From fee67e8bc8cb87a1fe5eb9086b74eaca5c172b46 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Mon, 20 Nov 2023 19:26:37 +0200 Subject: [PATCH] chore: run generate VAP test suite using chainsaw (#8958) Signed-off-by: Mariam Fahmy --- .github/workflows/conformance.yaml | 140 ++++++++++++++++++ .../cpol-all-match-resource/01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 10 ++ .../cpol-all-match-resource/policy.yaml | 26 ++++ .../validatingadmissionpolicy.yaml | 32 ++++ .../validatingadmissionpolicybinding.yaml | 13 ++ .../01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 10 ++ .../policy.yaml | 40 +++++ .../validatingadmissionpolicy.yaml | 31 ++++ .../validatingadmissionpolicybinding.yaml | 13 ++ .../cpol-any-match-resource/01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 10 ++ .../cpol-any-match-resource/policy.yaml | 31 ++++ .../validatingadmissionpolicy.yaml | 37 +++++ .../validatingadmissionpolicybinding.yaml | 13 ++ .../01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 12 ++ .../policy.yaml | 39 +++++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 12 ++ .../policy.yaml | 33 +++++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../skip-generate/cpol-exclude/01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../cpol-exclude/policy-assert.yaml | 12 ++ .../skip-generate/cpol-exclude/policy.yaml | 26 ++++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 12 ++ .../policy.yaml | 27 ++++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 12 ++ .../policy.yaml | 23 +++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 12 ++ .../policy.yaml | 23 +++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 12 ++ .../policy.yaml | 32 ++++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../cpol-multiple-rules/01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../cpol-multiple-rules/policy-assert.yaml | 12 ++ .../cpol-multiple-rules/policy.yaml | 28 ++++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 12 ++ .../policy.yaml | 26 ++++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../cpol-non-cel-rule/01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../cpol-non-cel-rule/policy-assert.yaml | 12 ++ .../cpol-non-cel-rule/policy.yaml | 19 +++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../01-policy.yaml | 10 ++ .../02-validatingadmissionpolicy.yaml | 10 ++ .../policy-assert.yaml | 12 ++ .../policy.yaml | 23 +++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + 85 files changed, 1271 insertions(+) create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicybinding.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/01-policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/02-validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicybinding.yaml diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index c7b0052ae3..53affccb8e 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -247,6 +247,146 @@ jobs: - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs + + chainsaw-validatingadmissionpolicies-v1alpha1: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: validating-admission-policies + values: + - standard + - generate-validating-admission-policy + k8s-version: + - name: v1.27 + version: v1.27.3 + tests: + - generate-validating-admission-policy + needs: prepare-images + name: chainsaw - ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: run-conformance + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + - name: Create kind cluster + shell: bash + run: | + set -e + export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }} + export KIND_CONFIG=vap-v1alpha1 + make kind-create-cluster + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + make kind-load-image-archive + - name: Install kyverno + shell: bash + run: | + set -e + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + - name: Install Chainsaw + uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main + with: + release: v0.0.6-alpha.1 + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + chainsaw test --config ./test/conformance/chainsaw/_config/common.yaml --test-dir ./test/conformance/chainsaw/${{ matrix.tests }} --no-color=false + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + chainsaw-validatingadmissionpolicies-v1beta1: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: validating-admission-policies + values: + - standard + - generate-validating-admission-policy + k8s-version: + - name: v1.28 + version: v1.28.0 + tests: + - generate-validating-admission-policy + needs: prepare-images + name: chainsaw - ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: run-conformance + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + - name: Create kind cluster + shell: bash + run: | + set -e + export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }} + export KIND_CONFIG=vap-v1beta1 + make kind-create-cluster + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + make kind-load-image-archive + - name: Install kyverno + shell: bash + run: | + set -e + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + - name: Install Chainsaw + uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main + with: + release: v0.0.6-alpha.1 + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + chainsaw test --config ./test/conformance/chainsaw/_config/common.yaml --test-dir ./test/conformance/chainsaw/${{ matrix.tests }} --no-color=false + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs # runs conformance test suites with configuration: ttl: diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..05abab3d96 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy-assert.yaml new file mode 100644 index 0000000000..fccfb6ff13 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t9 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml new file mode 100644 index 0000000000..65f78e9b8c --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t9 +spec: + validationFailureAction: Audit + background: false + rules: + - name: host-path + match: + all: + - resources: + kinds: + - Deployment + - StatefulSet + operations: + - CREATE + - UPDATE + selector: + matchLabels: + app: critical + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d0c85132b2 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicy.yaml @@ -0,0 +1,32 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t9 + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t9 +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - deployments + - statefulsets + objectSelector: + matchLabels: + app: critical + validations: + - expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, + !has(volume.hostPath))' + message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath + must be unset. diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..592fc8bc91 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/validatingadmissionpolicybinding.yaml @@ -0,0 +1,13 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t9-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t9 +spec: + policyName: disallow-host-path-t9 + validationActions: [Audit, Warn] diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..05abab3d96 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy-assert.yaml new file mode 100644 index 0000000000..9c88b7a2cf --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t8 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml new file mode 100644 index 0000000000..e8115feafa --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml @@ -0,0 +1,40 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t8 +spec: + validationFailureAction: Audit + background: false + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + - resources: + kinds: + - StatefulSet + operations: + - CREATE + - UPDATE + - resources: + kinds: + - ReplicaSet + operations: + - CREATE + - UPDATE + - resources: + kinds: + - DaemonSet + operations: + - CREATE + - UPDATE + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..67a158f569 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicy.yaml @@ -0,0 +1,31 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t8 + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t8 +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - deployments + - statefulsets + - replicasets + - daemonsets + validations: + - expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, + !has(volume.hostPath))' + message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath + must be unset. diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..225c7f87b3 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/validatingadmissionpolicybinding.yaml @@ -0,0 +1,13 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t8-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t8 +spec: + policyName: disallow-host-path-t8 + validationActions: [Audit, Warn] diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..05abab3d96 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy-assert.yaml new file mode 100644 index 0000000000..77b0a34dbd --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t7 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml new file mode 100644 index 0000000000..2c3dc0e456 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t7 +spec: + validationFailureAction: Audit + background: false + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Deployment + - StatefulSet + - ReplicaSet + - DaemonSet + operations: + - CREATE + - UPDATE + namespaceSelector: + matchExpressions: + - key: type + operator: In + values: + - connector + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..98035a08a7 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicy.yaml @@ -0,0 +1,37 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t7 + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t7 +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - deployments + - statefulsets + - replicasets + - daemonsets + namespaceSelector: + matchExpressions: + - key: type + operator: In + values: + - connector + validations: + - expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, + !has(volume.hostPath))' + message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath + must be unset. diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..50a1326202 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/validatingadmissionpolicybinding.yaml @@ -0,0 +1,13 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t7-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t7 +spec: + policyName: disallow-host-path-t7 + validationActions: [Audit, Warn] diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy-assert.yaml new file mode 100644 index 0000000000..c9d17aa00e --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t1 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml new file mode 100644 index 0000000000..3a0b12028e --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml @@ -0,0 +1,39 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t1 +spec: + validationFailureAction: Audit + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + namespaceSelector: + matchExpressions: + - key: type + operator: In + values: + - connector + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + namespaceSelector: + matchExpressions: + - key: type + operator: In + values: + - compute + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..b305b151de --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t1 +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..aec947ec60 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t1-binding +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy-assert.yaml new file mode 100644 index 0000000000..98b1754f99 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t2 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml new file mode 100644 index 0000000000..ba70f77d78 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml @@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t2 +spec: + validationFailureAction: Audit + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + selector: + matchLabels: + app: critical + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + selector: + matchLabels: + app: normal + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..7ef8a90803 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t2 +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..b09455254d --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t2-binding +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy-assert.yaml new file mode 100644 index 0000000000..1ab5a9ae42 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t10 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy.yaml new file mode 100644 index 0000000000..4fc7d33ef6 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t10 +spec: + validationFailureAction: Audit + background: false + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + exclude: + any: + - clusterRoles: + - cluster-admin + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..750e1ef29b --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t10 +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..104941162f --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t10 +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy-assert.yaml new file mode 100644 index 0000000000..d3f9a92d87 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t3 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml new file mode 100644 index 0000000000..c1fa1a95b6 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml @@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t3 +spec: + validationFailureAction: Audit + background: false + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + subjects: + - kind: User + name: mary@somecorp.com + clusterRoles: + - cluster-admin + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..65174785e1 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t3 +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..a54e87cfc2 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t3-binding +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/policy-assert.yaml new file mode 100644 index 0000000000..2ec6beea96 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t4 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/policy.yaml new file mode 100644 index 0000000000..adad14cc25 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/policy.yaml @@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t4 +spec: + validationFailureAction: Audit + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + namespaces: + - prod + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..4ac31e925c --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t4 +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..26629c6e7a --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-in-specific-namespace/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t4-binding +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy-assert.yaml new file mode 100644 index 0000000000..c3d69e0267 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t5 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml new file mode 100644 index 0000000000..d5dd4e4b1a --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml @@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t5 +spec: + validationFailureAction: Audit + rules: + - name: host-path + match: + any: + - resources: + annotations: + imageregistry: "https://hub.docker.com/" + kinds: + - Deployment + operations: + - CREATE + - UPDATE + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..1547d82798 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t5 +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..67f132036f --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t5-binding +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy-assert.yaml new file mode 100644 index 0000000000..7c73691cf1 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t6 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml new file mode 100644 index 0000000000..9da54abdf3 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml @@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t6 +spec: + validationFailureAction: Audit + rules: + - name: host-path + match: + all: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + selector: + matchLabels: + app: critical + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + names: + - app + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..75df84c9be --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t6 +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..f5e36de56b --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t6-binding +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy-assert.yaml new file mode 100644 index 0000000000..df4ca39630 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy.yaml new file mode 100644 index 0000000000..f0bcea5790 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/policy.yaml @@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + rules: + - name: require-image-tag + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + expressions: + - expression: "object.spec.containers.all(container, !container.image.matches('^[a-zA-Z]+:[0-9]*$'))" + message: "An image tag is required." + - name: validate-image-tag + match: + any: + - resources: + kinds: + - Pod + validate: + cel: + expressions: + - expression: "object.spec.containers.all(container, !container.image.contains('latest'))" + message: "Using a mutable image tag e.g. 'latest' is not allowed." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..894373e61b --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-latest-tag +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..7641bcdbbb --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-rules/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-latest-tag-binding +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy-assert.yaml new file mode 100644 index 0000000000..23b9b4f439 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-label-app +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml new file mode 100644 index 0000000000..419a8045a3 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-label-app +spec: + validationFailureAction: Audit + validationFailureActionOverrides: + - action: Enforce + namespaces: + - default + - action: Audit + namespaces: + - test + rules: + - name: check-label-app + match: + any: + - resources: + kinds: + - Pod + validate: + message: "The label `app` is required." + pattern: + metadata: + labels: + app: "?*" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..13c33a9c0a --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: check-label-app +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..f0ece6cfc2 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: check-label-app-binding +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy-assert.yaml new file mode 100644 index 0000000000..44abe1bb6c --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-ns-purpose-label +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml new file mode 100644 index 0000000000..7429ec4cf1 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-ns-purpose-label +spec: + validationFailureAction: Enforce + rules: + - name: require-ns-purpose-label + match: + any: + - resources: + kinds: + - Namespace + validate: + message: "You must have label `purpose` with value `production` set on all new namespaces." + pattern: + metadata: + labels: + purpose: production diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..8ab0dfbd56 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: require-ns-purpose-label +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..4337c29c98 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: require-ns-purpose-label-binding +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/01-policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/01-policy.yaml new file mode 100644 index 0000000000..744135ecd0 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/01-policy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: policy +spec: + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/02-validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/02-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..5e445918af --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/02-validatingadmissionpolicy.yaml @@ -0,0 +1,10 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: TestStep +metadata: + name: validatingadmissionpolicy +spec: + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy-assert.yaml new file mode 100644 index 0000000000..648f5587c5 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-label-app1 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml new file mode 100644 index 0000000000..ad47622478 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml @@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-label-app1 +spec: + validationFailureAction: Audit + validationFailureActionOverrides: + - action: Enforce + namespaces: + - default + rules: + - name: check-label-app + match: + any: + - resources: + kinds: + - Pod + validate: + message: "The label `app` is required." + pattern: + metadata: + labels: + app: "?*" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..46b0d1dcff --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicy.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: check-label-app1 +spec: {} diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicybinding.yaml new file mode 100644 index 0000000000..11cc784ea3 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/validatingadmissionpolicybinding.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: check-label-app1-binding +spec: {}