diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index ed1b01e1a8..a8a6874680 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -358,6 +358,8 @@ The chart values are organised per component. | admissionController.featuresOverride | object | `{"admissionReports":{"backPressureThreshold":1000}}` | Overrides features defined at the root level | | admissionController.featuresOverride.admissionReports.backPressureThreshold | int | `1000` | Max number of admission reports allowed in flight until the admission controller stops creating new ones | | admissionController.rbac.create | bool | `true` | Create RBAC resources | +| admissionController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role | +| admissionController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | | admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | | admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | | admissionController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | 
@@ -454,6 +456,8 @@ The chart values are organised per component. | backgroundController.featuresOverride | object | `{}` | Overrides features defined at the root level | | backgroundController.enabled | bool | `true` | Enable background controller. | | backgroundController.rbac.create | bool | `true` | Create RBAC resources | +| backgroundController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role | +| backgroundController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | | backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name | | backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | | backgroundController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | 
@@ -606,6 +610,8 @@ The chart values are organised per component. | reportsController.featuresOverride | object | `{}` | Overrides features defined at the root level | | reportsController.enabled | bool | `true` | Enable reports controller. | | reportsController.rbac.create | bool | `true` | Create RBAC resources | +| reportsController.rbac.createViewRoleBinding | bool | `true` | Create rolebinding to view role | +| reportsController.rbac.viewRoleName | string | `"view"` | The view role to use in the rolebinding | | reportsController.rbac.serviceAccount.name | string | `nil` | Service account name | | reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | | reportsController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml index 25f1ade81a..c6e8e7e0fd 100644 --- a/charts/kyverno/templates/admission-controller/clusterrole.yaml +++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml @@ -7,6 +7,8 @@ metadata: {{- include "kyverno.admission-controller.labels" . | nindent 4 }} aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-admission-controller: "true" - matchLabels: {{- include "kyverno.admission-controller.matchLabels" . | nindent 8 }} --- diff --git a/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml b/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml index 6272deec4d..4cd35b6164 100644 --- a/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml +++ b/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml 
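Review bot: The new aggregation selector `rbac.kyverno.io/aggregate-to-admission-controller: "true"` is undocumented: every ClusterRole carrying that label is folded into the admission controller's permissions, and neither the README nor the values.yaml hunks tell operators that this label is the supported extension point or that it widens what the controller may do. A comment above the selector, `# Any ClusterRole labelled rbac.kyverno.io/aggregate-to-admission-controller: "true" is aggregated into this role; grant such roles deliberately`, would make the intent visible, and one README sentence beside the new `rbac.*` values would let users discover it. The same applies to the background-controller, cleanup-controller and reports-controller clusterrole hunks.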
@@ -13,4 +13,21 @@ subjects: - kind: ServiceAccount name: {{ template "kyverno.admission-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} +{{- if .Values.admissionController.rbac.createViewRoleBinding }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }}:view + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.admissionController.rbac.viewRoleName }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml index 6017e9ad23..d8728b8e72 100644 --- a/charts/kyverno/templates/admission-controller/deployment.yaml +++ b/charts/kyverno/templates/admission-controller/deployment.yaml @@ -131,6 +131,7 @@ spec: - --caSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca - --tlsSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair - --backgroundServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.background-controller.serviceAccountName" . }} + - --reportsServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.reports-controller.serviceAccountName" . }} - --servicePort={{ .Values.admissionController.service.port }} - --webhookServerPort={{ .Values.admissionController.webhookServer.port }} {{- if .Values.admissionController.tracing.enabled }} 
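Review bot: `name: {{ .Values.admissionController.rbac.viewRoleName }}` renders a user-supplied value unquoted, so an empty value becomes `null` and a YAML-special one breaks the roleRef silently; `name: {{ .Values.admissionController.rbac.viewRoleName | quote }}` is safer here and in the background-controller and reports-controller clusterrolebinding hunks. Because this is a ClusterRoleBinding, the `view` role is granted in every namespace, which appears to be the intended replacement for the wildcard read rules removed from values.yaml, but that is worth stating above the `{{- if ... createViewRoleBinding }}` line, e.g. `# cluster-wide read via the aggregated view ClusterRole; set rbac.createViewRoleBinding=false to opt out`. The subjects list is indented here but flush-left in the other two templates; one style should be used. The `{{- if }}` that the final `{{- end -}}` closes begins outside this hunk.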
diff --git a/charts/kyverno/templates/background-controller/clusterrole.yaml b/charts/kyverno/templates/background-controller/clusterrole.yaml index 2c47558136..c680ef262e 100644 --- a/charts/kyverno/templates/background-controller/clusterrole.yaml +++ b/charts/kyverno/templates/background-controller/clusterrole.yaml @@ -8,6 +8,8 @@ metadata: {{- include "kyverno.background-controller.labels" . | nindent 4 }} aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-background-controller: "true" - matchLabels: {{- include "kyverno.background-controller.matchLabels" . | nindent 8 }} --- @@ -28,7 +30,9 @@ rules: - kyverno.io resources: - policies + - policies/status - clusterpolicies + - clusterpolicies/status - policyexceptions - updaterequests - updaterequests/status diff --git a/charts/kyverno/templates/background-controller/clusterrolebinding.yaml b/charts/kyverno/templates/background-controller/clusterrolebinding.yaml index 7dcbfffe6c..6e8073030b 100644 --- a/charts/kyverno/templates/background-controller/clusterrolebinding.yaml +++ b/charts/kyverno/templates/background-controller/clusterrolebinding.yaml 
@@ -11,8 +11,25 @@ roleRef: kind: ClusterRole name: {{ template "kyverno.background-controller.roleName" . }} subjects: +- kind: ServiceAccount + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- if .Values.backgroundController.rbac.createViewRoleBinding }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.background-controller.roleName" . }}:view + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.backgroundController.rbac.viewRoleName }} +subjects: - kind: ServiceAccount name: {{ template "kyverno.background-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} {{- end -}} {{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml index 4584dba1c5..68a9d96a62 100644 --- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml +++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml @@ -8,6 +8,8 @@ metadata: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-cleanup-controller: "true" - matchLabels: {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 8 }} --- diff --git a/charts/kyverno/templates/reports-controller/clusterrole.yaml b/charts/kyverno/templates/reports-controller/clusterrole.yaml index b21ac21786..f42b217418 100644 --- a/charts/kyverno/templates/reports-controller/clusterrole.yaml +++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml 
@@ -8,6 +8,8 @@ metadata: {{- include "kyverno.reports-controller.labels" . | nindent 4 }} aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" - matchLabels: {{- include "kyverno.reports-controller.matchLabels" . | nindent 8 }} --- @@ -27,7 +29,6 @@ rules: - apiGroups: - '' resources: - - secrets - configmaps - namespaces verbs: diff --git a/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml b/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml index 58742e6de8..a2b760085f 100644 --- a/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml +++ b/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml @@ -11,8 +11,25 @@ roleRef: kind: ClusterRole name: {{ template "kyverno.reports-controller.roleName" . }} subjects: +- kind: ServiceAccount + name: {{ template "kyverno.reports-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- if .Values.reportsController.rbac.createViewRoleBinding }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.reports-controller.roleName" . }}:view + labels: + {{- include "kyverno.reports-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.reportsController.rbac.viewRoleName }} +subjects: - kind: ServiceAccount name: {{ template "kyverno.reports-controller.serviceAccountName" . }} namespace: {{ template "kyverno.namespace" . }} {{- end -}} {{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/reports-controller/role.yaml b/charts/kyverno/templates/reports-controller/role.yaml index 5c1b5c07da..6b163b7561 100644 --- a/charts/kyverno/templates/reports-controller/role.yaml +++ b/charts/kyverno/templates/reports-controller/role.yaml 
@@ -19,6 +19,14 @@ rules: resourceNames: - {{ include "kyverno.config.configMapName" . }} - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch - apiGroups: - coordination.k8s.io resources: diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 2f8cf434dc..aa7d05cb25 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -697,6 +697,12 @@ admissionController: # -- Create RBAC resources create: true + # -- Create rolebinding to view role + createViewRoleBinding: true + + # -- The view role to use in the rolebinding + viewRoleName: view + serviceAccount: # -- The ServiceAccount name name: @@ -709,15 +715,7 @@ admissionController: # -- Extra resource permissions to add in the core cluster role. # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. # @default -- See [values.yaml](values.yaml) - extraResources: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch + extraResources: [] clusterRole: # -- Extra resource permissions to add in the cluster role @@ -1108,6 +1106,12 @@ backgroundController: # -- Create RBAC resources create: true + # -- Create rolebinding to view role + createViewRoleBinding: true + + # -- The view role to use in the rolebinding + viewRoleName: view + serviceAccount: # -- Service account name name: @@ -1121,14 +1125,6 @@ backgroundController: # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. # @default -- See [values.yaml](values.yaml) extraResources: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - networking.k8s.io resources: @@ -1154,7 +1150,6 @@ backgroundController: - '' resources: - configmaps - - secrets - resourcequotas - limitranges verbs: 
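Review bot: The new secrets rule grants get/list/watch on every Secret in the Role's namespace, while the configmaps rule directly above it is pinned with `resourceNames`; if the reports controller only needs particular secrets (the hunk does not show which), a `resourceNames` list, or at least a comment naming the secrets it reads, would keep this grant as narrow as its neighbour. Moving `secrets` out of the ClusterRole (removed in the reports-controller clusterrole hunk) into a namespaced Role is a clear least-privilege improvement, so the only open question is whether list/watch over all secrets in the namespace is actually required.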
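Review bot: The `createViewRoleBinding` comment should say what the binding replaces and what it does not cover: the `'*'`/`'*'` get/list/watch entry removed from `coreClusterRole.extraResources` in this file gave the controllers read access to every API resource, whereas Kubernetes' built-in `view` ClusterRole excludes Secrets and only aggregates resources that opt in with the `aggregate-to-view` label, so policies that look up non-aggregated custom resources via API calls will need explicit permissions after upgrade. A comment such as `# -- Create a ClusterRoleBinding to the aggregated view ClusterRole; replaces the former wildcard read access and does not cover Secrets or CRDs not aggregated into view` above `createViewRoleBinding: true` would prevent that surprise. The same applies to the backgroundController and reportsController value hunks.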
@@ -1718,6 +1713,12 @@ reportsController: # -- Create RBAC resources create: true + # -- Create rolebinding to view role + createViewRoleBinding: true + + # -- The view role to use in the rolebinding + viewRoleName: view + serviceAccount: # -- Service account name name: @@ -1730,15 +1731,7 @@ reportsController: # -- Extra resource permissions to add in the core cluster role. # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. # @default -- See [values.yaml](values.yaml) - extraResources: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch + extraResources: [] clusterRole: # -- Extra resource permissions to add in the cluster role diff --git a/cmd/cli/kubectl-kyverno/commands/apply/command.go b/cmd/cli/kubectl-kyverno/commands/apply/command.go index 97c9ea3baa..4368109c6c 100644 --- a/cmd/cli/kubectl-kyverno/commands/apply/command.go +++ b/cmd/cli/kubectl-kyverno/commands/apply/command.go @@ -273,7 +273,8 @@ func (c *ApplyCommandConfig) applyPolicytoResource( validPolicies := make([]kyvernov1.PolicyInterface, 0, len(policies)) for _, pol := range policies { // TODO we should return this info to the caller - _, err := policyvalidation.Validate(pol, nil, nil, nil, true, config.KyvernoUserName(config.KyvernoServiceAccountName())) + sa := config.KyvernoUserName(config.KyvernoServiceAccountName()) + _, err := policyvalidation.Validate(pol, nil, nil, nil, true, sa, sa) if err != nil { log.Log.Error(err, "policy validation error") rc.IncrementError(1) diff --git a/cmd/cli/kubectl-kyverno/commands/oci/push/options.go b/cmd/cli/kubectl-kyverno/commands/oci/push/options.go index 93f8151161..3e0e0778fe 100644 --- a/cmd/cli/kubectl-kyverno/commands/oci/push/options.go +++ b/cmd/cli/kubectl-kyverno/commands/oci/push/options.go 
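Review bot: `policyvalidation.Validate(pol, nil, nil, nil, true, sa, sa)` passes the same service-account string positionally for two distinct parameters (presumably the background and reports service accounts, judging by the flags added in cmd/kyverno/main.go), and a reader cannot tell which is which. A short comment, `// the CLI has no separate reports controller, so both service-account parameters use the kyverno SA`, or two named locals would make the intent explicit. The same pattern appears in the oci push options.go and test.go hunks.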
@@ -40,7 +40,8 @@ func (o options) execute(ctx context.Context, dir string, keychain authn.Keychai return fmt.Errorf("unable to read policy file or directory %s (%w)", dir, err) } for _, policy := range results.Policies { - if _, err := policyvalidation.Validate(policy, nil, nil, nil, true, config.KyvernoUserName(config.KyvernoServiceAccountName())); err != nil { + sa := config.KyvernoUserName(config.KyvernoServiceAccountName()) + if _, err := policyvalidation.Validate(policy, nil, nil, nil, true, sa, sa); err != nil { return fmt.Errorf("validating policy %s: %v", policy.GetName(), err) } } diff --git a/cmd/cli/kubectl-kyverno/commands/test/test.go b/cmd/cli/kubectl-kyverno/commands/test/test.go index cb4ab7bdfc..4b0e276cf0 100644 --- a/cmd/cli/kubectl-kyverno/commands/test/test.go +++ b/cmd/cli/kubectl-kyverno/commands/test/test.go @@ -153,7 +153,8 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool) ([]engi validPolicies := make([]kyvernov1.PolicyInterface, 0, len(results.Policies)) for _, pol := range results.Policies { // TODO we should return this info to the caller - _, err := policyvalidation.Validate(pol, nil, nil, nil, true, config.KyvernoUserName(config.KyvernoServiceAccountName())) + sa := config.KyvernoUserName(config.KyvernoServiceAccountName()) + _, err := policyvalidation.Validate(pol, nil, nil, nil, true, sa, sa) if err != nil { log.Log.Error(err, "skipping invalid policy", "name", pol.GetName()) continue diff --git a/cmd/internal/flag.go b/cmd/internal/flag.go index 714446b616..496d4a4a0c 100644 --- a/cmd/internal/flag.go +++ b/cmd/internal/flag.go @@ -144,8 +144,8 @@ type options struct { func newOptions() options { return options{ - clientRateLimitQPS: 20, - clientRateLimitBurst: 50, + clientRateLimitQPS: 100, + clientRateLimitBurst: 200, eventsRateLimitQPS: 1000, eventsRateLimitBurst: 2000, } diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 72d52f7df4..8189af0270 100644 --- a/cmd/kyverno/main.go 
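Review bot: Raising `clientRateLimitQPS` from 20 to 100 and `clientRateLimitBurst` from 50 to 200 is unrelated to the RBAC change and carries no rationale in the hunk; if the increase is meant to absorb the extra SubjectAccessReview calls that the per-verb checks in pkg/policy/auth now issue, a comment on the `clientRateLimitQPS: 100,` line saying so would tie the two together. Higher defaults also raise the load the controllers may put on the API server, so the changelog should mention the new defaults for operators who tuned around the old ones.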
+++ b/cmd/kyverno/main.go @@ -247,6 +247,7 @@ func main() { servicePort int webhookServerPort int backgroundServiceAccountName string + reportsServiceAccountName string maxAPICallResponseLength int64 renewBefore time.Duration maxAuditWorkers int @@ -267,7 +268,8 @@ func main() { flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.") flagset.IntVar(&servicePort, "servicePort", 443, "Port used by the Kyverno Service resource and for webhook configurations.") flagset.IntVar(&webhookServerPort, "webhookServerPort", 9443, "Port used by the webhook server.") - flagset.StringVar(&backgroundServiceAccountName, "backgroundServiceAccountName", "", "Background service account name.") + flagset.StringVar(&backgroundServiceAccountName, "backgroundServiceAccountName", "", "Background controller service account name.") + flagset.StringVar(&reportsServiceAccountName, "reportsServiceAccountName", "", "Reports controller service account name.") flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.") flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.") flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 10*1000*1000, "Configure the value of maximum allowed GET response size from API Calls") @@ -516,6 +518,7 @@ func main() { setup.KyvernoDynamicClient, setup.KyvernoClient, backgroundServiceAccountName, + reportsServiceAccountName, ) ephrs, err := StartAdmissionReportsCounter(signalCtx, setup.MetadataClient) if err != nil { @@ -544,6 +547,7 @@ func main() { eventGenerator, admissionReports, backgroundServiceAccountName, + reportsServiceAccountName, setup.Jp, maxAuditWorkers, maxAuditCapacity, diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index a4e4ddc6ce..542b0e1c9e 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
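Review bot: The help string `"Reports controller service account name."` understates the expected value: the chart's deployment hunk passes the full user name form `system:serviceaccount:<namespace>:<name>`, and `backgroundServiceAccountName` is passed the same way, so `flagset.StringVar(&reportsServiceAccountName, "reportsServiceAccountName", "", "Reports controller service account user name, e.g. system:serviceaccount:<namespace>:<name>.")` would prevent bare names being supplied on non-chart installs. Both flags default to `""` and are threaded positionally into two constructors, with nothing in the hunk saying how an empty value is treated by the consumers; a word in the help text on whether empty disables the check or is rejected would be useful.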
@@ -47215,6 +47215,8 @@ metadata: app.kubernetes.io/version: latest aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-admission-controller: "true" - matchLabels: app.kubernetes.io/component: admission-controller app.kubernetes.io/instance: kyverno @@ -47346,14 +47348,6 @@ rules: - get - list - watch - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -47366,6 +47360,8 @@ metadata: app.kubernetes.io/version: latest aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-background-controller: "true" - matchLabels: app.kubernetes.io/component: background-controller app.kubernetes.io/instance: kyverno @@ -47391,7 +47387,9 @@ rules: - kyverno.io resources: - policies + - policies/status - clusterpolicies + - clusterpolicies/status - policyexceptions - updaterequests - updaterequests/status @@ -47427,14 +47425,6 @@ rules: - patch - update - watch - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch - apiGroups: - networking.k8s.io resources: @@ -47460,7 +47450,6 @@ rules: - "" resources: - configmaps - - secrets - resourcequotas - limitranges verbs: @@ -47480,6 +47469,8 @@ metadata: app.kubernetes.io/version: latest aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-cleanup-controller: "true" - matchLabels: app.kubernetes.io/component: cleanup-controller app.kubernetes.io/instance: kyverno @@ -47770,6 +47761,8 @@ metadata: app.kubernetes.io/version: latest aggregationRule: clusterRoleSelectors: + - matchLabels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" - matchLabels: app.kubernetes.io/component: reports-controller app.kubernetes.io/instance: kyverno @@ -47794,7 +47787,6 @@ rules: - apiGroups: - '' resources: - - secrets - configmaps - namespaces verbs: 
@@ -47856,14 +47848,6 @@ rules: verbs: - create - patch - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -47885,6 +47869,24 @@ subjects: --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:admission-controller:view + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: + - kind: ServiceAccount + name: kyverno-admission-controller + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kyverno:background-controller labels: @@ -47903,6 +47905,24 @@ subjects: --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:background-controller:view + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: +- kind: ServiceAccount + name: kyverno-background-controller + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kyverno:cleanup-controller labels: 
@@ -47937,6 +47957,24 @@ subjects: name: kyverno-reports-controller namespace: kyverno --- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:reports-controller:view + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: latest +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: +- kind: ServiceAccount + name: kyverno-reports-controller + namespace: kyverno +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -48119,6 +48157,14 @@ rules: resourceNames: - kyverno - kyverno-metrics + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch - apiGroups: - coordination.k8s.io resources: @@ -48441,6 +48487,7 @@ spec: - --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca - --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller + - --reportsServiceAccountName=system:serviceaccount:kyverno:kyverno-reports-controller - --servicePort=443 - --webhookServerPort=9443 - --disableMetrics=false diff --git a/pkg/policy/auth/auth.go b/pkg/policy/auth/auth.go index bbb47acd8c..41acfe5df8 100644 --- a/pkg/policy/auth/auth.go +++ b/pkg/policy/auth/auth.go 
@@ -2,22 +2,21 @@ package auth
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
 	"github.com/go-logr/logr"
 	"github.com/kyverno/kyverno/pkg/auth"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 )
 
-// Operations provides methods to performing operations on resource
-type Operations interface {
-	// CanICreate returns 'true' if self can 'create' resource
-	CanICreate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
-	// CanIUpdate returns 'true' if self can 'update' resource
-	CanIUpdate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
-	// CanIDelete returns 'true' if self can 'delete' resource
-	CanIDelete(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
-	// CanIGet returns 'true' if self can 'get' resource
-	CanIGet(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
+// AuthChecks provides methods to performing operations on resource
+type AuthChecks interface {
+	// User returns the subject
+	User() string
+	// CanI returns 'true' if user has permissions for all specified verbs.
+	// When the result is 'false' a message with details on missing verbs is returned.
+	CanI(ctx context.Context, verbs []string, gvk, namespace, name, subresource string) (bool, string, error)
 }
 
 // Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
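Review bot: The interface doc comment `// AuthChecks provides methods to performing operations on resource` is carried over from `Operations` and is both ungrammatical and inaccurate, since the interface checks permissions rather than performing anything; `// AuthChecks reports whether the configured user is allowed to perform operations on a resource.` describes it. `// User returns the subject` could say what the subject is, e.g. `// User returns the user name the access checks are performed for.`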
@@ -37,9 +36,36 @@ func NewAuth(client dclient.Interface, user string, log logr.Logger) *Auth {
 	return &a
 }
 
+func (a *Auth) User() string {
+	return a.user
+}
+
+func (a *Auth) CanI(ctx context.Context, verbs []string, gvk, namespace, name, subresource string) (bool, string, error) {
+	var failedVerbs []string
+	for _, v := range verbs {
+		if ok, err := a.check(ctx, v, gvk, namespace, name, subresource); err != nil {
+			return false, "", err
+		} else if !ok {
+			failedVerbs = append(failedVerbs, v)
+		}
+	}
+
+	if len(failedVerbs) > 0 {
+		msg := buildMessage(gvk, subresource, failedVerbs, a.user, namespace)
+		return false, msg, nil
+	}
+
+	return true, "", nil
+}
+
 // CanICreate returns 'true' if self can 'create' resource
 func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
-	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "create", "", a.user)
+	return a.check(ctx, "create", gvk, namespace, name, subresource)
+}
+
+func (a *Auth) check(ctx context.Context, verb, gvk, namespace, name, subresource string) (bool, error) {
+	subjectReview := a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews()
+	canI := auth.NewCanI(a.client.Discovery(), subjectReview, gvk, namespace, name, verb, subresource, a.user)
 	ok, _, err := canI.RunAccessCheck(ctx)
 	if err != nil {
 		return false, err
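Review bot: `check` now forwards `subresource` to `auth.NewCanI`, where the removed `CanICreate` body always passed `""`; subresource permissions are therefore really checked from now on, a behaviour change that deserves a comment on the `canI :=` line, because callers passing a subresource previously only got the parent-resource answer. The exported `User` and `CanI` lack doc comments in a file where the old methods had them (`// CanICreate returns 'true' if self can 'create' resource`); `// CanI runs one SubjectAccessReview per verb and reports the verbs the user lacks; it stops at the first review error` would also make the N-calls cost and the early-return visible. The body of `check` continues outside the hunk.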
@@ -47,32 +73,16 @@ func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, name, subresource
 	return ok, nil
 }
 
-// CanIUpdate returns 'true' if self can 'update' resource
-func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
-	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "update", "", a.user)
-	ok, _, err := canI.RunAccessCheck(ctx)
-	if err != nil {
-		return false, err
+func buildMessage(gvk string, subresource string, failedVerbs []string, user string, namespace string) string {
+	resource := gvk
+	if subresource != "" {
+		resource = gvk + "/" + subresource
 	}
-	return ok, nil
-}
 
-// CanIDelete returns 'true' if self can 'delete' resource
-func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
-	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "delete", "", a.user)
-	ok, _, err := canI.RunAccessCheck(ctx)
-	if err != nil {
-		return false, err
+	permissions := strings.Join(failedVerbs, ",")
+	msg := fmt.Sprintf("%s requires permissions %s for resource %s", user, permissions, resource)
+	if namespace != "" {
+		msg = fmt.Sprintf("%s in namespace %s", msg, namespace)
 	}
-	return ok, nil
-}
-
-// CanIGet returns 'true' if self can 'get' resource
-func (a *Auth) CanIGet(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
-	canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "get", "", a.user)
-	ok, _, err := canI.RunAccessCheck(ctx)
-	if err != nil {
-		return false, err
-	}
-	return ok, nil
+	return msg
 }
diff --git a/pkg/policy/auth/fake/auth.go b/pkg/policy/auth/fake/auth.go
index 0492ecbada..6d31971e8a 100644
--- a/pkg/policy/auth/fake/auth.go
+++ b/pkg/policy/auth/fake/auth.go
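Review bot: `buildMessage` has no doc comment, and the message it builds drops the remediation hint the removed errors carried (`Grant proper permissions to the background controller`); `// buildMessage describes the verbs user lacks on gvk[/subresource], qualified by namespace when set` plus a trailing hint such as `; grant these permissions to the controller service account` in the `fmt.Sprintf` would keep the error actionable for policy authors. The checks in `check` are scoped by `name`, yet `name` is not part of the message; if a name-scoped check can fail, including it would help diagnosis.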
@@ -11,6 +11,14 @@ func NewFakeAuth() *FakeAuth {
 	return &a
 }
 
+func (a *FakeAuth) User() string {
+	return "fake"
+}
+
+func (a *FakeAuth) CanI(ctx context.Context, verbs []string, gvk, namespace, name, subresource string) (bool, string, error) {
+	return true, "", nil
+}
+
 // CanICreate returns 'true'
 func (a *FakeAuth) CanICreate(_ context.Context, kind, namespace, name, sub string) (bool, error) {
 	return true, nil
diff --git a/pkg/policy/generate/fake.go b/pkg/policy/generate/fake.go
index 25a8f16893..bd30293fe8 100644
--- a/pkg/policy/generate/fake.go
+++ b/pkg/policy/generate/fake.go
@@ -17,7 +17,7 @@ type FakeGenerate struct {
 func NewFakeGenerate(rule kyvernov1.Generation) *FakeGenerate {
 	g := FakeGenerate{}
 	g.rule = rule
-	g.authCheck = fake.NewFakeAuth()
+	g.authChecker = fake.NewFakeAuth()
 	g.log = logging.GlobalLogger()
 	return &g
 }
diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go
index 0048ae9573..3cefef8ddd 100644
--- a/pkg/policy/generate/validate.go
+++ b/pkg/policy/generate/validate.go
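Review bot: The neighbouring fake method carries a one-line comment (`// CanICreate returns 'true'`) and names its unused context `_`, while the new `User` and `CanI` have neither; `// User returns 'fake'`, `// CanI returns 'true' for every verb` and `_ context.Context` would match the file's style. Because `CanI` ignores `verbs`, tests built on this fake cannot observe the verb set that `canIGenerate` now selects from `Synchronize`, which is worth knowing when reading the validate_test.go changes.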
@@ -17,33 +17,30 @@ import ( // Generate provides implementation to validate 'generate' rule type Generate struct { - user string - // rule to hold 'generate' rule specifications - rule kyvernov1.Generation - // authCheck to check access for operations - authCheck auth.Operations - // logger - log logr.Logger + user string + rule kyvernov1.Generation + authChecker auth.AuthChecks + log logr.Logger } // NewGenerateFactory returns a new instance of Generate validation checker func NewGenerateFactory(client dclient.Interface, rule kyvernov1.Generation, user string, log logr.Logger) *Generate { g := Generate{ - user: user, - rule: rule, - authCheck: auth.NewAuth(client, user, log), - log: log, + user: user, + rule: rule, + authChecker: auth.NewAuth(client, user, log), + log: log, } return &g } // Validate validates the 'generate' rule -func (g *Generate) Validate(ctx context.Context) (string, error) { +func (g *Generate) Validate(ctx context.Context) (warnings []string, path string, err error) { rule := g.rule if rule.CloneList.Selector != nil { if wildcard.ContainsWildcard(rule.CloneList.Selector.String()) { - return "selector", fmt.Errorf("wildcard characters `*/?` not supported") + return nil, "selector", fmt.Errorf("wildcard characters `*/?` not supported") } } @@ -51,7 +48,7 @@ func (g *Generate) Validate(ctx context.Context) (string, error) { // TODO: is this required ?? as anchors can only be on pattern and not resource // we can add this check by not sure if its needed here if path, err := common.ValidatePattern(target, "/", nil); err != nil { - return fmt.Sprintf("data.%s", path), fmt.Errorf("anchors not supported on generate resources: %v", err) + return nil, fmt.Sprintf("data.%s", path), fmt.Errorf("anchors not supported on generate resources: %v", err) } } 
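Review bot: The field comments on `Generate` (`// rule to hold 'generate' rule specifications`, `// authCheck to check access for operations`, `// logger`) were deleted rather than updated, leaving the struct undocumented; keeping them, e.g. `// authChecker performs the access checks on behalf of user`, costs nothing. `Validate` now returns `warnings []string`, but every return in the visible hunks yields `nil`; if warnings are produced elsewhere the doc comment should say when, otherwise `// Validate validates the 'generate' rule; warnings is reserved and currently always nil` spares readers a search. The body of `Validate` continues outside the hunk.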
@@ -62,19 +59,20 @@ func (g *Generate) Validate(ctx context.Context) (string, error) {
 	// If kind and namespace contain variables, then we cannot resolve then so we skip the processing
 	if rule.ForEachGeneration != nil {
 		for _, forEach := range rule.ForEachGeneration {
-			if err := g.canIGeneratePatterns(ctx, forEach.GeneratePatterns); err != nil {
-				return "foreach", err
+			if err := g.validateAuth(ctx, forEach.GeneratePatterns); err != nil {
+				return nil, "foreach", err
 			}
 		}
 	} else {
-		if err := g.canIGeneratePatterns(ctx, rule.GeneratePatterns); err != nil {
-			return "", err
+		if err := g.validateAuth(ctx, rule.GeneratePatterns); err != nil {
+			return nil, "", err
 		}
 	}
-	return "", nil
+	return nil, "", nil
 }
 
-func (g *Generate) canIGeneratePatterns(ctx context.Context, generate kyvernov1.GeneratePatterns) error {
+// validateAuth returns a error if kyverno cannot perform operations
+func (g *Generate) validateAuth(ctx context.Context, generate kyvernov1.GeneratePatterns) error {
 	if len(generate.CloneList.Kinds) != 0 {
 		for _, kind := range generate.CloneList.Kinds {
 			gvk, sub := parseCloneKind(kind)
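Review bot: `// validateAuth returns a error if kyverno cannot perform operations` should read `// validateAuth returns an error if the configured user lacks the permissions the generate patterns require`, which also says whose permissions are checked. The body of `validateAuth` continues outside the hunk.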
@@ -87,44 +85,24 @@ func (g *Generate) canIGeneratePatterns(ctx context.Context, generate kyvernov1. return nil } -// canIGenerate returns a error if kyverno cannot perform operations func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource string) error { - // Skip if there is variable defined - authCheck := g.authCheck - if !regex.IsVariable(gvk) { - ok, err := authCheck.CanICreate(ctx, gvk, namespace, "", subresource) - if err != nil { - return err - } - if !ok { - return fmt.Errorf("%s does not have permissions to 'create' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace) - } + if regex.IsVariable(gvk) { + g.log.V(2).Info("resource Kind uses variables; skipping authorization checks.") + return nil + } - ok, err = authCheck.CanIUpdate(ctx, gvk, namespace, "", subresource) - if err != nil { - return err - } - if !ok { - return fmt.Errorf("%s does not have permissions to 'update' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace) - } + verbs := []string{"get", "create"} + if g.rule.Synchronize { + verbs = []string{"get", "create", "update", "delete"} + } - ok, err = authCheck.CanIGet(ctx, gvk, namespace, "", subresource) - if err != nil { - return err - } - if !ok { - return fmt.Errorf("%s does not have permissions to 'get' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace) - } + ok, msg, err := g.authChecker.CanI(ctx, verbs, gvk, namespace, "", subresource) + if err != nil { + return err + } - ok, err = authCheck.CanIDelete(ctx, gvk, namespace, "", subresource) - if err != nil { - return err - } - if !ok { - return fmt.Errorf("%s does not have permissions to 'delete' resource %s/%s/%s. 
Grant proper permissions to the background controller", g.user, gvk, subresource, namespace) - } - } else { - g.log.V(2).Info("resource Kind uses variables, so cannot be resolved. Skipping Auth Checks.") + if !ok { + return fmt.Errorf(msg) } return nil diff --git a/pkg/policy/generate/validate_test.go b/pkg/policy/generate/validate_test.go index b466d6b835..e5f6c5a345 100644 --- a/pkg/policy/generate/validate_test.go +++ b/pkg/policy/generate/validate_test.go @@ -36,7 +36,7 @@ func Test_Validate_Generate_HasAnchors(t *testing.T) { err = json.Unmarshal(rawGenerate, &genRule) assert.NilError(t, err) checker := NewFakeGenerate(genRule) - if _, err := checker.Validate(context.TODO()); err != nil { + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } @@ -53,7 +53,7 @@ func Test_Validate_Generate_HasAnchors(t *testing.T) { err = json.Unmarshal(rawGenerate, &genRule) assert.NilError(t, err) checker = NewFakeGenerate(genRule) - if _, err := checker.Validate(context.TODO()); err != nil { + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } } diff --git a/pkg/policy/mutate/validate.go b/pkg/policy/mutate/validate.go index 88c311fe03..59bef50c69 100644 --- a/pkg/policy/mutate/validate.go +++ b/pkg/policy/mutate/validate.go @@ -6,8 +6,11 @@ import ( "strings" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/engine/variables/regex" + "github.com/kyverno/kyverno/pkg/logging" "github.com/kyverno/kyverno/pkg/policy/auth" + "github.com/kyverno/kyverno/pkg/policy/auth/fake" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" "go.uber.org/multierr" ) 
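Review bot: `return fmt.Errorf(msg)` passes a non-constant string as the format; any `%` in the message the checker builds is reinterpreted as a verb, and `go vet`'s printf check flags it. `return fmt.Errorf("%s", msg)` avoids it without a new import; the same pattern appears in mutate's `validateAuth` hunk further down. Separately, the required verb set now depends on the rule-level `g.rule.Synchronize`, while the previous code always checked create/update/get/delete; that narrowing looks intended for least privilege, but since `validateAuth` is also called per `ForEachGeneration` entry, it is worth confirming that a foreach entry cannot carry its own synchronize setting. A short comment above `verbs`, e.g. `// update/delete are only needed when kyverno keeps the generated resource in sync`, would document the decision.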
@@ -15,48 +18,53 @@ import ( // Mutate provides implementation to validate 'mutate' rule type Mutate struct { mutation kyvernov1.Mutation - user string - authChecker auth.Operations + authChecker auth.AuthChecks } // NewMutateFactory returns a new instance of Mutate validation checker -func NewMutateFactory(m kyvernov1.Mutation, authChecker auth.Operations, user string) *Mutate { +func NewMutateFactory(m kyvernov1.Mutation, client dclient.Interface, mock bool, backgroundSA string) *Mutate { + var authCheck auth.AuthChecks + if mock { + authCheck = fake.NewFakeAuth() + } else { + authCheck = auth.NewAuth(client, backgroundSA, logging.GlobalLogger()) + } + return &Mutate{ mutation: m, - user: user, - authChecker: authChecker, + authChecker: authCheck, } } // Validate validates the 'mutate' rule -func (m *Mutate) Validate(ctx context.Context) (string, error) { +func (m *Mutate) Validate(ctx context.Context) (warnings []string, path string, err error) { if m.hasForEach() { if m.hasPatchStrategicMerge() || m.hasPatchesJSON6902() { - return "foreach", fmt.Errorf("only one of `foreach`, `patchStrategicMerge`, or `patchesJson6902` is allowed") + return nil, "foreach", fmt.Errorf("only one of `foreach`, `patchStrategicMerge`, or `patchesJson6902` is allowed") } return m.validateForEach("", m.mutation.ForEachMutation) } if m.hasPatchesJSON6902() && m.hasPatchStrategicMerge() { - return "foreach", fmt.Errorf("only one of `patchStrategicMerge` or `patchesJson6902` is allowed") + return nil, "foreach", fmt.Errorf("only one of `patchStrategicMerge` or `patchesJson6902` is allowed") } if m.mutation.Targets != nil { if err := m.validateAuth(ctx, m.mutation.Targets); err != nil { - return "targets", fmt.Errorf("auth check fails, additional privileges are required for the service account '%s': %v", m.user, err) + return nil, "targets", fmt.Errorf("auth check fails, additional privileges are required for the service account '%s': %v", m.authChecker.User(), err) } } - return "", nil + 
return nil, "", nil } -func (m *Mutate) validateForEach(tag string, foreach []kyvernov1.ForEachMutation) (string, error) { +func (m *Mutate) validateForEach(tag string, foreach []kyvernov1.ForEachMutation) (warnings []string, path string, err error) { for i, fe := range foreach { tag = tag + fmt.Sprintf("foreach[%d]", i) fem := fe.GetForEachMutation() if len(fem) > 0 { - if fe.Context != nil || fe.AnyAllConditions != nil || fe.PatchesJSON6902 != "" || fe.GetPatchStrategicMerge() != nil { - return tag, fmt.Errorf("a nested foreach cannot contain other declarations") + if fe.Context != nil || fe.AnyAllConditions != nil || fe.PatchesJSON6902 != "" || fe.RawPatchStrategicMerge != nil { + return nil, tag, fmt.Errorf("a nested foreach cannot contain other declarations") } return m.validateNestedForEach(tag, fem) @@ -64,19 +72,19 @@ func (m *Mutate) validateForEach(tag string, foreach []kyvernov1.ForEachMutation psm := fe.GetPatchStrategicMerge() if (fe.PatchesJSON6902 == "" && psm == nil) || (fe.PatchesJSON6902 != "" && psm != nil) { - return tag, fmt.Errorf("only one of `patchStrategicMerge` or `patchesJson6902` is allowed") + return nil, tag, fmt.Errorf("only one of `patchStrategicMerge` or `patchesJson6902` is allowed") } } - return "", nil + return nil, "", nil } -func (m *Mutate) validateNestedForEach(tag string, j []kyvernov1.ForEachMutation) (string, error) { +func (m *Mutate) validateNestedForEach(tag string, j []kyvernov1.ForEachMutation) (warnings []string, path string, err error) { if j != nil { return m.validateForEach(tag, j) } - return "", nil + return nil, "", nil } func (m *Mutate) hasForEach() bool { 
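Review bot: `NewMutateFactory` gained `client`, `mock` and `backgroundSA` parameters but its doc comment still only says it returns a new checker; when `mock` is true the client is never used and a fake checker stands in, which callers should know before passing a nil client with `mock` false. Something like `// NewMutateFactory returns a Mutate checker; with mock set it uses the fake auth checker and ignores client, otherwise permissions are evaluated for backgroundSA` would cover it. The nested-foreach guard also changes from `fe.GetPatchStrategicMerge() != nil` to `fe.RawPatchStrategicMerge != nil`; if the getter is a plain accessor this is equivalent, but if it normalises an empty value the set of rejected declarations shifts, so the commit description should say which. `validateForEach` is cut across this hunk and the next.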
@@ -94,25 +102,20 @@ func (m *Mutate) hasPatchesJSON6902() bool {
 func (m *Mutate) validateAuth(ctx context.Context, targets []kyvernov1.TargetResourceSpec) error {
 var errs []error
 for _, target := range targets {
- if !regex.IsVariable(target.Kind) {
- _, _, k, sub := kubeutils.ParseKindSelector(target.Kind)
- srcKey := k
- if sub != "" {
- srcKey = srcKey + "/" + sub
- }
-
- if ok, err := m.authChecker.CanIUpdate(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, target.Name, sub); err != nil {
- errs = append(errs, err)
- } else if !ok {
- errs = append(errs, fmt.Errorf("cannot %s/%s/%s in namespace %s", "update", target.APIVersion, srcKey, target.Namespace))
- }
-
- if ok, err := m.authChecker.CanIGet(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, target.Name, sub); err != nil {
- errs = append(errs, err)
- } else if !ok {
- errs = append(errs, fmt.Errorf("cannot %s/%s/%s in namespace %s", "get", target.APIVersion, srcKey, target.Namespace))
- }
+ if regex.IsVariable(target.Kind) {
+ continue
+ }
+ _, _, k, sub := kubeutils.ParseKindSelector(target.Kind)
+ gvk := strings.Join([]string{target.APIVersion, k}, "/")
+ verbs := []string{"get", "update"}
+ ok, msg, err := m.authChecker.CanI(ctx, verbs, gvk, target.Namespace, target.Name, sub)
+ if err != nil {
+ return err
+ }
+ if !ok {
+ errs = append(errs, fmt.Errorf(msg))
 }
 }
+
 return multierr.Combine(errs...)
 }
diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go
index 161e69293d..277e1e48f9 100644
--- a/pkg/policy/validate/validate.go
+++ b/pkg/policy/validate/validate.go
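Review bot: `return err` on a checker failure discards the entries already collected in `errs` for earlier targets, whereas the removed code appended the error and continued, so a caller now sees only the first API failure. If aborting on an API error is the intent, `return multierr.Combine(append(errs, err)...)` at least keeps what was already found; otherwise `errs = append(errs, err); continue` restores the previous aggregation. The `fmt.Errorf(msg)` format issue noted on the generate hunk applies here as well.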
@@ -5,32 +5,53 @@ import ( "fmt" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/ext/wildcard" + "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/engine/anchor" + "github.com/kyverno/kyverno/pkg/logging" + "github.com/kyverno/kyverno/pkg/policy/auth" + "github.com/kyverno/kyverno/pkg/policy/auth/fake" "github.com/kyverno/kyverno/pkg/policy/common" ) // Validate validates a 'validate' rule type Validate struct { - // rule to hold 'validate' rule specifications - rule *kyvernov1.Validation + rule *kyvernov1.Rule + validationRule *kyvernov1.Validation + authChecker auth.AuthChecks } // NewValidateFactory returns a new instance of Mutate validation checker -func NewValidateFactory(rule *kyvernov1.Validation) *Validate { - m := Validate{ - rule: rule, +func NewValidateFactory(rule *kyvernov1.Rule, client dclient.Interface, mock bool, reportsSA string) *Validate { + var authChecker auth.AuthChecks + if mock { + authChecker = fake.NewFakeAuth() + } else { + authChecker = auth.NewAuth(client, reportsSA, logging.GlobalLogger()) } - return &m + return &Validate{ + rule: rule, + validationRule: &rule.Validation, + authChecker: authChecker, + } +} + +func NewMockValidateFactory(rule *kyvernov1.Rule) *Validate { + return &Validate{ + rule: rule, + validationRule: &rule.Validation, + authChecker: fake.NewFakeAuth(), + } } // Validate validates the 'validate' rule -func (v *Validate) Validate(ctx context.Context) (string, error) { +func (v *Validate) Validate(ctx context.Context) (warnings []string, path string, err error) { if err := v.validateElements(); err != nil { - return "", err + return nil, "", err } - if target := v.rule.GetPattern(); target != nil { + if target := v.validationRule.GetPattern(); target != nil { if path, err := common.ValidatePattern(target, "/", func(a anchor.Anchor) bool { return anchor.IsCondition(a) || anchor.IsExistence(a) || 
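Review bot: `NewMockValidateFactory` is a new exported constructor without a doc comment, and it is the `mock` branch of `NewValidateFactory` written out a second time; `// NewMockValidateFactory returns a Validate checker backed by the fake auth checker, for tests` would document it, or it could simply be `return NewValidateFactory(rule, nil, true, "")`. While here, the pre-existing comment above `NewValidateFactory` says it returns a "Mutate validation checker", which is a copy-paste leftover. The `mock` parameter should also be documented on `NewValidateFactory`, since with it set `client` and `reportsSA` are ignored.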
@@ -38,14 +59,14 @@ func (v *Validate) Validate(ctx context.Context) (string, error) { anchor.IsNegation(a) || anchor.IsGlobal(a) }); err != nil { - return fmt.Sprintf("pattern.%s", path), err + return nil, fmt.Sprintf("pattern.%s", path), err } } - if target := v.rule.GetAnyPattern(); target != nil { - anyPattern, err := v.rule.DeserializeAnyPattern() + if target := v.validationRule.GetAnyPattern(); target != nil { + anyPattern, err := v.validationRule.DeserializeAnyPattern() if err != nil { - return "anyPattern", fmt.Errorf("failed to deserialize anyPattern, expect array: %v", err) + return nil, "anyPattern", fmt.Errorf("failed to deserialize anyPattern, expect array: %v", err) } for i, pattern := range anyPattern { if path, err := common.ValidatePattern(pattern, "/", func(a anchor.Anchor) bool { 
@@ -55,76 +76,102 @@ func (v *Validate) Validate(ctx context.Context) (string, error) { anchor.IsNegation(a) || anchor.IsGlobal(a) }); err != nil { - return fmt.Sprintf("anyPattern[%d].%s", i, path), err + return nil, fmt.Sprintf("anyPattern[%d].%s", i, path), err } } } - if v.rule.ForEachValidation != nil { - for _, foreach := range v.rule.ForEachValidation { + if v.validationRule.ForEachValidation != nil { + for _, foreach := range v.validationRule.ForEachValidation { if err := v.validateForEach(foreach); err != nil { - return "", err + return nil, "", err } } } - if v.rule.CEL != nil { - for _, expression := range v.rule.CEL.Expressions { + if v.validationRule.CEL != nil { + for _, expression := range v.validationRule.CEL.Expressions { if expression.Expression == "" { - return "", fmt.Errorf("cel.expressions.expression is required") + return nil, "", fmt.Errorf("cel.expressions.expression is required") } } - if v.rule.CEL.ParamKind != nil { - if v.rule.CEL.ParamKind.APIVersion == "" { - return "", fmt.Errorf("cel.paramKind.apiVersion is required") + if v.validationRule.CEL.ParamKind != nil { + if v.validationRule.CEL.ParamKind.APIVersion == "" { + return nil, "", fmt.Errorf("cel.paramKind.apiVersion is required") } - if v.rule.CEL.ParamKind.Kind == "" { - return "", fmt.Errorf("cel.paramKind.kind is required") + if v.validationRule.CEL.ParamKind.Kind == "" { + return nil, "", fmt.Errorf("cel.paramKind.kind is required") } - if v.rule.CEL.ParamRef == nil { - return "", fmt.Errorf("cel.paramRef is required") + if v.validationRule.CEL.ParamRef == nil { + return nil, "", fmt.Errorf("cel.paramRef is required") } } - if v.rule.CEL.ParamRef != nil { - if v.rule.CEL.ParamRef.Name == "" && v.rule.CEL.ParamRef.Selector == nil { - return "", fmt.Errorf("one of cel.paramRef.name or cel.paramRef.selector must be set") + if v.validationRule.CEL.ParamRef != nil { + if v.validationRule.CEL.ParamRef.Name == "" && v.validationRule.CEL.ParamRef.Selector == nil { + return nil, "", 
fmt.Errorf("one of cel.paramRef.name or cel.paramRef.selector must be set") } - if v.rule.CEL.ParamRef.Name != "" && v.rule.CEL.ParamRef.Selector != nil { - return "", fmt.Errorf("one of cel.paramRef.name or cel.paramRef.selector must be set") + if v.validationRule.CEL.ParamRef.Name != "" && v.validationRule.CEL.ParamRef.Selector != nil { + return nil, "", fmt.Errorf("one of cel.paramRef.name or cel.paramRef.selector must be set") } - if v.rule.CEL.ParamRef.ParameterNotFoundAction == nil { - return "", fmt.Errorf("cel.paramRef.parameterNotFoundAction is required") + if v.validationRule.CEL.ParamRef.ParameterNotFoundAction == nil { + return nil, "", fmt.Errorf("cel.paramRef.parameterNotFoundAction is required") } - if v.rule.CEL.ParamKind == nil { - return "", fmt.Errorf("cel.paramKind is required") + if v.validationRule.CEL.ParamKind == nil { + return nil, "", fmt.Errorf("cel.paramKind is required") } } - if v.rule.CEL.AuditAnnotations != nil { - for _, auditAnnotation := range v.rule.CEL.AuditAnnotations { + if v.validationRule.CEL.AuditAnnotations != nil { + for _, auditAnnotation := range v.validationRule.CEL.AuditAnnotations { if auditAnnotation.Key == "" { - return "", fmt.Errorf("cel.auditAnnotation.key is required") + return nil, "", fmt.Errorf("cel.auditAnnotation.key is required") } if auditAnnotation.ValueExpression == "" { - return "", fmt.Errorf("cel.auditAnnotation.valueExpression is required") + return nil, "", fmt.Errorf("cel.auditAnnotation.valueExpression is required") } } } } - return "", nil + if w, err := v.validateAuth(ctx); err != nil { + return nil, "", err + } else if len(w) > 0 { + warnings = append(warnings, w...) 
+ } + + return warnings, "", nil +} + +func (v *Validate) validateAuth(ctx context.Context) (warnings []string, err error) { + kinds := v.rule.MatchResources.GetKinds() + for _, k := range kinds { + if wildcard.ContainsWildcard(k) { + return nil, nil + } + + verbs := []string{"get", "list", "watch"} + ok, msg, err := v.authChecker.CanI(ctx, verbs, k, "", "", "") + if err != nil { + return nil, err + } + if !ok { + return []string{msg}, nil + } + } + + return nil, nil } func (v *Validate) validateElements() error { - count := validationElemCount(v.rule) + count := validationElemCount(v.validationRule) if count == 0 { return fmt.Errorf("one of pattern, anyPattern, deny, foreach, cel must be specified") } diff --git a/pkg/policy/validate/validate_test.go b/pkg/policy/validate/validate_test.go index da6fa0868c..329263ba6e 100644 --- a/pkg/policy/validate/validate_test.go +++ b/pkg/policy/validate/validate_test.go @@ -13,12 +13,12 @@ func Test_Validate_OverlayPattern_Empty(t *testing.T) { rawValidation := []byte(` {}`) - var validation kyverno.Validation - err := json.Unmarshal(rawValidation, &validation) + var rule kyverno.Rule + err := json.Unmarshal(rawValidation, &rule) assert.NilError(t, err) - checker := NewValidateFactory(&validation) - if _, err := checker.Validate(context.TODO()); err != nil { + checker := NewMockValidateFactory(&rule) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } } @@ -31,8 +31,8 @@ func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) { var validation kyverno.Validation err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(&validation) - if _, err := checker.Validate(context.TODO()); err != nil { + checker := NewMockValidateFactory(&kyverno.Rule{Validation: validation}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } } 
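Review bot: In `validateAuth`, `return nil, nil` on a wildcard kind ends the whole loop, so any kind listed after a wildcard entry is never checked; `continue` would skip only the wildcard. The loop also returns at the first `!ok`, so a policy matching several kinds the reports service account cannot read gets a single warning rather than one per kind. Collecting the messages and letting the loop run fixes both; the check is also issued with an empty namespace, which presumably evaluates cluster-wide access even for a namespaced Policy — worth confirming against the checker. Validate's body starts before this hunk.
```go
func (v *Validate) validateAuth(ctx context.Context) (warnings []string, err error) {
	for _, k := range v.rule.MatchResources.GetKinds() {
		// a wildcard kind cannot be resolved to a resource; skip only this entry
		if wildcard.ContainsWildcard(k) {
			continue
		}
		verbs := []string{"get", "list", "watch"}
		ok, msg, err := v.authChecker.CanI(ctx, verbs, k, "", "", "")
		if err != nil {
			return nil, err
		}
		if !ok {
			warnings = append(warnings, msg)
		}
	}
	return warnings, nil
}
```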
@@ -69,8 +69,8 @@ func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) { var validation kyverno.Validation err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(&validation) - if _, err := checker.Validate(context.TODO()); err != nil { + checker := NewMockValidateFactory(&kyverno.Rule{Validation: validation}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } } @@ -107,8 +107,8 @@ func Test_Validate_OverlayPattern_Valid(t *testing.T) { var validation kyverno.Validation err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(&validation) - if _, err := checker.Validate(context.TODO()); err != nil { + checker := NewMockValidateFactory(&kyverno.Rule{Validation: validation}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.NilError(t, err) } } @@ -140,8 +140,8 @@ func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) { var validation kyverno.Validation err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(&validation) - if _, err := checker.Validate(context.TODO()); err != nil { + checker := NewMockValidateFactory(&kyverno.Rule{Validation: validation}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } } @@ -170,8 +170,8 @@ func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) { var validation kyverno.Validation err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(&validation) - if _, err := checker.Validate(context.TODO()); err != nil { + checker := NewMockValidateFactory(&kyverno.Rule{Validation: validation}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } } 
@@ -203,8 +203,8 @@ func Test_Validate_ExistingAnchor_Valid(t *testing.T) { err = json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(&validation) - if _, err := checker.Validate(context.TODO()); err != nil { + checker := NewMockValidateFactory(&kyverno.Rule{Validation: validation}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } rawValidation = []byte(` @@ -228,8 +228,8 @@ func Test_Validate_ExistingAnchor_Valid(t *testing.T) { } `) err = json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker = NewValidateFactory(&validation) - if _, err := checker.Validate(context.TODO()); err != nil { + checker = NewMockValidateFactory(&kyverno.Rule{Validation: validation}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } @@ -269,8 +269,8 @@ func Test_Validate_Validate_ValidAnchor(t *testing.T) { err = json.Unmarshal(rawValidate, &validate) assert.NilError(t, err) - checker := NewValidateFactory(&validate) - if _, err := checker.Validate(context.TODO()); err != nil { + checker := NewMockValidateFactory(&kyverno.Rule{Validation: validate}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.NilError(t, err) } @@ -291,8 +291,8 @@ func Test_Validate_Validate_ValidAnchor(t *testing.T) { err = json.Unmarshal(rawValidate, &validate) assert.NilError(t, err) - checker = NewValidateFactory(&validate) - if _, err := checker.Validate(context.TODO()); err != nil { + checker = NewMockValidateFactory(&kyverno.Rule{Validation: validate}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.NilError(t, err) } } 
@@ -318,8 +318,8 @@ func Test_Validate_Validate_Mismatched(t *testing.T) { var validate kyverno.Validation err := json.Unmarshal(rawValidate, &validate) assert.NilError(t, err) - checker := NewValidateFactory(&validate) - if _, err := checker.Validate(context.TODO()); err != nil { + checker := NewMockValidateFactory(&kyverno.Rule{Validation: validate}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } } @@ -348,8 +348,8 @@ func Test_Validate_Validate_Unsupported(t *testing.T) { err = json.Unmarshal(rawValidate, &validate) assert.NilError(t, err) - checker := NewValidateFactory(&validate) - if _, err := checker.Validate(context.TODO()); err != nil { + checker := NewMockValidateFactory(&kyverno.Rule{Validation: validate}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } @@ -374,8 +374,8 @@ func Test_Validate_Validate_Unsupported(t *testing.T) { err = json.Unmarshal(rawValidate, &validate) assert.NilError(t, err) - checker = NewValidateFactory(&validate) - if _, err := checker.Validate(context.TODO()); err != nil { + checker = NewMockValidateFactory(&kyverno.Rule{Validation: validate}) + if _, _, err := checker.Validate(context.TODO()); err != nil { assert.Assert(t, err != nil) } diff --git a/pkg/validation/cleanuppolicy/validate.go b/pkg/validation/cleanuppolicy/validate.go index 99da17f89c..0bedaa8175 100644 --- a/pkg/validation/cleanuppolicy/validate.go +++ b/pkg/validation/cleanuppolicy/validate.go 
@@ -73,18 +73,15 @@ func validateAuth(ctx context.Context, client dclient.Interface, policy kyvernov
 resourceFilters := spec.MatchResources.GetResourceFilters()
 for _, res := range resourceFilters {
 for _, kind := range res.Kinds {
- if len(res.Names) == 0 {
- err := canI(ctx, client, kind, namespace, "", "")
+ names := res.Names
+ if len(names) == 0 {
+ names = append(names, "")
+ }
+ for _, name := range names {
+ err := canI(ctx, client, kind, namespace, name, "")
 if err != nil {
 return err
 }
- } else {
- for _, name := range res.Names {
- err := canI(ctx, client, kind, namespace, name, "")
- if err != nil {
- return err
- }
- }
 }
 }
 }
diff --git a/pkg/validation/policy/actions.go b/pkg/validation/policy/actions.go
index 1cbbe3b2ae..6dba3fb157 100644
--- a/pkg/validation/policy/actions.go
+++ b/pkg/validation/policy/actions.go
@@ -9,8 +9,6 @@ import (
 authChecker "github.com/kyverno/kyverno/pkg/auth/checker"
 "github.com/kyverno/kyverno/pkg/clients/dclient"
 "github.com/kyverno/kyverno/pkg/logging"
- "github.com/kyverno/kyverno/pkg/policy/auth"
- "github.com/kyverno/kyverno/pkg/policy/auth/fake"
 "github.com/kyverno/kyverno/pkg/policy/generate"
 "github.com/kyverno/kyverno/pkg/policy/mutate"
 "github.com/kyverno/kyverno/pkg/policy/validate"
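Review bot: `names = append(names, "")` on an empty slice reads as if it were extending `res.Names`; `names = []string{""}` states the actual intent, a single check with no name, more directly. A one-line comment such as `// no Names listed: check the kind once without a name` would explain why an empty string is probed. validateAuth's signature and the rest of its body lie outside the hunk.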
@@ -20,51 +18,47 @@ import ( // Validation provides methods to validate a rule type Validation interface { - Validate(ctx context.Context) (string, error) + Validate(ctx context.Context) (warnings []string, path string, err error) } // validateAction performs validation on the rule actions // - Mutate // - Validation // - Generate -func validateActions(idx int, rule *kyvernov1.Rule, client dclient.Interface, mock bool, username string) (string, error) { +func validateActions(idx int, rule *kyvernov1.Rule, client dclient.Interface, mock bool, backgroundSA, reportsSA string) (warnings []string, err error) { if rule == nil { - return "", nil + return nil, nil } var checker Validation + // Mutate if rule.HasMutate() { - var authChecker auth.Operations - if mock { - authChecker = fake.NewFakeAuth() - } else { - authChecker = auth.NewAuth(client, username, logging.GlobalLogger()) - } - checker = mutate.NewMutateFactory(rule.Mutation, authChecker, username) - if path, err := checker.Validate(context.TODO()); err != nil { - return "", fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", idx, path, err) + checker = mutate.NewMutateFactory(rule.Mutation, client, mock, backgroundSA) + if w, path, err := checker.Validate(context.TODO()); err != nil { + return nil, fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", idx, path, err) + } else if w != nil { + warnings = append(warnings, w...) } } // Validate if rule.HasValidate() { - checker = validate.NewValidateFactory(&rule.Validation) - if path, err := checker.Validate(context.TODO()); err != nil { - return "", fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", idx, path, err) + checker = validate.NewValidateFactory(rule, client, mock, reportsSA) + if w, path, err := checker.Validate(context.TODO()); err != nil { + return nil, fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", idx, path, err) + } else if w != nil { + warnings = append(warnings, w...) 
} - // In case generateValidatingAdmissionPolicy flag is set to true, check the required permissions. if rule.HasValidateCEL() && toggle.FromContext(context.TODO()).GenerateValidatingAdmissionPolicy() { authCheck := authChecker.NewSelfChecker(client.GetKubeClient().AuthorizationV1().SelfSubjectAccessReviews()) - // check if the controller has the required permissions to generate validating admission policies. if !validatingadmissionpolicy.HasValidatingAdmissionPolicyPermission(authCheck) { - return "insufficient permissions to generate ValidatingAdmissionPolicies", nil + warnings = append(warnings, "insufficient permissions to generate ValidatingAdmissionPolicies") } - // check if the controller has the required permissions to generate validating admission policy bindings. if !validatingadmissionpolicy.HasValidatingAdmissionPolicyBindingPermission(authCheck) { - return "insufficient permissions to generate ValidatingAdmissionPolicyBindings", nil + warnings = append(warnings, "insufficient permissions to generate ValidatingAdmissionPolicies") } } } 
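Review bot: The warning added when `HasValidatingAdmissionPolicyBindingPermission` fails says `"insufficient permissions to generate ValidatingAdmissionPolicies"`, the same text as the policy check above it; the removed line read `ValidatingAdmissionPolicyBindings`, and with both checks now appending instead of returning, a user who fails only the binding check gets a misleading message. Change it to `warnings = append(warnings, "insufficient permissions to generate ValidatingAdmissionPolicyBindings")`. The two explanatory comments on those checks were also dropped without replacement; keeping `// check if the controller has the required permissions to generate validating admission policy bindings.` costs nothing. validateActions continues in the next hunk.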
@@ -76,20 +70,24 @@ func validateActions(idx int, rule *kyvernov1.Rule, client dclient.Interface, mo // this need to modified to use different implementation for online and offline mode if mock { checker = generate.NewFakeGenerate(rule.Generation) - if path, err := checker.Validate(context.TODO()); err != nil { - return "", fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err) + if w, path, err := checker.Validate(context.TODO()); err != nil { + return nil, fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err) + } else if warnings != nil { + warnings = append(warnings, w...) } } else { - checker = generate.NewGenerateFactory(client, rule.Generation, username, logging.GlobalLogger()) - if path, err := checker.Validate(context.TODO()); err != nil { - return "", fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err) + checker = generate.NewGenerateFactory(client, rule.Generation, backgroundSA, logging.GlobalLogger()) + if w, path, err := checker.Validate(context.TODO()); err != nil { + return nil, fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err) + } else if warnings != nil { + warnings = append(warnings, w...) } } if slices.Contains(rule.MatchResources.Kinds, rule.Generation.Kind) { - return "", fmt.Errorf("generation kind and match resource kind should not be the same") + return nil, fmt.Errorf("generation kind and match resource kind should not be the same") } } - return "", nil + return warnings, nil } diff --git a/pkg/validation/policy/fuzz_test.go b/pkg/validation/policy/fuzz_test.go index 953f3a9b38..77c7d7d1e0 100644 --- a/pkg/validation/policy/fuzz_test.go +++ b/pkg/validation/policy/fuzz_test.go @@ -14,6 +14,6 @@ func FuzzValidatePolicy(f *testing.F) { p := &kyverno.ClusterPolicy{} ff.GenerateStruct(p) - Validate(p, nil, nil, nil, true, "admin") + Validate(p, nil, nil, nil, true, "admin", "admin") }) } 
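Review bot: Both generate branches test the accumulator rather than the result: `} else if warnings != nil { warnings = append(warnings, w...) }` only keeps `w` when an earlier rule branch already produced a warning, so generate warnings are silently dropped in the common case. The mutate and validate branches above use `} else if w != nil {`, which is what was meant here too. Today `generate.Validate` returns nil warnings on every path shown in this diff, so the bug is latent, but the first warning added there will disappear.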
diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go index 1c232d47b3..2a6d977484 100644 --- a/pkg/validation/policy/validate.go +++ b/pkg/validation/policy/validate.go @@ -128,7 +128,7 @@ func checkValidationFailureAction(validationFailureAction kyvernov1.ValidationFa } // Validate checks the policy and rules declarations for required configurations -func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interface, kyvernoClient versioned.Interface, mock bool, username string) ([]string, error) { +func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interface, kyvernoClient versioned.Interface, mock bool, backgroundSA, reportsSA string) ([]string, error) { var warnings []string spec := policy.GetSpec() background := spec.BackgroundProcessingEnabled() @@ -322,13 +322,11 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf } } - msg, err := validateActions(i, &rules[i], client, mock, username) + w, err := validateActions(i, &rules[i], client, mock, backgroundSA, reportsSA) if err != nil { return warnings, err - } else { - if len(msg) != 0 { - warnings = append(warnings, msg) - } + } else if len(w) > 0 { + warnings = append(warnings, w...) } if rule.HasVerifyImages() { diff --git a/pkg/webhooks/policy/handlers.go b/pkg/webhooks/policy/handlers.go index 5dc2d0652b..44e2265059 100644 --- a/pkg/webhooks/policy/handlers.go +++ b/pkg/webhooks/policy/handlers.go 
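Review bot: The `Validate` doc comment still reads `// Validate checks the policy and rules declarations for required configurations` and says nothing about the two new service-account parameters, although they decide which identity each rule type is authorised against. Adding `// backgroundSA is checked for mutate and generate rules, reportsSA for validate rules; both are ignored when mock is true` would match how `validateActions` routes them. The `else if len(w) > 0` after an unconditional `return` can be flattened to a plain `if`. The second hunk ends inside Validate's rule loop.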
@@ -17,13 +17,15 @@ type policyHandlers struct { client dclient.Interface kyvernoClient versioned.Interface backgroundServiceAccountName string + reportsServiceAccountName string } -func NewHandlers(client dclient.Interface, kyvernoClient versioned.Interface, serviceaccount string) webhooks.PolicyHandlers { +func NewHandlers(client dclient.Interface, kyvernoClient versioned.Interface, backgroundSA, reportsSA string) webhooks.PolicyHandlers { return &policyHandlers{ client: client, kyvernoClient: kyvernoClient, - backgroundServiceAccountName: serviceaccount, + backgroundServiceAccountName: backgroundSA, + reportsServiceAccountName: reportsSA, } } @@ -33,7 +35,7 @@ func (h *policyHandlers) Validate(ctx context.Context, logger logr.Logger, reque logger.Error(err, "failed to unmarshal policies from admission request") return admissionutils.Response(request.UID, err) } - warnings, err := policyvalidate.Validate(policy, oldPolicy, h.client, h.kyvernoClient, false, h.backgroundServiceAccountName) + warnings, err := policyvalidate.Validate(policy, oldPolicy, h.client, h.kyvernoClient, false, h.backgroundServiceAccountName, h.reportsServiceAccountName) if err != nil { logger.Error(err, "policy validation errors") } diff --git a/pkg/webhooks/resource/generation/handler.go b/pkg/webhooks/resource/generation/handler.go index 6e52d32868..75a792bb3b 100644 --- a/pkg/webhooks/resource/generation/handler.go +++ b/pkg/webhooks/resource/generation/handler.go @@ -43,6 +43,7 @@ func NewGenerationHandler( eventGen event.Interface, metrics metrics.MetricsConfigManager, backgroundServiceAccountName string, + reportsServiceAccountName string, ) GenerationHandler { return &generationHandler{ log: log, @@ -57,6 +58,7 @@ func NewGenerationHandler( eventGen: eventGen, metrics: metrics, backgroundServiceAccountName: backgroundServiceAccountName, + reportsServiceAccountName: reportsServiceAccountName, } } 
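Review bot: `NewHandlers(client, kyvernoClient, backgroundSA, reportsSA string)` now takes two adjacent strings of the same type, and the second hunk passes them positionally into `policyvalidate.Validate`; a swap at a call site compiles cleanly and would evaluate each rule type against the wrong service account, and the callers in cmd/ are not part of this diff. A doc comment spelling out the order, e.g. `// NewHandlers builds the policy webhook handlers; backgroundSA is the background controller's service account, reportsSA the reports controller's`, is the minimum, and a small options struct would remove the hazard. The same shape appears in `NewGenerationHandler` and the resource `NewHandlers` in the following hunks.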
@@ -73,6 +75,7 @@ type generationHandler struct { eventGen event.Interface metrics metrics.MetricsConfigManager backgroundServiceAccountName string + reportsServiceAccountName string } func (h *generationHandler) Handle( diff --git a/pkg/webhooks/resource/handlers.go b/pkg/webhooks/resource/handlers.go index 96deb10a86..8ebc55168b 100644 --- a/pkg/webhooks/resource/handlers.go +++ b/pkg/webhooks/resource/handlers.go @@ -63,6 +63,7 @@ type resourceHandlers struct { admissionReports bool backgroundServiceAccountName string + reportsServiceAccountName string auditPool *pond.WorkerPool reportsBreaker breaker.Breaker } @@ -82,6 +83,7 @@ func NewHandlers( eventGen event.Interface, admissionReports bool, backgroundServiceAccountName string, + reportsServiceAccountName string, jp jmespath.Interface, maxAuditWorkers int, maxAuditCapacity int, @@ -103,6 +105,7 @@ func NewHandlers( pcBuilder: webhookutils.NewPolicyContextBuilder(configuration, jp), admissionReports: admissionReports, backgroundServiceAccountName: backgroundServiceAccountName, + reportsServiceAccountName: reportsServiceAccountName, auditPool: pond.New(maxAuditWorkers, maxAuditCapacity, pond.Strategy(pond.Lazy())), reportsBreaker: reportsBreaker, } diff --git a/pkg/webhooks/resource/updaterequest.go b/pkg/webhooks/resource/updaterequest.go index feb7f7e7e6..2b6cae6a4a 100644 --- a/pkg/webhooks/resource/updaterequest.go +++ b/pkg/webhooks/resource/updaterequest.go 
@@ -106,7 +106,7 @@ func (h *resourceHandlers) handleGenerate(ctx context.Context, logger logr.Logge return } - gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig, h.backgroundServiceAccountName) + gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig, h.backgroundServiceAccountName, h.reportsServiceAccountName) var policies []kyvernov1.PolicyInterface for _, p := range generatePolicies { new := skipBackgroundRequests(p, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username) diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/chainsaw-test.yaml index df15d93cba..d1964878ee 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/permissions.yaml new file mode 100644 index 0000000000..e1089d7d37 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-delete-source/permissions.yaml 
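Review bot: The call `skipBackgroundRequests(p, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username)` on the last context line still recognises only the background controller's service account, while the handler built two lines above is now also told about the reports controller SA. If admission requests authored by the reports controller can reach handleGenerate, generate rules will be re-evaluated for its writes, which is presumably the feedback loop this skip exists to prevent; if they cannot, a short comment such as `// only the background controller re-enters generate; the reports SA never triggers rules` would preempt the question. The function body continues outside the hunk.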
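Review bot: `permissions.yaml` is applied immediately before the policy with nothing in between, but an aggregation-labelled ClusterRole only takes effect once the aggregation controller copies its rules into the controller roles and the authorizer observes them, which is asynchronous. If the policy webhook now checks the controllers' permissions at admission time (which is what threading the service-account names into Validate suggests), applying the policy can race the aggregation and fail intermittently. An `assert` step between the two applies that waits for the `secrets` rule to appear in the aggregated controller ClusterRole, or a retry on the policy apply, would make the ordering explicit. The same sequence is repeated in every chainsaw-test.yaml touched by this change.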
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-091a1b + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/chainsaw-test.yaml index 6a0eb4cef0..b5eaea5c20 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/permissions.yaml new file mode 100644 index 0000000000..7d37caa418 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-list-sync-same-trigger-source-update-source/permissions.yaml 
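Review bot: The admission and reports controllers receive `create`, `update` and `delete` on `secrets` through the `aggregate-to-admission-controller` and `aggregate-to-reports-controller` labels, although only the background controller writes generated resources; the admission webhook is the most exposed component in the deployment and should hold read access at most. This same change already models the right split in another fixture (a view role with `get`/`list`/`watch` aggregated to all three controllers, plus a write role aggregated only to the background controller), so this file can follow that shape. Conformance fixtures tend to be copied into user-facing examples, which makes the over-grant worth fixing even in a test.
```yaml
# … unchanged: kyverno:secrets-091a1b with verbs trimmed to get/list/watch …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:secrets-edit-091a1b
  labels:
    rbac.kyverno.io/aggregate-to-background-controller: "true"
rules:
- apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - create
  - update
  - delete
```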
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-819b1b + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/chainsaw-test.yaml index 08e8243740..18d3668fc9 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/permissions.yaml new file mode 100644 index 0000000000..609a266898 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-role-and-rolebinding/permissions.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:role-and-rolebinding + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - watch \ No newline at end of file 
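Review bot: `kyverno:role-and-rolebinding` grants only `get`/`list`/`watch` on roles and rolebindings, yet judging by the test name the policy clones both into target namespaces, which the background controller can only do with `create` (and `update`/`delete` when syncing) on those resources. Either the chart's default background-controller role already carries those verbs, in which case a comment such as `# write verbs come from the chart's default background-controller role; this only adds read access for the admission/reports checks` would explain the asymmetry, or the test relies on permissions this file does not show. Read-only across all three controllers is the right shape for the admission and reports labels, unlike the sibling `secrets` fixtures.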
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/chainsaw-test.yaml index 284a4ec633..953163607d 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/permissions.yaml new file mode 100644 index 0000000000..e9154e1f87 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-source-name-exceeds-63-characters/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-19hs91 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/chainsaw-test.yaml index 36f290fca6..ebe48a92a0 100755 
--- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/permissions.yaml new file mode 100644 index 0000000000..58ca62565e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-delete-source/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-la91n1 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/chainsaw-test.yaml index 8570fe7697..b4bfea8c2c 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/chainsaw-test.yaml 
@@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/permissions.yaml new file mode 100644 index 0000000000..057c2387df --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/clone-sync-same-trigger-source-update-source/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-1pq1b + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/chainsaw-test.yaml index bf5b9bb388..798ca2d618 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/permissions.yaml new file mode 100644 index 0000000000..8d636db5f0 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-create-on-trigger-deletion/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-91ys8 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/chainsaw-test.yaml index 03b1501ce3..5ecedd59ff 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: policy.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/permissions.yaml new file mode 100644 index 0000000000..e301dbf5d5 
--- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-k8312 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/chainsaw-test.yaml index 03b1501ce3..5ecedd59ff 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: policy.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/permissions.yaml new file mode 100644 index 0000000000..aa58472a02 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-kao19a + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/chainsaw-test.yaml index 0d345023ff..06e1795675 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/permissions.yaml new file mode 100644 index 0000000000..7220b4241d --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-create-source-after-policy/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-kaa11 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-test.yaml index 9f026339e6..e67f26774f 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/permissions.yaml new file mode 100644 index 0000000000..40fb30b44a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/permissions.yaml 
@@ -0,0 +1,33 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:view + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:generate + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/chainsaw-test.yaml index 9f026339e6..e67f26774f 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/permissions.yaml new file mode 100644 index 0000000000..7b15e7e9db --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/permissions.yaml 
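Review bot: `kyverno:secrets:view` and `kyverno:secrets:generate` are cluster-scoped names with no per-test suffix, unlike the `kyverno:secrets-<suffix>` names used by the sibling fixtures, so any other test that picks these obvious names will overwrite this object and chainsaw's cleanup of either test will delete the role the other still needs. Suffix them like the rest, e.g. `name: kyverno:secrets-view-<suffix>`. The split itself — read verbs aggregated to all three controllers, write verbs only to the background controller — is the least-privilege shape the other secrets fixtures in this change should adopt.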
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-018m1 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/chainsaw-test.yaml index 02cf82aa20..6eea95f977 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/permissions.yaml new file mode 100644 index 0000000000..72bd88377b --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-10ga3 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/chainsaw-test.yaml index be85707693..fcb84b6760 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/permissions.yaml new file mode 100644 index 0000000000..babd6a4a45 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-trigger-source-multiple-targets/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-1kq1a + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/chainsaw-test.yaml index 69b6e17fb7..6314626ce7 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/permissions.yaml new file mode 100644 index 0000000000..7c0c9e748e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-create-on-trigger-deletion/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-mabt11 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-create-upon-generated-resource/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-create-upon-generated-resource/chainsaw-test.yaml index 5ffd23bd25..a7e3c240ce 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-create-upon-generated-resource/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-create-upon-generated-resource/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-create-upon-generated-resource/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-create-upon-generated-resource/permissions.yaml new file mode 100644 index 0000000000..48a5dbfd03 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-create-upon-generated-resource/permissions.yaml 
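Review bot: For a `data` generate rule there is no clone source to read, so the `create`/`update`/`delete` verbs here are needed only by the background controller that writes and syncs the secret, and the read verbs presumably are too; aggregating the full set to the admission and reports controllers via the `aggregate-to-admission-controller` and `aggregate-to-reports-controller` labels gives the webhook write access to secrets it never touches. Keep the background label and drop the other two, or split the role as the reinstall-policy-deprecated fixture in this change does. If the validation that this change threads the service-account names into does require the admission controller to hold some verb before the policy is accepted, a comment naming that verb would justify the label.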
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-nqu34 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-no-creation-upon-generated-resource/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-no-creation-upon-generated-resource/chainsaw-test.yaml index 2f38831512..94aefce3f1 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-no-creation-upon-generated-resource/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-no-creation-upon-generated-resource/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-no-creation-upon-generated-resource/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-no-creation-upon-generated-resource/permissions.yaml new file mode 100644 index 0000000000..77734c3bc0 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-no-creation-upon-generated-resource/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-l1k10 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-test.yaml index e524146ca0..51ef47cf3d 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: policy.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/permissions.yaml new file mode 100644 index 0000000000..2b29c7b7b7 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/permissions.yaml 
@@ -0,0 +1,33 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-view-91ja1 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:edit-1k1o2 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/chainsaw-test.yaml index e524146ca0..51ef47cf3d 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: policy.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/permissions.yaml new file mode 100644 index 0000000000..1800c0cb60 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/permissions.yaml 
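Review bot: The two roles in this fixture use different naming schemes, `kyverno:secrets-view-91ja1` versus `kyverno:secrets:edit-1k1o2` (dash versus colon before the verb group, and unrelated suffixes), which makes it hard to grep for a test's fixtures as a pair. Pick one form and share the suffix, e.g. `kyverno:secrets-view-91ja1` and `kyverno:secrets-edit-91ja1`. The privilege split itself (read to all three controllers, write to the background controller only) is correct and is the pattern the other secrets fixtures in this change should follow.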
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-a12xk + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/chainsaw-test.yaml index 4feecbe58c..70e7e1ae0e 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/chainsaw-test.yaml @@ -10,6 +10,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: roles.yaml - name: step-02 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/permissions.yaml new file mode 100644 index 0000000000..36bb686b73 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-trigger-not-present/permissions.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - get + - list + - watch + - create + - update + - delete 
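Review bot: The ClusterRole in `cpol-data-trigger-not-present/permissions.yaml` uses the fixed name `kyverno:rbac`, and the `data-role-and-rolebinding/permissions.yaml` hunk on the next line creates a ClusterRole with the same name but different rules (roles/rolebindings instead of clusterroles/clusterrolebindings). If these two tests run concurrently, or one test's cleanup runs while the other is active, the second apply overwrites the first and the cleanup removes the permissions the other test still depends on. Every other fixture in this diff carries a random suffix; `name: kyverno:rbac-<suffix>` in both files avoids the collision. Because create/update/delete on clusterroles and clusterrolebindings is a cluster-wide escalation path, keeping that label set to the background controller only, as this hunk does, matters more here than in the secrets fixtures.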
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/chainsaw-test.yaml index 97a4971697..840738ce5d 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/permissions.yaml new file mode 100644 index 0000000000..1db18bfeaa --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/data-role-and-rolebinding/permissions.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/cluster-role.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/cluster-role.yaml index f8a1c99522..0ab333407b 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/cluster-role.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/cluster-role.yaml 
@@ -12,4 +12,38 @@ rules: resources: - deployments verbs: - - update \ No newline at end of file + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-jqo11 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:manage-1lh1k + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/cluster-role.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/cluster-role.yaml index f8a1c99522..5ee2d548d9 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/cluster-role.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/cluster-role.yaml 
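Review bot: The hunk rewrites the old last line `- update`, which lacked a trailing newline, but the new end `- delete` still carries `\ No newline at end of file`; since the commit already touches the file's tail, adding the final newline here and in the `pod-restart-on-cm-update/cluster-role.yaml` hunk on the next line costs nothing. The first document in this file starts above the hunk, so its name and the deployments rule are outside my view.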
@@ -12,4 +12,38 @@ rules: resources: - deployments verbs: - - update \ No newline at end of file + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-kak13 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets:manage-ja51n + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/chainsaw-test.yaml index 335aeaf504..601405f1ab 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: manifests.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/permissions.yaml new file mode 100644 index 0000000000..8d5241fc77 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/multiple/sync/basic-create/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-lal13 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/chainsaw-test.yaml index c7caff71eb..516a48aae4 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/permissions.yaml new file mode 100644 index 0000000000..18e48f48c9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-create/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-kqo1 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/chainsaw-test.yaml index 585a3b211e..d9c162f9c0 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/permissions.yaml new file mode 100644 index 0000000000..dc879693f2 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-downstream/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-k113f + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/chainsaw-test.yaml index 8a6273d8b6..342d9551f1 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/chainsaw-test.yaml @@ -13,6 +13,8 @@ spec: file: policy-ready.yaml - name: step-02 try: + - apply: + file: permissions.yaml - apply: file: ns.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/permissions.yaml new file mode 100644 index 0000000000..6730d0e55c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-policy/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-skh1 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/chainsaw-test.yaml index f11bf80a6d..ea9fed45b1 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: policy.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/permissions.yaml new file mode 100644 index 0000000000..7d3933d3fb --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-rule/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-0191s + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/chainsaw-test.yaml index af8cfbae68..2472baae27 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: policy.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/permissions.yaml new file mode 100644 index 0000000000..a3645305b4 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-source/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-la1lk + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/chainsaw-test.yaml index b49266d25d..b05b9cf8c9 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/permissions.yaml new file mode 100644 index 0000000000..1dd1fb9ba8 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-delete-trigger/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-ka32a + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/chainsaw-test.yaml index d5250dc1e1..ef88908c3a 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: policy.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/permissions.yaml new file mode 100644 index 0000000000..80e8e451b1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-downstream/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-oa11s + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/chainsaw-test.yaml index 663599fea7..c05c5f026b 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: policy.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/permissions.yaml new file mode 100644 index 0000000000..39c16da2a6 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-modify-source/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-nsalj + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/chainsaw-test.yaml index c8e4486781..557c6f6ac0 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/permissions.yaml new file mode 100644 index 0000000000..c723194b76 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/nosync/cpol-clone-nosync-update-trigger-no-match/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-lkjso + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/chainsaw-test.yaml index 519798f9e0..5522a5e1db 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: manifests.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/permissions.yaml new file mode 100644 index 0000000000..419957961e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-xaeqi + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/chainsaw-test.yaml index c9aa7db436..300c95a925 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/permissions.yaml new file mode 100644 index 0000000000..a1329e8c61 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-delete-source/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-kal1v + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/chainsaw-test.yaml index f5e4b34e68..f17b93aef4 100755 
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-00 try: + - apply: + file: permissions.yaml - apply: file: manifests.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/permissions.yaml new file mode 100644 index 0000000000..d5afc57b2b --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-msqhqi + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/chainsaw-test.yaml index 4a158101be..761abb003a 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/permissions.yaml new file mode 100644 index 0000000000..5317220819 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-create/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-19sq9 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/chainsaw-test.yaml index e8a1c05b9f..3028ed3e6e 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: chainsaw-step-01-apply-1-1.yaml - apply: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/permissions.yaml new file mode 100644 index 0000000000..322d2671c2 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-downstream/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-akao1 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/chainsaw-test.yaml index 036e069de6..897b88abb1 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/chainsaw-test.yaml @@ -11,6 +11,8 @@ spec: duration: 3s - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: policy.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/permissions.yaml new file mode 100644 index 0000000000..4445c62997 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/permissions.yaml 
@@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-1k9q + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/chainsaw-test.yaml index 33168627ae..fe238c4245 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/chainsaw-test.yaml @@ -11,6 +11,8 @@ spec: duration: 3s - name: step-01 try: + - apply: + file: permissions.yaml - apply: file: policy.yaml - assert: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/permissions.yaml new file mode 100644 index 0000000000..44225d25e0 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/permissions.yaml 
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-lak1231
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/chainsaw-test.yaml
index 7e70683c25..a45af2da77 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/chainsaw-test.yaml
@@ -11,6 +11,8 @@ spec:
 duration: 3s
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: policy.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/permissions.yaml
new file mode 100644
index 0000000000..e59461fd86
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-jksu
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/chainsaw-test.yaml
index 013279f45a..4eb6f29746 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/permissions.yaml
new file mode 100644
index 0000000000..bbef4efc7a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-trigger/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-kjsqu
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/chainsaw-test.yaml
index f20146f12c..b39acf0cc2 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/permissions.yaml
new file mode 100644
index 0000000000..65a6533085
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-1019j
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/chainsaw-test.yaml
index e54568df30..f7cfe919ad 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/chainsaw-test.yaml
@@ -11,6 +11,8 @@ spec:
 duration: 3s
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: policy.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/permissions.yaml
new file mode 100644
index 0000000000..26f9fc9239
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream-apply/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-9181k
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/chainsaw-test.yaml
index ef8f512b25..376f1a1602 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/chainsaw-test.yaml
@@ -11,6 +11,8 @@ spec:
 duration: 3s
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: policy.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/permissions.yaml
new file mode 100644
index 0000000000..791704b1e2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-1iaa
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/chainsaw-test.yaml
index 588a6c92c9..97c5443577 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/chainsaw-test.yaml
@@ -7,6 +7,10 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
+ - assert:
+ file: permissions-ready.yaml
 - apply:
 file: policy.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/permissions-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/permissions-ready.yaml
new file mode 100644
index 0000000000..d25454a6ba
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/permissions-ready.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-kao11k
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/permissions.yaml
new file mode 100644
index 0000000000..0f21d11c71
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-kao11k
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/chainsaw-test.yaml
index 62dcf71050..5684774f16 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/permissions.yaml
new file mode 100644
index 0000000000..ba760cebda
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-no-existing-update-trigger-no-precondition/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-0191v
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/chainsaw-test.yaml
index f8df55731f..535fc0ccb8 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/permissions.yaml
new file mode 100644
index 0000000000..a86d3c4945
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-update-trigger-no-match/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-klqo1
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/chainsaw-test.yaml
index 911052ec42..551c0cf441 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: policy.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/permissions.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/permissions.yaml
new file mode 100644
index 0000000000..56f827939d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-iaj1s
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/chainsaw-test.yaml
index aff2501215..d6b39408a3 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: manifests.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/permissions.yaml
new file mode 100644
index 0000000000..d0359aa04b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-create/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-kaj19
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
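Review bot: This ClusterRole is named `kyverno:secrets-kaj19`, and the permissions.yaml added further down for pol-clone-nosync-modify-downstream has the identical name and content (both blobs carry the index `d0359aa04b`). ClusterRoles are cluster-scoped, so if chainsaw runs those two tests concurrently the second `apply` takes over an object the first test created and whichever test cleans up first removes the grant the other still depends on, which would surface as intermittent failures unrelated to the behaviour under test. Each fixture should get a unique name, e.g. `name: kyverno:secrets-pol-clone-nosync-create`, ideally derived from the test directory for every permissions.yaml in this change.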
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/chainsaw-test.yaml
index c9b688bfdd..67b567465a 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: manifests.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/permissions.yaml
new file mode 100644
index 0000000000..d2a66024a8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-laj191
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/chainsaw-test.yaml
index 4e2bdca7d9..d3ae5f55b1 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: manifests.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/permissions.yaml
new file mode 100644
index 0000000000..731f0a8e8d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-moi11
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/chainsaw-test.yaml
index 07f42ee9ba..2e94d7c611 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: manifests.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/permissions.yaml
new file mode 100644
index 0000000000..e8c79473e4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-i101a
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/chainsaw-test.yaml
index eb2894d819..4319e40b11 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: manifests.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/permissions.yaml
new file mode 100644
index 0000000000..5300a803f6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-lhw
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/chainsaw-test.yaml
index 3da2652c52..7dbf48f558 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/permissions.yaml
new file mode 100644
index 0000000000..b4ffde0449
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-trigger/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-1918d
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/chainsaw-test.yaml
index edf0f56054..688820532c 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - script:
 content: "if kubectl apply -f policy1.yaml\nthen \n echo \"Tested failed. Policy was created when it shouldn't have been.\"\n exit 1 \nelse \n echo
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/permissions.yaml
new file mode 100644
index 0000000000..290eb87649
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-101j9
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/chainsaw-test.yaml
index 60ab800051..bbcbc0866b 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: manifests.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/permissions.yaml
new file mode 100644
index 0000000000..d0359aa04b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-kaj19
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/chainsaw-test.yaml
index cea078dd9e..a181618fb3 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: manifests.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/permissions.yaml
new file mode 100644
index 0000000000..041f5b3ed7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-kai191
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/chainsaw-test.yaml
index 15cae060a7..ea99391435 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/permissions.yaml
new file mode 100644
index 0000000000..a05e122e35
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/nosync/pol-clone-nosync-update-trigger-no-match/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-k1o1v
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/chainsaw-test.yaml
index 16a4f72543..3a65a3d0aa 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/permissions.yaml
new file mode 100644
index 0000000000..bc7d92b154
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-downstream/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-9181f
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/chainsaw-test.yaml
index 5ddcc23ee0..505516dabf 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: manifests.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/permissions.yaml
new file mode 100644
index 0000000000..602beb20cd
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-111s
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/chainsaw-test.yaml
index 349f192b5e..1e18125ead 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: manifests.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/permissions.yaml
new file mode 100644
index 0000000000..4614590ef0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-msqpo1
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/chainsaw-test.yaml
index 077bad6913..4f7a9eba19 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: policy.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/permissions.yaml
new file mode 100644
index 0000000000..812e2b1e93
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-source/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-mqpi
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/chainsaw-test.yaml
index 0a4779b129..05711b77a4 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/permissions.yaml
new file mode 100644
index 0000000000..bd41f2ee89
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-delete-trigger/permissions.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:secrets-akl19 + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/chainsaw-test.yaml index d08f8e6960..b255ff14ec 100755 --- a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/chainsaw-test.yaml @@ -7,6 +7,8 @@ spec: steps: - name: step-01 try: + - apply: + file: permissions.yaml - script: content: "if kubectl apply -f policy1.yaml\nthen \n echo \"Tested failed. Policy was created when it shouldn't have been.\"\n exit 1 \nelse \n echo diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/permissions.yaml new file mode 100644 index 0000000000..cef55b5075 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-invalid/permissions.yaml 
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-ak11a
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/chainsaw-test.yaml
index 7019d73eb9..6fe1885073 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/permissions.yaml
new file mode 100644
index 0000000000..1330e4a7ae
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-downstream/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-kqp1m
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/chainsaw-test.yaml
index 6ebda2c1b6..b03b7cc6df 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/permissions.yaml
new file mode 100644
index 0000000000..a087ce9e10
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-modify-source/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-ako1
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/chainsaw-test.yaml
index c894d5ec4c..9ec94fc199 100755
--- a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/permissions.yaml
new file mode 100644
index 0000000000..c4158db888
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/clone/sync/pol-clone-sync-update-trigger-no-match/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-1n10f
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/chainsaw-test.yaml
index 3816ff9cab..657ffa545e 100755
--- a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/permissions.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/permissions.yaml
new file mode 100644
index 0000000000..aba689e1c5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-01901
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/chainsaw-test.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/chainsaw-test.yaml
index 58eeb8b7c0..01afeba971 100755
--- a/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1-1.yaml
 - name: step-02
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/permissions.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/permissions.yaml
new file mode 100644
index 0000000000..a3a5fc60c4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/cloneList/permissions.yaml
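Review bot: The match-trigger-namespace permissions.yaml ends with `\ No newline at end of file`, as do the cloneList, immutable-clone and all of the validate/ permissions.yaml files that follow, while every permissions.yaml earlier in this diff ends in a newline; the files are otherwise generated from one template, so the inconsistency looks accidental. Adding the trailing newline keeps the fixtures uniform and stops a later one-line append from showing up as a two-line diff. None of the new files starts with `---` either; whether to add it depends on what the existing fixtures in this tree do, so I have not proposed a change for that.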
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-1018c
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/chainsaw-test.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/chainsaw-test.yaml
index 678d66fd63..f9c4ed2367 100755
--- a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: policy.yaml
 - assert:
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/permissions.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/permissions.yaml
new file mode 100644
index 0000000000..405fe6098b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/immutable-clone/permissions.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-navq7
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/chainsaw-test.yaml
index 8871cb6e51..d12dd978a2 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/chainsaw-test.yaml
@@ -11,6 +11,8 @@ spec:
 file: crd.yaml
 - assert:
 file: crd-assert.yaml
+ - apply:
+ file: permissions.yaml
 - name: step-02
 try:
 - apply:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/permissions.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/permissions.yaml
new file mode 100644
index 0000000000..eb6ef5827b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/permissions.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:namespaceconstraint
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - rules.example.com
+ resources:
+ - namespaceconstraints
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml
index 30669f7f89..ce5e6a67a6 100755
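Review bot: `kyverno:namespaceconstraint` is the ClusterRole name in both the cel-deprecated and the cel clusterscoped permissions.yaml (the two files are identical, same blob id `eb6ef5827b`), and `kyverno:ssrl` is reused by cel-deprecated set-paramref-namespace and by cel unset-paramref-namespace; ClusterRoles are cluster-scoped, so if chainsaw runs these tests concurrently one test's apply overwrites the other's role and, assuming chainsaw cleans up applied resources at test end, the first test to finish deletes the role from under the other, which shows up as an unrelated permission failure. Naming each role after its test directory, e.g. `name: kyverno:cel-clusterscoped-namespaceconstraint`, removes the collision. The same naming would also help the `kyverno:secrets-<random>` roles earlier in the diff, whose suffixes say nothing about which test owns a rule once it appears in an aggregated role.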
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml
@@ -17,6 +17,8 @@ spec:
 file: crd.yaml
 - assert:
 file: crd-assert.yaml
+ - apply:
+ file: permissions.yaml
 - name: step-03
 try:
 - apply:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/permissions.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/permissions.yaml
new file mode 100644
index 0000000000..0171a698cb
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/permissions.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:ssrl
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - rules.example.com
+ resources:
+ - statefulsetreplicalimits
+ - deploymentreplicalimits
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml
index cf831afab8..31d46aa04a 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml
@@ -7,6 +7,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: ns.yaml
 - assert:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/permissions.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/permissions.yaml
new file mode 100644
index 0000000000..9221b6c534
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/permissions.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:ssrl2
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - rules.example.com
+ resources:
+ - statefulsetreplicalimits
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/chainsaw-test.yaml
index 8871cb6e51..d12dd978a2 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/chainsaw-test.yaml
@@ -11,6 +11,8 @@ spec:
 file: crd.yaml
 - assert:
 file: crd-assert.yaml
+ - apply:
+ file: permissions.yaml
 - name: step-02
 try:
 - apply:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/permissions.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/permissions.yaml
new file mode 100644
index 0000000000..eb6ef5827b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/permissions.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:namespaceconstraint
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - rules.example.com
+ resources:
+ - namespaceconstraints
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml
index 30669f7f89..aa2f469fdf 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml
@@ -13,6 +13,8 @@ spec:
 file: ns.yaml
 - name: step-02
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: crd.yaml
 - assert:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/permissions.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/permissions.yaml
new file mode 100644
index 0000000000..7505464d91
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/permissions.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:drl
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - rules.example.com
+ resources:
+ - deploymentreplicalimits
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml
index cf831afab8..c30b1e52ad 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml
@@ -17,6 +17,8 @@ spec:
 file: crd.yaml
 - assert:
 file: crd-assert.yaml
+ - apply:
+ file: permissions.yaml
 - name: step-03
 try:
 - apply:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/permissions.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/permissions.yaml
new file mode 100644
index 0000000000..59d23915d8
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/permissions.yaml
@@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:ssrl + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-admission-controller: "true" +rules: +- apiGroups: + - rules.example.com + resources: + - statefulsetreplicalimits + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/concurrent-policy-execution/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/concurrent-policy-execution/chainsaw-test.yaml index 80af7056f4..db1e74dd4a 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/concurrent-policy-execution/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa/concurrent-policy-execution/chainsaw-test.yaml @@ -11,7 +11,7 @@ spec: #!/bin/bash set -eu - helm --repo https://kyverno.github.io/kyverno/ install kyverno-policies kyverno-policies --set=podSecurityStandard=restricted --set=background=true --set=validationFailureAction=Enforce + helm --repo https://kyverno.github.io/kyverno/ -n kyverno install kyverno-policies kyverno-policies --set=podSecurityStandard=restricted --set=background=true --set=validationFailureAction=Enforce - assert: file: policy-asserts.yaml - name: apply-test-pods @@ -33,4 +33,4 @@ spec: #!/bin/bash set -eu - helm uninstall kyverno-policies + helm uninstall kyverno-policies -n kyverno diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-test.yaml index 18a1f53bd8..7d1f4ffc4e 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-test.yaml 
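Review bot: The rewritten `helm ... -n kyverno install kyverno-policies kyverno-policies` line in the concurrent-policy-execution test still pulls the chart from the remote repo with no `--version`, so what this test exercises depends on whatever chart is latest at run time and a chart release can break or silently change the test. Pinning it, e.g. `helm --repo https://kyverno.github.io/kyverno/ -n kyverno install kyverno-policies kyverno-policies --version <pinned-chart-version> --set=podSecurityStandard=restricted --set=background=true --set=validationFailureAction=Enforce`, makes the run reproducible and puts chart bumps under review. The `-n kyverno` added to the uninstall hunk matches the install, which is the right pairing; both hunks' scripts continue outside the hunk.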
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-test.yaml
@@ -9,6 +9,8 @@ spec:
 steps:
 - name: step-01
 try:
+ - apply:
+ file: permissions.yaml
 - apply:
 file: chainsaw-step-01-apply-1.yaml
 - apply:
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/permissions.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/permissions.yaml
new file mode 100644
index 0000000000..e48ca89d8f
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/permissions.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:secrets-lak12
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch