Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---
# Conformance cases for Kyverno policy admission. Each entry runs kubectl with
# the listed `args`; `expect` holds the exit code and output the run should
# produce (presumably compared by the conformance runner -- confirm how strictly
# stdout/stderr are matched before editing the expected text).
validate-fail:
  # --- Negative cases: policies that must be refused at admission ------------
  # Every expected stderr below is a denial from the
  # "validate-policy.kyverno.svc" admission webhook, so these cases only pass
  # when that webhook is registered and answering. If a `create` exits 0, the
  # policy was admitted without this validation and the case should be treated
  # as a real failure, not a flaky one.
  #
  # Background scans evaluate existing resources, where no admission request
  # exists, so role/user data from the request has nothing to resolve against.
  # The webhook rejects such policies instead of accepting a rule that would
  # not match as written during background processing.

  # Role-based match clause (clusterRoles) combined with background mode.
  - description: Policy with background enabled and referencing clusterRoles in match/exclude statements should be rejected
    kubectl:
      args:
        - create
        - -f
        - test/conformance/manifests/validate/fail/background-match-clusterroles.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/validate/fail/background-match-clusterroles.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule:
          invalid variable used at path: spec/rules[0]/match/any[0]/clusterRoles

  # Same check for namespaced roles in the match clause.
  - description: Policy with background enabled and referencing roles in match/exclude statements should be rejected
    kubectl:
      args:
        - create
        - -f
        - test/conformance/manifests/validate/fail/background-match-roles.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/validate/fail/background-match-roles.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule:
          invalid variable used at path: spec/rules[0]/match/any[0]/roles

  # Variable form: {{request.roles}} used inside a background-enabled policy.
  - description: Policy with background enabled and referencing the var request.roles should be rejected.
    kubectl:
      args:
        - create
        - -f
        - test/conformance/manifests/validate/fail/background-vars-roles.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-roles.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule: variable {{request.roles}} is not allowed

  # Variable form: {{request.userInfo}}.
  - description: Policy with background enabled and referencing the var request.userInfo should be rejected.
    kubectl:
      args:
        - create
        - -f
        - test/conformance/manifests/validate/fail/background-vars-userinfo.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-userinfo.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule: variable {{request.userInfo}} is not allowed

  # Variable form: service account name. Note the expected message names the
  # variable as {{serviceAccountName}}, not request.serviceaccountname as the
  # description words it.
  - description: Policy with background enabled and referencing the var request.serviceaccountname should be rejected.
    kubectl:
      args:
        - create
        - -f
        - test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml
      expect:
        exitcode: 1
        stderr: >-
          Error from server: error when creating "test/conformance/manifests/validate/fail/background-vars-serviceaccountname.yaml":
          admission webhook "validate-policy.kyverno.svc" denied the request: only select variables are allowed in background mode.
          Set spec.background=false to disable background mode for this policy rule: variable {{serviceAccountName}} is not allowed

  # --- Positive cases: the best-practice policy set ---------------------------
  # These two steps verify only that the policies are admitted and then reach
  # the Ready condition. They do not show that any policy is enforced (for
  # example that a privileged pod is denied); enforcement needs its own
  # resource-level cases.
  #
  # The expected stdout enumerates every policy under test/best_practices, so
  # adding, removing or renaming a policy there requires updating both lists.
  - description: Best practice policies should create fine
    kubectl:
      args:
        - create
        - -f
        - test/best_practices
      expect:
        exitcode: 0
        stdout: |-
          clusterpolicy.kyverno.io/add-networkpolicy created
          clusterpolicy.kyverno.io/add-ns-quota created
          clusterpolicy.kyverno.io/add-safe-to-evict created
          clusterpolicy.kyverno.io/disallow-bind-mounts created
          clusterpolicy.kyverno.io/disallow-host-network-port created
          clusterpolicy.kyverno.io/disallow-host-pid-ipc created
          clusterpolicy.kyverno.io/disallow-latest-tag created
          clusterpolicy.kyverno.io/disallow-privileged created
          clusterpolicy.kyverno.io/disallow-sysctls created
          clusterpolicy.kyverno.io/require-certain-labels created
          clusterpolicy.kyverno.io/require-labels created
          clusterpolicy.kyverno.io/require-pod-requests-limits created
          clusterpolicy.kyverno.io/select-secrets created

  # Depends on the previous step having created the policies; `--all` waits on
  # every ClusterPolicy (cpol) in the cluster, bounded by the 90s timeout.
  - description: Best practice policies should become ready
    kubectl:
      args:
        - wait
        - --for
        - condition=ready
        - cpol
        - --all
        - --timeout
        - 90s
      expect:
        exitcode: 0
        stdout: |-
          clusterpolicy.kyverno.io/add-networkpolicy condition met
          clusterpolicy.kyverno.io/add-ns-quota condition met
          clusterpolicy.kyverno.io/add-safe-to-evict condition met
          clusterpolicy.kyverno.io/disallow-bind-mounts condition met
          clusterpolicy.kyverno.io/disallow-host-network-port condition met
          clusterpolicy.kyverno.io/disallow-host-pid-ipc condition met
          clusterpolicy.kyverno.io/disallow-latest-tag condition met
          clusterpolicy.kyverno.io/disallow-privileged condition met
          clusterpolicy.kyverno.io/disallow-sysctls condition met
          clusterpolicy.kyverno.io/require-certain-labels condition met
          clusterpolicy.kyverno.io/require-labels condition met
          clusterpolicy.kyverno.io/require-pod-requests-limits condition met
          clusterpolicy.kyverno.io/select-secrets condition met