diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml
index e090891ee9..000cac3509 100644
--- a/.github/workflows/conformance.yaml
+++ b/.github/workflows/conformance.yaml
@@ -196,6 +196,7 @@ jobs: # - verify-manifests # - verifyImages - webhooks + - background-only needs: prepare-images name: chainsaw - ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} steps:
diff --git a/test/conformance/chainsaw/_config/common.yaml b/test/conformance/chainsaw/_config/common.yaml
index 2dcab9a9ae..25ebcb202b 100755
--- a/test/conformance/chainsaw/_config/common.yaml
+++ b/test/conformance/chainsaw/_config/common.yaml
@@ -3,6 +3,9 @@ kind: Configuration metadata: name: congiguration spec: + timeouts: + assert: 90s + error: 90s parallel: 1 fullName: true failFast: true
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/01-policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/02-resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/02-resource.yaml
new file mode 100644
index 0000000000..8a89845d54
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/02-resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
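Review bot: The `timeouts` block added to `_config/common.yaml` raises the assert and error timeouts to 90s for every chainsaw suite that loads this shared configuration, not only the new `background-only` tests. A failing check elsewhere will presumably now take up to 90s to report, and with `failFast: true` and `parallel: 1` in the same file that lengthens every red run. If chainsaw accepts a timeout override at test or step level, setting it on the `03-event.yaml` and `03-report.yaml` steps would keep the longer wait local to the checks that depend on the background scan; otherwise a comment such as `# 90s: background scan events can lag behind pod creation` would record why the value was chosen.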
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/03-event.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/03-event.yaml
new file mode 100644
index 0000000000..6c087165bc
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/03-event.yaml
@@ -0,0 +1,12 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: event
+spec:
+ try:
+ - assert:
+ file: background-event.yaml
+ - error:
+ file: admission-event.yaml
+ catch:
+ - events: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/README.md b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/README.md
new file mode 100644
index 0000000000..cbc68bc783
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission ezvent is created.
+One background event is created.
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/admission-event.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/admission-event.yaml
new file mode 100644
index 0000000000..a2e37ce4a1
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/admission-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-admission
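Review bot: The negative check in `cluster-policy/no-admission-event/admission-event.yaml` matches only events whose `reportingComponent` is exactly `kyverno-admission`, so it would keep passing if the admission controller ever reported under a different component name. Unlike the positive assertion on `kyverno-scan`, nothing in the test fails when this literal goes stale. A comment above the field, for example `# must match the admission controller's event source name; a rename makes this check vacuous`, would flag the coupling for whoever changes that name. The same file is added under `policy/no-admission-event/`.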
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/background-event.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/background-event.yaml
new file mode 100644
index 0000000000..8a25b544c0
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/background-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-scan
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy-assert.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy-assert.yaml
new file mode 100644
index 0000000000..4e2954e278
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml
new file mode 100644
index 0000000000..9ba9837c46
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
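Review bot: In `cluster-policy/no-admission-event/policy.yaml` the ClusterPolicy matches every `Pod` in the cluster with `validationFailureAction: Enforce` and an apparently unconditional `deny: {}`, so the only thing keeping it from blocking Pod creation cluster-wide is the `admission: false` flag under test. If that flag regresses, the failure would likely spill into unrelated pods in the CI cluster rather than stay inside this test. Narrowing the match to the fixture (for example a test-only label that `resource.yaml` also carries) keeps the blast radius to the one Pod, and a comment like `# deny: {} has no conditions, so every matched Pod violates the rule` would make the intent of the empty deny explicit. The same applies to the identical ClusterPolicy in `cluster-policy/no-admission-report/policy.yaml` and `cluster-policy/not-rejected/policy.yaml`.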
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/01-policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/02-resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/02-resource.yaml
new file mode 100644
index 0000000000..8a89845d54
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/02-resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/03-report.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/03-report.yaml
new file mode 100644
index 0000000000..6ab8d0f56b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/03-report.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: report
+spec:
+ try:
+ - error:
+ file: admission-report.yaml
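Review bot: `image: nginx:latest` in `cluster-policy/no-admission-event/resource.yaml` is a mutable tag pulled from a public registry on each CI run, so the fixture is neither reproducible nor protected against a changed upstream image. The tests only need a Pod object to exist, so a pinned reference would do, e.g. `image: nginx:<pinned-version>@sha256:<digest>` (placeholders; take the values from the registry you trust). The same line appears in the other five `resource.yaml` fixtures added under `background-only/`.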
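Review bot: The only operation in `cluster-policy/no-admission-report/03-report.yaml` is the `error` on `admission-report.yaml`, with nothing before it that proves the admission path has had time to run. If chainsaw's `error` succeeds as soon as no matching object is found, this step can pass immediately after the Pod is applied, even in a build that would create an AdmissionReport a moment later. The event test avoids this by asserting `background-event.yaml` first; here a preceding `assert` on a positive signal (the Pod itself being present, or the background scan result for it) would give the negative check something to wait on. `policy/no-admission-report/03-report.yaml` has the same shape.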
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/README.md b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/README.md
new file mode 100644
index 0000000000..2ca354e9f6
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission report is created.
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/admission-report.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/admission-report.yaml
new file mode 100644
index 0000000000..a1e4032e41
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/admission-report.yaml
@@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1alpha2
+kind: AdmissionReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: pod
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy-assert.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy-assert.yaml
new file mode 100644
index 0000000000..4e2954e278
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
new file mode 100644
index 0000000000..9ba9837c46
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/01-policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/02-resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/02-resource.yaml
new file mode 100644
index 0000000000..8a89845d54
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/02-resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/README.md b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/README.md
new file mode 100644
index 0000000000..89489ef465
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy-assert.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy-assert.yaml
new file mode 100644
index 0000000000..4e2954e278
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml
new file mode 100644
index 0000000000..9ba9837c46
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/01-policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/02-resource.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/02-resource.yaml
new file mode 100644
index 0000000000..8a89845d54
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/02-resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/03-event.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/03-event.yaml
new file mode 100644
index 0000000000..3c31d1bdec
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/03-event.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: event
+spec:
+ try:
+ - assert:
+ file: background-event.yaml
+ - error:
+ file: admission-event.yaml
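Review bot: `policy/no-admission-event/03-event.yaml` omits the `catch` block that the cluster-policy variant of the same step carries, so a failure here leaves no event dump to show which component reported what. Adding `catch:` with `- events: {}` after the `try` list keeps the two variants identical and makes a failed negative check on `admission-event.yaml` diagnosable.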
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/README.md b/test/conformance/chainsaw/background-only/policy/no-admission-event/README.md
new file mode 100644
index 0000000000..cbc68bc783
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission ezvent is created.
+One background event is created.
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/admission-event.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/admission-event.yaml
new file mode 100644
index 0000000000..a2e37ce4a1
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/admission-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-admission
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/background-event.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/background-event.yaml
new file mode 100644
index 0000000000..8a25b544c0
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/background-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-scan
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/policy-assert.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/policy-assert.yaml
new file mode 100644
index 0000000000..d3196721f2
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml
new file mode 100644
index 0000000000..92bab90832
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/resource.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/01-policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/02-resource.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/02-resource.yaml
new file mode 100644
index 0000000000..8a89845d54
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/02-resource.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/03-report.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/03-report.yaml
new file mode 100644
index 0000000000..6ab8d0f56b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/03-report.yaml
@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: report
+spec:
+ try:
+ - error:
+ file: admission-report.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/README.md b/test/conformance/chainsaw/background-only/policy/no-admission-report/README.md
new file mode 100644
index 0000000000..2ca354e9f6
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/README.md
@@ -0,0 +1,9 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission report is created.
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/admission-report.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/admission-report.yaml
new file mode 100644
index 0000000000..a1e4032e41
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/admission-report.yaml
@@ -0,0 +1,7 @@
+apiVersion: kyverno.io/v1alpha2
+kind: AdmissionReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: pod
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/policy-assert.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/policy-assert.yaml
new file mode 100644
index 0000000000..d3196721f2
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml
new file mode 100644
index 0000000000..92bab90832
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/resource.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/01-policy.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected/01-policy.yaml
new file mode 100644
index 0000000000..744135ecd0
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected/01-policy.yaml
@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ name: policy
+spec:
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/02-resource.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected/02-resource.yaml
new file mode 100644
index 0000000000..23a6d5c84e
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected/02-resource.yaml
@@ -0,0 +1,9 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+ creationTimestamp: null
+ name: resource
+spec:
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/README.md b/test/conformance/chainsaw/background-only/policy/not-rejected/README.md
new file mode 100644
index 0000000000..89489ef465
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/policy-assert.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected/policy-assert.yaml
new file mode 100644
index 0000000000..d3196721f2
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
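Review bot: `creationTimestamp: null` under `metadata` in `policy/not-rejected/02-resource.yaml` looks like residue from a serialized object; none of the five sibling `02-resource.yaml` steps in this change carry it. Dropping that line keeps the step files identical across the six test directories, which makes later bulk edits and diffs between the `policy` and `cluster-policy` variants easier to trust.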
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml
new file mode 100644
index 0000000000..92bab90832
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/resource.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected/resource.yaml
new file mode 100644
index 0000000000..3e067cb88b
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80