mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 07:57:07 +00:00
5b8ab3842b
* initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com>
425 lines
8.7 KiB
Go
425 lines
8.7 KiB
Go
package engine
|
|
|
|
import (
|
|
"encoding/json"
|
|
"testing"
|
|
|
|
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
|
"gotest.tools/assert"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
)
|
|
|
|
func TestGetAnchorsFromMap_ThereAreNoAnchors(t *testing.T) {
|
|
rawMap := []byte(`{
|
|
"name":"nirmata-*",
|
|
"notAnchor1":123,
|
|
"namespace":"kube-?olicy",
|
|
"notAnchor2":"sample-text",
|
|
"object":{
|
|
"key1":"value1",
|
|
"(key2)":"value2"
|
|
}
|
|
}`)
|
|
|
|
var unmarshalled map[string]interface{}
|
|
json.Unmarshal(rawMap, &unmarshalled)
|
|
|
|
actualMap := getAnchorsFromMap(unmarshalled)
|
|
assert.Assert(t, len(actualMap) == 0)
|
|
}
|
|
|
|
// Match multiple kinds
|
|
func TestResourceDescriptionMatch_MultipleKind(t *testing.T) {
|
|
rawResource := []byte(`{
|
|
"apiVersion": "apps/v1",
|
|
"kind": "Deployment",
|
|
"metadata": {
|
|
"name": "nginx-deployment",
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"replicas": 3,
|
|
"selector": {
|
|
"matchLabels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"template": {
|
|
"metadata": {
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"containers": [
|
|
{
|
|
"name": "nginx",
|
|
"image": "nginx:1.7.9",
|
|
"ports": [
|
|
{
|
|
"containerPort": 80
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
}`)
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
if err != nil {
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
|
|
|
}
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
Kinds: []string{"Deployment", "Pods"},
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: nil,
|
|
MatchExpressions: nil,
|
|
},
|
|
}
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}}
|
|
|
|
assert.Assert(t, MatchesResourceDescription(*resource, rule))
|
|
}
|
|
|
|
// Match resource name
|
|
func TestResourceDescriptionMatch_Name(t *testing.T) {
|
|
rawResource := []byte(`{
|
|
"apiVersion": "apps/v1",
|
|
"kind": "Deployment",
|
|
"metadata": {
|
|
"name": "nginx-deployment",
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"replicas": 3,
|
|
"selector": {
|
|
"matchLabels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"template": {
|
|
"metadata": {
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"containers": [
|
|
{
|
|
"name": "nginx",
|
|
"image": "nginx:1.7.9",
|
|
"ports": [
|
|
{
|
|
"containerPort": 80
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
}`)
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
if err != nil {
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
|
|
|
}
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
Kinds: []string{"Deployment"},
|
|
Name: "nginx-deployment",
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: nil,
|
|
MatchExpressions: nil,
|
|
},
|
|
}
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}}
|
|
|
|
assert.Assert(t, MatchesResourceDescription(*resource, rule))
|
|
}
|
|
|
|
// Match resource regex
|
|
func TestResourceDescriptionMatch_Name_Regex(t *testing.T) {
|
|
rawResource := []byte(`{
|
|
"apiVersion": "apps/v1",
|
|
"kind": "Deployment",
|
|
"metadata": {
|
|
"name": "nginx-deployment",
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"replicas": 3,
|
|
"selector": {
|
|
"matchLabels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"template": {
|
|
"metadata": {
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"containers": [
|
|
{
|
|
"name": "nginx",
|
|
"image": "nginx:1.7.9",
|
|
"ports": [
|
|
{
|
|
"containerPort": 80
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
}`)
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
if err != nil {
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
|
|
|
}
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
Kinds: []string{"Deployment"},
|
|
Name: "nginx-*",
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: nil,
|
|
MatchExpressions: nil,
|
|
},
|
|
}
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}}
|
|
|
|
assert.Assert(t, MatchesResourceDescription(*resource, rule))
|
|
}
|
|
|
|
// Match expressions for labels to not match
|
|
func TestResourceDescriptionMatch_Label_Expression_NotMatch(t *testing.T) {
|
|
rawResource := []byte(`{
|
|
"apiVersion": "apps/v1",
|
|
"kind": "Deployment",
|
|
"metadata": {
|
|
"name": "nginx-deployment",
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"replicas": 3,
|
|
"selector": {
|
|
"matchLabels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"template": {
|
|
"metadata": {
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"containers": [
|
|
{
|
|
"name": "nginx",
|
|
"image": "nginx:1.7.9",
|
|
"ports": [
|
|
{
|
|
"containerPort": 80
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
}`)
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
if err != nil {
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
|
|
|
}
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
Kinds: []string{"Deployment"},
|
|
Name: "nginx-*",
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: nil,
|
|
MatchExpressions: []metav1.LabelSelectorRequirement{
|
|
metav1.LabelSelectorRequirement{
|
|
Key: "label2",
|
|
Operator: "NotIn",
|
|
Values: []string{
|
|
"sometest1",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}}
|
|
|
|
assert.Assert(t, MatchesResourceDescription(*resource, rule))
|
|
}
|
|
|
|
// Match label expression in matching set
|
|
func TestResourceDescriptionMatch_Label_Expression_Match(t *testing.T) {
|
|
rawResource := []byte(`{
|
|
"apiVersion": "apps/v1",
|
|
"kind": "Deployment",
|
|
"metadata": {
|
|
"name": "nginx-deployment",
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"replicas": 3,
|
|
"selector": {
|
|
"matchLabels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"template": {
|
|
"metadata": {
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"containers": [
|
|
{
|
|
"name": "nginx",
|
|
"image": "nginx:1.7.9",
|
|
"ports": [
|
|
{
|
|
"containerPort": 80
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
}`)
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
if err != nil {
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
|
|
|
}
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
Kinds: []string{"Deployment"},
|
|
Name: "nginx-*",
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: nil,
|
|
MatchExpressions: []metav1.LabelSelectorRequirement{
|
|
metav1.LabelSelectorRequirement{
|
|
Key: "app",
|
|
Operator: "NotIn",
|
|
Values: []string{
|
|
"nginx1",
|
|
"nginx2",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}}
|
|
|
|
assert.Assert(t, MatchesResourceDescription(*resource, rule))
|
|
}
|
|
|
|
// check for exclude conditions
|
|
func TestResourceDescriptionExclude_Label_Expression_Match(t *testing.T) {
|
|
rawResource := []byte(`{
|
|
"apiVersion": "apps/v1",
|
|
"kind": "Deployment",
|
|
"metadata": {
|
|
"name": "nginx-deployment",
|
|
"labels": {
|
|
"app": "nginx",
|
|
"block": "true"
|
|
}
|
|
},
|
|
"spec": {
|
|
"replicas": 3,
|
|
"selector": {
|
|
"matchLabels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"template": {
|
|
"metadata": {
|
|
"labels": {
|
|
"app": "nginx"
|
|
}
|
|
},
|
|
"spec": {
|
|
"containers": [
|
|
{
|
|
"name": "nginx",
|
|
"image": "nginx:1.7.9",
|
|
"ports": [
|
|
{
|
|
"containerPort": 80
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
}`)
|
|
resource, err := ConvertToUnstructured(rawResource)
|
|
if err != nil {
|
|
t.Errorf("unable to convert raw resource to unstructured: %v", err)
|
|
|
|
}
|
|
resourceDescription := kyverno.ResourceDescription{
|
|
Kinds: []string{"Deployment"},
|
|
Name: "nginx-*",
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: nil,
|
|
MatchExpressions: []metav1.LabelSelectorRequirement{
|
|
metav1.LabelSelectorRequirement{
|
|
Key: "app",
|
|
Operator: "NotIn",
|
|
Values: []string{
|
|
"nginx1",
|
|
"nginx2",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
resourceDescriptionExclude := kyverno.ResourceDescription{
|
|
Selector: &metav1.LabelSelector{
|
|
MatchLabels: map[string]string{
|
|
"block": "true",
|
|
},
|
|
},
|
|
}
|
|
|
|
rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription},
|
|
ExcludeResources: kyverno.ExcludeResources{ResourceDescription: resourceDescriptionExclude}}
|
|
|
|
assert.Assert(t, !MatchesResourceDescription(*resource, rule))
|
|
}
|
|
|
|
func TestRemoveAnchor_ConditionAnchor(t *testing.T) {
|
|
assert.Equal(t, removeAnchor("(abc)"), "abc")
|
|
}
|
|
|
|
func TestRemoveAnchor_ExistanceAnchor(t *testing.T) {
|
|
assert.Equal(t, removeAnchor("^(abc)"), "abc")
|
|
}
|
|
|
|
func TestRemoveAnchor_EmptyExistanceAnchor(t *testing.T) {
|
|
assert.Equal(t, removeAnchor("^()"), "")
|
|
}
|