mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-10 01:46:55 +00:00
274 lines
9.4 KiB
Go
274 lines
9.4 KiB
Go
package mutate
|
|
|
|
import (
|
|
"github.com/blang/semver/v4"
|
|
"github.com/kyverno/kyverno/test/e2e/common"
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
)
|
|
|
|
// MutateTests is E2E Test Config for mutation
|
|
var MutateTests = []struct {
|
|
// TestName - Name of the Test
|
|
TestName string
|
|
// Data - The Yaml file of the ClusterPolicy
|
|
Data []byte
|
|
// ResourceNamespace - Namespace of the Resource
|
|
ResourceNamespace string
|
|
// PolicyName - Name of the Policy
|
|
PolicyName string
|
|
}{
|
|
{
|
|
TestName: "test-mutate-with-context",
|
|
Data: configMapMutationYaml,
|
|
ResourceNamespace: "test-mutate",
|
|
PolicyName: "mutate-policy",
|
|
},
|
|
{
|
|
TestName: "test-mutate-with-logic-in-context",
|
|
Data: configMapMutationWithContextLogicYaml,
|
|
ResourceNamespace: "test-mutate",
|
|
PolicyName: "mutate-policy",
|
|
},
|
|
{
|
|
TestName: "test-mutate-with-context-label-selection",
|
|
Data: configMapMutationWithContextLabelSelectionYaml,
|
|
ResourceNamespace: "test-mutate",
|
|
PolicyName: "mutate-policy",
|
|
},
|
|
}
|
|
|
|
// Note: sometimes deleting namespaces takes time.
|
|
// Using different names for namespaces prevents collisions.
|
|
var tests = []struct {
|
|
// TestDescription - Description of the Test
|
|
TestDescription string
|
|
// PolicyName - Name of the Policy
|
|
PolicyName string
|
|
// PolicyRaw - The Yaml file of the ClusterPolicy
|
|
PolicyRaw []byte
|
|
// ResourceName - Name of the Resource
|
|
ResourceName string
|
|
// ResourceNamespace - Namespace of the Resource
|
|
ResourceNamespace string
|
|
// ResourceGVR - GVR of the Resource
|
|
ResourceGVR schema.GroupVersionResource
|
|
// ResourceRaw - The Yaml file of the ClusterPolicy
|
|
ResourceRaw []byte
|
|
// ExpectedPatternRaw - The Yaml file that contains validate pattern for the expected result
|
|
// This is not the final result. It is just used to validate the result from the engine.
|
|
ExpectedPatternRaw []byte
|
|
}{
|
|
{
|
|
TestDescription: "checks that runAsNonRoot is added to security context and containers elements security context",
|
|
PolicyName: "set-runasnonroot-true",
|
|
PolicyRaw: setRunAsNonRootTrue,
|
|
ResourceName: "foo",
|
|
ResourceNamespace: "test-mutate",
|
|
ResourceGVR: podGVR,
|
|
ResourceRaw: podWithContainers,
|
|
ExpectedPatternRaw: podWithContainersPattern,
|
|
},
|
|
{
|
|
TestDescription: "checks that runAsNonRoot is added to security context and containers elements security context and initContainers elements security context",
|
|
PolicyName: "set-runasnonroot-true",
|
|
PolicyRaw: setRunAsNonRootTrue,
|
|
ResourceName: "foo",
|
|
ResourceNamespace: "test-mutate1",
|
|
ResourceGVR: podGVR,
|
|
ResourceRaw: podWithContainersAndInitContainers,
|
|
ExpectedPatternRaw: podWithContainersAndInitContainersPattern,
|
|
},
|
|
{
|
|
TestDescription: "checks that variables in the keys are working correctly",
|
|
PolicyName: "structured-logs-sidecar",
|
|
PolicyRaw: kyverno_2316_policy,
|
|
ResourceName: "busybox",
|
|
ResourceNamespace: "test-mutate2",
|
|
ResourceGVR: deploymentGVR,
|
|
ResourceRaw: kyverno_2316_resource,
|
|
ExpectedPatternRaw: kyverno_2316_pattern,
|
|
},
|
|
{
|
|
TestDescription: "checks that policy mutate env variables of an array with specific index numbers",
|
|
PolicyName: "add-image-as-env-var",
|
|
PolicyRaw: kyverno_mutate_json_patch,
|
|
ResourceName: "foo",
|
|
ResourceNamespace: "test-mutate-env-array",
|
|
ResourceGVR: podGVR,
|
|
ResourceRaw: podWithEnvVar,
|
|
ExpectedPatternRaw: podWithEnvVarPattern,
|
|
},
|
|
{
|
|
TestDescription: "checks that preconditions are substituted correctly",
|
|
PolicyName: "replace-docker-hub",
|
|
PolicyRaw: kyverno_2971_policy,
|
|
ResourceName: "nginx",
|
|
ResourceNamespace: "test-mutate-img",
|
|
ResourceGVR: podGVR,
|
|
ResourceRaw: kyverno_2971_resource,
|
|
ExpectedPatternRaw: kyverno_2971_pattern,
|
|
},
|
|
{
|
|
TestDescription: "checks the global anchor variables for emptyDir",
|
|
PolicyName: "add-safe-to-evict",
|
|
PolicyRaw: annotate_host_path_policy,
|
|
ResourceName: "pod-with-emptydir",
|
|
ResourceNamespace: "emptydir",
|
|
ResourceGVR: podGVR,
|
|
ResourceRaw: podWithEmptyDirAsVolume,
|
|
ExpectedPatternRaw: podWithVolumePattern,
|
|
},
|
|
{
|
|
TestDescription: "checks the global anchor variables for hostPath",
|
|
PolicyName: "add-safe-to-evict",
|
|
PolicyRaw: annotate_host_path_policy,
|
|
ResourceName: "pod-with-hostpath",
|
|
ResourceNamespace: "hostpath",
|
|
ResourceGVR: podGVR,
|
|
ResourceRaw: podWithHostPathAsVolume,
|
|
ExpectedPatternRaw: podWithVolumePattern,
|
|
},
|
|
}
|
|
|
|
var ingressTests = struct {
|
|
testNamespace string
|
|
cpol []byte
|
|
policyName string
|
|
tests []struct {
|
|
testName string
|
|
group, version, rsc, resourceName string
|
|
resource []byte
|
|
skip bool
|
|
}
|
|
}{
|
|
testNamespace: "test-ingress",
|
|
cpol: mutateIngressCpol,
|
|
policyName: "mutate-ingress-host",
|
|
tests: []struct {
|
|
testName string
|
|
group, version, rsc, resourceName string
|
|
resource []byte
|
|
skip bool
|
|
}{
|
|
{
|
|
testName: "test-networking-v1-ingress",
|
|
group: "networking.k8s.io",
|
|
version: "v1",
|
|
rsc: "ingresses",
|
|
resourceName: "kuard-v1",
|
|
resource: ingressNetworkingV1,
|
|
skip: common.GetKubernetesVersion().LT(semver.MustParse("1.19.0")),
|
|
},
|
|
// the following test can be removed after 1.22 cluster
|
|
{
|
|
testName: "test-networking-v1beta1-ingress",
|
|
group: "networking.k8s.io",
|
|
version: "v1beta1",
|
|
rsc: "ingresses",
|
|
resourceName: "kuard-v1beta1",
|
|
resource: ingressNetworkingV1beta1,
|
|
skip: common.GetKubernetesVersion().GTE(semver.MustParse("1.22.0")),
|
|
},
|
|
},
|
|
}
|
|
|
|
type mutateExistingOperation string
|
|
|
|
const (
|
|
createTrigger mutateExistingOperation = "createTrigger"
|
|
deleteTrigger mutateExistingOperation = "deleteTrigger"
|
|
createPolicy mutateExistingOperation = "createPolicy"
|
|
)
|
|
|
|
// Note: sometimes deleting namespaces takes time.
|
|
// Using different names for namespaces prevents collisions.
|
|
var mutateExistingTests = []struct {
|
|
// TestDescription - Description of the Test
|
|
TestDescription string
|
|
// Operation describes how to trigger the policy
|
|
Operation mutateExistingOperation
|
|
// PolicyName - Name of the Policy
|
|
PolicyName string
|
|
// PolicyRaw - The Yaml file of the ClusterPolicy
|
|
PolicyRaw []byte
|
|
// TriggerName - Name of the Trigger Resource
|
|
TriggerName string
|
|
// TriggerNamespace - Namespace of the Trigger Resource
|
|
TriggerNamespace string
|
|
// TriggerGVR - GVR of the Trigger Resource
|
|
TriggerGVR schema.GroupVersionResource
|
|
// TriggerRaw - The Yaml file of the Trigger Resource
|
|
TriggerRaw []byte
|
|
// TargetName - Name of the Target Resource
|
|
TargetName string
|
|
// TargetNamespace - Namespace of the Target Resource
|
|
TargetNamespace string
|
|
// TargetGVR - GVR of the Target Resource
|
|
TargetGVR schema.GroupVersionResource
|
|
// TargetRaw - The Yaml file of the Target ClusterPolicy
|
|
TargetRaw []byte
|
|
// ExpectedTargetRaw - The Yaml file that contains validate pattern for the expected result
|
|
// This is not the final result. It is just used to validate the result from the engine.
|
|
ExpectedTargetRaw []byte
|
|
}{
|
|
{
|
|
TestDescription: "mutate existing on resource creation",
|
|
Operation: createTrigger,
|
|
PolicyName: "test-post-mutation-create-trigger",
|
|
PolicyRaw: policyCreateTrigger,
|
|
TriggerName: "dictionary-1",
|
|
TriggerNamespace: "staging-1",
|
|
TriggerGVR: configmGVR,
|
|
TriggerRaw: triggerCreateTrigger,
|
|
TargetName: "test-secret-1",
|
|
TargetNamespace: "staging-1",
|
|
TargetGVR: secretGVR,
|
|
TargetRaw: targetCreateTrigger,
|
|
ExpectedTargetRaw: expectedTargetCreateTrigger,
|
|
},
|
|
{
|
|
TestDescription: "mutate existing on resource deletion",
|
|
Operation: deleteTrigger,
|
|
PolicyName: "test-post-mutation-delete-trigger",
|
|
PolicyRaw: policyDeleteTrigger,
|
|
TriggerName: "dictionary-2",
|
|
TriggerNamespace: "staging-2",
|
|
TriggerGVR: configmGVR,
|
|
TriggerRaw: triggerDeleteTrigger,
|
|
TargetName: "test-secret-2",
|
|
TargetNamespace: "staging-2",
|
|
TargetGVR: secretGVR,
|
|
TargetRaw: targetDeleteTrigger,
|
|
ExpectedTargetRaw: expectedTargetDeleteTrigger,
|
|
},
|
|
{
|
|
TestDescription: "mutate existing on policy creation",
|
|
Operation: createPolicy,
|
|
PolicyName: "test-post-mutation-create-policy",
|
|
PolicyRaw: policyCreatePolicy,
|
|
TriggerName: "dictionary-3",
|
|
TriggerNamespace: "staging-3",
|
|
TriggerGVR: configmGVR,
|
|
TriggerRaw: triggerCreatePolicy,
|
|
TargetName: "test-secret-3",
|
|
TargetNamespace: "staging-3",
|
|
TargetGVR: secretGVR,
|
|
TargetRaw: targetCreatePolicy,
|
|
ExpectedTargetRaw: expectedTargetCreatePolicy,
|
|
},
|
|
{
|
|
TestDescription: "mutate existing (patchesJson6902) on resource creation",
|
|
Operation: createTrigger,
|
|
PolicyName: "test-post-mutation-json-patch-create-trigger",
|
|
PolicyRaw: policyCreateTriggerJsonPatch,
|
|
TriggerName: "dictionary-4",
|
|
TriggerNamespace: "staging-4",
|
|
TriggerGVR: configmGVR,
|
|
TriggerRaw: triggerCreateTriggerJsonPatch,
|
|
TargetName: "test-secret-4",
|
|
TargetNamespace: "staging-4",
|
|
TargetGVR: secretGVR,
|
|
TargetRaw: targetCreateTriggerJsonPatch,
|
|
ExpectedTargetRaw: expectedCreateTriggerJsonPatch,
|
|
},
|
|
}
|