mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/pkg/admissionpolicy/validate_test.go
Charles-Edouard Brétéché 02fceb64f7
feat: implement background scan (#12101) 
* feat: implement background scan

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* scanner

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor request

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-02-06 05:49:41 +02:00

137 lines
3.7 KiB
Go
Raw Blame History

package admissionpolicy
import (
"reflect"
"testing"
yamlutils "github.com/kyverno/kyverno/pkg/utils/yaml"
)
func TestGetKinds(t *testing.T) {
type test struct {
name string
policy []byte
wantKinds []string
}
tests := []test{
{
name: "Matching pods",
policy: []byte(`
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "policy-1"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: [""]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["pods"]
validations:
- expression: "object.metadata.name.matches('nginx')"
`),
wantKinds: []string{"v1/Pod"},
},
{
name: "Matching deployments, replicasets, daemonsets and statefulsets",
policy: []byte(`
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "policy-2"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["apps"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
validations:
- expression: "object.spec.replicas <= 5"
`),
wantKinds: []string{"apps/v1/Deployment", "apps/v1/Replicaset", "apps/v1/Daemonset", "apps/v1/Statefulset"},
},
{
name: "Matching deployments/scale",
policy: []byte(`
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "policy-3"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["apps"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["deployments/scale"]
validations:
- expression: "object.spec.replicas <= 5"
`),
wantKinds: []string{"apps/v1/Deployment/scale"},
},
{
name: "Matching jobs and cronjobs",
policy: []byte(`
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "policy-4"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["batch"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["jobs", "cronjobs"]
validations:
- expression: "object.spec.jobTemplate.spec.template.spec.containers.all(container, has(container.securityContext) && has(container.securityContext.readOnlyRootFilesystem) && container.securityContext.readOnlyRootFilesystem == true)"
`),
wantKinds: []string{"batch/v1/Job", "batch/v1/Cronjob"},
},
{
name: "Multiple resource rules",
policy: []byte(`
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "policy-5"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: [""]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["pods"]
- apiGroups: ["apps"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
- apiGroups: ["batch"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["jobs", "cronjobs"]
validations:
- expression: "object.spec.replicas <= 5"
`),
wantKinds: []string{"v1/Pod", "apps/v1/Deployment", "apps/v1/Replicaset", "apps/v1/Daemonset", "apps/v1/Statefulset", "batch/v1/Job", "batch/v1/Cronjob"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_, policy, _, _, _ := yamlutils.GetPolicy(tt.policy)
kinds := GetKinds(policy[0].Spec.MatchConstraints)
if !reflect.DeepEqual(kinds, tt.wantKinds) {
t.Errorf("Expected %v, got %v", tt.wantKinds, kinds)
}
})
}
}
View git blame Copy permalink