespace/chainsaw-test.yaml index e75deeaabd..5b845b82e5 100755 --- a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/delete-trigger-namespace/chainsaw-test.yaml +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/delete-trigger-namespace/chainsaw-test.yaml @@ -40,5 +40,5 @@ spec: content: kubectl get updaterequests -n kyverno check: # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- No resources found in kyverno namespace. 
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources(deprecated)/chainsaw-test.yaml index 561f5c5873..971e9d752e 100755 --- a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources(deprecated)/chainsaw-test.yaml +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources(deprecated)/chainsaw-test.yaml @@ -37,5 +37,5 @@ spec: content: kubectl get updaterequests -n kyverno check: # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- No resources found in kyverno namespace. diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/chainsaw-test.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/chainsaw-test.yaml index 561f5c5873..971e9d752e 100755 --- a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/chainsaw-test.yaml +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/chainsaw-test.yaml @@ -37,5 +37,5 @@ spec: content: kubectl get updaterequests -n kyverno check: # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- No resources found in kyverno namespace. diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/chainsaw-test.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/chainsaw-test.yaml index d1a0ba0537..31aed3b990 100755 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/chainsaw-test.yaml 
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-exceptions/chainsaw-test.yaml @@ -12,7 +12,7 @@ spec: check: ($error != null): true # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "exception-1.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: [spec.podSecurity[0].controlName: Invalid value: "Capabilities": exclude.images must be specified for the container level control, spec.podSecurity[3].controlName: Invalid value: "Privilege Escalation": exclude.images must be specified for the container level control] - name: Apply the second policy exception try: @@ -21,7 +21,7 @@ spec: check: ($error != null): true # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "exception-2.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: spec.podSecurity[0].values: Forbidden: values is required - name: Apply the third policy exception try: @@ -30,5 +30,5 @@ spec: check: ($error != null): true # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "exception-3.yaml": admission webhook "kyverno-svc.kyverno.svc" denied the request: spec.podSecurity[0].restrictedField: Forbidden: restrictedField is required diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/chainsaw-test.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/chainsaw-test.yaml index 3c3f838808..0f795dc051 100755 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/chainsaw-test.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/chainsaw-test.yaml 
@@ -12,7 +12,7 @@ spec: check: ($error != null): true # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "policy-1.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: spec.rules[0].podSecurity.exclude[0].values: Forbidden: values is required - name: Apply the second policy try: @@ -21,5 +21,5 @@ spec: check: ($error != null): true # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "policy-2.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: spec.rules[0].podSecurity.exclude[0].restrictedField: Forbidden: restrictedField is required diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/chainsaw-test.yaml index c1b16a36e8..a2d3792c6b 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/chainsaw-test.yaml @@ -23,7 +23,7 @@ spec: content: kubectl apply -f resource.yaml check: # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "resource.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Namespace//asdfhl was blocked due to the following policies 
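Review bot: In the `check-message-upon-resource-failure-deprecated` hunk, the visible part of the `check:` block compares only the trimmed stderr text. The other denial tests in this commit also assert `($error != null): true` ahead of the stderr comparison. The check continues past the end of the hunk, so the assertion may exist further down. If it does not, adding `($error != null): true` would make the test fail when `kubectl apply -f resource.yaml` is unexpectedly admitted, rather than depending on the message wording alone. The non-deprecated `check-message-upon-resource-failure` test has the same shape.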
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/chainsaw-test.yaml index c1b16a36e8..a2d3792c6b 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure/chainsaw-test.yaml @@ -23,7 +23,7 @@ spec: content: kubectl apply -f resource.yaml check: # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "resource.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Namespace//asdfhl was blocked due to the following policies diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/chainsaw-test.yaml index f1f748bdef..2b4812a8d4 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/chainsaw-test.yaml @@ -18,7 +18,7 @@ spec: check: ($error != null): true # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Pod/default/test was blocked due to the following policies 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/chainsaw-test.yaml index f1f748bdef..2b4812a8d4 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution/chainsaw-test.yaml @@ -18,7 +18,7 @@ spec: check: ($error != null): true # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Pod/default/test was blocked due to the following policies diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/chainsaw-test.yaml index 0a99116d08..42e0387475 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/chainsaw-test.yaml @@ -18,7 +18,7 @@ spec: check: ($error != null): true # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Pod/default/ba was blocked due to the following policies 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/chainsaw-test.yaml index 0a99116d08..42e0387475 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/chainsaw-test.yaml @@ -18,7 +18,7 @@ spec: check: ($error != null): true # This check ensures the contents of stderr are exactly as shown. - ($stderr): |- + (trim_space($stderr)): |- Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: resource Pod/default/ba was blocked due to the following policies