From 429b05544a084e1ac4018ffc0e93866360ea7dd0 Mon Sep 17 00:00:00 2001 From: Anushka Mittal <138426011+anushkamittal2001@users.noreply.github.com> Date: Wed, 10 Jul 2024 15:32:04 +0530 Subject: [PATCH 01/44] fix: compute operations for mutatingwebhookconf (#10639) * fix: compute operations for mutatingwebhookconf Signed-off-by: anushkamittal20 * chore: add unit test Signed-off-by: anushkamittal20 --------- Signed-off-by: anushkamittal20 Co-authored-by: anushkamittal20 --- pkg/controllers/webhook/controller.go | 14 ++-- pkg/controllers/webhook/controller_test.go | 86 ++++++++++++++++++++++ 2 files changed, 94 insertions(+), 6 deletions(-) diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go index 4c2a2a87861a..a0411f64be4e 100644 --- a/pkg/controllers/webhook/controller.go +++ b/pkg/controllers/webhook/controller.go 
@@ -820,12 +820,14 @@ func (c *controller) buildDefaultResourceValidatingWebhookConfiguration(_ contex
 func addOpnForMutatingWebhookConf(rules []kyvernov1.Rule, mapResourceToOpnType map[string][]admissionregistrationv1.OperationType) map[string][]admissionregistrationv1.OperationType {
 var mapResourceToOpn map[string]map[string]bool
 for _, r := range rules {
- var resources []string
- operationStatusMap := getOperationStatusMap()
- operationStatusMap = computeOperationsForMutatingWebhookConf(r, operationStatusMap)
- resources = computeResourcesOfRule(r)
- for _, r := range resources {
- mapResourceToOpn, mapResourceToOpnType = appendResource(r, mapResourceToOpn, operationStatusMap, mapResourceToOpnType)
+ if r.HasMutate() || r.HasVerifyImages() {
+ var resources []string
+ operationStatusMap := getOperationStatusMap()
+ operationStatusMap = computeOperationsForMutatingWebhookConf(r, operationStatusMap)
+ resources = computeResourcesOfRule(r)
+ for _, r := range resources {
+ mapResourceToOpn, mapResourceToOpnType = appendResource(r, mapResourceToOpn, operationStatusMap, mapResourceToOpnType)
+ }
 }
 }
 return mapResourceToOpnType
diff --git a/pkg/controllers/webhook/controller_test.go b/pkg/controllers/webhook/controller_test.go
index 9cd20f6db4db..c539b0b3be83 100644
--- a/pkg/controllers/webhook/controller_test.go
+++ b/pkg/controllers/webhook/controller_test.go
@@ -4,10 +4,12 @@ import (
 "cmp"
 "reflect"
 "slices"
+ "sort"
 "testing"

 kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
 admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+ apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 )

 func TestAddOperationsForValidatingWebhookConfMultiplePolicies(t *testing.T) {
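Review bot: The inner `for _, r := range resources` in `addOpnForMutatingWebhookConf` reuses the name `r` that the outer loop gives to the rule, so inside the new `if` block `r` is a rule on one line and a resource string a few lines later. Renaming the inner variable, `for _, res := range resources {` with `appendResource(res, ...)`, keeps the two apart, and `resources := computeResourcesOfRule(r)` can replace the separate `var resources []string` declaration. The new guard also deserves a comment, for example `// only mutate and verifyImages rules contribute operations to the mutating webhook`, because a rule type left out here presumably no longer receives admission requests through this configuration. The function's closing brace is outside the hunk.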
@@ -318,3 +320,87 @@ func TestAddOperationsForMutatingtingWebhookConf(t *testing.T) { }) } } + +func TestAddOperationsForMutatingtingWebhookConfMultiplePolicies(t *testing.T) { + testCases := []struct { + name string + policies []kyverno.ClusterPolicy + expectedResult map[string][]admissionregistrationv1.OperationType + }{ + { + name: "test-1", + policies: []kyverno.ClusterPolicy{ + { + Spec: kyverno.Spec{ + Rules: []kyverno.Rule{ + { + Mutation: kyverno.Mutation{ + RawPatchStrategicMerge: &apiextensionsv1.JSON{Raw: []byte(`"nodeSelector": {<"public-ip-type": "elastic"}, +"priorityClassName": "elastic-ip-required"`)}}, + MatchResources: kyverno.MatchResources{ + ResourceDescription: kyverno.ResourceDescription{ + Kinds: []string{"Pod"}, + }, + }, + }, + }, + }, + }, + { + Spec: kyverno.Spec{ + Rules: []kyverno.Rule{ + { + Generation: kyverno.Generation{}, + MatchResources: kyverno.MatchResources{ + ResourceDescription: kyverno.ResourceDescription{ + Kinds: []string{"Deployments", "StatefulSet", "DaemonSet", "Job"}, + }, + }, + }, + }, + }, + }, + }, + expectedResult: map[string][]admissionregistrationv1.OperationType{ + "Pod": {"CREATE", "UPDATE"}, + }, + }, + } + + var mapResourceToOpnType map[string][]admissionregistrationv1.OperationType + for _, test := range testCases { + t.Run(test.name, func(t *testing.T) { + for _, p := range test.policies { + mapResourceToOpnType = addOpnForMutatingWebhookConf(p.GetSpec().Rules, mapResourceToOpnType) + } + if !compareMaps(mapResourceToOpnType, test.expectedResult) { + t.Errorf("Expected %v, but got %v", test.expectedResult, mapResourceToOpnType) + } + }) + } +} + +func compareMaps(a, b map[string][]admissionregistrationv1.OperationType) bool { + if len(a) != len(b) { + return false + } + + for key, aValue := range a { + bValue, ok := b[key] + if !ok { + return false + } + + sort.Slice(aValue, func(i, j int) bool { + return cmp.Compare(aValue[i], aValue[j]) < 0 + }) + sort.Slice(bValue, func(i, j int) bool { + return 
cmp.Compare(bValue[i], bValue[j]) < 0 + }) + + if !reflect.DeepEqual(aValue, bValue) { + return false + } + } + + return true +} From 9904718d0874b8c248065d6d205defdd450cf4cf Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Wed, 10 Jul 2024 18:01:19 +0530 Subject: [PATCH 02/44] fix: rename level 1 logs to INFO from DEBUG (#10617) Signed-off-by: Vishal Choudhary Co-authored-by: shuting --- pkg/logging/log.go | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/pkg/logging/log.go b/pkg/logging/log.go index f79f491f1318..9a7c18fe561d 100644 --- a/pkg/logging/log.go +++ b/pkg/logging/log.go @@ -59,8 +59,10 @@ func Setup(logFormat string, loggingTimestampFormat string, level int) error { switch logFormat { case TextFormat: zc = zap.NewDevelopmentConfig() + zc.EncoderConfig.EncodeLevel = zapLevelEncoderText case JSONFormat: zc = zap.NewProductionConfig() + zc.EncoderConfig.EncodeLevel = zapLevelEncoderJson default: return errors.New("log format not recognized, pass `text` for text mode or `json` to enable JSON logging") } @@ -186,3 +188,21 @@ func (a *writerAdapter) Write(p []byte) (int, error) { func StdLogger(logger logr.Logger, prefix string) *stdlog.Logger { return stdlog.New(&writerAdapter{logger: logger}, prefix, stdlog.LstdFlags) } + +func zapLevelEncoderText(l zapcore.Level, enc zapcore.PrimitiveArrayEncoder) { + enc.AppendString(zapLevelToString(l)) +} + +func zapLevelEncoderJson(l zapcore.Level, enc zapcore.PrimitiveArrayEncoder) { + enc.AppendString(strings.ToLower(zapLevelToString(l))) +} + +func zapLevelToString(zapLevel zapcore.Level) string { + if zapLevel <= 0 && zapLevel >= -2 { + return "INFO" + } else if zapLevel <= -3 { + return "DEBUG" + } else { + return zapLevel.CapitalString() + } +} From 5b715420a3d1e84856e0398b0983b73d69e09426 Mon Sep 17 00:00:00 2001 
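Review bot: `mapResourceToOpnType` is declared once before the `for _, test := range testCases` loop in `TestAddOperationsForMutatingtingWebhookConfMultiplePolicies`, so any second test case would start from the map the first case accumulated; declaring it inside the `t.Run` closure keeps cases independent. The `RawPatchStrategicMerge` fixture is not valid JSON (a stray `<` follows `{` and the enclosing braces are missing), which suggests the code under test never parses it, and a well-formed patch would make the fixture safe to reuse. `compareMaps` sorts both arguments in place with `sort.Slice`, mutating `expectedResult`; since the file already imports `slices`, sorting copies, `x := slices.Clone(aValue); slices.Sort(x)`, avoids that and makes the new `sort` import unnecessary.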
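Review bot: `zapLevelToString` maps zap levels 0 to -2 to "INFO" and -3 and below to "DEBUG" without saying where those numbers come from; a doc comment such as `// zapLevelToString labels verbosity 0-2 as INFO and 3 and above as DEBUG; other levels keep zap's own name` would help (the verbosity-to-zap-level mapping is inferred, it is not visible in the hunk). The `else if`/`else` after a `return` reads better as a `switch`, and Go initialism style would spell `zapLevelEncoderJson` as `zapLevelEncoderJSON`. Because the `level` field of already-emitted records changes, log pipelines and alert rules that filter or drop on `debug` should be checked before this is rolled out.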
From: Mariam Fahmy Date: Wed, 10 Jul 2024 18:31:32 +0400 Subject: [PATCH 03/44] fix: truncate event messages to 1024 chars (#10636) * fix: truncate event messages to 1024 chars Signed-off-by: Mariam Fahmy * add chainsaw test Signed-off-by: Mariam Fahmy --------- Signed-off-by: Mariam Fahmy Co-authored-by: Jim Bugwadia --- pkg/event/controller.go | 6 ++++- pkg/event/events.go | 8 +----- pkg/event/events_test.go | 25 ------------------- .../chainsaw-test.yaml | 21 ++++++++++++++++ .../event-assert.yaml | 17 +++++++++++++ .../policy-assert.yaml | 10 ++++++++ .../policy.yaml | 18 +++++++++++++ .../resource.yaml | 14 +++++++++++ 8 files changed, 86 insertions(+), 33 deletions(-) delete mode 100644 pkg/event/events_test.go create mode 100755 test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/event-assert.yaml create mode 100644 test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy-assert.yaml create mode 100644 test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml create mode 100644 test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/resource.yaml diff --git a/pkg/event/controller.go b/pkg/event/controller.go index 0b71ff8de1a2..18a085185065 100644 --- a/pkg/event/controller.go +++ b/pkg/event/controller.go @@ -175,6 +175,10 @@ func (gen *controller) emitEvent(key Info) { if namespace == "" { namespace = metav1.NamespaceDefault } + message := key.Message + if len(message) > 1024 { + message = message[0:1021] + "..." + } event := &eventsv1.Event{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf("%v.%x", refRegarding.Name, t.UnixNano()), @@ -188,7 +192,7 @@ func (gen *controller) emitEvent(key Info) { Reason: string(key.Reason), Regarding: *refRegarding, Related: refRelated, - Note: key.Message, + Note: message, Type: eventType, } 
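Review bot: `message[0:1021]` in `emitEvent` cuts at a byte offset, so a message containing multi-byte UTF-8 can be split inside a character and the event `Note` then ends in an invalid sequence before the `...`. Backing the cut up to a rune boundary keeps the note valid and still at most 1024 bytes; it needs `unicode/utf8` in the file's imports, which are outside the hunk. The literals 1024 and 1021 would also read better as one named constant with a comment stating that the limit is counted in bytes. `emitEvent` starts and ends outside the hunk.

```go
message := key.Message
if len(message) > 1024 {
	// Step back to the start of a rune so the cut never splits a character.
	cut := 1021
	for cut > 0 && !utf8.RuneStart(message[cut]) {
		cut--
	}
	message = message[:cut] + "..."
}
```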
diff --git a/pkg/event/events.go b/pkg/event/events.go
index d4de317fdc51..f21c5c14c1ad 100644
--- a/pkg/event/events.go
+++ b/pkg/event/events.go
@@ -58,13 +58,7 @@ func buildPolicyEventMessage(resp engineapi.RuleResponse, resource engineapi.Res
 if resp.Message() != "" {
 fmt.Fprintf(&b, "; %s", resp.Message())
 }
-
- msg := b.String()
- if len(msg) > 1024 {
- msg = msg[0:1021] + "..."
- }
-
- return msg
+ return b.String()
 }

 func NewPolicyAppliedEvent(source Source, engineResponse engineapi.EngineResponse) Info {
diff --git a/pkg/event/events_test.go b/pkg/event/events_test.go
deleted file mode 100644
index 94ac657410fb..000000000000
--- a/pkg/event/events_test.go
+++ /dev/null
@@ -1,25 +0,0 @@ -package event - -import ( - "testing" - - engineapi "github.com/kyverno/kyverno/pkg/engine/api" - "gotest.tools/assert" -) - -func TestMessageLength(t *testing.T) { - msg := "policy psa/baseline fail: Validation rule 'baseline' failed. It violates PodSecurity \"restricted:latest\": (Forbidden reason: allowPrivilegeEscalation != false, field error list: [spec.containers[0].securityContext.allowPrivilegeEscalation is forbidden, forbidden values found: nil])(Forbidden reason: unrestricted capabilities, field error list: [spec.containers[0].securityContext.capabilities.drop: Required value])(Forbidden reason: host namespaces, field error list: [spec.hostNetwork is forbidden, forbidden values found: true])(Forbidden reason: hostPath volumes, field error list: [spec.volumes[1].hostPath is forbidden, forbidden values found: /run/xtables.lock, spec.volumes[2].hostPath is forbidden, forbidden values found: /lib/modules])(Forbidden reason: privileged, field error list: [spec.containers[0].securityContext.privileged is forbidden, forbidden values found: true])(Forbidden reason: restricted volume types, field error list: [spec.volumes[1].hostPath: Forbidden, spec.volumes[2].hostPath: Forbidden])(Forbidden reason: runAsNonRoot != true, field error list: [spec.containers[0].securityContext.runAsNonRoot: Required value])(Forbidden reason: seccompProfile, field error list: [spec.containers[0].securityContext.seccompProfile.type: Required value])" - assert.Assert(t, len(msg) > 1024) - - resp := engineapi.NewRuleResponse("podSecurity", engineapi.Validation, msg, engineapi.RuleStatusFail) - - resource := &engineapi.ResourceSpec{ - Kind: "Pod", - APIVersion: "v1", - Namespace: "default", - UID: "9005aec3-f779-4d19-985b-3ff51a695cca", - } - - eventMsg := buildPolicyEventMessage(*resp, *resource, true) - assert.Equal(t, 1024, len(eventMsg)) -} 
diff --git a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/chainsaw-test.yaml b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/chainsaw-test.yaml new file mode 100755 index 000000000000..72fa2c5aeb21 --- /dev/null +++ b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: message-exceeds-1024-characters +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: resource.yaml + - name: step-03 + try: + - assert: + file: event-assert.yaml diff --git a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/event-assert.yaml b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/event-assert.yaml new file mode 100644 index 000000000000..133b4926d1b1 --- /dev/null +++ b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/event-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: v1 + kind: Pod + name: badpod01 + namespace: default +type: Warning +reason: PolicyViolation +action: Resource Passed +reportingComponent: kyverno-scan +message: 'policy podsecurity-subrule-restricted/restricted fail: Validation rule + ''restricted'' failed. It violates PodSecurity "restricted:latest": (Forbidden + reason: unrestricted capabilities, field error list: [spec.containers[0].securityContext.capabilities.drop: + Required value])' diff --git a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy-assert.yaml b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy-assert.yaml new file mode 100644 index 000000000000..745e0ae3aafc --- /dev/null 
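Review bot: The `message` asserted in `event-assert.yaml` is far shorter than 1024 characters, so this test, despite its directory name, does not appear to exercise the truncation that the commit moves into `emitEvent`; the pod in `resource.yaml` only omits `capabilities.drop`, which yields a single short violation. With `pkg/event/events_test.go` deleted in the same commit, the 1024 limit is left without any check. A pod that violates enough `restricted` controls to overflow the limit, with the asserted message ending in `...`, would cover it. The pairing of `reason: PolicyViolation` with `action: Resource Passed` also looks inconsistent and is worth confirming.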
+++ b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: podsecurity-subrule-restricted +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml new file mode 100644 index 000000000000..3d6ea0ae684f --- /dev/null +++ b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml @@ -0,0 +1,18 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: podsecurity-subrule-restricted +spec: + background: true + validationFailureAction: Audit + rules: + - name: restricted + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: restricted + version: latest diff --git a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/resource.yaml b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/resource.yaml new file mode 100644 index 000000000000..00ac4d55756d --- /dev/null +++ b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/resource.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 + namespace: default +spec: + containers: + - name: container01 + image: dummyimagename + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault \ No newline at end of file From 5ca0db58b6c90aa4bd94fce1d0b7d2be45579fdb Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jul 2024 09:13:41 +0000 Subject: [PATCH 04/44] chore(deps): bump actions/setup-python from 5.1.0 to 5.1.1 (#10647) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.0 to 5.1.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/82c7e631bb3cdc910f68e0081d67478d79c6982d...39cd14951b08e74b54015e9e001cdefcf80e669f) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/helm-release.yaml | 2 +- .github/workflows/helm-test.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index f28f2ff2e103..41b8c37245b8 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -25,7 +25,7 @@ jobs: - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 - - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: 3.7 - name: Set up chart-testing diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml index 4cb8a85f737e..a246d3bcd69d 100644 --- a/.github/workflows/helm-test.yaml +++ b/.github/workflows/helm-test.yaml @@ -33,7 +33,7 @@ jobs: uses: ./.github/actions/setup-build-env timeout-minutes: 10 - name: Setup python - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: 3.7 - name: Set up chart-testing 
From 66e9d16dbe9b4cff6a8fe739f95947d461a4a0de Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Jul 2024 10:15:07 +0000 Subject: [PATCH 05/44] chore(deps): bump github.com/alitto/pond from 1.9.0 to 1.9.1 (#10649) Bumps [github.com/alitto/pond](https://github.com/alitto/pond) from 1.9.0 to 1.9.1. - [Release notes](https://github.com/alitto/pond/releases) - [Commits](https://github.com/alitto/pond/compare/v1.9.0...v1.9.1) --- updated-dependencies: - dependency-name: github.com/alitto/pond dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5cc53535799b..26b8fecdc80b 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d github.com/IGLOU-EU/go-wildcard v1.0.3 github.com/Masterminds/sprig/v3 v3.2.3 - github.com/alitto/pond v1.9.0 + github.com/alitto/pond v1.9.1 github.com/aquilax/truncate v1.0.0 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240525144225-0fe7eafab216 diff --git a/go.sum b/go.sum index c77def66cbe4..e3b29a731ec2 100644 --- a/go.sum +++ b/go.sum 
@@ -135,8 +135,8 @@ github.com/alibabacloud-go/tea-utils v1.4.5/go.mod h1:KNcT0oXlZZxOXINnZBs6YvgOd5 github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8= github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0= github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8= -github.com/alitto/pond v1.9.0 h1:B8BrvXyKe97NK9LHuRsQAOmpRnsp6GJ7mCg1Cgitczo= -github.com/alitto/pond v1.9.0/go.mod h1:xQn3P/sHTYcU/1BR3i86IGIrilcrGC2LiS+E2+CJWsI= +github.com/alitto/pond v1.9.1 h1:OfCpIrMyrWJpn34f647DcFmUxjK8+7Nu3eoVN/WTP+o= +github.com/alitto/pond v1.9.1/go.mod h1:xQn3P/sHTYcU/1BR3i86IGIrilcrGC2LiS+E2+CJWsI= github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw= github.com/aliyun/credentials-go v1.3.4 h1:X5nse+8s7ft00ANpoG3+bFJIqZVpjHbOg7G9gWQshVY= github.com/aliyun/credentials-go v1.3.4/go.mod h1:1LxUuX7L5YrZUWzBrRyk0SwSdH4OmPrib8NVePL3fxM= From 3fbb5923fa5dbca364249dc06352c342915a687f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jul 2024 05:33:53 +0000 Subject: [PATCH 06/44] chore(deps): bump sigstore/scaffolding from 0.7.3 to 0.7.4 (#10646) Bumps [sigstore/scaffolding](https://github.com/sigstore/scaffolding) from 0.7.3 to 0.7.4. - [Release notes](https://github.com/sigstore/scaffolding/releases) - [Changelog](https://github.com/sigstore/scaffolding/blob/main/release.md) - [Commits](https://github.com/sigstore/scaffolding/compare/bfc40f4d3aa430f28cec9c68b628df983601810e...26f31cb72ca848bb0273fcbd7a4ebf187ec4d711) --- updated-dependencies: - dependency-name: sigstore/scaffolding dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/conformance.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index f8055be01d99..2a26feaac5a9 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -646,7 +646,7 @@ jobs: uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster and setup Sigstore Scaffolding - uses: sigstore/scaffolding/actions/setup@bfc40f4d3aa430f28cec9c68b628df983601810e + uses: sigstore/scaffolding/actions/setup@26f31cb72ca848bb0273fcbd7a4ebf187ec4d711 with: version: main k8s-version: ${{ matrix.k8s-version.version }} From 484e9aab3e9e2bf53ec939f373a625f5fc799049 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Jul 2024 08:42:47 +0000 Subject: [PATCH 07/44] chore(deps): bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 (#10631) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.23.0 to 0.24.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/7c2007bcb556501da015201bcba5aa14069b74e2...6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/devcontainer-build.yaml | 2 +- .github/workflows/images-build.yaml | 2 +- .github/workflows/images-publish.yaml | 2 +- .github/workflows/release.yaml | 2 +- .github/workflows/report-on-vulnerabilities.yaml | 6 +++--- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/devcontainer-build.yaml b/.github/workflows/devcontainer-build.yaml index fb9090ba9db3..064c2bba4fd6 100644 --- a/.github/workflows/devcontainer-build.yaml +++ b/.github/workflows/devcontainer-build.yaml @@ -23,7 +23,7 @@ jobs: - name: Build devcontainer image run: docker build .devcontainer - name: Trivy Scan Image - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0 + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 with: scan-type: 'fs' ignore-unfixed: true diff --git a/.github/workflows/images-build.yaml b/.github/workflows/images-build.yaml index 3b6f0dfcf46b..90b6b5e45e57 100644 --- a/.github/workflows/images-build.yaml +++ b/.github/workflows/images-build.yaml @@ -31,7 +31,7 @@ jobs: - name: ko build run: VERSION=${{ github.ref_name }} make ko-build-all - name: Trivy Scan Image - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0 + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 with: scan-type: 'fs' ignore-unfixed: true diff --git a/.github/workflows/images-publish.yaml b/.github/workflows/images-publish.yaml index 4801aa79c681..3bd54fd9be09 100644 --- a/.github/workflows/images-publish.yaml +++ b/.github/workflows/images-publish.yaml 
@@ -40,7 +40,7 @@ jobs: uses: ./.github/actions/setup-build-env timeout-minutes: 30 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0 + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 with: scan-type: 'fs' ignore-unfixed: true diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8effe82e8aca..d5b95d21118e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -35,7 +35,7 @@ jobs: uses: ./.github/actions/setup-build-env timeout-minutes: 30 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0 + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 with: scan-type: 'fs' ignore-unfixed: true diff --git a/.github/workflows/report-on-vulnerabilities.yaml b/.github/workflows/report-on-vulnerabilities.yaml index f0d0685ac841..aec28c50230d 100644 --- a/.github/workflows/report-on-vulnerabilities.yaml +++ b/.github/workflows/report-on-vulnerabilities.yaml @@ -30,7 +30,7 @@ jobs: echo "releasebranch2=$releasebranch2" >> $GITHUB_OUTPUT - name: Scan for vulnerabilities in latest image - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.8.0 (Trivy v0.34.0) + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.8.0 (Trivy v0.34.0) with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest @@ -40,7 +40,7 @@ jobs: output: scan1.json - name: Scan for vulnerabilities in latest-1 image - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.8.0 (Trivy v0.34.0) + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.8.0 (Trivy v0.34.0) with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch1 }} format: json 
@@ -49,7 +49,7 @@ jobs: output: scan2.json - name: Scan for vulnerabilities in latest-2 image - uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.8.0 (Trivy v0.34.0) + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.8.0 (Trivy v0.34.0) with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch2 }} format: json From 35494bd8bb36159218d8217f584958bdcc415e3b Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Tue, 16 Jul 2024 15:14:47 +0300 Subject: [PATCH 08/44] feat add chainsaw tests for pod security and exceptions (#10664) * feat add chainsaw tests for pod security and exceptions Signed-off-by: Mariam Fahmy * fix: enable ProcMountType in the kind config Signed-off-by: Mariam Fahmy --------- 
Signed-off-by: Mariam Fahmy --- go.mod | 2 +- go.sum | 4 +- pkg/pss/evaluate_test.go | 2 +- scripts/config/kind/default.yaml | 1 + .../exceptions/psa-run-as-non-root/README.md | 32 +++++++++++++++ .../psa-run-as-non-root/bad-pod-01.yaml | 39 ++++++++++++++++++ .../psa-run-as-non-root/bad-pod-02.yaml | 38 ++++++++++++++++++ .../psa-run-as-non-root/chainsaw-test.yaml | 35 ++++++++++++++++ .../psa-run-as-non-root/exception.yaml | 21 ++++++++++ .../psa-run-as-non-root/good-pod.yaml | 40 +++++++++++++++++++ .../psa-run-as-non-root/policy-assert.yaml | 9 +++++ .../psa-run-as-non-root/policy.yaml | 31 ++++++++++++++ .../cornercases/psa-run-as-non-root/README.md | 30 ++++++++++++++ .../psa-run-as-non-root/bad-pod-01.yaml | 39 ++++++++++++++++++ .../psa-run-as-non-root/bad-pod-02.yaml | 38 ++++++++++++++++++ .../psa-run-as-non-root/chainsaw-test.yaml | 32 +++++++++++++++ .../psa-run-as-non-root/good-pod.yaml | 40 +++++++++++++++++++ .../psa-run-as-non-root/policy-assert.yaml | 9 +++++ .../psa-run-as-non-root/policy.yaml | 31 ++++++++++++++ 19 files changed, 469 insertions(+), 4 deletions(-) create mode 100644 test/conformance/chainsaw/exceptions/psa-run-as-non-root/README.md create mode 100644 test/conformance/chainsaw/exceptions/psa-run-as-non-root/bad-pod-01.yaml create mode 100644 test/conformance/chainsaw/exceptions/psa-run-as-non-root/bad-pod-02.yaml create mode 100755 test/conformance/chainsaw/exceptions/psa-run-as-non-root/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/psa-run-as-non-root/exception.yaml create mode 100644 test/conformance/chainsaw/exceptions/psa-run-as-non-root/good-pod.yaml create mode 100644 test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/README.md create mode 100644 
test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/bad-pod-01.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/bad-pod-02.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/good-pod.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml diff --git a/go.mod b/go.mod index 26b8fecdc80b..3a3a627acb4a 100644 --- a/go.mod +++ b/go.mod @@ -390,5 +390,5 @@ replace ( github.com/prometheus/client_golang v1.19.0 => github.com/prometheus/client_golang v1.18.0 github.com/prometheus/common v0.48.0 => github.com/prometheus/common v0.44.0 github.com/sigstore/cosign/v2 v2.2.4 => github.com/kyverno/cosign/v2 v2.2.4-deps-fix - k8s.io/pod-security-admission v0.30.1 => github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240603173423-11663473ae49 + k8s.io/pod-security-admission v0.30.1 => github.com/kyverno/pod-security-admission v0.0.0-20240715131510-7fb54a8d376d ) diff --git a/go.sum b/go.sum index e3b29a731ec2..9691f54b1a1e 100644 --- a/go.sum +++ b/go.sum 
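Review bot: The `replace` for `k8s.io/pod-security-admission` now targets `github.com/kyverno/pod-security-admission` at a pseudo-version, and nothing next to the directive records why a fork is required or which upstream release it is based on. This module decides Pod Security verdicts, and the same commit flips an expectation in `pkg/pss/evaluate_test.go` from `allowed: true` to `allowed: false`, so the fork evidently changes enforcement. A comment above the line, for example `// fork of k8s.io/pod-security-admission, see <issue or PR link>; drop once the change is upstream`, would let reviewers audit the divergence. The `replace (` block starts outside the hunk.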
@@ -88,8 +88,6 @@ github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0k github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY+9ef8E= github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= -github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240603173423-11663473ae49 h1:dwYC6vA5cR+2YFeEasNoJGVj/NrsXCSIWww3qQxeQFY= -github.com/YTGhost/pod-security-admission v0.22.0-beta.0.0.20240603173423-11663473ae49/go.mod h1:wJpTzOGwDdTbVbIqwBuAX7io1eDQIuW/UfMaK5/Xzn0= github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0= @@ -613,6 +611,8 @@ github.com/kyverno/kyverno-json v0.0.3 h1:EImI/YV41dG4hDQer/W0qMZHfxqul1yiHrBEXx github.com/kyverno/kyverno-json v0.0.3/go.mod h1:KUgXPXwUh0Sm/UgtHPomZAfEX8v79I3B5RZbUlzNihg= github.com/kyverno/pkg/ext v0.0.0-20240418121121-df8add26c55c h1:lAolpR9H8BwM5lRRvgCQ8JowswyxZRH+fgtIQzHFVCk= github.com/kyverno/pkg/ext v0.0.0-20240418121121-df8add26c55c/go.mod h1:02vxM0GNXz9+B/i6+rMfWAIwibUuAH+qFsd73IFskgQ= +github.com/kyverno/pod-security-admission v0.0.0-20240715131510-7fb54a8d376d h1:JNgsQw8TtxEeGA3lkra0qMG+B4fMhUwZiMRdJ8NQah4= +github.com/kyverno/pod-security-admission v0.0.0-20240715131510-7fb54a8d376d/go.mod h1:wJpTzOGwDdTbVbIqwBuAX7io1eDQIuW/UfMaK5/Xzn0= github.com/lensesio/tableprinter v0.0.0-20201125135848-89e81fc956e7 h1:k/1ku0yehLCPqERCHkIHMDqDg1R02AcCScRuHbamU3s= github.com/lensesio/tableprinter v0.0.0-20201125135848-89e81fc956e7/go.mod h1:YR/zYthNdWfO8+0IOyHDcIDBBBS2JMnYUIwSsnwmRqU= github.com/letsencrypt/boulder v0.0.0-20240127020530-97a19b18d21e h1:7QjzPboPE+0pVMsZP1sz1mN26m6vew78YmcIZz1FMrg= 
diff --git a/pkg/pss/evaluate_test.go b/pkg/pss/evaluate_test.go
index f0d3770971e1..f2d266081029 100644
--- a/pkg/pss/evaluate_test.go
+++ b/pkg/pss/evaluate_test.go
@@ -7408,7 +7408,7 @@ var restricted_runAsNonRoot = []testCase{
 ]
 }
 }`),
- allowed: true,
+ allowed: false,
 },
 {
 name: "restricted_runAsNonRoot_defines_all_violate_spec_true_container_true_spec_level_allowed_positive",
diff --git a/scripts/config/kind/default.yaml b/scripts/config/kind/default.yaml
index 1e1322d51ec7..4a4d00cc2152 100644
--- a/scripts/config/kind/default.yaml
+++ b/scripts/config/kind/default.yaml
@@ -37,3 +37,4 @@ nodes:
 featureGates:
 "JobPodFailurePolicy": true
 "PodDisruptionConditions": true
+ "ProcMountType": true
diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/README.md b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/README.md
new file mode 100644
index 000000000000..4c1082aaed55
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/README.md
@@ -0,0 +1,32 @@
+## Description
+
+This test creates an exception for the init containers to set the `runAsNonRoot` to false
+
+## Expected Behavior
+
+1. Create a policy that applies the restricted profile.
+
+2. Create an exception for the init containters to set the `runAsNonRoot` to false.
+
+3. Create a pod with the following characteristics:
+ - The pod has an init container that sets the `runAsNonRoot` field to `false`.
+ - The pod has a container that doesn't set the `runAsNonRoot` field.
+
+ It is expected that the pod will be blocked with a message reporting the violation of the container. The init container is already excluded by the exception.
+
+3. Create a pod with the following characteristics:
+ - The pod has an init container that sets the `runAsNonRoot` field to `true`.
+ - The pod has a container that doesn't set the `runAsNonRoot` field.
+
+ It is expected that the pod will be blocked with a message reporting the violation of the container.
+
+4. Create a pod with the following characteristics:
+ - The pod has an init container that sets the `runAsNonRoot` field to `false`.
+ - The pod has a container that doesn't set the `runAsNonRoot` field.
+ - `runAsNonRoot` is set to `true` in the pod spec.
+
+ It is expected that the pod will be created successfully.
+
+## Reference Issue(s)
+
+#10581
diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/bad-pod-01.yaml b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/bad-pod-01.yaml
new file mode 100644
index 000000000000..b0029e12bf0a
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/bad-pod-01.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ run: test-pod
+ name: test-pod
+ namespace: default
+spec:
+ containers:
+ - image: nginx
+ name: test-pod
+ resources:
+ limits:
+ cpu: "2"
+ memory: 4Gi
+ requests:
+ cpu: 50m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - args:
+ - istio-iptables
+ env:
+ - name: TERMINATION_DRAIN_DURATION_SECONDS
+ value: "30"
+ image: some.registry/istio/proxyv2:1.18.7
+ imagePullPolicy: IfNotPresent
+ name: istio-init
+ resources:
+ limits:
+ cpu: "2"
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/bad-pod-02.yaml b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/bad-pod-02.yaml
new file mode 100644
index 000000000000..39cd3b611732
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/bad-pod-02.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ run: test-pod
+ name: test-pod
+spec:
+ containers:
+ - image: nginx
+ name: test-pod
+ resources:
+ limits:
+ cpu: "2"
+ memory: 4Gi
+ requests:
+ cpu: 50m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - args:
+ - istio-iptables
+ env:
+ - name: TERMINATION_DRAIN_DURATION_SECONDS
+ value: "30"
+ image: some.registry/istio/proxyv2:1.18.7
+ imagePullPolicy: IfNotPresent
+ name: istio-init
+ resources:
+ limits:
+ cpu: "2"
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/chainsaw-test.yaml
new file mode 100755
index 000000000000..72643d2ba74e
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/chainsaw-test.yaml
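Review bot: bad-pod-02.yaml has no `metadata.namespace`, while bad-pod-01.yaml sets `namespace: default` and policy.yaml matches Pods only under `namespaces: - default`. The test applies it with `kubectl apply -f bad-pod-02.yaml`, so the namespace the pod lands in depends on the kubectl context of the run, and the rejection the test expects is only guaranteed when that is `default`. I would add `namespace: default` under `metadata` here. The same applies to good-pod.yaml in this directory and to the copies under validate/clusterpolicy/cornercases; for good-pod.yaml it matters more, because if the test runner places it in another namespace the pod is admitted without the policy evaluating it and the step still passes.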
@@ -0,0 +1,35 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: psa-run-as-non-root
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: exception.yaml
+ - name: step-03
+ try:
+ - script:
+ content: kubectl apply -f bad-pod-01.yaml
+ check:
+ ($error != null): true
+ (contains($stderr, 'spec.containers[0].securityContext.runAsNonRoot')): true
+ - name: step-04
+ try:
+ - script:
+ content: kubectl apply -f bad-pod-02.yaml
+ check:
+ ($error != null): true
+ (contains($stderr, 'spec.containers[0].securityContext.runAsNonRoot')): true
+ - name: step-05
+ try:
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/exception.yaml b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/exception.yaml
new file mode 100644
index 000000000000..db84c0ff8975
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/exception.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2
+kind: PolicyException
+metadata:
+ name: pod-security-exception
+spec:
+ exceptions:
+ - policyName: psp-restricted-limited
+ ruleNames:
+ - restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ podSecurity:
+ - controlName: Running as Non-root
+ images:
+ - '*/istio/proxyv2*'
+ restrictedField: spec.initContainers[*].securityContext.runAsNonRoot
+ values:
+ - "false"
diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/good-pod.yaml b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/good-pod.yaml
new file mode 100644
index 000000000000..16161d43d43e
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/good-pod.yaml
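Review bot: step-03 never checks that the exception took effect, because its only content assertion is that stderr names `spec.containers[0].securityContext.runAsNonRoot`. The README says the init container is excluded by the exception, but the step passes just the same if the PolicyException is ignored and both violations are reported. I would add the negative check `(contains($stderr, 'spec.initContainers[0].securityContext.runAsNonRoot')): false` to step-03, which mirrors the positive check the cornercases test makes for the same pod without an exception.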
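Review bot: The `images` pattern `'*/istio/proxyv2*'` in exception.yaml is wider than the test needs, since it accepts the image path under any registry host while the fixtures only use `some.registry/istio/proxyv2:1.18.7`. Conformance fixtures tend to be copied as starting points, and an exception that relaxes `runAsNonRoot` for an image name from any registry is a loose template. I would pin the host, `- 'some.registry/istio/proxyv2*'`, and consider limiting `match` to the namespace the test uses.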
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ run: test-pod
+ name: test-pod
+spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - image: nginx
+ name: test-pod
+ resources:
+ limits:
+ cpu: "2"
+ memory: 4Gi
+ requests:
+ cpu: 50m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - args:
+ - istio-iptables
+ env:
+ - name: TERMINATION_DRAIN_DURATION_SECONDS
+ value: "30"
+ image: some.registry/istio/proxyv2:1.18.7
+ imagePullPolicy: IfNotPresent
+ name: istio-init
+ resources:
+ limits:
+ cpu: "2"
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy-assert.yaml b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy-assert.yaml
new file mode 100644
index 000000000000..e5855a5d4f9c
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psp-restricted-limited
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml
new file mode 100644
index 000000000000..a8140c18c8ae
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: psp-restricted-limited
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: restricted
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - default
+ validate:
+ podSecurity:
+ level: restricted
+ version: v1.29
+ exclude:
+ - controlName: Volume Types
+ - controlName: Seccomp
+ - controlName: Seccomp
+ images:
+ - '*'
+ - controlName: Capabilities
+ images:
+ - "*"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/README.md
new file mode 100644
index 000000000000..8ab7ec2d26c9
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/README.md
@@ -0,0 +1,30 @@
+## Description
+
+This test ensures that pods whose container don't set the `runAsNonRoot` field but init container sets the field to `false` are blocked by the `psa-run-as-non-root` policy with messages reporting both violations.
+
+## Expected Behavior
+
+1. Create a policy that applies the restricted profile.
+
+2. Create a pod with the following characteristics:
+ - The pod has an init container that sets the `runAsNonRoot` field to `false`.
+ - The pod has a container that doesn't set the `runAsNonRoot` field.
+
+ It is expected that the pod will be blocked with a message reporting both violations.
+
+3. Create a pod with the following characteristics:
+ - The pod has an init container that sets the `runAsNonRoot` field to `true`.
+ - The pod has a container that doesn't set the `runAsNonRoot` field.
+
+ It is expected that the pod will be blocked with a message reporting the violation of the container.
+
+4. Create a pod with the following characteristics:
+ - The pod has an init container that sets the `runAsNonRoot` field to `true`.
+ - The pod has a container that doesn't set the `runAsNonRoot` field.
+ - `runAsNonRoot` is set to `true` in the pod spec.
+
+ It is expected that the pod will be created successfully.
+
+## Reference Issue(s)
+
+#10581
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/bad-pod-01.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/bad-pod-01.yaml
new file mode 100644
index 000000000000..b0029e12bf0a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/bad-pod-01.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ run: test-pod
+ name: test-pod
+ namespace: default
+spec:
+ containers:
+ - image: nginx
+ name: test-pod
+ resources:
+ limits:
+ cpu: "2"
+ memory: 4Gi
+ requests:
+ cpu: 50m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - args:
+ - istio-iptables
+ env:
+ - name: TERMINATION_DRAIN_DURATION_SECONDS
+ value: "30"
+ image: some.registry/istio/proxyv2:1.18.7
+ imagePullPolicy: IfNotPresent
+ name: istio-init
+ resources:
+ limits:
+ cpu: "2"
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/bad-pod-02.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/bad-pod-02.yaml
new file mode 100644
index 000000000000..39cd3b611732
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/bad-pod-02.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ run: test-pod
+ name: test-pod
+spec:
+ containers:
+ - image: nginx
+ name: test-pod
+ resources:
+ limits:
+ cpu: "2"
+ memory: 4Gi
+ requests:
+ cpu: 50m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - args:
+ - istio-iptables
+ env:
+ - name: TERMINATION_DRAIN_DURATION_SECONDS
+ value: "30"
+ image: some.registry/istio/proxyv2:1.18.7
+ imagePullPolicy: IfNotPresent
+ name: istio-init
+ resources:
+ limits:
+ cpu: "2"
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/chainsaw-test.yaml
new file mode 100755
index 000000000000..f93bf46a26c7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: psa-run-as-non-root
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - script:
+ content: kubectl apply -f bad-pod-01.yaml
+ check:
+ ($error != null): true
+ (contains($stderr, 'spec.initContainers[0].securityContext.runAsNonRoot')): true
+ (contains($stderr, 'spec.containers[0].securityContext.runAsNonRoot')): true
+ - name: step-03
+ try:
+ - script:
+ content: kubectl apply -f bad-pod-02.yaml
+ check:
+ ($error != null): true
+ (contains($stderr, 'spec.containers[0].securityContext.runAsNonRoot')): true
+ - name: step-04
+ try:
+ - apply:
+ file: good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/good-pod.yaml
new file mode 100644
index 000000000000..7a831200a093
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/good-pod.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ run: test-pod
+ name: test-pod
+spec:
+ securityContext:
+ runAsNonRoot: true
+ containers:
+ - image: nginx
+ name: test-pod
+ resources:
+ limits:
+ cpu: "2"
+ memory: 4Gi
+ requests:
+ cpu: 50m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - args:
+ - istio-iptables
+ env:
+ - name: TERMINATION_DRAIN_DURATION_SECONDS
+ value: "30"
+ image: some.registry/istio/proxyv2:1.18.7
+ imagePullPolicy: IfNotPresent
+ name: istio-init
+ resources:
+ limits:
+ cpu: "2"
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy-assert.yaml new file mode 100644 index 000000000000..e5855a5d4f9c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: psp-restricted-limited +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml new file mode 100644 index 000000000000..a8140c18c8ae --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: psp-restricted-limited + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + background: true + validationFailureAction: Enforce + rules: + - name: restricted + match: + any: + - resources: + kinds: + - Pod + namespaces: + - default + validate: + podSecurity: + level: restricted + version: v1.29 + exclude: + - controlName: Volume Types + - controlName: Seccomp + - controlName: Seccomp + images: + - '*' + - controlName: Capabilities + images: + - "*" From b0cef72df12c9de2312c4d59ec8bbbb9094d26a7 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Tue, 16 Jul 2024 18:06:58 +0300 Subject: [PATCH 09/44] feat: support exclude block in generating VAPs (#10215) 
Signed-off-by: Mariam Fahmy --- pkg/validatingadmissionpolicy/builder.go | 116 ++++++++++++---- .../kyvernopolicy_checker.go | 130 ++++++++++++------ .../kyvernopolicy_checker_test.go | 2 +- .../chainsaw-test.yaml | 19 +++ .../policy-assert.yaml | 10 ++ .../policy.yaml | 8 +- .../validatingadmissionpolicy.yaml | 41 ++++++ .../validatingadmissionpolicybinding.yaml | 15 ++ .../chainsaw-test.yaml | 19 +++ .../policy-assert.yaml | 10 ++ .../policy.yaml | 35 +++++ .../validatingadmissionpolicy.yaml | 43 ++++++ .../validatingadmissionpolicybinding.yaml | 15 ++ .../chainsaw-test.yaml | 19 +++ .../policy-assert.yaml | 10 ++ .../policy.yaml | 35 +++++ .../validatingadmissionpolicy.yaml | 43 ++++++ .../validatingadmissionpolicybinding.yaml | 15 ++ .../chainsaw-test.yaml | 19 +++ .../policy-assert.yaml | 10 ++ .../cpol-any-exclude-resource/policy.yaml | 35 +++++ .../validatingadmissionpolicy.yaml | 43 ++++++ .../validatingadmissionpolicybinding.yaml | 15 ++ .../chainsaw-test.yaml | 19 +++ .../policy-assert.yaml | 10 ++ .../cpol-match-all-exclude-one/policy.yaml | 30 ++++ .../validatingadmissionpolicy.yaml | 41 ++++++ .../validatingadmissionpolicybinding.yaml | 15 ++ .../chainsaw-test.yaml | 19 +++ .../policy-assert.yaml | 12 ++ .../policy.yaml | 33 +++++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + .../chainsaw-test.yaml | 19 +++ .../policy-assert.yaml | 0 .../policy.yaml | 36 +++++ .../validatingadmissionpolicy.yaml | 0 .../validatingadmissionpolicybinding.yaml | 0 .../chainsaw-test.yaml | 2 +- .../policy-assert.yaml | 0 .../policy.yaml | 7 +- .../validatingadmissionpolicy.yaml | 0 .../validatingadmissionpolicybinding.yaml | 0 .../chainsaw-test.yaml | 2 +- .../policy-assert.yaml | 12 ++ .../cpol-exclude-user-and-roles/policy.yaml | 25 ++++ .../validatingadmissionpolicy.yaml | 7 + .../validatingadmissionpolicybinding.yaml | 7 + 48 files changed, 939 insertions(+), 78 deletions(-) create mode 100755 
test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy-assert.yaml rename test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/{skip-generate/cpol-exclude => generate/cpol-any-exclude-namespace-match-resource}/policy.yaml (83%) create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicybinding.yaml create mode 100755 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicybinding.yaml create mode 100755 
test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicybinding.yaml create mode 100755 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicybinding.yaml create mode 100755 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/chainsaw-test.yaml create mode 100644 
test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicybinding.yaml create mode 100755 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicybinding.yaml create mode 100755 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/chainsaw-test.yaml rename test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/{cpol-exclude => cpol-exclude-resources-with-namespace-selector}/policy-assert.yaml (100%) create mode 100644 
test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml rename test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/{cpol-exclude => cpol-exclude-resources-with-namespace-selector}/validatingadmissionpolicy.yaml (100%) rename test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/{cpol-exclude => cpol-exclude-resources-with-namespace-selector}/validatingadmissionpolicybinding.yaml (100%) rename test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/{cpol-exclude => cpol-exclude-resources-with-object-selector}/chainsaw-test.yaml (87%) rename test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/{cpol-exclude-namespace => cpol-exclude-resources-with-object-selector}/policy-assert.yaml (100%) rename test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/{cpol-exclude-namespace => cpol-exclude-resources-with-object-selector}/policy.yaml (77%) rename test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/{cpol-exclude-namespace => cpol-exclude-resources-with-object-selector}/validatingadmissionpolicy.yaml (100%) rename test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/{cpol-exclude-namespace => cpol-exclude-resources-with-object-selector}/validatingadmissionpolicybinding.yaml (100%) rename test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/{cpol-exclude-namespace => cpol-exclude-user-and-roles}/chainsaw-test.yaml (91%) create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy-assert.yaml create mode 100644 
test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicy.yaml create mode 100644 test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicybinding.yaml diff --git a/pkg/validatingadmissionpolicy/builder.go b/pkg/validatingadmissionpolicy/builder.go index 9a1619680929..8ae2e5b4c4c1 100644 --- a/pkg/validatingadmissionpolicy/builder.go +++ b/pkg/validatingadmissionpolicy/builder.go @@ -14,7 +14,11 @@ import ( ) // BuildValidatingAdmissionPolicy is used to build a Kubernetes ValidatingAdmissionPolicy from a Kyverno policy -func BuildValidatingAdmissionPolicy(discoveryClient dclient.IDiscovery, vap *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, cpol kyvernov1.PolicyInterface) error { +func BuildValidatingAdmissionPolicy( + discoveryClient dclient.IDiscovery, + vap *admissionregistrationv1alpha1.ValidatingAdmissionPolicy, + cpol kyvernov1.PolicyInterface, +) error { // set owner reference vap.OwnerReferences = []metav1.OwnerReference{ { 
@@ -25,30 +29,51 @@ func BuildValidatingAdmissionPolicy(discoveryClient dclient.IDiscovery, vap *adm }, } - // construct validating admission policy resource rules + // construct the rules var matchResources admissionregistrationv1alpha1.MatchResources - var matchRules []admissionregistrationv1alpha1.NamedRuleWithOperations + var matchRules, excludeRules []admissionregistrationv1alpha1.NamedRuleWithOperations rule := cpol.GetSpec().Rules[0] + + // convert the match block match := rule.MatchResources if !match.ResourceDescription.IsEmpty() { - if err := translateResource(discoveryClient, &matchResources, &matchRules, match.ResourceDescription); err != nil { + if err := translateResource(discoveryClient, &matchResources, &matchRules, match.ResourceDescription, true); err != nil { return err } } if match.Any != nil { - if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.Any); err != nil { + if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.Any, true); err != nil { return err } } if match.All != nil { - if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.All); err != nil { + if err := translateResourceFilters(discoveryClient, &matchResources, &matchRules, match.All, true); err != nil { + return err + } + } + + // convert the exclude block + exclude := rule.ExcludeResources + if !exclude.ResourceDescription.IsEmpty() { + if err := translateResource(discoveryClient, &matchResources, &excludeRules, exclude.ResourceDescription, false); err != nil { + return err + } + } + + if exclude.Any != nil { + if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, exclude.Any, false); err != nil { + return err + } + } + if exclude.All != nil { + if err := translateResourceFilters(discoveryClient, &matchResources, &excludeRules, exclude.All, false); err != nil { return err } } - // set validating admission policy spec + // set policy spec vap.Spec = 
admissionregistrationv1alpha1.ValidatingAdmissionPolicySpec{ MatchConstraints: &matchResources, ParamKind: rule.Validation.CEL.ParamKind, @@ -64,7 +89,10 @@ func BuildValidatingAdmissionPolicy(discoveryClient dclient.IDiscovery, vap *adm } // BuildValidatingAdmissionPolicyBinding is used to build a Kubernetes ValidatingAdmissionPolicyBinding from a Kyverno policy -func BuildValidatingAdmissionPolicyBinding(vapbinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, cpol kyvernov1.PolicyInterface) error { +func BuildValidatingAdmissionPolicyBinding( + vapbinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, + cpol kyvernov1.PolicyInterface, +) error { // set owner reference vapbinding.OwnerReferences = []metav1.OwnerReference{ { @@ -98,9 +126,14 @@ func BuildValidatingAdmissionPolicyBinding(vapbinding *admissionregistrationv1al return nil } -func translateResourceFilters(discoveryClient dclient.IDiscovery, matchResources *admissionregistrationv1alpha1.MatchResources, rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations, resFilters kyvernov1.ResourceFilters) error { +func translateResourceFilters(discoveryClient dclient.IDiscovery, + matchResources *admissionregistrationv1alpha1.MatchResources, + rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations, + resFilters kyvernov1.ResourceFilters, + isMatch bool, +) error { for _, filter := range resFilters { - err := translateResource(discoveryClient, matchResources, rules, filter.ResourceDescription) + err := translateResource(discoveryClient, matchResources, rules, filter.ResourceDescription, isMatch) if err != nil { return err } 
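Review bot: The new exclude conversion treats `exclude.Any` and `exclude.All` identically, appending every filter to `excludeRules`, and the entries of `ExcludeResourceRules` are alternatives, so a request matching any one of them skips the policy. For an `all` list with more than one entry that would exempt more objects than the Kyverno rule does, which is the fail-open direction for an admission control. The visible part of CanGenerateVAP rejects `len(exclude.All) > 1`, but nothing in BuildValidatingAdmissionPolicy enforces that it ran first. I would state the precondition in the doc comment, e.g. `// Callers must first confirm CanGenerateVAP(spec) returns true; match and exclude blocks are not re-validated here.` The function starts in the previous hunk and its body continues past this one.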
@@ -108,32 +141,47 @@ func translateResourceFilters(discoveryClient dclient.IDiscovery, matchResources return nil } -func translateResource(discoveryClient dclient.IDiscovery, matchResources *admissionregistrationv1alpha1.MatchResources, rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations, res kyvernov1.ResourceDescription) error { - err := constructValidatingAdmissionPolicyRules(discoveryClient, rules, res) +func translateResource( + discoveryClient dclient.IDiscovery, + matchResources *admissionregistrationv1alpha1.MatchResources, + rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations, + res kyvernov1.ResourceDescription, + isMatch bool, +) error { + err := constructValidatingAdmissionPolicyRules(discoveryClient, rules, res, isMatch) if err != nil { return err } - matchResources.ResourceRules = *rules - if len(res.Namespaces) > 0 { - namespaceSelector := &metav1.LabelSelector{ - MatchExpressions: []metav1.LabelSelectorRequirement{ - { - Key: "kubernetes.io/metadata.name", - Operator: "In", - Values: res.Namespaces, + if isMatch { + matchResources.ResourceRules = *rules + if len(res.Namespaces) > 0 { + namespaceSelector := &metav1.LabelSelector{ + MatchExpressions: []metav1.LabelSelectorRequirement{ + { + Key: "kubernetes.io/metadata.name", + Operator: "In", + Values: res.Namespaces, + }, }, - }, + } + matchResources.NamespaceSelector = namespaceSelector + } else { + matchResources.NamespaceSelector = res.NamespaceSelector } - matchResources.NamespaceSelector = namespaceSelector + matchResources.ObjectSelector = res.Selector } else { - matchResources.NamespaceSelector = res.NamespaceSelector + matchResources.ExcludeResourceRules = *rules } - matchResources.ObjectSelector = res.Selector return nil } -func constructValidatingAdmissionPolicyRules(discoveryClient dclient.IDiscovery, rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations, res kyvernov1.ResourceDescription) error { +func constructValidatingAdmissionPolicyRules( + 
discoveryClient dclient.IDiscovery, + rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations, + res kyvernov1.ResourceDescription, + isMatch bool, +) error { // translate operations to their corresponding values in validating admission policy. ops := translateOperations(res.GetOperations()) @@ -191,6 +239,22 @@ func constructValidatingAdmissionPolicyRules(discoveryClient dclient.IDiscovery, } } } + + // if exclude block has namespaces but no kinds, we need to add a rule for the namespaces + if !isMatch && len(res.Namespaces) > 0 && len(res.Kinds) == 0 { + r := admissionregistrationv1alpha1.NamedRuleWithOperations{ + ResourceNames: res.Namespaces, + RuleWithOperations: admissionregistrationv1.RuleWithOperations{ + Rule: admissionregistrationv1.Rule{ + Resources: []string{"namespaces"}, + APIGroups: []string{""}, + APIVersions: []string{"v1"}, + }, + Operations: ops, + }, + } + *rules = append(*rules, r) + } return nil } @@ -227,7 +291,7 @@ func translateOperations(operations []string) []admissionregistrationv1.Operatio } } - // set default values for operations since it's a required field in validating admission policies + // set default values for operations since it's a required field in ValidatingAdmissionPolicies if len(vapOperations) == 0 { vapOperations = append(vapOperations, admissionregistrationv1.Create) vapOperations = append(vapOperations, admissionregistrationv1.Update) diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go index 4d482c34ce0c..cbaa38eb3bbd 100644 --- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go +++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go 
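Review bot: The `else` branch of translateResource keeps only the rules and silently drops `res.Namespaces`, `res.NamespaceSelector` and `res.Selector` of an exclude description. An exclusion that the policy author scoped to one namespace or to labelled objects would therefore become an exclusion of those kinds everywhere if such a description reached this code, widening who bypasses the policy. This presumably relies on checkResources(…, false) in CanGenerateVAP rejecting those shapes, which is not visible here. A guard in the branch would make the builder safe on its own, e.g. `if res.NamespaceSelector != nil || res.Selector != nil || (len(res.Namespaces) > 0 && len(res.Kinds) > 0) { return errors.New("exclude block cannot be expressed as ExcludeResourceRules") }`; whether `errors` is already imported in builder.go is not shown in the diff.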
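Review bot: The rule appended for a namespaces-only exclude block targets the `namespaces` resource with `ResourceNames: res.Namespaces`, so it exempts the Namespace objects with those names, not the objects that live inside them. If the Kyverno `exclude.namespaces` field is meant to exempt workloads in those namespaces, the generated ValidatingAdmissionPolicy will still evaluate them and behave differently from the source policy. `ResourceNames` is also matched literally, so a wildcard entry in `res.Namespaces` would not match anything. The comment should say which meaning is intended, for example `// excludes the Namespace objects named in res.Namespaces; objects inside those namespaces are still matched`. The enclosing function starts outside this hunk.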
@@ -8,14 +8,12 @@ import ( // CanGenerateVAP check if Kyverno policy can be translated to a Kubernetes ValidatingAdmissionPolicy func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) { var msg string - if len(spec.Rules) > 1 { - msg = "skip generating ValidatingAdmissionPolicy: multiple rules are not applicable." + if ok, msg := checkRuleCount(spec); !ok { return false, msg } rule := spec.Rules[0] - if !rule.HasValidateCEL() { - msg = "skip generating ValidatingAdmissionPolicy for non CEL rules." + if ok, msg := checkRuleType(rule); !ok { return false, msg } 
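Review bot: `rule := spec.Rules[0]` is still reached when `spec.Rules` is empty, because checkRuleCount (added further down in this patch) only rejects `len(spec.Rules) > 1`; an empty slice would index out of range and panic. Admission validation may already guarantee at least one rule, but nothing in this hunk shows it. Since the check is being factored out anyway, I would have it reject anything other than exactly one rule, e.g. `if len(spec.Rules) != 1 {` with a message that covers both cases. CanGenerateVAP continues past the end of this hunk.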
@@ -32,65 +30,74 @@ func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) { // check the matched/excluded resources of the CEL rule. match, exclude := rule.MatchResources, rule.ExcludeResources - if !exclude.UserInfo.IsEmpty() || !exclude.ResourceDescription.IsEmpty() || exclude.All != nil || exclude.Any != nil { - msg = "skip generating ValidatingAdmissionPolicy: Exclude is not applicable." + if ok, msg := checkUserInfo(match.UserInfo); !ok { return false, msg } - if ok, msg := checkUserInfo(match.UserInfo); !ok { + if ok, msg := checkUserInfo(exclude.UserInfo); !ok { return false, msg } - if ok, msg := checkResources(match.ResourceDescription); !ok { + + if ok, msg := checkResources(match.ResourceDescription, true); !ok { + return false, msg + } + if ok, msg := checkResources(exclude.ResourceDescription, false); !ok { return false, msg } - var ( - containsNamespaceSelector = false - containsObjectSelector = false - ) + if ok, msg := checkResourceFilter(match.Any, true); !ok { + return false, msg + } - // since 'any' specify resources which will be ORed, it can be converted into multiple NamedRuleWithOperations in ValidatingAdmissionPolicy - for _, value := range match.Any { - if ok, msg := checkUserInfo(value.UserInfo); !ok { - return false, msg - } - if ok, msg := checkResources(value.ResourceDescription); !ok { - return false, msg - } + if len(match.All) > 1 { + msg = "skip generating ValidatingAdmissionPolicy: multiple 'all' in the match block is not applicable." + return false, msg + } + if ok, msg := checkResourceFilter(match.All, true); !ok { + return false, msg + } - if value.NamespaceSelector != nil { - containsNamespaceSelector = true - } - if value.Selector != nil { - containsObjectSelector = true - } + if ok, msg := checkResourceFilter(exclude.Any, false); !ok { + return false, msg + } + + if len(exclude.All) > 1 { + msg = "skip generating ValidatingAdmissionPolicy: multiple 'all' in the exclude block is not applicable." 
+ return false, msg } - // since namespace/object selectors are applied to all NamedRuleWithOperations in ValidatingAdmissionPolicy, then - // we can't have more than one resource with namespace/object selectors. - if len(match.Any) > 1 && (containsNamespaceSelector || containsObjectSelector) { - msg = "skip generating ValidatingAdmissionPolicy: NamespaceSelector / ObjectSelector across multiple resources are not applicable." + if ok, msg := checkResourceFilter(exclude.All, false); !ok { return false, msg } - // since 'all' specify resources which will be ANDed, we can't have more than one resource. - if match.All != nil { - if len(match.All) > 1 { - msg = "skip generating ValidatingAdmissionPolicy: multiple 'all' is not applicable." - return false, msg - } else { - if ok, msg := checkUserInfo(match.All[0].UserInfo); !ok { - return false, msg - } - if ok, msg := checkResources(match.All[0].ResourceDescription); !ok { - return false, msg - } - } + return true, msg +} + +func checkRuleCount(spec *kyvernov1.Spec) (bool, string) { + var msg string + if len(spec.Rules) > 1 { + msg = "skip generating ValidatingAdmissionPolicy: multiple rules are not applicable." + return false, msg } + return true, msg +} +func checkRuleType(rule kyvernov1.Rule) (bool, string) { + var msg string + if !rule.HasValidateCEL() { + msg = "skip generating ValidatingAdmissionPolicy for non CEL rules." + return false, msg + } return true, msg } -func checkResources(resource kyvernov1.ResourceDescription) (bool, string) { +func checkResources(resource kyvernov1.ResourceDescription, isMatch bool) (bool, string) { var msg string + if !isMatch { + if len(resource.Kinds) != 0 && len(resource.Namespaces) != 0 { + msg = "skip generating ValidatingAdmissionPolicy: excluding a resource within a namespace is not applicable." + return false, msg + } + } + if len(resource.Annotations) != 0 { msg = "skip generating ValidatingAdmissionPolicy: Annotations in resource description is not applicable." 
return false, msg @@ -122,3 +129,38 @@ func checkUserInfo(info kyvernov1.UserInfo) (bool, string) { } return true, msg } + +func checkResourceFilter(resFilters kyvernov1.ResourceFilters, isMatch bool) (bool, string) { + var msg string + containsNamespaceSelector := false + containsObjectSelector := false + + for _, value := range resFilters { + if ok, msg := checkUserInfo(value.UserInfo); !ok { + return false, msg + } + if ok, msg := checkResources(value.ResourceDescription, isMatch); !ok { + return false, msg + } + + if value.NamespaceSelector != nil { + containsNamespaceSelector = true + } + if value.Selector != nil { + containsObjectSelector = true + } + } + + if !isMatch { + if containsNamespaceSelector || containsObjectSelector { + msg = "skip generating ValidatingAdmissionPolicy: NamespaceSelector / ObjectSelector in the exclude block is not applicable." + return false, msg + } + } else { + if len(resFilters) > 1 && (containsNamespaceSelector || containsObjectSelector) { + return false, "skip generating ValidatingAdmissionPolicy: NamespaceSelector / ObjectSelector across multiple resources in the match block are not applicable." + } + } + + return true, msg +} diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go index 6b1c63c7c53d..b024fdae18a9 100644 --- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go +++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go @@ -131,7 +131,7 @@ func Test_Check_Resources(t *testing.T) { var res kyvernov1.ResourceDescription err := json.Unmarshal(test.resource, &res) assert.NilError(t, err) - out, _ := checkResources(res) + out, _ := checkResources(res, true) assert.Equal(t, out, test.expected) }) } 
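Review bot: The multi-entry guard in checkResourceFilter looks at `value.NamespaceSelector` and `value.Selector` but not at `value.Namespaces`, although translateResource (first hunk of this patch) turns a non-empty `res.Namespaces` into `matchResources.NamespaceSelector` and otherwise overwrites it with `res.NamespaceSelector`. With two `match.any` entries where only one lists namespaces, the last entry translated decides the selector for every rule, so the generated policy can cover a different set of namespaces than the Kyverno rule, assuming translateResource runs once per entry. Counting listed namespaces as a selector in the match case closes the gap: `if isMatch && len(value.Namespaces) > 0 { containsNamespaceSelector = true }` inside the loop.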
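Review bot: Test_Check_Resources now passes `true` for every case, so the new exclude-only rule in checkResources (kinds together with namespaces) and the whole of checkResourceFilter have no unit coverage in this patch; only the chainsaw fixtures exercise them. Adding an `isMatch` field to the test table and a case with kinds plus namespaces and `isMatch: false` expecting `false` would pin the behaviour the translator depends on. The test table itself is outside this hunk.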
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/chainsaw-test.yaml
new file mode 100755
index 000000000000..893004702550
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-any-exclude-namespace-match-resource
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: validatingadmissionpolicy.yaml
+ - assert:
+ file: validatingadmissionpolicybinding.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy-assert.yaml
new file mode 100644
index 000000000000..9fa3bfcebca3
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-path-t16
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml similarity index 83% rename from test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy.yaml rename to test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml index 4fc7d33ef698..3d20b85f7968 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-host-path-t10 + name: disallow-host-path-t16 spec: validationFailureAction: Audit background: false @@ -17,8 +17,10 @@ spec: - UPDATE exclude: any: - - clusterRoles: - - cluster-admin + - resources: + namespaces: + - testing-ns + - staging-ns validate: cel: expressions: diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicy.yaml new file mode 100644 index 000000000000..ff6bd06c977e --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicy.yaml 
@@ -0,0 +1,41 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-path-t16
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-path-t16
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ excludeResourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resourceNames:
+ - testing-ns
+ - staging-ns
+ resources:
+ - namespaces
+ resourceRules:
+ - apiGroups:
+ - apps
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - deployments
+ validations:
+ - expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume,
+ !has(volume.hostPath))'
+ message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath
+ must be unset.
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000000..cd6a1c5cfe82
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-path-t16-binding
+ ownerReferences:
+ - apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-path-t16
+spec:
+ policyName: disallow-host-path-t16
+ validationActions:
+ - Audit
+ - Warn
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/chainsaw-test.yaml new file mode 100755 index 000000000000..26b0a4ec9dca --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/chainsaw-test.yaml @@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cpol-any-exclude-resource-match-with-namespace-selector +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy-assert.yaml new file mode 100644 index 000000000000..ae2648855904 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t14 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml new file mode 100644 index 000000000000..97904eed4b2b --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t14 +spec: + validationFailureAction: Audit + background: false + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + namespaceSelector: + matchLabels: + app: critical + exclude: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + names: + - "testing" + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicy.yaml new file mode 100644 index 000000000000..ee3b71964492 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicy.yaml 
@@ -0,0 +1,43 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t14 + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t14 +spec: + failurePolicy: Fail + matchConstraints: + excludeResourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resourceNames: + - testing + resources: + - deployments + namespaceSelector: + matchLabels: + app: critical + resourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - deployments + validations: + - expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, + !has(volume.hostPath))' + message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath + must be unset. diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000000..68b1530a0025 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/validatingadmissionpolicybinding.yaml @@ -0,0 +1,15 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t14-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t14 +spec: + policyName: disallow-host-path-t14 + validationActions: + - Audit + - Warn 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/chainsaw-test.yaml new file mode 100755 index 000000000000..52dd315eff86 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/chainsaw-test.yaml @@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cpol-any-exclude-resource-match-with-object-selector +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy-assert.yaml new file mode 100644 index 000000000000..ef00059ee37c --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t15 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + \ No newline at end of file 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml new file mode 100644 index 000000000000..893891a1dd06 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t15 +spec: + validationFailureAction: Audit + background: false + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + selector: + matchLabels: + app: critical + exclude: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + names: + - "testing" + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicy.yaml new file mode 100644 index 000000000000..ff95f39ec058 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicy.yaml 
@@ -0,0 +1,43 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t15 + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t15 +spec: + failurePolicy: Fail + matchConstraints: + excludeResourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resourceNames: + - testing + resources: + - deployments + objectSelector: + matchLabels: + app: critical + resourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - deployments + validations: + - expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, + !has(volume.hostPath))' + message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath + must be unset. diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000000..91425be107d5 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/validatingadmissionpolicybinding.yaml @@ -0,0 +1,15 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t15-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t15 +spec: + policyName: disallow-host-path-t15 + validationActions: + - Audit + - Warn 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/chainsaw-test.yaml new file mode 100755 index 000000000000..e000eb8680f1 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/chainsaw-test.yaml @@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cpol-any-exclude-resource +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - assert: + file: validatingadmissionpolicy.yaml + - assert: + file: validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy-assert.yaml new file mode 100644 index 000000000000..a1336840e0e8 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy-assert.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t13 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml new file mode 100644 index 000000000000..1c7b71926ec7 --- /dev/null 
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t13 +spec: + validationFailureAction: Audit + background: false + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Deployment + - StatefulSet + - ReplicaSet + - DaemonSet + operations: + - CREATE + - UPDATE + exclude: + any: + - resources: + kinds: + - Deployment + operations: + - CREATE + - UPDATE + names: + - "testing" + validate: + cel: + expressions: + - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset." diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicy.yaml new file mode 100644 index 000000000000..3fff6855ff68 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicy.yaml 
@@ -0,0 +1,43 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t13 + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t13 +spec: + failurePolicy: Fail + matchConstraints: + excludeResourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resourceNames: + - testing + resources: + - deployments + resourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - deployments + - statefulsets + - replicasets + - daemonsets + validations: + - expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, + !has(volume.hostPath))' + message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath + must be unset. diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000000..ee724d9083d3 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/validatingadmissionpolicybinding.yaml @@ -0,0 +1,15 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: disallow-host-path-t13-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-path-t13 +spec: + policyName: disallow-host-path-t13 + validationActions: + - Audit + - Warn 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/chainsaw-test.yaml
new file mode 100755
index 000000000000..46411c7d3f8a
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-match-kind-with-wildcard
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: validatingadmissionpolicy.yaml
+ - assert:
+ file: validatingadmissionpolicybinding.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy-assert.yaml
new file mode 100644
index 000000000000..1832ab5a1d8c
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-label-app5
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml
new file mode 100644
index 000000000000..cae60e95935e
--- /dev/null
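Review bot: In `cpol-match-all-exclude-one/chainsaw-test.yaml` the test's `metadata.name` is `cpol-match-kind-with-wildcard`, which does not match the directory and looks like a leftover from the fixture this one was copied from. A failure in this scenario would then be reported under another test's name, which makes a regression in exclude translation harder to trace. I would change the line to `name: cpol-match-all-exclude-one`.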
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml @@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-label-app5 +spec: + validationFailureAction: Audit + background: false + rules: + - name: check-label-app + match: + all: + - resources: + kinds: + - '*' + operations: + - CREATE + namespaces: + - production + - staging + exclude: + all: + - resources: + kinds: + - "Deployment" + operations: + - CREATE + validate: + cel: + expressions: + - expression: "'app' in object.metadata.labels" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicy.yaml new file mode 100644 index 000000000000..86a4d5c2989a --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicy.yaml @@ -0,0 +1,41 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: check-label-app5 + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-label-app5 +spec: + failurePolicy: Fail + matchConstraints: + excludeResourceRules: + - apiGroups: + - apps + apiVersions: + - v1 + operations: + - CREATE + resources: + - deployments + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - production + - staging + resourceRules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + resources: + - '*' + scope: '*' + validations: + - expression: '''app'' in object.metadata.labels' 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicybinding.yaml new file mode 100644 index 000000000000..6cf61b5a0f4f --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/validatingadmissionpolicybinding.yaml @@ -0,0 +1,15 @@ +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + name: check-label-app5-binding + ownerReferences: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-label-app5 +spec: + policyName: check-label-app5 + validationActions: + - Audit + - Warn diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/chainsaw-test.yaml new file mode 100755 index 000000000000..664c4cab7550 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/chainsaw-test.yaml @@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cpol-exclude-resources-in-specific-namespace +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - error: + file: validatingadmissionpolicy.yaml + - error: + file: validatingadmissionpolicybinding.yaml 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy-assert.yaml new file mode 100644 index 000000000000..7532997b0a79 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy-assert.yaml @@ -0,0 +1,12 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path-t17 +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + validatingadmissionpolicy: + generated: false + \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml new file mode 100644 index 000000000000..3628adb12053 --- /dev/null +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml 
@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-path-t17
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: host-path
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ operations:
+ - CREATE
+ - UPDATE
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ operations:
+ - CREATE
+ - UPDATE
+ namespaces:
+ - testing-ns
+ - staging-ns
+ validate:
+ cel:
+ expressions:
+ - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
+ message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000000..562fc2293e5c
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicy.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-path-t17
+spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000000..27c0bdbf09e5
--- /dev/null
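Review bot: The negative check in `validatingadmissionpolicy.yaml` is tied to `apiVersion: admissionregistration.k8s.io/v1alpha1`, and this directory's `chainsaw-test.yaml` consumes it in an `error` step, so it only proves that no `disallow-host-path-t17` object is visible through that API version. It is worth confirming that the conformance clusters serve v1alpha1; where they do not, the step may be unable to observe a policy generated under a later version, and the test would then say nothing about whether generation was really skipped. A comment at the top of the file such as `# error step: this object must NOT exist; assumes the v1alpha1 admissionregistration API is served` would record the assumption. The same holds for `validatingadmissionpolicybinding.yaml` in this directory and for the two files added under `cpol-exclude-user-and-roles`, which are presumably used the same way.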
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: disallow-host-path-t17-binding
+spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/chainsaw-test.yaml
new file mode 100755
index 000000000000..c0ab0cea450d
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-exclude-resources-with-namespace-selector
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - error:
+ file: validatingadmissionpolicy.yaml
+ - error:
+ file: validatingadmissionpolicybinding.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/policy-assert.yaml
rename to test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy-assert.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml
new file mode 100644
index 000000000000..e1b5129be21e
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-host-path-t10
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: host-path
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ operations:
+ - CREATE
+ - UPDATE
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ operations:
+ - CREATE
+ - UPDATE
+ namespaceSelector:
+ matchExpressions:
+ - key: type
+ operator: In
+ values:
+ - connector
+ validate:
+ cel:
+ expressions:
+ - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
+ message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicy.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicy.yaml
rename to test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicy.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/validatingadmissionpolicybinding.yaml
rename to test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/chainsaw-test.yaml similarity index 87% rename from test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/chainsaw-test.yaml rename to test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/chainsaw-test.yaml index 4f0057848f62..129dde192b6a 100755 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/chainsaw-test.yaml @@ -2,7 +2,7 @@ apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null - name: cpol-exclude + name: cpol-exclude-resources-with-object-selector spec: steps: - name: step-01 diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy-assert.yaml similarity index 100% rename from test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/policy-assert.yaml rename to test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy-assert.yaml 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml similarity index 77% rename from test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/policy.yaml rename to test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml index ee95434c316c..5c3c08affda5 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml @@ -14,8 +14,11 @@ spec: exclude: any: - resources: - namespaces: - - default + kinds: + - Pod + selector: + matchLabels: + app: critical validate: cel: expressions: diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicy.yaml similarity index 100% rename from test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/validatingadmissionpolicy.yaml rename to test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicy.yaml 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicybinding.yaml similarity index 100% rename from test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/validatingadmissionpolicybinding.yaml rename to test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/validatingadmissionpolicybinding.yaml diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/chainsaw-test.yaml similarity index 91% rename from test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/chainsaw-test.yaml rename to test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/chainsaw-test.yaml index d8997f4fb2e0..a909c7d5ebb2 100755 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-namespace/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/chainsaw-test.yaml @@ -2,7 +2,7 @@ apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null - name: cpol-exclude-namespace + name: cpol-exclude-user-and-roles spec: steps: - name: step-01 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy-assert.yaml
new file mode 100644
index 000000000000..648f5587c55e
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-label-app1
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+ validatingadmissionpolicy:
+ generated: false
+
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml
new file mode 100644
index 000000000000..e477a4381ec1
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-label-app1
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: check-label-app
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ exclude:
+ any:
+ - clusterRoles:
+ - cluster-admin
+ - subjects:
+ - kind: User
+ name: John
+ validate:
+ cel:
+ expressions:
+ - expression: "'app' in object.metadata.labels"
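Review bot: In `policy.yaml`, the expression `'app' in object.metadata.labels` has no presence guard, so for a Pod that carries no labels it likely evaluates to an error rather than to false; the hostPath policies added in this patch guard their optional field with `!has(...)` first. Suggest `- expression: "has(object.metadata.labels) && 'app' in object.metadata.labels"` together with a `message:` line stating the requirement, as the other fixtures have. No resource is applied in this test, so the current outcome is unaffected, but the fixture would stay correct if a Pod is ever added to it or the rule is copied elsewhere.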
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000000..46b0d1dcff65
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicy.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: check-label-app1
+spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000000..11cc784ea350
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: check-label-app1-binding
+spec: {}
From f3c9be9d0f703c54dd40759db392bad2aca66958 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Wed, 17 Jul 2024 07:52:38 +0300
Subject: [PATCH 10/44] chore: rename deprecated chainsaw tests (#10668)
Signed-off-by: Mariam Fahmy --- .../{fail(deprecated) => fail-deprecated}/README.md | 0 .../{fail(deprecated) => fail-deprecated}/chainsaw-test.yaml | 0 .../{fail(deprecated) => fail-deprecated}/policy-assert.yaml | 0 .../{fail(deprecated) => fail-deprecated}/policy.yaml | 0 .../{fail(deprecated) => fail-deprecated}/webhooks-assert.yaml | 0 .../README.md | 0 .../chainsaw-step-01-apply-1-1.yaml | 0 .../chainsaw-step-01-assert-1-1.yaml | 0 .../chainsaw-step-02-apply-1-1.yaml | 0 .../chainsaw-step-02-apply-1-2.yaml | 0 .../chainsaw-step-02-apply-1-3.yaml | 0 .../chainsaw-step-02-apply-1-4.yaml | 0 .../chainsaw-step-02-apply-1-5.yaml | 0 .../chainsaw-step-02-assert-1-1.yaml | 0 .../chainsaw-step-02-assert-1-2.yaml | 0 .../chainsaw-step-04-apply-1-1.yaml | 0 .../chainsaw-step-05-apply-1-1.yaml | 0 .../chainsaw-step-06-error-1-1.yaml | 0 .../chainsaw-test.yaml | 0 .../update-mycm.yaml | 0 .../README.md | 0 .../chainsaw-test.yaml | 0 .../policy-1.yaml | 0 .../policy-2.yaml | 0 .../chainsaw-test.yaml | 0 .../labelled-resource.yaml | 0 .../namespace.yaml | 0 .../policy-ready.yaml | 0 .../policy.yaml | 0 .../unlabelled-resource.yaml | 0 .../README.md | 0 .../chainsaw-step-05-apply-1-1.yaml | 0 .../chainsaw-test.yaml | 0 .../ns.yaml | 0 .../policy-ready.yaml | 0 .../policy.yaml | 0 .../service.yaml | 0 .../README.md | 0 .../chainsaw-test.yaml | 0 .../pod-fail.yaml | 0 .../policy-assert.yaml | 0 .../policy.yaml | 0 .../README.md | 0 .../chainsaw-test.yaml | 0 .../policy-1.yaml | 0 .../policy-2.yaml | 0 .../policy-assert1.yaml | 0 .../policy-assert2.yaml | 0 .../resource.yaml | 0 .../README.md | 0 .../chainsaw-step-04-apply-1-1.yaml | 0 .../chainsaw-test.yaml | 0 .../policy-ready.yaml | 0 .../policy.yaml | 0 .../resource-assert.yaml | 0 .../resource.yaml | 0 .../README.md | 0 .../chainsaw-test.yaml | 0 .../cluster-policy-ready.yaml | 0 .../cluster-policy.yaml | 0 .../keda-ready.yaml | 0 .../keda.yaml | 0 .../policy-ready.yaml | 0 .../policy.yaml | 0 .../README.md | 0 
.../chainsaw-test.yaml | 0 .../pod.yaml | 0 .../policy-assert.yaml | 0 .../policy.yaml | 0 .../README.md | 0 .../chainsaw-step-00-apply-1-1.yaml | 0 .../chainsaw-test.yaml | 0 .../policy-assert.yaml | 0 .../policy.yaml | 0 .../README.md | 0 .../chainsaw-test.yaml | 0 .../event-assert.yaml | 0 .../policy-assert.yaml | 0 .../policy.yaml | 0 .../resource.yaml | 0 .../README.md | 0 .../chainsaw-test.yaml | 0 .../event-assert.yaml | 0 .../policy-assert.yaml | 0 .../policy.yaml | 0 .../report-pass-assert.yaml | 0 .../resource.yaml | 0 .../README.md | 0 .../chainsaw-test.yaml | 0 .../policy-assert.yaml | 0 .../policy.yaml | 0 .../report-skip-assert.yaml | 0 .../resource.yaml | 0 .../README.md | 0 .../chainsaw-test.yaml | 0 .../pod.yaml | 0 .../policy-assert.yaml | 0 .../policy.yaml | 0 .../lazyload/README.md | 0 .../lazyload/chainsaw-step-01-apply-1-1.yaml | 0 .../lazyload/chainsaw-step-01-apply-1-2.yaml | 0 .../lazyload/chainsaw-step-01-apply-1-3.yaml | 0 .../lazyload/chainsaw-step-01-assert-1-1.yaml | 0 .../lazyload/chainsaw-step-01-assert-1-2.yaml | 0 .../lazyload/chainsaw-test.yaml | 0 .../subjectaccessreview/README.md | 0 .../subjectaccessreview/chainsaw-step-01-apply-1-1.yaml | 0 .../subjectaccessreview/chainsaw-step-01-apply-1-2.yaml | 0 .../subjectaccessreview/chainsaw-step-01-apply-1-3.yaml | 0 .../subjectaccessreview/chainsaw-step-01-apply-1-4.yaml | 0 .../subjectaccessreview/chainsaw-step-01-assert-1-1.yaml | 0 .../subjectaccessreview/chainsaw-test.yaml | 0 .../subjectaccessreview/cm-default-ns.yaml | 0 .../subjectaccessreview/cm-test-ns.yaml | 0 .../background-match-clusterRoles/README.md | 0 .../background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml | 0 .../background-match-clusterRoles/chainsaw-test.yaml | 0 .../background-match-clusterRoles/manifests.yaml | 0 .../background-match-roles/README.md | 0 .../background-match-roles/chainsaw-step-02-error-1-1.yaml | 0 .../background-match-roles/chainsaw-test.yaml | 0 
.../background-match-roles/manifests.yaml | 0 .../background-vars-roles/README.md | 0 .../background-vars-roles/chainsaw-step-02-error-1-1.yaml | 0 .../background-vars-roles/chainsaw-test.yaml | 0 .../background-vars-roles/manifests.yaml | 0 .../background-vars-serviceAccountName/README.md | 0 .../chainsaw-step-02-error-1-1.yaml | 0 .../background-vars-serviceAccountName/chainsaw-test.yaml | 0 .../background-vars-serviceAccountName/manifests.yaml | 0 .../background-vars-userInfo/README.md | 0 .../background-vars-userInfo/chainsaw-step-02-error-1-1.yaml | 0 .../background-vars-userInfo/chainsaw-test.yaml | 0 .../background-vars-userInfo/manifests.yaml | 0 .../configmap-context-lookup/README.md | 0 .../configmap-context-lookup/chainsaw-step-01-apply-1-1.yaml | 0 .../configmap-context-lookup/chainsaw-step-01-apply-1-2.yaml | 0 .../configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml | 0 .../configmap-context-lookup/chainsaw-step-01-assert-1-1.yaml | 0 .../configmap-context-lookup/chainsaw-step-02-apply-1-1.yaml | 0 .../configmap-context-lookup/chainsaw-step-02-assert-1-1.yaml | 0 .../configmap-context-lookup/chainsaw-step-03-assert-1-1.yaml | 0 .../configmap-context-lookup/chainsaw-test.yaml | 0 .../authorizor-checks/with-permissions/chainsaw-test.yaml | 0 .../authorizor-checks/with-permissions/pod.yaml | 0 .../authorizor-checks/with-permissions/policy.yaml | 0 .../authorizor-checks/with-permissions/rbac.yaml | 0 .../authorizor-checks/with-permissions/serviceaccount.yaml | 0 .../authorizor-checks/without-permissions/chainsaw-test.yaml | 0 .../authorizor-checks/without-permissions/deployment.yaml | 0 .../authorizor-checks/without-permissions/policy.yaml | 0 .../authorizor-checks/without-permissions/rbac.yaml | 0 .../authorizor-checks/without-permissions/serviceaccount.yaml | 0 .../cel-preconditions/README.md | 0 .../cel-preconditions/chainsaw-test.yaml | 0 .../cel-preconditions/pod-fail.yaml | 0 .../cel-preconditions/pod-pass.yaml | 0 
.../cel-preconditions/policy-assert.yaml | 0 .../cel-preconditions/policy.yaml | 0 .../{cel(deprecated) => cel-deprecated}/cel-variables/README.md | 0 .../cel-variables/chainsaw-test.yaml | 0 .../cel-variables/deployments-fail.yaml | 0 .../cel-variables/deployments-pass.yaml | 0 .../{cel(deprecated) => cel-deprecated}/cel-variables/ns.yaml | 0 .../cel-variables/policy-assert.yaml | 0 .../{cel(deprecated) => cel-deprecated}/cel-variables/policy.yaml | 0 .../check-statefulset-namespace/README.md | 0 .../check-statefulset-namespace/chainsaw-test.yaml | 0 .../check-statefulset-namespace/ns.yaml | 0 .../check-statefulset-namespace/policy-assert.yaml | 0 .../check-statefulset-namespace/policy.yaml | 0 .../check-statefulset-namespace/statefulset-fail.yaml | 0 .../check-statefulset-namespace/statefulset-pass.yaml | 0 .../disallow-host-port/README.md | 0 .../disallow-host-port/chainsaw-test.yaml | 0 .../disallow-host-port/pod-fail.yaml | 0 .../disallow-host-port/pod-pass.yaml | 0 .../disallow-host-port/policy-assert.yaml | 0 .../disallow-host-port/policy.yaml | 0 .../parameter-resources/clusterscoped/README.md | 0 .../parameter-resources/clusterscoped/chainsaw-test.yaml | 0 .../parameter-resources/clusterscoped/crd-assert.yaml | 0 .../parameter-resources/clusterscoped/crd.yaml | 0 .../parameter-resources/clusterscoped/namespaceConstraint.yaml | 0 .../parameter-resources/clusterscoped/ns-fail.yaml | 0 .../parameter-resources/clusterscoped/ns-pass.yaml | 0 .../parameter-resources/clusterscoped/policy-assert.yaml | 0 .../parameter-resources/clusterscoped/policy.yaml | 0 .../namespaced/match-clusterscoped-resource/README.md | 0 .../namespaced/match-clusterscoped-resource/chainsaw-test.yaml | 0 .../namespaced/match-clusterscoped-resource/crd-assert.yaml | 0 .../namespaced/match-clusterscoped-resource/crd.yaml | 0 .../namespaced/match-clusterscoped-resource/nameConstraint.yaml | 0 .../namespaced/match-clusterscoped-resource/ns.yaml | 0 
.../namespaced/match-clusterscoped-resource/policy-assert.yaml | 0 .../namespaced/match-clusterscoped-resource/policy.yaml | 0 .../namespaced/set-paramref-namespace/README.md | 0 .../namespaced/set-paramref-namespace/chainsaw-test.yaml | 0 .../namespaced/set-paramref-namespace/crd-assert.yaml | 0 .../namespaced/set-paramref-namespace/crd.yaml | 0 .../namespaced/set-paramref-namespace/deployment-fail.yaml | 0 .../namespaced/set-paramref-namespace/deployment-pass.yaml | 0 .../parameter-resources/namespaced/set-paramref-namespace/ns.yaml | 0 .../namespaced/set-paramref-namespace/policy-assert.yaml | 0 .../namespaced/set-paramref-namespace/policy.yaml | 0 .../namespaced/set-paramref-namespace/replicaLimit.yaml | 0 .../namespaced/unset-paramref-namespace/README.md | 0 .../namespaced/unset-paramref-namespace/chainsaw-test.yaml | 0 .../namespaced/unset-paramref-namespace/crd-assert.yaml | 0 .../namespaced/unset-paramref-namespace/crd.yaml | 0 .../namespaced/unset-paramref-namespace/ns.yaml | 0 .../namespaced/unset-paramref-namespace/policy-assert.yaml | 0 .../namespaced/unset-paramref-namespace/policy.yaml | 0 .../namespaced/unset-paramref-namespace/replicaLimit.yaml | 0 .../namespaced/unset-paramref-namespace/statefulset-fail.yaml | 0 .../namespaced/unset-paramref-namespace/statefulset-pass.yaml | 0 .../{debug(deprecated) => debug-deprecated}/with-pod/README.md | 0 .../with-pod/chainsaw-test.yaml | 0 .../with-pod/policies-assert.yaml | 0 .../with-pod/policies.yaml | 0 .../with-pod/resources.yaml | 0 .../with-subresource/README.md | 0 .../with-subresource/chainsaw-test.yaml | 0 .../with-subresource/policies-assert.yaml | 0 .../with-subresource/policies.yaml | 0 .../with-subresource/resources.yaml | 0 .../with-wildcard/README.md | 0 .../with-wildcard/chainsaw-test.yaml | 0 .../with-wildcard/policies-assert.yaml | 0 .../with-wildcard/policies.yaml | 0 .../with-wildcard/resources.yaml | 0 .../api-initiated-pod-eviction/README.md | 0 
.../api-initiated-pod-eviction/api-initiated-eviction.sh | 0 .../api-initiated-pod-eviction/chainsaw-step-01-apply-1-1.yaml | 0 .../api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml | 0 .../api-initiated-pod-eviction/chainsaw-step-01-apply-1-3.yaml | 0 .../api-initiated-pod-eviction/chainsaw-step-01-assert-1-1.yaml | 0 .../api-initiated-pod-eviction/chainsaw-test.yaml | 0 .../api-initiated-pod-eviction/eviction.json | 0 .../block-pod-exec-requests/README.md | 0 .../block-pod-exec-requests/chainsaw-step-01-apply-1-1.yaml | 0 .../block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml | 0 .../block-pod-exec-requests/chainsaw-step-01-apply-1-3.yaml | 0 .../block-pod-exec-requests/chainsaw-step-01-assert-1-1.yaml | 0 .../block-pod-exec-requests/chainsaw-test.yaml | 0 .../bypass-with-policy-exception/README.md | 0 .../bypass-with-policy-exception/chainsaw-step-01-apply-1-1.yaml | 0 .../bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml | 0 .../bypass-with-policy-exception/chainsaw-step-01-apply-1-3.yaml | 0 .../bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml | 0 .../bypass-with-policy-exception/chainsaw-step-01-assert-1-1.yaml | 0 .../bypass-with-policy-exception/chainsaw-step-01-assert-1-2.yaml | 0 .../bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml | 0 .../bypass-with-policy-exception/chainsaw-test.yaml | 0 .../{enforce(deprecated) => enforce-deprecated}/csr/README.md | 0 .../csr/chainsaw-test.yaml | 0 .../csr/csr-mutated.yaml | 0 .../{enforce(deprecated) => enforce-deprecated}/csr/csr.yaml | 0 .../csr/policy-ready.yaml | 0 .../{enforce(deprecated) => enforce-deprecated}/csr/policy.yaml | 0 .../enforce-validate-existing/README.md | 0 .../enforce-validate-existing/bad-pod-ready.yaml | 0 .../enforce-validate-existing/bad-pod-update-test.sh | 0 .../enforce-validate-existing/bad-pod.yaml | 0 .../enforce-validate-existing/chainsaw-test.yaml | 0 .../enforce-validate-existing/good-pod-ready.yaml | 0 
.../enforce-validate-existing/good-pod-update-test.sh | 0 .../enforce-validate-existing/good-pod.yaml | 0 .../enforce-validate-existing/policy-ready.yaml | 0 .../enforce-validate-existing/policy.yaml | 0 .../enforce-validate-existing/update-bad-pod-to-comply.sh | 0 .../failure-policy-ignore-anchor/README.md | 0 .../failure-policy-ignore-anchor/chainsaw-test.yaml | 0 .../failure-policy-ignore-anchor/pod.yaml | 0 .../failure-policy-ignore-anchor/policy-assert.yaml | 0 .../failure-policy-ignore-anchor/policy.yaml | 0 .../ns-selector-with-wildcard-kind/README.md | 0 .../ns-selector-with-wildcard-kind/chainsaw-test.yaml | 0 .../ns-selector-with-wildcard-kind/ns.yaml | 0 .../ns-selector-with-wildcard-kind/pod-fail.yaml | 0 .../ns-selector-with-wildcard-kind/pod-pass.yaml | 0 .../ns-selector-with-wildcard-kind/policy-assert.yaml | 0 .../ns-selector-with-wildcard-kind/policy.yaml | 0 .../operator-allnotin-01/README.md | 0 .../operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml | 0 .../operator-allnotin-01/chainsaw-step-01-assert-1-1.yaml | 0 .../operator-allnotin-01/chainsaw-step-03-apply-1-1.yaml | 0 .../operator-allnotin-01/chainsaw-test.yaml | 0 .../operator-allnotin-01/resource.yaml | 0 .../operator-anyin-boolean/README.md | 0 .../operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml | 0 .../operator-anyin-boolean/chainsaw-step-02-assert-1-1.yaml | 0 .../operator-anyin-boolean/chainsaw-test.yaml | 0 .../operator-anyin-boolean/pod.yaml | 0 .../resource-apply-block/README.md | 0 .../resource-apply-block/chainsaw-step-01-apply-1-1.yaml | 0 .../resource-apply-block/chainsaw-step-01-assert-1-1.yaml | 0 .../resource-apply-block/chainsaw-step-03-error-1-1.yaml | 0 .../resource-apply-block/chainsaw-test.yaml | 0 .../resource-apply-block/resource.yaml | 0 .../scaling-with-kubectl-scale/README.md | 0 .../scaling-with-kubectl-scale/chainsaw-step-01-apply-1-1.yaml | 0 .../scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml | 0 
.../scaling-with-kubectl-scale/chainsaw-step-01-apply-1-3.yaml | 0 .../scaling-with-kubectl-scale/chainsaw-step-01-assert-1-1.yaml | 0 .../scaling-with-kubectl-scale/chainsaw-step-01-assert-1-2.yaml | 0 .../scaling-with-kubectl-scale/chainsaw-test.yaml | 0 .../standard/{gvk(deprecated) => gvk-deprecated}/README.md | 0 .../{gvk(deprecated) => gvk-deprecated}/chainsaw-test.yaml | 0 .../standard/{gvk(deprecated) => gvk-deprecated}/crd-1.yaml | 0 .../standard/{gvk(deprecated) => gvk-deprecated}/crd-ready-1.yaml | 0 .../standard/{gvk(deprecated) => gvk-deprecated}/crd-ready.yaml | 0 .../standard/{gvk(deprecated) => gvk-deprecated}/crd.yaml | 0 .../{gvk(deprecated) => gvk-deprecated}/policy-ready.yaml | 0 .../standard/{gvk(deprecated) => gvk-deprecated}/policy.yaml | 0 .../standard/{gvk(deprecated) => gvk-deprecated}/task.yaml | 0 .../seccomp-latest-check-no-exclusion/README.md | 0 .../seccomp-latest-check-no-exclusion/bad-pod-1.yaml | 0 .../seccomp-latest-check-no-exclusion/bad-pod-2.yaml | 0 .../seccomp-latest-check-no-exclusion/chainsaw-test.yaml | 0 .../seccomp-latest-check-no-exclusion/good-pod.yaml | 0 .../seccomp-latest-check-no-exclusion/policy-assert.yaml | 0 .../seccomp-latest-check-no-exclusion/policy.yaml | 0 .../test-deletion-request/README.md | 0 .../test-deletion-request/chainsaw-test.yaml | 0 .../test-deletion-request/manifests.yaml | 0 .../test-deletion-request/policy-assert.yaml | 0 .../test-deletion-request/policy.yaml | 0 .../test-exclusion-capabilities/README.md | 0 .../test-exclusion-capabilities/bad-pod.yaml | 0 .../test-exclusion-capabilities/chainsaw-test.yaml | 0 .../test-exclusion-capabilities/excluded-pod.yaml | 0 .../test-exclusion-capabilities/good-pod.yaml | 0 .../test-exclusion-capabilities/policy-assert.yaml | 0 .../test-exclusion-capabilities/policy.yaml | 0 .../test-exclusion-host-namespaces/README.md | 0 .../test-exclusion-host-namespaces/bad-pod.yaml | 0 .../test-exclusion-host-namespaces/chainsaw-test.yaml | 0 
.../test-exclusion-host-namespaces/excluded-pod.yaml | 0 .../test-exclusion-host-namespaces/good-pod.yaml | 0 .../test-exclusion-host-namespaces/policy-assert.yaml | 0 .../test-exclusion-host-namespaces/policy.yaml | 0 .../test-exclusion-host-ports/README.md | 0 .../test-exclusion-host-ports/bad-pod.yaml | 0 .../test-exclusion-host-ports/chainsaw-test.yaml | 0 .../test-exclusion-host-ports/excluded-pod.yaml | 0 .../test-exclusion-host-ports/good-pod.yaml | 0 .../test-exclusion-host-ports/policy-assert.yaml | 0 .../test-exclusion-host-ports/policy.yaml | 0 .../test-exclusion-hostpath-volume/README.md | 0 .../test-exclusion-hostpath-volume/bad-pod.yaml | 0 .../test-exclusion-hostpath-volume/chainsaw-test.yaml | 0 .../test-exclusion-hostpath-volume/excluded-pod.yaml | 0 .../test-exclusion-hostpath-volume/good-pod.yaml | 0 .../test-exclusion-hostpath-volume/policy-assert.yaml | 0 .../test-exclusion-hostpath-volume/policy.yaml | 0 .../test-exclusion-hostprocesses/README.md | 0 .../test-exclusion-hostprocesses/bad-pod.yaml | 0 .../test-exclusion-hostprocesses/chainsaw-test.yaml | 0 .../test-exclusion-hostprocesses/excluded-pod.yaml | 0 .../test-exclusion-hostprocesses/good-pod.yaml | 0 .../test-exclusion-hostprocesses/policy-assert.yaml | 0 .../test-exclusion-hostprocesses/policy.yaml | 0 .../test-exclusion-privilege-escalation/README.md | 0 .../test-exclusion-privilege-escalation/bad-pod.yaml | 0 .../test-exclusion-privilege-escalation/chainsaw-test.yaml | 0 .../test-exclusion-privilege-escalation/excluded-pod.yaml | 0 .../test-exclusion-privilege-escalation/good-pod.yaml | 0 .../test-exclusion-privilege-escalation/policy-assert.yaml | 0 .../test-exclusion-privilege-escalation/policy.yaml | 0 .../test-exclusion-privileged-containers/README.md | 0 .../test-exclusion-privileged-containers/bad-pod.yaml | 0 .../test-exclusion-privileged-containers/chainsaw-test.yaml | 0 .../test-exclusion-privileged-containers/excluded-pod.yaml | 0 
.../test-exclusion-privileged-containers/good-pod.yaml | 0 .../test-exclusion-privileged-containers/policy-assert.yaml | 0 .../test-exclusion-privileged-containers/policy.yaml | 0 .../test-exclusion-restricted-capabilities/README.md | 0 .../test-exclusion-restricted-capabilities/bad-pod.yaml | 0 .../test-exclusion-restricted-capabilities/chainsaw-test.yaml | 0 .../test-exclusion-restricted-capabilities/excluded-pod.yaml | 0 .../test-exclusion-restricted-capabilities/good-pod.yaml | 0 .../test-exclusion-restricted-capabilities/policy-assert.yaml | 0 .../test-exclusion-restricted-capabilities/policy.yaml | 0 .../test-exclusion-restricted-seccomp/README.md | 0 .../test-exclusion-restricted-seccomp/bad-pod.yaml | 0 .../test-exclusion-restricted-seccomp/chainsaw-test.yaml | 0 .../test-exclusion-restricted-seccomp/excluded-pod.yaml | 0 .../test-exclusion-restricted-seccomp/good-pod.yaml | 0 .../test-exclusion-restricted-seccomp/policy-assert.yaml | 0 .../test-exclusion-restricted-seccomp/policy.yaml | 0 .../test-exclusion-running-as-nonroot-user/README.md | 0 .../test-exclusion-running-as-nonroot-user/bad-pod.yaml | 0 .../test-exclusion-running-as-nonroot-user/chainsaw-test.yaml | 0 .../test-exclusion-running-as-nonroot-user/excluded-pod.yaml | 0 .../test-exclusion-running-as-nonroot-user/good-pod.yaml | 0 .../test-exclusion-running-as-nonroot-user/policy-assert.yaml | 0 .../test-exclusion-running-as-nonroot-user/policy.yaml | 0 .../test-exclusion-running-as-nonroot/README.md | 0 .../test-exclusion-running-as-nonroot/bad-pod.yaml | 0 .../test-exclusion-running-as-nonroot/chainsaw-test.yaml | 0 .../test-exclusion-running-as-nonroot/excluded-pod.yaml | 0 .../test-exclusion-running-as-nonroot/good-pod.yaml | 0 .../test-exclusion-running-as-nonroot/policy-assert.yaml | 0 .../test-exclusion-running-as-nonroot/policy.yaml | 0 .../test-exclusion-seccomp/README.md | 0 .../test-exclusion-seccomp/bad-pod.yaml | 0 .../test-exclusion-seccomp/chainsaw-test.yaml | 0 
.../test-exclusion-seccomp/excluded-pod.yaml | 0 .../test-exclusion-seccomp/good-pod.yaml | 0 .../test-exclusion-seccomp/policy-assert.yaml | 0 .../test-exclusion-seccomp/policy.yaml | 0 .../test-exclusion-selinux/README.md | 0 .../test-exclusion-selinux/bad-pod.yaml | 0 .../test-exclusion-selinux/chainsaw-test.yaml | 0 .../test-exclusion-selinux/excluded-pod.yaml | 0 .../test-exclusion-selinux/good-pod.yaml | 0 .../test-exclusion-selinux/policy-assert.yaml | 0 .../test-exclusion-selinux/policy.yaml | 0 .../test-exclusion-sysctls/README.md | 0 .../test-exclusion-sysctls/bad-pod.yaml | 0 .../test-exclusion-sysctls/chainsaw-test.yaml | 0 .../test-exclusion-sysctls/excluded-pod.yaml | 0 .../test-exclusion-sysctls/good-pod.yaml | 0 .../test-exclusion-sysctls/policy-assert.yaml | 0 .../test-exclusion-sysctls/policy.yaml | 0 .../test-exclusion-volume-types/README.md | 0 .../test-exclusion-volume-types/bad-pod.yaml | 0 .../test-exclusion-volume-types/chainsaw-test.yaml | 0 .../test-exclusion-volume-types/excluded-pod.yaml | 0 .../test-exclusion-volume-types/good-pod.yaml | 0 .../test-exclusion-volume-types/policy-assert.yaml | 0 .../test-exclusion-volume-types/policy.yaml | 0 .../{subresource copy => subresource-deprecated}/README.md | 0 .../chainsaw-test.yaml | 0 .../policies-assert.yaml | 0 .../{subresource copy => subresource-deprecated}/policies.yaml | 0 .../{subresource copy => subresource-deprecated}/resources.yaml | 0 .../{conditions(deprecated) => conditions-deprecated}/README.md | 0 .../chainsaw-test.yaml | 0 .../pod-bad.yaml | 0 .../pod-good.yaml | 0 .../policy-2.yaml | 0 .../policy-assert.yaml | 0 .../{conditions(deprecated) => conditions-deprecated}/policy.yaml | 0 .../README.md | 0 .../chainsaw-test.yaml | 0 .../policy.yaml | 0 .../README.md | 0 .../chainsaw-step-01-apply-1-1.yaml | 0 .../chainsaw-step-01-apply-1-2.yaml | 0 .../chainsaw-step-01-apply-1-3.yaml | 0 .../chainsaw-step-01-assert-1-1.yaml | 0 .../chainsaw-test.yaml | 0 .../README.md | 0 
.../bad.yaml | 0 .../chainsaw-step-02-apply-1-1.yaml | 0 .../chainsaw-test.yaml | 0 .../policy-ready.yaml | 0 .../policy.yaml | 0 .../README.md | 0 .../chainsaw-step-01-apply-1-1.yaml | 0 .../chainsaw-step-01-apply-1-2.yaml | 0 .../chainsaw-step-01-assert-1-1.yaml | 0 .../chainsaw-step-01-assert-1-2.yaml | 0 .../chainsaw-test.yaml | 0 .../postgresqls-ready.yaml | 0 .../postgresqls.yaml | 0 .../resource.yaml | 0 .../README.md | 0 .../chainsaw-test.yaml | 0 .../ns-ready.yaml | 0 .../ns-update.yaml | 0 .../ns.yaml | 0 .../policy-ready.yaml | 0 .../policy.yaml | 0 .../README.md | 0 .../bad.yaml | 0 .../chainsaw-step-02-apply-1-1.yaml | 0 .../chainsaw-test.yaml | 0 .../policy-ready.yaml | 0 .../policy.yaml | 0 .../{x509-decode(deprecated) => x509-decode-deprecated}/README.md | 0 .../{x509-decode(deprecated) => x509-decode-deprecated}/bad.yaml | 0 .../chainsaw-step-03-apply-1-1.yaml | 0 .../chainsaw-test.yaml | 0 .../policy-ready.yaml | 0 .../policy.yaml | 0 .../README.md | 0 .../bad.yaml | 0 .../chainsaw-step-02-apply-1-1.yaml | 0 .../chainsaw-test.yaml | 0 .../policy-ready.yaml | 0 .../policy.yaml | 0 .../README.md | 0 .../bad-pod.yaml | 0 .../chainsaw-step-02-apply-1.yaml | 0 .../chainsaw-test.yaml | 0 .../policy-ready.yaml | 0 .../policy.yaml | 0 500 files changed, 0 insertions(+), 0 deletions(-) rename test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/{fail(deprecated) => fail-deprecated}/README.md (100%) rename test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/{fail(deprecated) => fail-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/{fail(deprecated) => fail-deprecated}/policy-assert.yaml (100%) rename test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/{fail(deprecated) => fail-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/{fail(deprecated) => fail-deprecated}/webhooks-assert.yaml 
(100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/README.md (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-02-apply-1-1.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-02-apply-1-2.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-02-apply-1-3.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-02-apply-1-4.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-02-apply-1-5.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-02-assert-1-1.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-02-assert-1-2.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => 
variables-mutate-existing-deprecated}/chainsaw-step-04-apply-1-1.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-05-apply-1-1.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-step-06-error-1-1.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/mutate/clusterpolicy/cornercases/{variables-mutate-existing(deprecated) => variables-mutate-existing-deprecated}/update-mycm.yaml (100%) rename test/conformance/chainsaw/policy-validation/cluster-policy/{invalid-timeout(deprecated) => invalid-timeout-deprecated}/README.md (100%) rename test/conformance/chainsaw/policy-validation/cluster-policy/{invalid-timeout(deprecated) => invalid-timeout-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/policy-validation/cluster-policy/{invalid-timeout(deprecated) => invalid-timeout-deprecated}/policy-1.yaml (100%) rename test/conformance/chainsaw/policy-validation/cluster-policy/{invalid-timeout(deprecated) => invalid-timeout-deprecated}/policy-2.yaml (100%) rename test/conformance/chainsaw/validate/anchors/{conditional(deprecated) => conditional-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/anchors/{conditional(deprecated) => conditional-deprecated}/labelled-resource.yaml (100%) rename test/conformance/chainsaw/validate/anchors/{conditional(deprecated) => conditional-deprecated}/namespace.yaml (100%) rename test/conformance/chainsaw/validate/anchors/{conditional(deprecated) => conditional-deprecated}/policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/anchors/{conditional(deprecated) => 
conditional-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/anchors/{conditional(deprecated) => conditional-deprecated}/unlabelled-resource.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{apply-on-deletion(deprecated) => apply-on-deletion-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{apply-on-deletion(deprecated) => apply-on-deletion-deprecated}/chainsaw-step-05-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{apply-on-deletion(deprecated) => apply-on-deletion-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{apply-on-deletion(deprecated) => apply-on-deletion-deprecated}/ns.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{apply-on-deletion(deprecated) => apply-on-deletion-deprecated}/policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{apply-on-deletion(deprecated) => apply-on-deletion-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{apply-on-deletion(deprecated) => apply-on-deletion-deprecated}/service.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{cel-messages-upon-resource-failure(deprecated) => cel-messages-upon-resource-failure-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{cel-messages-upon-resource-failure(deprecated) => cel-messages-upon-resource-failure-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{cel-messages-upon-resource-failure(deprecated) => cel-messages-upon-resource-failure-deprecated}/pod-fail.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{cel-messages-upon-resource-failure(deprecated) => 
cel-messages-upon-resource-failure-deprecated}/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{cel-messages-upon-resource-failure(deprecated) => cel-messages-upon-resource-failure-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{check-message-upon-resource-failure(deprecated) => check-message-upon-resource-failure-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{check-message-upon-resource-failure(deprecated) => check-message-upon-resource-failure-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{check-message-upon-resource-failure(deprecated) => check-message-upon-resource-failure-deprecated}/policy-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{check-message-upon-resource-failure(deprecated) => check-message-upon-resource-failure-deprecated}/policy-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{check-message-upon-resource-failure(deprecated) => check-message-upon-resource-failure-deprecated}/policy-assert1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{check-message-upon-resource-failure(deprecated) => check-message-upon-resource-failure-deprecated}/policy-assert2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{check-message-upon-resource-failure(deprecated) => check-message-upon-resource-failure-deprecated}/resource.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{ephemeral-containers(deprecated) => ephemeral-containers-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{ephemeral-containers(deprecated) => ephemeral-containers-deprecated}/chainsaw-step-04-apply-1-1.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/cornercases/{ephemeral-containers(deprecated) => ephemeral-containers-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{ephemeral-containers(deprecated) => ephemeral-containers-deprecated}/policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{ephemeral-containers(deprecated) => ephemeral-containers-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{ephemeral-containers(deprecated) => ephemeral-containers-deprecated}/resource-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{ephemeral-containers(deprecated) => ephemeral-containers-deprecated}/resource.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{external-metrics(deprecated) => external-metrics-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{external-metrics(deprecated) => external-metrics-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{external-metrics(deprecated) => external-metrics-deprecated}/cluster-policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{external-metrics(deprecated) => external-metrics-deprecated}/cluster-policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{external-metrics(deprecated) => external-metrics-deprecated}/keda-ready.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{external-metrics(deprecated) => external-metrics-deprecated}/keda.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{external-metrics(deprecated) => external-metrics-deprecated}/policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{external-metrics(deprecated) => 
external-metrics-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{invalid-jmespath-variable-substitution(deprecated) => invalid-jmespath-variable-substitution-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{invalid-jmespath-variable-substitution(deprecated) => invalid-jmespath-variable-substitution-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{invalid-jmespath-variable-substitution(deprecated) => invalid-jmespath-variable-substitution-deprecated}/pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{invalid-jmespath-variable-substitution(deprecated) => invalid-jmespath-variable-substitution-deprecated}/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{invalid-jmespath-variable-substitution(deprecated) => invalid-jmespath-variable-substitution-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{schema-validation-for-mutateExisting(deprecated) => schema-validation-for-mutateExisting-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{schema-validation-for-mutateExisting(deprecated) => schema-validation-for-mutateExisting-deprecated}/chainsaw-step-00-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{schema-validation-for-mutateExisting(deprecated) => schema-validation-for-mutateExisting-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{schema-validation-for-mutateExisting(deprecated) => schema-validation-for-mutateExisting-deprecated}/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{schema-validation-for-mutateExisting(deprecated) => schema-validation-for-mutateExisting-deprecated}/policy.yaml (100%) 
rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-fail(deprecated) => validate-pattern-should-fail-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-fail(deprecated) => validate-pattern-should-fail-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-fail(deprecated) => validate-pattern-should-fail-deprecated}/event-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-fail(deprecated) => validate-pattern-should-fail-deprecated}/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-fail(deprecated) => validate-pattern-should-fail-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-fail(deprecated) => validate-pattern-should-fail-deprecated}/resource.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-pass(deprecated) => validate-pattern-should-pass-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-pass(deprecated) => validate-pattern-should-pass-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-pass(deprecated) => validate-pattern-should-pass-deprecated}/event-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-pass(deprecated) => validate-pattern-should-pass-deprecated}/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-pass(deprecated) => validate-pattern-should-pass-deprecated}/policy.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-pass(deprecated) => validate-pattern-should-pass-deprecated}/report-pass-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-pass(deprecated) => validate-pattern-should-pass-deprecated}/resource.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-skip(deprecated) => validate-pattern-should-skip-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-skip(deprecated) => validate-pattern-should-skip-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-skip(deprecated) => validate-pattern-should-skip-deprecated}/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-skip(deprecated) => validate-pattern-should-skip-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-skip(deprecated) => validate-pattern-should-skip-deprecated}/report-skip-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{validate-pattern-should-skip(deprecated) => validate-pattern-should-skip-deprecated}/resource.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{variable-substitution-failure-messages(deprecated) => variable-substitution-failure-messages-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{variable-substitution-failure-messages(deprecated) => variable-substitution-failure-messages-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{variable-substitution-failure-messages(deprecated) => variable-substitution-failure-messages-deprecated}/pod.yaml (100%) 
rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{variable-substitution-failure-messages(deprecated) => variable-substitution-failure-messages-deprecated}/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/cornercases/{variable-substitution-failure-messages(deprecated) => variable-substitution-failure-messages-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/lazyload/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/lazyload/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/lazyload/chainsaw-step-01-apply-1-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/lazyload/chainsaw-step-01-apply-1-3.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/lazyload/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/lazyload/chainsaw-step-01-assert-1-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/lazyload/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/subjectaccessreview/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/subjectaccessreview/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/subjectaccessreview/chainsaw-step-01-apply-1-2.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/subjectaccessreview/chainsaw-step-01-apply-1-3.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/subjectaccessreview/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/subjectaccessreview/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/subjectaccessreview/cm-default-ns.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{apicalls(deprecated) => apicalls-deprecated}/subjectaccessreview/cm-test-ns.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-match-clusterRoles/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-match-clusterRoles/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-match-clusterRoles/manifests.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-match-roles/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-match-roles/chainsaw-step-02-error-1-1.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-match-roles/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-match-roles/manifests.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-roles/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-roles/chainsaw-step-02-error-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-roles/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-roles/manifests.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-serviceAccountName/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-serviceAccountName/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-serviceAccountName/manifests.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-userInfo/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => 
audit-deprecated}/background-vars-userInfo/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/background-vars-userInfo/manifests.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/configmap-context-lookup/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/configmap-context-lookup/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/configmap-context-lookup/chainsaw-step-01-apply-1-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/configmap-context-lookup/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/configmap-context-lookup/chainsaw-step-02-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/configmap-context-lookup/chainsaw-step-02-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/configmap-context-lookup/chainsaw-step-03-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{audit(deprecated) => audit-deprecated}/configmap-context-lookup/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/authorizor-checks/with-permissions/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => 
cel-deprecated}/authorizor-checks/with-permissions/pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/authorizor-checks/with-permissions/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/authorizor-checks/with-permissions/rbac.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/authorizor-checks/with-permissions/serviceaccount.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/authorizor-checks/without-permissions/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/authorizor-checks/without-permissions/deployment.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/authorizor-checks/without-permissions/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/authorizor-checks/without-permissions/rbac.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/authorizor-checks/without-permissions/serviceaccount.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-preconditions/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-preconditions/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-preconditions/pod-fail.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-preconditions/pod-pass.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => 
cel-deprecated}/cel-preconditions/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-preconditions/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-variables/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-variables/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-variables/deployments-fail.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-variables/deployments-pass.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-variables/ns.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-variables/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/cel-variables/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/check-statefulset-namespace/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/check-statefulset-namespace/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/check-statefulset-namespace/ns.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/check-statefulset-namespace/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/check-statefulset-namespace/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => 
cel-deprecated}/check-statefulset-namespace/statefulset-fail.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/check-statefulset-namespace/statefulset-pass.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/disallow-host-port/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/disallow-host-port/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/disallow-host-port/pod-fail.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/disallow-host-port/pod-pass.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/disallow-host-port/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/disallow-host-port/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/clusterscoped/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/clusterscoped/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/clusterscoped/crd-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/clusterscoped/crd.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/clusterscoped/namespaceConstraint.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => 
cel-deprecated}/parameter-resources/clusterscoped/ns-fail.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/clusterscoped/ns-pass.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/clusterscoped/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/clusterscoped/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/match-clusterscoped-resource/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/match-clusterscoped-resource/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml (100%) 
rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/set-paramref-namespace/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/set-paramref-namespace/crd.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/set-paramref-namespace/ns.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/set-paramref-namespace/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/unset-paramref-namespace/README.md (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{cel(deprecated) => cel-deprecated}/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-pod/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-pod/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => 
debug-deprecated}/with-pod/policies-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-pod/policies.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-pod/resources.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-subresource/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-subresource/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-subresource/policies-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-subresource/policies.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-subresource/resources.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-wildcard/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-wildcard/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-wildcard/policies-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-wildcard/policies.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{debug(deprecated) => debug-deprecated}/with-wildcard/resources.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/api-initiated-pod-eviction/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) 
=> enforce-deprecated}/api-initiated-pod-eviction/api-initiated-eviction.sh (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/api-initiated-pod-eviction/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/api-initiated-pod-eviction/chainsaw-step-01-apply-1-3.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/api-initiated-pod-eviction/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/api-initiated-pod-eviction/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/api-initiated-pod-eviction/eviction.json (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/block-pod-exec-requests/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/block-pod-exec-requests/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/block-pod-exec-requests/chainsaw-step-01-apply-1-3.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/block-pod-exec-requests/chainsaw-step-01-assert-1-1.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/block-pod-exec-requests/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/bypass-with-policy-exception/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/bypass-with-policy-exception/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/bypass-with-policy-exception/chainsaw-step-01-apply-1-3.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/bypass-with-policy-exception/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/bypass-with-policy-exception/chainsaw-step-01-assert-1-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/bypass-with-policy-exception/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/csr/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/csr/chainsaw-test.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/csr/csr-mutated.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/csr/csr.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/csr/policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/csr/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/bad-pod-ready.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/bad-pod-update-test.sh (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/good-pod-ready.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/good-pod-update-test.sh (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/policy-ready.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/enforce-validate-existing/update-bad-pod-to-comply.sh (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/failure-policy-ignore-anchor/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/failure-policy-ignore-anchor/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/failure-policy-ignore-anchor/pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/failure-policy-ignore-anchor/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/failure-policy-ignore-anchor/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/ns-selector-with-wildcard-kind/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/ns-selector-with-wildcard-kind/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/ns-selector-with-wildcard-kind/ns.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/ns-selector-with-wildcard-kind/pod-fail.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/ns-selector-with-wildcard-kind/pod-pass.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => 
enforce-deprecated}/ns-selector-with-wildcard-kind/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/ns-selector-with-wildcard-kind/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-allnotin-01/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-allnotin-01/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-allnotin-01/chainsaw-step-03-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-allnotin-01/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-allnotin-01/resource.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-anyin-boolean/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-anyin-boolean/chainsaw-step-02-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-anyin-boolean/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/operator-anyin-boolean/pod.yaml (100%) 
rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/resource-apply-block/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/resource-apply-block/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/resource-apply-block/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/resource-apply-block/chainsaw-step-03-error-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/resource-apply-block/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/resource-apply-block/resource.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/scaling-with-kubectl-scale/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-3.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-2.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{enforce(deprecated) => enforce-deprecated}/scaling-with-kubectl-scale/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{gvk(deprecated) => gvk-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{gvk(deprecated) => gvk-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{gvk(deprecated) => gvk-deprecated}/crd-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{gvk(deprecated) => gvk-deprecated}/crd-ready-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{gvk(deprecated) => gvk-deprecated}/crd-ready.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{gvk(deprecated) => gvk-deprecated}/crd.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{gvk(deprecated) => gvk-deprecated}/policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{gvk(deprecated) => gvk-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{gvk(deprecated) => gvk-deprecated}/task.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/seccomp-latest-check-no-exclusion/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/seccomp-latest-check-no-exclusion/bad-pod-1.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/seccomp-latest-check-no-exclusion/bad-pod-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/seccomp-latest-check-no-exclusion/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => 
psa-deprecated}/seccomp-latest-check-no-exclusion/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/seccomp-latest-check-no-exclusion/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/seccomp-latest-check-no-exclusion/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-deletion-request/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-deletion-request/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-deletion-request/manifests.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-deletion-request/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-deletion-request/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-capabilities/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-capabilities/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-capabilities/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-capabilities/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-capabilities/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => 
psa-deprecated}/test-exclusion-capabilities/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-capabilities/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-namespaces/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-namespaces/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-namespaces/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-namespaces/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-namespaces/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-namespaces/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-namespaces/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-ports/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-ports/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-ports/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-ports/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => 
psa-deprecated}/test-exclusion-host-ports/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-ports/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-host-ports/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostpath-volume/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostpath-volume/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostpath-volume/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostpath-volume/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostpath-volume/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostpath-volume/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostpath-volume/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostprocesses/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostprocesses/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostprocesses/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => 
psa-deprecated}/test-exclusion-hostprocesses/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostprocesses/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostprocesses/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-hostprocesses/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privilege-escalation/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privilege-escalation/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privilege-escalation/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privilege-escalation/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privilege-escalation/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privilege-escalation/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privilege-escalation/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privileged-containers/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privileged-containers/bad-pod.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privileged-containers/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privileged-containers/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privileged-containers/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privileged-containers/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-privileged-containers/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-capabilities/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-capabilities/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-capabilities/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-capabilities/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-capabilities/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-capabilities/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-capabilities/policy.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-seccomp/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-seccomp/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-seccomp/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-seccomp/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-seccomp/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-seccomp/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-restricted-seccomp/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot-user/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot-user/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot-user/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot-user/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => 
psa-deprecated}/test-exclusion-running-as-nonroot-user/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot-user/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-running-as-nonroot/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-seccomp/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-seccomp/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-seccomp/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-seccomp/excluded-pod.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-seccomp/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-seccomp/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-seccomp/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-selinux/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-selinux/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-selinux/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-selinux/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-selinux/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-selinux/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-selinux/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-sysctls/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-sysctls/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-sysctls/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => 
psa-deprecated}/test-exclusion-sysctls/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-sysctls/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-sysctls/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-sysctls/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-volume-types/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-volume-types/bad-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-volume-types/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-volume-types/excluded-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-volume-types/good-pod.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-volume-types/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{psa(deprecated) => psa-deprecated}/test-exclusion-volume-types/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{subresource copy => subresource-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{subresource copy => subresource-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{subresource copy => subresource-deprecated}/policies-assert.yaml (100%) rename 
test/conformance/chainsaw/validate/clusterpolicy/standard/{subresource copy => subresource-deprecated}/policies.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/{subresource copy => subresource-deprecated}/resources.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/{conditions(deprecated) => conditions-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/{conditions(deprecated) => conditions-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/{conditions(deprecated) => conditions-deprecated}/pod-bad.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/{conditions(deprecated) => conditions-deprecated}/pod-good.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/{conditions(deprecated) => conditions-deprecated}/policy-2.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/{conditions(deprecated) => conditions-deprecated}/policy-assert.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/{conditions(deprecated) => conditions-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/{block-verifyimage(deprecated) => block-verifyimage-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/{block-verifyimage(deprecated) => block-verifyimage-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/{block-verifyimage(deprecated) => block-verifyimage-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{adding-key-to-config-map(deprecated) => adding-key-to-config-map-deprecated}/README.md (100%) rename 
test/conformance/chainsaw/validate/e2e/{adding-key-to-config-map(deprecated) => adding-key-to-config-map-deprecated}/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{adding-key-to-config-map(deprecated) => adding-key-to-config-map-deprecated}/chainsaw-step-01-apply-1-2.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{adding-key-to-config-map(deprecated) => adding-key-to-config-map-deprecated}/chainsaw-step-01-apply-1-3.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{adding-key-to-config-map(deprecated) => adding-key-to-config-map-deprecated}/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{adding-key-to-config-map(deprecated) => adding-key-to-config-map-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{global-anchor copy(deprecated) => global-anchor-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/e2e/{global-anchor copy(deprecated) => global-anchor-deprecated}/bad.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{global-anchor copy(deprecated) => global-anchor-deprecated}/chainsaw-step-02-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{global-anchor copy(deprecated) => global-anchor-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{global-anchor copy(deprecated) => global-anchor-deprecated}/policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{global-anchor copy(deprecated) => global-anchor-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{lowercase-kind-crd(deprecated) => lowercase-kind-crd-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/e2e/{lowercase-kind-crd(deprecated) => lowercase-kind-crd-deprecated}/chainsaw-step-01-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{lowercase-kind-crd(deprecated) => 
lowercase-kind-crd-deprecated}/chainsaw-step-01-apply-1-2.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{lowercase-kind-crd(deprecated) => lowercase-kind-crd-deprecated}/chainsaw-step-01-assert-1-1.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{lowercase-kind-crd(deprecated) => lowercase-kind-crd-deprecated}/chainsaw-step-01-assert-1-2.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{lowercase-kind-crd(deprecated) => lowercase-kind-crd-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{lowercase-kind-crd(deprecated) => lowercase-kind-crd-deprecated}/postgresqls-ready.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{lowercase-kind-crd(deprecated) => lowercase-kind-crd-deprecated}/postgresqls.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{lowercase-kind-crd(deprecated) => lowercase-kind-crd-deprecated}/resource.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{old-object-exists(deprecated) => old-object-exists-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/e2e/{old-object-exists(deprecated) => old-object-exists-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{old-object-exists(deprecated) => old-object-exists-deprecated}/ns-ready.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{old-object-exists(deprecated) => old-object-exists-deprecated}/ns-update.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{old-object-exists(deprecated) => old-object-exists-deprecated}/ns.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{old-object-exists(deprecated) => old-object-exists-deprecated}/policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{old-object-exists(deprecated) => old-object-exists-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{trusted-images(deprecated) => trusted-images-deprecated}/README.md (100%) rename 
test/conformance/chainsaw/validate/e2e/{trusted-images(deprecated) => trusted-images-deprecated}/bad.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{trusted-images(deprecated) => trusted-images-deprecated}/chainsaw-step-02-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{trusted-images(deprecated) => trusted-images-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{trusted-images(deprecated) => trusted-images-deprecated}/policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{trusted-images(deprecated) => trusted-images-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{x509-decode(deprecated) => x509-decode-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/e2e/{x509-decode(deprecated) => x509-decode-deprecated}/bad.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{x509-decode(deprecated) => x509-decode-deprecated}/chainsaw-step-03-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{x509-decode(deprecated) => x509-decode-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{x509-decode(deprecated) => x509-decode-deprecated}/policy-ready.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{x509-decode(deprecated) => x509-decode-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{yaml-signing(deprecated) => yaml-signing-deprecated}/README.md (100%) rename test/conformance/chainsaw/validate/e2e/{yaml-signing(deprecated) => yaml-signing-deprecated}/bad.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{yaml-signing(deprecated) => yaml-signing-deprecated}/chainsaw-step-02-apply-1-1.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{yaml-signing(deprecated) => yaml-signing-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/validate/e2e/{yaml-signing(deprecated) => yaml-signing-deprecated}/policy-ready.yaml (100%) rename 
test/conformance/chainsaw/validate/e2e/{yaml-signing(deprecated) => yaml-signing-deprecated}/policy.yaml (100%) rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{failure-policy-test-noconfigmap-diffimage-success(deprecated) => failure-policy-test-noconfigmap-diffimage-success-deprecated}/README.md (100%) rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{failure-policy-test-noconfigmap-diffimage-success(deprecated) => failure-policy-test-noconfigmap-diffimage-success-deprecated}/bad-pod.yaml (100%) rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{failure-policy-test-noconfigmap-diffimage-success(deprecated) => failure-policy-test-noconfigmap-diffimage-success-deprecated}/chainsaw-step-02-apply-1.yaml (100%) rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{failure-policy-test-noconfigmap-diffimage-success(deprecated) => failure-policy-test-noconfigmap-diffimage-success-deprecated}/chainsaw-test.yaml (100%) rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{failure-policy-test-noconfigmap-diffimage-success(deprecated) => failure-policy-test-noconfigmap-diffimage-success-deprecated}/policy-ready.yaml (100%) rename test/conformance/chainsaw/verifyImages/clusterpolicy/standard/{failure-policy-test-noconfigmap-diffimage-success(deprecated) => failure-policy-test-noconfigmap-diffimage-success-deprecated}/policy.yaml (100%)
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/README.md b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/README.md
rename to test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/README.md
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy-assert.yaml
rename to test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy-assert.yaml
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy.yaml
rename to test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/webhooks-assert.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/webhooks-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/webhooks-assert.yaml
rename to test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/webhooks-assert.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/README.md
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/README.md
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-apply-1-1.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-apply-1-2.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-apply-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-apply-1-2.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-apply-1-2.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-apply-1-3.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-apply-1-3.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-apply-1-3.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-apply-1-3.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-apply-1-4.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-apply-1-4.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-apply-1-4.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-apply-1-4.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-apply-1-5.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-apply-1-5.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-apply-1-5.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-apply-1-5.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-assert-1-1.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-assert-1-2.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-assert-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-02-assert-1-2.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-02-assert-1-2.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-04-apply-1-1.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-04-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-04-apply-1-1.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-04-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-05-apply-1-1.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-05-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-05-apply-1-1.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-05-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-06-error-1-1.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-06-error-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-step-06-error-1-1.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-step-06-error-1-1.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/update-mycm.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/update-mycm.yaml
similarity index 100%
rename from test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing(deprecated)/update-mycm.yaml
rename to test/conformance/chainsaw/mutate/clusterpolicy/cornercases/variables-mutate-existing-deprecated/update-mycm.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/README.md
rename to test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/README.md
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-1.yaml
rename to test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-2.yaml
rename to test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml
diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/anchors/conditional-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/anchors/conditional(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/anchors/conditional-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/labelled-resource.yaml b/test/conformance/chainsaw/validate/anchors/conditional-deprecated/labelled-resource.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/anchors/conditional(deprecated)/labelled-resource.yaml
rename to test/conformance/chainsaw/validate/anchors/conditional-deprecated/labelled-resource.yaml
diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/namespace.yaml b/test/conformance/chainsaw/validate/anchors/conditional-deprecated/namespace.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/anchors/conditional(deprecated)/namespace.yaml
rename to test/conformance/chainsaw/validate/anchors/conditional-deprecated/namespace.yaml
diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/anchors/conditional-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/anchors/conditional(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/validate/anchors/conditional-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/anchors/conditional-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/anchors/conditional(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/anchors/conditional-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/anchors/conditional(deprecated)/unlabelled-resource.yaml b/test/conformance/chainsaw/validate/anchors/conditional-deprecated/unlabelled-resource.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/anchors/conditional(deprecated)/unlabelled-resource.yaml
rename to test/conformance/chainsaw/validate/anchors/conditional-deprecated/unlabelled-resource.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/chainsaw-step-05-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/chainsaw-step-05-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/chainsaw-step-05-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/chainsaw-step-05-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/ns.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/ns.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/service.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/service.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion(deprecated)/service.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/apply-on-deletion-deprecated/service.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure-deprecated/pod-fail.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/pod-fail.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure-deprecated/pod-fail.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure-deprecated/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure-deprecated/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/policy-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/policy-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/policy-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/policy-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-assert1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/policy-assert1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-assert1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/policy-assert1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-assert2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/policy-assert2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/policy-assert2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/policy-assert2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/resource.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure(deprecated)/resource.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/check-message-upon-resource-failure-deprecated/resource.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/chainsaw-step-04-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/chainsaw-step-04-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/chainsaw-step-04-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/chainsaw-step-04-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/resource-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/resource-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/resource-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/resource-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/resource.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers(deprecated)/resource.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/ephemeral-containers-deprecated/resource.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/cluster-policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/cluster-policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/cluster-policy-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/cluster-policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/cluster-policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/cluster-policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/cluster-policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/cluster-policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/keda-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/keda-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/keda-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/keda-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/keda.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/keda.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/keda.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/keda.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/external-metrics-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/invalid-jmespath-variable-substitution-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting(deprecated)/chainsaw-step-00-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting-deprecated/chainsaw-step-00-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting(deprecated)/chainsaw-step-00-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting-deprecated/chainsaw-step-00-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting-deprecated/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting(deprecated)/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting-deprecated/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/schema-validation-for-mutateExisting-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/event-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/event-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/event-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/event-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/resource.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail(deprecated)/resource.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-fail-deprecated/resource.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/event-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/event-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/event-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/event-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/report-pass-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/report-pass-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/report-pass-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/report-pass-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/resource.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass(deprecated)/resource.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-pass-deprecated/resource.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/report-skip-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/report-skip-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/report-skip-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/report-skip-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/resource.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip(deprecated)/resource.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/validate-pattern-should-skip-deprecated/resource.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-step-01-apply-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-step-01-apply-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-step-01-apply-1-3.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-apply-1-3.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-step-01-apply-1-3.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-assert-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-step-01-assert-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-step-01-assert-1-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-step-01-assert-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/lazyload/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/lazyload/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-step-01-apply-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-step-01-apply-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-step-01-apply-1-3.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-3.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-step-01-apply-1-3.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-step-01-apply-1-4.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/cm-default-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/cm-default-ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/cm-default-ns.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/cm-default-ns.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/cm-test-ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/cm-test-ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls(deprecated)/subjectaccessreview/cm-test-ns.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/apicalls-deprecated/subjectaccessreview/cm-test-ns.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-clusterRoles/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-clusterRoles/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-clusterRoles/chainsaw-step-02-error-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-clusterRoles/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-clusterRoles/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-clusterRoles/manifests.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-clusterRoles/manifests.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-clusterRoles/manifests.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-roles/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-roles/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-roles/chainsaw-step-02-error-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/chainsaw-step-02-error-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-roles/chainsaw-step-02-error-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-roles/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-roles/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-roles/manifests.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-match-roles/manifests.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-match-roles/manifests.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-roles/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-roles/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-roles/chainsaw-step-02-error-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/chainsaw-step-02-error-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-roles/chainsaw-step-02-error-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-roles/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-roles/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-roles/manifests.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-roles/manifests.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-roles/manifests.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-serviceAccountName/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-serviceAccountName/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-serviceAccountName/chainsaw-step-02-error-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-serviceAccountName/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-serviceAccountName/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-serviceAccountName/manifests.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-serviceAccountName/manifests.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-serviceAccountName/manifests.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-userInfo/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-userInfo/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-userInfo/chainsaw-step-02-error-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-userInfo/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-userInfo/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-userInfo/manifests.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/background-vars-userInfo/manifests.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/background-vars-userInfo/manifests.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-01-apply-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-01-apply-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-01-apply-1-3.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-02-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-02-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-02-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-02-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-02-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-02-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-03-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-03-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-step-03-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-step-03-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/audit(deprecated)/configmap-context-lookup/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/audit-deprecated/configmap-context-lookup/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/with-permissions/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/with-permissions/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/with-permissions/pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/with-permissions/pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/with-permissions/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/with-permissions/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/rbac.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/with-permissions/rbac.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/rbac.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/with-permissions/rbac.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/serviceaccount.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/with-permissions/serviceaccount.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/serviceaccount.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/with-permissions/serviceaccount.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/without-permissions/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/without-permissions/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/deployment.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/without-permissions/deployment.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/deployment.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/without-permissions/deployment.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/without-permissions/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/without-permissions/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/rbac.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/without-permissions/rbac.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/rbac.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/without-permissions/rbac.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/serviceaccount.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/without-permissions/serviceaccount.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/serviceaccount.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/authorizor-checks/without-permissions/serviceaccount.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/pod-fail.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/pod-fail.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/pod-fail.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/pod-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/pod-pass.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/pod-pass.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/pod-pass.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-preconditions/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/deployments-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/deployments-fail.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/deployments-fail.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/deployments-fail.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/deployments-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/deployments-pass.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/deployments-pass.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/deployments-pass.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/ns.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/ns.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/cel-variables/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/ns.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/ns.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/statefulset-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/statefulset-fail.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/statefulset-fail.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/statefulset-fail.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/statefulset-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/statefulset-pass.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/statefulset-pass.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/check-statefulset-namespace/statefulset-pass.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/pod-fail.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/pod-fail.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/pod-fail.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/pod-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/pod-pass.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/pod-pass.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/pod-pass.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/disallow-host-port/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/crd-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/crd-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/crd-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/crd.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/crd.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/crd.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/namespaceConstraint.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/namespaceConstraint.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/namespaceConstraint.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/namespaceConstraint.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/ns-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/ns-fail.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/ns-fail.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/ns-fail.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/ns-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/ns-pass.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/ns-pass.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/ns-pass.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/clusterscoped/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/crd-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/crd.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/nameConstraint.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/ns.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/crd-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/crd.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/crd.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/crd.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/deployment-fail.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/deployment-pass.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/ns.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/ns.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/set-paramref-namespace/replicaLimit.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/crd-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/crd.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/ns.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/replicaLimit.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/statefulset-fail.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/cel-deprecated/parameter-resources/namespaced/unset-paramref-namespace/statefulset-pass.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-pod/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-pod/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-pod/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-pod/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-pod/policies-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/policies-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-pod/policies-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-pod/policies.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/policies.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-pod/policies.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-pod/resources.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-pod/resources.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-pod/resources.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-subresource/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-subresource/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-subresource/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-subresource/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-subresource/policies-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/policies-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-subresource/policies-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-subresource/policies.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/policies.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-subresource/policies.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-subresource/resources.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-subresource/resources.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-subresource/resources.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-wildcard/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-wildcard/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-wildcard/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-wildcard/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-wildcard/policies-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/policies-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-wildcard/policies-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-wildcard/policies.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/policies.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-wildcard/policies.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-wildcard/resources.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/debug(deprecated)/with-wildcard/resources.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/debug-deprecated/with-wildcard/resources.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/api-initiated-eviction.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/api-initiated-eviction.sh
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/api-initiated-eviction.sh
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/api-initiated-eviction.sh
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/chainsaw-step-01-apply-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/chainsaw-step-01-apply-1-3.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-apply-1-3.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/chainsaw-step-01-apply-1-3.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/eviction.json b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/eviction.json
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/api-initiated-pod-eviction/eviction.json
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/api-initiated-pod-eviction/eviction.json
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/chainsaw-step-01-apply-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/chainsaw-step-01-apply-1-3.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-apply-1-3.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/chainsaw-step-01-apply-1-3.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/block-pod-exec-requests/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/block-pod-exec-requests/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-apply-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-apply-1-3.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-3.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-apply-1-3.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-assert-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-assert-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/bypass-with-policy-exception/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/bypass-with-policy-exception/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/csr-mutated.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/csr-mutated.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/csr-mutated.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/csr-mutated.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/csr.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/csr.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/csr.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/csr.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/policy-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/csr/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/csr/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/bad-pod-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/bad-pod-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/bad-pod-update-test.sh
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod-update-test.sh
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/bad-pod-update-test.sh
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/good-pod-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/good-pod-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/good-pod-update-test.sh
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod-update-test.sh
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/good-pod-update-test.sh
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/policy-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/update-bad-pod-to-comply.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/update-bad-pod-to-comply.sh
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/enforce-validate-existing/update-bad-pod-to-comply.sh
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/enforce-validate-existing/update-bad-pod-to-comply.sh
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/failure-policy-ignore-anchor/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/failure-policy-ignore-anchor/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/failure-policy-ignore-anchor/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/failure-policy-ignore-anchor/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/failure-policy-ignore-anchor/pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/failure-policy-ignore-anchor/pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/failure-policy-ignore-anchor/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/failure-policy-ignore-anchor/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/failure-policy-ignore-anchor/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/failure-policy-ignore-anchor/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/failure-policy-ignore-anchor/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/ns.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/ns.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/ns.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/pod-fail.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/pod-fail.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/pod-fail.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/pod-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/pod-pass.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/pod-pass.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/pod-pass.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/ns-selector-with-wildcard-kind/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/ns-selector-with-wildcard-kind/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-03-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/chainsaw-step-03-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-step-03-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/chainsaw-step-03-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/resource.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-allnotin-01/resource.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-allnotin-01/resource.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-anyin-boolean/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-anyin-boolean/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-anyin-boolean/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-anyin-boolean/chainsaw-step-02-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-step-02-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-anyin-boolean/chainsaw-step-02-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-anyin-boolean/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-anyin-boolean/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-anyin-boolean/pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/operator-anyin-boolean/pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/operator-anyin-boolean/pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-03-error-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/chainsaw-step-03-error-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-step-03-error-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/chainsaw-step-03-error-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/resource.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/resource.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/resource-apply-block/resource.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/resource-apply-block/resource.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-3.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-3.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-step-01-apply-1-3.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-step-01-assert-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/enforce(deprecated)/scaling-with-kubectl-scale/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/enforce-deprecated/scaling-with-kubectl-scale/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/crd-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/crd-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-ready-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/crd-ready-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-ready-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/crd-ready-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/crd-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/crd-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/crd.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/crd.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/crd.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/task.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/task.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/gvk(deprecated)/task.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/gvk-deprecated/task.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/bad-pod-1.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/bad-pod-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/bad-pod-1.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/bad-pod-1.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/bad-pod-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/bad-pod-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/bad-pod-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/bad-pod-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/seccomp-latest-check-no-exclusion/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/seccomp-latest-check-no-exclusion/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-deletion-request/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-deletion-request/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-deletion-request/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-deletion-request/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-deletion-request/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-deletion-request/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-deletion-request/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-deletion-request/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-deletion-request/manifests.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-deletion-request/manifests.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-deletion-request/manifests.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-deletion-request/manifests.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-deletion-request/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-deletion-request/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-deletion-request/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-deletion-request/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-deletion-request/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-deletion-request/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-deletion-request/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-deletion-request/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-capabilities/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-capabilities/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-namespaces/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-namespaces/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-host-ports/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-host-ports/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostpath-volume/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostpath-volume/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-hostprocesses/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-hostprocesses/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privilege-escalation/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privilege-escalation/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-privileged-containers/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-privileged-containers/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-capabilities/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-capabilities/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-restricted-seccomp/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-restricted-seccomp/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot-user/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot-user/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-running-as-nonroot/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-running-as-nonroot/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-seccomp/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-seccomp/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-selinux/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-selinux/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-sysctls/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-sysctls/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/bad-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/bad-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/excluded-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/excluded-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/excluded-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/excluded-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/good-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/good-pod.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/good-pod.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/psa(deprecated)/test-exclusion-volume-types/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/psa-deprecated/test-exclusion-volume-types/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/subresource-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/subresource-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/policies-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource-deprecated/policies-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/policies-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/subresource-deprecated/policies-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/policies.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource-deprecated/policies.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/policies.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/subresource-deprecated/policies.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/subresource-deprecated/resources.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/subresource copy/resources.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/subresource-deprecated/resources.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/pod-bad.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/pod-bad.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/pod-bad.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/pod-bad.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/pod-good.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/pod-good.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/pod-good.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/pod-good.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy-2.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/policy-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy-2.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/policy-2.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/policy-assert.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy-assert.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/policy-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/variables/lazyload/conditions-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/README.md
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/clusterpolicy/standard/wildcard/block-verifyimage-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/README.md
rename to test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/chainsaw-step-01-apply-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-2.yaml
rename to test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/chainsaw-step-01-apply-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/chainsaw-step-01-apply-1-3.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-apply-1-3.yaml
rename to test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/chainsaw-step-01-apply-1-3.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/adding-key-to-config-map(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/e2e/adding-key-to-config-map-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/README.md
rename to test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/bad.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/bad.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/bad.yaml
rename to test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/bad.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/chainsaw-step-02-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/chainsaw-step-02-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/chainsaw-step-02-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/global-anchor copy(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/e2e/global-anchor-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/README.md
rename to test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/chainsaw-step-01-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/chainsaw-step-01-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/chainsaw-step-01-apply-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-apply-1-2.yaml
rename to test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/chainsaw-step-01-apply-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/chainsaw-step-01-assert-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-assert-1-1.yaml
rename to test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/chainsaw-step-01-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-assert-1-2.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/chainsaw-step-01-assert-1-2.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-step-01-assert-1-2.yaml
rename to test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/chainsaw-step-01-assert-1-2.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/postgresqls-ready.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/postgresqls-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/postgresqls-ready.yaml
rename to test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/postgresqls-ready.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/postgresqls.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/postgresqls.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/postgresqls.yaml
rename to test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/postgresqls.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/resource.yaml b/test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/resource.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/lowercase-kind-crd(deprecated)/resource.yaml
rename to test/conformance/chainsaw/validate/e2e/lowercase-kind-crd-deprecated/resource.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/README.md
rename to test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns-ready.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/ns-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns-ready.yaml
rename to test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/ns-ready.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns-update.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/ns-update.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns-update.yaml
rename to test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/ns-update.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/ns.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/ns.yaml
rename to test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/ns.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/old-object-exists(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/e2e/old-object-exists-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/README.md
rename to test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/bad.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/bad.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/bad.yaml
rename to test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/bad.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/chainsaw-step-02-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/chainsaw-step-02-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/chainsaw-step-02-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/trusted-images(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/e2e/trusted-images-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/README.md
rename to test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/bad.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/bad.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/bad.yaml
rename to test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/bad.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/chainsaw-step-03-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/chainsaw-step-03-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/chainsaw-step-03-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/chainsaw-step-03-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/x509-decode(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/e2e/x509-decode-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/README.md
rename to test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/README.md
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/bad.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/bad.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/bad.yaml
rename to test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/bad.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/chainsaw-step-02-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-step-02-apply-1-1.yaml
rename to test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/chainsaw-step-02-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy.yaml
rename to test/conformance/chainsaw/validate/e2e/yaml-signing-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/README.md
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/README.md
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/bad-pod.yaml
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/bad-pod.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/bad-pod.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-step-02-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/chainsaw-step-02-apply-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-step-02-apply-1.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/chainsaw-step-02-apply-1.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy.yaml
rename to test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml
From 8a01d6db3129f062e0cd9d27823d3a1120c8dce8 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Wed, 17 Jul 2024 00:09:46 -0700
Subject: [PATCH 11/44] update governance (#10669)
Signed-off-by: Jim Bugwadia
---
CODE_OF_CONDUCT.md | 36 +-----------
CONTRIBUTING.md | 137 ++++-----------------------------------------
GOVERNANCE.md | 38 +------------
README.md | 6 +-
4 files changed, 18 insertions(+), 199 deletions(-)
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
index 7d3ef13fea21..f8848736e2a9 100644
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,36 +1,6 @@ -# Kyverno Community Code of Conduct v1.0 +# Code of Conduct -## Contributor Code of Conduct +[Kyverno and its sub-projects](https://github.com/kyverno#projects) follow the Code of Conduct published and maintained at https://github.com/kyverno/community/blob/main/CODE_OF_CONDUCT.md. + -As contributors and maintainers of this project, and in the interest of fostering -an open and welcoming community, we pledge to respect all people who contribute -through reporting issues, posting feature requests, updating documentation, -submitting pull requests or patches, and other activities. -We are committed to making participation in this project a harassment-free experience for -everyone, regardless of level of experience, gender, gender identity and expression, -sexual orientation, disability, personal appearance, body size, race, ethnicity, age, -religion, or nationality. - -Examples of unacceptable behavior by participants include: - -* The use of sexualized language or imagery -* Personal attacks -* Trolling or insulting/derogatory comments -* Public or private harassment -* Publishing other's private information, such as physical or electronic addresses, without explicit permission -* Other unethical or unprofessional conduct. - -Project maintainers have the right and responsibility to remove, edit, or reject -comments, commits, code, wiki edits, issues, and other contributions that are not -aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers -commit themselves to fairly and consistently applying these principles to every aspect -of managing this project. Project maintainers who do not follow or enforce the Code of -Conduct may be permanently removed from the project team. - -This code of conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. 
- -Instances of abusive, harassing, or otherwise unacceptable behavior in Kubernetes may be reported by contacting the project maintainer(s). - -This Code of Conduct is adapted from the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md) and the [Contributor Covenant](https://www.contributor-covenant.org/), [version 1.2.0](https://www.contributor-covenant.org/version/1/2/0/code-of-conduct/). diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d7a73ec83b37..414a239e4b29 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,46 +1,24 @@ -# Contributing Guidelines for Kyverno +# Contributor Guidelines for Kyverno -We welcome all contributions, suggestions, and feedback, so please do not hesitate to reach out! +[Kyverno and its sub-projects](https://github.com/kyverno#projects) follow the contributor guidelines published at: https://github.com/kyverno/community/blob/main/CODE_OF_CONDUCT.md. -Before you contribute, please take a moment to review and agree to abide by our community [Code of Conduct](/CODE_OF_CONDUCT.md). +Please review the general guidelines before proceeding further to the project specific information below. -- [Contributing Guidelines for Kyverno](#contributing-guidelines-for-kyverno) - - [Engage with us](#engage-with-us) - - [Ways you can contribute](#ways-you-can-contribute) - - [1. Report issues](#1-report-issues) - - [2. Fix or Improve Documentation](#2-fix-or-improve-documentation) - - [3. Submit Pull Requests](#3-submit-pull-requests) - - [How to Create a PR](#how-to-create-a-pr) - - [Developer Certificate of Origin (DCO) Sign off](#developer-certificate-of-origin-dco-sign-off) - - [Release Processes](#release-processes) +### Fix or Improve Kyverno Documentation -## Engage with us - -The Kyverno website has the most updated information on [how to engage with the Kyverno community](https://kyverno.io/community/) including its maintainers and contributors. There are three classes of contributors possible: Contributor, Code Owner, and Maintainer. Please see the [Contributing section on the website](https://kyverno.io/community/#contributing) for the requirements and privileges afforded to each. - -Join our community meetings to learn more about Kyverno and engage with other contributors. - -## Ways you can contribute - -### 1. 
Report issues - -Issues to Kyverno help improve the project in multiple ways including the following: - -- Report potential bugs -- Request a feature -- Request a sample policy +The [Kyverno website](https://kyverno.io), like the main Kyverno codebase, is stored in its own [git repo](https://github.com/kyverno/website). To get started with contributions to the documentation, [follow the guide](https://github.com/kyverno/website#contributing) on that repository. -### 2. Fix or Improve Documentation +### Developer Guides -The [Kyverno website](https://kyverno.io), like the main Kyverno codebase, is stored in its own [git repo](https://github.com/kyverno/website). To get started with contributions to the documentation, [follow the guide](https://github.com/kyverno/website#contributing) on that repository. +To learn about the code base and developer processes, refer to the [development guide](/DEVELOPMENT.md). -### 3. Submit Pull Requests +### Good First Issues -[Pull requests](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests) (PRs) allow you to contribute back the changes you've made on your side enabling others in the community to benefit from your hard work. They are the main source by which all changes are made to this project and are a standard piece of GitHub operational flows. +Maintainers identify issues that are ideal for new contributors with a `good first issue` label. -New contributors may easily view all [open issues labeled as good first issues](https://github.com/kyverno/kyverno/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) allowing you to get started in an approachable manner. +View all Kyverno [good first issues](https://github.com/kyverno/kyverno/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22). -Once you wish to get started contributing to the code base, please refer to our [development guide](/DEVELOPMENT.md) for a how-to. 
+### Pull Request Guidelines In the process of submitting your PRs, please read and abide by the template provided to ensure the maintainers are able to understand your changes and quickly come up to speed. There are some important pieces that are required outside the code itself. Some of these are up to you, others are up to the maintainers. 
@@ -49,99 +27,6 @@ In the process of submitting your PRs, please read and abide by the template pro 3. Test your change with the [Kyverno CLI](https://kyverno.io/docs/kyverno-cli/) and provide a test manifest in the proper format. If your feature/fix does not work with the CLI, a separate issue requesting CLI support must be made. For changes which can be tested as an end user, we require conformance/e2e tests by using the `chainsaw` tool. See [here](https://github.com/kyverno/kyverno/tree/main/test/conformance/chainsaw/README.md) for a specific guide on how and when to write these tests. 4. Indicate which release this PR is triaged for (maintainers). This step is important especially for the documentation maintainers in order to understand when and where the necessary changes should be made. -#### How to Create a PR - -Head over to the project repository on GitHub and click the **"Fork"** button. With the forked copy, you can try new ideas and implement changes to the project. - -1. **Clone the repository to your device:** - -Get the link of your forked repository, paste it in your device terminal and clone it using the command. - -```sh -git clone https://hostname/YOUR-USERNAME/YOUR-REPOSITORY -``` - -2. **Create a branch:** - -Create a new brach and navigate to the branch using this command. - -```sh -git checkout -b -``` - -Great, it's time to start hacking! You can now go ahead to make all the changes you want. - -3. **Stage, Commit, and Push changes:** - -Now that we have implemented the required changes, use the command below to stage the changes and commit them. - -```sh -git add . -``` - -```sh -git commit -s -m "Commit message" -``` - -The `-s` signifies that you have signed off the commit. - -Go ahead and push your changes to GitHub using this command. 
- -```sh -git push -``` - -#### Cherry-pick PRs to release branches - -Add repository as remote - -```sh -git remote add https://github.com/kyverno/kyverno -``` -Then fetch the branches of remote: - -```sh -git fetch -``` - - You will notice that there are a number of branches related to Kyverno's releases such as release-1.7. You can always view the list of remote branches by using the command below: - -```sh -$ git branch -r -... -origin/release-1.5 -origin/release-1.6 -origin/release-1.7 -``` - -Checkout one of the release branch and cherry-pick the PRs you want to merge into the release branch: - -```sh -$ git checkout release-1.7 - -git cherry-pick -s - -git push --set-upstream origin release-1.7 -``` - -Once the commit has been cherry-picked, the author will need to open a PR merging to the release branch, release-1.7 for example. - -#### Developer Certificate of Origin (DCO) Sign off - -For contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project, we are requiring everyone to acknowledge this by signing their work which indicates you agree to the DCO found [here](https://developercertificate.org/). - -To sign your work, just add a line like this at the end of your commit message: - -```sh -Signed-off-by: Random J Developer -``` - -This can easily be done with the `-s` command line option to append this automatically to your commit message. - -```sh -git commit -s -m 'This is my commit message' -``` - ## Release Processes Review the Kyverno release process at: https://kyverno.io/docs/releases/ diff --git a/GOVERNANCE.md b/GOVERNANCE.md index 139a135470ef..66ae53316445 100644 --- a/GOVERNANCE.md +++ b/GOVERNANCE.md 
@@ -1,39 +1,3 @@ # Kyverno Governance -This document defines governance policies for the Kyverno project. - -- [Principles](#principles) -- [Code of Conduct](#code-of-conduct) -- [Meetings](#meetings) -- [Roles and Process in the Kyverno Community](#roles) -- [Conflict Resolutions](#conflict-resolutions) -- [Changes](#changes) -- [Credits](#credits) - -## Principles -The Kyverno project community adheres to the following principles: - -- Open: The Kyverno community strives to be open, accessible and welcoming to everyone. Anyone may contribute, and contributions are available to all users according to open source values and licenses. -- Transparent and accessible: Any changes to the Kyverno source code and collaborations on the project are publicly accessible (GitHub issues, PRs, and discussions). -- Merit: Ideas and contributions are accepted according to their technical merit and alignment with project objectives, scope, and design principles. - - -## Code of Conduct -Kyverno follow the [Code of Conduct](CODE_OF_CONDUCT.md), which is aligned with the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). - -## Meetings -Kyverno community meetings follow a defined [schedule](https://kyverno.io/community/#community-meetings). - -The maintainers will also have closed meetings in order to discuss security reports or Code of Conduct violations. Such meetings should be scheduled by any maintainer on receipt of a security issue or CoC report. All current Maintainers must be invited to such closed meetings, except for any maintainer who is accused of a CoC violation. - -## Roles -The Kyverno project welcomes all contributors and has well-defined roles specified at [Project Roles](https://kyverno.io/community/#project-roles). - -## Conflict Resolutions -Typically, it is assumed that disputes will be resolved amicably by those involved. However, if the situation becomes more serious, conflicts will be resolved through a voting process. 
A supermajority of votes from project maintainers is required to make a decision, and the project lead has the final say in the ruling. - -## Changes -This Project Governance is a living document. All key project changes including changes in project governance can be proposed by a GitHub PR and then reviewed and voted on by project maintainers. - -## Credits -Sections of this document have been borrowed from the [CoreDNS](https://github.com/coredns/coredns/blob/master/GOVERNANCE.md) and [fluxcd](https://github.com/fluxcd/community/blob/main/GOVERNANCE.md) projects. \ No newline at end of file +[Kyverno and its sub-projects](https://github.com/kyverno#projects) follow the governance published and maintained at https://github.com/kyverno/community/blob/main/GOVERNANCE.md. diff --git a/README.md b/README.md index 782de911c3b9..75db6e5321fc 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ ![logo](img/Kyverno_Horizontal.png)

-Kyverno is a policy engine designed for Kubernetes platform engineering teams. It enables security, automation, compliance, and governance using policy-as-code. Kyverno can validate, mutate, generate, and cleanup configurations using Kubernetes admission controls, background scans, and source code respository scans. Kyverno policies can be managed as Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.
+Kyverno is a policy engine designed for cloud native platform engineering teams. It enables security, automation, compliance, and governance using policy-as-code. Kyverno can validate, mutate, generate, and cleanup configurations using Kubernetes admission controls, background scans, and source code respository scans. Kyverno policies can also be used to verify OCI images, for software supply chain security. Kyverno policies can be managed as Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.

Date: Wed, 17 Jul 2024 12:09:03 +0000 Subject: [PATCH 12/44] chore(deps): bump cbrgm/cleanup-stale-branches-action (#10661) Bumps [cbrgm/cleanup-stale-branches-action](https://github.com/cbrgm/cleanup-stale-branches-action) from 1.1.18 to 1.1.19. - [Release notes](https://github.com/cbrgm/cleanup-stale-branches-action/releases) - [Commits](https://github.com/cbrgm/cleanup-stale-branches-action/compare/d0f8b6440d1a5eb71cec3ebe376d83a74b901ca0...03d7d18e1a5ca5663846c6399e0614941d4985c3) --- updated-dependencies: - dependency-name: cbrgm/cleanup-stale-branches-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/clean-stale-branches.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/clean-stale-branches.yaml b/.github/workflows/clean-stale-branches.yaml index af0025905084..48b123cabe17 100644 --- a/.github/workflows/clean-stale-branches.yaml +++ b/.github/workflows/clean-stale-branches.yaml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Cleanup Stale Branches - uses: cbrgm/cleanup-stale-branches-action@d0f8b6440d1a5eb71cec3ebe376d83a74b901ca0 # v1.1.18 + uses: cbrgm/cleanup-stale-branches-action@03d7d18e1a5ca5663846c6399e0614941d4985c3 # v1.1.19 with: token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.repository }} From c977844b39682be84cf064ddce1b181a00b2ee4f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 14:43:22 +0000 Subject: [PATCH 13/44] chore(deps): bump github/codeql-action from 3.25.11 to 3.25.12 (#10662) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.11 to 3.25.12. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b611370bb5703a7efb587f9d136a52ea24c5c38c...4fa2a7953630fd2f3fb380f21be14ede0169dd4f) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 75b81f1e8167..baf13854a052 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -40,6 +40,6 @@ jobs: path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 with: sarif_file: results.sarif From d738d1fef40e598ac6ebca6fc68c24169458c4d2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 15:33:07 +0000 Subject: [PATCH 14/44] chore(deps): bump github.com/google/go-containerregistry (#10670) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.20.0 to 0.20.1. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.20.0...v0.20.1) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 3a3a627acb4a..1dac6612ca2c 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/go-logr/logr v1.4.2 github.com/go-logr/zapr v1.3.0 github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 - github.com/google/go-containerregistry v0.20.0 + github.com/google/go-containerregistry v0.20.1 github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e github.com/in-toto/in-toto-golang v0.9.0 github.com/jmoiron/jsonq v0.0.0-20150511023944-e874b168d07e diff --git a/go.sum b/go.sum index 9691f54b1a1e..04250b0505b1 100644 --- a/go.sum +++ b/go.sum 
@@ -451,8 +451,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.20.0 h1:wRqHpOeVh3DnenOrPy9xDOLdnLatiGuuNRVelR2gSbg= -github.com/google/go-containerregistry v0.20.0/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= +github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0= +github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e h1:4HrYlQDhLjT1ys3ts5xGT2XKhK3qh0kbpxE8sw6Au7I= github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e/go.mod h1:8oYKXummIO/NNasXRCKr4DBziuA1MZ+VEhSQMYI8aJ0= github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg= From 279895c60056b1552476663b0fa814cb0e7d7597 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 16:31:08 +0000 Subject: [PATCH 15/44] chore(deps): bump github.com/cyphar/filepath-securejoin (#10652) Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.2.5 to 0.3.0. - [Release notes](https://github.com/cyphar/filepath-securejoin/releases) - [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.2.5...v0.3.0) --- updated-dependencies: - dependency-name: github.com/cyphar/filepath-securejoin dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 1dac6612ca2c..52a028f25652 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240525144225-0fe7eafab216 github.com/blang/semver/v4 v4.0.0 github.com/cenkalti/backoff v2.2.1+incompatible - github.com/cyphar/filepath-securejoin v0.2.5 + github.com/cyphar/filepath-securejoin v0.3.0 github.com/dgraph-io/ristretto v0.1.1 github.com/distribution/reference v0.6.0 github.com/evanphx/json-patch/v5 v5.9.0 diff --git a/go.sum b/go.sum index 04250b0505b1..d3aed0fb8a85 100644 --- a/go.sum +++ b/go.sum @@ -249,8 +249,8 @@ github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0= github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f h1:eHnXnuK47UlSTOQexbzxAZfekVz6i+LKRdj1CU5DPaM= github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo= -github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.3.0 h1:tXpmbiaeBrS/K2US8nhgwdKYnfAOnVfkcLPKFgFHeA0= +github.com/cyphar/filepath-securejoin v0.3.0/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs= github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= From 1f0ce82d118515f9d387e832d8b8ba706d4ff028 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jul 2024 15:36:46 +0800 Subject: [PATCH 16/44] chore(deps): bump k8s.io/api from 0.30.2 to 0.30.3 (#10674) Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.30.2 to 0.30.3. - [Commits](https://github.com/kubernetes/api/compare/v0.30.2...v0.30.3) --- updated-dependencies: - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 52a028f25652..e2a9d3d0b1cf 100644 --- a/go.mod +++ b/go.mod @@ -74,9 +74,9 @@ require ( gopkg.in/inf.v0 v0.9.1 gopkg.in/yaml.v2 v2.4.0 gotest.tools v2.2.0+incompatible - k8s.io/api v0.30.2 + k8s.io/api v0.30.3 k8s.io/apiextensions-apiserver v0.30.1 - k8s.io/apimachinery v0.30.2 + k8s.io/apimachinery v0.30.3 k8s.io/apiserver v0.30.1 k8s.io/cli-runtime v0.30.2 k8s.io/client-go v0.30.2 diff --git a/go.sum b/go.sum index d3aed0fb8a85..375f75b2345c 100644 --- a/go.sum +++ b/go.sum 
@@ -1204,12 +1204,12 @@ gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.30.2 h1:+ZhRj+28QT4UOH+BKznu4CBgPWgkXO7XAvMcMl0qKvI= -k8s.io/api v0.30.2/go.mod h1:ULg5g9JvOev2dG0u2hig4Z7tQ2hHIuS+m8MNZ+X6EmI= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= -k8s.io/apimachinery v0.30.2 h1:fEMcnBj6qkzzPGSVsAZtQThU62SmQ4ZymlXRC5yFSCg= -k8s.io/apimachinery v0.30.2/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= +k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= k8s.io/apiserver v0.30.1 h1:BEWEe8bzS12nMtDKXzCF5Q5ovp6LjjYkSp8qOPk8LZ8= k8s.io/apiserver v0.30.1/go.mod h1:i87ZnQ+/PGAmSbD/iEKM68bm1D5reX8fO4Ito4B01mo= k8s.io/cli-runtime v0.30.2 h1:ooM40eEJusbgHNEqnHziN9ZpLN5U4WcQGsdLKVxpkKE= From bdf961357261b751bacae5487d0c0a5b96bc7851 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 18 Jul 2024 09:19:55 +0000 Subject: [PATCH 17/44] chore(deps): bump k8s.io/apimachinery from 0.30.2 to 0.30.3 (#10676) Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.30.2 to 0.30.3. - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.30.2...v0.30.3) --- updated-dependencies: - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> From 90b24c70e5c7974a3de81c8a07309af3cd5089c7 Mon Sep 17 00:00:00 2001 From: shuting Date: Thu, 18 Jul 2024 19:06:47 +0800 Subject: [PATCH 18/44] disable up cleanup crobjob (#10678) Signed-off-by: ShutingZhao --- charts/kyverno/README.md | 2 +- charts/kyverno/values.yaml | 2 +- config/install-latest-testing.yaml | 50 ------------------------------ 3 files changed, 2 insertions(+), 52 deletions(-) diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index cc4df33b3b54..25dbe344b173 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md @@ -728,7 +728,7 @@ The chart values are organised per component. | Key | Type | Default | Description | |-----|------|---------|-------------| -| cleanupJobs.updateRequests.enabled | bool | `true` | Enable cleanup cronjob | +| cleanupJobs.updateRequests.enabled | bool | `false` | Enable cleanup cronjob | | cleanupJobs.updateRequests.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. | | cleanupJobs.updateRequests.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted | | cleanupJobs.updateRequests.image.registry | string | `nil` | Image registry | diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 42f0d0974e90..02de664dfe7d 100644 --- a/charts/kyverno/values.yaml 
+++ b/charts/kyverno/values.yaml @@ -687,7 +687,7 @@ cleanupJobs: updateRequests: # -- Enable cleanup cronjob - enabled: true + enabled: false # -- Maximum number of retries before considering a Job as failed. Defaults to 3. backoffLimit: 3 diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index f061435a6a5a..0ca855e3a4c0 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -45333,53 +45333,3 @@ spec: volumes: - name: sigstore emptyDir: {} ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: kyverno-cleanup-update-requests - namespace: kyverno - labels: - app.kubernetes.io/component: cleanup - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest -spec: - schedule: "*/10 * * * *" - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - backoffLimit: 3 - template: - metadata: - spec: - serviceAccountName: kyverno-cleanup-jobs - containers: - - name: cleanup - image: "bitnami/kubectl:1.30.2" - imagePullPolicy: - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get updaterequests.kyverno.io -A | wc -l) - if [ "$COUNT" -gt 10000 ]; then - echo "too many updaterequests found ($COUNT), cleaning up..." - kubectl delete updaterequests.kyverno.io --all -n kyverno - else - echo "($COUNT) reports found, no clean up needed" - fi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - restartPolicy: OnFailure From e9424a1be3423b2f1d45df5776bf15d6a49e116c Mon Sep 17 00:00:00 2001 From: shuting Date: Fri, 19 Jul 2024 16:59:28 +0800 Subject: [PATCH 19/44] extend timestamp (#10679) Signed-off-by: ShutingZhao --- .nancy-ignore | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
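Review bot: With `enabled: false` as the shipped default in `charts/kyverno/values.yaml`, the value comment `# -- Enable cleanup cronjob` no longer tells an operator what they lose by leaving it off. The CronJob removed from `config/install-latest-testing.yaml` in this same commit deleted UpdateRequests once more than 10000 had accumulated, so the comment could say so, e.g. `# -- Enable cleanup cronjob (off by default; purges UpdateRequests when they pile up)`. The README table row appears to be derived from this comment and would need the same wording. The commit message gives no reason for the flip; a sentence on why the job is no longer needed by default would help anyone upgrading with default values.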
diff --git a/.nancy-ignore b/.nancy-ignore
index b52e57abcf50..8bde1744cc5d 100644
--- a/.nancy-ignore
+++ b/.nancy-ignore
@@ -1,6 +1,6 @@
-# golang/k8s.io/apiserver@v0.29.2
-CVE-2020-8561 until=2024-06-30
-# golang/github.com/notaryproject/notation-go@v1.1.0
-CVE-2024-23332 until=2024-06-30
-# golang/github.com/hashicorp/vault/api@v1.12.2
-CVE-2024-2660 until=2024-06-30
+# golang/k8s.io/apiserver@v0.30.1
+CVE-2020-8561 until=2024-12-30
+# golang/github.com/notaryproject/notation-go@v1.1.1
+CVE-2024-23332 until=2024-12-30
+# golang/github.com/hashicorp/vault/api@v1.14.0
+CVE-2024-2660 until=2024-12-30
From 5f258c47d2d19b7a530dda349c44b8a6ccce8131 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 19 Jul 2024 09:49:18 +0000
Subject: [PATCH 20/44] chore(deps): bump k8s.io/client-go from 0.30.2 to 0.30.3 (#10689) Bumps [k8s.io/client-go](https://github.com/kubernetes/client-go) from 0.30.2 to 0.30.3. - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.30.2...v0.30.3) --- updated-dependencies: - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index e2a9d3d0b1cf..97196657883c 100644
--- a/go.mod
+++ b/go.mod
@@ -79,7 +79,7 @@ require (
 k8s.io/apimachinery v0.30.3
 k8s.io/apiserver v0.30.1
 k8s.io/cli-runtime v0.30.2
- k8s.io/client-go v0.30.2
+ k8s.io/client-go v0.30.3
 k8s.io/klog/v2 v2.130.1
 k8s.io/kube-aggregator v0.30.1
 k8s.io/pod-security-admission v0.30.1
diff --git a/go.sum b/go.sum
index 375f75b2345c..848193fcbc5e 100644
--- a/go.sum
+++ b/go.sum
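Review bot: All three suppressions in `.nancy-ignore` move from `until=2024-06-30` to `until=2024-12-30` with no recorded reason, and the old date had already passed when this commit was made (19 Jul 2024), so the entries had lapsed before being renewed. Each `# golang/...@version` comment names only the package; a second comment line per entry saying why the finding is accepted and where the fix is tracked would make the next extension a reviewable decision, e.g. `# accepted: <reason>; tracking: <issue link>`. A window shorter than six months would also force a re-check sooner after the next dependency bump.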
@@ -1214,8 +1214,8 @@ k8s.io/apiserver v0.30.1 h1:BEWEe8bzS12nMtDKXzCF5Q5ovp6LjjYkSp8qOPk8LZ8= k8s.io/apiserver v0.30.1/go.mod h1:i87ZnQ+/PGAmSbD/iEKM68bm1D5reX8fO4Ito4B01mo= k8s.io/cli-runtime v0.30.2 h1:ooM40eEJusbgHNEqnHziN9ZpLN5U4WcQGsdLKVxpkKE= k8s.io/cli-runtime v0.30.2/go.mod h1:Y4g/2XezFyTATQUbvV5WaChoUGhojv/jZAtdp5Zkm0A= -k8s.io/client-go v0.30.2 h1:sBIVJdojUNPDU/jObC+18tXWcTJVcwyqS9diGdWHk50= -k8s.io/client-go v0.30.2/go.mod h1:JglKSWULm9xlJLx4KCkfLLQ7XwtlbflV6uFFSHTMgVs= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= k8s.io/component-base v0.30.1 h1:bvAtlPh1UrdaZL20D9+sWxsJljMi0QZ3Lmw+kmZAaxQ= k8s.io/component-base v0.30.1/go.mod h1:e/X9kDiOebwlI41AvBHuWdqFriSRrX50CdwA9TFaHLI= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= From 04f4fc9a89a322732bc0c058498296a1edeea312 Mon Sep 17 00:00:00 2001 From: Laurent Lavaud Date: Fri, 19 Jul 2024 13:56:11 +0200 Subject: [PATCH 21/44] fix(helm): remove namespace from RoleBinding/roleRef field (#10685) - namespace is not a valid parameter for a RoleBinding/roleRef field Signed-off-by: Laurent Lavaud --- charts/kyverno/templates/hooks/pre-delete-configmap.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/kyverno/templates/hooks/pre-delete-configmap.yaml b/charts/kyverno/templates/hooks/pre-delete-configmap.yaml index 1e225c93615e..116fdc848537 100644 --- a/charts/kyverno/templates/hooks/pre-delete-configmap.yaml +++ b/charts/kyverno/templates/hooks/pre-delete-configmap.yaml @@ -36,7 +36,6 @@ roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: {{ template "kyverno.fullname" . }}:remove-configmap - namespace: {{ template "kyverno.namespace" . }} subjects: - kind: ServiceAccount name: {{ template "kyverno.fullname" . }}-remove-configmap From 0abaa4106ce7396a91d72c7af6b4da8fe87b7334 Mon Sep 17 00:00:00 2001 
From: shuting Date: Fri, 19 Jul 2024 21:06:31 +0800 Subject: [PATCH 22/44] add 1.12.6 (#10691) Signed-off-by: ShutingZhao --- .github/ISSUE_TEMPLATE/bug-cli.yaml | 1 + .github/ISSUE_TEMPLATE/bug-other.yaml | 1 + .github/ISSUE_TEMPLATE/bug-webhook.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/ISSUE_TEMPLATE/bug-cli.yaml b/.github/ISSUE_TEMPLATE/bug-cli.yaml index 8806d1a2f791..0b151db7e67a 100644 --- a/.github/ISSUE_TEMPLATE/bug-cli.yaml +++ b/.github/ISSUE_TEMPLATE/bug-cli.yaml @@ -44,6 +44,7 @@ body: - 1.12.2 - 1.12.3 - 1.12.4 + - 1.12.5 validations: required: true - type: textarea diff --git a/.github/ISSUE_TEMPLATE/bug-other.yaml b/.github/ISSUE_TEMPLATE/bug-other.yaml index 693bfacc1355..ea3af73841f5 100644 --- a/.github/ISSUE_TEMPLATE/bug-other.yaml +++ b/.github/ISSUE_TEMPLATE/bug-other.yaml @@ -43,6 +43,7 @@ body: - 1.12.2 - 1.12.3 - 1.12.4 + - 1.12.5 validations: required: true - type: textarea diff --git a/.github/ISSUE_TEMPLATE/bug-webhook.yaml b/.github/ISSUE_TEMPLATE/bug-webhook.yaml index 46e05eb918b5..e4ba65808bc1 100644 --- a/.github/ISSUE_TEMPLATE/bug-webhook.yaml +++ b/.github/ISSUE_TEMPLATE/bug-webhook.yaml @@ -43,6 +43,7 @@ body: - 1.12.2 - 1.12.3 - 1.12.4 + - 1.12.5 validations: required: true - type: dropdown From 974da43c55425e391e2215e1f1f0ddb334d2195d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Jul 2024 21:57:21 +0000 Subject: [PATCH 23/44] chore(deps): bump k8s.io/cli-runtime from 0.30.2 to 0.30.3 (#10690) Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.30.2 to 0.30.3. - [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.30.2...v0.30.3) --- updated-dependencies: - dependency-name: k8s.io/cli-runtime dependency-type: direct:production update-type: version-update:semver-patch ... 
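Review bot: The subject says `add 1.12.6`, but the line added to the version dropdown in `bug-cli.yaml`, and likewise in `bug-other.yaml` and `bug-webhook.yaml`, is `- 1.12.5`. Either the subject is mistyped or the wrong version was added; if 1.12.6 is the release being registered, the added line should read `- 1.12.6` in all three templates.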
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 97196657883c..6b8c8fd75440 100644 --- a/go.mod +++ b/go.mod @@ -78,7 +78,7 @@ require ( k8s.io/apiextensions-apiserver v0.30.1 k8s.io/apimachinery v0.30.3 k8s.io/apiserver v0.30.1 - k8s.io/cli-runtime v0.30.2 + k8s.io/cli-runtime v0.30.3 k8s.io/client-go v0.30.3 k8s.io/klog/v2 v2.130.1 k8s.io/kube-aggregator v0.30.1 diff --git a/go.sum b/go.sum index 848193fcbc5e..232058442d0a 100644 --- a/go.sum +++ b/go.sum @@ -1212,8 +1212,8 @@ k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= k8s.io/apiserver v0.30.1 h1:BEWEe8bzS12nMtDKXzCF5Q5ovp6LjjYkSp8qOPk8LZ8= k8s.io/apiserver v0.30.1/go.mod h1:i87ZnQ+/PGAmSbD/iEKM68bm1D5reX8fO4Ito4B01mo= -k8s.io/cli-runtime v0.30.2 h1:ooM40eEJusbgHNEqnHziN9ZpLN5U4WcQGsdLKVxpkKE= -k8s.io/cli-runtime v0.30.2/go.mod h1:Y4g/2XezFyTATQUbvV5WaChoUGhojv/jZAtdp5Zkm0A= +k8s.io/cli-runtime v0.30.3 h1:aG69oRzJuP2Q4o8dm+f5WJIX4ZBEwrvdID0+MXyUY6k= +k8s.io/cli-runtime v0.30.3/go.mod h1:hwrrRdd9P84CXSKzhHxrOivAR9BRnkMt0OeP5mj7X30= k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= k8s.io/component-base v0.30.1 h1:bvAtlPh1UrdaZL20D9+sWxsJljMi0QZ3Lmw+kmZAaxQ= From af8d4f9260c5833790655d8e18365a03fa9aa85c Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 07:14:22 +0000 Subject: [PATCH 24/44] chore(deps): bump github/codeql-action from 3.25.12 to 3.25.13 (#10697) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.12 to 3.25.13. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4fa2a7953630fd2f3fb380f21be14ede0169dd4f...2d790406f505036ef40ecba973cc774a50395aac) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index baf13854a052..9cb9e1135b5d 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -40,6 +40,6 @@ jobs: path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12 + uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 with: sarif_file: results.sarif From 0421c44659b5162ef573cef338954eafaa6bd460 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 10:34:31 +0000 Subject: [PATCH 25/44] chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.17.1 to 0.17.2 (#10695) Bumps [sigs.k8s.io/kustomize/kyaml](https://github.com/kubernetes-sigs/kustomize) from 0.17.1 to 0.17.2. - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases) - [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.17.1...api/v0.17.2) --- updated-dependencies: - dependency-name: sigs.k8s.io/kustomize/kyaml dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 6b8c8fd75440..d8b8798460d6 100644 --- a/go.mod +++ b/go.mod @@ -87,7 +87,7 @@ require ( sigs.k8s.io/controller-runtime v0.18.4 sigs.k8s.io/kubectl-validate v0.0.4 sigs.k8s.io/kustomize/api v0.17.2 - sigs.k8s.io/kustomize/kyaml v0.17.1 + sigs.k8s.io/kustomize/kyaml v0.17.2 sigs.k8s.io/release-utils v0.8.3 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 sigs.k8s.io/yaml v1.4.0 diff --git a/go.sum b/go.sum index 232058442d0a..7ebc11e41071 100644 --- a/go.sum +++ b/go.sum 
@@ -1242,8 +1242,8 @@ sigs.k8s.io/kubectl-validate v0.0.4 h1:tGKuv0awYHn11Cb6KPsZKxUmHgavF46K3NvVH0Nse sigs.k8s.io/kubectl-validate v0.0.4/go.mod h1:JTm3G+JZLPISqABh73uV7s/sW28q2zZqnTghOzahEKA= sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= -sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= -sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= +sigs.k8s.io/kustomize/kyaml v0.17.2 h1:+AzvoJUY0kq4QAhH/ydPHHMRLijtUKiyVyh7fOSshr0= +sigs.k8s.io/kustomize/kyaml v0.17.2/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= sigs.k8s.io/release-utils v0.8.3 h1:KtOtA4qDmzJyeQ2zkDsFVI25+NViwms/o5eL2NftFdA= sigs.k8s.io/release-utils v0.8.3/go.mod h1:fp82Fma06OXBhEJ+GUJKqvcplDBomruK1R/1fWJnsrQ= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= From 2f9f33183f1b8368a55ce1fdbb5274eaf02a6e51 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jul 2024 17:16:06 +0800 Subject: [PATCH 26/44] chore(deps): bump sigs.k8s.io/kustomize/api from 0.17.2 to 0.17.3 (#10696) Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.17.2 to 0.17.3. - [Release notes](https://github.com/kubernetes-sigs/kustomize/releases) - [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.17.2...api/v0.17.3) --- updated-dependencies: - dependency-name: sigs.k8s.io/kustomize/api dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index d8b8798460d6..d983e4657ea1 100644 --- a/go.mod +++ b/go.mod 
@@ -86,7 +86,7 @@ require ( k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 sigs.k8s.io/controller-runtime v0.18.4 sigs.k8s.io/kubectl-validate v0.0.4 - sigs.k8s.io/kustomize/api v0.17.2 + sigs.k8s.io/kustomize/api v0.17.3 sigs.k8s.io/kustomize/kyaml v0.17.2 sigs.k8s.io/release-utils v0.8.3 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 diff --git a/go.sum b/go.sum index 7ebc11e41071..38cdf8507c33 100644 --- a/go.sum +++ b/go.sum @@ -1240,8 +1240,8 @@ sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMm sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kubectl-validate v0.0.4 h1:tGKuv0awYHn11Cb6KPsZKxUmHgavF46K3NvVH0Nse9U= sigs.k8s.io/kubectl-validate v0.0.4/go.mod h1:JTm3G+JZLPISqABh73uV7s/sW28q2zZqnTghOzahEKA= -sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= -sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= +sigs.k8s.io/kustomize/api v0.17.3 h1:6GCuHSsxq7fN5yhF2XrC+AAr8gxQwhexgHflOAD/JJU= +sigs.k8s.io/kustomize/api v0.17.3/go.mod h1:TuDH4mdx7jTfK61SQ/j1QZM/QWR+5rmEiNjvYlhzFhc= sigs.k8s.io/kustomize/kyaml v0.17.2 h1:+AzvoJUY0kq4QAhH/ydPHHMRLijtUKiyVyh7fOSshr0= sigs.k8s.io/kustomize/kyaml v0.17.2/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= sigs.k8s.io/release-utils v0.8.3 h1:KtOtA4qDmzJyeQ2zkDsFVI25+NViwms/o5eL2NftFdA= From db45329cd669ab1b2f33d952fe6212ce894476bc Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:10:59 +0000 Subject: [PATCH 27/44] chore(deps): bump docker/login-action from 3.2.0 to 3.3.0 (#10704) Bumps [docker/login-action](https://github.com/docker/login-action) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/0d4c9c5ea7693da7b068278f7b52bda2a190a446...9780b0c442fbb1117ed29e0efdff1e18412f7567) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d5b95d21118e..72d487649df4 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -300,7 +300,7 @@ jobs: file_glob: true tag: ${{ github.ref }} - name: Login to GHCR - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} From f9a8388c14549d2821b0d9906dc1955606607f38 Mon Sep 17 00:00:00 2001 From: Geetha Madhuri Bojanki <106727251+Geetha-Bojanki@users.noreply.github.com> Date: Wed, 24 Jul 2024 12:48:39 +0530 Subject: [PATCH 28/44] Updated the outdated example mentioned in Development.md file with latest one (#10706) * Updated Expose the endpoint on a local port section in DEVELOPMENT.md file Signed-off-by: Geetha Madhuri * Updated the outdated example mentioned in Development.md file with latest one Signed-off-by: Geetha Madhuri --------- Signed-off-by: Geetha Madhuri --- DEVELOPMENT.md | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) 
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index bfa71a7b9382..9e7fc84072f9 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -455,14 +455,27 @@ You can get at the application in the pod by port forwarding with kubectl, for e ````shell $ kubectl -n kyverno get pod -NAME READY STATUS RESTARTS AGE -kyverno-7d67c967c6-slbpr 1/1 Running 0 19s +NAME READY STATUS RESTARTS AGE +kyverno-admission-controller-57df6c565f-pxpnh 1/1 Running 0 20s +kyverno-background-controller-766589695-dhj9m 1/1 Running 0 20s +kyverno-cleanup-controller-54466dfbc6-5mlrc 1/1 Running 0 19s +kyverno-cleanup-update-requests-28695530-ft975 1/1 Running 0 19s +kyverno-reports-controller-76c49549f4-tljwm 1/1 Running 0 20s ```` +Check the port of the pod you'd like to forward using the command below. + +````bash +$ kubectl get pod kyverno-admission-controller-57df6c565f-pxpnh -n kyverno --template='{{(index (index .spec.containers 0).ports 0).containerPort}}{{"\n"}}' +9443 +```` + +Use the exposed port from above to run port-forward with the below command. + ````bash -$ kubectl -n kyverno port-forward kyverno-7d67c967c6-slbpr 6060 -Forwarding from 127.0.0.1:6060 -> 6060 -Forwarding from [::1]:6060 -> 6060 +$ kubectl -n kyverno port-forward kyverno-admission-controller-57df6c565f-pxpnh 6060:9443 +Forwarding from 127.0.0.1:6060 -> 9443 +Forwarding from [::1]:6060 -> 9443 ```` The HTTP endpoint will now be available as a local port. From f539e854bee118327028b6ddc24e831de64b3a90 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 09:02:52 +0000 Subject: [PATCH 29/44] chore(deps): bump github.com/cyphar/filepath-securejoin (#10713) Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.3.0 to 0.3.1. - [Release notes](https://github.com/cyphar/filepath-securejoin/releases) - [Changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md) - [Commits](https://github.com/cyphar/filepath-securejoin/compare/v0.3.0...v0.3.1) --- updated-dependencies: - dependency-name: github.com/cyphar/filepath-securejoin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index d983e4657ea1..977435bb7a0e 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240525144225-0fe7eafab216 github.com/blang/semver/v4 v4.0.0 github.com/cenkalti/backoff v2.2.1+incompatible - github.com/cyphar/filepath-securejoin v0.3.0 + github.com/cyphar/filepath-securejoin v0.3.1 github.com/dgraph-io/ristretto v0.1.1 github.com/distribution/reference v0.6.0 github.com/evanphx/json-patch/v5 v5.9.0 diff --git a/go.sum b/go.sum index 38cdf8507c33..969e52546020 100644 --- a/go.sum +++ b/go.sum 
@@ -249,8 +249,8 @@ github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0= github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f h1:eHnXnuK47UlSTOQexbzxAZfekVz6i+LKRdj1CU5DPaM= github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw= -github.com/cyphar/filepath-securejoin v0.3.0 h1:tXpmbiaeBrS/K2US8nhgwdKYnfAOnVfkcLPKFgFHeA0= -github.com/cyphar/filepath-securejoin v0.3.0/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= +github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE= +github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs= github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= From ca17cb2c6f920afae8e78318e41c9e18c3686cd2 Mon Sep 17 00:00:00 2001 From: Korada Vishal <116670999+Vishalk91-4@users.noreply.github.com> Date: Wed, 24 Jul 2024 16:13:07 +0530 Subject: [PATCH 30/44] Improved test covergae for forceMutate (#10103) Signed-off-by: Vishal K Co-authored-by: Mariam Fahmy --- pkg/engine/forceMutate_test.go | 81 ++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) diff --git a/pkg/engine/forceMutate_test.go b/pkg/engine/forceMutate_test.go index 6508e18a9511..ff8704754019 100644 --- a/pkg/engine/forceMutate_test.go +++ b/pkg/engine/forceMutate_test.go 
@@ -113,6 +113,87 @@ func Test_ForceMutateSubstituteVars(t *testing.T) { assert.DeepEqual(t, expectedResource, mutatedResource.UnstructuredContent()) } +func Test_ApplyForEachMutate(t *testing.T) { + rawPolicy := []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "add-label" + }, + "spec": { + "rules": [ + { + "name": "add-name-label", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "mutate": { + "forEach": [ + { + "patchStrategicMerge": { + "metadata": { + "labels": { + "appname": "{{request.object.metadata.name}}" + } + } + }, + "forEach": [ + { + "patchStrategicMerge": { + "metadata": { + "labels": { + "nestedLabel": "nestedValue" + } + } + } + } + ] + } + ] + } + } + ] + } + } + `) + + var policy kyverno.ClusterPolicy + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) + + resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource) + assert.NilError(t, err) + jp := jmespath.New(config.NewDefaultConfiguration(false)) + ctx := context.NewContext(jp) + err = context.AddResource(ctx, rawResource) + assert.NilError(t, err) + + mutatedResource, err := ForceMutate(ctx, logr.Discard(), &policy, *resourceUnstructured) + assert.NilError(t, err) + + expectedRawResource := []byte(`{ + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "nestedLabel": "nestedValue" + }, + "name": "check-root-user" + }, + "spec": {"containers": [{"image": "nginxinc/nginx-unprivileged", "name": "check-root-user", "securityContext": {"runAsNonRoot": true}}]} + }`) + + var expectedResource interface{} + assert.NilError(t, json.Unmarshal(expectedRawResource, &expectedResource)) + + assert.DeepEqual(t, expectedResource, mutatedResource.UnstructuredContent()) +} + func Test_ForceMutateSubstituteVarsWithPatchesJson6902(t *testing.T) { rawPolicy := []byte(` { From 2855d27ce4e55f408346edc7e39e90fa12fa4f21 Mon Sep 17 00:00:00 2001 
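Review bot: The expected object in Test_ApplyForEachMutate carries only `nestedLabel`, although the outer forEach entry's `patchStrategicMerge` sets `appname` from `{{request.object.metadata.name}}`, so the test pins that the outer patch is not applied when the entry also has a nested `forEach`. If that is the intended ForceMutate behaviour, state it above `expectedRawResource`, for example `// the outer patchStrategicMerge is not applied when the entry has a nested forEach`. If it is not intended, the expectation hides a mutation that was silently dropped. Neither forEach entry sets a `list`, so it is worth confirming that the nested branch is really iterated rather than applied once by the force-mutate path.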
From: Jim Bugwadia Date: Thu, 25 Jul 2024 00:40:38 -0700 Subject: [PATCH 31/44] change security to point to org repo (#10716) Signed-off-by: Jim Bugwadia --- SECURITY.md | 33 +-------------------------------- 1 file changed, 1 insertion(+), 32 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 40f7f665d9e9..3bea512b31e6 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,34 +1,3 @@ # Security Policy -The Kyverno community has adopted this security disclosures and response policy to ensure we responsibly handle critical issues. -## Security bulletins -For information regarding the security of this project please join our [slack channel](https://slack.k8s.io/#kyverno). - -## Reporting a Vulnerability -### When you should? -- You think you discovered a potential security vulnerability in Kyverno. -- You are unsure how a vulnerability affects Kyverno. -- You think you discovered a vulnerability in another project that Kyverno depends on. For projects with their own vulnerability reporting and disclosure process, please report it directly there. - -### When you should not? -- You need help tuning Kyverno components for security - please discuss this is in the Kyverno [slack channel](https://slack.k8s.io/#kyverno). -- You need help applying security-related updates. -- Your issue is not security-related. - -### Please use the below process to report a vulnerability to the project: -1. Email the **Kyverno security group at kyverno-security@googlegroups.com** - * Emails should contain: - * description of the problem - * precise and detailed steps (include screenshots) that created the problem - * the affected version(s) - * any possible mitigations, if known -2. The project security team will send an initial response to the disclosure in 3-5 days. Once the vulnerability and fix are confirmed, the team will plan to release the fix in 7 to 28 days based on the severity and complexity. -3. You may be contacted by a project maintainer to further discuss the reported item. Please bear with us as we seek to understand the breadth and scope of the reported problem, recreate it, and confirm if there is a vulnerability present. 
- -## Supported Versions -Kyverno versions follow [Semantic Versioning](https://semver.org/) terminology and are expressed as x.y.z: -- where x is the major version -- y is the minor version -- and z is the patch version - -Security fixes, may be backported to the three most recent minor releases, depending on severity and feasibility. Patch releases are cut from those branches periodically, plus additional urgent releases, when required. \ No newline at end of file +[Kyverno and its sub-projects](https://github.com/kyverno#projects) follow the security practices published and maintained at https://github.com/kyverno/community/blob/main/SECURITY.md. From 716611b7ea484bc2b36783c7a8bb09b87b8220f3 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Thu, 25 Jul 2024 20:36:19 +0300 Subject: [PATCH 32/44] fix: return all the exceptions that match the incoming resource (#10722) * fix: return all the exceptions that match the incoming resource Signed-off-by: Mariam Fahmy * fix: modify log messages Signed-off-by: Mariam Fahmy --------- 
Signed-off-by: Mariam Fahmy --- .../kubectl-kyverno/commands/test/output.go | 2 +- .../report/background/controller.go | 24 +++++-- pkg/engine/api/ruleresponse.go | 14 ++-- pkg/engine/background.go | 25 ++++--- .../handlers/mutation/mutate_existing.go | 29 ++++---- pkg/engine/handlers/mutation/mutate_image.go | 29 ++++---- .../handlers/mutation/mutate_resource.go | 29 ++++---- .../handlers/validation/validate_cel.go | 29 ++++---- .../handlers/validation/validate_image.go | 28 ++++---- .../handlers/validation/validate_manifest.go | 28 ++++---- .../handlers/validation/validate_pss.go | 64 ++++++++++------- .../handlers/validation/validate_resource.go | 28 ++++---- pkg/engine/utils/exceptions.go | 7 +- pkg/event/events.go | 68 +++++++++++-------- pkg/utils/report/results.go | 9 ++- .../README.md | 18 +++++ .../chainsaw-test.yaml | 21 ++++++ .../exceptions.yaml | 44 ++++++++++++ .../pod.yaml | 56 +++++++++++++++ .../policy-assert.yaml | 9 +++ .../policy.yaml | 19 ++++++ .../exceptions/multiple-exceptions/README.md | 18 +++++ .../multiple-exceptions/chainsaw-test.yaml | 21 ++++++ .../multiple-exceptions/exceptions.yaml | 36 ++++++++++ .../exceptions/multiple-exceptions/pod.yaml | 56 +++++++++++++++ .../multiple-exceptions/policy-assert.yaml | 9 +++ .../multiple-exceptions/policy.yaml | 19 ++++++ .../admission/exception/report-assert.yaml | 2 +- .../report-assert.yaml | 2 +- .../background/exception/report-assert.yaml | 2 +- .../README.md | 25 +++++++ .../chainsaw-test.yaml | 45 ++++++++++++ .../exceptions.yaml | 44 ++++++++++++ .../pod.yaml | 56 +++++++++++++++ .../policy-assert.yaml | 9 +++ .../policy.yaml | 19 ++++++ .../report-fail-assert.yaml | 33 +++++++++ .../report-skip-assert.yaml | 27 ++++++++ 38 files changed, 836 insertions(+), 167 deletions(-) create mode 100644 test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/README.md create mode 100755 test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/chainsaw-test.yaml 
create mode 100644 test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/exceptions.yaml create mode 100644 test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/pod.yaml create mode 100644 test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/policy.yaml create mode 100644 test/conformance/chainsaw/exceptions/multiple-exceptions/README.md create mode 100755 test/conformance/chainsaw/exceptions/multiple-exceptions/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/exceptions/multiple-exceptions/exceptions.yaml create mode 100644 test/conformance/chainsaw/exceptions/multiple-exceptions/pod.yaml create mode 100644 test/conformance/chainsaw/exceptions/multiple-exceptions/policy-assert.yaml create mode 100644 test/conformance/chainsaw/exceptions/multiple-exceptions/policy.yaml create mode 100644 test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/README.md create mode 100755 test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/exceptions.yaml create mode 100644 test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/pod.yaml create mode 100644 test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/policy-assert.yaml create mode 100644 test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/policy.yaml create mode 100644 test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/report-fail-assert.yaml create mode 100644 test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/report-skip-assert.yaml 
diff --git a/cmd/cli/kubectl-kyverno/commands/test/output.go b/cmd/cli/kubectl-kyverno/commands/test/output.go index d37d955c2aee..eee1cb17e197 100644 --- a/cmd/cli/kubectl-kyverno/commands/test/output.go +++ b/cmd/cli/kubectl-kyverno/commands/test/output.go @@ -90,7 +90,7 @@ func printCheckResult( // patchedTargetSubresourceName string // podSecurityChecks contains pod security checks (only if this is a pod security rule) "podSecurityChecks": rule.PodSecurityChecks(), - "exception ": rule.Exception(), + "exceptions": rule.Exceptions(), } if check.Assert.Value != nil { errs, err := assert.Assert(ctx, nil, assert.Parse(ctx, check.Assert.Value), data, nil) diff --git a/pkg/controllers/report/background/controller.go b/pkg/controllers/report/background/controller.go index ca03bb91ac51..66caea91acc0 100644 --- a/pkg/controllers/report/background/controller.go +++ b/pkg/controllers/report/background/controller.go @@ -2,6 +2,7 @@ package background import ( "context" + "strings" "time" "github.com/go-logr/logr" @@ -361,8 +362,8 @@ func (c *controller) reconcileReport( } policyNameToLabel[key] = reportutils.PolicyLabel(policy) } - for _, exception := range exceptions { - key, err := cache.MetaNamespaceKeyFunc(exception) + for i, exception := range exceptions { + key, err := cache.MetaNamespaceKeyFunc(&exceptions[i]) if err != nil { return err } 
@@ -376,13 +377,24 @@ func (c *controller) reconcileReport( policyNameToLabel[key] = reportutils.ValidatingAdmissionPolicyBindingLabel(binding) } for _, result := range observed.GetResults() { - // if the policy did not change, keep the result + // The result is kept as it is if: + // 1. The Kyverno policy and its matched exceptions are unchanged + // 2. The ValidatingAdmissionPolicy and its matched binding are unchanged + keepResult := true + exception := result.Properties["exceptions"] + exceptions := strings.Split(exception, ",") + for _, exception := range exceptions { + exceptionLabel := policyNameToLabel[exception] + if exceptionLabel != "" && expected[exceptionLabel] != actual[exceptionLabel] { + keepResult = false + break + } + } + label := policyNameToLabel[result.Policy] - exceptionLabel := policyNameToLabel[result.Properties["exception"]] vapBindingLabel := policyNameToLabel[result.Properties["binding"]] if (label != "" && expected[label] == actual[label]) || - (exceptionLabel != "" && expected[exceptionLabel] == actual[exceptionLabel]) || - (vapBindingLabel != "" && expected[vapBindingLabel] == actual[vapBindingLabel]) { + (vapBindingLabel != "" && expected[vapBindingLabel] == actual[vapBindingLabel]) || keepResult { ruleResults = append(ruleResults, result) } } diff --git a/pkg/engine/api/ruleresponse.go b/pkg/engine/api/ruleresponse.go index c45f6a6494da..b1927122af48 100644 --- a/pkg/engine/api/ruleresponse.go +++ b/pkg/engine/api/ruleresponse.go 
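Review bot: `keepResult` starts as `true` and is OR-ed into the final condition, so a result whose `exceptions` property is empty or names no known exception is kept even when its policy label changed. `strings.Split("", ",")` yields a single empty key, `policyNameToLabel[""]` is presumably empty, and the loop never clears the flag. The added comment says a result is kept when the policy and its matched exceptions are unchanged, which suggests `(label != "" && expected[label] == actual[label] && keepResult) || (vapBindingLabel != "" && expected[vapBindingLabel] == actual[vapBindingLabel])`. The split on `","` also has to match how the property is written, which is outside this hunk. The local `exceptions` shadows the slice ranged over earlier in reconcileReport, whose body starts and ends outside the hunk.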
@@ -43,8 +43,8 @@ type RuleResponse struct { patchedTargetSubresourceName string // podSecurityChecks contains pod security checks (only if this is a pod security rule) podSecurityChecks *PodSecurityChecks - // exception is the exception applied (if any) - exception *kyvernov2.PolicyException + // exceptions are the exceptions applied (if any) + exceptions []kyvernov2.PolicyException // binding is the validatingadmissionpolicybinding (if any) binding *v1alpha1.ValidatingAdmissionPolicyBinding // emitWarning enable passing rule message as warning to api server warning header @@ -88,8 +88,8 @@ func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse { return NewRuleResponse(name, ruleType, msg, RuleStatusFail) } -func (r RuleResponse) WithException(exception *kyvernov2.PolicyException) *RuleResponse { - r.exception = exception +func (r RuleResponse) WithExceptions(exceptions []kyvernov2.PolicyException) *RuleResponse { + r.exceptions = exceptions return &r } @@ -129,8 +129,8 @@ func (r *RuleResponse) Stats() ExecutionStats { return r.stats } -func (r *RuleResponse) Exception() *kyvernov2.PolicyException { - return r.exception +func (r *RuleResponse) Exceptions() []kyvernov2.PolicyException { + return r.exceptions } func (r *RuleResponse) ValidatingAdmissionPolicyBinding() *v1alpha1.ValidatingAdmissionPolicyBinding { @@ -138,7 +138,7 @@ func (r *RuleResponse) ValidatingAdmissionPolicyBinding() *v1alpha1.ValidatingAd } func (r *RuleResponse) IsException() bool { - return r.exception != nil + return len(r.exceptions) > 0 } func (r *RuleResponse) PodSecurityChecks() *PodSecurityChecks { diff --git a/pkg/engine/background.go b/pkg/engine/background.go index 96b29fd5e4b4..2a6124ed9d0e 100644 --- a/pkg/engine/background.go +++ b/pkg/engine/background.go @@ -2,6 +2,7 @@ package engine import ( "context" + "strings" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" 
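Review bot: `WithExceptions` stores the caller's slice as-is and `Exceptions()` returns that same slice, so the response shares its backing array with `matchedExceptions` at the call sites, and neither exported method has a doc comment saying so. Suggested comments: `// WithExceptions returns a copy of r recording the policy exceptions that matched; the slice itself is not copied.` and `// Exceptions returns the policy exceptions that matched the rule, or nil.` The field is a slice of struct values while the handlers receive `[]*kyvernov2.PolicyException`, which is why callers need `&matchedExceptions[i]`; keeping pointers end to end would likely avoid copying every exception.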
@@ -64,17 +65,21 @@ func (e *engine) filterRule( logger.Error(err, "failed to get exceptions") return nil } - // check if there is a policy exception matches the incoming resource - exception := engineutils.MatchesException(exceptions, policyContext, logger) - if exception != nil { - key, err := cache.MetaNamespaceKeyFunc(exception) - if err != nil { - logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) - return engineapi.RuleError(rule.Name, ruleType, "failed to compute exception key", err) - } else { - logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) - return engineapi.RuleSkip(rule.Name, ruleType, "rule skipped due to policy exception "+key).WithException(exception) + // check if there are policy exceptions that match the incoming resource + matchedExceptions := engineutils.MatchesException(exceptions, policyContext, logger) + if len(matchedExceptions) > 0 { + var keys []string + for i, exception := range matchedExceptions { + key, err := cache.MetaNamespaceKeyFunc(&matchedExceptions[i]) + if err != nil { + logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) + return engineapi.RuleError(rule.Name, ruleType, "failed to compute exception key", err) + } + keys = append(keys, key) } + + logger.V(3).Info("policy rule is skipped due to policy exceptions", "exceptions", keys) + return engineapi.RuleSkip(rule.Name, ruleType, "rule is skipped due to policy exception "+strings.Join(keys, ", ")).WithExceptions(matchedExceptions) } newResource := policyContext.NewResource() diff --git a/pkg/engine/handlers/mutation/mutate_existing.go b/pkg/engine/handlers/mutation/mutate_existing.go index c7e6d6ca774c..0365fd88fc03 100644 --- a/pkg/engine/handlers/mutation/mutate_existing.go +++ b/pkg/engine/handlers/mutation/mutate_existing.go 
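Review bot: The key-collection loop added here is repeated in the Process methods of mutate_existing.go, mutate_image.go, mutate_resource.go, validate_cel.go, validate_image.go and validate_manifest.go, and in a variant in validate_pss.go. A single helper next to `MatchesException` that returns the keys and an error would keep the copies from drifting; the skip message in the handler copies already differs from this one. The range value `exception` is a by-value copy of each PolicyException and is used only in the error log. Writing `for i := range matchedExceptions { exception := &matchedExceptions[i]` avoids the copy and lets the same pointer go to `cache.MetaNamespaceKeyFunc`. filterRule's body starts and ends outside this hunk.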
@@ -2,6 +2,7 @@ package mutation import ( "context" + "strings" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" 
@@ -37,19 +38,23 @@ func (h mutateExistingHandler) Process( contextLoader engineapi.EngineContextLoader, exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { - // check if there is a policy exception matches the incoming resource - exception := engineutils.MatchesException(exceptions, policyContext, logger) - if exception != nil { - key, err := cache.MetaNamespaceKeyFunc(exception) - if err != nil { - logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) - return resource, handlers.WithError(rule, engineapi.Mutation, "failed to compute exception key", err) - } else { - logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) - return resource, handlers.WithResponses( - engineapi.RuleSkip(rule.Name, engineapi.Mutation, "rule skipped due to policy exception "+key).WithException(exception), - ) + // check if there are policy exceptions that match the incoming resource + matchedExceptions := engineutils.MatchesException(exceptions, policyContext, logger) + if len(matchedExceptions) > 0 { + var keys []string + for i, exception := range matchedExceptions { + key, err := cache.MetaNamespaceKeyFunc(&matchedExceptions[i]) + if err != nil { + logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) + return resource, handlers.WithError(rule, engineapi.Mutation, "failed to compute exception key", err) + } + keys = append(keys, key) } + + logger.V(3).Info("policy rule is skipped due to policy exceptions", "exceptions", keys) + return resource, handlers.WithResponses( + engineapi.RuleSkip(rule.Name, engineapi.Mutation, "rule is skipped due to policy exceptions"+strings.Join(keys, ", ")).WithExceptions(matchedExceptions), + ) } var responses []engineapi.RuleResponse 
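Review bot: The skip message is built as `"rule is skipped due to policy exceptions"+strings.Join(keys, ", ")` with no space before the first key, so it renders as `...policy exceptionsNAMESPACE/NAME` (placeholder key). filterRule in background.go keeps the trailing space. The same literal appears in the hunks for mutate_image.go, mutate_resource.go, validate_cel.go, validate_image.go and validate_manifest.go. Use `"rule is skipped due to policy exceptions "+strings.Join(keys, ", ")` in all six, since this text ends up in rule responses that operators read to see why a rule did not apply. Process continues past the end of this hunk.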
diff --git a/pkg/engine/handlers/mutation/mutate_image.go b/pkg/engine/handlers/mutation/mutate_image.go index 1598ee29d7b6..62cea051eaeb 100644 --- a/pkg/engine/handlers/mutation/mutate_image.go +++ b/pkg/engine/handlers/mutation/mutate_image.go @@ -2,6 +2,7 @@ package mutation import ( "context" + "strings" json_patch "github.com/evanphx/json-patch/v5" "github.com/go-logr/logr" 
@@ -68,19 +69,23 @@ func (h mutateImageHandler) Process( contextLoader engineapi.EngineContextLoader, exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { - // check if there is a policy exception matches the incoming resource - exception := engineutils.MatchesException(exceptions, policyContext, logger) - if exception != nil { - key, err := cache.MetaNamespaceKeyFunc(exception) - if err != nil { - logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) - return resource, handlers.WithError(rule, engineapi.Mutation, "failed to compute exception key", err) - } else { - logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) - return resource, handlers.WithResponses( - engineapi.RuleSkip(rule.Name, engineapi.Mutation, "rule skipped due to policy exception "+key).WithException(exception), - ) + // check if there are policy exceptions that match the incoming resource + matchedExceptions := engineutils.MatchesException(exceptions, policyContext, logger) + if len(matchedExceptions) > 0 { + var keys []string + for i, exception := range matchedExceptions { + key, err := cache.MetaNamespaceKeyFunc(&matchedExceptions[i]) + if err != nil { + logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) + return resource, handlers.WithError(rule, engineapi.Mutation, "failed to compute exception key", err) + } + keys = append(keys, key) } + + logger.V(3).Info("policy rule is skipped due to policy exceptions", "exceptions", keys) + return resource, handlers.WithResponses( + engineapi.RuleSkip(rule.Name, engineapi.Mutation, "rule is skipped due to policy exceptions"+strings.Join(keys, ", ")).WithExceptions(matchedExceptions), + ) } jsonContext := policyContext.JSONContext() 
diff --git a/pkg/engine/handlers/mutation/mutate_resource.go b/pkg/engine/handlers/mutation/mutate_resource.go index 6557a5d25b11..71ce7054d083 100644 --- a/pkg/engine/handlers/mutation/mutate_resource.go +++ b/pkg/engine/handlers/mutation/mutate_resource.go @@ -2,6 +2,7 @@ package mutation import ( "context" + "strings" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" 
@@ -30,19 +31,23 @@ func (h mutateResourceHandler) Process( contextLoader engineapi.EngineContextLoader, exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { - // check if there is a policy exception matches the incoming resource - exception := engineutils.MatchesException(exceptions, policyContext, logger) - if exception != nil { - key, err := cache.MetaNamespaceKeyFunc(exception) - if err != nil { - logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) - return resource, handlers.WithError(rule, engineapi.Mutation, "failed to compute exception key", err) - } else { - logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) - return resource, handlers.WithResponses( - engineapi.RuleSkip(rule.Name, engineapi.Mutation, "rule skipped due to policy exception "+key).WithException(exception), - ) + // check if there are policy exceptions that match the incoming resource + matchedExceptions := engineutils.MatchesException(exceptions, policyContext, logger) + if len(matchedExceptions) > 0 { + var keys []string + for i, exception := range matchedExceptions { + key, err := cache.MetaNamespaceKeyFunc(&matchedExceptions[i]) + if err != nil { + logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) + return resource, handlers.WithError(rule, engineapi.Mutation, "failed to compute exception key", err) + } + keys = append(keys, key) } + + logger.V(3).Info("policy rule is skipped due to policy exceptions", "exceptions", keys) + return resource, handlers.WithResponses( + engineapi.RuleSkip(rule.Name, engineapi.Mutation, "rule is skipped due to policy exceptions"+strings.Join(keys, ", ")).WithExceptions(matchedExceptions), + ) } _, subresource := policyContext.ResourceKind() 
diff --git a/pkg/engine/handlers/validation/validate_cel.go b/pkg/engine/handlers/validation/validate_cel.go index c5914233001f..d06ff604dc03 100644 --- a/pkg/engine/handlers/validation/validate_cel.go +++ b/pkg/engine/handlers/validation/validate_cel.go @@ -3,6 +3,7 @@ package validation import ( "context" "fmt" + "strings" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" 
@@ -47,19 +48,23 @@ func (h validateCELHandler) Process( _ engineapi.EngineContextLoader, exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { - // check if there is a policy exception matches the incoming resource - exception := engineutils.MatchesException(exceptions, policyContext, logger) - if exception != nil { - key, err := cache.MetaNamespaceKeyFunc(exception) - if err != nil { - logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) - return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) - } else { - logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) - return resource, handlers.WithResponses( - engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule skipped due to policy exception "+key).WithException(exception), - ) + // check if there are policy exceptions that match the incoming resource + matchedExceptions := engineutils.MatchesException(exceptions, policyContext, logger) + if len(matchedExceptions) > 0 { + var keys []string + for i, exception := range matchedExceptions { + key, err := cache.MetaNamespaceKeyFunc(&matchedExceptions[i]) + if err != nil { + logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) + return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) + } + keys = append(keys, key) } + + logger.V(3).Info("policy rule is skipped due to policy exceptions", "exceptions", keys) + return resource, handlers.WithResponses( + engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule is skipped due to policy exceptions"+strings.Join(keys, ", ")).WithExceptions(matchedExceptions), + ) } // check if a corresponding validating admission policy is generated 
diff --git a/pkg/engine/handlers/validation/validate_image.go b/pkg/engine/handlers/validation/validate_image.go index 15952c46b412..71829f85fccc 100644 --- a/pkg/engine/handlers/validation/validate_image.go +++ b/pkg/engine/handlers/validation/validate_image.go 
@@ -47,19 +47,23 @@ func (h validateImageHandler) Process( _ engineapi.EngineContextLoader, exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { - // check if there is a policy exception matches the incoming resource - exception := engineutils.MatchesException(exceptions, policyContext, logger) - if exception != nil { - key, err := cache.MetaNamespaceKeyFunc(exception) - if err != nil { - logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) - return resource, handlers.WithError(rule, engineapi.ImageVerify, "failed to compute exception key", err) - } else { - logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) - return resource, handlers.WithResponses( - engineapi.RuleSkip(rule.Name, engineapi.ImageVerify, "rule skipped due to policy exception "+key).WithException(exception), - ) + // check if there are policy exceptions that match the incoming resource + matchedExceptions := engineutils.MatchesException(exceptions, policyContext, logger) + if len(matchedExceptions) > 0 { + var keys []string + for i, exception := range matchedExceptions { + key, err := cache.MetaNamespaceKeyFunc(&matchedExceptions[i]) + if err != nil { + logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) + return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) + } + keys = append(keys, key) } + + logger.V(3).Info("policy rule is skipped due to policy exceptions", "exceptions", keys) + return resource, handlers.WithResponses( + engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule is skipped due to policy exceptions"+strings.Join(keys, ", ")).WithExceptions(matchedExceptions), + ) } skippedImages := make([]string, 0) 
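Review bot: Both the error response and the skip response in this hunk now carry `engineapi.Validation` where the removed lines used `engineapi.ImageVerify`. No other handler in this commit changes its rule type, so this looks like a copy-paste from validate_cel.go, and a skipped image-verification rule would be reported under the wrong rule type. Keep `handlers.WithError(rule, engineapi.ImageVerify, "failed to compute exception key", err)` and `engineapi.RuleSkip(rule.Name, engineapi.ImageVerify, ...)`. The hunk also starts using `strings.Join`, but this file's diff, like those of validate_manifest.go and validate_pss.go, has no import hunk, so confirm `strings` is already imported there.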
diff --git a/pkg/engine/handlers/validation/validate_manifest.go b/pkg/engine/handlers/validation/validate_manifest.go index 054896787887..7924656f032d 100644 --- a/pkg/engine/handlers/validation/validate_manifest.go +++ b/pkg/engine/handlers/validation/validate_manifest.go 
@@ -59,19 +59,23 @@ func (h validateManifestHandler) Process( _ engineapi.EngineContextLoader, exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { - // check if there is a policy exception matches the incoming resource - exception := engineutils.MatchesException(exceptions, policyContext, logger) - if exception != nil { - key, err := cache.MetaNamespaceKeyFunc(exception) - if err != nil { - logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) - return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) - } else { - logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) - return resource, handlers.WithResponses( - engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule skipped due to policy exception "+key).WithException(exception), - ) + // check if there are policy exceptions that match the incoming resource + matchedExceptions := engineutils.MatchesException(exceptions, policyContext, logger) + if len(matchedExceptions) > 0 { + var keys []string + for i, exception := range matchedExceptions { + key, err := cache.MetaNamespaceKeyFunc(&matchedExceptions[i]) + if err != nil { + logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) + return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) + } + keys = append(keys, key) } + + logger.V(3).Info("policy rule is skipped due to policy exceptions", "exceptions", keys) + return resource, handlers.WithResponses( + engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule is skipped due to policy exceptions"+strings.Join(keys, ", ")).WithExceptions(matchedExceptions), + ) } // verify manifest 
diff --git a/pkg/engine/handlers/validation/validate_pss.go b/pkg/engine/handlers/validation/validate_pss.go index b6ae4519601d..58ada5aa8124 100644 --- a/pkg/engine/handlers/validation/validate_pss.go +++ b/pkg/engine/handlers/validation/validate_pss.go 
@@ -44,17 +44,29 @@ func (h validatePssHandler) Process( return resource, nil } - // check if there is a policy exception matches the incoming resource - exception := engineutils.MatchesException(exceptions, policyContext, logger) - if exception != nil && !exception.HasPodSecurity() { - key, err := cache.MetaNamespaceKeyFunc(exception) - if err != nil { - logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) - return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) - } else { - logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) + // check if there are policy exceptions that match the incoming resource + matchedExceptions := engineutils.MatchesException(exceptions, policyContext, logger) + if len(matchedExceptions) > 0 { + var polex kyvernov2.PolicyException + hasPodSecurity := true + + for i, exception := range matchedExceptions { + if !exception.HasPodSecurity() { + hasPodSecurity = false + polex = matchedExceptions[i] + break + } + } + + if !hasPodSecurity { + key, err := cache.MetaNamespaceKeyFunc(&polex) + if err != nil { + logger.Error(err, "failed to compute policy exception key", "namespace", polex.GetNamespace(), "name", polex.GetName()) + return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) + } + logger.V(3).Info("policy rule is skipped due to policy exception", "exception", key) return resource, handlers.WithResponses( - engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule skipped due to policy exception "+key).WithException(exception), + engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule is skipped due to policy exception "+key).WithExceptions([]kyvernov2.PolicyException{polex}), ) } } 
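Review bot: When a matched exception has no podSecurity block, the response is built with `WithExceptions([]kyvernov2.PolicyException{polex})`, which records only the first such exception, while every other handler in this commit passes the whole `matchedExceptions` slice. If reports and events are meant to list every exception that caused the skip, collect all exceptions for which `!exception.HasPodSecurity()` instead of breaking at the first. `hasPodSecurity` reads like a property of one exception but means that all matched exceptions have podSecurity. The flag and the by-value `polex` copy could be replaced by a `*kyvernov2.PolicyException` that stays nil when none is found. Process starts before and continues after this hunk.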
@@ -91,21 +103,25 @@ func (h validatePssHandler) Process( ) } else { // apply pod security exceptions if exist - if exception != nil && exception.HasPodSecurity() { - pssChecks, err = pss.ApplyPodSecurityExclusion(levelVersion, exception.Spec.PodSecurity, pssChecks, pod) - if len(pssChecks) == 0 && err == nil { - key, err := cache.MetaNamespaceKeyFunc(exception) - if err != nil { - logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) - return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) - } else { - podSecurityChecks.Checks = pssChecks - logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) - return resource, handlers.WithResponses( - engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule skipped due to policy exception "+key).WithException(exception).WithPodSecurityChecks(podSecurityChecks), - ) - } + var excludes []kyvernov1.PodSecurityStandard + var keys []string + for i, exception := range matchedExceptions { + key, err := cache.MetaNamespaceKeyFunc(&matchedExceptions[i]) + if err != nil { + logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) + return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) } + keys = append(keys, key) + excludes = append(excludes, exception.Spec.PodSecurity...) 
+ } + + pssChecks, err = pss.ApplyPodSecurityExclusion(levelVersion, excludes, pssChecks, pod) + if len(pssChecks) == 0 && err == nil { + podSecurityChecks.Checks = pssChecks + logger.V(3).Info("policy rule is skipped due to policy exceptions", "exceptions", keys) + return resource, handlers.WithResponses( + engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule is skipped due to policy exceptions "+strings.Join(keys, ", ")).WithExceptions(matchedExceptions).WithPodSecurityChecks(podSecurityChecks), + ) } msg := fmt.Sprintf(`Validation rule '%s' failed. It violates PodSecurity "%s:%s": %s`, rule.Name, podSecurity.Level, podSecurity.Version, pss.FormatChecksPrint(pssChecks)) return resource, handlers.WithResponses( diff --git a/pkg/engine/handlers/validation/validate_resource.go b/pkg/engine/handlers/validation/validate_resource.go index 2d2089c6add2..f181fcbc676b 100644 --- a/pkg/engine/handlers/validation/validate_resource.go +++ b/pkg/engine/handlers/validation/validate_resource.go 
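Review bot: `pss.ApplyPodSecurityExclusion` is now called even when `matchedExceptions` is empty, because the old `exception != nil && exception.HasPodSecurity()` guard was removed and nothing replaced it. If `pssChecks` can ever come back empty on that path, the rule would be reported as skipped with an empty exception list; wrapping the key loop and the call in `if len(matchedExceptions) > 0 {` keeps the no-exception path as it was. Separately, `WithExceptions(matchedExceptions)` attributes the skip to every matched exception, including ones whose exclusions may not have removed any check, which presumably overstates the audit trail. The enclosing `if` and `Process` itself begin outside the hunk.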
@@ -40,19 +40,23 @@ func (h validateResourceHandler) Process( contextLoader engineapi.EngineContextLoader, exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { - // check if there is a policy exception matches the incoming resource - exception := engineutils.MatchesException(exceptions, policyContext, logger) - if exception != nil { - key, err := cache.MetaNamespaceKeyFunc(exception) - if err != nil { - logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) - return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) - } else { - logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) - return resource, handlers.WithResponses( - engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule skipped due to policy exception "+key).WithException(exception), - ) + // check if there are policy exceptions that match the incoming resource + matchedExceptions := engineutils.MatchesException(exceptions, policyContext, logger) + if len(matchedExceptions) > 0 { + var keys []string + for i, exception := range matchedExceptions { + key, err := cache.MetaNamespaceKeyFunc(&matchedExceptions[i]) + if err != nil { + logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) + return resource, handlers.WithError(rule, engineapi.Validation, "failed to compute exception key", err) + } + keys = append(keys, key) } + + logger.V(3).Info("policy rule is skipped due to policy exceptions", "exceptions", keys) + return resource, handlers.WithResponses( + engineapi.RuleSkip(rule.Name, engineapi.Validation, "rule is skipped due to policy exceptions"+strings.Join(keys, ", ")).WithExceptions(matchedExceptions), + ) } v := newValidator(logger, contextLoader, policyContext, rule) return resource, handlers.WithResponses(v.validate(ctx)) 
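Review bot: The skip message in the new `RuleSkip` call is missing the space before the joined keys, so it renders as `...policy exceptionsns/name`. The same message in validate_pss.go has the space; this one should read `"rule is skipped due to policy exceptions "+strings.Join(keys, ", ")`. The message ends up in rule responses and reports, so the fused text makes the exception keys harder to search for.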
diff --git a/pkg/engine/utils/exceptions.go b/pkg/engine/utils/exceptions.go index 18c2a62bf74d..d65f6c2ce7bd 100644 --- a/pkg/engine/utils/exceptions.go +++ b/pkg/engine/utils/exceptions.go @@ -15,7 +15,8 @@ import ( // MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource. // It returns the matched policy exception. -func MatchesException(polexs []*kyvernov2.PolicyException, policyContext engineapi.PolicyContext, logger logr.Logger) *kyvernov2.PolicyException { +func MatchesException(polexs []*kyvernov2.PolicyException, policyContext engineapi.PolicyContext, logger logr.Logger) []kyvernov2.PolicyException { + var matchedExceptions []kyvernov2.PolicyException gvk, subresource := policyContext.ResourceKind() resource := policyContext.NewResource() if resource.Object == nil { @@ -40,10 +41,10 @@ func MatchesException(polexs []*kyvernov2.PolicyException, policyContext enginea continue } } - return polex + matchedExceptions = append(matchedExceptions, *polex) } } - return nil + return matchedExceptions } func checkMatchesResources( diff --git a/pkg/event/events.go b/pkg/event/events.go index f21c5c14c1ad..2251f5d59d6c 100644 --- a/pkg/event/events.go +++ b/pkg/event/events.go 
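Review bot: The doc comment kept as context above `MatchesException` still says "It returns the matched policy exception", but the function now returns a slice with every match. Suggested wording: `// MatchesException returns every policy exception in polexs that applies to the incoming resource.` followed by `// The result is a nil slice when nothing matches, so callers should test len(...) rather than compare with nil.` The function body is only partly visible in these two hunks, so the nil-slice statement should be confirmed against the early-return paths.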
@@ -222,16 +222,51 @@ func NewBackgroundSuccessEvent(source Source, policy kyvernov1.PolicyInterface, } func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp engineapi.RuleResponse, source Source) []Info { - exception := ruleResp.Exception() - exceptionName, exceptionNamespace := exception.GetName(), exception.GetNamespace() - policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exception %s/%s", resourceKey(engineResponse.PatchedResource), ruleResp.Name(), exceptionNamespace, exceptionName) - pol := engineResponse.Policy().AsKyvernoPolicy() var exceptionMessage string + exceptions := ruleResp.Exceptions() + exceptionNames := make([]string, 0, len(exceptions)) + events := make([]Info, 0, len(exceptions)) + + // build the events of the policy exceptions + pol := engineResponse.Policy().AsKyvernoPolicy() if pol.GetNamespace() == "" { exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s", resourceKey(engineResponse.PatchedResource), pol.GetName(), ruleResp.Name()) } else { exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s/%s", resourceKey(engineResponse.PatchedResource), pol.GetNamespace(), pol.GetName(), ruleResp.Name()) } + + related := engineResponse.GetResourceSpec() + for _, exception := range exceptions { + ns := exception.GetNamespace() + name := exception.GetName() + exceptionNames = append(exceptionNames, ns+"/"+name) + + exceptionEvent := Info{ + Regarding: corev1.ObjectReference{ + // TODO: iirc it's not safe to assume api version is set + APIVersion: "kyverno.io/v2", + Kind: "PolicyException", + Name: name, + Namespace: ns, + UID: exception.GetUID(), + }, + Related: &corev1.ObjectReference{ + APIVersion: related.APIVersion, + Kind: related.Kind, + Name: related.Name, + Namespace: related.Namespace, + UID: types.UID(related.UID), + }, + Reason: PolicySkipped, + Message: exceptionMessage, + Source: source, + Action: ResourcePassed, + } + events = 
append(events, exceptionEvent) + } + + // build the policy events + policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exceptions %s", resourceKey(engineResponse.PatchedResource), ruleResp.Name(), strings.Join(exceptionNames, ", ")) regarding := corev1.ObjectReference{ // TODO: iirc it's not safe to assume api version is set APIVersion: "kyverno.io/v1", @@ -240,7 +275,6 @@ func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp Namespace: pol.GetNamespace(), UID: pol.GetUID(), } - related := engineResponse.GetResourceSpec() policyEvent := Info{ Regarding: regarding, Related: &corev1.ObjectReference{ @@ -255,28 +289,8 @@ func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp Source: source, Action: ResourcePassed, } - exceptionEvent := Info{ - Regarding: corev1.ObjectReference{ - // TODO: iirc it's not safe to assume api version is set - APIVersion: "kyverno.io/v2", - Kind: "PolicyException", - Name: exceptionName, - Namespace: exceptionNamespace, - UID: exception.GetUID(), - }, - Related: &corev1.ObjectReference{ - APIVersion: related.APIVersion, - Kind: related.Kind, - Name: related.Name, - Namespace: related.Namespace, - UID: types.UID(related.UID), - }, - Reason: PolicySkipped, - Message: exceptionMessage, - Source: source, - Action: ResourcePassed, - } - return []Info{policyEvent, exceptionEvent} + events = append(events, policyEvent) + return events } func NewCleanupPolicyEvent(policy kyvernov2.CleanupPolicyInterface, resource unstructured.Unstructured, err error) Info { diff --git a/pkg/utils/report/results.go b/pkg/utils/report/results.go index f7d680e2f5fa..2772565d83cf 100644 --- a/pkg/utils/report/results.go +++ b/pkg/utils/report/results.go 
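Review bot: `events` is created with capacity `len(exceptions)` but always receives one more element, the policy event appended just before the return; `events := make([]Info, 0, len(exceptions)+1)` avoids the regrowth. The `Related` reference built inside the loop is identical for every exception and could be built once before the loop. The return order also changed: the policy event used to be the first element and is now the last, which matters if any caller indexes the result (callers are not visible here).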
@@ -110,8 +110,13 @@ func ToPolicyReportResult(policyType engineapi.PolicyType, policyName string, ru *resource, } } - if ruleResult.Exception() != nil { - addProperty("exception", ruleResult.Exception().Name, &result) + exceptions := ruleResult.Exceptions() + if len(exceptions) > 0 { + var names []string + for _, exception := range exceptions { + names = append(names, exception.Name) + } + addProperty("exceptions", strings.Join(names, ","), &result) } pss := ruleResult.PodSecurityChecks() if pss != nil && len(pss.Checks) > 0 { diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/README.md b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/README.md new file mode 100644 index 000000000000..957963aca530 --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/README.md @@ -0,0 +1,18 @@ +## Description + +This test creates two policy exceptions that match the same policy. It is expected that the pod that satisfies both exceptions will be created successfully. + +## Expected Behavior + +1. Create a policy that applies the baseline profile. + +2. Create two exceptions for the init containters as follows: + - The first exception `init1-exception-baseline` allows the values of `NET_ADMIN` and `NET_RAW` capabilities in the init containers. + - The second exception `init2-exception-baseline` allows the values of `SYS_TIME` capabilities in the init containers. + +3. Create a pod with two init containers. The first init container should have the `NET_ADMIN` and `NET_RAW` capabilities, and the second init container should have the `SYS_TIME` capability. It is expected that the pod will be created successfully as it matches both exceptions. + + +## Reference Issue(s) + +#10580 
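Review bot: The new `exceptions` property lists bare names (`exception.Name`), so two policy exceptions with the same name in different namespaces are indistinguishable in the report. events.go in this same patch uses `ns+"/"+name`; doing the same here, `names = append(names, exception.GetNamespace()+"/"+exception.GetName())`, would keep the report usable as an audit record (the conformance asserts would need the same change). The property key is also renamed from `exception` to `exceptions` with no fallback, so anything that reads the old key from existing reports will silently stop seeing it; that deserves a line in the release notes. The function continues outside the hunk.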
diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/chainsaw-test.yaml new file mode 100755 index 000000000000..40fec37619d5 --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: multiple-exceptions-with-pod-security +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: exceptions.yaml + - name: step-03 + try: + - apply: + file: pod.yaml diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/exceptions.yaml b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/exceptions.yaml new file mode 100644 index 000000000000..862a08403d23 --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/exceptions.yaml @@ -0,0 +1,44 @@ +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: init1-exception-baseline +spec: + exceptions: + - policyName: psp-baseline + ruleNames: + - baseline + match: + any: + - resources: + kinds: + - Pod + podSecurity: + - controlName: Capabilities + images: + - 'alpine:latest' + restrictedField: spec.initContainers[*].securityContext.capabilities.add + values: + - NET_ADMIN + - NET_RAW +--- +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: init2-exception-baseline +spec: + exceptions: + - policyName: psp-baseline + ruleNames: + - baseline + match: + any: + - resources: + kinds: + - Pod + podSecurity: + - controlName: Capabilities + images: + - 'busybox:latest' + restrictedField: spec.initContainers[*].securityContext.capabilities.add + values: + - SYS_TIME 
diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/pod.yaml b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/pod.yaml new file mode 100644 index 000000000000..10ad4a02022f --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/pod.yaml @@ -0,0 +1,56 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pod +spec: + containers: + - image: alpine:latest + imagePullPolicy: IfNotPresent + name: primary + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + initContainers: + - image: alpine:latest + imagePullPolicy: IfNotPresent + name: init1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + - image: busybox:latest + imagePullPolicy: IfNotPresent + name: init2 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - SYS_TIME + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 10002 + runAsNonRoot: true + runAsUser: 10002 + seccompProfile: + type: RuntimeDefault diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/policy-assert.yaml b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/policy-assert.yaml new file mode 100644 index 000000000000..21bb1a0623da --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: psp-baseline +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/policy.yaml b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/policy.yaml new file mode 100644 index 000000000000..d554dccac897 --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions-with-pod-security/policy.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: psp-baseline +spec: + failurePolicy: Ignore + background: true + validationFailureAction: Enforce + rules: + - name: baseline + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: v1.29 diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions/README.md b/test/conformance/chainsaw/exceptions/multiple-exceptions/README.md new file mode 100644 index 000000000000..9b0649c6745f --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions/README.md @@ -0,0 +1,18 @@ +## Description + +This test creates two policy exceptions that match the same policy. It is expected that the pod that satisfies both exceptions will be created successfully. + +## Expected Behavior + +1. Create a policy that applies the baseline profile. + +2. Create two exceptions as follows: + - The first exception `exception-baseline` that exempts the whole pod from the baseline profile. + - The second exception `init-exception-baseline` allows the values of `SYS_TIME` capabilities in the init containers. + +3. Create a pod with two init containers. The first init container should have the `NET_ADMIN` and `NET_RAW` capabilities, and the second init container should have the `SYS_TIME` capability. It is expected that the pod will be created successfully as it matches both exceptions. + + +## Reference Issue(s) + +#10580 
diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/multiple-exceptions/chainsaw-test.yaml new file mode 100755 index 000000000000..e005c156e2fd --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions/chainsaw-test.yaml @@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: multiple-exceptions +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: exceptions.yaml + - name: step-03 + try: + - apply: + file: pod.yaml diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions/exceptions.yaml b/test/conformance/chainsaw/exceptions/multiple-exceptions/exceptions.yaml new file mode 100644 index 000000000000..94665f7b07a7 --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions/exceptions.yaml @@ -0,0 +1,36 @@ +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: exception-baseline +spec: + exceptions: + - policyName: psp-baseline + ruleNames: + - baseline + match: + any: + - resources: + kinds: + - Pod +--- +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: init-exception-baseline +spec: + exceptions: + - policyName: psp-baseline + ruleNames: + - baseline + match: + any: + - resources: + kinds: + - Pod + podSecurity: + - controlName: Capabilities + images: + - 'busybox:latest' + restrictedField: spec.initContainers[*].securityContext.capabilities.add + values: + - SYS_TIME diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions/pod.yaml b/test/conformance/chainsaw/exceptions/multiple-exceptions/pod.yaml new file mode 100644 index 000000000000..10ad4a02022f --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions/pod.yaml 
@@ -0,0 +1,56 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pod +spec: + containers: + - image: alpine:latest + imagePullPolicy: IfNotPresent + name: primary + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + initContainers: + - image: alpine:latest + imagePullPolicy: IfNotPresent + name: init1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + - image: busybox:latest + imagePullPolicy: IfNotPresent + name: init2 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - SYS_TIME + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 10002 + runAsNonRoot: true + runAsUser: 10002 + seccompProfile: + type: RuntimeDefault diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions/policy-assert.yaml b/test/conformance/chainsaw/exceptions/multiple-exceptions/policy-assert.yaml new file mode 100644 index 000000000000..21bb1a0623da --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: psp-baseline +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/exceptions/multiple-exceptions/policy.yaml b/test/conformance/chainsaw/exceptions/multiple-exceptions/policy.yaml new file mode 100644 index 000000000000..d554dccac897 --- /dev/null +++ b/test/conformance/chainsaw/exceptions/multiple-exceptions/policy.yaml 
@@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: psp-baseline +spec: + failurePolicy: Ignore + background: true + validationFailureAction: Enforce + rules: + - name: baseline + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: v1.29 diff --git a/test/conformance/chainsaw/reports/admission/exception/report-assert.yaml b/test/conformance/chainsaw/reports/admission/exception/report-assert.yaml index 0304ef057e22..f8ca74b4e9ca 100644 --- a/test/conformance/chainsaw/reports/admission/exception/report-assert.yaml +++ b/test/conformance/chainsaw/reports/admission/exception/report-assert.yaml @@ -16,7 +16,7 @@ results: scored: true source: kyverno properties: - exception: mynewpolex + exceptions: mynewpolex summary: error: 0 fail: 0 diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/report-assert.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/report-assert.yaml index 5090a26d192d..a1b403443e2a 100644 --- a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/report-assert.yaml +++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/report-assert.yaml @@ -9,7 +9,7 @@ metadata: results: - policy: psa-1 properties: - exception: pod-security-exception + exceptions: pod-security-exception result: skip rule: restricted scored: true diff --git a/test/conformance/chainsaw/reports/background/exception/report-assert.yaml b/test/conformance/chainsaw/reports/background/exception/report-assert.yaml index 0304ef057e22..f8ca74b4e9ca 100644 --- a/test/conformance/chainsaw/reports/background/exception/report-assert.yaml +++ b/test/conformance/chainsaw/reports/background/exception/report-assert.yaml @@ -16,7 +16,7 @@ results: scored: true source: kyverno properties: - exception: mynewpolex + exceptions: mynewpolex summary: error: 0 fail: 0 
diff --git a/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/README.md b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/README.md new file mode 100644 index 000000000000..56e057aca1a7 --- /dev/null +++ b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/README.md @@ -0,0 +1,25 @@ +## Description + +This test makes sure that the report is generated correctly when multiple exceptions are created for the same policy. + +## Expected Behavior + +1. Create a pod with two init containers. The first init container should have the `NET_ADMIN` and `NET_RAW` capabilities, and the second init container should have the `SYS_TIME` capability. + +2. Create a policy that applies the baseline profile. + +3. Create two exceptions for the init containters as follows: + - The first exception `init1-exception-baseline` allows the values of `NET_ADMIN` and `NET_RAW` capabilities in the init containers. + - The second exception `init2-exception-baseline` allows the values of `SYS_TIME` capabilities in the init containers. + +4. It is expected that a policy report is generated with a `skip` result. + +5. Delete the first exception. + +6. It is expected that a policy report is updated with a `fail` result since the first init container violates the policy and it isn't excluded by the second exception. + + + +## Reference Issue(s) + +#10580 diff --git a/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/chainsaw-test.yaml b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/chainsaw-test.yaml new file mode 100755 index 000000000000..5bf90e7fde14 --- /dev/null +++ b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/chainsaw-test.yaml 
@@ -0,0 +1,45 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: multiple-exceptions-with-pod-security +spec: + steps: + - name: step-01 + try: + - apply: + file: pod.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-03 + try: + - apply: + file: exceptions.yaml + - name: step-04 + try: + - sleep: + duration: 5s + - name: step-05 + try: + - assert: + file: report-skip-assert.yaml + - name: step-06 + try: + - script: + env: + - name: NAMESPACE + value: ($namespace) + content: | + kubectl delete polex init1-exception-baseline -n $NAMESPACE + - name: step-07 + try: + - sleep: + duration: 5s + - name: step-08 + try: + - assert: + file: report-fail-assert.yaml diff --git a/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/exceptions.yaml b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/exceptions.yaml new file mode 100644 index 000000000000..862a08403d23 --- /dev/null +++ b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/exceptions.yaml @@ -0,0 +1,44 @@ +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: init1-exception-baseline +spec: + exceptions: + - policyName: psp-baseline + ruleNames: + - baseline + match: + any: + - resources: + kinds: + - Pod + podSecurity: + - controlName: Capabilities + images: + - 'alpine:latest' + restrictedField: spec.initContainers[*].securityContext.capabilities.add + values: + - NET_ADMIN + - NET_RAW +--- +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: init2-exception-baseline +spec: + exceptions: + - policyName: psp-baseline + ruleNames: + - baseline + match: + any: + - resources: + kinds: + - Pod + podSecurity: + - controlName: Capabilities + images: + - 'busybox:latest' + restrictedField: spec.initContainers[*].securityContext.capabilities.add + values: + - SYS_TIME 
diff --git a/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/pod.yaml b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/pod.yaml new file mode 100644 index 000000000000..10ad4a02022f --- /dev/null +++ b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/pod.yaml @@ -0,0 +1,56 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pod +spec: + containers: + - image: alpine:latest + imagePullPolicy: IfNotPresent + name: primary + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + initContainers: + - image: alpine:latest + imagePullPolicy: IfNotPresent + name: init1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_ADMIN + - NET_RAW + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + - image: busybox:latest + imagePullPolicy: IfNotPresent + name: init2 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - SYS_TIME + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 10002 + runAsNonRoot: true + runAsUser: 10002 + seccompProfile: + type: RuntimeDefault diff --git a/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/policy-assert.yaml b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/policy-assert.yaml new file mode 100644 index 000000000000..21bb1a0623da --- /dev/null +++ b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: psp-baseline +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/policy.yaml b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/policy.yaml new file mode 100644 index 000000000000..d554dccac897 --- /dev/null +++ b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/policy.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: psp-baseline +spec: + failurePolicy: Ignore + background: true + validationFailureAction: Enforce + rules: + - name: baseline + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: baseline + version: v1.29 diff --git a/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/report-fail-assert.yaml b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/report-fail-assert.yaml new file mode 100644 index 000000000000..777ee1351225 --- /dev/null +++ b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/report-fail-assert.yaml 
@@ -0,0 +1,33 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: PolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + ownerReferences: + - apiVersion: v1 + kind: Pod + name: test-pod +results: +- message: 'Validation rule ''baseline'' failed. It violates PodSecurity "baseline:v1.29": + (Forbidden reason: non-default capabilities, field error list: [spec.initContainers[0].securityContext.capabilities.add + is forbidden, forbidden values found: [NET_ADMIN NET_RAW]])' + policy: psp-baseline + properties: + controls: capabilities_baseline + controlsJSON: '[{"ID":"capabilities_baseline","Name":"Capabilities","Images":["docker.io/alpine:latest","docker.io/busybox:latest"]}]' + standard: baseline + version: v1.29 + result: fail + rule: baseline + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Pod + name: test-pod +summary: + error: 0 + fail: 1 + pass: 0 + skip: 0 + warn: 0 \ No newline at end of file diff --git a/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/report-skip-assert.yaml b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/report-skip-assert.yaml new file mode 100644 index 000000000000..4ed6fc4592eb --- /dev/null +++ b/test/conformance/chainsaw/reports/background/multiple-exceptions-with-pod-security/report-skip-assert.yaml @@ -0,0 +1,27 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: PolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + ownerReferences: + - apiVersion: v1 + kind: Pod + name: test-pod +results: +- policy: psp-baseline + properties: + exceptions: init1-exception-baseline,init2-exception-baseline + result: skip + rule: baseline + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Pod + name: test-pod +summary: + error: 0 + fail: 0 + pass: 0 + skip: 1 + warn: 0 From 8dadebb2ea6c0879714fda357118f87d39afefa1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Jul 2024 16:20:37 +0800 Subject: [PATCH 33/44] chore(deps): bump github/codeql-action from 3.25.13 to 3.25.14 (#10731) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.13 to 3.25.14. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2d790406f505036ef40ecba973cc774a50395aac...5cf07d8b700b67e235fbb65cbc84f69c0cf10464) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 9cb9e1135b5d..d38393ec157a 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -40,6 +40,6 @@ jobs: path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13 + uses: github/codeql-action/upload-sarif@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # v3.25.14 with: sarif_file: results.sarif From 8109f2194ebce7a635b61537819f126d92fc6e00 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 26 Jul 2024 09:09:20 +0000 Subject: [PATCH 34/44] chore(deps): bump sigs.k8s.io/release-utils from 0.8.3 to 0.8.4 (#10733) Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.8.3 to 0.8.4. - [Release notes](https://github.com/kubernetes-sigs/release-utils/releases) - [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.8.3...v0.8.4) --- updated-dependencies: - dependency-name: sigs.k8s.io/release-utils dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 977435bb7a0e..b62b059e0675 100644 --- a/go.mod +++ b/go.mod @@ -88,7 +88,7 @@ require ( sigs.k8s.io/kubectl-validate v0.0.4 sigs.k8s.io/kustomize/api v0.17.3 sigs.k8s.io/kustomize/kyaml v0.17.2 - sigs.k8s.io/release-utils v0.8.3 + sigs.k8s.io/release-utils v0.8.4 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 sigs.k8s.io/yaml v1.4.0 ) diff --git a/go.sum b/go.sum index 969e52546020..e50f2870413d 100644 --- a/go.sum +++ b/go.sum 
@@ -1244,8 +1244,8 @@ sigs.k8s.io/kustomize/api v0.17.3 h1:6GCuHSsxq7fN5yhF2XrC+AAr8gxQwhexgHflOAD/JJU sigs.k8s.io/kustomize/api v0.17.3/go.mod h1:TuDH4mdx7jTfK61SQ/j1QZM/QWR+5rmEiNjvYlhzFhc= sigs.k8s.io/kustomize/kyaml v0.17.2 h1:+AzvoJUY0kq4QAhH/ydPHHMRLijtUKiyVyh7fOSshr0= sigs.k8s.io/kustomize/kyaml v0.17.2/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= -sigs.k8s.io/release-utils v0.8.3 h1:KtOtA4qDmzJyeQ2zkDsFVI25+NViwms/o5eL2NftFdA= -sigs.k8s.io/release-utils v0.8.3/go.mod h1:fp82Fma06OXBhEJ+GUJKqvcplDBomruK1R/1fWJnsrQ= +sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw= +sigs.k8s.io/release-utils v0.8.4/go.mod h1:m1bHfscTemQp+z+pLCZnkXih9n0+WukIUU70n6nFnU0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= From f618717f755c81509d2535f0f8fd00ac59320f9f Mon Sep 17 00:00:00 2001 From: Ammar Yasser Date: Fri, 26 Jul 2024 13:49:51 +0300 Subject: [PATCH 35/44] fix: Check for the client being nil before applying a mutation (#10726) Signed-off-by: aerosouund Co-authored-by: shuting --- pkg/engine/mutation.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index d84e2a50edc0..c4d70769f30a 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -2,6 +2,7 @@ package engine import ( "context" + "fmt" "time" "github.com/go-logr/logr" @@ -36,6 +37,9 @@ func (e *engine) mutate( return nil, nil } if !policyContext.AdmissionOperation() && rule.HasMutateExisting() { + if e.client == nil { + return nil, fmt.Errorf("Handler factory requires a client but a nil client was passed, likely due to a bug or unsupported operation.") + } return mutation.NewMutateExistingHandler(e.client) } return mutation.NewMutateResourceHandler() 
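Review bot: The error returned from the new `e.client == nil` guard is capitalised and ends with a full stop, which goes against Go's error-string convention (staticcheck reports it as ST1005) and reads badly once a caller wraps it. I would write it as `return nil, fmt.Errorf("mutate existing handler requires a client, but the engine client is nil")`, or use `errors.New`, since the message has no format verbs. The guard itself is worth keeping: it turns what would presumably be a nil dereference later in the mutate-existing handler into an error the caller can report. The enclosing function starts and ends outside the hunk.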
From 734f1df059aeb12a3578198bfb12f27589691651 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Fri, 26 Jul 2024 16:45:54 +0300 Subject: [PATCH 36/44] fix: check the resource namespace (#10738) Signed-off-by: Mariam Fahmy --- .../processor/policy_processor.go | 2 +- .../chainsaw-test.yaml | 21 +++++++++++++++++++ .../policy.yaml | 20 ++++++++++++++++++ 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/policy.yaml diff --git a/cmd/cli/kubectl-kyverno/processor/policy_processor.go b/cmd/cli/kubectl-kyverno/processor/policy_processor.go index 415191dfed23..f7235f4c93df 100644 --- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go +++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go @@ -254,7 +254,7 @@ func (p *PolicyProcessor) makePolicyContext( return nil, fmt.Errorf("failed to update old resource in json context (%w)", err) } } - if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" { + if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" && resource.GetNamespace() != "" { ns, err := p.Client.GetResource(context.TODO(), "v1", "Namespace", "", resource.GetNamespace()) if err != nil { log.Log.Error(err, "failed to get the resource's namespace") diff --git a/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/chainsaw-test.yaml b/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/chainsaw-test.yaml new file mode 100644 index 000000000000..1e4110b4ffe1 --- /dev/null +++ b/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/chainsaw-test.yaml 
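Review bot: The condition in `makePolicyContext` now has four clauses and nothing says why the new `resource.GetNamespace() != ""` one is there; a comment above the `if` would do, e.g. `// cluster-scoped resources have no namespace, so there is no Namespace object to read labels from`. In the visible lines a failed lookup is only logged. The hunk does not show whether evaluation then carries on with empty `namespaceLabels`; if it does, rules that match on a namespace selector would be evaluated without the labels they depend on, and that deserves a comment as well. The function body continues outside the hunk.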
@@ -0,0 +1,21 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: apply-on-cluster-scoped-resources +spec: + steps: + - name: step-01 + try: + - script: + content: kubectl create rolebinding my-rolebinding --role=my-role --user=my-user + - name: step-02 + try: + - script: + content: kubectl create clusterrolebinding clusterrolebinding --clusterrole=my-clusterrole --user=my-user + - name: step-04 + try: + - script: + content: kyverno apply policy.yaml --cluster + check: + ($error != null): false diff --git a/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/policy.yaml b/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/policy.yaml new file mode 100644 index 000000000000..8afa58827f7a --- /dev/null +++ b/test/conformance/chainsaw/cli/apply/apply-on-cluster-scoped-resources/policy.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-binding-system-groups +spec: + validationFailureAction: Enforce + background: true + rules: + - name: restrict-masters + match: + any: + - resources: + kinds: + - RoleBinding + - ClusterRoleBinding + validate: + message: "Binding to system:masters is not allowed." + pattern: + roleRef: + name: "!system:masters" \ No newline at end of file From 7c730aee6f65b17cdaf4dc845e7bc5b695db4bb9 Mon Sep 17 00:00:00 2001 
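Review bot: Nothing in this test deletes the bindings that step-01 and step-02 create with `kubectl create` inside `script` blocks. The ClusterRoleBinding is cluster-scoped, so it outlives the test namespace, and a second run against the same cluster would presumably fail with AlreadyExists. A `cleanup` (or `finally`) script such as `kubectl delete clusterrolebinding clusterrolebinding --ignore-not-found` would keep the test repeatable. The `kubectl create rolebinding` call has no `-n`, so the binding lands in the kubeconfig's default namespace instead of the test's own; `-n $NAMESPACE` would scope it, assuming chainsaw exports that variable to scripts here. The step names also skip from `step-02` to `step-04`.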
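Review bot: The `restrict-masters` rule checks `roleRef.name`, but `system:masters` is a group and so would appear under `subjects`, not as the name of the referenced Role or ClusterRole. As written, the pattern rejects a binding to a role called `system:masters`, which is not what the message describes. For a fixture whose only job is to make `kyverno apply --cluster` visit namespaced and cluster-scoped bindings this does not change the result, but a comment at the top of the file saying it is a test fixture and not a usable policy would stop it being copied as one. The file also has no trailing newline.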
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 15:50:53 +0800 Subject: [PATCH 37/44] chore(deps): bump sigstore/scaffolding from 0.7.4 to 0.7.5 (#10744) Bumps [sigstore/scaffolding](https://github.com/sigstore/scaffolding) from 0.7.4 to 0.7.5. - [Release notes](https://github.com/sigstore/scaffolding/releases) - [Changelog](https://github.com/sigstore/scaffolding/blob/main/release.md) - [Commits](https://github.com/sigstore/scaffolding/compare/26f31cb72ca848bb0273fcbd7a4ebf187ec4d711...634364a897dff805b1a26ab18abaefe379616785) --- updated-dependencies: - dependency-name: sigstore/scaffolding dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/conformance.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 2a26feaac5a9..5f9efdf6361d 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -646,7 +646,7 @@ jobs: uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster and setup Sigstore Scaffolding - uses: sigstore/scaffolding/actions/setup@26f31cb72ca848bb0273fcbd7a4ebf187ec4d711 + uses: sigstore/scaffolding/actions/setup@634364a897dff805b1a26ab18abaefe379616785 with: version: main k8s-version: ${{ matrix.k8s-version.version }} From 70c1dc6a06da1b8b4190dcb037359a8e70fc59c0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 08:40:45 +0000 Subject: [PATCH 38/44] chore(deps): bump github.com/onsi/gomega from 1.33.1 to 1.34.0 (#10732) Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.33.1 to 1.34.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.33.1...v1.34.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index b62b059e0675..b551b1ea1aa3 100644 --- a/go.mod +++ b/go.mod @@ -37,7 +37,7 @@ require ( github.com/notaryproject/notation-core-go v1.0.3 github.com/notaryproject/notation-go v1.1.1 github.com/onsi/ginkgo v1.16.5 - github.com/onsi/gomega v1.33.1 + github.com/onsi/gomega v1.34.0 github.com/opencontainers/go-digest v1.0.0 github.com/opencontainers/image-spec v1.1.0 github.com/pkg/errors v0.9.1 diff --git a/go.sum b/go.sum index e50f2870413d..adcfd12f90e1 100644 --- a/go.sum +++ b/go.sum 
@@ -692,14 +692,14 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= -github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= -github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= -github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= -github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/onsi/gomega v1.34.0 h1:eSSPsPNp6ZpsG8X1OVmOTxig+CblTc4AxpPBykhe2Os= +github.com/onsi/gomega v1.34.0/go.mod h1:MIKI8c+f+QLWk+hxbePD4i0LMJSExPaZOVfkoex4cAo= github.com/open-policy-agent/gatekeeper/v3 v3.14.0 h1:bQV5temnG6lQHk0Bm7paT2T3oV5cZqtjp4MjiWwiKrE= github.com/open-policy-agent/gatekeeper/v3 v3.14.0/go.mod h1:F8UlPaPg/6TuZcVoYLj1+1ptnxOCOxKyasEIv4IzSOs= github.com/open-policy-agent/opa v0.61.0 h1:nhncQ2CAYtQTV/SMBhDDPsCpCQsUW+zO/1j+T5V7oZg= From c2646f7a9db6656903e89b5edb70448fc88670a3 Mon Sep 17 00:00:00 2001 From: Khaled Emara Date: Mon, 29 Jul 2024 14:57:20 +0300 Subject: [PATCH 39/44] feat(json): reduce reliance on `DocumentToUntyped()` (#10724) 
Signed-off-by: Khaled Emara Co-authored-by: Mariam Fahmy --- api/kyverno/v1/common_types.go | 25 +++++++++++++++++-- api/kyverno/v1/zz_generated.deepcopy.go | 6 ++--- docs/user/crd/index.html | 8 ++---- docs/user/crd/kyverno.v1.html | 4 +-- .../kyverno/v1/variable.go | 12 ++++----- pkg/engine/context/loaders/variable.go | 12 ++++----- pkg/engine/jsonutils/convert.go | 5 ++++ pkg/validation/policy/validate.go | 4 +-- 8 files changed, 48 insertions(+), 28 deletions(-) diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index cee5da6d7160..15b4a2662e23 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -4,6 +4,7 @@ import ( "encoding/json" "fmt" + "github.com/kyverno/kyverno/api/kyverno" "github.com/kyverno/kyverno/pkg/engine/variables/regex" "github.com/kyverno/kyverno/pkg/pss/utils" "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest" @@ -119,7 +120,9 @@ type ContextEntry struct { type Variable struct { // Value is any arbitrary JSON object representable in YAML or JSON form. // +optional - Value *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + Value *kyverno.Any `json:"value,omitempty" yaml:"value,omitempty"` // JMESPath is an optional JMESPath Expression that can be used to // transform the variable. 
@@ -129,7 +132,25 @@ type Variable struct { // Default is an optional arbitrary JSON object that the variable may take if the JMESPath // expression evaluates to nil // +optional - Default *apiextv1.JSON `json:"default,omitempty" yaml:"default,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + Default *kyverno.Any `json:"default,omitempty" yaml:"default,omitempty"` +} + +func (v *Variable) GetValue() any { + return kyverno.FromAny(v.Value) +} + +func (v *Variable) SetValue(in any) { + v.Value = kyverno.ToAny(in) +} + +func (v *Variable) GetDefault() any { + return kyverno.FromAny(v.Default) +} + +func (v *Variable) SetDefault(in any) { + v.Default = kyverno.ToAny(in) } // ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 571a9df4910a..478a57f7e7a1 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -1678,13 +1678,11 @@ func (in *Variable) DeepCopyInto(out *Variable) { *out = *in if in.Value != nil { in, out := &in.Value, &out.Value - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } if in.Default != nil { in, out := &in.Default, &out.Default - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } return } diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index d755e58da8c8..f87b0056b501 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -4593,9 +4593,7 @@

Variable value
-
-Kubernetes apiextensions/v1.JSON - +github.com/kyverno/kyverno/api/kyverno.Any @@ -4620,9 +4618,7 @@

Variable default
- -Kubernetes apiextensions/v1.JSON - +github.com/kyverno/kyverno/api/kyverno.Any diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html index 0b7d70cb9dbc..2ef4588bd35a 100644 --- a/docs/user/crd/kyverno.v1.html +++ b/docs/user/crd/kyverno.v1.html @@ -9213,7 +9213,7 @@

Variable - k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + github.com/kyverno/kyverno/api/kyverno.Any @@ -9268,7 +9268,7 @@

Variable - k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + github.com/kyverno/kyverno/api/kyverno.Any diff --git a/pkg/client/applyconfigurations/kyverno/v1/variable.go b/pkg/client/applyconfigurations/kyverno/v1/variable.go index 53c44723b52f..59f292479663 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/variable.go +++ b/pkg/client/applyconfigurations/kyverno/v1/variable.go @@ -19,15 +19,15 @@ limitations under the License. package v1 import ( - v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + kyverno "github.com/kyverno/kyverno/api/kyverno" ) // VariableApplyConfiguration represents an declarative configuration of the Variable type for use // with apply. type VariableApplyConfiguration struct { - Value *v1.JSON `json:"value,omitempty"` - JMESPath *string `json:"jmesPath,omitempty"` - Default *v1.JSON `json:"default,omitempty"` + Value *kyverno.Any `json:"value,omitempty"` + JMESPath *string `json:"jmesPath,omitempty"` + Default *kyverno.Any `json:"default,omitempty"` } // VariableApplyConfiguration constructs an declarative configuration of the Variable type for use with @@ -39,7 +39,7 @@ func Variable() *VariableApplyConfiguration { // WithValue sets the Value field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Value field is set to the value of the last call. -func (b *VariableApplyConfiguration) WithValue(value v1.JSON) *VariableApplyConfiguration { +func (b *VariableApplyConfiguration) WithValue(value kyverno.Any) *VariableApplyConfiguration { b.Value = &value return b } 
@@ -55,7 +55,7 @@ func (b *VariableApplyConfiguration) WithJMESPath(value string) *VariableApplyCo // WithDefault sets the Default field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Default field is set to the value of the last call. -func (b *VariableApplyConfiguration) WithDefault(value v1.JSON) *VariableApplyConfiguration { +func (b *VariableApplyConfiguration) WithDefault(value kyverno.Any) *VariableApplyConfiguration { b.Default = &value return b } diff --git a/pkg/engine/context/loaders/variable.go b/pkg/engine/context/loaders/variable.go index 22e002464d79..270f9890455b 100644 --- a/pkg/engine/context/loaders/variable.go +++ b/pkg/engine/context/loaders/variable.go 
@@ -62,24 +62,24 @@ func (vl *variableLoader) loadVariable() (err error) { } var defaultValue interface{} = nil - if entry.Variable.Default != nil { - value, err := jsonutils.DocumentToUntyped(entry.Variable.Default) + if entry.Variable.GetDefault() != nil { + value, err := jsonutils.DocumentToUntyped(entry.Variable.GetDefault()) if err != nil { return fmt.Errorf("invalid default for variable %s", entry.Name) } defaultValue, err = variables.SubstituteAll(logger, ctx, value) if err != nil { - return fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.Variable.Default, err) + return fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.Variable.GetDefault(), err) } logger.V(4).Info("evaluated default value", "variable name", entry.Name, "jmespath", defaultValue) } var output interface{} = defaultValue - if entry.Variable.Value != nil { - value, _ := jsonutils.DocumentToUntyped(entry.Variable.Value) + if entry.Variable.GetValue() != nil { + value, _ := jsonutils.DocumentToUntyped(entry.Variable.GetValue()) variable, err := variables.SubstituteAll(logger, ctx, value) if err != nil { - return fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.Variable.Value, err) + return fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.Variable.GetValue(), err) } if path != "" { variable, err := applyJMESPath(vl.jp, path, variable) diff --git a/pkg/engine/jsonutils/convert.go b/pkg/engine/jsonutils/convert.go index 6b38dfc77679..64b9d6d1f55c 100644 --- a/pkg/engine/jsonutils/convert.go +++ b/pkg/engine/jsonutils/convert.go 
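Review bot: The value path still discards the conversion error in `value, _ := jsonutils.DocumentToUntyped(entry.Variable.GetValue())`, while the default path a few lines above returns `invalid default for variable %s` for the same failure; a value that cannot be converted then reaches `SubstituteAll` with no diagnostic. I would handle it the same way: `value, err := jsonutils.DocumentToUntyped(entry.Variable.GetValue())` followed by `if err != nil { return fmt.Errorf("invalid value for variable %s", entry.Name) }`. Since `GetValue()` and `GetDefault()` now return `any`, the `%s` verbs that print them in the two substitution error messages should become `%v`, otherwise non-string values are rendered as `%!s(...)`. `loadVariable` starts and ends outside the hunk.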
@@ -7,6 +7,11 @@ var json = jsoniter.ConfigCompatibleWithStandardLibrary // DocumentToUntyped converts a typed object to JSON data // i.e. string, []interface{}, map[string]interface{} func DocumentToUntyped(doc interface{}) (interface{}, error) { + switch doc.(type) { + case string, []any, map[string]any: + return doc, nil + } + jsonDoc, err := json.Marshal(doc) if err != nil { return nil, err diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go index 6a550913cc09..359e013e96af 100644 --- a/pkg/validation/policy/validate.go +++ b/pkg/validation/policy/validate.go @@ -1303,10 +1303,10 @@ func validateVariable(entry kyvernov1.ContextEntry) error { return fmt.Errorf("failed to parse JMESPath %s: %v", entry.Variable.JMESPath, err) } } - if entry.Variable.Value == nil && jmesPath == "" { + if entry.Variable.GetValue() == nil && jmesPath == "" { return fmt.Errorf("a variable must define a value or a jmesPath expression") } - if entry.Variable.Default != nil && jmesPath == "" { + if entry.Variable.GetDefault() != nil && jmesPath == "" { return fmt.Errorf("a variable must define a default value only when a jmesPath expression is defined") } return nil From 0aeb32df3b88b7f8b886697eddda5b8d614b229a Mon Sep 17 00:00:00 2001 From: Khaled Emara Date: Mon, 29 Jul 2024 16:46:11 +0300 Subject: [PATCH 40/44] feat(autogen): use static bytes instead of string (#10723) Signed-off-by: Khaled Emara Co-authored-by: Mariam Fahmy --- pkg/autogen/autogen.go | 17 ++------ pkg/autogen/autogen_test.go | 4 +- pkg/autogen/rule.go | 81 ++++++++++++++++++++++++------------- 3 files changed, 58 insertions(+), 44 deletions(-) diff --git a/pkg/autogen/autogen.go b/pkg/autogen/autogen.go index 4d6db9f2bfde..ebeced6693e1 100644 --- a/pkg/autogen/autogen.go +++ b/pkg/autogen/autogen.go 
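Review bot: The new fast path returns `doc` itself for `string`, `[]any` and `map[string]any`, where the marshal/unmarshal round trip used to hand back a fresh copy; a caller that modifies the result in place would now be modifying its own input, which for the variable loader is the value stored on the policy. The hunk does not show whether `SubstituteAll` or other callers mutate what they are given, so that needs checking, and the contract belongs in the doc comment, e.g. `// Values that are already untyped are returned as-is, not copied; callers must not modify the result.` The fast path also skips normalisation of nested values: a `map[string]any` holding an `int` or a `[]string` is no longer converted to `float64` / `[]any`. The function body continues outside the hunk.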
@@ -1,9 +1,9 @@ package autogen import ( + "encoding/json" "strings" - jsoniter "github.com/json-iterator/go" "github.com/kyverno/kyverno/api/kyverno" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" @@ -190,23 +190,14 @@ func generateRules(spec *kyvernov1.Spec, controllers string) []kyvernov1.Rule { } func convertRule(rule kyvernoRule, kind string) (*kyvernov1.Rule, error) { - json := jsoniter.ConfigCompatibleWithStandardLibrary - if bytes, err := json.Marshal(rule); err != nil { return nil, err } else { - bytes = updateGenRuleByte(bytes, kind) - if err := json.Unmarshal(bytes, &rule); err != nil { - return nil, err - } - // CEL variables are object, oldObject, request, params and authorizer. // Therefore CEL expressions can be either written as object.spec or request.object.spec - if rule.Validation != nil && rule.Validation.CEL != nil { - bytes = updateCELFields(bytes, kind) - if err := json.Unmarshal(bytes, &rule); err != nil { - return nil, err - } + bytes = updateFields(bytes, kind, rule.Validation != nil && rule.Validation.CEL != nil) + if err := json.Unmarshal(bytes, &rule); err != nil { + return nil, err } } diff --git a/pkg/autogen/autogen_test.go b/pkg/autogen/autogen_test.go index 6c5523aec46f..b7c70283bbae 100644 --- a/pkg/autogen/autogen_test.go +++ b/pkg/autogen/autogen_test.go @@ -343,7 +343,7 @@ func TestUpdateGenRuleByte(t *testing.T) { }, } for _, tt := range tests { - got := updateGenRuleByte(tt.pbyte, tt.kind) + got := updateFields(tt.pbyte, tt.kind, false) if !reflect.DeepEqual(got, tt.want) { t.Errorf("updateGenRuleByte() = %v, want %v", string(got), string(tt.want)) } @@ -384,7 +384,7 @@ func TestUpdateCELFields(t *testing.T) { }, } for _, tt := range tests { - got := updateCELFields(tt.pbyte, tt.kind) + got := updateFields(tt.pbyte, tt.kind, true) if !reflect.DeepEqual(got, tt.want) { t.Errorf("updateCELFields() = %v, want %v", string(got), string(tt.want)) } 
diff --git a/pkg/autogen/rule.go b/pkg/autogen/rule.go index 07c97fdf5a13..698bfe2010b1 100644 --- a/pkg/autogen/rule.go +++ b/pkg/autogen/rule.go @@ -1,6 +1,7 @@ package autogen import ( + "bytes" "sort" "strings" 
@@ -312,34 +313,56 @@ func generateCronJobRule(rule *kyvernov1.Rule, controllers string) *kyvernov1.Ru ) } -func updateGenRuleByte(pbyte []byte, kind string) (obj []byte) { - if kind == "Pod" { - obj = []byte(strings.ReplaceAll(string(pbyte), "request.object.spec", "request.object.spec.template.spec")) - obj = []byte(strings.ReplaceAll(string(obj), "request.oldObject.spec", "request.oldObject.spec.template.spec")) - obj = []byte(strings.ReplaceAll(string(obj), "request.object.metadata", "request.object.spec.template.metadata")) - obj = []byte(strings.ReplaceAll(string(obj), "request.oldObject.metadata", "request.oldObject.spec.template.metadata")) - } - if kind == "Cronjob" { - obj = []byte(strings.ReplaceAll(string(pbyte), "request.object.spec", "request.object.spec.jobTemplate.spec.template.spec")) - obj = []byte(strings.ReplaceAll(string(obj), "request.oldObject.spec", "request.oldObject.spec.jobTemplate.spec.template.spec")) - obj = []byte(strings.ReplaceAll(string(obj), "request.object.metadata", "request.object.spec.jobTemplate.spec.template.metadata")) - obj = []byte(strings.ReplaceAll(string(obj), "request.oldObject.metadata", "request.oldObject.spec.jobTemplate.spec.template.metadata")) - } - return obj -} +var ( + podReplacementRules [][2][]byte = [][2][]byte{ + {[]byte("request.object.spec"), []byte("request.object.spec.template.spec")}, + {[]byte("request.oldObject.spec"), []byte("request.oldObject.spec.template.spec")}, + {[]byte("request.object.metadata"), []byte("request.object.spec.template.metadata")}, + {[]byte("request.oldObject.metadata"), []byte("request.oldObject.spec.template.metadata")}, + } + podCELReplacementRules [][2][]byte = [][2][]byte{ + {[]byte("object.spec"), []byte("object.spec.template.spec")}, + {[]byte("oldObject.spec"), []byte("oldObject.spec.template.spec")}, + {[]byte("object.metadata"), []byte("object.spec.template.metadata")}, + {[]byte("oldObject.metadata"), []byte("oldObject.spec.template.metadata")}, + } + 
cronJobReplacementRules [][2][]byte = [][2][]byte{ + {[]byte("request.object.spec"), []byte("request.object.spec.jobTemplate.spec.template.spec")}, + {[]byte("request.oldObject.spec"), []byte("request.oldObject.spec.jobTemplate.spec.template.spec")}, + {[]byte("request.object.metadata"), []byte("request.object.spec.jobTemplate.spec.template.metadata")}, + {[]byte("request.oldObject.metadata"), []byte("request.oldObject.spec.jobTemplate.spec.template.metadata")}, + } + cronJobCELReplacementRules [][2][]byte = [][2][]byte{ + {[]byte("object.spec"), []byte("object.spec.jobTemplate.spec.template.spec")}, + {[]byte("oldObject.spec"), []byte("oldObject.spec.jobTemplate.spec.template.spec")}, + {[]byte("object.metadata"), []byte("object.spec.jobTemplate.spec.template.metadata")}, + {[]byte("oldObject.metadata"), []byte("oldObject.spec.jobTemplate.spec.template.metadata")}, + } +) + +func updateFields(data []byte, kind string, cel bool) []byte { + switch kind { + case "Pod": + if cel { + for _, replacement := range podCELReplacementRules { + data = bytes.ReplaceAll(data, replacement[0], replacement[1]) + } + } else { + for _, replacement := range podReplacementRules { + data = bytes.ReplaceAll(data, replacement[0], replacement[1]) + } + } + case "Cronjob": + if cel { + for _, replacement := range cronJobCELReplacementRules { + data = bytes.ReplaceAll(data, replacement[0], replacement[1]) + } + } else { + for _, replacement := range cronJobReplacementRules { + data = bytes.ReplaceAll(data, replacement[0], replacement[1]) + } + } + } -func updateCELFields(pbyte []byte, kind string) (obj []byte) { - if kind == "Pod" { - obj = []byte(strings.ReplaceAll(string(pbyte), "object.spec", "object.spec.template.spec")) - obj = []byte(strings.ReplaceAll(string(obj), "oldObject.spec", "oldObject.spec.template.spec")) - obj = []byte(strings.ReplaceAll(string(obj), "object.metadata", "object.spec.template.metadata")) - obj = []byte(strings.ReplaceAll(string(obj), "oldObject.metadata", 
"oldObject.spec.template.metadata")) - } - if kind == "Cronjob" { - obj = []byte(strings.ReplaceAll(string(pbyte), "object.spec", "object.spec.jobTemplate.spec.template.spec")) - obj = []byte(strings.ReplaceAll(string(obj), "oldObject.spec", "oldObject.spec.jobTemplate.spec.template.spec")) - obj = []byte(strings.ReplaceAll(string(obj), "object.metadata", "object.spec.jobTemplate.spec.template.metadata")) - obj = []byte(strings.ReplaceAll(string(obj), "oldObject.metadata", "oldObject.spec.jobTemplate.spec.template.metadata")) - } - return obj + return data } From 6aba51564d441f0cb36fd35c4ca67bb6e0068015 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 15:20:44 +0000 Subject: [PATCH 41/44] chore(deps): bump github/codeql-action from 3.25.14 to 3.25.15 (#10743) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.14 to 3.25.15. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/5cf07d8b700b67e235fbb65cbc84f69c0cf10464...afb54ba388a7dca6ecae48f608c4ff05ff4cc77a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index d38393ec157a..35958bcd639c 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml 
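Review bot: `updateFields` repeats the same `bytes.ReplaceAll` loop four times, once per table; choosing the table first and looping once is shorter and makes it plain that an unknown `kind` returns `data` unchanged. The explicit `[][2][]byte` type on each `var` is redundant next to the composite literal. The function also needs a doc comment saying that this is a plain byte substitution over the marshalled rule: it rewrites every occurrence of a path, including ones inside message strings, and applying it twice nests the template path twice, so it must run exactly once per generated rule.

```go
func updateFields(data []byte, kind string, cel bool) []byte {
	var rules [][2][]byte
	switch {
	case kind == "Pod" && cel:
		rules = podCELReplacementRules
	case kind == "Pod":
		rules = podReplacementRules
	case kind == "Cronjob" && cel:
		rules = cronJobCELReplacementRules
	case kind == "Cronjob":
		rules = cronJobReplacementRules
	}
	for _, r := range rules {
		data = bytes.ReplaceAll(data, r[0], r[1])
	}
	return data
}
```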
@@ -40,6 +40,6 @@ jobs: path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # v3.25.14 + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 with: sarif_file: results.sarif From 7232d8e57e8fef1081a7294e091c7f278bb1e0d4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jul 2024 16:18:20 +0000 Subject: [PATCH 42/44] chore(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0 (#10742) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.3 to 2.4.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/dc50aa9510b46c811795eb24b2f1ba02a914e534...62b2cac7ed8198b15735ed49ab1e5cf35480ba46) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/scorecard.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 35958bcd639c..798e0fe53e35 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -27,7 +27,7 @@ jobs: with: persist-credentials: false - name: Run analysis - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif From 74e17cc6294de9fa2a0a106037cb029bf9e9f1d0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jul 2024 16:45:14 +0800 Subject: [PATCH 43/44] chore(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 (#10746) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.0.1 to 6.1.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/a4f60bb28d35aeee14e6880718e0c85ff1882e64...aaa42aa0628b4ae2578232a66b541047968fac86) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index ed94164bcb56..0e678289c3c8 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -33,7 +33,7 @@ jobs: uses: ./.github/actions/setup-build-env timeout-minutes: 10 - name: golangci-lint - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v3.7.1 + uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v3.7.1 with: version: v1.54.2 skip-cache: true From d17375204111a88f6425ce09d98b9fb9d4be0af2 Mon Sep 17 00:00:00 2001 From: Khaled Emara Date: Tue, 30 Jul 2024 13:52:41 +0300 Subject: [PATCH 44/44] feat(json): unmarshal once per policy (#10701) 
Signed-off-by: Khaled Emara Co-authored-by: Mariam Fahmy Co-authored-by: shuting --- api/kyverno/v1/common_types.go | 22 ++- api/kyverno/v1/wrappers.go | 79 ++++++++++ api/kyverno/v1/zz_generated.deepcopy.go | 6 +- docs/user/crd/index.html | 78 +++++++++- docs/user/crd/kyverno.v1.html | 140 +++++++++++++++++- .../kyverno/v1/foreachmutation.go | 4 +- .../kyverno/v1/foreachvalidation.go | 5 +- pkg/engine/forceMutate.go | 13 +- pkg/engine/handlers/mutation/common.go | 11 +- .../handlers/validation/validate_resource.go | 12 +- pkg/policy/mutate/validate.go | 16 +- pkg/policy/validate/validate.go | 2 +- pkg/utils/api/json.go | 16 -- pkg/validation/policy/validate.go | 18 +-- 14 files changed, 345 insertions(+), 77 deletions(-) create mode 100644 api/kyverno/v1/wrappers.go diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 15b4a2662e23..5592dabb307d 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -427,7 +427,16 @@ type ForEachMutation struct { // Foreach declares a nested foreach iterator // +optional - ForEachMutation *apiextv1.JSON `json:"foreach,omitempty" yaml:"foreach,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + ForEachMutation *ForEachMutationWrapper `json:"foreach,omitempty" yaml:"foreach,omitempty"` +} + +func (m *ForEachMutation) GetForEachMutation() []ForEachMutation { + if m.ForEachMutation == nil { + return nil + } + return m.ForEachMutation.Items } func (m *ForEachMutation) GetPatchStrategicMerge() apiextensions.JSON { 
@@ -690,7 +699,16 @@ type ForEachValidation struct { // Foreach declares a nested foreach iterator // +optional - ForEachValidation *apiextv1.JSON `json:"foreach,omitempty" yaml:"foreach,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + ForEachValidation *ForEachValidationWrapper `json:"foreach,omitempty" yaml:"foreach,omitempty"` +} + +func (v *ForEachValidation) GetForEachValidation() []ForEachValidation { + if v.ForEachValidation == nil { + return nil + } + return v.ForEachValidation.Items } func (v *ForEachValidation) GetPattern() apiextensions.JSON { diff --git a/api/kyverno/v1/wrappers.go b/api/kyverno/v1/wrappers.go new file mode 100644 index 000000000000..710bfd0dcccc --- /dev/null +++ b/api/kyverno/v1/wrappers.go 
@@ -0,0 +1,79 @@
+package v1
+
+import (
+ "encoding/json"
+
+ "github.com/jinzhu/copier"
+)
+
+// ForEachValidationWrapper contains a list of ForEach descriptors.
+// +k8s:deepcopy-gen=false
+type ForEachValidationWrapper struct {
+ // Item is a descriptor on how to iterate over the list of items.
+ // +optional
+ Items []ForEachValidation `json:"-"`
+}
+
+func (in *ForEachValidationWrapper) DeepCopyInto(out *ForEachValidationWrapper) {
+ if err := copier.Copy(out, in); err != nil {
+ panic("deep copy failed")
+ }
+}
+
+func (in *ForEachValidationWrapper) DeepCopy() *ForEachValidationWrapper {
+ if in == nil {
+ return nil
+ }
+ out := new(ForEachValidationWrapper)
+ in.DeepCopyInto(out)
+ return out
+}
+
+func (a *ForEachValidationWrapper) MarshalJSON() ([]byte, error) {
+ return json.Marshal(a.Items)
+}
+
+func (a *ForEachValidationWrapper) UnmarshalJSON(data []byte) error {
+ var res []ForEachValidation
+ if err := json.Unmarshal(data, &res); err != nil {
+ return err
+ }
+ a.Items = res
+ return nil
+}
+
+// ForEachMutationWrapper contains a list of ForEach descriptors.
+// +k8s:deepcopy-gen=false
+type ForEachMutationWrapper struct {
+ // Item is a descriptor on how to iterate over the list of items.
+ // +optional
+ Items []ForEachMutation `json:"-"`
+}
+
+func (in *ForEachMutationWrapper) DeepCopyInto(out *ForEachMutationWrapper) {
+ if err := copier.Copy(out, in); err != nil {
+ panic("deep copy failed")
+ }
+}
+
+func (in *ForEachMutationWrapper) DeepCopy() *ForEachMutationWrapper {
+ if in == nil {
+ return nil
+ }
+ out := new(ForEachMutationWrapper)
+ in.DeepCopyInto(out)
+ return out
+}
+
+func (a *ForEachMutationWrapper) MarshalJSON() ([]byte, error) {
+ return json.Marshal(a.Items)
+}
+
+func (a *ForEachMutationWrapper) UnmarshalJSON(data []byte) error {
+ var res []ForEachMutation
+ if err := json.Unmarshal(data, &res); err != nil {
+ return err
+ }
+ a.Items = res
+ return nil
+}
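Review bot: `DeepCopyInto` on both wrappers delegates to `copier.Copy`, which as far as I know copies nested pointer fields by reference unless its deep-copy option is enabled. If so, the copy of `Items` may still share pointer fields, such as the nested `foreach` wrapper, with the original. Callers rely on DeepCopy to keep cached policy objects from being mutated, so aliasing here would defeat that protection, and the `panic("deep copy failed")` discards the underlying error as well. The element types already have generated `DeepCopyInto` methods (see zz_generated.deepcopy.go in this patch), so both wrappers can copy element by element without the extra dependency or a panic path.

```go
func (in *ForEachValidationWrapper) DeepCopyInto(out *ForEachValidationWrapper) {
	if in.Items == nil {
		out.Items = nil
		return
	}
	out.Items = make([]ForEachValidation, len(in.Items))
	for i := range in.Items {
		in.Items[i].DeepCopyInto(&out.Items[i])
	}
}

// … unchanged: DeepCopy, MarshalJSON, UnmarshalJSON for both wrappers …

func (in *ForEachMutationWrapper) DeepCopyInto(out *ForEachMutationWrapper) {
	if in.Items == nil {
		out.Items = nil
		return
	}
	out.Items = make([]ForEachMutation, len(in.Items))
	for i := range in.Items {
		in.Items[i].DeepCopyInto(&out.Items[i])
	}
}
```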
diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 478a57f7e7a1..a2e740189167 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -565,8 +565,7 @@ func (in *ForEachMutation) DeepCopyInto(out *ForEachMutation) { } if in.ForEachMutation != nil { in, out := &in.ForEachMutation, &out.ForEachMutation - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } return } @@ -618,8 +617,7 @@ func (in *ForEachValidation) DeepCopyInto(out *ForEachValidation) { } if in.ForEachValidation != nil { in, out := &in.ForEachValidation, &out.ForEachValidation - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } return } diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index f87b0056b501..13d4807a30bd 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -1615,6 +1615,7 @@

ForEachMutation

(Appears on: +ForEachMutationWrapper, Mutation)

@@ -1718,8 +1719,8 @@

ForEachMutation foreach
- -Kubernetes apiextensions/v1.JSON + +ForEachMutationWrapper @@ -1731,10 +1732,45 @@

ForEachMutation
+

ForEachMutationWrapper +

+

+(Appears on: +ForEachMutation) +

+

+

ForEachMutationWrapper contains a list of ForEach descriptors.

+

+ + + + + + + + + + + + + +
FieldDescription
+-
+ + +[]ForEachMutation + + +
+(Optional) +

Item is a descriptor on how to iterate over the list of items.

+
+

ForEachValidation

(Appears on: +ForEachValidationWrapper, Validation, Validation)

@@ -1852,8 +1888,8 @@

ForEachValidation foreach
- -Kubernetes apiextensions/v1.JSON + +ForEachValidationWrapper @@ -1865,6 +1901,40 @@

ForEachValidation
+

ForEachValidationWrapper +

+

+(Appears on: +ForEachValidation) +

+

+

ForEachValidationWrapper contains a list of ForEach descriptors.

+

+ + + + + + + + + + + + + +
FieldDescription
+-
+ + +[]ForEachValidation + + +
+(Optional) +

Item is a descriptor on how to iterate over the list of items.

+
+

ForeachOrder (string alias)

diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html index 2ef4588bd35a..dc349e3865e7 100644 --- a/docs/user/crd/kyverno.v1.html +++ b/docs/user/crd/kyverno.v1.html @@ -3318,6 +3318,7 @@

ForEachMutation

(Appears in: + ForEachMutationWrapper, Mutation)

@@ -3529,7 +3530,9 @@

ForEachMutation - k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + ForEachMutationWrapper + @@ -3548,6 +3551,71 @@

ForEachMutation + + + + +

ForEachMutationWrapper +

+ + +

+ (Appears in: + ForEachMutation) +

+ + +

ForEachMutationWrapper contains a list of ForEach descriptors.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
- + +
+ + + + + + []ForEachMutation + + + +
+ + +

Item is a descriptor on how to iterate over the list of items.

+ + + + + +
@@ -3558,6 +3626,7 @@

ForEachValidation

(Appears in: + ForEachValidationWrapper, Validation)

@@ -3795,7 +3864,9 @@

ForEachValidation - k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + ForEachValidationWrapper + @@ -3814,6 +3885,71 @@

ForEachValidation + + + + +

ForEachValidationWrapper +

+ + +

+ (Appears in: + ForEachValidation) +

+ + +

ForEachValidationWrapper contains a list of ForEach descriptors.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
- + +
+ + + + + + []ForEachValidation + + + +
+ + +

Item is a descriptor on how to iterate over the list of items.

+ + + + + +
diff --git a/pkg/client/applyconfigurations/kyverno/v1/foreachmutation.go b/pkg/client/applyconfigurations/kyverno/v1/foreachmutation.go index 96df14f47951..d6f56a66968a 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/foreachmutation.go +++ b/pkg/client/applyconfigurations/kyverno/v1/foreachmutation.go @@ -32,7 +32,7 @@ type ForEachMutationApplyConfiguration struct { AnyAllConditions *AnyAllConditionsApplyConfiguration `json:"preconditions,omitempty"` RawPatchStrategicMerge *apiextensionsv1.JSON `json:"patchStrategicMerge,omitempty"` PatchesJSON6902 *string `json:"patchesJson6902,omitempty"` - ForEachMutation *apiextensionsv1.JSON `json:"foreach,omitempty"` + ForEachMutation *v1.ForEachMutationWrapper `json:"foreach,omitempty"` } // ForEachMutationApplyConfiguration constructs an declarative configuration of the ForEachMutation type for use with @@ -97,7 +97,7 @@ func (b *ForEachMutationApplyConfiguration) WithPatchesJSON6902(value string) *F // WithForEachMutation sets the ForEachMutation field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the ForEachMutation field is set to the value of the last call. -func (b *ForEachMutationApplyConfiguration) WithForEachMutation(value apiextensionsv1.JSON) *ForEachMutationApplyConfiguration { +func (b *ForEachMutationApplyConfiguration) WithForEachMutation(value v1.ForEachMutationWrapper) *ForEachMutationApplyConfiguration { b.ForEachMutation = &value return b } diff --git a/pkg/client/applyconfigurations/kyverno/v1/foreachvalidation.go b/pkg/client/applyconfigurations/kyverno/v1/foreachvalidation.go index c18cd3240c0b..04bf1f4f8b96 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/foreachvalidation.go +++ b/pkg/client/applyconfigurations/kyverno/v1/foreachvalidation.go 
@@ -19,6 +19,7 @@ limitations under the License. package v1 import ( + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" ) @@ -32,7 +33,7 @@ type ForEachValidationApplyConfiguration struct { RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"` RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"` Deny *DenyApplyConfiguration `json:"deny,omitempty"` - ForEachValidation *apiextensionsv1.JSON `json:"foreach,omitempty"` + ForEachValidation *kyvernov1.ForEachValidationWrapper `json:"foreach,omitempty"` } // ForEachValidationApplyConfiguration constructs an declarative configuration of the ForEachValidation type for use with @@ -105,7 +106,7 @@ func (b *ForEachValidationApplyConfiguration) WithDeny(value *DenyApplyConfigura // WithForEachValidation sets the ForEachValidation field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the ForEachValidation field is set to the value of the last call. -func (b *ForEachValidationApplyConfiguration) WithForEachValidation(value apiextensionsv1.JSON) *ForEachValidationApplyConfiguration { +func (b *ForEachValidationApplyConfiguration) WithForEachValidation(value kyvernov1.ForEachValidationWrapper) *ForEachValidationApplyConfiguration { b.ForEachValidation = &value return b } diff --git a/pkg/engine/forceMutate.go b/pkg/engine/forceMutate.go index e6ca6edd1148..741de18b117c 100644 --- a/pkg/engine/forceMutate.go +++ b/pkg/engine/forceMutate.go 
@@ -1,15 +1,12 @@ package engine import ( - "fmt" - "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/engine/context" "github.com/kyverno/kyverno/pkg/engine/internal" "github.com/kyverno/kyverno/pkg/engine/mutate" "github.com/kyverno/kyverno/pkg/engine/variables" - "github.com/kyverno/kyverno/pkg/utils/api" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) @@ -64,13 +61,9 @@ func ForceMutate( func applyForEachMutate(name string, foreach []kyvernov1.ForEachMutation, resource unstructured.Unstructured, logger logr.Logger) (patchedResource unstructured.Unstructured, err error) { patchedResource = resource for _, fe := range foreach { - if fe.ForEachMutation != nil { - nestedForEach, err := api.DeserializeJSONArray[kyvernov1.ForEachMutation](fe.ForEachMutation) - if err != nil { - return patchedResource, fmt.Errorf("failed to deserialize foreach: %w", err) - } - - return applyForEachMutate(name, nestedForEach, patchedResource, logger) + fem := fe.GetForEachMutation() + if len(fem) > 0 { + return applyForEachMutate(name, fem, patchedResource, logger) } patchedResource, err = applyPatches(fe.GetPatchStrategicMerge(), fe.PatchesJSON6902, patchedResource, logger) diff --git a/pkg/engine/handlers/mutation/common.go b/pkg/engine/handlers/mutation/common.go index 4ba5609068ce..5ac473daca07 100644 --- a/pkg/engine/handlers/mutation/common.go +++ b/pkg/engine/handlers/mutation/common.go @@ -11,7 +11,6 @@ import ( "github.com/kyverno/kyverno/pkg/engine/internal" "github.com/kyverno/kyverno/pkg/engine/mutate" engineutils "github.com/kyverno/kyverno/pkg/engine/utils" - "github.com/kyverno/kyverno/pkg/utils/api" datautils "github.com/kyverno/kyverno/pkg/utils/data" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) 
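Review bot: In `applyForEachMutate`, the `return applyForEachMutate(name, fem, patchedResource, logger)` inside the loop returns as soon as one entry has a nested `foreach`, so any later entries of `foreach` appear never to be applied. The early return is carried over from the old code, but it sits on the rewritten lines. If skipping the remaining entries is not intended, assign and continue instead: `patchedResource, err = applyForEachMutate(name, fem, patchedResource, logger)`, then `if err != nil { return patchedResource, err }` and `continue`. Switching the guard from `!= nil` to `len(fem) > 0` also means an empty nested list now falls through to `applyPatches` rather than recursing. The function body continues outside the hunk.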
@@ -110,18 +109,14 @@ func (f *forEachMutator) mutateElements(ctx context.Context, foreach kyvernov1.F } var mutateResp *mutate.Response - if foreach.ForEachMutation != nil { - nestedForEach, err := api.DeserializeJSONArray[kyvernov1.ForEachMutation](foreach.ForEachMutation) - if err != nil { - return mutate.NewErrorResponse("failed to deserialize foreach", err) - } - + fem := foreach.GetForEachMutation() + if len(fem) > 0 { m := &forEachMutator{ rule: f.rule, policyContext: f.policyContext, resource: patchedResource, logger: f.logger, - foreach: nestedForEach, + foreach: fem, nesting: f.nesting + 1, contextLoader: f.contextLoader, } diff --git a/pkg/engine/handlers/validation/validate_resource.go b/pkg/engine/handlers/validation/validate_resource.go index f181fcbc676b..bcb5299c91f8 100644 --- a/pkg/engine/handlers/validation/validate_resource.go +++ b/pkg/engine/handlers/validation/validate_resource.go @@ -16,7 +16,6 @@ import ( engineutils "github.com/kyverno/kyverno/pkg/engine/utils" "github.com/kyverno/kyverno/pkg/engine/validate" "github.com/kyverno/kyverno/pkg/engine/variables" - "github.com/kyverno/kyverno/pkg/utils/api" datautils "github.com/kyverno/kyverno/pkg/utils/data" stringutils "github.com/kyverno/kyverno/pkg/utils/strings" "github.com/pkg/errors" @@ -103,9 +102,12 @@ func newForEachValidator( if err != nil { return nil, fmt.Errorf("failed to convert ruleCopy.Validation.ForEachValidation.AnyAllConditions: %w", err) } - nestedForEach, err := api.DeserializeJSONArray[kyvernov1.ForEachValidation](foreach.ForEachValidation) - if err != nil { - return nil, fmt.Errorf("failed to convert ruleCopy.Validation.ForEachValidation.AnyAllConditions: %w", err) + var loopItems []kyvernov1.ForEachValidation + fev := foreach.GetForEachValidation() + if len(fev) > 0 { + loopItems = fev + } else { + loopItems = make([]kyvernov1.ForEachValidation, 0) } return &validator{ log: log, 
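Review bot: The `if len(fev) > 0 { loopItems = fev } else { loopItems = make(...) }` block in `newForEachValidator` only turns a nil slice into an empty one. Unless something downstream distinguishes nil from empty (not visible in this hunk), the getter result can be used directly, e.g. `loopItems := foreach.GetForEachValidation()`, since `len` and `range` are both safe on a nil slice. The function starts and ends outside the hunk.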
@@ -117,7 +119,7 @@ func newForEachValidator( pattern: foreach.GetPattern(), anyPattern: foreach.GetAnyPattern(), deny: foreach.Deny, - forEach: nestedForEach, + forEach: loopItems, nesting: nesting, }, nil } diff --git a/pkg/policy/mutate/validate.go b/pkg/policy/mutate/validate.go index 320916f19606..4d7f221a29f6 100644 --- a/pkg/policy/mutate/validate.go +++ b/pkg/policy/mutate/validate.go @@ -8,10 +8,8 @@ import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/engine/variables/regex" "github.com/kyverno/kyverno/pkg/policy/auth" - "github.com/kyverno/kyverno/pkg/utils/api" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" "go.uber.org/multierr" - v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" ) // Mutate provides implementation to validate 'mutate' rule @@ -55,12 +53,13 @@ func (m *Mutate) Validate(ctx context.Context) (string, error) { func (m *Mutate) validateForEach(tag string, foreach []kyvernov1.ForEachMutation) (string, error) { for i, fe := range foreach { tag = tag + fmt.Sprintf("foreach[%d]", i) - if fe.ForEachMutation != nil { + fem := fe.GetForEachMutation() + if len(fem) > 0 { if fe.Context != nil || fe.AnyAllConditions != nil || fe.PatchesJSON6902 != "" || fe.RawPatchStrategicMerge != nil { return tag, fmt.Errorf("a nested foreach cannot contain other declarations") } - return m.validateNestedForEach(tag, fe.ForEachMutation) + return m.validateNestedForEach(tag, fem) } psm := fe.GetPatchStrategicMerge() 
@@ -72,13 +71,12 @@ func (m *Mutate) validateForEach(tag string, foreach []kyvernov1.ForEachMutation return "", nil } -func (m *Mutate) validateNestedForEach(tag string, j *v1.JSON) (string, error) { - nestedForeach, err := api.DeserializeJSONArray[kyvernov1.ForEachMutation](j) - if err != nil { - return tag, fmt.Errorf("invalid foreach syntax: %w", err) +func (m *Mutate) validateNestedForEach(tag string, j []kyvernov1.ForEachMutation) (string, error) { + if j != nil { + return m.validateForEach(tag, j) } - return m.validateForEach(tag, nestedForeach) + return "", nil } func (m *Mutate) hasForEach() bool { diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go index fa0a079fc2dd..49e6282df3d3 100644 --- a/pkg/policy/validate/validate.go +++ b/pkg/policy/validate/validate.go @@ -204,7 +204,7 @@ func foreachElemCount(foreach kyvernov1.ForEachValidation) int { count++ } - if foreach.ForEachValidation != nil { + if foreach.GetForEachValidation() != nil && len(foreach.GetForEachValidation()) > 0 { count++ } diff --git a/pkg/utils/api/json.go b/pkg/utils/api/json.go index 3f3d3f9703ed..9fdc9fa6c7a5 100644 --- a/pkg/utils/api/json.go +++ b/pkg/utils/api/json.go @@ -8,22 +8,6 @@ import ( "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" ) -// Deserialize "apiextensions.JSON" to a typed array -func DeserializeJSONArray[T any](in apiextensions.JSON) ([]T, error) { - if in == nil { - return nil, nil - } - data, err := json.Marshal(in) - if err != nil { - return nil, err - } - var res []T - if err := json.Unmarshal(data, &res); err != nil { - return nil, err - } - return res, nil -} - // ApiextensionsJsonToKyvernoConditions takes in user-provided conditions in abstract apiextensions.JSON form // and converts it into []kyverno.Condition or kyverno.AnyAllConditions according to its content. // it also helps in validating the condtions as it returns an error when the conditions are provided wrongfully by the user. 
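Review bot: `validateNestedForEach` can no longer report malformed nested `foreach` content, because the old `invalid foreach syntax` error is gone and the function now only forwards to `validateForEach`. A bad nested entry is presumably rejected earlier, when the wrapper's `UnmarshalJSON` decodes the policy, and without the `tag` path in the message. A test that submits a policy whose nested `foreach` is not an array would confirm the user still gets a clear rejection at admission. The `if j != nil` guard duplicates the caller's `len(fem) > 0` check, and `j` is a leftover name from the JSON parameter; `foreach` would read better.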
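Review bot: In `foreachElemCount` the condition `foreach.GetForEachValidation() != nil && len(foreach.GetForEachValidation()) > 0` calls the getter twice, and the nil test is redundant because `len` of a nil slice is 0. `if len(foreach.GetForEachValidation()) > 0 {` expresses the same check. The function starts and ends outside the hunk.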
diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go index 359e013e96af..ead41c3d5231 100644 --- a/pkg/validation/policy/validate.go +++ b/pkg/validation/policy/validate.go @@ -1002,12 +1002,9 @@ func validateValidationForEach(foreach []kyvernov1.ForEachValidation, schemaKey } } } - if fe.ForEachValidation != nil { - nestedForEach, err := apiutils.DeserializeJSONArray[kyvernov1.ForEachValidation](fe.ForEachValidation) - if err != nil { - return schemaKey, err - } - if path, err := validateValidationForEach(nestedForEach, schemaKey); err != nil { + fev := fe.GetForEachValidation() + if len(fev) > 0 { + if path, err := validateValidationForEach(fev, schemaKey); err != nil { return fmt.Sprintf("%s.%s", schemaKey, path), err } } @@ -1022,12 +1019,9 @@ func validateMutationForEach(foreach []kyvernov1.ForEachMutation, schemaKey stri return fmt.Sprintf("%s.%s", schemaKey, path), err } } - if fe.ForEachMutation != nil { - nestedForEach, err := apiutils.DeserializeJSONArray[kyvernov1.ForEachMutation](fe.ForEachMutation) - if err != nil { - return schemaKey, err - } - if path, err := validateMutationForEach(nestedForEach, schemaKey); err != nil { + fem := fe.GetForEachMutation() + if len(fem) > 0 { + if path, err := validateMutationForEach(fem, schemaKey); err != nil { return fmt.Sprintf("%s.%s", schemaKey, path), err } }