mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/pkg/utils/yaml/loadpolicy_test.go
Mariam Fahmy 4c950dcb32
feat: use v1 of ValidatingAdmissionPolicies (#12050) 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-01-31 14:21:43 +00:00

518 lines
11 KiB
Go
Raw Blame History

package yaml
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestGetPolicy(t *testing.T) {
type args struct {
bytes []byte
}
type policy struct {
kind string
namespace string
}
tests := []struct {
name string
args args
wantPolicies []policy
vaps []policy
vapBindings []policy
wantErr bool
}{{
name: "policy",
args: args{
[]byte(`
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: generate-policy
namespace: ns-1
spec:
rules:
- name: copy-game-demo
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
kind: ConfigMap
name: game-demo
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: game-demo
`),
},
wantPolicies: []policy{
{"Policy", "ns-1"},
},
wantErr: false,
}, {
name: "policy without ns",
args: args{
[]byte(`
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: generate-policy
spec:
rules:
- name: copy-game-demo
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
kind: ConfigMap
name: game-demo
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: game-demo
`),
},
wantPolicies: []policy{
{"Policy", "default"},
},
wantErr: false,
}, {
name: "cluster policy",
args: args{
[]byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-policy
spec:
rules:
- name: copy-game-demo
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
kind: ConfigMap
name: game-demo
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: game-demo
`),
},
wantPolicies: []policy{
{"ClusterPolicy", ""},
},
wantErr: false,
}, {
name: "cluster policy with ns",
args: args{
[]byte(`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-policy
namespace: ns-1
spec:
rules:
- name: copy-game-demo
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
kind: ConfigMap
name: game-demo
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: game-demo
`),
},
wantPolicies: []policy{
{"ClusterPolicy", ""},
},
wantErr: false,
}, {
name: "policy and cluster policy",
args: args{
[]byte(`
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: generate-policy
namespace: ns-1
spec:
rules:
- name: copy-game-demo
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
kind: ConfigMap
name: game-demo
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: game-demo
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-policy
spec:
rules:
- name: copy-game-demo
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
kind: ConfigMap
name: game-demo
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: game-demo
`),
},
wantPolicies: []policy{
{"Policy", "ns-1"},
{"ClusterPolicy", ""},
},
wantErr: false,
}, {
name: "policy and cluster policy in list",
args: args{
[]byte(`
apiVersion: v1
kind: List
items:
- apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: generate-policy
namespace: ns-1
spec:
rules:
- name: copy-game-demo
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
kind: ConfigMap
name: game-demo
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: game-demo
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-policy
spec:
rules:
- name: copy-game-demo
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
kind: ConfigMap
name: game-demo
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: game-demo
`),
},
wantPolicies: []policy{
{"Policy", "ns-1"},
{"ClusterPolicy", ""},
},
wantErr: false,
}, {
name: "ValidatingAdmissionPolicy",
args: args{
[]byte(`
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "demo-policy.example.com"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["apps"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["deployments"]
validations:
- expression: "object.spec.replicas <= 5"
`),
}, vaps: []policy{
{"ValidatingAdmissionPolicy", ""},
},
wantErr: false,
}, {
name: "ValidatingAdmissionPolicy and Policy",
args: args{
[]byte(`
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "demo-policy.example.com"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["apps"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["deployments"]
validations:
- expression: "object.spec.replicas <= 5"
---
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: generate-policy
namespace: ns-1
spec:
rules:
- name: copy-game-demo
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
kind: ConfigMap
name: game-demo
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: game-demo
`),
}, wantPolicies: []policy{
{"Policy", "ns-1"},
},
vaps: []policy{
{"ValidatingAdmissionPolicy", ""},
},
wantErr: false,
}, {
name: "ValidatingAdmissionPolicy and ClusterPolicy",
args: args{
[]byte(`
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "demo-policy.example.com"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["apps"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["deployments"]
validations:
- expression: "object.spec.replicas <= 5"
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-policy
spec:
rules:
- name: copy-game-demo
match:
resources:
kinds:
- Namespace
exclude:
resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
kind: ConfigMap
name: game-demo
namespace: "{{request.object.metadata.name}}"
synchronize: true
clone:
namespace: default
name: game-demo
`),
}, wantPolicies: []policy{
{"ClusterPolicy", ""},
},
vaps: []policy{
{"ValidatingAdmissionPolicy", ""},
},
wantErr: false,
}, {
name: "ValidatingAdmissionPolicyBinding",
args: args{
[]byte(`
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "demo-binding-test.example.com"
spec:
policyName: "demo-policy.example.com"
validationActions: [Deny]
matchResources:
namespaceSelector:
matchLabels:
environment: test
`),
}, vapBindings: []policy{
{"ValidatingAdmissionPolicyBinding", ""},
},
wantErr: false,
}, {
name: "ValidatingAdmissionPolicy and its binding",
args: args{
[]byte(`
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: "demo-policy.example.com"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["apps"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["deployments"]
validations:
- expression: "object.spec.replicas <= 5"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "demo-binding-test.example.com"
spec:
policyName: "demo-policy.example.com"
validationActions: [Deny]
matchResources:
namespaceSelector:
matchLabels:
environment: test
`),
}, vaps: []policy{
{"ValidatingAdmissionPolicy", ""},
}, vapBindings: []policy{
{"ValidatingAdmissionPolicyBinding", ""},
},
wantErr: false,
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
gotPolicies, gotValidatingAdmissionPolicies, gotBindings, _, err := GetPolicy(tt.args.bytes)
if tt.wantErr {
assert.Error(t, err)
} else {
assert.NoError(t, err)
if assert.Equal(t, len(tt.wantPolicies), len(gotPolicies)) {
for i := range tt.wantPolicies {
assert.Equal(t, tt.wantPolicies[i].kind, gotPolicies[i].GetKind())
assert.Equal(t, tt.wantPolicies[i].namespace, gotPolicies[i].GetNamespace())
}
}
if assert.Equal(t, len(tt.vaps), len(gotValidatingAdmissionPolicies)) {
for i := range tt.vaps {
assert.Equal(t, tt.vaps[i].kind, gotValidatingAdmissionPolicies[i].Kind)
}
}
if assert.Equal(t, len(tt.vapBindings), len(gotBindings)) {
for i := range tt.vapBindings {
assert.Equal(t, tt.vapBindings[i].kind, gotBindings[i].Kind)
}
}
}
})
}
}
View git blame Copy permalink