kyverno/test/conformance/chainsaw/exceptions/exclude-privileged-containers/README.md at f3c9be9d0f703c54dd40759db392bad2aca66958

mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 07:57:07 +00:00

feat: add chainsaw tests for pod security in exceptions (#9667 )

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

2024-02-06 13:07:58 +00:00

1.4 KiB

Raw Blame History

Description

This test creates a policy that enforces the baseline profile and a policy exception that exempts any pod whose image is nginx in the staging-ns namespace and sets the securityContext.privileged field in containers and initContainers only.

Steps

- Create a cluster policy
- Assert the policy becomes ready
- Create a policy exception for the cluster policy created above.
- Try to create a pod named good-pod-1 with securityContext.privileged set to false in the default namespace, expecting the creation to succeed.
- Try to create a pod named good-pod-2 whose image is nginx in the staging-ns namespace and the securityContext.privileged is set to true in containers and initContainers, expecting the creation to succeed.
- Try to create a pod named bad-pod-1 whose image is nginx in the staging-ns namespace and the securityContext.privileged is set to true in containers, initContainers and ephemeralContainers, expecting the creation to fail.
- Try to create a pod named bad-pod-2 whose image is busybox in the staging-ns namespace and the securityContext.privileged is set to true in containers and initContainers, expecting the creation to fail.
- Try to create a pod named bad-pod-3 whose image is nginx in the default namespace and the securityContext.privileged is set to true, expecting the creation to fail.

1.4 KiB Raw Blame History

Description

Steps

1.4 KiB

Raw Blame History