mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Commit graph

907 commits

Author SHA1 Message Date
刘旭
8b4f222860
fix(gctx): fix gctx projection cache (#12226)
Signed-off-by: liuxu <liuxu623@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2025-02-27 08:23:23 +00:00
Mariam Fahmy
6359fd4a1a
feat: generate VAPs from VPs (#12222)
* feat: generate VAPs from VPs

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix codegen

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-25 20:27:29 +08:00
Mariam Fahmy
bbe2b838af
chore: add resource manifests in autogen tests (#12205)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-19 13:59:07 +00:00
Frank Jogeleit
fef88ab433
Validating policy audit annotations (#12115)
* feat: return single result from validating policy evaluation

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

* feat: support audit annotations for validating policies

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

* fix error message

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

* feat: return single result from validating policy evaluation

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

* feat: support audit annotations for validating policies

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

* fix error message

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

* fix testcase

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

* rebase with main

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

---------

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-02-19 13:10:01 +00:00
Mariam Fahmy
e01e57355a
fix: modify celexception flake test (#12192)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-19 10:51:37 +00:00
Mariam Fahmy
76751b96b3
feat: support celexceptions in the CLI apply command (#12182)
* feat: support celexceptions in the CLI

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* feat: add unit tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-19 08:38:44 +00:00
Khaled Emara
2b28538bd3
feat(gctx): add jmespath caching through projections (#11833)
feat(gctx): move ready check to runtime

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2025-02-18 15:51:14 +00:00
Mariam Fahmy
0625302c3d
fix: modify the client URL for finegrained validatingpolicies (#12171)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2025-02-14 21:35:41 +08:00
Mariam Fahmy
829ab94b11
fix CEL autogen (#12165)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-14 09:45:10 +00:00
shuting
ce2c27c2d2
fix: sort autogen resources list (#12162)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-02-13 12:49:39 +00:00
shuting
7ef2764365
feat: aggregate vpol.status.conditions (#12133)
* feat: add vpol status controller

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* chore: update ready API struct

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: printer column

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: update status cmp func

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* feat: support status.RBACPermissionsGranted

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-02-12 11:04:18 +00:00
shuting
813b80d3d9
fix: update match conditions for autogen rules (#12146)
* fix: update match conditions for autogen rules

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: autogen match condition prefix

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* chore: merge main

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
2025-02-12 08:34:19 +00:00
Mariam Fahmy
7d5750a717
chore: move celexceptions to the new group (#12143)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-11 19:05:22 +02:00
Mariam Fahmy
f012241a82
feat: add cel-autogen chainsaw tests (#12135)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2025-02-10 22:30:12 +00:00
Mariam Fahmy
a4c10f6bb4
feat: compile and evaluate polex's match conditions (#12113)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-06 15:30:59 +02:00
Mariam Fahmy
04efe351a7
chore: remove polex match constraints (#12103)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-05 17:56:58 +00:00
Mariam Fahmy
970c255765
feat: validate CELPolicyExceptions (#12083)
* feat: validate CELPolicyExceptions

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* chore: add cel-policy-exceptions tests in the CI

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-02-05 15:01:11 +00:00
Charles-Edouard Brétéché
8fc6e78c16
feat: add validating policies to reports aggregation (#12096)
* feat: add validating policies to reports aggregation

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* chainsaw test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* unit tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-02-05 13:21:28 +00:00
Charles-Edouard Brétéché
c78ab6654c
tests: add chainsaw test for image data loading (#12077)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-02-04 09:22:43 +00:00
Charles-Edouard Brétéché
b908b1037a
feat: consider validation actions (#12072)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-02-04 06:29:40 +02:00
Charles-Edouard Brétéché
e55a90cc4b
feat: implement match conditions failure policy (#12071)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-02-04 00:04:26 +02:00
Charles-Edouard Brétéché
884a77a044
feat: add context provider in admission handling (#12070)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-02-03 19:11:31 +02:00
Charles-Edouard Brétéché
0c5b74b122
chore: add validating policies chainsaw tests (#12062)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-02-03 20:53:57 +08:00
Mariam Fahmy
4c950dcb32
feat: use v1 of ValidatingAdmissionPolicies (#12050)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-31 14:21:43 +00:00
Charles-Edouard Brétéché
5b2d44afc7
fix: test typo (#12016)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-01-28 09:50:15 +00:00
Charles-Edouard Brétéché
620ddd80d1
test: add more cli vp tests (#12006)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-01-27 17:17:08 +08:00
Charles-Edouard Brétéché
6535cb763d
fix: cli schema generation (#11959)
* fix: cli schema generation

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: cli schema generation

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-01-20 22:00:41 +08:00
Charles-Edouard Brétéché
5cc408dddb
feat: use policy provider (#11947)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-01-20 09:43:05 +00:00
abhashsolanki18
d2e6759115
fix:[Bug] [CLI] CEL scanning a namespace yaml object makes Kyverno crash (#11834)
* fix:[Bug] [CLI] CEL scanning a namespace yaml object makes Kyverno crash

Signed-off-by: abhashsolanki18 <abhashsolanki18@gmail.com>

* Fix nil pointer dereference in namespace handling for ValidatingAdmissionPolicy.

Signed-off-by: abhashsolanki18 <abhashsolanki18@gmail.com>

* added test for namespace resource

Signed-off-by: abhashsolanki18 <abhashsolanki18@gmail.com>

* fixed test

Signed-off-by: abhashsolanki18 <abhashsolanki18@gmail.com>

* fixed test

Signed-off-by: abhashsolanki18 <abhashsolanki18@gmail.com>

* fixed test, combined binding and policy

Signed-off-by: abhashsolanki18 <abhashsolanki18@gmail.com>

---------

Signed-off-by: abhashsolanki18 <abhashsolanki18@gmail.com>
2025-01-16 13:39:24 +00:00
Mariam Fahmy
2016f82600
chore: use v1 of VAPs in the tests (#11929)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-15 14:08:35 +00:00
Charles-Edouard Brétéché
823661e4af
fix: sorting in fix test command (#11869)
2025-01-08 13:30:15 +00:00
Vishal Choudhary
f51a49fcaf
fix: update chainsaw test apply timeout to 30s (#11794)
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
2024-12-20 09:59:42 +00:00
Ammar Yasser
739e6a21c4
Mutate existing CLI support (#11453)
* feat: Add flags for target resources and add fake client initialization

Signed-off-by: aerosouund <aerosound161@gmail.com>

* feat: Add fake discovery client and cluster bool in the policy processor

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Use the full mutation engine policy response in the engine response

Signed-off-by: aerosouund <aerosound161@gmail.com>

* feat: Extract mutated targets from the policy responses and print them out

Signed-off-by: aerosouund <aerosound161@gmail.com>

* feat: Add TargetResources field in the cli test schema

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Generate CLI crds

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: modify checkResult to take an arbitrary actual resource and resource name

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: change getAndCompareResource to take a resource name and cascade it to GetResourceFromPath

Signed-off-by: aerosouund <aerosound161@gmail.com>

* test: Create a simple test to test mutate existing in the CLI

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Allow GetResourceFromPath to select a resource with a name from a multi resource yaml

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Modify the runTest command to return the TestResponse type

- Create a fake client, load the target resources in it and use it in the PolicyProcessor.
- Create the TestResponse which contains Trigger and Target fields, each is a map of gvk/name to the responses corresponding to that resource.

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Rewrite output.go to use the TestResponse type

- Check for both target and trigger
- Create logic for appending the resource array in case no resources are passed
- Move row creation logic into a separate method to avoid code duplication
- Extract the proper target resource based on rule type
- Create a function to extract mutated target from the engine response

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Move tests to the correct folder

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Use apiVersion/Kind/Name as the key in the test responses

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Use the apiVersion/Kind/name key schema in checking results and fix invalid resource name checking for generate policies

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Use better variable names for rows

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Account for Generate resources being an array

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Use generated resource name in checking the results and printing output

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Uncomment checks printing

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Remove bug in engine response creation

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Move the generate logic into an else block

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Fix namespace fetching bug in cel validator

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Use pointer to int in the test counter

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Remove redundant method

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Skip resources not being found in the manifests

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Create another field in the engine to denote if this is a cluster engine or an offline engine

Simply checking for the client being nil is no longer enough because for cli operations the client will be a fake client
A pointer to bool is chosen because callers who don't necessarily know what to pass should be able to pass nil

Signed-off-by: ammar <ammar.yasser@vodafone.com>

* fix: Add extra argument in fake client initiation

Signed-off-by: ammar <ammar.yasser@vodafone.com>

* fix: add extra argument in fuzz test

Signed-off-by: ammar <ammar.yasser@vodafone.com>

* fix: Add extra arg

Signed-off-by: ammar <ammar.yasser@vodafone.com>

* fix: Handle resources specified as ns/name as this schema will be deprecated in favor of apiVersion/Kind/Name

Signed-off-by: ammar <ammar.yasser@vodafone.com>

* fix: Fix linter complaints

Signed-off-by: ammar <ammar.yasser@vodafone.com>

* fix: Use comma separation as array separators as kubernetes names don't support commas

To avoid undefined array length on splitting on /
using commas will result in a fixed length since all resources will have an apiVersion, kind, namespace and name

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Change resource array type to an array of any instead of array of string

To support the use of a string or a TestResourceSpec

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Expect the resource array to be an array of string or array of TestResourceSpec

Assert that an array element is either of these types and match the resources in both cases according to the element type
Expect that the key in responses is now separated by commas instead of slashes

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Expect that the resource array is now of type array of any and modify tests that use it

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Skip response check if the policy name isn't what's in the result

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Match the name if it's specified as ns/name

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Fix linter complaint

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Run codegen

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Create CLI CRDs

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Run codegen

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Fix linter complaints

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Cleanup invalid code used in FixTest to adapt it to the schema changes

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Check if resource is nil before extracting

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: use the loadResources method to open targets in a directory

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Account for target resources with the same name but different namespaces

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Add CLI test for mutate existing with the same name

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Infer resource name and namespace from the actual resource and account for resources with the same name and namespace but different kinds

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: remove extra line

Signed-off-by: aerosouund <aerosound161@gmail.com>

* feat: Add printing mutate existing resources to the output or to a file

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Minor fixes

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: fix linter complaint

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: codegen

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Revert result back to error

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Use io discard to not print resources in the test command

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Update vague comments and remove outdated ones

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Integrate mutate existing changes with diff generation

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Move resource key generation into a function

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Add a mutate existing test that fails

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: fix linter complaint

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Remove redundant comment

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Fix array of any assignment in cli test

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Don't check duplicate strings for field that is an array of any

Signed-off-by: aerosouund <aerosound161@gmail.com>

* bug: Fix appending to the wrong array

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: run fix tests

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Run fix tests

Signed-off-by: aerosouund <aerosound161@gmail.com>

---------

Signed-off-by: aerosouund <aerosound161@gmail.com>
Signed-off-by: ammar <ammar.yasser@vodafone.com>
Signed-off-by: Ammar Yasser <aerosound161@gmail.com>
Co-authored-by: ammar <ammar.yasser@vodafone.com>
Co-authored-by: shuting <shuting@nirmata.com>
2024-12-19 07:42:54 +00:00
Mohd Kamaal
e771896541
distributed labels in group, version, and resource so it doesn't exceed (#11620)
* change label to hash if exceed 63 limit char

Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com>

* Distribute GVR labels into 'group', 'version', and 'resource' to avoid exceeding character limits

Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com>

---------

Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com>
Co-authored-by: Kamaal <kamaal@macs-MacBook-Air.local>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
2024-12-16 10:36:34 +05:30
Vishal Choudhary
174534b518
fix: properly verify precondition in old object validation (#11644)
* fix: properly verify precondition in old object validation

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: tests

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: assert bug

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: properly update the values

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2024-12-04 06:32:12 +00:00
Vishal Choudhary
ec658b7abf
fix: api call chainsaw tests (#11682)
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2024-12-02 15:46:37 +00:00
Mariam Fahmy
f36d5410ea
fix: check the patchedResources in kyverno-test (#11686)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-12-02 12:59:12 +00:00
Nishanth Reddy
95baeaa4e9
fix: return nil error when trigger resource not found for a subresources (#11594)
* fix: return nil error when trigger resource not found for a subresource kind

Signed-off-by: Nishanth Reddy <nishanth.reddy@doordash.com>

* chore(deps): bump codecov/codecov-action from 4.6.0 to 5.0.0 (#11597)

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.6.0 to 5.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](b9fd7d16f6...968872560f)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump sigs.k8s.io/structured-merge-diff/v4 (#11596)

Bumps [sigs.k8s.io/structured-merge-diff/v4](https://github.com/kubernetes-sigs/structured-merge-diff) from 4.4.1 to 4.4.3.
- [Release notes](https://github.com/kubernetes-sigs/structured-merge-diff/releases)
- [Changelog](https://github.com/kubernetes-sigs/structured-merge-diff/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/structured-merge-diff/compare/v4.4.1...v4.4.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/structured-merge-diff/v4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: use generate name for background scan reports (#11586)

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>

* chore(deps): bump github/codeql-action from 3.27.3 to 3.27.4 (#11598)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.3 to 3.27.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](396bb3e453...ea9e4e3799)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(ci): test upgrade conformance (#11498)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>

* add chainsaw tests

* add kubectl-evict to githubpath

* add readme

---------

Signed-off-by: Nishanth Reddy <nishanth.reddy@doordash.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Khaled Emara <khaled.emara@nirmata.com>
2024-11-20 15:41:06 +08:00
Netanel Kadosh
cef7be1fdc
feat: Add Manifest Index to ImageRegistry context (#9883)
* feat: Add Manifest Index to ImageRegistry context

Signed-off-by: Netanel Kadosh <kadoshnetanel@gmail.com>

* test: adding manifest list tests

Signed-off-by: Netanel Kadosh <kadoshnetanel@gmail.com>

---------

Signed-off-by: Netanel Kadosh <kadoshnetanel@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2024-11-14 08:10:25 +00:00
Vishal Choudhary
b35aaab898
fix: match failure action case insensitively for validating old object (#11486)
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
2024-11-07 00:10:56 +08:00
Khaled Emara
f07007f864
fix(validate): custom match conditions errors (#11461)
* fix(validate): custom match conditions errors

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* test(webhook): failing match conditions

---------

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-11-05 11:59:09 +00:00
Mariam Fahmy
646267b229
fix: add celPreconditions in autogen rules (#11503)
2024-10-31 14:12:22 +00:00
Vishal Choudhary
34dc0e52a2
fix: use digest instead of tag for custom-sigstore-tuf conformance test (#11492)
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
2024-10-30 14:42:20 +00:00
Khaled Emara
0b6d053545
feat(ci): enhance load testing (#11429)
Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2024-10-18 10:20:12 +00:00
Ammar Yasser
9a8e35d787
Selector with mutate target (#11208)
* feature: Add LabelSelector as a field of resource spec to allow fetching by labels

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Generate CRDs

Signed-off-by: aerosouund <aerosound161@gmail.com>

* feat: Add the capability to fetch with label selector

- Add the label selector as a parameter to GetResources of the engine api client and the dclient.
- Use the label selector with list options in the dclient.
- convert a metav1.LabelSelector to a labels.Selector before fetching to be able to convert it to a string to be used with ListOptions.

Signed-off-by: aerosouund <aerosound161@gmail.com>

* feat: Pass label selector to the GetResources method

Signed-off-by: aerosouund <aerosound161@gmail.com>

* feat: Return the resource selector when resolving spec

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Instantiate the fake client schema using the passed gvrToListKind map and by inferring schema from passed resources

All tests that use List will fail because the fake client doesn't infer the schema from the passed resources.
gvrToListKind can't be fully deprecated as some parts of kyverno use the fake client without passing resources to it (resource generation). And so both approaches have to be supported.

References:
- https://github.com/kubernetes/client-go/issues/983
- 46c1ad3baa

Signed-off-by: aerosouund <aerosound161@gmail.com>

* test: Add labelSelector unit test to mutate existing test.

- Remove the unwanted call to GetResource.
- Pass an empty map of GVR to string to the fake client constructor.

Signed-off-by: aerosouund <aerosound161@gmail.com>

* test: Add chainsaw test

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Run codegen

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Generate helm CRDs

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Put the LabelSelector in a separate struct

Many types use the ResourceSpec struct and not all of them support label selectors.
This removes the field into a separate schema dedicated to target selection called TargetSelector.
It has the ResourceSpec and the selector.

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Run codegen after modifying selector comment

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Run codegen

Signed-off-by: aerosouund <aerosound161@gmail.com>

---------

Signed-off-by: aerosouund <aerosound161@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
2024-10-16 11:17:08 +00:00
Vishal Choudhary
a7dd02a6d1
feat: update engine response.generatedResources to support multiple resource (#11398)
* fix: manually add generated_resources property

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: update engine response

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: nil check before dereferences

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: outdated errors

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: linter

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2024-10-15 14:59:18 +08:00
Charles-Edouard Brétéché
6dc328fb0c
chore: add delay after policy gets ready (#11344)
* chore: add delay after policy gets ready

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* Update test/conformance/chainsaw/_step-templates/policy-ready.yaml

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-10-14 11:39:43 +00:00
Shivam Kumar
1114f0af36
Added chainsaw test for the ttl based cleanup policy (#11328)
* Added chainsaw test for the ttl based cleanup policy

Signed-off-by: ShivamJha2436 <shivamkumar87148@gmail.com>

* Updated the ttl/propagation-policy chainsaw test structure

Signed-off-by: ShivamJha2436 <shivamkumar87148@gmail.com>

* Enhanced the chainsaw tests for the ttl/propagation-policy

Signed-off-by: ShivamJha2436 <shivamkumar87148@gmail.com>

* orphan

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* Update test/conformance/chainsaw/ttl/propagation-policy/orphan/chainsaw-test.yaml

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* Improved chainsaw tests for foreground and background propagation policies

Signed-off-by: ShivamJha2436 <shivamkumar87148@gmail.com>

* Fix background policy test: assert pod is deleted after job removal

Signed-off-by: ShivamJha2436 <shivamkumar87148@gmail.com>

* Fix: changed pod-deleted-assert.yaml to pod-assert.yaml in the foreground

Signed-off-by: ShivamJha2436 <shivamkumar87148@gmail.com>

* Change assert to error check for pod deletion in foreground test

Signed-off-by: ShivamJha2436 <shivamkumar87148@gmail.com>

* Removed the pod-deleted-assert.yaml file

Signed-off-by: ShivamJha2436 <shivamkumar87148@gmail.com>

---------

Signed-off-by: ShivamJha2436 <shivamkumar87148@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-10-07 19:25:33 +00:00
Vishal Choudhary
00fd6d47f8
fix: transfer image verify images to kyverno (#11340)
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2024-10-07 15:56:12 +00:00
Charles-Edouard Brétéché
4abdbff74a
chore: use more chainsaw step templates (#11324)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-10-07 11:44:33 +00:00