mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 17:37:12 +00:00
c796bb765c
* fix: return policies with either audit or enforce rules from the cache Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * feat: introduce validationFailureAction under verifyImage rules Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * feat: add chainsaw tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> |
||
|---|---|---|
| .. | ||
| chainsaw-test.yaml | ||
| exception.yaml | ||
| ns.yaml | ||
| pod-allowed-1.yaml | ||
| pod-allowed-2.yaml | ||
| pod-rejected-1.yaml | ||
| pod-rejected-2.yaml | ||
| policy-assert.yaml | ||
| policy.yaml | ||
| README.md | ||
Description
This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose namespace is staging-ns namespace and sets the spec.securityContext.sysctls[*].name to fake.value.
Steps
-
- Create a cluster policy
- Assert the policy becomes ready
-
- Create a policy exception for the cluster policy created above.
-
- Try to create a pod named
good-pod-1in thedefaultnamespace whosespec.securityContext.sysctls[0].namefield is set tonet.ipv4.ip_unprivileged_port_start, expecting the creation to succeed. - Try to create a pod named
good-pod-2in thestaging-nsnamespace whosespec.securityContext.sysctls[0].namefield is set tofake.value, expecting the creation to succeed. - Try to create a pod named
bad-pod-1in thestaging-nsnamespace whosespec.securityContext.sysctls[0].namefield is set tounknown, expecting the creation to fail. - Try to create a pod named
bad-pod-2in thedefaultnamespace whosespec.securityContext.sysctls[0].namefield is set tofake.value, expecting the creation to fail.
- Try to create a pod named