mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

add unit tests

shivkumar dudhani 2019-10-10 17:34:20 -07:00
parent f6367cfe4a
commit fd72ee3178
2 changed files with 174 additions and 1 deletions


@ -50,7 +50,7 @@ func (nh NegationHandler) Handle(resourceMap map[string]interface{}, originPatte
// if anchor is present in the resource then fail
if _, ok := resourceMap[anchorKey]; ok {
// no need to process elements in value as key cannot be present in resource
return currentPath, fmt.Errorf("validation rule failed at %s, field %s is disallowed", currentPath, anchorKey)
return currentPath, fmt.Errorf("Validation rule failed at %s, field %s is disallowed", currentPath, anchorKey)
}
// key is not defined in the resource
return "", nil
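Review bot: The two `fmt.Errorf` lines in NegationHandler.Handle differ only in the case of the first letter, and this rendering has lost the +/- markers. If the capitalised `"Validation rule failed at %s, ..."` is the new side, it goes against the Go convention that error strings start lowercase (staticcheck ST1005), since they are usually wrapped into longer messages. If the capital is needed because this text is shown to the user as a sentence, I would say so in a comment above the return, for example `// user-facing message, capitalised on purpose`. Handle's body starts outside this hunk, so callers that match on the message text are not visible here.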


@ -2767,3 +2767,176 @@ func TestValidate_existenceAnchor_pass(t *testing.T) {
}
assert.Assert(t, er.IsSuccesful())
}
func TestValidate_negationAnchor_deny(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1alpha1",
"kind": "ClusterPolicy",
"metadata": {
"name": "validate-host-path"
},
"spec": {
"rules": [
{
"name": "validate-host-path",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "Host path is not allowed",
"pattern": {
"spec": {
"volumes": [
{
"name": "*",
"X(hostPath)": null
}
]
}
}
}
}
]
}
}
`)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "image-with-hostpath",
"labels": {
"app.type": "prod",
"namespace": "my-namespace"
}
},
"spec": {
"containers": [
{
"name": "image-with-hostpath",
"image": "docker.io/nautiker/curl",
"volumeMounts": [
{
"name": "var-lib-etcd",
"mountPath": "/var/lib"
}
]
}
],
"volumes": [
{
"name": "var-lib-etcd",
"hostPath": {
"path": "/var/lib1"
}
}
]
}
} `)
var policy kyverno.ClusterPolicy
json.Unmarshal(rawPolicy, &policy)
resourceUnstructured, err := ConvertToUnstructured(rawResource)
assert.NilError(t, err)
er := Validate(policy, *resourceUnstructured)
msgs := []string{"Validation rule 'validate-host-path' failed at '/spec/volumes/0/hostPath/' for resource Pod//image-with-hostpath. Host path is not allowed"}
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, !er.IsSuccesful())
}
func TestValidate_negationAnchor_pass(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1alpha1",
"kind": "ClusterPolicy",
"metadata": {
"name": "validate-host-path"
},
"spec": {
"rules": [
{
"name": "validate-host-path",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "Host path is not allowed",
"pattern": {
"spec": {
"volumes": [
{
"name": "*",
"X(hostPath)": null
}
]
}
}
}
}
]
}
}
`)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "image-with-hostpath",
"labels": {
"app.type": "prod",
"namespace": "my-namespace"
}
},
"spec": {
"containers": [
{
"name": "image-with-hostpath",
"image": "docker.io/nautiker/curl",
"volumeMounts": [
{
"name": "var-lib-etcd",
"mountPath": "/var/lib"
}
]
}
],
"volumes": [
{
"name": "var-lib-etcd",
"emptyDir": {}
}
]
}
}
`)
var policy kyverno.ClusterPolicy
json.Unmarshal(rawPolicy, &policy)
resourceUnstructured, err := ConvertToUnstructured(rawResource)
assert.NilError(t, err)
er := Validate(policy, *resourceUnstructured)
msgs := []string{"Validation rule 'validate-host-path' succesfully validated"}
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, er.IsSuccesful())
}
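Review bot: The result of `json.Unmarshal(rawPolicy, &policy)` is discarded in both TestValidate_negationAnchor_deny and TestValidate_negationAnchor_pass, and the loop over `er.PolicyResponse.Rules` never checks how many rules came back. If the policy literal failed to decode, or no rule matched the Pod, the loop body would not run at all; the pass test would then presumably still succeed without the `X(hostPath)` pattern ever being evaluated (this depends on how `IsSuccesful` treats an empty response, which is not shown here). I would write `assert.NilError(t, json.Unmarshal(rawPolicy, &policy))` and add `assert.Equal(t, len(er.PolicyResponse.Rules), len(msgs))` before the loop. The length check also guards the `msgs[index]` lookup against an out-of-range panic when more rules are returned than expected.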