mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-01-20 18:52:16 +00:00
Code Activity
kyverno/test/conformance/chainsaw/exceptions/exclude-selinux
History
Mariam Fahmy 2140a0239b
chore: rename validationFailureAction to failureAction under the rule (#10893) 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2024-08-27 20:07:57 +00:00
..
chainsaw-test.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
exception.yaml chore: use v2 for exceptions in chainsaw tests (#10529) 2024-06-24 11:54:57 +00:00
ns.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-allowed-1.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-allowed-2.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-rejected-1.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-rejected-2.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-rejected-3.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
pod-rejected-4.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
policy-assert.yaml feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00
policy.yaml chore: rename validationFailureAction to failureAction under the rule (#10893) 2024-08-27 20:07:57 +00:00
README.md feat: add chainsaw tests for pod security in exceptions (#9667) 2024-02-06 13:07:58 +00:00

README.md

Description

This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose image is nginx in the staging-ns namespace and fields:

  1. spec.containers[*].securityContext.seLinuxOptions.type is set to foo.
  2. spec.initContainers[*].securityContext.seLinuxOptions.type is set to bar.

Steps

    • Create a cluster policy
    • Assert the policy becomes ready
    • Create a policy exception for the cluster policy created above.
    • Try to create a pod named good-pod-1 in the default namespace that doesn't violate the baseline profile, expecting the creation to succeed.
    • Try to create a pod named good-pod-2 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.seLinuxOptions.type set to foo and spec.initContainers[*].securityContext.seLinuxOptions.type set to bar, expecting the creation to succeed.
    • Try to create a pod named bad-pod-1 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.seLinuxOptions.type set to bar and spec.initContainers[*].securityContext.seLinuxOptions.type set to foo, expecting the creation to fail.
    • Try to create a pod named bad-pod-2 whose image is busybox in the staging-ns namespace with spec.containers[*].securityContext.seLinuxOptions.type set to foo and spec.initContainers[*].securityContext.seLinuxOptions.type set to bar, expecting the creation to fail.
    • Try to create a pod named bad-pod-3 whose image is nginx in the staging-ns namespace with spec.containers[*].securityContext.seLinuxOptions.type set to foo and spec.ephemeralContainers[*].securityContext.capabilities.add set to bar, expecting the creation to fail.
    • Try to create a pod named bad-pod-4 whose image is nginx in the default namespace with spec.containers[*].securityContext.seLinuxOptions.type set to foo and spec.initContainers[*].securityContext.seLinuxOptions.type set to bar, expecting the creation to fail.