mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
kyverno/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/README.md
Mariam Fahmy ace5b59003
feat: add chainsaw tests for pod security in exceptions (#9667) 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-02-06 13:07:58 +00:00

2 KiB
Raw Blame History

Description

This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is nginx in the staging-ns namespace and fields:

  1. spec.containers[*].securityContext.capabilities.add is set to foo.
  2. spec.initContainers[*].securityContext.capabilities.add is set to baz.

Steps

    • Create a cluster policy
    • Assert the policy becomes ready
    • Create a policy exception for the cluster policy created above.
    • Try to create a pod named good-pod-1 in the default namespace with spec.containers[*].securityContext.capabilities.add set to NET_BIND_SERVICE, expecting the creation to succeed.
    • Try to create a pod named good-pod-2 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.capabilities.add set to foo and spec.initContainers[*].securityContext.capabilities.add set to baz, expecting the creation to succeed.
    • Try to create a pod named bad-pod-1 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.capabilities.add set to baz and spec.initContainers[*].securityContext.capabilities.add set to foo, expecting the creation to fail.
    • Try to create a pod named bad-pod-2 whose image is busybox in the staging-ns namespace with spec.containers[*].securityContext.capabilities.add set to foo and spec.initContainers[*].securityContext.capabilities.add set to baz, expecting the creation to fail.
    • Try to create a pod named bad-pod-3 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.capabilities.add set to foo and spec.ephemeralContainers[*].securityContext.capabilities.add set to baz, expecting the creation to fail.
    • Try to create a pod named bad-pod-4 whose image is nginx in the default namespace with spec.containers[*].securityContext.capabilities.add set to foo and spec.initContainers[*].securityContext.capabilities.add set to baz, expecting the creation to fail.