
Added e2e test for JSON patch mutate policy (#2966)

* Adds e2e test for JSON patch mutate policy

Signed-off-by: afzal442 <afzal442@gmail.com>

* modifies the config to use the optimal version of that policy

Signed-off-by: afzal442 <afzal442@gmail.com>

* Fixes the lint issue

Signed-off-by: afzal442 <afzal442@gmail.com>

* modifies test to pass

Signed-off-by: afzal442 <afzal442@gmail.com>

* adds changes to resources

Signed-off-by: afzal442 <afzal442@gmail.com>

Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Afzal Ansari 2022-02-10 10:48:26 +05:30 committed by GitHub
parent 0293368504
commit fc658da1e3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 175 additions and 2 deletions


@ -86,6 +86,16 @@ var tests = []struct {
ResourceRaw: kyverno_2316_resource,
ExpectedPatternRaw: kyverno_2316_pattern,
},
{
TestDescription: "checks that policy mutate env variables of an array with specific index numbers",
PolicyName: "add-image-as-env-var",
PolicyRaw: kyverno_mutate_json_patch,
ResourceName: "foo",
ResourceNamespace: "test-mutate-env-array",
ResourceGVR: podGVR,
ResourceRaw: podWithEnvVar,
ExpectedPatternRaw: podWithEnvVarPattern,
},
{
TestDescription: "checks that preconditions are substituted correctly",
PolicyName: "replace-docker-hub",
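Review bot: The new table entry's `TestDescription` is ungrammatical and does not say what is actually asserted; `"checks that the policy mutates the env array of a container at a specific index"` would read better and match the single-container Pod it uses. Because the resource is a Pod with one container, only the rule `pod-containers-1-inject-image` of `kyverno_mutate_json_patch` is exercised here; the second-container rule and both Deployment rules of that policy remain uncovered by this case, which is worth stating in the description or a short comment on the entry. The referenced symbols `podWithEnvVar`, `podWithEnvVarPattern` and `podGVR` are defined outside this hunk, so whether the namespace `test-mutate-env-array` is created by the harness cannot be confirmed from these lines.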


@ -286,6 +286,169 @@ spec:
runAsNonRoot: true
`)
var kyverno_mutate_json_patch = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-image-as-env-var
# env array needs to exist (least one env var is present)
annotations:
pod-policies.kyverno.io/autogen-controllers: None
policies.kyverno.io/title: Add Image as Environment Variable
policies.kyverno.io/category: Other
policies.kyverno.io/severity: medium
policies.kyverno.io/minversion: 1.4.3
policies.kyverno.io/subject: Pod, Deployment
policies.kyverno.io/description: >-
The Kubernetes downward API only has the ability to express so many
options as environment variables. The image consumed in a Pod is commonly
needed to make the application aware of some logic it must take. This policy
takes the value of the 'image' field and adds it as an environment variable
to bare Pods and Deployments having no more than two containers. The 'env' array must already exist for the policy
to operate correctly. This policy may be easily extended to support other higher-level
Pod controllers as well as more containers by following the established rules.
spec:
background: false
schemaValidation: false
rules:
# One Pod
- name: pod-containers-1-inject-image
match:
resources:
kinds:
- Pod
preconditions:
all:
- key: "{{request.object.spec.containers[] | length(@)}}"
operator: GreaterThanOrEquals
value: 1
mutate:
patchesJson6902: |-
- op: add
path: "/spec/containers/0/env/-"
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[0].image}}"}
# Two or more Pods
- name: pod-containers-2-inject-image
match:
resources:
kinds:
- Pod
preconditions:
all:
- key: "{{request.object.spec.containers[] | length(@)}}"
operator: GreaterThanOrEquals
value: 2
mutate:
patchesJson6902: |-
- op: add
path: "/spec/containers/1/env/-"
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[1].image}}"}
# Deployment with one Pod
- name: deploy-containers-1-inject-image
match:
resources:
kinds:
- Deployment
preconditions:
all:
- key: "{{request.object.spec.template.spec.containers[] | length(@)}}"
operator: GreaterThanOrEquals
value: 1
mutate:
patchesJson6902: |-
- op: add
path: "/spec/template/spec/containers/0/env/-"
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.template.spec.containers[0].image}}"}
# Deployment with two or more Pods
- name: deploy-containers-2-inject-image
match:
resources:
kinds:
- Deployment
preconditions:
all:
- key: "{{request.object.spec.template.spec.containers[] | length(@)}}"
operator: GreaterThanOrEquals
value: 2
mutate:
patchesJson6902: |-
- op: add
path: "/spec/template/spec/containers/1/env/-"
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.template.spec.containers[1].image}}"}
`)
var podWithEnvVar = []byte(`
apiVersion: v1
kind: Pod
metadata:
name: foo
namespace: test-mutate-env-array
spec:
containers:
- command:
- sleep infinity
env:
- name: K8S_IMAGE
value: docker.io/busybox:1.11
image: busybox:1.11
name: busybox
securityContext:
capabilities:
drop:
- SETUID
initContainers:
- command:
- sleep infinity
image: nginx:1.14
name: nginx
securityContext:
capabilities:
drop:
- SETUID
`)
var podWithEnvVarPattern = []byte(`
apiVersion: v1
kind: Pod
metadata:
name: foo
namespace: test-mutate-env-array
spec:
containers:
- command:
- sleep infinity
env:
- name: K8S_IMAGE
value: docker.io/busybox:1.11
image: busybox:1.11
name: busybox
securityContext:
capabilities:
drop:
- SETUID
- command:
- sleep infinity
env:
- name: K8S_IMAGE
value: linkerd:1.21
image: linkerd:1.21
name: linkerd
securityContext:
capabilities:
drop:
- NET_RAW
- SOME_THING
initContainers:
- command:
- sleep infinity
image: nginx:1.14
name: nginx
securityContext:
capabilities:
drop:
- SETUID
`)
var kyverno_2316_policy = []byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -328,11 +491,11 @@ spec:
replicas: 1
selector:
matchLabels:
appa: busybox
app: busybox
template:
metadata:
labels:
appa: busybox
app: busybox
# foo: blaaah
spec:
containers:
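Review bot: The expected pattern `podWithEnvVarPattern` never pins the value the policy injects: `podWithEnvVar` already carries `K8S_IMAGE` with `value: docker.io/busybox:1.11` while its image is `busybox:1.11`, so rule `pod-containers-1-inject-image` should append a second `K8S_IMAGE` entry with `value: busybox:1.11`, yet the pattern's env array for the busybox container lists only the pre-existing `docker.io/busybox:1.11` entry. The pattern also contains a `linkerd` container that does not exist in the resource, so the test presumably passes only because of how the e2e pattern matcher treats arrays, which is not visible here and means a broken patch would likely go undetected. To make the assertion meaningful, give the resource's pre-existing variable a different name (a constructed value such as `name: EXISTING_VAR` would do), change the pattern entry to `- name: K8S_IMAGE` / `value: busybox:1.11`, and drop the `linkerd` container from the pattern. Separately, the YAML comments `# Two or more Pods` and `# Deployment with two or more Pods` describe container counts, not Pod counts; `# Two or more containers` would match the preconditions they annotate. The second hunk of this file only fixes the `appa` label typo and needs nothing further.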