diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go
index b2e87215dd..e665933912 100644
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@@ -119,8 +119,8 @@ type Spec struct {
 WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
 }
-func (s *Spec) CustomWebhookConfiguration() bool {
- return s.WebhookConfiguration != nil
+func (s *Spec) CustomWebhookMatchConditions() bool {
+ return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0
 }
 func (s *Spec) SetRules(rules []Rule) {
diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go
index b0a5e713a0..d6e7a4eb6b 100644
--- a/api/kyverno/v2beta1/spec_types.go
+++ b/api/kyverno/v2beta1/spec_types.go
@@ -81,8 +81,8 @@ type Spec struct {
 WebhookConfiguration *kyvernov1.WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
 }
-func (s *Spec) CustomWebhookConfiguration() bool {
- return s.WebhookConfiguration != nil
+func (s *Spec) CustomWebhookMatchConditions() bool {
+ return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0
 }
 func (s *Spec) SetRules(rules []Rule) {
diff --git a/pkg/controllers/policycache/controller.go b/pkg/controllers/policycache/controller.go
index e65fa9297e..f5073dff22 100644
--- a/pkg/controllers/policycache/controller.go
+++ b/pkg/controllers/policycache/controller.go
@@ -113,7 +113,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 }
 return err
 }
- if policy.AdmissionProcessingEnabled() && !policy.GetSpec().CustomWebhookConfiguration() {
+ if policy.AdmissionProcessingEnabled() && !policy.GetSpec().CustomWebhookMatchConditions() {
 if policy.IsReady() {
 return c.cache.Set(key, policy, c.client.Discovery())
 } else {
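Review bot: The renamed exported method `CustomWebhookMatchConditions` in the v1 spec_types.go hunk (and identically in the v2beta1 hunk) has no doc comment, and the rename also narrows the predicate from "any webhookConfiguration block is present" to "at least one match condition is declared", which a reader carrying over the old name will not expect. Add a comment stating the contract, e.g. `// CustomWebhookMatchConditions reports whether the policy's webhookConfiguration declares at least one match condition; the webhook controller uses it to decide whether the policy needs its own per-policy webhook.` Because api/kyverno/v1 and v2beta1 are public API packages, dropping `CustomWebhookConfiguration` outright may break external Go consumers; if that matters, keep it as a one-line deprecated wrapper marked `// Deprecated: use CustomWebhookMatchConditions.` with its old body. Whether any out-of-tree callers exist is not visible from this diff.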
diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go
index 38da70e4aa..4c2a2a8786 100644
--- a/pkg/controllers/webhook/controller.go
+++ b/pkg/controllers/webhook/controller.go
@@ -702,7 +702,7 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(ctx context.Conte
 if p.AdmissionProcessingEnabled() {
 spec := p.GetSpec()
 if spec.HasMutateStandard() || spec.HasVerifyImages() {
- if spec.CustomWebhookConfiguration() {
+ if spec.CustomWebhookMatchConditions() {
 fineGrainedIgnore := newWebhookPerPolicy(c.defaultTimeout, ignore, cfg.GetMatchConditions(), p)
 fineGrainedFail := newWebhookPerPolicy(c.defaultTimeout, fail, cfg.GetMatchConditions(), p)
 if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
@@ -871,7 +871,7 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(ctx context.Con
 if p.AdmissionProcessingEnabled() {
 spec := p.GetSpec()
 if spec.HasValidate() || spec.HasGenerate() || spec.HasMutateExisting() || spec.HasVerifyImageChecks() || spec.HasVerifyManifests() {
- if spec.CustomWebhookConfiguration() {
+ if spec.CustomWebhookMatchConditions() {
 fineGrainedIgnore := newWebhookPerPolicy(c.defaultTimeout, ignore, cfg.GetMatchConditions(), p)
 fineGrainedFail := newWebhookPerPolicy(c.defaultTimeout, fail, cfg.GetMatchConditions(), p)
 if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
diff --git a/pkg/controllers/webhook/utils.go b/pkg/controllers/webhook/utils.go
index 4cc330b100..3e59eec937 100644
--- a/pkg/controllers/webhook/utils.go
+++ b/pkg/controllers/webhook/utils.go
@@ -65,7 +65,7 @@ func newWebhookPerPolicy(timeout int32, failurePolicy admissionregistrationv1.Fa
 Namespace: policy.GetNamespace(),
 Name: policy.GetName(),
 }
- if policy.GetSpec().CustomWebhookMatchConditions() {
+ if policy.GetSpec().CustomWebhookMatchConditions() {
 webhook.matchConditions = policy.GetSpec().GetMatchConditions()
 }
 return webhook
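Review bot: In the utils.go hunk, `newWebhookPerPolicy` re-evaluates `policy.GetSpec().CustomWebhookMatchConditions()` although both call sites visible in the controller.go hunks (mutating and validating) only reach it from inside an `if spec.CustomWebhookMatchConditions()` branch, and `GetSpec()` is then called a second time on the next line. Either hoist the spec once, `spec := policy.GetSpec()` followed by `if spec.CustomWebhookMatchConditions() { webhook.matchConditions = spec.GetMatchConditions() }`, or, if the guard is meant to stay as a defensive check for other callers, say so with a comment such as `// callers already gate on match conditions; kept so a per-policy webhook never carries an empty condition list`. Without that note the next reader cannot tell which side owns the check. Both enclosing controller functions start and end outside their hunks, so other callers of newWebhookPerPolicy may exist that are not shown here.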
diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go
index 336e955068..e7fba25a6a 100644
--- a/pkg/validation/policy/validate.go
+++ b/pkg/validation/policy/validate.go
@@ -133,7 +133,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 spec := policy.GetSpec()
 background := spec.BackgroundProcessingEnabled()
 mutateExistingOnPolicyUpdate := spec.GetMutateExistingOnPolicyUpdate()
- if policy.GetSpec().CustomWebhookConfiguration() &&
+ if policy.GetSpec().CustomWebhookMatchConditions() &&
 !kubeutils.HigherThanKubernetesVersion(client.GetKubeClient().Discovery(), logging.GlobalLogger(), 1, 27, 0) {
 return warnings, fmt.Errorf("custom webhook configurations are only supported in kubernetes version 1.27.0 and above")
 }
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/README.md b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/README.md
new file mode 100644
index 0000000000..ed2abbd212
--- /dev/null
+++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test creates a policy with `failurePolicy: Fail` but the configuration has `forceWebhookFailurePolicyIgnore: true`.
+
+## Expected Behavior
+
+Webhooks should be configured with `failurePolicy: Ignore` regardless of the failure policy configured in the policies.
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/chainsaw-test.yaml
new file mode 100755
index 0000000000..3f8de96975
--- /dev/null
+++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/chainsaw-test.yaml
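Review bot: The error string two lines below the changed condition is now stale: the version check only fires when the policy declares webhook match conditions, so a policy that sets just `webhookConfiguration.failurePolicy` or `timeoutSeconds` on a pre-1.27 cluster is no longer rejected, yet a rejected policy is still told that "custom webhook configurations" are unsupported. Name what is actually gated, `return warnings, fmt.Errorf("webhook match conditions are only supported in kubernetes version 1.27.0 and above")`. That the remaining webhookConfiguration fields are acceptable on older clusters is presumably the intent of the change, but nothing in this hunk validates them, and `spec` is already in scope on the first context line so `policy.GetSpec()` need not be called again. `Validate` continues outside the hunk.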
@@ -0,0 +1,17 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: fail +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - assert: + file: webhooks-assert.yaml diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy-assert.yaml new file mode 100644 index 0000000000..1676676194 --- /dev/null +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy-assert.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy.yaml new file mode 100644 index 0000000000..79d3bec1fb --- /dev/null +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy.yaml 
@@ -0,0 +1,47 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + failurePolicy: Fail + validationFailureAction: Enforce + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - Pod + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +spec: + failurePolicy: Fail + validationFailureAction: Enforce + background: false + rules: + - name: add-labels + match: + any: + - resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret + mutate: + patchStrategicMerge: + metadata: + labels: + foo: bar diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/webhooks-assert.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/webhooks-assert.yaml new file mode 100644 index 0000000000..1a0d490d55 --- /dev/null +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/webhooks-assert.yaml 
@@ -0,0 +1,39 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ labels:
+ webhook.kyverno.io/managed-by: kyverno
+ name: kyverno-resource-validating-webhook-cfg
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: kyverno-svc
+ namespace: kyverno
+ path: /validate/ignore
+ port: 443
+ failurePolicy: Ignore
+ matchPolicy: Equivalent
+ name: validate.kyverno.svc-ignore
+ sideEffects: NoneOnDryRun
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ labels:
+ webhook.kyverno.io/managed-by: kyverno
+ name: kyverno-resource-mutating-webhook-cfg
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: kyverno-svc
+ namespace: kyverno
+ path: /mutate/ignore
+ port: 443
+ failurePolicy: Ignore
+ matchPolicy: Equivalent
+ name: mutate.kyverno.svc-ignore
+ sideEffects: NoneOnDryRun
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml
index 79d3bec1fb..ad83cf9b6e 100644
--- a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml
+++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml
@@ -5,7 +5,6 @@ metadata:
 annotations:
 pod-policies.kyverno.io/autogen-controllers: none
 spec:
- failurePolicy: Fail
 validationFailureAction: Enforce
 background: false
 rules:
@@ -21,13 +20,14 @@ spec:
 metadata:
 labels:
 team: '?*'
+ webhookConfiguration:
+ failurePolicy: Fail
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
 name: add-labels
 spec:
- failurePolicy: Fail
 validationFailureAction: Enforce
 background: false
 rules:
@@ -45,3 +45,5 @@ spec:
 metadata:
 labels:
 foo: bar
+ webhookConfiguration:
+ failurePolicy: Fail
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/README.md new file mode 100644 index 0000000000..8c81c1c150 --- /dev/null +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/README.md @@ -0,0 +1,7 @@ +## Description + +This test tries to create policies with invalid timeouts (`< 1` or `> 30`). + +## Expected Behavior + +Policies should be rejected. diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..3d487ec0b9 --- /dev/null +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/chainsaw-test.yaml @@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: invalid-timeout +spec: + steps: + - name: step-01 + try: + - apply: + expect: + - check: + ($error != null): true + file: policy-1.yaml + - apply: + expect: + - check: + ($error != null): true + file: policy-2.yaml diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-1.yaml new file mode 100644 index 0000000000..2c73d95718 --- /dev/null +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-1.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny +spec: + validationFailureAction: Audit + webhookTimeoutSeconds: -1 + rules: + - name: deny + match: + any: + - resources: + kinds: + - Pod + validate: + deny: {} 
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-2.yaml
new file mode 100644
index 0000000000..c7510ba423
--- /dev/null
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-2.yaml
@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny
+spec:
+ validationFailureAction: Audit
+ webhookTimeoutSeconds: 31
+ rules:
+ - name: deny
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml
index 2c73d95718..3f48c1eb06 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml
@@ -4,7 +4,6 @@ metadata:
 name: deny
 spec:
 validationFailureAction: Audit
- webhookTimeoutSeconds: -1
 rules:
 - name: deny
 match:
@@ -14,3 +13,5 @@ spec:
 - Pod
 validate:
 deny: {}
+ webhookConfiguration:
+ timeoutSeconds: -1
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml
index c7510ba423..11a0a39da1 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml
@@ -4,7 +4,6 @@ metadata:
 name: deny
 spec:
 validationFailureAction: Audit
- webhookTimeoutSeconds: 31
 rules:
 - name: deny
 match:
@@ -14,3 +13,5 @@ spec:
 - Pod
 validate:
 deny: {}
+ webhookConfiguration:
+ timeoutSeconds: 31
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/README.md new file mode 100644 index 0000000000..421d1f1220 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test is migrated from e2e. It tests basic YAML manifest signature validation functionality. + +## Expected Behavior + +The `test-deployment` (defined in `bad.yaml`) should fail because it matches the policy conditions yet has not been signed while the `test-deployment` (defined in `02-good-deployment.yaml`) should pass because it also matches yet has been signed and the signature is valid according to the public key defined in the policy. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/bad.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/bad.yaml new file mode 100644 index 0000000000..2d62719135 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/bad.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nginx + name: test-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 0000000000..ffd1fdeca1 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-step-02-apply-1-1.yaml 
@@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/wBaAaX+H4sIAAAAAAAA/+ySz27bMAzGffZT8AUcSf6TpDrvuMMOw64DazOeEP2bxBZtn35wnXhegOW4oYB/F9rg930gQYlnTOIU7EApC/8mlDye7c9xqNk/Stc49902rn1ppZRy9OKr6IOLiXI2fqwYUzW+KXmQDw9tUx8FU+ZqoGjDqyPPu1d0tigm775t3+th371XWc//E12zL1Rbq042XacOhWzquusKkMU/4CkzpkLKdH4awh1dZjyd7vQvuyz1g4DRfKOUTfAaMMYsnlV5Nn7Q8Gk5Y+mIcUBGXQJYfCSbpy+YDBr8aPxLCeDRkYabF1DmSP0kThSt6TFrUCVAJks9hzTHOOT+x+dV7k0yk4sWmS7q1TAT9g/jjRXgOsBEHzyj8ZRW8gqMw5EuFq12qt3VS/e61u+8mRgSr0LmoCX+S0is4SjL/33djY2Njb/zKwAA//+MAMwjAAgAAAEAAP//7NcJ9loBAAA= + cosign.sigstore.dev/signature: MEUCICLCfb3LGKXcdKV3gTXl6qba3T2goZMbVX/54gyNR05UAiEAlvPuWVsCPuBx5wVqvtyT7hr/AfR9Fl7cNLDACaNIbx8= + labels: + app: nginx + name: test-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..b0f5898802 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-test.yaml @@ -0,0 +1,23 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: yaml-signing +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - name: step-03 + try: + - script: + content: "if kubectl apply -f bad.yaml\nthen \n echo \"Tested failed. Deployment + was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test + succeeded. Deployment was not created as intended.\"\n exit 0\nfi\n" 
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy-ready.yaml new file mode 100644 index 0000000000..85287d431e --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-resources +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy.yaml new file mode 100644 index 0000000000..031a39261d --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy.yaml @@ -0,0 +1,49 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-resources +spec: + validationFailureAction: Enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: validate-resources + match: + any: + - resources: + kinds: + - Deployment + - Pod + name: test* + exclude: + any: + - resources: + kinds: + - Pod + subjects: + - kind: ServiceAccount + namespace: kube-system + name: replicaset-controller + - resources: + kinds: + - ReplicaSet + subjects: + - kind: ServiceAccount + namespace: kube-system + name: deployment-controller + validate: + manifests: + attestors: + - entries: + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY + BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng== + -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ctlog: + ignoreSCT: true diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml index 031a39261d..bab429a6ac 100644 
--- a/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml
+++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml
@@ -5,8 +5,6 @@ metadata:
 spec:
 validationFailureAction: Enforce
 background: false
- webhookTimeoutSeconds: 30
- failurePolicy: Fail
 rules:
 - name: validate-resources
 match:
@@ -47,3 +45,6 @@ spec:
 ignoreTlog: true
 ctlog:
 ignoreSCT: true
+ webhookConfiguration:
+ timeoutSeconds: 30
+ failurePolicy: Fail
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/README.md b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/README.md
new file mode 100644
index 0000000000..ce47d1280c
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy to verify manifests signatures.
+The policy specifies that two signatures are expected to be valid.
+
+## Expected Behavior
+
+Resource with no signature should be rejected.
+Resource with one signature should be rejected.
+Resource with two signatures should be accepted.
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/chainsaw-test.yaml
new file mode 100755
index 0000000000..8092e845b9
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/chainsaw-test.yaml
@@ -0,0 +1,32 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: multi-signatures +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: resource-no-signature.yaml + - apply: + expect: + - check: + ($error != null): true + file: resource-one-signature.yaml + - apply: + file: resource-two-signatures.yaml + - apply: + expect: + - check: + ($error != null): true + file: resource-bad-signatures.yaml diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy-assert.yaml new file mode 100644 index 0000000000..582ac4e67a --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-yaml +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy.yaml new file mode 100644 index 0000000000..e862e67b54 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy.yaml 
@@ -0,0 +1,42 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-yaml +spec: + validationFailureAction: Enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: validate-yaml + match: + any: + - resources: + kinds: + - Service + validate: + manifests: + attestors: + - entries: + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY + BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng== + -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ctlog: + ignoreSCT: true + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy + FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A== + -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ctlog: + ignoreSCT: true diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-bad-signatures.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-bad-signatures.yaml new file mode 100644 index 0000000000..736b82c127 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-bad-signatures.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA= + cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK + cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg== + name: test-service3 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: NotMyApp diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-no-signature.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-no-signature.yaml new file mode 100644 index 0000000000..87100c787a --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-no-signature.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: test-service1 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-one-signature.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-one-signature.yaml new file mode 100644 index 0000000000..3de473b4ee --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-one-signature.yaml 
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA + cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y= + name: test-service2 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-two-signatures.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-two-signatures.yaml new file mode 100644 index 0000000000..50a69cf200 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-two-signatures.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA= + cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK + cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg== + name: test-service3 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp 
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml
index e862e67b54..b0a27bf77d 100644
--- a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml
+++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml
@@ -4,9 +4,7 @@ metadata:
 name: validate-yaml
 spec:
 validationFailureAction: Enforce
- background: false
- webhookTimeoutSeconds: 30
- failurePolicy: Fail
+ background: false
 rules:
 - name: validate-yaml
 match:
@@ -40,3 +38,6 @@ spec:
 ignoreTlog: true
 ctlog:
 ignoreSCT: true
+ webhookConfiguration:
+ timeoutSeconds: 30
+ failurePolicy: Fail
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/README.md b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/README.md
new file mode 100644
index 0000000000..cf5eb1c5b2
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy to verify manifests signatures.
+The policy specifies that at least one signature is expected to be valid.
+
+## Expected Behavior
+
+Resource with no signature should be rejected.
+Resource with one signature should be accepted.
+Resource with two signatures should be accepted.
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/chainsaw-test.yaml
new file mode 100755
index 0000000000..04656217ff
--- /dev/null
+++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/chainsaw-test.yaml
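Review bot: In the first hunk of multi-signatures/policy.yaml the line `background: false` is removed and re-added with no visible difference, which suggests a whitespace-only change (trailing space or indentation) crept into the edit; leaving that line untouched keeps the hunk to the actual move of `webhookTimeoutSeconds` and `failurePolicy` under `webhookConfiguration`. The equivalent fixture hunks for yaml-signing and force-failure-policy-ignore show only the move, so this one is the outlier.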
@@ -0,0 +1,29 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: single-signature +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: resource-no-signature.yaml + - apply: + file: resource-one-signature.yaml + - apply: + file: resource-two-signatures.yaml + - apply: + expect: + - check: + ($error != null): true + file: resource-bad-signatures.yaml diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy-assert.yaml new file mode 100644 index 0000000000..582ac4e67a --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-yaml +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy.yaml new file mode 100644 index 0000000000..156eda52fe --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-yaml +spec: + validationFailureAction: Enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: validate-yaml + match: + any: + - resources: + kinds: + - Service + validate: + manifests: + attestors: + - count: 1 + entries: + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY + BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng== + -----END PUBLIC KEY----- + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy + FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A== + -----END PUBLIC KEY----- diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-bad-signatures.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-bad-signatures.yaml new file mode 100644 index 0000000000..736b82c127 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-bad-signatures.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA= + cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK + cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg== + name: test-service3 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: NotMyApp 
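Review bot: This copy deliberately keeps the spec-level `webhookTimeoutSeconds: 30` and `failurePolicy: Fail`, yet the paired `policy-assert.yaml` only checks the Ready condition, and the admission steps cannot tell Fail from Ignore: a Service with a bad signature is rejected either way as long as Kyverno is healthy. A regression that silently ignores the deprecated fields would therefore go unnoticed by this test, which is exactly the compatibility path it exists to guard. Consider asserting on the generated webhook configuration (`failurePolicy: Fail`, `timeoutSeconds: 30`) and adding a header comment such as `# Uses deprecated spec-level fields on purpose; the canonical test uses spec.webhookConfiguration`.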
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-no-signature.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-no-signature.yaml new file mode 100644 index 0000000000..87100c787a --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-no-signature.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: test-service1 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-one-signature.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-one-signature.yaml new file mode 100644 index 0000000000..3de473b4ee --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-one-signature.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA + cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y= + name: test-service2 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-two-signatures.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-two-signatures.yaml new file mode 100644 index 0000000000..50a69cf200 
--- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-two-signatures.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA= + cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK + cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg== + name: test-service3 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml index 156eda52fe..755b343c29 100644 --- a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml +++ b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml @@ -4,9 +4,7 @@ metadata: name: validate-yaml spec: validationFailureAction: Enforce - background: false - webhookTimeoutSeconds: 30 - failurePolicy: Fail + background: false rules: - name: validate-yaml match: @@ -31,3 +29,6 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A== -----END PUBLIC KEY----- + webhookConfiguration: + timeoutSeconds: 30 + failurePolicy: Fail diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/README.md new file mode 100644 index 0000000000..c40477b6f5 --- /dev/null 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test verifies that resource creation is not blocked if the `failurePolicy` is set to `Ignore`, when there is an error resolving context variables. + +## Expected Behavior + +The pod should be created successfully. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6742 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/bad-pod.yaml new file mode 100644 index 0000000000..0d38ac01a6 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/bad-pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-fail + namespace: failure-policy-test-noconfigmap-diffimage-success +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed + name: test-fail diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-step-02-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-step-02-apply-1.yaml new file mode 100755 index 0000000000..6f5564258f --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-step-02-apply-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: failure-policy-test-noconfigmap-diffimage-success 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-test.yaml new file mode 100755 index 0000000000..be39aaf6cf --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-test.yaml @@ -0,0 +1,23 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: failure-policy-test-noconfigmap-diffimage-success +spec: + timeouts: + delete: 2m + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1.yaml + - name: step-03 + try: + - apply: + file: bad-pod.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy-ready.yaml new file mode 100644 index 0000000000..cfdc4c1e1c --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: image-verify-polset-failurepolicy-ignore +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy.yaml new file mode 100644 index 0000000000..2b70672960 
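Review bot: The step-03 `apply: bad-pod.yaml` carries no `expect`, so the test passes whenever the Pod is admitted; nothing asserts that the unresolvable `myconfigmap` context actually produced a verification error that was surfaced (for example as an Event or a policy report entry for `test-fail`). Because the accompanying policy uses `validationFailureAction: Audit`, the Pod would presumably be admitted even if the failure-policy path were not the thing being exercised, so the test may not detect a regression in the behaviour the README describes. An additional assert on the recorded failure, or on the generated webhook's `failurePolicy: Ignore`, would make the fail-open outcome observable rather than assumed.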
--- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy.yaml @@ -0,0 +1,37 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + name: image-verify-polset-failurepolicy-ignore +spec: + background: false + failurePolicy: Ignore + rules: + - context: + - configMap: + name: myconfigmap + namespace: mynamespace + name: myconfigmap + match: + any: + - resources: + kinds: + - Pod + name: image-verify-pol1 + verifyImages: + - imageReferences: + - ghcr.io/* + mutateDigest: false + verifyDigest: false + attestors: + - entries: + - keys: + publicKeys: '{{myconfigmap.data.configmapkey}}' + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ctlog: + ignoreSCT: true + validationFailureAction: Audit + webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml index 2b70672960..10a3818996 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml @@ -6,7 +6,6 @@ metadata: name: image-verify-polset-failurepolicy-ignore spec: background: false - failurePolicy: Ignore rules: - context: - configMap: @@ -34,4 +33,6 @@ spec: ctlog: ignoreSCT: true validationFailureAction: Audit - webhookTimeoutSeconds: 30 + webhookConfiguration: + timeoutSeconds: 30 + failurePolicy: Ignore
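Review bot: The `failurePolicy: Ignore` moved under `webhookConfiguration` in the last hunk is the fail-open setting this fixture intends, but nothing in the file says so, and a policy that fetches its public key from a ConfigMap while ignoring webhook failures is a risky template to copy. A comment on the new block, e.g. `# Intentionally fail-open: the test checks that a missing context ConfigMap does not block admission (issue 6742)`, would make the intent explicit. It would also be worth stating in the same comment that the policy has no matchConditions, so its failure policy is expected to be honoured via the shared webhook rather than a per-policy one.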