validate-fail:
  - description: Policy with background enabled and referencing clusterRoles in match/exclude statements should be rejected
    kubectl:
      args:
        - create
        - -f 
        - test/conformance/manifests/validate/fail/background-match-clusterroles.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/validate/fail/background-match-clusterroles.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule:
          invalid variable used at path: spec/rules[0]/match/any[0]/clusterRoles 
  - description: Policy with background enabled and referencing roles in match/exclude statements should be rejected
    kubectl:
      args:
        - create
        - -f 
        - test/conformance/manifests/validate/fail/background-match-roles.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/validate/fail/background-match-roles.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule:
          invalid variable used at path: spec/rules[0]/match/any[0]/roles
  - description: Policy with background enabled and referencing the var request.roles should be rejected.
    kubectl:
      args:
        - create
        - -f 
        - test/conformance/manifests/validate/fail/background-vars-roles.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-roles.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule: variable {{request.roles}} is not allowed 
  - description: Policy with background enabled and referencing the var request.userInfo should be rejected.
    kubectl:
      args:
        - create
        - -f 
        - test/conformance/manifests/validate/fail/background-vars-userinfo.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-userinfo.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule: variable {{request.userInfo}} is not allowed 
  - description: Policy with background enabled and referencing the var request.serviceaccountname should be rejected.
    kubectl:
      args:
        - create
        - -f 
        - test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule: variable {{serviceAccountName}} is not allowed 
  - description: Best practice policies should create fine
    kubectl:
      args:
        - create
        - -f 
        - test/best_practices
      expect:
        exitcode: 0
        stdout: |-
          clusterpolicy.kyverno.io/add-networkpolicy created
          clusterpolicy.kyverno.io/add-ns-quota created
          clusterpolicy.kyverno.io/add-safe-to-evict created
          clusterpolicy.kyverno.io/disallow-bind-mounts created
          clusterpolicy.kyverno.io/disallow-host-network-port created
          clusterpolicy.kyverno.io/disallow-host-pid-ipc created
          clusterpolicy.kyverno.io/disallow-latest-tag created
          clusterpolicy.kyverno.io/disallow-privileged created
          clusterpolicy.kyverno.io/disallow-sysctls created
          clusterpolicy.kyverno.io/require-certain-labels created
          clusterpolicy.kyverno.io/require-labels created
          clusterpolicy.kyverno.io/require-pod-requests-limits created
          clusterpolicy.kyverno.io/select-secrets created
  - description: Best practice policies should become ready
    kubectl:
      args:
        - wait
        - --for
        - condition=ready
        - cpol
        - --all
        - --timeout
        - 90s
      expect:
        exitcode: 0
        stdout: |-
          clusterpolicy.kyverno.io/add-networkpolicy condition met
          clusterpolicy.kyverno.io/add-ns-quota condition met
          clusterpolicy.kyverno.io/add-safe-to-evict condition met
          clusterpolicy.kyverno.io/disallow-bind-mounts condition met
          clusterpolicy.kyverno.io/disallow-host-network-port condition met
          clusterpolicy.kyverno.io/disallow-host-pid-ipc condition met
          clusterpolicy.kyverno.io/disallow-latest-tag condition met
          clusterpolicy.kyverno.io/disallow-privileged condition met
          clusterpolicy.kyverno.io/disallow-sysctls condition met
          clusterpolicy.kyverno.io/require-certain-labels condition met
          clusterpolicy.kyverno.io/require-labels condition met
          clusterpolicy.kyverno.io/require-pod-requests-limits condition met
          clusterpolicy.kyverno.io/select-secrets condition met