kyverno/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/README.md at f3c9be9d0f703c54dd40759db392bad2aca66958

mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 07:57:07 +00:00

feat: add chainsaw tests for pod security in exceptions (#9667 )

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

2024-02-06 13:07:58 +00:00

1.4 KiB

Raw Blame History

Description

This test creates a policy that enforces the restricted profile and a policy exception that exempts any pod whose image is nginx in the staging-ns namespace and sets the spec.containers[*].securityContext.runAsUser field to 0.

Steps

- Create a cluster policy
- Assert the policy becomes ready
- Create a policy exception for the cluster policy created above.
- Try to create a pod named good-pod-1 in the default namespace that doesn't violate the restricted profile, expecting the creation to succeed.
- Try to create a pod named good-pod-2 whose image is nginx in the staging-ns namespace and the spec.containers[*].securityContext.runAsUser is set to 0, expecting the creation to succeed.
- Try to create a pod named bad-pod-1 whose image is nginx in the staging-ns namespace and the spec.containers[*].securityContext.runAsUser is set to 0 and the spec.initContainers[*].securityContext.runAsNonRoot is set to 0, expecting the creation to fail.
- Try to create a pod named bad-pod-2 whose image is busybox in the staging-ns namespace and the spec.containers[*].securityContext.runAsUser is set to 0, expecting the creation to fail.
- Try to create a pod named bad-pod-3 whose image is nginx in the default namespace and the spec.containers[*].securityContext.runAsUser is set to 0, expecting the creation to fail.

1.4 KiB Raw Blame History

Description

Steps

1.4 KiB

Raw Blame History