mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-12 10:56:54 +00:00
35491d248e
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
99 lines
4.7 KiB
YAML
99 lines
4.7 KiB
YAML
should-fail:
|
|
- description: Policy with backgound enabled and referencing user infos should be rejected
|
|
kubectl:
|
|
args:
|
|
- create
|
|
- -f
|
|
- test/conformance/manifests/should-fail/background-userinfo-1.yaml
|
|
expect:
|
|
exitcode: 1
|
|
stderr: >-
|
|
Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-1.yaml":
|
|
admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
|
|
Set spec.background=false to disable background mode for this policy rule: variable "{{request.roles}} is not allowed
|
|
- description: Policy with backgound enabled and referencing user infos should be rejected
|
|
kubectl:
|
|
args:
|
|
- create
|
|
- -f
|
|
- test/conformance/manifests/should-fail/background-userinfo-2.yaml
|
|
expect:
|
|
exitcode: 1
|
|
stderr: >-
|
|
Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-2.yaml":
|
|
admission webhook "validate-policy.kyverno.svc" denied the request:
|
|
only select variables are allowed in background mode.
|
|
Set spec.background=false to disable background mode for this policy rule:
|
|
invalid variable used at path: spec/rules[0]/match/clusterRoles
|
|
- description: Policy with backgound enabled and referencing user infos should be rejected
|
|
kubectl:
|
|
args:
|
|
- create
|
|
- -f
|
|
- test/conformance/manifests/should-fail/background-userinfo-3.yaml
|
|
expect:
|
|
exitcode: 1
|
|
stderr: >-
|
|
Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-3.yaml":
|
|
admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
|
|
Set spec.background=false to disable background mode for this policy rule: variable "{{request.userInfo}} is not allowed
|
|
- description: Policy with backgound enabled and referencing user infos should be rejected
|
|
kubectl:
|
|
args:
|
|
- create
|
|
- -f
|
|
- test/conformance/manifests/should-fail/background-userinfo-4.yaml
|
|
expect:
|
|
exitcode: 1
|
|
stderr: >-
|
|
Error from server: error when creating "test/conformance/manifests/should-fail/background-userinfo-4.yaml":
|
|
admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
|
|
Set spec.background=false to disable background mode for this policy rule: variable "{{serviceAccountName}} is not allowed
|
|
- description: Best practice policies should create fine
|
|
kubectl:
|
|
args:
|
|
- create
|
|
- -f
|
|
- test/best_practices
|
|
expect:
|
|
exitcode: 0
|
|
stdout: |-
|
|
clusterpolicy.kyverno.io/add-networkpolicy created
|
|
clusterpolicy.kyverno.io/add-ns-quota created
|
|
clusterpolicy.kyverno.io/add-safe-to-evict created
|
|
clusterpolicy.kyverno.io/disallow-bind-mounts created
|
|
clusterpolicy.kyverno.io/disallow-host-network-port created
|
|
clusterpolicy.kyverno.io/disallow-host-pid-ipc created
|
|
clusterpolicy.kyverno.io/disallow-latest-tag created
|
|
clusterpolicy.kyverno.io/disallow-privileged created
|
|
clusterpolicy.kyverno.io/disallow-sysctls created
|
|
clusterpolicy.kyverno.io/require-certain-labels created
|
|
clusterpolicy.kyverno.io/require-labels created
|
|
clusterpolicy.kyverno.io/require-pod-requests-limits created
|
|
clusterpolicy.kyverno.io/select-secrets created
|
|
- description: Best practice policies should become ready
|
|
kubectl:
|
|
args:
|
|
- wait
|
|
- --for
|
|
- condition=ready
|
|
- cpol
|
|
- --all
|
|
- --timeout
|
|
- 90s
|
|
expect:
|
|
exitcode: 0
|
|
stdout: |-
|
|
clusterpolicy.kyverno.io/add-networkpolicy condition met
|
|
clusterpolicy.kyverno.io/add-ns-quota condition met
|
|
clusterpolicy.kyverno.io/add-safe-to-evict condition met
|
|
clusterpolicy.kyverno.io/disallow-bind-mounts condition met
|
|
clusterpolicy.kyverno.io/disallow-host-network-port condition met
|
|
clusterpolicy.kyverno.io/disallow-host-pid-ipc condition met
|
|
clusterpolicy.kyverno.io/disallow-latest-tag condition met
|
|
clusterpolicy.kyverno.io/disallow-privileged condition met
|
|
clusterpolicy.kyverno.io/disallow-sysctls condition met
|
|
clusterpolicy.kyverno.io/require-certain-labels condition met
|
|
clusterpolicy.kyverno.io/require-labels condition met
|
|
clusterpolicy.kyverno.io/require-pod-requests-limits condition met
|
|
clusterpolicy.kyverno.io/select-secrets condition met
|