mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user
History
Mariam Fahmy ace5b59003
feat: add chainsaw tests for pod security in exceptions (#9667) 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-02-06 13:07:58 +00:00
..
chainsaw-test.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
exception.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
ns.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-allowed-1.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-allowed-2.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-rejected-1.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-rejected-2.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-rejected-3.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
policy-assert.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
policy.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
README.md feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00

README.md

Description

This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is nginx in the staging-ns namespace and sets the spec.containers[*].securityContext.runAsUser field to 0.

Steps

    • Create a cluster policy
    • Assert the policy becomes ready
    • Create a policy exception for the cluster policy created above.
    • Try to create a pod named good-pod-1 in the default namespace that doesn't violate the restricted profile, expecting the creation to succeed.
    • Try to create a pod named good-pod-2 whose image is nginx in the staging-ns namespace and the spec.containers[*].securityContext.runAsUser is set to 0, expecting the creation to succeed.
    • Try to create a pod named bad-pod-1 whose image is nginx in the staging-ns namespace and the spec.containers[*].securityContext.runAsUser is set to 0 and the spec.initContainers[*].securityContext.runAsNonRoot is set to 0, expecting the creation to fail.
    • Try to create a pod named bad-pod-2 whose image is busybox in the staging-ns namespace and the spec.containers[*].securityContext.runAsUser is set to 0, expecting the creation to fail.
    • Try to create a pod named bad-pod-3 whose image is nginx in the default namespace and the spec.containers[*].securityContext.runAsUser is set to 0, expecting the creation to fail.