mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
|
|
||
|---|---|---|
| .. | ||
| chainsaw-test.yaml | ||
| exception.yaml | ||
| ns.yaml | ||
| pod-allowed-1.yaml | ||
| pod-allowed-2.yaml | ||
| pod-rejected-1.yaml | ||
| pod-rejected-2.yaml | ||
| pod-rejected-3.yaml | ||
| policy-assert.yaml | ||
| policy.yaml | ||
| README.md | ||
Description
This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose image is nginx in the staging-ns namespace and sets the securityContext.privileged field in containers and initContainers only.
Steps
-
- Create a cluster policy
- Assert the policy becomes ready
-
- Create a policy exception for the cluster policy created above.
-
- Try to create a pod named
good-pod-1withsecurityContext.privilegedset tofalsein thedefaultnamespace, expecting the creation to succeed. - Try to create a pod named
good-pod-2whose image isnginxin thestaging-nsnamespace and thesecurityContext.privilegedis set totruein containers and initContainers, expecting the creation to succeed. - Try to create a pod named
bad-pod-1whose image isnginxin thestaging-nsnamespace and thesecurityContext.privilegedis set totruein containers, initContainers and ephemeralContainers, expecting the creation to fail. - Try to create a pod named
bad-pod-2whose image isbusyboxin thestaging-nsnamespace and thesecurityContext.privilegedis set totruein containers and initContainers, expecting the creation to fail. - Try to create a pod named
bad-pod-3whose image isnginxin thedefaultnamespace and thesecurityContext.privilegedis set totrue, expecting the creation to fail.
- Try to create a pod named