kyverno

mirror of https://github.com/kyverno/kyverno.git synced 2025-03-07 00:17:13 +00:00

History

Mariam Fahmy ace5b59003 feat: add chainsaw tests for pod security in exceptions (#9667 ) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>		2024-02-06 13:07:58 +00:00
..
chainsaw-test.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
exception.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
ns.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-allowed-1.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-allowed-2.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-rejected-1.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-rejected-2.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-rejected-3.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
pod-rejected-4.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
policy-assert.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
policy.yaml	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00
README.md	feat: add chainsaw tests for pod security in exceptions (#9667 )	2024-02-06 13:07:58 +00:00

README.md

Description

This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose image is nginx in the staging-ns namespace and fields:

spec.containers[*].securityContext.seLinuxOptions.type is set to foo.
spec.initContainers[*].securityContext.seLinuxOptions.type is set to bar.

Steps

- Create a cluster policy
- Assert the policy becomes ready
- Create a policy exception for the cluster policy created above.
- Try to create a pod named good-pod-1 in the default namespace that doesn't violate the baseline profile, expecting the creation to succeed.
- Try to create a pod named good-pod-2 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.seLinuxOptions.type set to foo and spec.initContainers[*].securityContext.seLinuxOptions.type set to bar, expecting the creation to succeed.
- Try to create a pod named bad-pod-1 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.seLinuxOptions.type set to bar and spec.initContainers[*].securityContext.seLinuxOptions.type set to foo, expecting the creation to fail.
- Try to create a pod named bad-pod-2 whose image is busybox in the staging-ns namespace with spec.containers[*].securityContext.seLinuxOptions.type set to foo and spec.initContainers[*].securityContext.seLinuxOptions.type set to bar, expecting the creation to fail.
- Try to create a pod named bad-pod-3 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.seLinuxOptions.type set to foo and spec.ephemeralContainers[*].securityContext.capabilities.add set to bar, expecting the creation to fail.
- Try to create a pod named bad-pod-4 whose image is nginx in the default namespace with spec.containers[*].securityContext.seLinuxOptions.type set to foo and spec.initContainers[*].securityContext.seLinuxOptions.type set to bar, expecting the creation to fail.