mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
chore: add tests that use spec.webhookConfiguration (#10526)
* chore: add tests that use spec.webhookConfiguration Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix chainsaw tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy
GitHub
parent
b7bf894fe9
commit
e892a0531e
50 changed files with 732 additions and 23 deletions
|
|
@ -119,8 +119,8 @@ type Spec struct {
|
|||
WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
|
||||
}
|
||||
|
||||
func (s *Spec) CustomWebhookConfiguration() bool {
|
||||
return s.WebhookConfiguration != nil
|
||||
func (s *Spec) CustomWebhookMatchConditions() bool {
|
||||
return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0
|
||||
}
|
||||
|
||||
func (s *Spec) SetRules(rules []Rule) {
|
||||
|
|
|
|||
|
|
@ -81,8 +81,8 @@ type Spec struct {
|
|||
WebhookConfiguration *kyvernov1.WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
|
||||
}
|
||||
|
||||
func (s *Spec) CustomWebhookConfiguration() bool {
|
||||
return s.WebhookConfiguration != nil
|
||||
func (s *Spec) CustomWebhookMatchConditions() bool {
|
||||
return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0
|
||||
}
|
||||
|
||||
func (s *Spec) SetRules(rules []Rule) {
|
||||
|
|
|
|||
|
|
@ -113,7 +113,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
|||
}
|
||||
return err
|
||||
}
|
||||
if policy.AdmissionProcessingEnabled() && !policy.GetSpec().CustomWebhookConfiguration() {
|
||||
if policy.AdmissionProcessingEnabled() && !policy.GetSpec().CustomWebhookMatchConditions() {
|
||||
if policy.IsReady() {
|
||||
return c.cache.Set(key, policy, c.client.Discovery())
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -702,7 +702,7 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(ctx context.Conte
|
|||
if p.AdmissionProcessingEnabled() {
|
||||
spec := p.GetSpec()
|
||||
if spec.HasMutateStandard() || spec.HasVerifyImages() {
|
||||
if spec.CustomWebhookConfiguration() {
|
||||
if spec.CustomWebhookMatchConditions() {
|
||||
fineGrainedIgnore := newWebhookPerPolicy(c.defaultTimeout, ignore, cfg.GetMatchConditions(), p)
|
||||
fineGrainedFail := newWebhookPerPolicy(c.defaultTimeout, fail, cfg.GetMatchConditions(), p)
|
||||
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
|
||||
|
|
@ -871,7 +871,7 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(ctx context.Con
|
|||
if p.AdmissionProcessingEnabled() {
|
||||
spec := p.GetSpec()
|
||||
if spec.HasValidate() || spec.HasGenerate() || spec.HasMutateExisting() || spec.HasVerifyImageChecks() || spec.HasVerifyManifests() {
|
||||
if spec.CustomWebhookConfiguration() {
|
||||
if spec.CustomWebhookMatchConditions() {
|
||||
fineGrainedIgnore := newWebhookPerPolicy(c.defaultTimeout, ignore, cfg.GetMatchConditions(), p)
|
||||
fineGrainedFail := newWebhookPerPolicy(c.defaultTimeout, fail, cfg.GetMatchConditions(), p)
|
||||
if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
|
||||
|
|
|
|||
|
|
@ -65,7 +65,7 @@ func newWebhookPerPolicy(timeout int32, failurePolicy admissionregistrationv1.Fa
|
|||
Namespace: policy.GetNamespace(),
|
||||
Name: policy.GetName(),
|
||||
}
|
||||
if policy.GetSpec().CustomWebhookConfiguration() {
|
||||
if policy.GetSpec().CustomWebhookMatchConditions() {
|
||||
webhook.matchConditions = policy.GetSpec().GetMatchConditions()
|
||||
}
|
||||
return webhook
|
||||
|
|
|
|||
|
|
@ -133,7 +133,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
|
|||
spec := policy.GetSpec()
|
||||
background := spec.BackgroundProcessingEnabled()
|
||||
mutateExistingOnPolicyUpdate := spec.GetMutateExistingOnPolicyUpdate()
|
||||
if policy.GetSpec().CustomWebhookConfiguration() &&
|
||||
if policy.GetSpec().CustomWebhookMatchConditions() &&
|
||||
!kubeutils.HigherThanKubernetesVersion(client.GetKubeClient().Discovery(), logging.GlobalLogger(), 1, 27, 0) {
|
||||
return warnings, fmt.Errorf("custom webhook configurations are only supported in kubernetes version 1.27.0 and above")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,7 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy with `failurePolicy: Fail` but the configuration has `forceWebhookFailurePolicyIgnore: true`.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
Webhooks should be configured with `failurePolicy: Ignore` regardless of the failure policy configured in the policies.
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: fail
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- assert:
|
||||
file: webhooks-assert.yaml
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-labels
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-labels
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,47 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-labels
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
spec:
|
||||
failurePolicy: Fail
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
rules:
|
||||
- name: require-team
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: 'The label `team` is required.'
|
||||
pattern:
|
||||
metadata:
|
||||
labels:
|
||||
team: '?*'
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-labels
|
||||
spec:
|
||||
failurePolicy: Fail
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
rules:
|
||||
- name: add-labels
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
- Service
|
||||
- ConfigMap
|
||||
- Secret
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
labels:
|
||||
webhook.kyverno.io/managed-by: kyverno
|
||||
name: kyverno-resource-validating-webhook-cfg
|
||||
webhooks:
|
||||
- admissionReviewVersions:
|
||||
- v1
|
||||
clientConfig:
|
||||
service:
|
||||
name: kyverno-svc
|
||||
namespace: kyverno
|
||||
path: /validate/ignore
|
||||
port: 443
|
||||
failurePolicy: Ignore
|
||||
matchPolicy: Equivalent
|
||||
name: validate.kyverno.svc-ignore
|
||||
sideEffects: NoneOnDryRun
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
labels:
|
||||
webhook.kyverno.io/managed-by: kyverno
|
||||
name: kyverno-resource-mutating-webhook-cfg
|
||||
webhooks:
|
||||
- admissionReviewVersions:
|
||||
- v1
|
||||
clientConfig:
|
||||
service:
|
||||
name: kyverno-svc
|
||||
namespace: kyverno
|
||||
path: /mutate/ignore
|
||||
port: 443
|
||||
failurePolicy: Ignore
|
||||
matchPolicy: Equivalent
|
||||
name: mutate.kyverno.svc-ignore
|
||||
sideEffects: NoneOnDryRun
|
||||
|
|
@ -5,7 +5,6 @@ metadata:
|
|||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
spec:
|
||||
failurePolicy: Fail
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
rules:
|
||||
|
|
@ -21,13 +20,14 @@ spec:
|
|||
metadata:
|
||||
labels:
|
||||
team: '?*'
|
||||
webhookConfiguration:
|
||||
failurePolicy: Fail
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-labels
|
||||
spec:
|
||||
failurePolicy: Fail
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
rules:
|
||||
|
|
@ -45,3 +45,5 @@ spec:
|
|||
metadata:
|
||||
labels:
|
||||
foo: bar
|
||||
webhookConfiguration:
|
||||
failurePolicy: Fail
|
||||
|
|
|
|||
|
|
@ -0,0 +1,7 @@
|
|||
## Description
|
||||
|
||||
This test tries to create policies with invalid timeouts (`< 1` or `> 30`).
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
Policies should be rejected.
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: invalid-timeout
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: policy-1.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: policy-2.yaml
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: deny
|
||||
spec:
|
||||
validationFailureAction: Audit
|
||||
webhookTimeoutSeconds: -1
|
||||
rules:
|
||||
- name: deny
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
deny: {}
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: deny
|
||||
spec:
|
||||
validationFailureAction: Audit
|
||||
webhookTimeoutSeconds: 31
|
||||
rules:
|
||||
- name: deny
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
deny: {}
|
||||
|
|
@ -4,7 +4,6 @@ metadata:
|
|||
name: deny
|
||||
spec:
|
||||
validationFailureAction: Audit
|
||||
webhookTimeoutSeconds: -1
|
||||
rules:
|
||||
- name: deny
|
||||
match:
|
||||
|
|
@ -14,3 +13,5 @@ spec:
|
|||
- Pod
|
||||
validate:
|
||||
deny: {}
|
||||
webhookConfiguration:
|
||||
timeoutSeconds: -1
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@ metadata:
|
|||
name: deny
|
||||
spec:
|
||||
validationFailureAction: Audit
|
||||
webhookTimeoutSeconds: 31
|
||||
rules:
|
||||
- name: deny
|
||||
match:
|
||||
|
|
@ -14,3 +13,5 @@ spec:
|
|||
- Pod
|
||||
validate:
|
||||
deny: {}
|
||||
webhookConfiguration:
|
||||
timeoutSeconds: 31
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test is migrated from e2e. It tests basic YAML manifest signature validation functionality.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The `test-deployment` (defined in `bad.yaml`) should fail because it matches the policy conditions yet has not been signed while the `test-deployment` (defined in `02-good-deployment.yaml`) should pass because it also matches yet has been signed and the signature is valid according to the public key defined in the policy.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx
|
||||
name: test-deployment
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: nginx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx
|
||||
spec:
|
||||
containers:
|
||||
- image: nginx:1.14.2
|
||||
name: nginx
|
||||
ports:
|
||||
- containerPort: 80
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
annotations:
|
||||
cosign.sigstore.dev/message: H4sIAAAAAAAA/wBaAaX+H4sIAAAAAAAA/+ySz27bMAzGffZT8AUcSf6TpDrvuMMOw64DazOeEP2bxBZtn35wnXhegOW4oYB/F9rg930gQYlnTOIU7EApC/8mlDye7c9xqNk/Stc49902rn1ppZRy9OKr6IOLiXI2fqwYUzW+KXmQDw9tUx8FU+ZqoGjDqyPPu1d0tigm775t3+th371XWc//E12zL1Rbq042XacOhWzquusKkMU/4CkzpkLKdH4awh1dZjyd7vQvuyz1g4DRfKOUTfAaMMYsnlV5Nn7Q8Gk5Y+mIcUBGXQJYfCSbpy+YDBr8aPxLCeDRkYabF1DmSP0kThSt6TFrUCVAJks9hzTHOOT+x+dV7k0yk4sWmS7q1TAT9g/jjRXgOsBEHzyj8ZRW8gqMw5EuFq12qt3VS/e61u+8mRgSr0LmoCX+S0is4SjL/33djY2Njb/zKwAA//+MAMwjAAgAAAEAAP//7NcJ9loBAAA=
|
||||
cosign.sigstore.dev/signature: MEUCICLCfb3LGKXcdKV3gTXl6qba3T2goZMbVX/54gyNR05UAiEAlvPuWVsCPuBx5wVqvtyT7hr/AfR9Fl7cNLDACaNIbx8=
|
||||
labels:
|
||||
app: nginx
|
||||
name: test-deployment
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: nginx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx
|
||||
spec:
|
||||
containers:
|
||||
- image: nginx:1.14.2
|
||||
name: nginx
|
||||
ports:
|
||||
- containerPort: 80
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: yaml-signing
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1-1.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- script:
|
||||
content: "if kubectl apply -f bad.yaml\nthen \n echo \"Tested failed. Deployment
|
||||
was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test
|
||||
succeeded. Deployment was not created as intended.\"\n exit 0\nfi\n"
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-resources
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,49 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-resources
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: validate-resources
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
- Pod
|
||||
name: test*
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
namespace: kube-system
|
||||
name: replicaset-controller
|
||||
- resources:
|
||||
kinds:
|
||||
- ReplicaSet
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
namespace: kube-system
|
||||
name: deployment-controller
|
||||
validate:
|
||||
manifests:
|
||||
attestors:
|
||||
- entries:
|
||||
- keys:
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
|
||||
BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
|
|
@ -5,8 +5,6 @@ metadata:
|
|||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: validate-resources
|
||||
match:
|
||||
|
|
@ -47,3 +45,6 @@ spec:
|
|||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
webhookConfiguration:
|
||||
timeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
|
|
|
|||
|
|
@ -0,0 +1,10 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy to verify manifests signatures.
|
||||
The policy specifies that two signatures are expected to be valid.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
Resource with no signature should be rejected.
|
||||
Resource with one signature should be rejected.
|
||||
Resource with two signatures should be accepted.
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: multi-signatures
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: resource-no-signature.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: resource-one-signature.yaml
|
||||
- apply:
|
||||
file: resource-two-signatures.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: resource-bad-signatures.yaml
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-yaml
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-yaml
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: validate-yaml
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Service
|
||||
validate:
|
||||
manifests:
|
||||
attestors:
|
||||
- entries:
|
||||
- keys:
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
|
||||
BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
- keys:
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
|
||||
FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
|
||||
-----END PUBLIC KEY-----
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
annotations:
|
||||
cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
|
||||
cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
|
||||
cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
|
||||
name: test-service3
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
targetPort: 9376
|
||||
selector:
|
||||
app: NotMyApp
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: test-service1
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
targetPort: 9376
|
||||
selector:
|
||||
app: MyApp
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
annotations:
|
||||
cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA
|
||||
cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y=
|
||||
name: test-service2
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
targetPort: 9376
|
||||
selector:
|
||||
app: MyApp
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
annotations:
|
||||
cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
|
||||
cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
|
||||
cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
|
||||
name: test-service3
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
targetPort: 9376
|
||||
selector:
|
||||
app: MyApp
|
||||
|
|
@ -5,8 +5,6 @@ metadata:
|
|||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: validate-yaml
|
||||
match:
|
||||
|
|
@ -40,3 +38,6 @@ spec:
|
|||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
webhookConfiguration:
|
||||
timeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
|
|
|
|||
|
|
@ -0,0 +1,10 @@
|
|||
## Description
|
||||
|
||||
This test creates a policy to verify manifests signatures.
|
||||
The policy specifies that at least one signature is expected to be valid.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
Resource with no signature should be rejected.
|
||||
Resource with one signature should be accepted.
|
||||
Resource with two signatures should be accepted.
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: single-signature
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: resource-no-signature.yaml
|
||||
- apply:
|
||||
file: resource-one-signature.yaml
|
||||
- apply:
|
||||
file: resource-two-signatures.yaml
|
||||
- apply:
|
||||
expect:
|
||||
- check:
|
||||
($error != null): true
|
||||
file: resource-bad-signatures.yaml
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-yaml
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-yaml
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: validate-yaml
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Service
|
||||
validate:
|
||||
manifests:
|
||||
attestors:
|
||||
- count: 1
|
||||
entries:
|
||||
- keys:
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
|
||||
BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
|
||||
-----END PUBLIC KEY-----
|
||||
- keys:
|
||||
publicKeys: |-
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
|
||||
FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
|
||||
-----END PUBLIC KEY-----
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
annotations:
|
||||
cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
|
||||
cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
|
||||
cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
|
||||
name: test-service3
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
targetPort: 9376
|
||||
selector:
|
||||
app: NotMyApp
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: test-service1
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
targetPort: 9376
|
||||
selector:
|
||||
app: MyApp
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
annotations:
|
||||
cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA
|
||||
cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y=
|
||||
name: test-service2
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
targetPort: 9376
|
||||
selector:
|
||||
app: MyApp
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
annotations:
|
||||
cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
|
||||
cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
|
||||
cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
|
||||
name: test-service3
|
||||
spec:
|
||||
ports:
|
||||
- port: 80
|
||||
protocol: TCP
|
||||
targetPort: 9376
|
||||
selector:
|
||||
app: MyApp
|
||||
|
|
@ -5,8 +5,6 @@ metadata:
|
|||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: false
|
||||
webhookTimeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
rules:
|
||||
- name: validate-yaml
|
||||
match:
|
||||
|
|
@ -31,3 +29,6 @@ spec:
|
|||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
|
||||
FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
|
||||
-----END PUBLIC KEY-----
|
||||
webhookConfiguration:
|
||||
timeoutSeconds: 30
|
||||
failurePolicy: Fail
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test verifies that resource creation is not blocked if the `failurePolicy` is set to `Ignore`, when there is an error resolving context variables.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The pod should be created successfully.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/6742
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: test-fail
|
||||
namespace: failure-policy-test-noconfigmap-diffimage-success
|
||||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/kyverno/test-verify-image:signed
|
||||
name: test-fail
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: failure-policy-test-noconfigmap-diffimage-success
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: failure-policy-test-noconfigmap-diffimage-success
|
||||
spec:
|
||||
timeouts:
|
||||
delete: 2m
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-ready.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- apply:
|
||||
file: chainsaw-step-02-apply-1.yaml
|
||||
- name: step-03
|
||||
try:
|
||||
- apply:
|
||||
file: bad-pod.yaml
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: image-verify-polset-failurepolicy-ignore
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
annotations:
|
||||
pod-policies.kyverno.io/autogen-controllers: none
|
||||
name: image-verify-polset-failurepolicy-ignore
|
||||
spec:
|
||||
background: false
|
||||
failurePolicy: Ignore
|
||||
rules:
|
||||
- context:
|
||||
- configMap:
|
||||
name: myconfigmap
|
||||
namespace: mynamespace
|
||||
name: myconfigmap
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
name: image-verify-pol1
|
||||
verifyImages:
|
||||
- imageReferences:
|
||||
- ghcr.io/*
|
||||
mutateDigest: false
|
||||
verifyDigest: false
|
||||
attestors:
|
||||
- entries:
|
||||
- keys:
|
||||
publicKeys: '{{myconfigmap.data.configmapkey}}'
|
||||
rekor:
|
||||
url: https://rekor.sigstore.dev
|
||||
ignoreTlog: true
|
||||
ctlog:
|
||||
ignoreSCT: true
|
||||
validationFailureAction: Audit
|
||||
webhookTimeoutSeconds: 30
|
||||
|
|
@ -6,7 +6,6 @@ metadata:
|
|||
name: image-verify-polset-failurepolicy-ignore
|
||||
spec:
|
||||
background: false
|
||||
failurePolicy: Ignore
|
||||
rules:
|
||||
- context:
|
||||
- configMap:
|
||||
|
|
@ -34,4 +33,6 @@ spec:
|
|||
ctlog:
|
||||
ignoreSCT: true
|
||||
validationFailureAction: Audit
|
||||
webhookTimeoutSeconds: 30
|
||||
webhookConfiguration:
|
||||
timeoutSeconds: 30
|
||||
failurePolicy: Ignore
|
||||
|
|
|
|||
Loading…
Reference in a new issue