kyverno

mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

History

Charles-Edouard Brétéché df267dd829 chore: use more chainsaw step templates (#11311 ) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>		2024-10-03 11:56:30 +00:00
..
chainsaw-test.yaml	chore: use more chainsaw step templates (#11311 )	2024-10-03 11:56:30 +00:00
exception.yaml	chore: use v2 for exceptions in chainsaw tests (#10529 )	2024-06-24 11:54:57 +00:00
ns.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-allowed-1.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-allowed-2.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-rejected-1.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-rejected-2.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-rejected-3.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-rejected-4.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
policy.yaml	chore: rename validationFailureAction to failureAction under the rule (#10893 )	2024-08-27 20:07:57 +00:00
README.md	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00

README.md

Description

This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is nginx in the staging-ns namespace and fields:

spec.containers[*].securityContext.capabilities.add is set to foo.
spec.initContainers[*].securityContext.capabilities.add is set to baz.

Steps

- Create a cluster policy
- Assert the policy becomes ready
- Create a policy exception for the cluster policy created above.
- Try to create a pod named good-pod-1 in the default namespace with spec.containers[*].securityContext.capabilities.add set to NET_BIND_SERVICE, expecting the creation to succeed.
- Try to create a pod named good-pod-2 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.capabilities.add set to foo and spec.initContainers[*].securityContext.capabilities.add set to baz, expecting the creation to succeed.
- Try to create a pod named bad-pod-1 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.capabilities.add set to baz and spec.initContainers[*].securityContext.capabilities.add set to foo, expecting the creation to fail.
- Try to create a pod named bad-pod-2 whose image is busybox in the staging-ns namespace with spec.containers[*].securityContext.capabilities.add set to foo and spec.initContainers[*].securityContext.capabilities.add set to baz, expecting the creation to fail.
- Try to create a pod named bad-pod-3 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.capabilities.add set to foo and spec.ephemeralContainers[*].securityContext.capabilities.add set to baz, expecting the creation to fail.
- Try to create a pod named bad-pod-4 whose image is nginx in the default namespace with spec.containers[*].securityContext.capabilities.add set to foo and spec.initContainers[*].securityContext.capabilities.add set to baz, expecting the creation to fail.