From ff60dc05fd0294864b96b127c900528675124248 Mon Sep 17 00:00:00 2001 
From: shivkumar dudhani Date: Fri, 6 Sep 2019 10:03:24 -0700 Subject: [PATCH] add policies --- ...utate_pod_disable_automountingapicred.yaml | 16 ++++++++ ...lidate_image_latest_ifnotpresent_deny.yaml | 18 +++++++++ ...idate_image_pullpolicy_notalways_deny.yaml | 17 +++++++++ .../policy_validate_image_tag.yaml | 29 ++++++++++++++ ...policy_validate_image_tag_latest_deny.yaml | 17 +++++++++ ..._validate_image_tag_notspecified_deny.yaml | 17 +++++++++ .../policy_validate_pod_probes.yaml | 25 ++++++++++++ .../policy_validate_pod_resources.yaml | 26 +++++++++++++ .../resource_default_namespace.yaml | 10 +++++ ...utate_pod_disable_automountingapicred.yaml | 12 ++++++ ...lidate_image_latest_ifnotpresent_deny.yaml | 11 ++++++ ...lidate_image_latest_ifnotpresent_pass.yaml | 11 ++++++ ...idate_image_pullpolicy_notalways_deny.yaml | 11 ++++++ ...idate_image_pullpolicy_notalways_pass.yaml | 11 ++++++ ...source_validate_image_tag_latest_deny.yaml | 10 +++++ ...source_validate_image_tag_latest_pass.yaml | 10 +++++ ..._validate_image_tag_notspecified_deny.yaml | 10 +++++ ..._validate_image_tag_notspecified_pass.yaml | 10 +++++ .../resource_validate_pod_resources.yaml | 10 +++++ .../validate_default_namespace.yaml | 18 +++++++++ pkg/testrunner/testrunner_test.go | 38 +++++++++++++++++++ ...mutate_pod_disable_automoutingapicred.yaml | 16 ++++++++ ...utate_pod_disable_automountingapicred.yaml | 19 ++++++++++ ...lidate_image_latest_ifnotpresent_deny.yaml | 18 +++++++++ ...lidate_image_latest_ifnotpresent_pass.yaml | 18 +++++++++ ...idate_image_pullpolicy_notalways_deny.yaml | 18 +++++++++ ...idate_image_pullpolicy_notalways_pass.yaml | 18 +++++++++ ...enario_validate_image_tag_latest_deny.yaml | 18 +++++++++ ...enario_validate_image_tag_latest_pass.yaml | 18 +++++++++ ..._validate_image_tag_notspecified_deny.yaml | 18 +++++++++ ..._validate_image_tag_notspecified_pass.yaml | 18 +++++++++ 31 files changed, 516 insertions(+) create mode 100644 
examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
create mode 100644 examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
create mode 100644 examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
create mode 100644 examples/best_practices/policy_validate_image_tag.yaml
create mode 100644 examples/best_practices/policy_validate_image_tag_latest_deny.yaml
create mode 100644 examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
create mode 100644 examples/best_practices/policy_validate_pod_probes.yaml
create mode 100644 examples/best_practices/policy_validate_pod_resources.yaml
create mode 100644 examples/best_practices/resource_default_namespace.yaml
create mode 100644 examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
create mode 100644 examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
create mode 100644 examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
create mode 100644 examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
create mode 100644 examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
create mode 100644 examples/best_practices/resource_validate_image_tag_latest_deny.yaml
create mode 100644 examples/best_practices/resource_validate_image_tag_latest_pass.yaml
create mode 100644 examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
create mode 100644 examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
create mode 100644 examples/best_practices/resource_validate_pod_resources.yaml
create mode 100644 examples/best_practices/validate_default_namespace.yaml
create mode 100644 test/output/output_mutate_pod_disable_automoutingapicred.yaml
create mode 100644 test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
create mode 100644 
test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
create mode 100644 test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
create mode 100644 test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
create mode 100644 test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
create mode 100644 test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
create mode 100644 test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
create mode 100644 test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
create mode 100644 test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
diff --git a/examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml b/examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
new file mode 100644
index 0000000000..6a3732547f
--- /dev/null
+++ b/examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
@@ -0,0 +1,16 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: mutate-pod-disable-automoutingapicred
+spec:
+ rules:
+ - name: pod-disable-automoutingapicred
+ match:
+ resources:
+ kinds:
+ - Pod
+ mutate:
+ overlay:
+ spec:
+ (serviceAccountName): "*"
+ automountServiceAccountToken: false
\ No newline at end of file
diff --git a/examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml b/examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
new file mode 100644
index 0000000000..84a4dddce8
--- /dev/null
+++ b/examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
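Review bot: The anchor `(serviceAccountName): "*"` in the overlay makes the mutation conditional on the Pod naming a service account explicitly, so the most common case — a Pod with no `serviceAccountName`, which the API server binds to `default` and which still gets a token mounted — is left untouched, and that is exactly the exposure the policy name says it closes. Dropping the anchor and using an add-if-absent field, `+(automountServiceAccountToken): false`, would apply to every matched Pod while leaving an explicit `true` alone, assuming this engine version supports the `+()` overlay anchor; as written the overlay appears to overwrite an explicit `true` as well, which would silently break workloads that need API access. A header comment stating the intent would help, e.g. `# Disable the default service-account token mount unless the workload opts in explicitly`. The policy and rule names spell "automouting" while the file names spell "automounting"; pick one.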
@@ -0,0 +1,18 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-image
+spec:
+ rules:
+ - name: validate-tag
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "imagePullPolicy 'IfNotPresent' forbidden with image tag 'latest'"
+ pattern:
+ spec:
+ containers:
+ - (image): "*:latest"
+ imagePullPolicy: "!IfNotPresent"
\ No newline at end of file
diff --git a/examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml b/examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
new file mode 100644
index 0000000000..afe14d572f
--- /dev/null
+++ b/examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
@@ -0,0 +1,17 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-image-pullpolicy-notalways
+spec:
+ rules:
+ - name: image-pullpolicy-notalways
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "image pull policy 'Always' forbidden"
+ pattern:
+ spec:
+ containers:
+ - imagePullPolicy: "!Always"
diff --git a/examples/best_practices/policy_validate_image_tag.yaml b/examples/best_practices/policy_validate_image_tag.yaml
new file mode 100644
index 0000000000..5cb43f4040
--- /dev/null
+++ b/examples/best_practices/policy_validate_image_tag.yaml
@@ -0,0 +1,29 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-image
+spec:
+ rules:
+ - name: validate-tag
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "An image tag is required"
+ pattern:
+ spec:
+ containers:
+ - image: "*:*"
+ - name: validate-latest
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "imagePullPolicy 'Always' required with tag 'latest'"
+ pattern:
+ spec:
+ containers:
+ - (image): "*latest"
+ imagePullPolicy: Always
\ No newline at end of file
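Review bot: `metadata.name: validate-image` is also the name used by examples/best_practices/policy_validate_image_tag.yaml in this same commit, and ClusterPolicy is cluster-scoped, so the two examples cannot be applied together — the second apply replaces the first; rename this one, e.g. `name: validate-image-latest-ifnotpresent`, and the rule name to match. The pattern `(image): "*:latest"` also does not fire for an untagged reference such as `nginx`, which the kubelet resolves to `latest`, so that case slips through unless the tag-required policy is installed alongside; the same pattern is needed under `initContainers`, which the rule does not look at. A one-line comment recording both limitations would keep users from treating this file as complete on its own.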
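Review bot: Forbidding `imagePullPolicy: Always` is a cost/availability preference rather than a hardening measure, and neither the file nor the message says so: `Always` is what prevents a node from running a stale or locally tampered cached image, and it is the behaviour the AlwaysPullImages admission controller enforces to stop cross-namespace reuse of private images. It also contradicts the `validate-latest` rule in policy_validate_image_tag.yaml of this commit, which requires `Always` for `latest` tags, so a Pod using `latest` cannot satisfy both example policies. Add a comment stating the intent so readers do not adopt it as a security control, e.g. `# Optional: reject Always to avoid a registry pull on every restart; do not combine with validate-latest`.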
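Review bot: The `validate-tag` pattern `image: "*:*"` treats any colon as a tag separator, so an untagged reference through a registry with a port, `registry.internal:5000/app`, satisfies it and the tag requirement is silently bypassed; since the pattern syntax cannot express this precisely, record it above the pattern, e.g. `# NOTE: a registry port also matches "*:*"; untagged images on host:port registries are not caught`. The `validate-latest` anchor `(image): "*latest"` is looser than the `"*:latest"` used in policy_validate_image_latest_ifnotpresent_deny.yaml in this commit and matches any image whose name merely ends in `latest`; use `(image): "*:latest"` for consistency. The `validate-image` name collides with that same sibling policy, so only one of the two can exist in a cluster.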
diff --git a/examples/best_practices/policy_validate_image_tag_latest_deny.yaml b/examples/best_practices/policy_validate_image_tag_latest_deny.yaml
new file mode 100644
index 0000000000..9dc3aa3d0c
--- /dev/null
+++ b/examples/best_practices/policy_validate_image_tag_latest_deny.yaml
@@ -0,0 +1,17 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-image-tag-notlatest
+spec:
+ rules:
+ - name: image-tag-notlatest
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "image tag 'latest' forbidden"
+ pattern:
+ spec:
+ containers:
+ - image: "!*:latest"
\ No newline at end of file
diff --git a/examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml b/examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
new file mode 100644
index 0000000000..870f92e79a
--- /dev/null
+++ b/examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
@@ -0,0 +1,17 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-image-tag-notspecified
+spec:
+ rules:
+ - name: image-tag-notspecified
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "image tag not specified"
+ pattern:
+ spec:
+ containers:
+ - image: "*:*"
diff --git a/examples/best_practices/policy_validate_pod_probes.yaml b/examples/best_practices/policy_validate_pod_probes.yaml
new file mode 100644
index 0000000000..b720695b3a
--- /dev/null
+++ b/examples/best_practices/policy_validate_pod_probes.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-probes
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: check-probes
+ match:
+ resources:
+ kinds:
+ - Pod
+ # exclude:
+ # namespaces:
+ # - kube-system
+ validate:
+ message: "Liveness and readiness probes are required"
+ pattern:
+ spec:
+ containers:
+ livenessProbe:
+ periodSeconds: ">0"
+ readinessProbe:
+ periodSeconds: ">0"
+
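Review bot: `image: "!*:latest"` rejects only an explicit `:latest` tag; an untagged reference like `nginx` passes this rule yet is pulled as `nginx:latest`, so on its own the policy does not prevent running the mutable tag it names. Either add a comment that policy_validate_image_tag_notspecified_deny.yaml must be deployed alongside it, or fold the tag-required check into this rule; a fixture with an untagged image would make the gap visible in the scenario tests, which currently only cover `nginx:latest` and `nginx:1.12`. `initContainers` are not covered by the pattern either.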
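Review bot: `image: "*:*"` also matches an untagged image on a registry with a port, e.g. `localhost:5000/nginx`, so "tag not specified" is not enforced for private registries addressed that way; record that limitation above the pattern, e.g. `# a registry port also contains ':'; untagged images on host:port registries are not caught`. The rule does not look at `initContainers` either, so an untagged init image passes.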
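Review bot: The pattern places `livenessProbe`/`readinessProbe` directly under `containers:` as a map, while `spec.containers` is a list and every other pattern in this commit uses the list form (`- name: "*"`); unless the engine tolerates a map pattern against a list, this rule never matches the probes and the policy passes silently in audit mode. Use the list form, `containers:` followed by a `- livenessProbe:` item with `readinessProbe:` as its sibling key. Requiring `periodSeconds: ">0"` also fails a Pod whose probes are present but rely on the kubelet default period because the field is absent; if the intent is only "probes exist", either match on a handler the user must set (`httpGet`/`exec`/`tcpSocket`, via `anyPattern`) or state in a comment that an explicit period is mandated on purpose.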
diff --git a/examples/best_practices/policy_validate_pod_resources.yaml b/examples/best_practices/policy_validate_pod_resources.yaml
new file mode 100644
index 0000000000..6a11351305
--- /dev/null
+++ b/examples/best_practices/policy_validate_pod_resources.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: check-resources
+spec:
+ # validationFailureAction: "audit"
+ rules:
+ - name: check-pod-resources
+ message: "CPU and memory resource requests and limits are required"
+ match:
+ resources:
+ kinds:
+ - Pod
+ name: myapp-pod
+ validate:
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ resources:
+ requests:
+ memory: "?*"
+ cpu: "?*"
+ limits:
+ memory: "?*"
+ cpu: "?*"
diff --git a/examples/best_practices/resource_default_namespace.yaml b/examples/best_practices/resource_default_namespace.yaml
new file mode 100644
index 0000000000..c83c830f72
--- /dev/null
+++ b/examples/best_practices/resource_default_namespace.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx
\ No newline at end of file
diff --git a/examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml b/examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
new file mode 100644
index 0000000000..50e2d156fc
--- /dev/null
+++ b/examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ serviceAccountName: default
+ containers:
+ - name: nginx
+ image: nginx
+ imagePullPolicy: IfNotPresent
\ No newline at end of file
diff --git a/examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml b/examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
new file mode 100644
index 0000000000..14d51172cb
--- /dev/null
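Review bot: `match.resources.name: myapp-pod` restricts this "best practice" policy to a single Pod name, so applied to a cluster it enforces nothing for real workloads; drop that line (the fixture resource_validate_pod_resources.yaml still matches by kind). The `message` sits at the rule level rather than under `validate:` as in every other policy in this commit, so it is presumably ignored by the engine and the failure is reported without an explanation; move it under `validate:`. `validationFailureAction` is left commented out, which means the engine default applies — say which action that is in the comment so the example is self-describing.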
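Review bot: This fixture sets `serviceAccountName: default` explicitly, so it exercises only the branch where the mutate policy's `(serviceAccountName)` anchor fires; a Pod that omits the field — the usual case, and the one that still gets a token mounted — is not covered by any scenario in this commit. Add a second fixture without `serviceAccountName` and an expected output for it so the policy's behaviour on that path is pinned by the test run.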
+++ b/examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+ imagePullPolicy: IfNotPresent
\ No newline at end of file
diff --git a/examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml b/examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
new file mode 100644
index 0000000000..23fcb3810b
--- /dev/null
+++ b/examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.12
+ imagePullPolicy: IfNotPresent
\ No newline at end of file
diff --git a/examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml b/examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
new file mode 100644
index 0000000000..1a67c0de8e
--- /dev/null
+++ b/examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ imagePullPolicy: Always
\ No newline at end of file
diff --git a/examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml b/examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
new file mode 100644
index 0000000000..2abe7eecd8
--- /dev/null
+++ b/examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ imagePullPolicy: IfNotPresent
\ No newline at end of file
diff --git a/examples/best_practices/resource_validate_image_tag_latest_deny.yaml b/examples/best_practices/resource_validate_image_tag_latest_deny.yaml
new file mode 100644
index 0000000000..904f3719e0
--- /dev/null
+++ b/examples/best_practices/resource_validate_image_tag_latest_deny.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
\ No newline at end of file
diff --git a/examples/best_practices/resource_validate_image_tag_latest_pass.yaml b/examples/best_practices/resource_validate_image_tag_latest_pass.yaml
new file mode 100644
index 0000000000..5e83577bb7
--- /dev/null
+++ b/examples/best_practices/resource_validate_image_tag_latest_pass.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.12
\ No newline at end of file
diff --git a/examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml b/examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
new file mode 100644
index 0000000000..c83c830f72
--- /dev/null
+++ b/examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx
\ No newline at end of file
diff --git a/examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml b/examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
new file mode 100644
index 0000000000..904f3719e0
--- /dev/null
+++ b/examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
\ No newline at end of file
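Review bot: The "pass" fixture for the tag-required policy uses `image: nginx:latest`, which a sibling policy in this commit (policy_validate_image_tag_latest_deny.yaml) forbids, so the best-practices directory now ships a passing example that violates its own guidance; the blob is in fact identical to resource_validate_image_tag_latest_deny.yaml (same index hash). Use an immutable tag as the other pass fixtures do, `image: nginx:1.12`, since the rule only needs a colon-separated tag to be present.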
diff --git a/examples/best_practices/resource_validate_pod_resources.yaml b/examples/best_practices/resource_validate_pod_resources.yaml
new file mode 100644
index 0000000000..c83c830f72
--- /dev/null
+++ b/examples/best_practices/resource_validate_pod_resources.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx
\ No newline at end of file
diff --git a/examples/best_practices/validate_default_namespace.yaml b/examples/best_practices/validate_default_namespace.yaml
new file mode 100644
index 0000000000..adb1791656
--- /dev/null
+++ b/examples/best_practices/validate_default_namespace.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+ name: validate-namespace
+spec:
+ rules:
+ - name: check-default-namespace
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "A namespace is required"
+ anyPattern:
+ - metadata:
+ namespace: "?*"
+ - metadata:
+ namespace: "!default"
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 25636c78cf..05e4fafa8f 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
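Review bot: The first `anyPattern` alternative, `namespace: "?*"`, is satisfied by the value `default`, so the second alternative `"!default"` can never be the deciding one and the policy does not reject Pods in the default namespace; at admission the API server has already populated `metadata.namespace`, so the first alternative matches every Pod and the rule is effectively a no-op, while the rule name promises a default-namespace check and the message promises a "required" check. Decide which is intended and encode just that one as a `pattern`, e.g. `pattern: metadata: namespace: "!default"` with a message such as `"the default namespace may not be used"`; if the "required" semantics are kept, rename the rule accordingly. The file is also the only policy here without the `policy_` prefix, which makes it easy to miss in the directory.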
@@ -33,3 +33,41 @@ func Test_validate_nonRootUsers(t *testing.T) {
 func Test_generate_networkPolicy(t *testing.T) {
 testScenario(t, "/test/scenarios/test/scenario_generate_networkPolicy.yaml")
 }
+
+// namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver
+func Test_validate_image_latest_ifnotpresent_deny(t *testing.T) {
+ testScenario(t, "/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml")
+
+}
+
+func Test_validate_image_latest_ifnotpresent_pass(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml")
+}
+
+func Test_validate_image_tag_notspecified_deny(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml")
+}
+
+func Test_validate_image_tag_notspecified_pass(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml")
+}
+
+func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml")
+}
+
+func Test_validate_image_pullpolicy_notalways_pass(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml")
+}
+
+func Test_validate_image_tag_latest_deny(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml")
+}
+
+func Test_validate_image_tag_latest_pass(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml")
+}
+
+func Test_mutate_pod_disable_automoutingapicred_pass(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml")
+}
diff --git a/test/output/output_mutate_pod_disable_automoutingapicred.yaml b/test/output/output_mutate_pod_disable_automoutingapicred.yaml
new file mode 100644
index 0000000000..8a34589f14
--- /dev/null
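Review bot: The first new test passes `"/test/scenarios/..."` with a leading slash while the other eight pass `"test/scenarios/..."`, so the suite relies on testScenario normalising both forms; if it joins the path against the project root by string concatenation one of the two forms breaks, and the existing tests in the context lines use the slash form, so make all nine consistent with them. The comment about the blank namespace applies to every scenario, not only `Test_validate_image_latest_ifnotpresent_deny`, and misspells "evaluates"; move it to a file-level note such as `// Scenario resources carry no namespace: the engine sees "" here, whereas the API server would have filled in "default".` That first test also has a stray blank line before its closing brace, and `Test_mutate_pod_disable_automoutingapicred_pass` spells the feature differently from the scenario file it loads.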
+++ b/test/output/output_mutate_pod_disable_automoutingapicred.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp:
+ labels:
+ app: myapp
+ name: myapp-pod
+spec:
+ automountServiceAccountToken: false
+ containers:
+ - image: nginx
+ imagePullPolicy: IfNotPresent
+ name: nginx
+ resources: {}
+ serviceAccountName: default
+status: {}
diff --git a/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
new file mode 100644
index 0000000000..189ca4e6e2
--- /dev/null
+++ b/test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml
@@ -0,0 +1,19 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
+ resource: examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
+expected:
+ mutation:
+ patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
+ policyresponse:
+ policy: mutate-pod-disable-automoutingapicred
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: pod-disable-automoutingapicred
+ type: Mutation
+ message: "succesfully process overlay"
+ success: true
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
new file mode 100644
index 0000000000..95071e9e96
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
+ resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-image
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: validate-tag
+ type: Validation
+ message: "Validation rule 'validate-tag' failed at '/spec/containers/0/imagePullPolicy/' for resource Pod//myapp-pod. imagePullPolicy 'IfNotPresent' forbidden with image tag 'latest'"
+ success: false
diff --git a/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
new file mode 100644
index 0000000000..730e94ef45
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
+ resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-image
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: validate-tag
+ type: Validation
+ message: "Validation rule 'validate-tag' succesfully validated"
+ success: true
diff --git a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
new file mode 100644
index 0000000000..a057acd15e
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
+ resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-image-pullpolicy-notalways
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: image-pullpolicy-notalways
+ type: Validation
+ message: "Validation rule 'image-pullpolicy-notalways' failed at '/spec/containers/0/imagePullPolicy/' for resource Pod//myapp-pod. image pull policy 'Always' forbidden"
+ success: false
diff --git a/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
new file mode 100644
index 0000000000..50f3b84e8f
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
+ resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-image-pullpolicy-notalways
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: image-pullpolicy-notalways
+ type: Validation
+ message: "Validation rule 'image-pullpolicy-notalways' succesfully validated"
+ success: true
diff --git a/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml b/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
new file mode 100644
index 0000000000..009107a320
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
+ resource: examples/best_practices/resource_validate_image_tag_latest_deny.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-image-tag-notlatest
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: image-tag-notlatest
+ type: Validation
+ message: "Validation rule 'image-tag-notlatest' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. image tag 'latest' forbidden"
+ success: false
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml b/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
new file mode 100644
index 0000000000..3b96ed2342
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
+ resource: examples/best_practices/resource_validate_image_tag_latest_pass.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-image-tag-notlatest
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: image-tag-notlatest
+ type: Validation
+ message: "Validation rule 'image-tag-notlatest' succesfully validated"
+ success: true
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml b/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
new file mode 100644
index 0000000000..aaeb3d9626
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
+ resource: examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-image-tag-notspecified
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: image-tag-notspecified
+ type: Validation
+ message: "Validation rule 'image-tag-notspecified' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. image tag not specified"
+ success: false
diff --git a/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml b/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
new file mode 100644
index 0000000000..22b1fe3864
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
+ resource: examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: validate-image-tag-notspecified
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: image-tag-notspecified
+ type: Validation
+ message: "Validation rule 'image-tag-notspecified' succesfully validated"
+ success: true