diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index d598390ca9..0b15957df0 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -57,6 +57,7 @@ jobs:
 version: v1.27.1
 tests:
 - autogen
+ - background-only
 - cleanup
 - deferred
 - events
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/01-policy.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/02-resource.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/02-resource.yaml
new file mode 100644
index 0000000000..94a47ca2d1
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/02-resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/03-event.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/03-event.yaml
new file mode 100644
index 0000000000..fa9bfc5079
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/03-event.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- background-event.yaml
+error:
+- admission-event.yaml
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/README.md b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/README.md
new file mode 100644
index 0000000000..cbc68bc783
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission ezvent is created.
+One background event is created.
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/admission-event.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/admission-event.yaml
new file mode 100644
index 0000000000..bdeaba721d
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/admission-event.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+source:
+ component: kyverno-admission
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/background-event.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/background-event.yaml
new file mode 100644
index 0000000000..17360de3f4
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/background-event.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+source:
+ component: kyverno-scan
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/policy-assert.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/policy-assert.yaml
new file mode 100644
index 0000000000..4e2954e278
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/policy.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/policy.yaml
new file mode 100644
index 0000000000..9ba9837c46
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/resource.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-event/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/01-policy.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/02-resource.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/02-resource.yaml
new file mode 100644
index 0000000000..94a47ca2d1
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/02-resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/03-report.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/03-report.yaml
new file mode 100644
index 0000000000..27998cc017
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/03-report.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+error:
+- admission-report.yaml
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/README.md b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/README.md
new file mode 100644
index 0000000000..2ca354e9f6
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission report is created.
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/admission-report.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/admission-report.yaml
new file mode 100644
index 0000000000..a1e4032e41
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/admission-report.yaml
@@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1alpha2
+kind: AdmissionReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: pod
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/policy-assert.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/policy-assert.yaml
new file mode 100644
index 0000000000..4e2954e278
--- /dev/null
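Review bot: The `error:`-only step in `cluster-policy/no-admission-report/03-report.yaml` (and the identical `policy/no-admission-report/03-report.yaml` later in this diff) has no positive `assert:`, so as far as I can tell kuttl evaluates the absence check on its first poll and the step passes immediately. An AdmissionReport written a moment after the Pod is created would then go unnoticed. Pairing the negative check with a condition that only becomes true once the controllers have processed the Pod would close that window, the way `03-event.yaml` in the sibling test combines `assert: - background-event.yaml` with `error: - admission-event.yaml`; here that could be an `assert:` entry for the background-scan result of the same Pod.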
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/policy.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/policy.yaml
new file mode 100644
index 0000000000..9ba9837c46
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/resource.yaml b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/no-admission-report/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/background-only/cluster-policy/not-rejected/01-policy.yaml b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/background-only/cluster-policy/not-rejected/02-resource.yaml b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/02-resource.yaml
new file mode 100644
index 0000000000..94a47ca2d1
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/02-resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
diff --git a/test/conformance/kuttl/background-only/cluster-policy/not-rejected/README.md b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/README.md
new file mode 100644
index 0000000000..89489ef465
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
diff --git a/test/conformance/kuttl/background-only/cluster-policy/not-rejected/policy-assert.yaml b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/policy-assert.yaml
new file mode 100644
index 0000000000..4e2954e278
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/background-only/cluster-policy/not-rejected/policy.yaml b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/policy.yaml
new file mode 100644
index 0000000000..9ba9837c46
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/background-only/cluster-policy/not-rejected/resource.yaml b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/kuttl/background-only/cluster-policy/not-rejected/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-event/01-policy.yaml b/test/conformance/kuttl/background-only/policy/no-admission-event/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-event/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-event/02-resource.yaml b/test/conformance/kuttl/background-only/policy/no-admission-event/02-resource.yaml
new file mode 100644
index 0000000000..94a47ca2d1
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-event/02-resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-event/03-event.yaml b/test/conformance/kuttl/background-only/policy/no-admission-event/03-event.yaml
new file mode 100644
index 0000000000..fa9bfc5079
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-event/03-event.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- background-event.yaml
+error:
+- admission-event.yaml
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-event/README.md b/test/conformance/kuttl/background-only/policy/no-admission-event/README.md
new file mode 100644
index 0000000000..cbc68bc783
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-event/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission ezvent is created.
+One background event is created.
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-event/admission-event.yaml b/test/conformance/kuttl/background-only/policy/no-admission-event/admission-event.yaml
new file mode 100644
index 0000000000..bdeaba721d
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-event/admission-event.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+source:
+ component: kyverno-admission
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-event/background-event.yaml b/test/conformance/kuttl/background-only/policy/no-admission-event/background-event.yaml
new file mode 100644
index 0000000000..17360de3f4
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-event/background-event.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+source:
+ component: kyverno-scan
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-event/policy-assert.yaml b/test/conformance/kuttl/background-only/policy/no-admission-event/policy-assert.yaml
new file mode 100644
index 0000000000..d3196721f2
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-event/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-event/policy.yaml b/test/conformance/kuttl/background-only/policy/no-admission-event/policy.yaml
new file mode 100644
index 0000000000..92bab90832
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-event/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-event/resource.yaml b/test/conformance/kuttl/background-only/policy/no-admission-event/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-event/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-report/01-policy.yaml b/test/conformance/kuttl/background-only/policy/no-admission-report/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-report/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-report/02-resource.yaml b/test/conformance/kuttl/background-only/policy/no-admission-report/02-resource.yaml
new file mode 100644
index 0000000000..94a47ca2d1
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-report/02-resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-report/03-report.yaml b/test/conformance/kuttl/background-only/policy/no-admission-report/03-report.yaml
new file mode 100644
index 0000000000..27998cc017
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-report/03-report.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+error:
+- admission-report.yaml
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-report/README.md b/test/conformance/kuttl/background-only/policy/no-admission-report/README.md
new file mode 100644
index 0000000000..2ca354e9f6
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-report/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission report is created.
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-report/admission-report.yaml b/test/conformance/kuttl/background-only/policy/no-admission-report/admission-report.yaml
new file mode 100644
index 0000000000..a1e4032e41
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-report/admission-report.yaml
@@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1alpha2
+kind: AdmissionReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: pod
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-report/policy-assert.yaml b/test/conformance/kuttl/background-only/policy/no-admission-report/policy-assert.yaml
new file mode 100644
index 0000000000..d3196721f2
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-report/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-report/policy.yaml b/test/conformance/kuttl/background-only/policy/no-admission-report/policy.yaml
new file mode 100644
index 0000000000..92bab90832
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-report/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/background-only/policy/no-admission-report/resource.yaml b/test/conformance/kuttl/background-only/policy/no-admission-report/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/no-admission-report/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/background-only/policy/not-rejected/01-policy.yaml b/test/conformance/kuttl/background-only/policy/not-rejected/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/not-rejected/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/background-only/policy/not-rejected/02-resource.yaml b/test/conformance/kuttl/background-only/policy/not-rejected/02-resource.yaml
new file mode 100644
index 0000000000..94a47ca2d1
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/not-rejected/02-resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- resource.yaml
diff --git a/test/conformance/kuttl/background-only/policy/not-rejected/README.md b/test/conformance/kuttl/background-only/policy/not-rejected/README.md
new file mode 100644
index 0000000000..89489ef465
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/not-rejected/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
diff --git a/test/conformance/kuttl/background-only/policy/not-rejected/policy-assert.yaml b/test/conformance/kuttl/background-only/policy/not-rejected/policy-assert.yaml
new file mode 100644
index 0000000000..d3196721f2
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/not-rejected/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/background-only/policy/not-rejected/policy.yaml b/test/conformance/kuttl/background-only/policy/not-rejected/policy.yaml
new file mode 100644
index 0000000000..92bab90832
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/not-rejected/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/background-only/policy/not-rejected/resource.yaml b/test/conformance/kuttl/background-only/policy/not-rejected/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/kuttl/background-only/policy/not-rejected/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/kuttl/policy-validation/policy/admission-disabled/01-policy.yaml b/test/conformance/kuttl/policy-validation/policy/admission-disabled/01-policy.yaml
new file mode 100644
index 0000000000..9a38481ada
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/policy/admission-disabled/01-policy.yaml
@@ -0,0 +1,8 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: policy-validate.yaml
+- file: policy-mutate.yaml
+ shouldFail: true
+- file: policy-verify-image.yaml
+ shouldFail: true
diff --git a/test/conformance/kuttl/policy-validation/policy/admission-disabled/README.md b/test/conformance/kuttl/policy-validation/policy/admission-disabled/README.md
new file mode 100644
index 0000000000..610d979c5e
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/policy/admission-disabled/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create various policies with `admission` set to `false`.
+
+## Expected Behavior
+
+Policies containing mutation, image verification or generation rules should be rejected.
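Review bot: The `apply:` list in `policy-validation/policy/admission-disabled/01-policy.yaml` has no fixture with a generate rule, although the README added next to it states that policies containing mutation, image verification or generation rules should be rejected. The generate case of `admission: false` is therefore not exercised; a further entry `- file: <generate-fixture>.yaml` with `shouldFail: true` (placeholder name) and the matching policy file would cover it. Separately, `shouldFail: true` only checks that the apply fails, not why. `policy-mutate.yaml` differs from the accepted `policy-validate.yaml` in its `match` form (`match.resources` instead of `match.any`) and its kinds list as well as in rule type, so giving all fixtures the same `match` block would make it clearer that the rule type is what triggers the rejection.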
diff --git a/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-mutate.yaml b/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-mutate.yaml
new file mode 100644
index 0000000000..b46ee4b2b8
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-mutate.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: mutate
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: true
+ rules:
+ - name: mutate
+ match:
+ resources:
+ kinds:
+ - Pod
+ - Service
+ - ConfigMap
+ - Secret
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: bar
diff --git a/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-validate.yaml b/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-validate.yaml
new file mode 100644
index 0000000000..8a334b28d6
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-validate.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-verify-image.yaml b/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-verify-image.yaml
new file mode 100644
index 0000000000..10f32ee1e1
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/policy/admission-disabled/policy-verify-image.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: verify-image
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: true
+ rules:
+ - name: verify-image
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "ghcr.io/kyverno/test-verify-image:*"
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+ 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+ -----END PUBLIC KEY-----
diff --git a/test/conformance/kuttl/policy-validation/policy/all-disabled/01-policy.yaml b/test/conformance/kuttl/policy-validation/policy/all-disabled/01-policy.yaml
new file mode 100644
index 0000000000..cc374cb853
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/policy/all-disabled/01-policy.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: policy.yaml
+ shouldFail: true
diff --git a/test/conformance/kuttl/policy-validation/policy/all-disabled/README.md b/test/conformance/kuttl/policy-validation/policy/all-disabled/README.md
new file mode 100644
index 0000000000..7e39604238
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/policy/all-disabled/README.md
@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create a policy with both `admission` and `background` set to `false`.
+
+## Expected Behavior
+
+Policy should be rejected.
diff --git a/test/conformance/kuttl/policy-validation/policy/all-disabled/policy.yaml b/test/conformance/kuttl/policy-validation/policy/all-disabled/policy.yaml
new file mode 100644
index 0000000000..207a93769b
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/policy/all-disabled/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: all-disabled
+spec:
+ validationFailureAction: Audit
+ admission: false
+ background: false
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}