should-fail:
  # Policies that reference admission-request user info (roles, clusterRoles,
  # userInfo, serviceAccountName) cannot be evaluated in background mode, so the
  # policy validation webhook must deny their creation.
  - description: Policy with background enabled and referencing user infos should be rejected
    kubectl:
      args:
        - create
        - -f
        - test/conformance/manifests/should-fail/background-userinfo-1.yaml
    expect:
      exitcode: 1
      stderr: >-
        Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-1.yaml":
        admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
        Set spec.background=false to disable background mode for this policy rule: variable {{request.roles}} is not allowed
  - description: Policy with background enabled and referencing user infos should be rejected
    kubectl:
      args:
        - create
        - -f
        - test/conformance/manifests/should-fail/background-userinfo-2.yaml
    expect:
      exitcode: 1
      stderr: >-
        Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-2.yaml":
        admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
        Set spec.background=false to disable background mode for this policy rule: invalid variable used at path: spec/rules[0]/match/clusterRoles
  - description: Policy with background enabled and referencing user infos should be rejected
    kubectl:
      args:
        - create
        - -f
        - test/conformance/manifests/should-fail/background-userinfo-3.yaml
    expect:
      exitcode: 1
      stderr: >-
        Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-3.yaml":
        admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
        Set spec.background=false to disable background mode for this policy rule: variable {{request.userInfo}} is not allowed
  - description: Policy with background enabled and referencing user infos should be rejected
    kubectl:
      args:
        - create
        - -f
        - test/conformance/manifests/should-fail/background-userinfo-4.yaml
    expect:
      exitcode: 1
      stderr: >-
        Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-4.yaml":
        admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
        Set spec.background=false to disable background mode for this policy rule: variable {{serviceAccountName}} is not allowed
  # The best-practice policy set must be admitted and every policy must reach
  # the ready condition within the timeout.
  - description: Best practice policies should create fine
    kubectl:
      args:
        - create
        - -f
        - test/best_practices
    expect:
      exitcode: 0
      stdout: |-
        clusterpolicy.kyverno.io/add-networkpolicy created
        clusterpolicy.kyverno.io/add-ns-quota created
        clusterpolicy.kyverno.io/add-safe-to-evict created
        clusterpolicy.kyverno.io/disallow-bind-mounts created
        clusterpolicy.kyverno.io/disallow-host-network-port created
        clusterpolicy.kyverno.io/disallow-host-pid-ipc created
        clusterpolicy.kyverno.io/disallow-latest-tag created
        clusterpolicy.kyverno.io/disallow-privileged created
        clusterpolicy.kyverno.io/disallow-sysctls created
        clusterpolicy.kyverno.io/require-certain-labels created
        clusterpolicy.kyverno.io/require-labels created
        clusterpolicy.kyverno.io/require-pod-requests-limits created
        clusterpolicy.kyverno.io/select-secrets created
  - description: Best practice policies should become ready
    kubectl:
      args:
        - wait
        - --for
        - condition=ready
        - cpol
        - --all
        - --timeout
        - 90s
    expect:
      exitcode: 0
      stdout: |-
        clusterpolicy.kyverno.io/add-networkpolicy condition met
        clusterpolicy.kyverno.io/add-ns-quota condition met
        clusterpolicy.kyverno.io/add-safe-to-evict condition met
        clusterpolicy.kyverno.io/disallow-bind-mounts condition met
        clusterpolicy.kyverno.io/disallow-host-network-port condition met
        clusterpolicy.kyverno.io/disallow-host-pid-ipc condition met
        clusterpolicy.kyverno.io/disallow-latest-tag condition met
        clusterpolicy.kyverno.io/disallow-privileged condition met
        clusterpolicy.kyverno.io/disallow-sysctls condition met
        clusterpolicy.kyverno.io/require-certain-labels condition met
        clusterpolicy.kyverno.io/require-labels condition met
        clusterpolicy.kyverno.io/require-pod-requests-limits condition met
        clusterpolicy.kyverno.io/select-secrets condition met