diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 946da7f68fef..bbfdc7d5f024 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -642,7 +642,7 @@ jobs: - name: Install crane uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 - name: Install chainsaw uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 # create cluster diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 28cdd6b13b7a..09bb05332dbd 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -36,6 +36,6 @@ jobs: free-disk-space: false - name: Run FOSSA analysis if: steps.checksecret.outputs.result == 'true' - uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3 + uses: fossas/fossa-action@09bcf127dc0ccb4b5a023f6f906728878e8610ba # v1.4.0 with: api-key: ${{ secrets.FOSSA_API_KEY }} diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 41b8c37245b8..8edfaa23dc56 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -70,7 +70,7 @@ jobs: version: v3.10.3 - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Set version run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV diff --git a/.github/workflows/images-publish.yaml b/.github/workflows/images-publish.yaml index 3bd54fd9be09..0a3671f7c71d 100644 --- a/.github/workflows/images-publish.yaml +++ b/.github/workflows/images-publish.yaml 
@@ -48,7 +48,7 @@ jobs: output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Publish kyverno id: publish-kyverno uses: ./.github/actions/publish-image diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 72d487649df4..a81c461f133b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -43,7 +43,7 @@ jobs: output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Publish kyverno id: release-kyverno uses: ./.github/actions/publish-image @@ -243,7 +243,7 @@ jobs: timeout-minutes: 30 - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0 - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Make Release env: VERSION: ${{ github.ref_name }} @@ -282,7 +282,7 @@ jobs: with: version: 0.35.0 - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Build yaml manifest run: VERSION=${{ github.ref_name }} make codegen-manifest-release - name: Upload install manifest diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 798e0fe53e35..21f3c228e449 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml 
@@ -40,6 +40,6 @@ jobs: path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 with: sarif_file: results.sarif diff --git a/api/kyverno/v1/clusterpolicy_types.go b/api/kyverno/v1/clusterpolicy_types.go index 5fc98022a37d..f7088bfd56eb 100644 --- a/api/kyverno/v1/clusterpolicy_types.go +++ b/api/kyverno/v1/clusterpolicy_types.go @@ -17,7 +17,6 @@ import ( // +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno // +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" // +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction" // +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" // +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 7feba87b711d..209245e9a414 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -392,10 +392,6 @@ func (m *Mutation) SetPatchStrategicMerge(in apiextensions.JSON) { m.RawPatchStrategicMerge = ToJSON(in) } -func (m *Mutation) IsMutateExistingOnPolicyUpdate() *bool { - return m.MutateExistingOnPolicyUpdate -} - // ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. type ForEachMutation struct { // List specifies a JMESPath expression that results in one or more elements 
@@ -422,7 +418,9 @@ type ForEachMutation struct { // See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ // and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. // +optional - RawPatchStrategicMerge *apiextv1.JSON `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + RawPatchStrategicMerge *kyverno.Any `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"` // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. // See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. 
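Review bot: The `+kubebuilder:validation:Schemaless` and `+kubebuilder:pruning:PreserveUnknownFields` markers on `RawPatchStrategicMerge` switch off structural validation and pruning for this field in the generated CRD, so the API server accepts any JSON under `patchStrategicMerge` and its shape is only checked when Kyverno itself validates or applies the policy; that trade-off deserves a line in the field comment, e.g. `// Not validated by the CRD schema; the content is checked when the policy is validated and applied.` The same markers are added to the `RawAnyAllConditions` fields of `Deny`, `TargetResourceSpec` and `Rule` in later hunks. The package providing the new `*kyverno.Any` type is not imported in any hunk shown here, so I assume that change is outside this view. The enclosing `ForEachMutation` struct starts and ends outside the hunk.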
@@ -443,22 +441,22 @@ func (m *ForEachMutation) GetForEachMutation() []ForEachMutation { return m.ForEachMutation.Items } -func (m *ForEachMutation) GetPatchStrategicMerge() apiextensions.JSON { - return FromJSON(m.RawPatchStrategicMerge) +func (m *ForEachMutation) GetPatchStrategicMerge() any { + return kyverno.FromAny(m.RawPatchStrategicMerge) } -func (m *ForEachMutation) SetPatchStrategicMerge(in apiextensions.JSON) { - m.RawPatchStrategicMerge = ToJSON(in) +func (m *ForEachMutation) SetPatchStrategicMerge(in any) { + m.RawPatchStrategicMerge = kyverno.ToAny(in) } // Validation defines checks to be performed on matching resources. type Validation struct { // ValidationFailureAction defines if a validation policy rule violation should block - // the admission review request (enforce), or allow (audit) the admission review request + // the admission review request (Enforce), or allow (Audit) the admission review request // and report an error in a policy report. Optional. - // Allowed values are audit or enforce. + // Allowed values are Audit or Enforce. // +optional - // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce + // +kubebuilder:validation:Enum=Audit;Enforce ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction 
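Review bot: Narrowing the enum on `ValidationFailureAction` to `Audit;Enforce` drops the lowercase `audit`/`enforce` spellings the previous marker accepted, so policies already stored with those values will fail CRD validation on their next update and manifests written for older releases will be rejected at admission. If that is intended it should be stated in the field comment, e.g. `// The lowercase spellings audit/enforce are no longer accepted.`, otherwise keep them in the enum and normalise in code. The same narrowing is made in `api/kyverno/v2beta1/common_types.go`. The `Validation` struct continues outside the hunk.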
@@ -658,15 +656,24 @@ type Deny struct { // of conditions (without `any` or `all` statements) is also supported for backwards compatibility // but will be deprecated in the next major release. // See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - RawAnyAllConditions *apiextv1.JSON `json:"conditions,omitempty" yaml:"conditions,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + RawAnyAllConditions *ConditionsWrapper `json:"conditions,omitempty" yaml:"conditions,omitempty"` } -func (d *Deny) GetAnyAllConditions() apiextensions.JSON { - return FromJSON(d.RawAnyAllConditions) +func (d *Deny) GetAnyAllConditions() any { + if d.RawAnyAllConditions == nil { + return nil + } + return d.RawAnyAllConditions.Conditions } -func (d *Deny) SetAnyAllConditions(in apiextensions.JSON) { - d.RawAnyAllConditions = ToJSON(in) +func (d *Deny) SetAnyAllConditions(in any) { + var new *ConditionsWrapper + if in != nil { + new = &ConditionsWrapper{in} + } + d.RawAnyAllConditions = new } // ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. @@ -776,10 +783,6 @@ type Generation struct { CloneList CloneList `json:"cloneList,omitempty" yaml:"cloneList,omitempty"` } -func (g *Generation) IsGenerateExisting() *bool { - return g.GenerateExisting -} - type CloneList struct { // Namespace specifies source resource namespace. Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index 473cbd5b05af..30925a772cd0 100644 --- a/api/kyverno/v1/image_verification_types.go +++ b/api/kyverno/v1/image_verification_types.go 
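Review bot: `Deny.SetAnyAllConditions` declares a local named `new`, which shadows Go's predeclared `new` builtin for the rest of the function; it compiles, but linters flag it and it reads badly. Renaming fixes it: `var wrapper *ConditionsWrapper` / `wrapper = &ConditionsWrapper{Conditions: in}` / `d.RawAnyAllConditions = wrapper`; the keyed literal also keeps the line correct if a field is ever added to `ConditionsWrapper` before `Conditions`. The same pattern appears in `Rule.SetAnyAllConditions` in `api/kyverno/v1/rule_types.go`.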
@@ -40,6 +40,11 @@ var signatureAlgorithmMap = map[string]bool{ // are signed with the supplied public key. Once the image is verified it is // mutated to include the SHA digest retrieved during the registration. type ImageVerification struct { + // Allowed values are Audit or Enforce. + // +optional + // +kubebuilder:validation:Enum=Audit;Enforce + ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + // Type specifies the method of signature validation. The allowed options // are Cosign and Notary. By default Cosign is used if a type is not specified. // +kubebuilder:validation:Optional diff --git a/api/kyverno/v1/policy_types.go b/api/kyverno/v1/policy_types.go index 9b012f588b61..29941d8ab1c4 100644 --- a/api/kyverno/v1/policy_types.go +++ b/api/kyverno/v1/policy_types.go @@ -15,7 +15,6 @@ import ( // +kubebuilder:subresource:status // +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" // +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction" // +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" // +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 diff --git a/api/kyverno/v1/resource_spec_types.go b/api/kyverno/v1/resource_spec_types.go index b3e701673c0d..16e2e766e868 100644 --- a/api/kyverno/v1/resource_spec_types.go +++ b/api/kyverno/v1/resource_spec_types.go @@ -3,8 +3,6 @@ package v1 import ( "strings" - "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" - apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/types" ) 
@@ -54,9 +52,14 @@ type TargetResourceSpec struct { // will be deprecated in the next major release. // See: https://kyverno.io/docs/writing-policies/preconditions/ // +optional - RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty" yaml:"preconditions,omitempty"` } -func (r *TargetResourceSpec) GetAnyAllConditions() apiextensions.JSON { - return FromJSON(r.RawAnyAllConditions) +func (r *TargetResourceSpec) GetAnyAllConditions() any { + if r.RawAnyAllConditions == nil { + return nil + } + return r.RawAnyAllConditions.Conditions } diff --git a/api/kyverno/v1/rule_types.go b/api/kyverno/v1/rule_types.go index 6d1eee9b7fac..5a9a457430fa 100644 --- a/api/kyverno/v1/rule_types.go +++ b/api/kyverno/v1/rule_types.go @@ -8,8 +8,6 @@ import ( "github.com/kyverno/kyverno/pkg/pss/utils" datautils "github.com/kyverno/kyverno/pkg/utils/data" admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1" - "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" - apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" ) @@ -76,7 +74,9 @@ type Rule struct { // will be deprecated in the next major release. // See: https://kyverno.io/docs/writing-policies/preconditions/ // +optional - RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty" yaml:"preconditions,omitempty"` // CELPreconditions are used to determine if a policy rule should be applied by evaluating a // set of CEL conditions. It can only be used with the validate.cel subrule 
@@ -160,6 +160,11 @@ func (r *Rule) HasValidateCEL() bool { return r.Validation.CEL != nil && !datautils.DeepEqual(r.Validation.CEL, &CEL{}) } +// HasValidateAssert checks for validate.assert rule +func (r *Rule) HasValidateAssert() bool { + return !datautils.DeepEqual(r.Validation.Assert, AssertionTree{}) +} + // HasValidate checks for validate rule func (r *Rule) HasValidate() bool { return !datautils.DeepEqual(r.Validation, Validation{}) @@ -181,12 +186,19 @@ func (r *Rule) GetTypeAndSyncAndOrphanDownstream() (_ GenerateType, sync bool, o return r.Generation.GetTypeAndSyncAndOrphanDownstream() } -func (r *Rule) GetAnyAllConditions() apiextensions.JSON { - return FromJSON(r.RawAnyAllConditions) +func (r *Rule) GetAnyAllConditions() any { + if r.RawAnyAllConditions == nil { + return nil + } + return r.RawAnyAllConditions.Conditions } -func (r *Rule) SetAnyAllConditions(in apiextensions.JSON) { - r.RawAnyAllConditions = ToJSON(in) +func (r *Rule) SetAnyAllConditions(in any) { + var new *ConditionsWrapper + if in != nil { + new = &ConditionsWrapper{in} + } + r.RawAnyAllConditions = new } // ValidateRuleType checks only one type of rule is defined per rule diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index f34a848f01bf..901cf0f6514d 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go @@ -171,6 +171,19 @@ func (s *Spec) HasValidate() bool { return false } +// HasValidateEnforce checks if the policy has any validate rules with enforce action +func (s *Spec) HasValidateEnforce() bool { + for _, rule := range s.Rules { + if rule.HasValidate() { + action := rule.Validation.ValidationFailureAction + if action != nil && action.Enforce() { + return true + } + } + } + return s.ValidationFailureAction.Enforce() +} + // HasGenerate checks for generate rule types func (s *Spec) HasGenerate() bool { for _, rule := range s.Rules { 
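Review bot: `HasValidateEnforce` in `spec_types.go` falls back to `s.ValidationFailureAction.Enforce()` unconditionally, so it returns true when the policy has no validate rule at all, and also when every validate rule explicitly sets `Audit` while the spec-level action is `Enforce`. If the rule-level action is meant to override the spec-level one (which the removed `GetValidationFailureAction` implied), the spec-level fallback should apply only to validate rules that leave `validationFailureAction` unset; the doc comment "any validate rules with enforce action" matches that per-rule reading rather than the current code. The same function is added to `api/kyverno/v2beta1/spec_types.go`.
```go
func (s *Spec) HasValidateEnforce() bool {
	for _, rule := range s.Rules {
		if !rule.HasValidate() {
			continue
		}
		action := rule.Validation.ValidationFailureAction
		if action == nil {
			// no rule-level override: the spec-level action applies to this rule
			if s.ValidationFailureAction.Enforce() {
				return true
			}
			continue
		}
		if action.Enforce() {
			return true
		}
	}
	return false
}
```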
@@ -228,58 +241,29 @@ func (s *Spec) BackgroundProcessingEnabled() bool { return *s.Background } -// GetValidationFailureAction returns the value of the validationFailureAction -func (s *Spec) GetValidationFailureAction() ValidationFailureAction { - for _, rule := range s.Rules { - if rule.HasValidate() { - validationFailureAction := rule.Validation.ValidationFailureAction - if validationFailureAction != nil { - return *validationFailureAction - } - } - } - return s.ValidationFailureAction -} - -// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides -func (s *Spec) GetValidationFailureActionOverrides() []ValidationFailureActionOverride { - for _, rule := range s.Rules { - if rule.HasValidate() { - validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides - if len(validationFailureActionOverrides) != 0 { - return validationFailureActionOverrides - } - } - } - return s.ValidationFailureActionOverrides -} - -// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value +// GetMutateExistingOnPolicyUpdate returns true if any of the rules have MutateExistingOnPolicyUpdate set to true func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { for _, rule := range s.Rules { if rule.HasMutate() { - isMutateExisting := rule.Mutation.IsMutateExistingOnPolicyUpdate() - if isMutateExisting != nil { - return *isMutateExisting + isMutateExisting := rule.Mutation.MutateExistingOnPolicyUpdate + if isMutateExisting != nil && *isMutateExisting { + return true } } } return s.MutateExistingOnPolicyUpdate } -// IsGenerateExisting return GenerateExisting set value +// IsGenerateExisting returns true if any of the generate rules has generateExisting set to true func (s *Spec) IsGenerateExisting() bool { for _, rule := range s.Rules { if rule.HasGenerate() { - isGenerateExisting := rule.Generation.IsGenerateExisting() - if isGenerateExisting != nil { - return *isGenerateExisting + isGenerateExisting := 
rule.Generation.GenerateExisting + if isGenerateExisting != nil && *isGenerateExisting { + return true } } } - if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate { - return true - } return s.GenerateExisting } 
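Review bot: `GetMutateExistingOnPolicyUpdate` and `IsGenerateExisting` no longer let a rule-level `false` override a spec-level `true`: the loops now return early only on an explicit `true`, so a rule that sets `generateExisting: false` (or `mutateExistingOnPolicyUpdate: false`) still yields true when the spec-level field is set. If "any rule or spec" is the intended semantics the new doc comments describe it correctly, but callers that relied on the previous first-explicit-value behaviour should be checked. Dropping the `GenerateExistingOnPolicyUpdate` check from `IsGenerateExisting` also means a policy already stored with that deprecated field set will be evaluated differently after upgrade, since `validateDeprecatedFields` only rejects it on the next write; a comment such as `// spec.generateExistingOnPolicyUpdate is deprecated and no longer consulted here.` would make that explicit. The same changes are made in `api/kyverno/v2beta1/spec_types.go`.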
@@ -353,31 +337,19 @@ func (s *Spec) validateDeprecatedFields(path *field.Path) (errs field.ErrorList) errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead")) } - for _, rule := range s.Rules { - if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil { - if s.GenerateExistingOnPolicyUpdate != nil { - errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - if s.GenerateExisting { - errs = append(errs, field.Forbidden(path.Child("generateExisting"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - } - - if rule.HasMutate() && rule.Mutation.IsMutateExistingOnPolicyUpdate() != nil { - if s.MutateExistingOnPolicyUpdate { - errs = append(errs, field.Forbidden(path.Child("mutateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.mutate[*].mutateExistingOnPolicyUpdate instead")) - } - } + if s.GenerateExistingOnPolicyUpdate != nil { + errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) } return errs } func (s *Spec) validateMutateTargets(path *field.Path) (errs field.ErrorList) { - if s.GetMutateExistingOnPolicyUpdate() { - for i, rule := range s.Rules { - if !rule.HasMutate() { - continue - } + for i, rule := range s.Rules { + if !rule.HasMutate() { + continue + } + mutateExisting := rule.Mutation.MutateExistingOnPolicyUpdate + if s.MutateExistingOnPolicyUpdate || (mutateExisting != nil && *mutateExisting) { if len(rule.Mutation.Targets) == 0 { errs = append(errs, field.Forbidden(path.Child("mutateExistingOnPolicyUpdate"), fmt.Sprintf("rules[%v].mutate.targets has to be specified when mutateExistingOnPolicyUpdate is set", i))) } 
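Review bot: In `validateMutateTargets` the `field.Forbidden` error is always reported at `path.Child("mutateExistingOnPolicyUpdate")`, the spec-level field, but the new condition also fires when only `rules[i].mutate.mutateExistingOnPolicyUpdate` is set, in which case the user never set the spec-level field and the reported path is misleading. Reporting the rule's own path in that case would be clearer, e.g. `field.Forbidden(path.Child("rules").Index(i).Child("mutate").Child("targets"), "mutate.targets has to be specified when mutateExistingOnPolicyUpdate is set")`. Separately, `validateDeprecatedFields` no longer forbids spec-level `generateExisting` or `mutateExistingOnPolicyUpdate` when a rule sets its own flag, so if those remain deprecated the rule-level/spec-level conflict is now unreported. The same code is added to `api/kyverno/v2beta1/spec_types.go`; `validateMutateTargets` continues past the hunk.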
diff --git a/api/kyverno/v1/wrappers.go b/api/kyverno/v1/wrappers.go index 710bfd0dcccc..4ea7542f3387 100644 --- a/api/kyverno/v1/wrappers.go +++ b/api/kyverno/v1/wrappers.go @@ -2,6 +2,7 @@ package v1 import ( "encoding/json" + "fmt" "github.com/jinzhu/copier" ) @@ -77,3 +78,48 @@ func (a *ForEachMutationWrapper) UnmarshalJSON(data []byte) error { a.Items = res return nil } + +// ConditionsWrapper contains either the deprecated list of Conditions or the new AnyAll Conditions. +// +k8s:deepcopy-gen=false +type ConditionsWrapper struct { + // Conditions is a list of conditions that must be satisfied for the rule to be applied. + // +optional + Conditions any `json:"-"` +} + +func (in *ConditionsWrapper) DeepCopyInto(out *ConditionsWrapper) { + if err := copier.Copy(out, in); err != nil { + panic("deep copy failed") + } +} + +func (in *ConditionsWrapper) DeepCopy() *ConditionsWrapper { + if in == nil { + return nil + } + out := new(ConditionsWrapper) + in.DeepCopyInto(out) + return out +} + +func (a *ConditionsWrapper) MarshalJSON() ([]byte, error) { + return json.Marshal(a.Conditions) +} + +func (a *ConditionsWrapper) UnmarshalJSON(data []byte) error { + var err error + + var kyvernoOldConditions []Condition + if err = json.Unmarshal(data, &kyvernoOldConditions); err == nil { + a.Conditions = kyvernoOldConditions + return nil + } + + var kyvernoAnyAllConditions AnyAllConditions + if err = json.Unmarshal(data, &kyvernoAnyAllConditions); err == nil { + a.Conditions = kyvernoAnyAllConditions + return nil + } + + return fmt.Errorf("failed to unmarshal Conditions") +} diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 09859606a299..c6feffb85c66 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go 
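Review bot: `ConditionsWrapper.UnmarshalJSON` assigns `err` from both decode attempts but the final `return fmt.Errorf("failed to unmarshal Conditions")` discards it, so a malformed `conditions`/`preconditions` block produces a message with no hint of what was wrong; wrap the last error instead: `return fmt.Errorf("failed to unmarshal Conditions: %w", err)`. Note also that `json.Unmarshal` of a JSON `null` into `[]Condition` succeeds, so `conditions: null` leaves `Conditions` holding a nil `[]Condition` rather than a nil interface, which matters for callers comparing the getter result against nil. `DeepCopyInto` likewise panics with a fixed message and drops the copier error.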
@@ -506,8 +506,7 @@ func (in *Deny) DeepCopyInto(out *Deny) { *out = *in if in.RawAnyAllConditions != nil { in, out := &in.RawAnyAllConditions, &out.RawAnyAllConditions - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } return } @@ -560,8 +559,7 @@ func (in *ForEachMutation) DeepCopyInto(out *ForEachMutation) { } if in.RawPatchStrategicMerge != nil { in, out := &in.RawPatchStrategicMerge, &out.RawPatchStrategicMerge - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } if in.ForEachMutation != nil { in, out := &in.ForEachMutation, &out.ForEachMutation @@ -795,6 +793,11 @@ func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(ValidationFailureAction) + **out = **in + } if in.ImageReferences != nil { in, out := &in.ImageReferences, &out.ImageReferences *out = make([]string, len(*in)) @@ -1324,8 +1327,7 @@ func (in *Rule) DeepCopyInto(out *Rule) { } if in.RawAnyAllConditions != nil { in, out := &in.RawAnyAllConditions, &out.RawAnyAllConditions - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } if in.CELPreconditions != nil { in, out := &in.CELPreconditions, &out.CELPreconditions @@ -1517,8 +1519,7 @@ func (in *TargetResourceSpec) DeepCopyInto(out *TargetResourceSpec) { } if in.RawAnyAllConditions != nil { in, out := &in.RawAnyAllConditions, &out.RawAnyAllConditions - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } return } diff --git a/api/kyverno/v2beta1/clusterpolicy_types.go b/api/kyverno/v2beta1/clusterpolicy_types.go index 2cfa7dee3ed6..89086a2f3716 100644 
--- a/api/kyverno/v2beta1/clusterpolicy_types.go +++ b/api/kyverno/v2beta1/clusterpolicy_types.go @@ -18,7 +18,6 @@ import ( // +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno // +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" // +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction" // +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" // +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 diff --git a/api/kyverno/v2beta1/common_types.go b/api/kyverno/v2beta1/common_types.go index d2848ee00b7e..bce28ac00e6b 100644 --- a/api/kyverno/v2beta1/common_types.go +++ b/api/kyverno/v2beta1/common_types.go @@ -12,11 +12,11 @@ type AssertionTree = kjson.Any // Validation defines checks to be performed on matching resources. type Validation struct { // ValidationFailureAction defines if a validation policy rule violation should block - // the admission review request (enforce), or allow (audit) the admission review request + // the admission review request (Enforce), or allow (Audit) the admission review request // and report an error in a policy report. Optional. - // Allowed values are audit or enforce. + // Allowed values are Audit or Enforce. // +optional - // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce + // +kubebuilder:validation:Enum=Audit;Enforce ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction 
diff --git a/api/kyverno/v2beta1/image_verification_types.go b/api/kyverno/v2beta1/image_verification_types.go index 5ec162086d43..d6a270c5b0e5 100644 --- a/api/kyverno/v2beta1/image_verification_types.go +++ b/api/kyverno/v2beta1/image_verification_types.go @@ -9,6 +9,11 @@ import ( // are signed with the supplied public key. Once the image is verified it is // mutated to include the SHA digest retrieved during the registration. type ImageVerification struct { + // Allowed values are Audit or Enforce. + // +optional + // +kubebuilder:validation:Enum=Audit;Enforce + ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + // Type specifies the method of signature validation. The allowed options // are Cosign and Notary. By default Cosign is used if a type is not specified. // +kubebuilder:validation:Optional diff --git a/api/kyverno/v2beta1/match_resources_types.go b/api/kyverno/v2beta1/match_resources_types.go index 7b6ace8ad13a..d3a3c995b662 100644 --- a/api/kyverno/v2beta1/match_resources_types.go +++ b/api/kyverno/v2beta1/match_resources_types.go @@ -18,6 +18,14 @@ type MatchResources struct { All kyvernov1.ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"` } +// GetResourceFilters returns all resource filters +func (m *MatchResources) GetResourceFilters() kyvernov1.ResourceFilters { + var filters kyvernov1.ResourceFilters + filters = append(filters, m.All...) + filters = append(filters, m.Any...) + return filters +} + // GetKinds returns all kinds func (m *MatchResources) GetKinds() []string { var kinds []string diff --git a/api/kyverno/v2beta1/policy_types.go b/api/kyverno/v2beta1/policy_types.go index a0acbabe371b..0d3a62675dd8 100644 --- a/api/kyverno/v2beta1/policy_types.go +++ b/api/kyverno/v2beta1/policy_types.go 
@@ -16,7 +16,6 @@ import ( // +kubebuilder:subresource:status // +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" // +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="VALIDATE ACTION",type=string,JSONPath=".spec.validationFailureAction" // +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" // +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go index 2d1d7f883d3c..11f72bf2b33b 100644 --- a/api/kyverno/v2beta1/spec_types.go +++ b/api/kyverno/v2beta1/spec_types.go @@ -135,6 +135,19 @@ func (s *Spec) HasValidate() bool { return false } +// HasValidateEnforce checks if the policy has any validate rules with enforce action +func (s *Spec) HasValidateEnforce() bool { + for _, rule := range s.Rules { + if rule.HasValidate() { + action := rule.Validation.ValidationFailureAction + if action != nil && action.Enforce() { + return true + } + } + } + return s.ValidationFailureAction.Enforce() +} + // HasGenerate checks for generate rule types func (s *Spec) HasGenerate() bool { for _, rule := range s.Rules { 
@@ -197,58 +210,29 @@ func (s *Spec) BackgroundProcessingEnabled() bool { return *s.Background } -// GetValidationFailureAction returns the value of the validationFailureAction -func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction { - for _, rule := range s.Rules { - if rule.HasValidate() { - validationFailureAction := rule.Validation.ValidationFailureAction - if validationFailureAction != nil { - return *validationFailureAction - } - } - } - return s.ValidationFailureAction -} - -// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides -func (s *Spec) GetValidationFailureActionOverrides() []kyvernov1.ValidationFailureActionOverride { - for _, rule := range s.Rules { - if rule.HasValidate() { - validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides - if len(validationFailureActionOverrides) != 0 { - return validationFailureActionOverrides - } - } - } - return s.ValidationFailureActionOverrides -} - -// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value +// GetMutateExistingOnPolicyUpdate returns true if any of the rules have MutateExistingOnPolicyUpdate set to true func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { for _, rule := range s.Rules { if rule.HasMutate() { - isMutateExisting := rule.Mutation.IsMutateExistingOnPolicyUpdate() - if isMutateExisting != nil { - return *isMutateExisting + isMutateExisting := rule.Mutation.MutateExistingOnPolicyUpdate + if isMutateExisting != nil && *isMutateExisting { + return true } } } return s.MutateExistingOnPolicyUpdate } -// IsGenerateExisting return GenerateExisting set value +// IsGenerateExisting returns true if any of the generate rules has generateExisting set to true func (s *Spec) IsGenerateExisting() bool { for _, rule := range s.Rules { if rule.HasGenerate() { - isGenerateExisting := rule.Generation.IsGenerateExisting() - if isGenerateExisting != nil { - return *isGenerateExisting + 
isGenerateExisting := rule.Generation.GenerateExisting + if isGenerateExisting != nil && *isGenerateExisting { + return true } } } - if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate { - return true - } return s.GenerateExisting } 
@@ -313,19 +297,21 @@ func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead")) } - for _, rule := range s.Rules { - if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil { - if s.GenerateExistingOnPolicyUpdate != nil { - errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - if s.GenerateExisting { - errs = append(errs, field.Forbidden(path.Child("generateExisting"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) - } - } + if s.GenerateExistingOnPolicyUpdate != nil { + errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) + } + return errs +} - if rule.HasMutate() && rule.Mutation.IsMutateExistingOnPolicyUpdate() != nil { - if s.MutateExistingOnPolicyUpdate { - errs = append(errs, field.Forbidden(path.Child("mutateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.mutate[*].mutateExistingOnPolicyUpdate instead")) +func (s *Spec) validateMutateTargets(path *field.Path) (errs field.ErrorList) { + for i, rule := range s.Rules { + if !rule.HasMutate() { + continue + } + mutateExisting := rule.Mutation.MutateExistingOnPolicyUpdate + if s.MutateExistingOnPolicyUpdate || (mutateExisting != nil && *mutateExisting) { + if len(rule.Mutation.Targets) == 0 { + errs = append(errs, field.Forbidden(path.Child("mutateExistingOnPolicyUpdate"), fmt.Sprintf("rules[%v].mutate.targets has to be specified when mutateExistingOnPolicyUpdate is set", i))) } } } 
@@ -337,6 +323,9 @@ func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace strin if err := s.ValidateDeprecatedFields(path); err != nil { errs = append(errs, err...) } + if err := s.validateMutateTargets(path); err != nil { + errs = append(errs, err...) + } if s.WebhookTimeoutSeconds != nil && (*s.WebhookTimeoutSeconds < 1 || *s.WebhookTimeoutSeconds > 30) { errs = append(errs, field.Invalid(path.Child("webhookTimeoutSeconds"), s.WebhookTimeoutSeconds, "the timeout value must be between 1 and 30 seconds")) } diff --git a/api/kyverno/v2beta1/zz_generated.deepcopy.go b/api/kyverno/v2beta1/zz_generated.deepcopy.go index d7bc15076b8a..d1151867693c 100755 --- a/api/kyverno/v2beta1/zz_generated.deepcopy.go +++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go @@ -368,6 +368,11 @@ func (in *Exception) DeepCopy() *Exception { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(v1.ValidationFailureAction) + **out = **in + } if in.ImageReferences != nil { in, out := &in.ImageReferences, &out.ImageReferences *out = make([]string, len(*in)) diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 25dbe344b173..48ed8b51d0c3 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
@@ -728,72 +728,6 @@ The chart values are organised per component. | Key | Type | Default | Description | |-----|------|---------|-------------| -| cleanupJobs.updateRequests.enabled | bool | `false` | Enable cleanup cronjob | -| cleanupJobs.updateRequests.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. | -| cleanupJobs.updateRequests.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted | -| cleanupJobs.updateRequests.image.registry | string | `nil` | Image registry | -| cleanupJobs.updateRequests.image.repository | string | `"bitnami/kubectl"` | Image repository | -| cleanupJobs.updateRequests.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted | -| cleanupJobs.updateRequests.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| cleanupJobs.updateRequests.imagePullSecrets | list | `[]` | Image pull secrets | -| cleanupJobs.updateRequests.schedule | string | `"*/10 * * * *"` | Cronjob schedule | -| cleanupJobs.updateRequests.threshold | int | `10000` | Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them | -| cleanupJobs.updateRequests.history | object | `{"failure":1,"success":1}` | Cronjob history | -| cleanupJobs.updateRequests.podSecurityContext | object | `{}` | Security context for the pod | -| cleanupJobs.updateRequests.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| cleanupJobs.updateRequests.priorityClassName | string | `""` | Pod PriorityClassName | -| cleanupJobs.updateRequests.resources | object | `{}` | Job resources | -| cleanupJobs.updateRequests.tolerations | list | `[]` | List of node taints to tolerate | -| 
cleanupJobs.updateRequests.nodeSelector | object | `{}` | Node labels for pod assignment | -| cleanupJobs.updateRequests.podAnnotations | object | `{}` | Pod Annotations | -| cleanupJobs.updateRequests.podLabels | object | `{}` | Pod labels | -| cleanupJobs.updateRequests.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| cleanupJobs.updateRequests.podAffinity | object | `{}` | Pod affinity constraints. | -| cleanupJobs.updateRequests.nodeAffinity | object | `{}` | Node affinity constraints. | -| cleanupJobs.ephemeralReports.enabled | bool | `false` | Enable cleanup cronjob | -| cleanupJobs.ephemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. | -| cleanupJobs.ephemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted | -| cleanupJobs.ephemeralReports.image.registry | string | `nil` | Image registry | -| cleanupJobs.ephemeralReports.image.repository | string | `"bitnami/kubectl"` | Image repository | -| cleanupJobs.ephemeralReports.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted | -| cleanupJobs.ephemeralReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| cleanupJobs.ephemeralReports.imagePullSecrets | list | `[]` | Image pull secrets | -| cleanupJobs.ephemeralReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule | -| cleanupJobs.ephemeralReports.threshold | int | `10000` | Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them | -| cleanupJobs.ephemeralReports.history | object | `{"failure":1,"success":1}` | Cronjob history | -| cleanupJobs.ephemeralReports.podSecurityContext | object | `{}` | Security context for the pod | -| cleanupJobs.ephemeralReports.securityContext | object | 
`{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| cleanupJobs.ephemeralReports.priorityClassName | string | `""` | Pod PriorityClassName | -| cleanupJobs.ephemeralReports.resources | object | `{}` | Job resources | -| cleanupJobs.ephemeralReports.tolerations | list | `[]` | List of node taints to tolerate | -| cleanupJobs.ephemeralReports.nodeSelector | object | `{}` | Node labels for pod assignment | -| cleanupJobs.ephemeralReports.podAnnotations | object | `{}` | Pod Annotations | -| cleanupJobs.ephemeralReports.podLabels | object | `{}` | Pod labels | -| cleanupJobs.ephemeralReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| cleanupJobs.ephemeralReports.podAffinity | object | `{}` | Pod affinity constraints. | -| cleanupJobs.ephemeralReports.nodeAffinity | object | `{}` | Node affinity constraints. | -| cleanupJobs.clusterEphemeralReports.enabled | bool | `false` | Enable cleanup cronjob | -| cleanupJobs.clusterEphemeralReports.backoffLimit | int | `3` | Maximum number of retries before considering a Job as failed. Defaults to 3. 
| -| cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished | string | `""` | Time until the pod from the cronjob is deleted | -| cleanupJobs.clusterEphemeralReports.image.registry | string | `nil` | Image registry | -| cleanupJobs.clusterEphemeralReports.image.repository | string | `"bitnami/kubectl"` | Image repository | -| cleanupJobs.clusterEphemeralReports.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted | -| cleanupJobs.clusterEphemeralReports.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| cleanupJobs.clusterEphemeralReports.imagePullSecrets | list | `[]` | Image pull secrets | -| cleanupJobs.clusterEphemeralReports.schedule | string | `"*/10 * * * *"` | Cronjob schedule | -| cleanupJobs.clusterEphemeralReports.threshold | int | `10000` | Reports threshold, if number of reports are above this value the cronjob will start deleting them | -| cleanupJobs.clusterEphemeralReports.history | object | `{"failure":1,"success":1}` | Cronjob history | -| cleanupJobs.clusterEphemeralReports.podSecurityContext | object | `{}` | Security context for the pod | -| cleanupJobs.clusterEphemeralReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| cleanupJobs.clusterEphemeralReports.priorityClassName | string | `""` | Pod PriorityClassName | -| cleanupJobs.clusterEphemeralReports.resources | object | `{}` | Job resources | -| cleanupJobs.clusterEphemeralReports.tolerations | list | `[]` | List of node taints to tolerate | -| cleanupJobs.clusterEphemeralReports.nodeSelector | object | `{}` | Node labels for pod assignment | -| cleanupJobs.clusterEphemeralReports.podAnnotations | object | `{}` | Pod Annotations | -| cleanupJobs.clusterEphemeralReports.podLabels | object | `{}` | Pod Labels | -| 
cleanupJobs.clusterEphemeralReports.podAntiAffinity | object | `{}` | Pod anti affinity constraints. | -| cleanupJobs.clusterEphemeralReports.podAffinity | object | `{}` | Pod affinity constraints. | -| cleanupJobs.clusterEphemeralReports.nodeAffinity | object | `{}` | Node affinity constraints. | ### Other diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 0181fd73bfda..6cc6fe94c0f1 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml @@ -31,9 +31,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3436,12 +3433,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -4277,6 +4272,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -7804,12 +7805,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -8658,6 +8657,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8798,9 +8803,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11975,12 +11977,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -12785,6 +12785,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -16312,12 +16318,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17166,6 +17170,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 7590f581ef6c..244acd44e166 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml @@ -31,9 +31,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3437,12 +3434,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string 
@@ -4278,6 +4273,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -7806,12 +7807,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -8660,6 +8659,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8800,9 +8805,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11978,12 +11980,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string 
@@ -12788,6 +12788,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -16315,12 +16321,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17169,6 +17173,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/charts/kyverno/ci/cleanupJobs-values.yaml b/charts/kyverno/ci/cleanupJobs-values.yaml deleted file mode 100644 index 6490a11c1d72..000000000000 --- a/charts/kyverno/ci/cleanupJobs-values.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -cleanupJobs: - ephemeralReports: - enabled: true - nodeSelector: - kubernetes.io/os: linux - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - cleanup - topologyKey: kubernetes.io/hostname - clusterEphemeralReports: - enabled: true - nodeSelector: - kubernetes.io/os: linux - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - cleanup - topologyKey: kubernetes.io/hostname diff --git a/charts/kyverno/templates/cleanup/_helpers.tpl b/charts/kyverno/templates/cleanup/_helpers.tpl deleted file mode 100644 index a1b70cb3392a..000000000000 --- a/charts/kyverno/templates/cleanup/_helpers.tpl +++ /dev/null @@ -1,9 +0,0 @@ -{{/* vim: set filetype=mustache: */}} - -{{- define "kyverno.cleanup.labels" -}} -{{- template "kyverno.labels.merge" (list - (include "kyverno.labels.common" .) - (include "kyverno.matchLabels.common" .) - (include "kyverno.labels.component" "cleanup") -) -}} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml deleted file mode 100644 index 1b8ab312e727..000000000000 --- a/charts/kyverno/templates/cleanup/cleanup-cluster-ephemeral-reports.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -{{- if .Values.cleanupJobs.clusterEphemeralReports.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ template "kyverno.name" . }}-cleanup-cluster-ephemeral-reports - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.cleanupJobs.clusterEphemeralReports.schedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.history.success }} - failedJobsHistoryLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.history.failure }} - jobTemplate: - spec: - backoffLimit: {{ .Values.cleanupJobs.clusterEphemeralReports.backoffLimit }} - {{- if .Values.cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.cleanupJobs.clusterEphemeralReports.ttlSecondsAfterFinished }} - {{- end }} - template: - metadata: - {{- with .Values.cleanupJobs.clusterEphemeralReports.podAnnotations }} - annotations: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.podLabels }} - labels: - {{- toYaml . | nindent 12 }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs - {{- with .Values.cleanupJobs.clusterEphemeralReports.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.priorityClassName }} - priorityClassName: {{ . 
}} - {{- end }} - containers: - - name: cleanup - image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.clusterEphemeralReports.image)) | quote }} - imagePullPolicy: {{ .Values.cleanupJobs.clusterEphemeralReports.image.pullPolicy }} - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get clusterephemeralreports.reports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt {{ .Values.cleanupJobs.clusterEphemeralReports.threshold }} ]; then - echo "too many clusterephemeralreports found ($COUNT), cleaning up..." - kubectl delete clusterephemeralreports.reports.kyverno.io -A --all - else - echo "($COUNT) reports found, no clean up needed" - fi - {{- with .Values.cleanupJobs.clusterEphemeralReports.securityContext }} - securityContext: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.resources }} - resources: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - restartPolicy: OnFailure - {{- with .Values.cleanupJobs.clusterEphemeralReports.tolerations | default .Values.global.tolerations}} - tolerations: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if or .Values.cleanupJobs.clusterEphemeralReports.podAntiAffinity .Values.cleanupJobs.clusterEphemeralReports.podAffinity .Values.cleanupJobs.clusterEphemeralReports.nodeAffinity }} - affinity: - {{- with .Values.cleanupJobs.clusterEphemeralReports.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.podAffinity }} - podAffinity: - {{- tpl (toYaml .) 
$ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.clusterEphemeralReports.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml deleted file mode 100644 index 33a7c5ead199..000000000000 --- a/charts/kyverno/templates/cleanup/cleanup-ephemeral-reports.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -{{- if .Values.cleanupJobs.ephemeralReports.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ template "kyverno.name" . }}-cleanup-ephemeral-reports - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.cleanupJobs.ephemeralReports.schedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: {{ .Values.cleanupJobs.ephemeralReports.history.success }} - failedJobsHistoryLimit: {{ .Values.cleanupJobs.ephemeralReports.history.failure }} - jobTemplate: - spec: - backoffLimit: {{ .Values.cleanupJobs.ephemeralReports.backoffLimit }} - {{- if .Values.cleanupJobs.ephemeralReports.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.cleanupJobs.ephemeralReports.ttlSecondsAfterFinished }} - {{- end }} - template: - metadata: - {{- with .Values.cleanupJobs.ephemeralReports.podAnnotations }} - annotations: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.podLabels }} - labels: - {{- toYaml . | nindent 12 }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs - {{- with .Values.cleanupJobs.ephemeralReports.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} - containers: - - name: cleanup - image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.ephemeralReports.image)) | quote }} - imagePullPolicy: {{ .Values.cleanupJobs.ephemeralReports.image.pullPolicy }} - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get ephemeralreports.reports.kyverno.io -A | wc -l) - if [ "$COUNT" -gt {{ .Values.cleanupJobs.ephemeralReports.threshold }} ]; then - echo "too many ephemeralreports found ($COUNT), cleaning up..." 
- kubectl delete ephemeralreports.reports.kyverno.io -A --all - else - echo "($COUNT) reports found, no clean up needed" - fi - {{- with .Values.cleanupJobs.ephemeralReports.securityContext }} - securityContext: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.resources }} - resources: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - restartPolicy: OnFailure - {{- with .Values.cleanupJobs.ephemeralReports.tolerations | default .Values.global.tolerations}} - tolerations: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if or .Values.cleanupJobs.ephemeralReports.podAntiAffinity .Values.cleanupJobs.ephemeralReports.podAffinity .Values.cleanupJobs.ephemeralReports.nodeAffinity }} - affinity: - {{- with .Values.cleanupJobs.ephemeralReports.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.ephemeralReports.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml b/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml deleted file mode 100644 index 9344354fae9b..000000000000 --- a/charts/kyverno/templates/cleanup/cleanup-update-requests.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -{{- if .Values.cleanupJobs.updateRequests.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ template "kyverno.name" . }}-cleanup-update-requests - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.cleanup.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.cleanupJobs.updateRequests.schedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: {{ .Values.cleanupJobs.updateRequests.history.success }} - failedJobsHistoryLimit: {{ .Values.cleanupJobs.updateRequests.history.failure }} - jobTemplate: - spec: - backoffLimit: {{ .Values.cleanupJobs.updateRequests.backoffLimit }} - {{- if .Values.cleanupJobs.updateRequests.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.cleanupJobs.updateRequests.ttlSecondsAfterFinished }} - {{- end }} - template: - metadata: - {{- with .Values.cleanupJobs.updateRequests.podAnnotations }} - annotations: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.podLabels }} - labels: - {{- toYaml . | nindent 12 }} - {{- end }} - spec: - serviceAccountName: {{ template "kyverno.name" . }}-cleanup-jobs - {{- with .Values.cleanupJobs.updateRequests.podSecurityContext }} - securityContext: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} - containers: - - name: cleanup - image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupJobs.updateRequests.image)) | quote }} - imagePullPolicy: {{ .Values.cleanupJobs.updateRequests.image.pullPolicy }} - command: - - /bin/bash - - -c - - | - set -euo pipefail - COUNT=$(kubectl get updaterequests.kyverno.io -A | wc -l) - if [ "$COUNT" -gt {{ .Values.cleanupJobs.updateRequests.threshold }} ]; then - echo "too many updaterequests found ($COUNT), cleaning up..." 
- kubectl delete updaterequests.kyverno.io --all -n kyverno - else - echo "($COUNT) reports found, no clean up needed" - fi - {{- with .Values.cleanupJobs.updateRequests.securityContext }} - securityContext: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.resources }} - resources: - {{- toYaml . | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.imagePullSecrets }} - imagePullSecrets: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - restartPolicy: OnFailure - {{- with .Values.cleanupJobs.updateRequests.tolerations | default .Values.global.tolerations}} - tolerations: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.nodeSelector | default .Values.global.nodeSelector }} - nodeSelector: - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if or .Values.cleanupJobs.updateRequests.podAntiAffinity .Values.cleanupJobs.updateRequests.podAffinity .Values.cleanupJobs.updateRequests.nodeAffinity }} - affinity: - {{- with .Values.cleanupJobs.updateRequests.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- with .Values.cleanupJobs.updateRequests.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 14 }} - {{- end }} - {{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/cleanup/clusterrole.yaml b/charts/kyverno/templates/cleanup/clusterrole.yaml deleted file mode 100644 index 094328dbc22b..000000000000 --- a/charts/kyverno/templates/cleanup/clusterrole.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.name" . }}:cleanup-jobs - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} -rules: - - apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - list - - deletecollection - - delete - - apiGroups: - - reports.kyverno.io - resources: - - ephemeralreports - - clusterephemeralreports - verbs: - - list - - deletecollection - - delete diff --git a/charts/kyverno/templates/cleanup/clusterrolebinding.yaml b/charts/kyverno/templates/cleanup/clusterrolebinding.yaml deleted file mode 100644 index a3cbb11e4a64..000000000000 --- a/charts/kyverno/templates/cleanup/clusterrolebinding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.name" . }}:cleanup-jobs - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.name" . }}:cleanup-jobs -subjects: - - kind: ServiceAccount - name: {{ template "kyverno.name" . }}-cleanup-jobs - namespace: {{ template "kyverno.namespace" . }} diff --git a/charts/kyverno/templates/cleanup/serviceaccount.yaml b/charts/kyverno/templates/cleanup/serviceaccount.yaml deleted file mode 100644 index f93bdc2e6ede..000000000000 --- a/charts/kyverno/templates/cleanup/serviceaccount.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "kyverno.name" . }}-cleanup-jobs - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.labels.merge" (list (include "kyverno.labels.common" .) (include "kyverno.matchLabels.common" .)) | nindent 4 }} 
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 02de664dfe7d..052b8c32d519 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
@@ -681,249 +681,6 @@ features: # -- (string) Tuf mirror mirror: ~ -# Cleanup cronjobs to prevent internal resources from stacking up in the cluster -cleanupJobs: - - updateRequests: - - # -- Enable cleanup cronjob - enabled: false - - # -- Maximum number of retries before considering a Job as failed. Defaults to 3. - backoffLimit: 3 - - # -- Time until the pod from the cronjob is deleted - ttlSecondsAfterFinished: "" - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.30.2' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Cronjob schedule - schedule: '*/10 * * * *' - - # -- Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them - threshold: 10000 - - # -- Cronjob history - history: - success: 1 - failure: 1 - - # -- Security context for the pod - podSecurityContext: {} - - # -- Security context for the containers - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Pod PriorityClassName - priorityClassName: "" - - # -- Job resources - resources: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- Pod Annotations - podAnnotations: {} - - # -- Pod labels - podLabels: {} - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Node affinity constraints. - nodeAffinity: {} - - ephemeralReports: - - # -- Enable cleanup cronjob - enabled: false - - # -- Maximum number of retries before considering a Job as failed. Defaults to 3. 
- backoffLimit: 3 - - # -- Time until the pod from the cronjob is deleted - ttlSecondsAfterFinished: "" - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.30.2' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Cronjob schedule - schedule: '*/10 * * * *' - - # -- Reports threshold, if number of updateRequests are above this value the cronjob will start deleting them - threshold: 10000 - - # -- Cronjob history - history: - success: 1 - failure: 1 - - # -- Security context for the pod - podSecurityContext: {} - - # -- Security context for the containers - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Pod PriorityClassName - priorityClassName: "" - - # -- Job resources - resources: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- Pod Annotations - podAnnotations: {} - - # -- Pod labels - podLabels: {} - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Node affinity constraints. - nodeAffinity: {} - - clusterEphemeralReports: - - # -- Enable cleanup cronjob - enabled: false - - # -- Maximum number of retries before considering a Job as failed. Defaults to 3. 
- backoffLimit: 3 - - # -- Time until the pod from the cronjob is deleted - ttlSecondsAfterFinished: "" - - image: - # -- (string) Image registry - registry: ~ - # -- Image repository - repository: bitnami/kubectl - # -- Image tag - # Defaults to `latest` if omitted - tag: '1.30.2' - # -- (string) Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: ~ - - # -- Image pull secrets - imagePullSecrets: [] - # - name: secretName - - # -- Cronjob schedule - schedule: '*/10 * * * *' - - # -- Reports threshold, if number of reports are above this value the cronjob will start deleting them - threshold: 10000 - - # -- Cronjob history - history: - success: 1 - failure: 1 - - # -- Security context for the pod - podSecurityContext: {} - - # -- Security context for the containers - securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - - # -- Pod PriorityClassName - priorityClassName: "" - - # -- Job resources - resources: {} - - # -- List of node taints to tolerate - tolerations: [] - - # -- Node labels for pod assignment - nodeSelector: {} - - # -- Pod Annotations - podAnnotations: {} - - # -- Pod Labels - podLabels: {} - - # -- Pod anti affinity constraints. - podAntiAffinity: {} - - # -- Pod affinity constraints. - podAffinity: {} - - # -- Node affinity constraints. - nodeAffinity: {} - # Admission controller configuration admissionController: diff --git a/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml b/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml index 3dc4968a6a20..8dc690aa2ffa 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml 
@@ -26,7 +26,6 @@ metadata: name: require-ns-purpose-label namespace: test spec: - validationFailureAction: Enforce rules: - name: require-ns-purpose-label match: @@ -35,6 +34,7 @@ spec: kinds: - Namespace validate: + validationFailureAction: Enforce message: "You must have label 'purpose' with value 'production' set on all new namespaces." pattern: metadata: diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml index b225d5c0ff2f..2b9137d16944 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml @@ -18,6 +18,7 @@ spec: - Pod name: pods-require-account validate: + validationFailureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -30,6 +31,7 @@ spec: - Pod name: pods-require-limits validate: + validationFailureAction: Audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: @@ -41,4 +43,3 @@ spec: requests: cpu: ?* memory: ?* - validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml index b225d5c0ff2f..2b9137d16944 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml @@ -18,6 +18,7 @@ spec: - Pod name: pods-require-account validate: + validationFailureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -30,6 +31,7 @@ spec: - Pod name: pods-require-limits validate: + validationFailureAction: Audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: 
@@ -41,4 +43,3 @@ spec: requests: cpu: ?* memory: ?* - validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml index 5c5179f97f24..34b5af5fd12f 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml @@ -32,4 +32,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml index c51244e97074..c6bc85b85fe7 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml @@ -56,4 +56,4 @@ spec: - CREATE message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml index b225d5c0ff2f..095c6af952da 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml @@ -18,6 +18,7 @@ spec: - Pod name: pods-require-account validate: + validationFailureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -41,4 +42,4 @@ spec: requests: cpu: ?* memory: ?* - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml index 8ce91ef6a2a8..2f0347e5c534 100644 
--- a/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml @@ -8,7 +8,6 @@ metadata: policies.kyverno.io/category: Pod Security Standards (Restricted) spec: background: false - validationFailureAction: audit rules: - name: pods-require-account match: @@ -19,6 +18,7 @@ spec: matchLabels: istio/rev: "default" validate: + validationFailureAction: audit message: User pods must include an account for charging pattern: metadata: @@ -30,6 +30,7 @@ spec: kinds: - Pod validate: + validationFailureAction: audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml index 6ebd08a81b94..03981491074d 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml @@ -19,6 +19,7 @@ spec: - Pod name: pods-require-account validate: + validationFailureAction: Audit message: User pods must include an account for charging pattern: metadata: @@ -31,6 +32,7 @@ spec: - Pod name: pods-require-limits validate: + validationFailureAction: Audit message: CPU and memory resource requests and limits are required for user pods pattern: spec: @@ -42,4 +44,3 @@ spec: requests: cpu: ?* memory: ?* - validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml index 7cf97bb114c6..6007ec75a432 100644 --- a/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml @@ -20,4 +20,4 @@ spec: podSecurity: level: restricted version: latest - validationFailureAction: Audit + validationFailureAction: Audit 
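Review bot: invalid-schema.yaml keeps the lowercase spelling on the two relocated `validationFailureAction: audit` lines, yet the CRDs in this same change drop `audit`/`enforce` from the enum, so the fixture now fails schema validation for a second reason on top of whatever made it invalid before. If the test that loads it asserts a specific error, that assertion may now trip on the enum rather than on the defect the fixture was written for; spelling the value `Audit` would keep the fixture exercising its original failure. If the lowercase value is instead meant to become the invalid part, say so above it, `# lowercase value is intentionally invalid: enum is Audit|Enforce`, so the next person does not "fix" it.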
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 34900db2737e..f47d88288348 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -25,9 +25,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3430,12 +3427,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -4271,6 +4266,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -7798,12 +7799,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string 
@@ -8652,6 +8651,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8792,9 +8797,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11969,12 +11971,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -12779,6 +12779,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -16306,12 +16312,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string 
@@ -17160,6 +17164,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 7b3de058c523..1e7589b40732 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -25,9 +25,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3431,12 +3428,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -4272,6 +4267,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -7800,12 +7801,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -8654,6 +8653,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8794,9 +8799,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11972,12 +11974,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -12782,6 +12782,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -16309,12 +16315,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17163,6 +17167,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/cmd/cli/kubectl-kyverno/fix/policy.go b/cmd/cli/kubectl-kyverno/fix/policy.go index 55c7f44baaf4..ed7221a6713f 100644 --- a/cmd/cli/kubectl-kyverno/fix/policy.go +++ b/cmd/cli/kubectl-kyverno/fix/policy.go @@ -5,7 +5,6 @@ import ( "reflect" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - apiutils "github.com/kyverno/kyverno/pkg/utils/api" ) func FixPolicy(policy kyvernov1.PolicyInterface) ([]string, error) { @@ -38,10 +37,7 @@ func FixPolicy(policy kyvernov1.PolicyInterface) ([]string, error) { } preconditions := rule.GetAnyAllConditions() if preconditions != nil { - cond, err := apiutils.ApiextensionsJsonToKyvernoConditions(preconditions) - if err != nil { - return messages, err - } + cond := preconditions var newCond *kyvernov1.AnyAllConditions switch typedValue := cond.(type) { case kyvernov1.AnyAllConditions: diff --git a/cmd/cli/kubectl-kyverno/policy/load_test.go b/cmd/cli/kubectl-kyverno/policy/load_test.go index 1136980e216c..87d36183e3ac 100644 --- a/cmd/cli/kubectl-kyverno/policy/load_test.go +++ b/cmd/cli/kubectl-kyverno/policy/load_test.go 
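Review bot: `cond := preconditions` in FixPolicy is a leftover alias of the removed ApiextensionsJsonToKyvernoConditions call and adds nothing; switch on the value directly, `switch typedValue := preconditions.(type) {`, and drop the `cond` line. With that conversion gone this stretch no longer yields an error, so check whether `err` is still assigned anywhere else in FixPolicy or the `([]string, error)` return now always carries nil. FixPolicy's body continues outside the hunk, and whether GetAnyAllConditions now returns an interface the type switch can dispatch on is not visible here.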
@@ -110,7 +110,7 @@ func TestLoadWithKubectlValidate(t *testing.T) { assert.NotNil(t, policy) spec := policy.GetSpec() assert.NotNil(t, spec) - assert.True(t, spec.GetValidationFailureAction().Audit()) + assert.True(t, spec.ValidationFailureAction.Audit()) assert.NotNil(t, spec.Background) assert.True(t, *spec.Background) assert.NotNil(t, spec.Admission) diff --git a/cmd/cli/kubectl-kyverno/processor/policy_processor.go b/cmd/cli/kubectl-kyverno/processor/policy_processor.go index 04aba7915c89..081c95ec858b 100644 --- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go +++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go @@ -205,7 +205,7 @@ func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse, } responses = append(responses, generateResponse) } - p.Rc.addGenerateResponse(p.AuditWarn, generateResponse) + p.Rc.addGenerateResponse(generateResponse) } } p.Rc.addEngineResponses(p.AuditWarn, responses...) diff --git a/cmd/cli/kubectl-kyverno/processor/result.go b/cmd/cli/kubectl-kyverno/processor/result.go index 63122883bf1e..32d2561bca0e 100644 --- a/cmd/cli/kubectl-kyverno/processor/result.go +++ b/cmd/cli/kubectl-kyverno/processor/result.go @@ -63,7 +63,7 @@ func (rc *ResultCounts) addEngineResponse(auditWarn bool, response engineapi.Eng } } -func (rc *ResultCounts) addGenerateResponse(auditWarn bool, response engineapi.EngineResponse) { +func (rc *ResultCounts) addGenerateResponse(response engineapi.EngineResponse) { genericPolicy := response.Policy() if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType { return @@ -75,11 +75,7 @@ func (rc *ResultCounts) addGenerateResponse(auditWarn bool, response engineapi.E if ruleResponse.Status() == engineapi.RuleStatusPass { rc.Pass++ } else { - if auditWarn && response.GetValidationFailureAction().Audit() { - rc.Warn++ - } else { - rc.Fail++ - } + rc.Fail++ } continue } 
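Review bot: The now-unconditional `rc.Fail++` in addGenerateResponse means a failed generate rule is never downgraded to Warn, while addEngineResponse (visible in the preceding hunk header) still takes auditWarn, and nothing documents that asymmetry. Add a doc comment on the function, e.g. `// addGenerateResponse tallies one generate-rule response; it takes no auditWarn flag because generate rules carry no validationFailureAction, so a failed rule always counts as Fail, never Warn.` That is presumably the intent, since this change adds validationFailureAction only to validate and verifyImages rules, but confirm before committing the wording. The function's signature is in the earlier `@@ -63` hunk and its body ends outside this one.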
diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index 34900db2737e..f47d88288348 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml @@ -25,9 +25,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3430,12 +3427,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -4271,6 +4266,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -7798,12 +7799,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string 
@@ -8652,6 +8651,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8792,9 +8797,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11969,12 +11971,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -12779,6 +12779,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -16306,12 +16312,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string 
@@ -17160,6 +17164,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 7b3de058c523..1e7589b40732 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml @@ -25,9 +25,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -3431,12 +3428,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -4272,6 +4267,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -7800,12 +7801,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -8654,6 +8653,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -8794,9 +8799,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string @@ -11972,12 +11974,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -12782,6 +12782,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a 
@@ -16309,12 +16315,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17163,6 +17167,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 8661a019c1c0..2825cb4fc655 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -43,16 +43,6 @@ metadata: --- apiVersion: v1 kind: ServiceAccount -metadata: - name: kyverno-cleanup-jobs - namespace: kyverno - labels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest ---- -apiVersion: v1 -kind: ServiceAccount metadata: name: kyverno-reports-controller namespace: kyverno @@ -5232,9 +5222,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string 
@@ -8637,12 +8624,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -9478,6 +9463,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -13005,12 +12996,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -13859,6 +13848,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -13999,9 +13994,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string 
@@ -17176,12 +17168,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -17986,6 +17976,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -21513,12 +21509,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -22367,6 +22361,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -22788,9 +22788,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string 
@@ -26194,12 +26191,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -27035,6 +27030,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -30563,12 +30564,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -31417,6 +31416,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -31557,9 +31562,6 @@ spec: - jsonPath: .spec.background name: BACKGROUND type: boolean - - jsonPath: .spec.validationFailureAction - name: VALIDATE ACTION - type: string - jsonPath: .status.conditions[?(@.type == "Ready")].status name: READY type: string 
@@ -34735,12 +34737,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -35545,6 +35545,12 @@ spec: description: UseCache enables caching of image verify responses for this rule type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -39072,12 +39078,10 @@ spec: validationFailureAction: description: |- ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request + the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. - Allowed values are audit or enforce. + Allowed values are Audit or Enforce. enum: - - audit - - enforce - Audit - Enforce type: string @@ -39926,6 +39930,12 @@ spec: description: UseCache enables caching of image verify responses for this rule. type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string verifyDigest: default: true description: VerifyDigest validates that images have 
@@ -43996,33 +44006,6 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - name: kyverno:cleanup-jobs - labels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest -rules: - - apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - list - - deletecollection - - delete - - apiGroups: - - reports.kyverno.io - resources: - - ephemeralreports - - clusterephemeralreports - verbs: - - list - - deletecollection - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: name: kyverno:rbac:admin:policies labels: @@ -44369,23 +44352,6 @@ subjects: --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:cleanup-jobs - labels: - app.kubernetes.io/instance: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: latest -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:cleanup-jobs -subjects: - - kind: ServiceAccount - name: kyverno-cleanup-jobs - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: kyverno:reports-controller labels: diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index e557251adde4..98908837edaf 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -1324,6 +1324,40 @@

ConditionOperator

ConditionOperator is the operation performed on condition key and value.

+

ConditionsWrapper +

+

+(Appears on: +Deny, +Rule, +TargetResourceSpec) +

+

+

ConditionsWrapper contains either the deprecated list of Conditions or the new AnyAll Conditions.

+

+ + + + + + + + + + + + + +
FieldDescription
+-
+ +any + +
+(Optional) +

Conditions is a list of conditions that must be satisfied for the rule to be applied.

+
+

ConfigMapReference

@@ -1542,8 +1576,8 @@

Deny conditions
- -Kubernetes apiextensions/v1.JSON + +ConditionsWrapper @@ -1690,9 +1724,7 @@

ForEachMutation patchStrategicMerge
- -Kubernetes apiextensions/v1.JSON - +github.com/kyverno/kyverno/api/kyverno.Any @@ -2355,6 +2387,20 @@

ImageVerification +validationFailureAction
+ + +ValidationFailureAction + + + + +(Optional) +

Allowed values are Audit or Enforce.

+ + + + type
@@ -3686,8 +3732,8 @@

Rule preconditions
-
-Kubernetes apiextensions/v1.JSON + +ConditionsWrapper @@ -4289,8 +4335,8 @@

TargetResourceSpec preconditions
- -Kubernetes apiextensions/v1.JSON + +ConditionsWrapper @@ -4438,9 +4484,9 @@

Validation (Optional)

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request +the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce.

+Allowed values are Audit or Enforce.

@@ -4589,9 +4635,11 @@

ValidationFailureAction (string alias)

(Appears on: +ImageVerification, Spec, Validation, ValidationFailureActionOverride, +ImageVerification, Spec, Validation)

@@ -8335,6 +8383,20 @@

ImageVerification +validationFailureAction
+ + +ValidationFailureAction + + + + +(Optional) +

Allowed values are Audit or Enforce.

+ + + + type
@@ -9214,9 +9276,9 @@

Validation (Optional)

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request +the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce.

+Allowed values are Audit or Enforce.

diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html index 6de488a26f61..433baef7a551 100644 --- a/docs/user/crd/kyverno.v1.html +++ b/docs/user/crd/kyverno.v1.html @@ -2712,6 +2712,71 @@

ConditionOperator +

ConditionsWrapper +

+ + +

+ (Appears in: + Deny, + Rule, + TargetResourceSpec) +

+ + +

ConditionsWrapper contains either the deprecated list of Conditions or the new AnyAll Conditions.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
- + +
+ + + + + any + + +
+ + +

Conditions is a list of conditions that must be satisfied for the rule to be applied.

+ + + + + +
+ +

ConfigMapReference

@@ -3175,7 +3240,9 @@

Deny - k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + ConditionsWrapper + @@ -3473,7 +3540,7 @@

ForEachMutation - k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + github.com/kyverno/kyverno/api/kyverno.Any @@ -4627,6 +4694,35 @@

ImageVerification + + validationFailureAction + +
+ + + + + + ValidationFailureAction + + + + + + + +

Allowed values are Audit or Enforce.

+ + + + + + + + + + + type @@ -7289,7 +7385,9 @@

Rule - k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + ConditionsWrapper + @@ -8605,7 +8703,9 @@

TargetResourceSpec - k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON + + ConditionsWrapper + @@ -8894,9 +8994,9 @@

Validation

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request +the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce.

+Allowed values are Audit or Enforce.

@@ -9203,6 +9303,7 @@

ValidationFailureAction

(Appears in: + ImageVerification, Spec, Validation, ValidationFailureActionOverride) diff --git a/docs/user/crd/kyverno.v2beta1.html b/docs/user/crd/kyverno.v2beta1.html index 2d8036b79601..5ac8ef3c3509 100644 --- a/docs/user/crd/kyverno.v2beta1.html +++ b/docs/user/crd/kyverno.v2beta1.html @@ -2773,6 +2773,35 @@

ImageVerification + + validationFailureAction + +
+ + + + + + ValidationFailureAction + + + + + + + +

Allowed values are Audit or Enforce.

+ + + + + + + + + + + type @@ -4536,9 +4565,9 @@

Validation

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request +the admission review request (Enforce), or allow (Audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce.

+Allowed values are Audit or Enforce.

diff --git a/go.mod b/go.mod index 49cfd65d1c59..a3e98a9c8e7b 100644 --- a/go.mod +++ b/go.mod @@ -25,7 +25,7 @@ require ( github.com/go-logr/logr v1.4.2 github.com/go-logr/zapr v1.3.0 github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 - github.com/google/go-containerregistry v0.20.1 + github.com/google/go-containerregistry v0.20.2 github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e github.com/in-toto/in-toto-golang v0.9.0 github.com/jmoiron/jsonq v0.0.0-20150511023944-e874b168d07e @@ -67,8 +67,8 @@ require ( go.uber.org/automaxprocs v1.5.3 go.uber.org/multierr v1.11.0 go.uber.org/zap v1.27.0 - golang.org/x/crypto v0.25.0 - golang.org/x/text v0.16.0 + golang.org/x/crypto v0.26.0 + golang.org/x/text v0.17.0 gomodules.xyz/jsonpatch/v2 v2.4.0 google.golang.org/grpc v1.65.0 gopkg.in/inf.v0 v0.9.1 @@ -185,9 +185,8 @@ require ( github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect github.com/djherbis/times v1.6.0 // indirect - github.com/docker/cli v26.1.3+incompatible // indirect + github.com/docker/cli v27.1.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect - github.com/docker/docker v26.1.4+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/emicklei/go-restful/v3 v3.12.1 // indirect @@ -259,7 +258,7 @@ require ( github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect github.com/jellydator/ttlcache/v3 v3.2.0 // indirect github.com/jinzhu/copier v0.4.0 - github.com/jmespath-community/go-jmespath v1.1.2-0.20240117150817-e430401a2172 // indirect + github.com/jmespath-community/go-jmespath v1.1.2-0.20240117150817-e430401a2172 github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 
@@ -332,6 +331,7 @@ require ( github.com/spf13/viper v1.19.0 // indirect github.com/spiffe/go-spiffe/v2 v2.2.0 // indirect github.com/stoewer/go-strcase v1.3.0 // indirect + github.com/stretchr/objx v0.5.2 // indirect github.com/subosito/gotenv v1.6.0 // indirect github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect @@ -364,9 +364,9 @@ require ( golang.org/x/mod v0.19.0 // indirect golang.org/x/net v0.27.0 // indirect golang.org/x/oauth2 v0.21.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.22.0 // indirect - golang.org/x/term v0.22.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.23.0 // indirect + golang.org/x/term v0.23.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.23.0 // indirect google.golang.org/api v0.183.0 // indirect diff --git a/go.sum b/go.sum index 299c2b097c1f..79878f261327 100644 --- a/go.sum +++ b/go.sum 
@@ -279,12 +279,10 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c= github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0= -github.com/docker/cli v26.1.3+incompatible h1:bUpXT/N0kDE3VUHI2r5VMsYQgi38kYuoC0oL9yt3lqc= -github.com/docker/cli v26.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU= -github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= 
@@ -453,8 +451,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0= -github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= +github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo= +github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8= github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e h1:4HrYlQDhLjT1ys3ts5xGT2XKhK3qh0kbpxE8sw6Au7I= github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20240530172801-3764db238e3e/go.mod h1:8oYKXummIO/NNasXRCKr4DBziuA1MZ+VEhSQMYI8aJ0= github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg= 
@@ -987,8 +985,8 @@ golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= -golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= +golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= +golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= 
@@ -1044,8 +1042,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -1083,8 +1081,8 @@ golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM= +golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= 
@@ -1095,8 +1093,8 @@ golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= -golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= +golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= +golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= @@ -1107,8 +1105,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= +golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go index 1e5c3bda1399..0c0b0549a283 100644 --- a/pkg/auth/auth.go +++ b/pkg/auth/auth.go 
@@ -32,13 +32,15 @@ type canIOptions struct {
 gvk string
 subresource string
 user string
+ name string
 discovery Discovery
 checker checker.AuthChecker
 }
 
 // NewCanI returns a new instance of operation access controller evaluator
-func NewCanI(discovery Discovery, sarClient authorizationv1client.SubjectAccessReviewInterface, gvk, namespace, verb, subresource string, user string) CanIOptions {
+func NewCanI(discovery Discovery, sarClient authorizationv1client.SubjectAccessReviewInterface, gvk, namespace, name, verb, subresource string, user string) CanIOptions {
 return &canIOptions{
+ name: name,
 namespace: namespace,
 verb: verb,
 gvk: gvk,
@@ -72,7 +74,7 @@ func (o *canIOptions) RunAccessCheck(ctx context.Context) (bool, string, error)
 return false, "", fmt.Errorf("failed to get the Group Version Resource for kind %s", o.gvk)
 }
 logger := logger.WithValues("kind", kind, "namespace", o.namespace, "gvr", gvr.String(), "verb", o.verb)
- result, err := o.checker.Check(ctx, gvr.Group, gvr.Version, gvr.Resource, o.subresource, o.namespace, o.verb)
+ result, err := o.checker.Check(ctx, gvr.Group, gvr.Version, gvr.Resource, o.subresource, o.namespace, o.name, o.verb)
 if err != nil {
 logger.Error(err, "failed to check permissions")
 return false, "", err
diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go
index ceabe8ba2ac7..eb6be4d77457 100644
--- a/pkg/auth/auth_test.go
+++ b/pkg/auth/auth_test.go
@@ -17,6 +17,7 @@ func TestNewCanI(t *testing.T) {
 type args struct {
 client dclient.Interface
 kind string
+ name string
 namespace string
 verb string
 }
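Review bot: The new `name` field is sent in the access review but is missing from the diagnostic logger built one line earlier in RunAccessCheck, so a denied or failed check on a single named resource is logged as if it were a kind-wide check. Suggest `logger := logger.WithValues("kind", kind, "namespace", o.namespace, "name", o.name, "gvr", gvr.String(), "verb", o.verb)`. The field is also undocumented; a struct comment such as `// name narrows the review to one resource; empty means any resource of the kind` records the semantics callers rely on, and the NewCanI comment should say the new positional string sits between namespace and verb, since all neighbouring parameters are strings and a caller mix-up compiles silently. RunAccessCheck's body continues outside the hunk.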
@@ -27,14 +28,24 @@ func TestNewCanI(t *testing.T) { name: "deployments", args: args{ client: dclient.NewEmptyFakeClient(), + name: "", kind: "Deployment", namespace: "default", verb: "test", }, + }, { + name: "secrets", + args: args{ + client: dclient.NewEmptyFakeClient(), + name: "test-secret", + kind: "Secret", + namespace: "default", + verb: "test", + }, }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got := NewCanI(tt.args.client.Discovery(), tt.args.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), tt.args.kind, tt.args.namespace, tt.args.verb, "", "admin") + got := NewCanI(tt.args.client.Discovery(), tt.args.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), tt.args.kind, tt.args.namespace, tt.args.verb, tt.args.name, "", "admin") assert.NotNil(t, got) }) } @@ -48,6 +59,7 @@ func (d *discovery) GetGVRFromGVK(schema.GroupVersionKind) (schema.GroupVersionR func TestCanIOptions_DiscoveryError(t *testing.T) { type fields struct { + name string namespace string verb string kind string @@ -62,16 +74,28 @@ func TestCanIOptions_DiscoveryError(t *testing.T) { name: "deployments", fields: fields{ discovery: &discovery{}, + name: "", kind: "Deployment", namespace: "default", verb: "test", }, want: false, wantErr: true, + }, { + name: "secrets", + fields: fields{ + discovery: &discovery{}, + name: "test-secret", + kind: "Secret", + namespace: "default", + verb: "test", + }, + want: false, + wantErr: true, }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - o := NewCanI(tt.fields.discovery, nil, tt.fields.kind, tt.fields.namespace, tt.fields.verb, "", "admin") + o := NewCanI(tt.fields.discovery, nil, tt.fields.kind, tt.fields.namespace, tt.fields.name, tt.fields.verb, "", "admin") got, _, err := o.RunAccessCheck(context.TODO()) if tt.wantErr { assert.Error(t, err) 
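Review bot: The updated NewCanI call in TestNewCanI passes `tt.args.verb, tt.args.name`, but the new signature in pkg/auth/auth.go takes `namespace, name, verb`, so the two strings are swapped; the test still compiles and passes because it only asserts non-nil. Change the call to `tt.args.kind, tt.args.namespace, tt.args.name, tt.args.verb, "", "admin"`, which is the order the other tests in this commit already use. Asserting on the built options would catch the mix-up, e.g. `opts := got.(*canIOptions); assert.Equal(t, tt.args.name, opts.name); assert.Equal(t, tt.args.verb, opts.verb)`.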
@@ -91,6 +115,7 @@ func (d *sar) Create(_ context.Context, _ *v1.SubjectAccessReview, _ metav1.Crea func TestCanIOptions_SsarError(t *testing.T) { type fields struct { + name string namespace string verb string kind string @@ -107,16 +132,29 @@ func TestCanIOptions_SsarError(t *testing.T) { fields: fields{ discovery: dclient.NewEmptyFakeClient().Discovery(), sarClient: &sar{}, + name: "", kind: "Deployment", namespace: "default", verb: "test", }, want: false, wantErr: true, + }, { + name: "secrets", + fields: fields{ + discovery: dclient.NewEmptyFakeClient().Discovery(), + sarClient: &sar{}, + name: "test-secret", + kind: "Secret", + namespace: "default", + verb: "test", + }, + want: false, + wantErr: true, }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - o := NewCanI(tt.fields.discovery, tt.fields.sarClient, tt.fields.kind, tt.fields.namespace, tt.fields.verb, "", "admin") + o := NewCanI(tt.fields.discovery, tt.fields.sarClient, tt.fields.kind, tt.fields.namespace, tt.fields.name, tt.fields.verb, "", "admin") got, _, err := o.RunAccessCheck(context.TODO()) if tt.wantErr { assert.Error(t, err) @@ -130,6 +168,7 @@ func TestCanIOptions_SsarError(t *testing.T) { func TestCanIOptions_RunAccessCheck(t *testing.T) { type fields struct { + name string namespace string verb string kind string @@ -144,6 +183,7 @@ func TestCanIOptions_RunAccessCheck(t *testing.T) { name: "deployments", fields: fields{ client: dclient.NewEmptyFakeClient(), + name: "", kind: "Deployment", namespace: "default", verb: "test", @@ -154,6 +194,7 @@ func TestCanIOptions_RunAccessCheck(t *testing.T) { name: "unknown", fields: fields{ client: dclient.NewEmptyFakeClient(), + name: "", kind: "Unknown", namespace: "default", verb: "test", 
@@ -164,16 +205,28 @@ func TestCanIOptions_RunAccessCheck(t *testing.T) { name: "v2 pods", fields: fields{ client: dclient.NewEmptyFakeClient(), + name: "", kind: "v2/Pod", namespace: "default", verb: "test", }, want: false, wantErr: true, + }, { + name: "secrets", + fields: fields{ + client: dclient.NewEmptyFakeClient(), + name: "test-secret", + kind: "Secret", + namespace: "default", + verb: "test", + }, + want: false, + wantErr: false, }} for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - o := NewCanI(tt.fields.client.Discovery(), tt.fields.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), tt.fields.kind, tt.fields.namespace, tt.fields.verb, "", "admin") + o := NewCanI(tt.fields.client.Discovery(), tt.fields.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), tt.fields.kind, tt.fields.namespace, tt.fields.name, tt.fields.verb, "", "admin") got, _, err := o.RunAccessCheck(context.TODO()) if tt.wantErr { assert.Error(t, err) diff --git a/pkg/auth/checker/auth.go b/pkg/auth/checker/auth.go index cc7e5dfed0ea..e978ec828b37 100644 --- a/pkg/auth/checker/auth.go +++ b/pkg/auth/checker/auth.go @@ -16,7 +16,7 @@ type AuthResult struct { // AuthChecker provides utility to check authorization type AuthChecker interface { // Check checks if the caller can perform an operation - Check(ctx context.Context, group, version, resource, subresource, namespace, verb string) (*AuthResult, error) + Check(ctx context.Context, group, version, resource, subresource, namespace, name, verb string) (*AuthResult, error) } func NewSelfChecker(client authorizationv1client.SelfSubjectAccessReviewInterface) AuthChecker { diff --git a/pkg/auth/checker/helpers.go b/pkg/auth/checker/helpers.go index cbc0150c010c..0d698d57cf33 100644 --- a/pkg/auth/checker/helpers.go +++ b/pkg/auth/checker/helpers.go 
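Review bot: The AuthChecker.Check doc comment `// Check checks if the caller can perform an operation` does not describe the new `name` parameter, which changes what the review answers: a check scoped to one object can be allowed under a resourceNames-restricted Role where the kind-wide check would be denied, and pkg/auth/checker/helpers.go deliberately keeps the kind-wide form by passing `""`. Suggest `// Check reports whether the caller can perform verb on the resource; name limits the review to a single object, an empty name asks about all objects of the kind`. The parameter list is now eight positional strings, so documenting the order also protects callers from the silent argument swaps such signatures invite.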
@@ -6,7 +6,7 @@ import ( func Check(ctx context.Context, checker AuthChecker, group, version, resource, subresource, namespace string, verbs ...string) (bool, error) { for _, verb := range verbs { - result, err := checker.Check(ctx, group, version, resource, subresource, namespace, verb) + result, err := checker.Check(ctx, group, version, resource, subresource, namespace, "", verb) if err != nil { return false, err } diff --git a/pkg/auth/checker/self.go b/pkg/auth/checker/self.go index 98d541b666b4..18ac7ffb5ef5 100644 --- a/pkg/auth/checker/self.go +++ b/pkg/auth/checker/self.go @@ -12,7 +12,7 @@ type self struct { client authorizationv1client.SelfSubjectAccessReviewInterface } -func (c self) Check(ctx context.Context, group, version, resource, subresource, namespace, verb string) (*AuthResult, error) { +func (c self) Check(ctx context.Context, group, version, resource, subresource, namespace, name, verb string) (*AuthResult, error) { review := &authorizationv1.SelfSubjectAccessReview{ Spec: authorizationv1.SelfSubjectAccessReviewSpec{ ResourceAttributes: &authorizationv1.ResourceAttributes{ @@ -22,6 +22,7 @@ func (c self) Check(ctx context.Context, group, version, resource, subresource, Subresource: subresource, Namespace: namespace, Verb: verb, + Name: name, }, }, } diff --git a/pkg/auth/checker/subject.go b/pkg/auth/checker/subject.go index 6ee15bf66319..c5d4a40400ac 100644 --- a/pkg/auth/checker/subject.go +++ b/pkg/auth/checker/subject.go @@ -14,7 +14,7 @@ type subject struct { groups []string } -func (c subject) Check(ctx context.Context, group, version, resource, subresource, namespace, verb string) (*AuthResult, error) { +func (c subject) Check(ctx context.Context, group, version, resource, subresource, namespace, name, verb string) (*AuthResult, error) { review := &authorizationv1.SubjectAccessReview{ Spec: authorizationv1.SubjectAccessReviewSpec{ ResourceAttributes: &authorizationv1.ResourceAttributes{ 
@@ -24,6 +24,7 @@ func (c subject) Check(ctx context.Context, group, version, resource, subresourc Subresource: subresource, Namespace: namespace, Verb: verb, + Name: name, }, User: c.user, Groups: c.groups, diff --git a/pkg/autogen/autogen.go b/pkg/autogen/autogen.go index ebeced6693e1..837c654cd874 100644 --- a/pkg/autogen/autogen.go +++ b/pkg/autogen/autogen.go @@ -19,6 +19,7 @@ const ( var ( PodControllers = sets.New("DaemonSet", "Deployment", "Job", "StatefulSet", "ReplicaSet", "ReplicationController", "CronJob") podControllersKindsSet = PodControllers.Union(sets.New("Pod")) + assertAutogenNodes = []string{"object", "oldObject"} ) func isKindOtherthanPod(kinds []string) bool { @@ -215,7 +216,7 @@ func convertRule(rule kyvernoRule, kind string) (*kyvernov1.Rule, error) { out.Context = *rule.Context } if rule.AnyAllConditions != nil { - out.SetAnyAllConditions(*rule.AnyAllConditions) + out.SetAnyAllConditions(rule.AnyAllConditions.Conditions) } if rule.Mutation != nil { out.Mutation = *rule.Mutation @@ -275,3 +276,38 @@ func computeRules(p kyvernov1.PolicyInterface, kind string) []kyvernov1.Rule { out = append(out, genRules...) return out } + +func copyMap(m map[string]any) map[string]any { + newMap := make(map[string]any, len(m)) + for k, v := range m { + newMap[k] = v + } + + return newMap +} + +func createAutogenAssertion(tree kyvernov1.AssertionTree, tplKey string) kyvernov1.AssertionTree { + v, ok := tree.Value.(map[string]any) + if !ok { + return tree + } + + value := copyMap(v) + + for _, n := range assertAutogenNodes { + object, ok := v[n].(map[string]any) + if !ok { + continue + } + + value[n] = map[string]any{ + "spec": map[string]any{ + tplKey: copyMap(object), + }, + } + } + + return kyvernov1.AssertionTree{ + Value: value, + } +} diff --git a/pkg/autogen/autogen_test.go b/pkg/autogen/autogen_test.go index b7c70283bbae..1ce2b90f9f0e 100644 --- a/pkg/autogen/autogen_test.go +++ b/pkg/autogen/autogen_test.go 
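Review bot: `copyMap` is a shallow copy and `createAutogenAssertion` relies on it twice, so the nested maps under `object`/`oldObject` in the returned tree still alias values of the input tree; that is only safe because the caller in rule.go passes `*rule.Validation.Assert.DeepCopy()`, and nothing here says so. Both new functions are undocumented — I would put `// copyMap returns a shallow copy of m; nested values are shared with the input.` on copyMap and, on createAutogenAssertion, a comment stating that it rewrites the `object` and `oldObject` nodes of an assertion tree so their content is looked up under `spec.<tplKey>` of the controller, and returns the tree unchanged when its value is not a map. If the module's Go version provides `maps.Clone`, it does exactly what copyMap does and could replace it.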
@@ -242,7 +242,7 @@ func Test_GetSupportedControllers(t *testing.T) { }, { name: "rule-with-validate-podsecurity", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`), + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`), expectedControllers: PodControllers, }, } @@ -406,7 +406,6 @@ kind: ClusterPolicy metadata: name: check-image spec: - validationFailureAction: enforce background: false webhookTimeoutSeconds: 30 failurePolicy: Fail @@ -540,7 +539,7 @@ kA== } func Test_PodSecurityWithNoExceptions(t *testing.T) { - policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`) + policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`) policies, _, _, err := yamlutils.GetPolicy([]byte(policy)) assert.NilError(t, err) assert.Equal(t, 1, len(policies)) @@ -558,7 +557,6 @@ func Test_ValidateWithCELExpressions(t *testing.T) { "name": "disallow-host-path" }, "spec": { - "validationFailureAction": "Enforce", "background": false, "rules": [ { 
@@ -575,6 +573,7 @@ func Test_ValidateWithCELExpressions(t *testing.T) { ] }, "validate": { + "validationFailureAction": "Enforce", "cel": { "expressions": [ { @@ -596,3 +595,50 @@ func Test_ValidateWithCELExpressions(t *testing.T) { rules := computeRules(policies[0], "DaemonSet") assert.Equal(t, 2, len(rules)) } + +func Test_ValidateWithAssertion(t *testing.T) { + policy := []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "disallow-default-sa" + }, + "spec": { + "validationFailureAction": "Enforce", + "background": false, + "rules": [ + { + "name": "default-sa", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Pod" + ] + } + } + ] + }, + "validate": { + "assert": { + "object": { + "spec": { + "(serviceAccountName == 'default')": false + } + } + } + } + } + ] + } + } +`) + policies, _, _, err := yamlutils.GetPolicy([]byte(policy)) + assert.NilError(t, err) + assert.Equal(t, 1, len(policies)) + + rules := computeRules(policies[0], "") + assert.Equal(t, 3, len(rules)) +} diff --git a/pkg/autogen/rule.go b/pkg/autogen/rule.go index 698bfe2010b1..9cb03dfbbab6 100644 --- a/pkg/autogen/rule.go +++ b/pkg/autogen/rule.go @@ -7,10 +7,8 @@ import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/engine/variables" - apiutils "github.com/kyverno/kyverno/pkg/utils/api" datautils "github.com/kyverno/kyverno/pkg/utils/data" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" - apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" ) // the kyvernoRule holds the temporary kyverno rule struct 
@@ -27,7 +25,7 @@ type kyvernoRule struct { MatchResources *kyvernov1.MatchResources `json:"match"` ExcludeResources *kyvernov1.MatchResources `json:"exclude,omitempty"` Context *[]kyvernov1.ContextEntry `json:"context,omitempty"` - AnyAllConditions *apiextensions.JSON `json:"preconditions,omitempty"` + AnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"` Mutation *kyvernov1.Mutation `json:"mutate,omitempty"` Validation *kyvernov1.Validation `json:"validate,omitempty"` VerifyImages []kyvernov1.ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"` @@ -53,7 +51,7 @@ func createRule(rule *kyvernov1.Rule) *kyvernoRule { if !datautils.DeepEqual(rule.Validation, kyvernov1.Validation{}) { jsonFriendlyStruct.Validation = rule.Validation.DeepCopy() } - kyvernoAnyAllConditions, _ := apiutils.ApiextensionsJsonToKyvernoConditions(rule.GetAnyAllConditions()) + kyvernoAnyAllConditions := rule.GetAnyAllConditions() switch typedAnyAllConditions := kyvernoAnyAllConditions.(type) { case kyvernov1.AnyAllConditions: if !datautils.DeepEqual(typedAnyAllConditions, kyvernov1.AnyAllConditions{}) { @@ -131,7 +129,9 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds } if target := rule.Validation.GetPattern(); target != nil { newValidate := kyvernov1.Validation{ - Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"), + Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"), + ValidationFailureAction: rule.Validation.ValidationFailureAction, + ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides, } newValidate.SetPattern( map[string]interface{}{ 
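Review bot: The rule-level `ValidationFailureAction` and `ValidationFailureActionOverrides` are now copied by hand into each rebuilt `Validation` in generateRule — the pattern branch here and the deny, podSecurity, anyPattern and foreach branches in the next two hunks — while the assert branch keeps the original `Validation` and the cel branch is outside the hunks, so I cannot see whether it carries them. Per the engineresponse.go hunk later on this page, a rule without its own action falls back to the policy-level action, so a branch that forgets the copy quietly changes the effective action of the generated controller rules, and nothing enforces the copy. I would factor it into one helper, `func withFailureAction(v, src kyvernov1.Validation) kyvernov1.Validation { v.ValidationFailureAction = src.ValidationFailureAction; v.ValidationFailureActionOverrides = src.ValidationFailureActionOverrides; return v }`, and apply it once to each branch's result. generateRule starts before this hunk.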
@@ -145,8 +145,10 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds } if rule.Validation.Deny != nil { deny := kyvernov1.Validation{ - Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"), - Deny: rule.Validation.Deny, + Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"), + Deny: rule.Validation.Deny, + ValidationFailureAction: rule.Validation.ValidationFailureAction, + ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides, } rule.Validation = deny return rule @@ -161,6 +163,8 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds Version: rule.Validation.PodSecurity.Version, Exclude: newExclude, }, + ValidationFailureAction: rule.Validation.ValidationFailureAction, + ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides, } rule.Validation = podSecurity return rule @@ -179,8 +183,12 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds } patterns = append(patterns, newPattern) } + validationFailureAction := rule.Validation.ValidationFailureAction + validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides rule.Validation = kyvernov1.Validation{ - Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"), + Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"), + ValidationFailureAction: validationFailureAction, + ValidationFailureActionOverrides: validationFailureActionOverrides, } rule.Validation.SetAnyPattern(patterns) return rule 
@@ -188,9 +196,13 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds if len(rule.Validation.ForEachValidation) > 0 && rule.Validation.ForEachValidation != nil { newForeachValidate := make([]kyvernov1.ForEachValidation, len(rule.Validation.ForEachValidation)) copy(newForeachValidate, rule.Validation.ForEachValidation) + validationFailureAction := rule.Validation.ValidationFailureAction + validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides rule.Validation = kyvernov1.Validation{ - Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"), - ForEachValidation: newForeachValidate, + Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"), + ForEachValidation: newForeachValidate, + ValidationFailureAction: validationFailureAction, + ValidationFailureActionOverrides: validationFailureActionOverrides, } return rule } @@ -207,6 +219,11 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds rule.Validation.CEL = cel return rule } + if rule.HasValidateAssert() { + rule.Validation.Assert = createAutogenAssertion(*rule.Validation.Assert.DeepCopy(), tplKey) + + return rule + } return nil } diff --git a/pkg/background/generate/generate.go b/pkg/background/generate/generate.go index a7d669c7e9c4..408f532fed79 100644 --- a/pkg/background/generate/generate.go +++ b/pkg/background/generate/generate.go 
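Review bot: The new `assert` branch of generateRule does not pass `rule.Validation.Message` through `variables.FindAndShiftReferences` the way the pattern, deny, anyPattern and foreach branches do, so a message that references the pod's own path presumably keeps it while the assertion itself is moved under `spec.<tplKey>`; if assertion messages are resolved differently that is fine, but it should be said. I would add `// assertion messages are not shifted: <reason>` above the branch, or apply the same shift as the other branches. The blank line before `return rule` is also out of step with the surrounding branches.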
@@ -95,7 +95,7 @@ func NewGenerateController( } func (c *GenerateController) ProcessUR(ur *kyvernov2.UpdateRequest) error { - logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "resource", ur.Spec.GetResource().String()) + logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "rule", ur.Spec.GetRuleName(), "resource", ur.Spec.GetResource().String()) var err error var genResources []kyvernov1.ResourceSpec logger.Info("start processing UR", "ur", ur.Name, "resourceVersion", ur.GetResourceVersion()) @@ -198,7 +198,7 @@ func (c *GenerateController) getTriggerForCreateOperation(spec kyvernov2.UpdateR } func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, ur kyvernov2.UpdateRequest, namespaceLabels map[string]string) ([]kyvernov1.ResourceSpec, error) { - logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "resource", ur.Spec.GetResource().String()) + logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "rule", ur.Spec.GetRuleName(), "resource", ur.Spec.GetResource().String()) logger.V(3).Info("applying generate policy rule") policy, err := c.getPolicySpec(ur) @@ -237,6 +237,10 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u var applicableRules []string // Removing UR if rule is failed. Used when the generate condition failed but ur exist for _, r := range engineResponse.PolicyResponse.Rules { + if r.Name() != ur.Spec.GetRuleName() { + continue + } + if r.Status() != engineapi.RuleStatusPass { logger.V(4).Info("querying all update requests") selector := labels.SelectorFromSet(labels.Set(map[string]string{ diff --git a/pkg/client/applyconfigurations/kyverno/v1/deny.go b/pkg/client/applyconfigurations/kyverno/v1/deny.go index 61667eb69484..631563721696 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/deny.go +++ b/pkg/client/applyconfigurations/kyverno/v1/deny.go 
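Review bot: The new `continue` in applyGenerate's rule loop skips every rule whose name differs from `ur.Spec.GetRuleName()`, but the comment just above it (`// Removing UR if rule is failed...`) still describes the old any-rule behaviour, and an UpdateRequest with an empty rule name — if such requests can exist, which I cannot tell from here — would now match no rule and never be cleaned up. I would reword the comment to `// Only the rule this UR was created for decides whether the UR is removed` and, if an empty rule name is possible, handle it explicitly rather than letting it fall through. applyGenerate continues past this hunk.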
@@ -19,13 +19,13 @@ limitations under the License. package v1 import ( - v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + v1 "github.com/kyverno/kyverno/api/kyverno/v1" ) // DenyApplyConfiguration represents an declarative configuration of the Deny type for use // with apply. type DenyApplyConfiguration struct { - RawAnyAllConditions *v1.JSON `json:"conditions,omitempty"` + RawAnyAllConditions *v1.ConditionsWrapper `json:"conditions,omitempty"` } // DenyApplyConfiguration constructs an declarative configuration of the Deny type for use with @@ -37,7 +37,7 @@ func Deny() *DenyApplyConfiguration { // WithRawAnyAllConditions sets the RawAnyAllConditions field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the RawAnyAllConditions field is set to the value of the last call. -func (b *DenyApplyConfiguration) WithRawAnyAllConditions(value v1.JSON) *DenyApplyConfiguration { +func (b *DenyApplyConfiguration) WithRawAnyAllConditions(value v1.ConditionsWrapper) *DenyApplyConfiguration { b.RawAnyAllConditions = &value return b } diff --git a/pkg/client/applyconfigurations/kyverno/v1/foreachmutation.go b/pkg/client/applyconfigurations/kyverno/v1/foreachmutation.go index d6f56a66968a..ae0747fc0290 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/foreachmutation.go +++ b/pkg/client/applyconfigurations/kyverno/v1/foreachmutation.go @@ -19,8 +19,8 @@ limitations under the License. package v1 import ( + kyverno "github.com/kyverno/kyverno/api/kyverno" v1 "github.com/kyverno/kyverno/api/kyverno/v1" - apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" ) // ForEachMutationApplyConfiguration represents an declarative configuration of the ForEachMutation type for use 
@@ -30,7 +30,7 @@ type ForEachMutationApplyConfiguration struct { Order *v1.ForeachOrder `json:"order,omitempty"` Context []ContextEntryApplyConfiguration `json:"context,omitempty"` AnyAllConditions *AnyAllConditionsApplyConfiguration `json:"preconditions,omitempty"` - RawPatchStrategicMerge *apiextensionsv1.JSON `json:"patchStrategicMerge,omitempty"` + RawPatchStrategicMerge *kyverno.Any `json:"patchStrategicMerge,omitempty"` PatchesJSON6902 *string `json:"patchesJson6902,omitempty"` ForEachMutation *v1.ForEachMutationWrapper `json:"foreach,omitempty"` } @@ -81,7 +81,7 @@ func (b *ForEachMutationApplyConfiguration) WithAnyAllConditions(value *AnyAllCo // WithRawPatchStrategicMerge sets the RawPatchStrategicMerge field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the RawPatchStrategicMerge field is set to the value of the last call. -func (b *ForEachMutationApplyConfiguration) WithRawPatchStrategicMerge(value apiextensionsv1.JSON) *ForEachMutationApplyConfiguration { +func (b *ForEachMutationApplyConfiguration) WithRawPatchStrategicMerge(value kyverno.Any) *ForEachMutationApplyConfiguration { b.RawPatchStrategicMerge = &value return b } diff --git a/pkg/client/applyconfigurations/kyverno/v1/imageverification.go b/pkg/client/applyconfigurations/kyverno/v1/imageverification.go index b9e664c13b19..b03d1002dcb8 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/imageverification.go +++ b/pkg/client/applyconfigurations/kyverno/v1/imageverification.go 
@@ -25,6 +25,7 @@ import ( // ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use // with apply. type ImageVerificationApplyConfiguration struct { + ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"` Type *v1.ImageVerificationType `json:"type,omitempty"` Image *string `json:"image,omitempty"` ImageReferences []string `json:"imageReferences,omitempty"` @@ -52,6 +53,14 @@ func ImageVerification() *ImageVerificationApplyConfiguration { return &ImageVerificationApplyConfiguration{} } +// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ValidationFailureAction field is set to the value of the last call. +func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration { + b.ValidationFailureAction = &value + return b +} + // WithType sets the Type field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Type field is set to the value of the last call. diff --git a/pkg/client/applyconfigurations/kyverno/v1/rule.go b/pkg/client/applyconfigurations/kyverno/v1/rule.go index dbf9f622bfe9..bc0b0f6bdeb2 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/rule.go +++ b/pkg/client/applyconfigurations/kyverno/v1/rule.go @@ -21,7 +21,6 @@ package v1 import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" v1alpha1 "k8s.io/api/admissionregistration/v1alpha1" - apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" ) // RuleApplyConfiguration represents an declarative configuration of the Rule type for use 
@@ -32,7 +31,7 @@ type RuleApplyConfiguration struct { MatchResources *MatchResourcesApplyConfiguration `json:"match,omitempty"` ExcludeResources *MatchResourcesApplyConfiguration `json:"exclude,omitempty"` ImageExtractors *kyvernov1.ImageExtractorConfigs `json:"imageExtractors,omitempty"` - RawAnyAllConditions *apiextensionsv1.JSON `json:"preconditions,omitempty"` + RawAnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"` CELPreconditions []v1alpha1.MatchCondition `json:"celPreconditions,omitempty"` Mutation *MutationApplyConfiguration `json:"mutate,omitempty"` Validation *ValidationApplyConfiguration `json:"validate,omitempty"` @@ -95,7 +94,7 @@ func (b *RuleApplyConfiguration) WithImageExtractors(value kyvernov1.ImageExtrac // WithRawAnyAllConditions sets the RawAnyAllConditions field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the RawAnyAllConditions field is set to the value of the last call. -func (b *RuleApplyConfiguration) WithRawAnyAllConditions(value apiextensionsv1.JSON) *RuleApplyConfiguration { +func (b *RuleApplyConfiguration) WithRawAnyAllConditions(value kyvernov1.ConditionsWrapper) *RuleApplyConfiguration { b.RawAnyAllConditions = &value return b } diff --git a/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go b/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go index 4b722ffb38e4..9c26ee03608e 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go +++ b/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go @@ -19,7 +19,7 @@ limitations under the License. package v1 import ( - apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" types "k8s.io/apimachinery/pkg/types" ) 
@@ -28,7 +28,7 @@ import ( type TargetResourceSpecApplyConfiguration struct { *ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"` Context []ContextEntryApplyConfiguration `json:"context,omitempty"` - RawAnyAllConditions *apiextensionsv1.JSON `json:"preconditions,omitempty"` + RawAnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"` } // TargetResourceSpecApplyConfiguration constructs an declarative configuration of the TargetResourceSpec type for use with @@ -104,7 +104,7 @@ func (b *TargetResourceSpecApplyConfiguration) WithContext(values ...*ContextEnt // WithRawAnyAllConditions sets the RawAnyAllConditions field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the RawAnyAllConditions field is set to the value of the last call. -func (b *TargetResourceSpecApplyConfiguration) WithRawAnyAllConditions(value apiextensionsv1.JSON) *TargetResourceSpecApplyConfiguration { +func (b *TargetResourceSpecApplyConfiguration) WithRawAnyAllConditions(value kyvernov1.ConditionsWrapper) *TargetResourceSpecApplyConfiguration { b.RawAnyAllConditions = &value return b } diff --git a/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go b/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go index cf924395534a..4a51d6db705c 100644 --- a/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go +++ b/pkg/client/applyconfigurations/kyverno/v2beta1/imageverification.go 
@@ -26,6 +26,7 @@ import ( // ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use // with apply. type ImageVerificationApplyConfiguration struct { + ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"` Type *v1.ImageVerificationType `json:"type,omitempty"` ImageReferences []string `json:"imageReferences,omitempty"` SkipImageReferences []string `json:"skipImageReferences,omitempty"` @@ -45,6 +46,14 @@ func ImageVerification() *ImageVerificationApplyConfiguration { return &ImageVerificationApplyConfiguration{} } +// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ValidationFailureAction field is set to the value of the last call. +func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration { + b.ValidationFailureAction = &value + return b +} + // WithType sets the Type field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Type field is set to the value of the last call. diff --git a/pkg/controllers/metrics/policy/metrics.go b/pkg/controllers/metrics/policy/metrics.go index 38e0b89c7c41..10e6db868335 100644 --- a/pkg/controllers/metrics/policy/metrics.go +++ b/pkg/controllers/metrics/policy/metrics.go 
@@ -27,7 +27,7 @@ func (pc *controller) registerPolicyChangesMetricUpdatePolicy(ctx context.Contex logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName()) } // curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields: - if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.GetValidationFailureAction().Enforce() != oldSpec.GetValidationFailureAction().Enforce() { + if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.ValidationFailureAction.Enforce() != oldSpec.ValidationFailureAction.Enforce() { err = policyChangesMetric.RegisterPolicy(ctx, pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated) if err != nil { logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName()) diff --git a/pkg/controllers/report/aggregate/controller.go b/pkg/controllers/report/aggregate/controller.go index 99c7f72ac379..28622ac97a02 100644 --- a/pkg/controllers/report/aggregate/controller.go +++ b/pkg/controllers/report/aggregate/controller.go @@ -5,6 +5,7 @@ import ( "time" "github.com/go-logr/logr" + "github.com/kyverno/kyverno/api/kyverno" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" reportsv1 "github.com/kyverno/kyverno/api/reports/v1" 
@@ -92,12 +93,16 @@ func NewController( logger.Error(err, "failed to register event handlers") } enqueueAll := func() { - if list, err := polrInformer.Lister().List(labels.Everything()); err == nil { + selector := labels.SelectorFromSet(labels.Set{ + kyverno.LabelAppManagedBy: kyverno.ValueKyvernoApp, + }) + + if list, err := polrInformer.Lister().List(selector); err == nil { for _, item := range list { c.backQueue.AddAfter(controllerutils.MetaObjectToName(item.(*metav1.PartialObjectMetadata)), enqueueDelay) } } - if list, err := cpolrInformer.Lister().List(labels.Everything()); err == nil { + if list, err := cpolrInformer.Lister().List(selector); err == nil { for _, item := range list { c.backQueue.AddAfter(controllerutils.MetaObjectToName(item.(*metav1.PartialObjectMetadata)), enqueueDelay) } diff --git a/pkg/controllers/report/aggregate/controller_test.go b/pkg/controllers/report/aggregate/controller_test.go new file mode 100644 index 000000000000..a9a1881ee3f0 --- /dev/null +++ b/pkg/controllers/report/aggregate/controller_test.go 
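Review bot: `selector` in enqueueAll is rebuilt on every call although it never changes; define it once above the closure as `managedBySelector := labels.SelectorFromSet(labels.Set{kyverno.LabelAppManagedBy: kyverno.ValueKyvernoApp})` and reuse it in both `List` calls. The filter is also a trust decision worth a comment at that definition: the aggregate controller now re-enqueues only reports that carry the managed-by label, so reports written by other tools are left alone, and any report that merely carries the label is treated as kyverno's. The informer event handlers registered just before this hunk fall outside it, so I cannot see whether they apply the same filter.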
@@ -0,0 +1,102 @@ +package aggregate_test + +import ( + "context" + "testing" + "time" + + "github.com/kyverno/kyverno/api/kyverno" + v1 "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/api/policyreport/v1alpha2" + versionedfake "github.com/kyverno/kyverno/pkg/client/clientset/versioned/fake" + kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions" + "github.com/kyverno/kyverno/pkg/controllers/report/aggregate" + "github.com/stretchr/testify/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + metafake "k8s.io/client-go/metadata/fake" + metadatainformers "k8s.io/client-go/metadata/metadatainformer" + k8stesting "k8s.io/client-go/testing" +) + +func newFakeMetaClient() (metadatainformers.SharedInformerFactory, metafake.MetadataClient) { + s := metafake.NewTestScheme() + metav1.AddMetaToScheme(s) + + client := metafake.NewSimpleMetadataClient(s) + + return metadatainformers.NewSharedInformerFactory(client, 1*time.Minute), client.Resource(v1alpha2.SchemeGroupVersion.WithResource("policyreports")).Namespace("default").(metafake.MetadataClient) +} + +var ( + kyvernoPolr = &v1alpha2.PolicyReport{ + ObjectMeta: metav1.ObjectMeta{ + Name: "kyverno-polr", + Namespace: "default", + Labels: map[string]string{ + kyverno.LabelAppManagedBy: kyverno.ValueKyvernoApp, + }, + }, + } + notKyvernoPolr = &v1alpha2.PolicyReport{ + ObjectMeta: metav1.ObjectMeta{ + Name: "not-kyverno-polr", + Namespace: "default", + }, + } +) + +func TestController(t *testing.T) { + metaFactory, metaClient := newFakeMetaClient() + client := versionedfake.NewSimpleClientset() + kyvernoFactory := kyvernoinformer.NewSharedInformerFactory(client, 1*time.Second) + + polInformer := kyvernoFactory.Kyverno().V1().Policies() + cpolInformer := kyvernoFactory.Kyverno().V1().ClusterPolicies() + + client.Wgpolicyk8sV1alpha2().PolicyReports("default").Create(context.TODO(), kyvernoPolr, metav1.CreateOptions{}) + 
client.Wgpolicyk8sV1alpha2().PolicyReports("default").Create(context.TODO(), notKyvernoPolr, metav1.CreateOptions{}) + + metaClient.CreateFake(&metav1.PartialObjectMetadata{ObjectMeta: kyvernoPolr.ObjectMeta}, metav1.CreateOptions{}) + metaClient.CreateFake(&metav1.PartialObjectMetadata{ObjectMeta: notKyvernoPolr.ObjectMeta}, metav1.CreateOptions{}) + + controller := aggregate.NewController(client, nil, metaFactory, polInformer, cpolInformer, nil) + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + go func() { + controller.Run(ctx, 1) + }() + + stop := make(chan struct{}) + defer close(stop) + + metaFactory.Start(stop) + kyvernoFactory.Start(stop) + + metaFactory.WaitForCacheSync(stop) + kyvernoFactory.WaitForCacheSync(stop) + + _, err := client.KyvernoV1().ClusterPolicies().Create(context.TODO(), &v1.ClusterPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "kyverno-pol", + }, + }, metav1.CreateOptions{}) + + assert.Nil(t, err) + + // This delay is necessary because the controller processes the queue if a delay of 10 seconds + // because the controller runs in a goroutine it needs to wait a bit longer to give the controller time to process the queue + time.Sleep(13 * time.Second) + + list, _ := client.Wgpolicyk8sV1alpha2().PolicyReports("default").List(context.TODO(), metav1.ListOptions{}) + + assert.Len(t, list.Items, 1) + assert.Equal(t, notKyvernoPolr.Name, list.Items[0].Name) + + for _, a := range client.Fake.Actions() { + if action, ok := a.(k8stesting.GetAction); ok { + assert.False(t, action.GetName() == notKyvernoPolr.Name, "PolicyReports not managed by kyverno should not be requested") + } + } +} diff --git a/pkg/controllers/webhook/utils_test.go b/pkg/controllers/webhook/utils_test.go index 91e39591152d..ceeb0c5ab3e3 100644 --- a/pkg/controllers/webhook/utils_test.go +++ b/pkg/controllers/webhook/utils_test.go 
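Review bot: The test discards the errors from the four `Create`/`CreateFake` calls and then sleeps 13 seconds, so a setup failure surfaces only as a confusing `Len` mismatch after a long wait; each create should be `_, err := ...Create(...)` followed by `assert.NoError(t, err)`. The fixed sleep makes this the slowest test in the package and ties it to an enqueue delay the test cannot observe; polling the list with `assert.Eventually` until the managed report is gone keeps the same assertion and stops as soon as the controller has run. The comment `processes the queue if a delay of 10 seconds` should read `with a delay of 10 seconds`.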
@@ -35,7 +35,6 @@ var policy = ` "name": "disallow-unsigned-images" }, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { diff --git a/pkg/engine/adapters/dclient.go b/pkg/engine/adapters/dclient.go index 384574e69178..ab0e9b964686 100644 --- a/pkg/engine/adapters/dclient.go +++ b/pkg/engine/adapters/dclient.go @@ -70,7 +70,7 @@ func (a *dclientAdapter) IsNamespaced(group, version, kind string) (bool, error) } func (a *dclientAdapter) CanI(ctx context.Context, kind, namespace, verb, subresource, user string) (bool, string, error) { - canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), kind, namespace, verb, subresource, user) + canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), kind, namespace, "", verb, subresource, user) ok, reason, err := canI.RunAccessCheck(ctx) if err != nil { return false, reason, err diff --git a/pkg/engine/api/engineresponse.go b/pkg/engine/api/engineresponse.go index 7788c3709e24..0c903c1aa968 100644 --- a/pkg/engine/api/engineresponse.go +++ b/pkg/engine/api/engineresponse.go 
@@ -199,7 +199,41 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
 return ""
 }
 spec := pol.AsKyvernoPolicy().GetSpec()
- for _, v := range spec.GetValidationFailureActionOverrides() {
+ for _, r := range spec.Rules {
+ if r.HasValidate() {
+ for _, v := range r.Validation.ValidationFailureActionOverrides {
+ if !v.Action.IsValid() {
+ continue
+ }
+ if v.Namespaces == nil {
+ hasPass, err := utils.CheckSelector(v.NamespaceSelector, er.namespaceLabels)
+ if err == nil && hasPass {
+ return v.Action
+ }
+ }
+ for _, ns := range v.Namespaces {
+ if wildcard.Match(ns, er.PatchedResource.GetNamespace()) {
+ if v.NamespaceSelector == nil {
+ return v.Action
+ }
+ hasPass, err := utils.CheckSelector(v.NamespaceSelector, er.namespaceLabels)
+ if err == nil && hasPass {
+ return v.Action
+ }
+ }
+ }
+ }
+
+ if r.Validation.ValidationFailureAction != nil {
+ return *r.Validation.ValidationFailureAction
+ }
+ } else if r.HasVerifyImages() {
+ if r.VerifyImages[0].ValidationFailureAction != nil {
+ return *r.VerifyImages[0].ValidationFailureAction
+ }
+ }
+ }
+ for _, v := range spec.ValidationFailureActionOverrides {
 if !v.Action.IsValid() {
 continue
 }
@@ -221,5 +255,5 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
 }
 }
 }
- return spec.GetValidationFailureAction()
+ return spec.ValidationFailureAction
 }
diff --git a/pkg/engine/handlers/mutation/common.go b/pkg/engine/handlers/mutation/common.go
index 5ac473daca07..a6862f8e71fc 100644
--- a/pkg/engine/handlers/mutation/common.go
+++ b/pkg/engine/handlers/mutation/common.go
@@ -69,7 +69,7 @@ func (f *forEachMutator) mutateElements(ctx context.Context, foreach kyvernov1.F reverse := false // if it's a patch strategic merge, reverse by default - if foreach.RawPatchStrategicMerge != nil { + if foreach.GetPatchStrategicMerge() != nil { reverse = true } if foreach.Order != nil {
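Review bot: The new loop over spec.Rules returns the first rule-level action it encounters, independent of which rule produced the failure this EngineResponse carries, so for a policy that mixes per-rule Enforce and Audit settings the action reported for a violation depends on rule order rather than on the failing rule — a violation from an Enforce rule could be reported under an earlier rule's Audit setting, or the reverse. The loop should be limited to the rule(s) whose response is failing, or the function should take the rule name as input; at minimum document the first-match behaviour on the function, e.g. `// Rule-level validationFailureAction is resolved in rule order; the first rule that declares one wins.` The `r.VerifyImages[0]` access also assumes HasVerifyImages guarantees a non-empty slice, which is not visible here. GetValidationFailureAction's signature sits above the hunk.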
diff --git a/pkg/engine/handlers/validation/validate_resource.go b/pkg/engine/handlers/validation/validate_resource.go index bcb5299c91f8..9e4b6bd298e4 100644 --- a/pkg/engine/handlers/validation/validate_resource.go +++ b/pkg/engine/handlers/validation/validate_resource.go @@ -16,7 +16,6 @@ import ( engineutils "github.com/kyverno/kyverno/pkg/engine/utils" "github.com/kyverno/kyverno/pkg/engine/validate" "github.com/kyverno/kyverno/pkg/engine/variables" - datautils "github.com/kyverno/kyverno/pkg/utils/data" stringutils "github.com/kyverno/kyverno/pkg/utils/strings" "github.com/pkg/errors" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" @@ -66,7 +65,7 @@ type validator struct { policyContext engineapi.PolicyContext rule kyvernov1.Rule contextEntries []kyvernov1.ContextEntry - anyAllConditions apiextensions.JSON + anyAllConditions any pattern apiextensions.JSON anyPattern apiextensions.JSON deny *kyvernov1.Deny @@ -76,7 +75,6 @@ type validator struct { } func newValidator(log logr.Logger, contextLoader engineapi.EngineContextLoader, ctx engineapi.PolicyContext, rule kyvernov1.Rule) *validator { - anyAllConditions, _ := datautils.ToMap(rule.RawAnyAllConditions) return &validator{ log: log, rule: rule, @@ -85,7 +83,7 @@ func newValidator(log logr.Logger, contextLoader engineapi.EngineContextLoader, pattern: rule.Validation.GetPattern(), anyPattern: rule.Validation.GetAnyPattern(), deny: rule.Validation.Deny, - anyAllConditions: anyAllConditions, + anyAllConditions: rule.GetAnyAllConditions(), forEach: rule.Validation.ForEachValidation, } } @@ -98,10 +96,6 @@ func newForEachValidator( ctx engineapi.PolicyContext, log logr.Logger, ) (*validator, error) { - anyAllConditions, err := datautils.ToMap(foreach.AnyAllConditions) - if err != nil { - return nil, fmt.Errorf("failed to convert ruleCopy.Validation.ForEachValidation.AnyAllConditions: %w", err) - } var loopItems []kyvernov1.ForEachValidation fev := foreach.GetForEachValidation() if len(fev) > 0 { 
@@ -115,7 +109,7 @@ func newForEachValidator( rule: rule, contextLoader: contextLoader, contextEntries: foreach.Context, - anyAllConditions: anyAllConditions, + anyAllConditions: foreach.AnyAllConditions, pattern: foreach.GetPattern(), anyPattern: foreach.GetAnyPattern(), deny: foreach.Deny, diff --git a/pkg/engine/handlers/validation/validate_resource_test.go b/pkg/engine/handlers/validation/validate_resource_test.go index aa96c20669c5..8e057816f631 100644 --- a/pkg/engine/handlers/validation/validate_resource_test.go +++ b/pkg/engine/handlers/validation/validate_resource_test.go @@ -40,7 +40,6 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext { "name": "block-label-changes" }, "spec": { - "validationFailureAction": "Enforce", "background": false, "rules": [ { @@ -61,6 +60,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext { ] }, "validate": { + "validationFailureAction": "Enforce", "message": "The label size is required", "pattern": { "metadata": { @@ -88,6 +88,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext { ] }, "validate": { + "validationFailureAction": "Enforce", "message": "The label size cannot be changed for a namespace", "deny": { "conditions": { diff --git a/pkg/engine/mutate/mutation.go b/pkg/engine/mutate/mutation.go index 2ca2c4421ddd..9f730430fe62 100644 --- a/pkg/engine/mutate/mutation.go +++ b/pkg/engine/mutate/mutation.go @@ -1,7 +1,6 @@ package mutate import ( - "encoding/json" "fmt" "strings" @@ -11,7 +10,6 @@ import ( "github.com/kyverno/kyverno/pkg/engine/context" "github.com/kyverno/kyverno/pkg/engine/mutate/patch" "github.com/kyverno/kyverno/pkg/engine/variables" - datautils "github.com/kyverno/kyverno/pkg/utils/data" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) 
@@ -77,7 +75,7 @@ func ForEach(name string, foreach kyvernov1.ForEachMutation, policyContext engin if err != nil { return NewErrorResponse("variable substitution failed", err) } - patcher := NewPatcher(fe.GetPatchStrategicMerge(), fe.PatchesJSON6902) + patcher := NewPatcher(fe["patchStrategicMerge"], fe["patchesJson6902"].(string)) if patcher == nil { return NewErrorResponse("empty mutate rule", nil) } @@ -101,28 +99,22 @@ func ForEach(name string, foreach kyvernov1.ForEachMutation, policyContext engin return NewResponse(engineapi.RuleStatusPass, *patchedResource, "resource patched") } -func substituteAllInForEach(fe kyvernov1.ForEachMutation, ctx context.Interface, logger logr.Logger) (*kyvernov1.ForEachMutation, error) { - jsonObj, err := datautils.ToMap(fe) - if err != nil { - return nil, err - } - - data, err := variables.SubstituteAll(logger, ctx, jsonObj) - if err != nil { - return nil, err - } +func substituteAllInForEach(fe kyvernov1.ForEachMutation, ctx context.Interface, logger logr.Logger) (map[string]interface{}, error) { + patchesMap := make(map[string]interface{}) + patchesMap["patchStrategicMerge"] = fe.GetPatchStrategicMerge() + patchesMap["patchesJson6902"] = fe.PatchesJSON6902 - bytes, err := json.Marshal(data) + subedPatchesMap, err := variables.SubstituteAll(logger, ctx, patchesMap) if err != nil { return nil, err } - var updatedForEach kyvernov1.ForEachMutation - if err := json.Unmarshal(bytes, &updatedForEach); err != nil { - return nil, err + typedMap, ok := subedPatchesMap.(map[string]interface{}) + if !ok { + return nil, fmt.Errorf("failed to convert patched map to map[string]interface{}") } - return &updatedForEach, nil + return typedMap, nil } func NewPatcher(strategicMergePatch apiextensions.JSON, jsonPatch string) patch.Patcher { diff --git a/pkg/engine/mutate/mutation_test.go b/pkg/engine/mutate/mutation_test.go index ca4ef1c5d4d6..a12a21c5593e 100644 --- a/pkg/engine/mutate/mutation_test.go +++ b/pkg/engine/mutate/mutation_test.go 
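Review bot: `fe["patchesJson6902"].(string)` in ForEach is an unchecked type assertion on a value that has just passed through variables.SubstituteAll; if the substituted variable resolves to anything other than a string (JMESPath expressions over request data can yield numbers, lists or maps) the engine panics instead of returning the NewErrorResponse the surrounding lines use for every other failure. Use the two-value form and route the mismatch through the existing error path, as below. The string keys `"patchStrategicMerge"` and `"patchesJson6902"` are now duplicated between this hunk and substituteAllInForEach in the next hunk; two unexported constants would keep producer and consumer in step. ForEach starts and ends outside the hunk.
```go
	if err != nil {
		return NewErrorResponse("variable substitution failed", err)
	}
	jsonPatch, ok := fe["patchesJson6902"].(string)
	if !ok {
		return NewErrorResponse("patchesJson6902 must be a string after variable substitution", nil)
	}
	patcher := NewPatcher(fe["patchStrategicMerge"], jsonPatch)
	// … unchanged: nil-patcher check and patch application …
```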
@@ -7,10 +7,13 @@ import ( "github.com/go-logr/logr" types "github.com/kyverno/kyverno/api/kyverno/v1" + v1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/config" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/context" "github.com/kyverno/kyverno/pkg/engine/jmespath" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -235,3 +238,34 @@ func TestProcessPatches_RemovePathDoesntExist_NotEmptyResult(t *testing.T) {
 unstructured.SetNestedField(resource.UnstructuredContent(), "label2Value", "metadata", "labels", "label2")
 require.Equal(t, resource, patched)
 }
+
+type MockContext struct {
+ context.Interface
+ mock.Mock
+}
+
+func (m *MockContext) Query(query string) (interface{}, error) {
+ args := m.Called(query)
+ return args.Get(0), args.Error(1)
+}
+
+func (m *MockContext) QueryOperation() string {
+ args := m.Called()
+ return args.Get(0).(string)
+}
+
+func TestSubstituteAllInForEach_InvalidTypeConversion(t *testing.T) {
+ ctx := &MockContext{}
+ // Simulate a scenario where the substitution returns an unexpected type
+ ctx.On("Query", mock.Anything).Return(true, nil)
+ ctx.On("QueryOperation").Return("CREATE")
+
+ foreach := v1.ForEachMutation{
+ PatchesJSON6902: "string",
+ }
+
+ fe, err := substituteAllInForEach(foreach, ctx, logr.Discard())
+
+ assert.NoError(t, err)
+ assert.IsType(t, "string", fe["patchesJson6902"])
+}
diff --git a/pkg/engine/mutate/patch/strategicMergePatch_test.go b/pkg/engine/mutate/patch/strategicMergePatch_test.go
index c37080e1e10f..e14228f99ca5 100644
--- a/pkg/engine/mutate/patch/strategicMergePatch_test.go
+++ b/pkg/engine/mutate/patch/strategicMergePatch_test.go
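Review bot: The added import `v1 "github.com/kyverno/kyverno/api/kyverno/v1"` is a second alias for a package this file already imports as `types` on the context line just above it; Go permits it, but two names for one package in the same file is confusing to read and grep. Drop the new import line and write `types.ForEachMutation{` in the new test instead.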
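Review bot: TestSubstituteAllInForEach_InvalidTypeConversion does not exercise the case its name and the comment `// Simulate a scenario where the substitution returns an unexpected type` describe: `PatchesJSON6902: "string"` contains no variable reference, so the mock's `Query` returning `true` is presumably never consulted and the assertion that the value is still a string holds trivially. To cover a non-string substitution result, give the field a value that carries a variable reference (a constructed sample such as `"{{ request.object.metadata.name }}"`) so the substituted map value becomes the mocked boolean, then assert the behaviour wanted for that input — today that input would reach the `.(string)` assertion in ForEach rather than an error return. Until then the test only shows that a plain string survives substitution unchanged.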
@@ -180,7 +180,6 @@ func Test_PolicyDeserilize(t *testing.T) { "name": "set-image-pull-policy" }, "spec": { - "validationFailureAction": "enforce", "rules": [ { "name": "set-image-pull-policy", diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go index 9a97b3cd98ea..6b4941ea33e0 100644 --- a/pkg/engine/mutation_test.go +++ b/pkg/engine/mutation_test.go @@ -655,7 +655,6 @@ func Test_foreach_element_mutation(t *testing.T) { "name": "mutate-privileged" }, "spec": { - "validationFailureAction": "audit", "background": false, "webhookTimeoutSeconds": 10, "failurePolicy": "Fail", diff --git a/pkg/engine/utils/utils.go b/pkg/engine/utils/utils.go index 0e73e6be061a..28d2e0e93997 100644 --- a/pkg/engine/utils/utils.go +++ b/pkg/engine/utils/utils.go @@ -7,7 +7,6 @@ import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/logging" - apiutils "github.com/kyverno/kyverno/pkg/utils/api" jsonutils "github.com/kyverno/kyverno/pkg/utils/json" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -76,12 +75,16 @@ func ApplyPatchNew(resource, patch []byte) ([]byte, error) { } func TransformConditions(original apiextensions.JSON) (interface{}, error) { - // conditions are currently in the form of []interface{} - oldConditions, err := apiutils.ApiextensionsJsonToKyvernoConditions(original) - if err != nil { - return nil, err + if original == nil { + return kyvernov1.AnyAllConditions{}, nil } - switch typedValue := oldConditions.(type) { + + switch typedValue := original.(type) { + case *kyvernov1.AnyAllConditions: + if typedValue == nil { + return kyvernov1.AnyAllConditions{}, nil + } + return *typedValue.DeepCopy(), nil case kyvernov1.AnyAllConditions: return *typedValue.DeepCopy(), nil case []kyvernov1.Condition: // backwards compatibility 
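Review bot: TransformConditions no longer routes its input through apiutils.ApiextensionsJsonToKyvernoConditions, so the type switch now only recognises already-typed values (`*AnyAllConditions`, `AnyAllConditions`, `[]Condition`); if any caller still passes a raw JSON-decoded `map[string]interface{}` or `[]interface{}`, as the removed comment `// conditions are currently in the form of []interface{}` suggests was once the case, that input now falls through to the default branch below the hunk instead of being converted. Worth confirming every caller supplies typed conditions, and stating the accepted inputs in a doc comment, e.g. `// TransformConditions accepts typed AnyAllConditions (by value or pointer) or the legacy []Condition form; raw JSON is no longer decoded here.` The nil-pointer guard for `*kyvernov1.AnyAllConditions` is a good addition. The rest of the switch is outside the hunk.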
diff --git a/pkg/engine/utils/utils_test.go b/pkg/engine/utils/utils_test.go index 58d950856924..98047363d3d0 100644 --- a/pkg/engine/utils/utils_test.go +++ b/pkg/engine/utils/utils_test.go 
@@ -837,7 +837,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "name": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { 
"kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), areErrorsExpected: false, }, { 
@@ -846,7 +846,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": {"rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: false, }, { 
@@ -864,7 +864,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "name": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { 
"resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), areErrorsExpected: true, }, { @@ -873,7 +873,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "validationFailureAction": "enforce", "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -882,7 +882,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -891,7 +891,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "name": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } } ] } }`), areErrorsExpected: true, }, } 
@@ -1742,7 +1742,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", 
"match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), areErrorsExpected: false, }, { 
@@ -1751,7 +1751,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: false, }, { 
@@ -1769,7 +1769,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": 
"check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`), areErrorsExpected: true, }, { @@ -1778,7 +1778,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "generateName": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "validationFailureAction": "enforce", "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -1787,7 +1787,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`), areErrorsExpected: true, }, { 
@@ -1796,7 +1796,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`), - Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } } ] } }`), + Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } } ] } }`), areErrorsExpected: true, }, } diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index f0603cda8147..a6bcd7b735be 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go @@ -679,7 +679,6 @@ func TestValidate_foreach_zero_reported_asskip(t *testing.T) { } }, "spec": { - "validationFailureAction": "Enforce", "background": true, "rules": [ { 
@@ -690,6 +689,7 @@ func TestValidate_foreach_zero_reported_asskip(t *testing.T) { } }, "validate": { + "validationFailureAction": "Enforce", "foreach": [ { "list": "request.object.spec.volumes[].projected.sources[].serviceAccountToken.expirationSeconds", @@ -1948,7 +1948,6 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing. "name": "cm-array-example" }, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { @@ -1961,6 +1960,7 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing. } }, "validate": { + "validationFailureAction": "enforce", "message": "The animal {{ request.object.metadata.labels.animal }} is not in the allowed list of animals.", "deny": { "conditions": [ @@ -2125,7 +2125,6 @@ func Test_BlockLabelRemove(t *testing.T) { "name": "prevent-label-remove" }, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { @@ -2152,6 +2151,7 @@ func Test_BlockLabelRemove(t *testing.T) { ] }, "validate": { + "validationFailureAction": "enforce", "message": "not allowed", "deny": { "conditions": { @@ -2248,7 +2248,6 @@ func TestValidate_context_variable_substitution_CLI(t *testing.T) { "name": "restrict-pod-count" }, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { @@ -2270,6 +2269,7 @@ func TestValidate_context_variable_substitution_CLI(t *testing.T) { } ], "validate": { + "validationFailureAction": "enforce", "message": "restrict pod counts to be no more than 10 on node minikube", "deny": { "conditions": [ @@ -2372,6 +2372,7 @@ func Test_EmptyStringInDenyCondition(t *testing.T) { } ], "validate": { + "validationFailureAction": "enforce", "deny": { "conditions": [ { @@ -2383,8 +2384,7 @@ func Test_EmptyStringInDenyCondition(t *testing.T) { } } } - ], - "validationFailureAction": "enforce" + ] } }`) 
@@ -2457,6 +2457,7 @@ func Test_StringInDenyCondition(t *testing.T) { } ], "validate": { + "validationFailureAction": "enforce", "deny": { "conditions": [ { @@ -2468,8 +2469,7 @@ func Test_StringInDenyCondition(t *testing.T) { } } } - ], - "validationFailureAction": "enforce" + ] } }`) @@ -3000,13 +3000,13 @@ func Test_outof_foreach_element_validation(t *testing.T) { "kind": "ClusterPolicy", "metadata": {"name": "check-container-names"}, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { "name": "test", "match": {"resources": { "kinds": [ "Pod" ] } }, "validate": { + "validationFailureAction": "enforce", "message": "Invalid name", "pattern": { "name": "{{ element.name }}" @@ -3033,7 +3033,6 @@ func Test_foreach_skip_initContainer_pass(t *testing.T) { "name": "check-images" }, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { @@ -3046,6 +3045,7 @@ func Test_foreach_skip_initContainer_pass(t *testing.T) { } }, "validate": { + "validationFailureAction": "enforce", "message": "unknown registry", "foreach": [ { @@ -3210,13 +3210,13 @@ func Test_delete_ignore_pattern(t *testing.T) { "kind": "ClusterPolicy", "metadata": {"name": "check-container-labels"}, "spec": { - "validationFailureAction": "enforce", "background": false, "rules": [ { "name": "test", "match": {"resources": { "kinds": [ "Pod" ] } }, "validate": { + "validationFailureAction": "enforce", "message": "Invalid label", "pattern": { "metadata" : { diff --git a/pkg/engine/variables/evaluate.go b/pkg/engine/variables/evaluate.go index 7a9e4b32bdc7..4a5a30dc6ac7 100644 --- a/pkg/engine/variables/evaluate.go +++ b/pkg/engine/variables/evaluate.go 
@@ -30,6 +30,8 @@ func Evaluate(logger logr.Logger, ctx context.EvalInterface, condition kyvernov1 // EvaluateConditions evaluates all the conditions present in a slice, in a backwards compatible way func EvaluateConditions(log logr.Logger, ctx context.EvalInterface, conditions interface{}) (bool, string, error) { switch typedConditions := conditions.(type) { + case *kyvernov1.AnyAllConditions: + return evaluateAnyAllConditions(log, ctx, *typedConditions) case kyvernov1.AnyAllConditions: return evaluateAnyAllConditions(log, ctx, typedConditions) case []kyvernov1.Condition: // backwards compatibility diff --git a/pkg/metrics/parsers.go b/pkg/metrics/parsers.go index ef65e31ac871..ddc59c34051d 100644 --- a/pkg/metrics/parsers.go +++ b/pkg/metrics/parsers.go @@ -77,6 +77,12 @@ func GetPolicyInfos(policy kyvernov1.PolicyInterface) (string, string, PolicyTyp policyType = Namespaced } backgroundMode := ParsePolicyBackgroundMode(policy) - validationMode, err := ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction()) - return name, namespace, policyType, backgroundMode, validationMode, err + isEnforce := policy.GetSpec().HasValidateEnforce() + var validationMode PolicyValidationMode + if isEnforce { + validationMode = Enforce + } else { + validationMode = Audit + } + return name, namespace, policyType, backgroundMode, validationMode, nil } diff --git a/pkg/policy/auth/auth.go b/pkg/policy/auth/auth.go index 1298d67e426f..bbb47acd8ccd 100644 --- a/pkg/policy/auth/auth.go +++ b/pkg/policy/auth/auth.go 
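Review bot: The new `case *kyvernov1.AnyAllConditions:` dereferences `typedConditions` with no nil check, so a typed nil pointer passed as `conditions` now panics inside EvaluateConditions instead of reaching the remaining cases. A guard such as `if typedConditions == nil { return false, "", errors.New("nil conditions") }` before the dereference (using whatever error construction the file already imports) turns that into an explicit error. The rest of the switch and the end of the function are outside the hunk.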
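Review bot: The error slot of GetPolicyInfos is now dead, since the new `return name, namespace, policyType, backgroundMode, validationMode, nil` can never return anything else, and callers that branch on it are maintaining unreachable code; either drop the return value or document it as reserved. Collapsing the mode to `HasValidateEnforce()` presumably also reports a policy as Enforce as soon as any validate rule enforces, so mixed audit/enforce policies are counted wholly under Enforce in metrics. A comment such as `// a policy with at least one enforcing validate rule is reported as Enforce` would make that aggregation explicit for whoever reads the dashboards.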
@@ -11,13 +11,13 @@ import ( // Operations provides methods to performing operations on resource type Operations interface { // CanICreate returns 'true' if self can 'create' resource - CanICreate(ctx context.Context, gvk, namespace, subresource string) (bool, error) + CanICreate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) // CanIUpdate returns 'true' if self can 'update' resource - CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error) + CanIUpdate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) // CanIDelete returns 'true' if self can 'delete' resource - CanIDelete(ctx context.Context, gvk, namespace, subresource string) (bool, error) + CanIDelete(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) // CanIGet returns 'true' if self can 'get' resource - CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error) + CanIGet(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) } // Auth provides implementation to check if caller/self/kyverno has access to perofrm operations @@ -38,8 +38,8 @@ func NewAuth(client dclient.Interface, user string, log logr.Logger) *Auth { } // CanICreate returns 'true' if self can 'create' resource -func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, subresource string) (bool, error) { - canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "create", "", a.user) +func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) { + canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "create", "", a.user) ok, _, err := canI.RunAccessCheck(ctx) if err != nil { return false, err 
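Review bot: The interface doc comments still read `// CanICreate returns 'true' if self can 'create' resource` and say nothing about the new `name` parameter, which changes what is authorized: with an empty name the SubjectAccessReview asks for access to every object of the kind, with a name it asks only for that object, so resourceNames-scoped roles can answer "yes" for a name and "no" for the kind. Suggest `// CanICreate returns 'true' if self can 'create' the resource; name may be empty to check access to all objects of the kind` on each of the four interface methods and on the *Auth methods in this and the following two hunks (CanIUpdate, CanIDelete, CanIGet). The call `auth.NewCanI(..., gvk, namespace, name, "create", "", a.user)` now has five positional strings in a row, so a swapped argument compiles silently; naming the verb and subresource in local variables would make the order visible.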
@@ -48,8 +48,8 @@ func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, subresource strin } // CanIUpdate returns 'true' if self can 'update' resource -func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error) { - canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "update", "", a.user) +func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) { + canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "update", "", a.user) ok, _, err := canI.RunAccessCheck(ctx) if err != nil { return false, err @@ -58,8 +58,8 @@ func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, subresource strin } // CanIDelete returns 'true' if self can 'delete' resource -func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, subresource string) (bool, error) { - canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "delete", "", a.user) +func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) { + canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "delete", "", a.user) ok, _, err := canI.RunAccessCheck(ctx) if err != nil { return false, err 
@@ -68,8 +68,8 @@ func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, subresource strin } // CanIGet returns 'true' if self can 'get' resource -func (a *Auth) CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error) { - canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "get", "", a.user) +func (a *Auth) CanIGet(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) { + canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "get", "", a.user) ok, _, err := canI.RunAccessCheck(ctx) if err != nil { return false, err diff --git a/pkg/policy/auth/fake/auth.go b/pkg/policy/auth/fake/auth.go index a336da6fecc9..0492ecbada2c 100644 --- a/pkg/policy/auth/fake/auth.go +++ b/pkg/policy/auth/fake/auth.go @@ -12,21 +12,21 @@ func NewFakeAuth() *FakeAuth { } // CanICreate returns 'true' -func (a *FakeAuth) CanICreate(_ context.Context, kind, namespace, sub string) (bool, error) { +func (a *FakeAuth) CanICreate(_ context.Context, kind, namespace, name, sub string) (bool, error) { return true, nil } // CanIUpdate returns 'true' -func (a *FakeAuth) CanIUpdate(_ context.Context, kind, namespace, sub string) (bool, error) { +func (a *FakeAuth) CanIUpdate(_ context.Context, kind, namespace, name, sub string) (bool, error) { return true, nil } // CanIDelete returns 'true' -func (a *FakeAuth) CanIDelete(_ context.Context, kind, namespace, sub string) (bool, error) { +func (a *FakeAuth) CanIDelete(_ context.Context, kind, namespace, name, sub string) (bool, error) { return true, nil } // CanIGet returns 'true' -func (a *FakeAuth) CanIGet(_ context.Context, kind, namespace, sub string) (bool, error) { +func (a *FakeAuth) CanIGet(_ context.Context, kind, namespace, name, sub string) (bool, error) { return true, nil } 
diff --git a/pkg/policy/generate.go b/pkg/policy/generate.go index 692d7097e43a..9ba2d616441c 100644 --- a/pkg/policy/generate.go +++ b/pkg/policy/generate.go @@ -41,10 +41,22 @@ func (pc *policyController) handleGenerateForExisting(policy kyvernov1.PolicyInt var errors []error var triggers []*unstructured.Unstructured ruleType := kyvernov2.Generate + spec := policy.GetSpec() policyNew := policy.CreateDeepCopy() policyNew.GetSpec().Rules = nil - for _, rule := range policy.GetSpec().Rules { + for _, rule := range spec.Rules { + // check if the rule sets the generateExisting field. + // if not, use the policy level setting + generateExisting := rule.Generation.GenerateExisting + if generateExisting != nil { + if !*generateExisting { + continue + } + } else if !spec.GenerateExisting { + continue + } + triggers = getTriggers(pc.client, rule, policy.IsNamespaced(), policy.GetNamespace(), pc.log) policyNew.GetSpec().SetRules([]kyvernov1.Rule{rule}) for _, trigger := range triggers { diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go index 1f9b73f6c24c..8bf0bc341dff 100644 --- a/pkg/policy/generate/validate.go +++ b/pkg/policy/generate/validate.go @@ -110,7 +110,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource // Skip if there is variable defined authCheck := g.authCheck if !regex.IsVariable(gvk) { - ok, err := authCheck.CanICreate(ctx, gvk, namespace, subresource) + ok, err := authCheck.CanICreate(ctx, gvk, namespace, "", subresource) if err != nil { return err } @@ -118,7 +118,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource return fmt.Errorf("%s does not have permissions to 'create' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace) } - ok, err = authCheck.CanIUpdate(ctx, gvk, namespace, subresource) + ok, err = authCheck.CanIUpdate(ctx, gvk, namespace, "", subresource) if err != nil { return err } 
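Review bot: The rule-over-policy fallback starting at `generateExisting := rule.Generation.GenerateExisting` is the same nil-pointer check repeated for `MutateExistingOnPolicyUpdate` in the pkg/policy/mutate.go hunk, and the two copies will drift. A one-line helper, `func ruleSetting(override *bool, policyDefault bool) bool { if override != nil { return *override }; return policyDefault }`, used as `if !ruleSetting(rule.Generation.GenerateExisting, spec.GenerateExisting) { continue }`, expresses the precedence once. The existing comment should also state that precedence outright, `// rule-level generateExisting, when set, overrides spec.generateExisting`, because the nested ifs do not make it obvious which value wins. handleGenerateForExisting continues past the hunk.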
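Review bot: The updated calls in canIGenerate pass an empty name, e.g. `authCheck.CanICreate(ctx, gvk, namespace, "", subresource)`, so the background controller's permission is checked against every object of the kind rather than a specific target; that is the conservative choice, but nothing in the hunk records it, and a bare `""` in the middle of five string arguments is easy to misread as the subresource. A comment above the first call, `// name is left empty on purpose: check access independent of the target name`, plus a named `const anyName = ""`, would document the decision; the same applies to the CanIUpdate, CanIGet and CanIDelete calls in this and the next hunk. canIGenerate's body continues outside the hunk.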
@@ -126,7 +126,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource return fmt.Errorf("%s does not have permissions to 'update' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace) } - ok, err = authCheck.CanIGet(ctx, gvk, namespace, subresource) + ok, err = authCheck.CanIGet(ctx, gvk, namespace, "", subresource) if err != nil { return err } @@ -134,7 +134,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource return fmt.Errorf("%s does not have permissions to 'get' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace) } - ok, err = authCheck.CanIDelete(ctx, gvk, namespace, subresource) + ok, err = authCheck.CanIDelete(ctx, gvk, namespace, "", subresource) if err != nil { return err } diff --git a/pkg/policy/mutate.go b/pkg/policy/mutate.go index a86ac5f18c0a..d52a5beb7521 100644 --- a/pkg/policy/mutate.go +++ b/pkg/policy/mutate.go @@ -15,14 +15,24 @@ func (pc *policyController) handleMutate(policyKey string, policy kyvernov1.Poli logger.Info("update URs on policy event") ruleType := kyvernov2.Mutate + spec := policy.GetSpec() policyNew := policy.CreateDeepCopy() policyNew.GetSpec().Rules = nil - for _, rule := range policy.GetSpec().Rules { + for _, rule := range spec.Rules { if !rule.HasMutateExisting() { continue } + mutateExisting := rule.Mutation.MutateExistingOnPolicyUpdate + if mutateExisting != nil { + if !*mutateExisting { + continue + } + } else if !spec.MutateExistingOnPolicyUpdate { + continue + } + policyNew.GetSpec().SetRules([]kyvernov1.Rule{rule}) triggers := getTriggers(pc.client, rule, policyNew.IsNamespaced(), policyNew.GetNamespace(), pc.log) for _, trigger := range triggers { diff --git a/pkg/policy/mutate/validate.go b/pkg/policy/mutate/validate.go index 4d7f221a29f6..88c311fe03e6 100644 --- a/pkg/policy/mutate/validate.go +++ b/pkg/policy/mutate/validate.go 
@@ -55,7 +55,7 @@ func (m *Mutate) validateForEach(tag string, foreach []kyvernov1.ForEachMutation tag = tag + fmt.Sprintf("foreach[%d]", i) fem := fe.GetForEachMutation() if len(fem) > 0 { - if fe.Context != nil || fe.AnyAllConditions != nil || fe.PatchesJSON6902 != "" || fe.RawPatchStrategicMerge != nil { + if fe.Context != nil || fe.AnyAllConditions != nil || fe.PatchesJSON6902 != "" || fe.GetPatchStrategicMerge() != nil { return tag, fmt.Errorf("a nested foreach cannot contain other declarations") } @@ -101,13 +101,13 @@ func (m *Mutate) validateAuth(ctx context.Context, targets []kyvernov1.TargetRes srcKey = srcKey + "/" + sub } - if ok, err := m.authChecker.CanIUpdate(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, sub); err != nil { + if ok, err := m.authChecker.CanIUpdate(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, target.Name, sub); err != nil { errs = append(errs, err) } else if !ok { errs = append(errs, fmt.Errorf("cannot %s/%s/%s in namespace %s", "update", target.APIVersion, srcKey, target.Namespace)) } - if ok, err := m.authChecker.CanIGet(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, sub); err != nil { + if ok, err := m.authChecker.CanIGet(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, target.Name, sub); err != nil { errs = append(errs, err) } else if !ok { errs = append(errs, fmt.Errorf("cannot %s/%s/%s in namespace %s", "get", target.APIVersion, srcKey, target.Namespace)) diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go index 2f2aab1c2b06..bbe1e6de1375 100644 --- a/pkg/policycache/cache.go +++ b/pkg/policycache/cache.go 
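Review bot: `m.authChecker.CanIUpdate(..., target.Namespace, target.Name, sub)` feeds `target.Name` straight into the SubjectAccessReview, but nothing in the hunk handles a templated name; if targets may carry `{{ ... }}` expressions the way the kind is guarded with regex.IsVariable in pkg/policy/generate/validate.go, the review runs against the literal template string and, under resourceNames-scoped RBAC, denies a name that would be allowed at runtime. Suggest resolving that case explicitly, `name := target.Name; if regex.IsVariable(name) { name = "" }` (importing the same helper if this file lacks it), and passing `name` to both the update and the get check so a variable name falls back to the kind-wide review. The enclosing loop and the rest of validateAuth are outside the hunk.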
@@ -3,6 +3,7 @@ package policycache import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/ext/wildcard" + "github.com/kyverno/kyverno/pkg/autogen" "github.com/kyverno/kyverno/pkg/clients/dclient" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -62,31 +63,56 @@ func (c *cache) GetPolicies(pkey PolicyType, gvr schema.GroupVersionResource, su func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace string) []kyvernov1.PolicyInterface { var policies []kyvernov1.PolicyInterface for _, policy := range result { + var filteredPolicy kyvernov1.PolicyInterface keepPolicy := true switch pkey { case ValidateAudit: - keepPolicy = checkValidationFailureActionOverrides(false, nspace, policy) + keepPolicy, filteredPolicy = checkValidationFailureActionOverrides(false, nspace, policy) case ValidateEnforce: - keepPolicy = checkValidationFailureActionOverrides(true, nspace, policy) + keepPolicy, filteredPolicy = checkValidationFailureActionOverrides(true, nspace, policy) } // add policy to result if keepPolicy { - policies = append(policies, policy) + policies = append(policies, filteredPolicy) } } return policies } -func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool { - validationFailureAction := policy.GetSpec().GetValidationFailureAction() - validationFailureActionOverrides := policy.GetSpec().GetValidationFailureActionOverrides() - if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) { - return false - } - for _, action := range validationFailureActionOverrides { - if action.Action.Enforce() != enforce && wildcard.CheckPatterns(action.Namespaces, ns) { - return false +func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) (bool, kyvernov1.PolicyInterface) { + var filteredRules []kyvernov1.Rule + for _, rule := range autogen.ComputeRules(policy, "") { + if !rule.HasValidate() { + continue + } + + // if the field isn't set, use the higher level policy setting + validationFailureAction := rule.Validation.ValidationFailureAction + if validationFailureAction == nil { + validationFailureAction = &policy.GetSpec().ValidationFailureAction + } + + 
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides + if len(validationFailureActionOverrides) == 0 { + validationFailureActionOverrides = policy.GetSpec().ValidationFailureActionOverrides + } + + if (ns == "" || len(validationFailureActionOverrides) == 0) && validationFailureAction.Enforce() == enforce { + filteredRules = append(filteredRules, rule) + continue + } + for _, action := range validationFailureActionOverrides { + if action.Action.Enforce() == enforce && wildcard.CheckPatterns(action.Namespaces, ns) { + filteredRules = append(filteredRules, rule) + continue + } } } - return true + if len(filteredRules) > 0 { + filteredPolicy := policy.CreateDeepCopy() + filteredPolicy.GetSpec().Rules = filteredRules + return true, filteredPolicy + } + + return false, nil } diff --git a/pkg/policycache/store.go b/pkg/policycache/store.go index 9f67f4c14bf2..761857662e77 100644 --- a/pkg/policycache/store.go +++ b/pkg/policycache/store.go @@ -80,10 +80,10 @@ func newPolicyMap() *policyMap { } func computeEnforcePolicy(spec *kyvernov1.Spec) bool { - if spec.GetValidationFailureAction().Enforce() { + if spec.ValidationFailureAction.Enforce() { return true } - for _, k := range spec.GetValidationFailureActionOverrides() { + for _, k := range spec.ValidationFailureActionOverrides { if k.Action.Enforce() { return true } @@ -108,6 +108,17 @@ func (m *policyMap) set(key string, policy kyvernov1.PolicyInterface, client Res } kindStates := map[policyKey]state{} for _, rule := range autogen.ComputeRules(policy, "") { + if rule.HasValidate() { + action := rule.Validation.ValidationFailureAction + if action != nil && action.Enforce() { + enforcePolicy = true + } + for _, k := range rule.Validation.ValidationFailureActionOverrides { + if k.Action.Enforce() { + enforcePolicy = true + } + } + } entries := sets.New[policyKey]() for _, gvk := range rule.MatchResources.GetKinds() { group, version, kind, subresource := kubeutils.ParseKindSelector(gvk) 
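Review bot: In checkValidationFailureActionOverrides a validate rule whose override list is non-empty but contains no entry matching `ns` lands in neither the audit nor the enforce result, because the first `if` requires `len(validationFailureActionOverrides) == 0` and the loop only appends on a match; a policy with a single override for one namespace would therefore silently stop applying in every other namespace, where the policy-level action should govern. The inner `continue` also only advances the override loop, so a rule matched by two overlapping namespace patterns is appended twice and evaluated twice. Both go away by deciding one effective action per rule — the first override whose patterns match `ns`, else the policy- or rule-level action — and appending once. The function starts on the previous diff line; the fence replaces the two decision blocks after the override fallback.
```go
		// effective action: first override whose namespace patterns match ns,
		// else the rule/policy level validationFailureAction resolved above
		effective := *validationFailureAction
		if ns != "" {
			for _, action := range validationFailureActionOverrides {
				if wildcard.CheckPatterns(action.Namespaces, ns) {
					effective = action.Action
					break
				}
			}
		}
		if effective.Enforce() == enforce {
			filteredRules = append(filteredRules, rule)
		}
		// … unchanged: loop close, deep copy of the policy with filteredRules …
```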
diff --git a/pkg/utils/api/json.go b/pkg/utils/api/json.go deleted file mode 100644 index 9fdc9fa6c7a5..000000000000 --- a/pkg/utils/api/json.go +++ /dev/null 
@@ -1,70 +0,0 @@ -package api - -import ( - "encoding/json" - "fmt" - - kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" -) - -// ApiextensionsJsonToKyvernoConditions takes in user-provided conditions in abstract apiextensions.JSON form -// and converts it into []kyverno.Condition or kyverno.AnyAllConditions according to its content. -// it also helps in validating the condtions as it returns an error when the conditions are provided wrongfully by the user. -func ApiextensionsJsonToKyvernoConditions(in apiextensions.JSON) (interface{}, error) { - path := "preconditions/validate.deny.conditions" - - // checks for the existence any other field apart from 'any'/'all' under preconditions/validate.deny.conditions - unknownFieldChecker := func(jsonByteArr []byte, path string) error { - allowedKeys := map[string]bool{ - "any": true, - "all": true, - } - var jsonDecoded map[string]interface{} - if err := json.Unmarshal(jsonByteArr, &jsonDecoded); err != nil { - return fmt.Errorf("error occurred while checking for unknown fields under %s: %+v", path, err) - } - for k := range jsonDecoded { - if !allowedKeys[k] { - return fmt.Errorf("unknown field '%s' found under %s", k, path) - } - } - return nil - } - - // marshalling the abstract apiextensions.JSON back to JSON form - jsonByte, err := json.Marshal(in) - if err != nil { - return nil, fmt.Errorf("error occurred while marshalling %s: %+v", path, err) - } - - var kyvernoOldConditions []kyvernov1.Condition - if err = json.Unmarshal(jsonByte, &kyvernoOldConditions); err == nil { - var validConditionOperator bool - - for _, jsonOp := range kyvernoOldConditions { - for _, validOp := range kyvernov1.ConditionOperators { - if jsonOp.Operator == validOp { - validConditionOperator = true - } - } - if !validConditionOperator { - return nil, fmt.Errorf("invalid condition operator: %s", jsonOp.Operator) - } - validConditionOperator = false - } - - return 
kyvernoOldConditions, nil - } - - var kyvernoAnyAllConditions kyvernov1.AnyAllConditions - if err = json.Unmarshal(jsonByte, &kyvernoAnyAllConditions); err == nil { - // checking if unknown fields exist or not - err = unknownFieldChecker(jsonByte, path) - if err != nil { - return nil, fmt.Errorf("error occurred while parsing %s: %+v", path, err) - } - return kyvernoAnyAllConditions, nil - } - return nil, fmt.Errorf("error occurred while parsing %s: %+v", path, err) -} diff --git a/pkg/utils/fuzz/policy_spec.go b/pkg/utils/fuzz/policy_spec.go index 8e8b7b029a51..f39fed8c07e1 100644 --- a/pkg/utils/fuzz/policy_spec.go +++ b/pkg/utils/fuzz/policy_spec.go @@ -7,7 +7,6 @@ import ( fuzz "github.com/AdaLogics/go-fuzz-headers" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1" - apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" ) func CreatePolicySpec(ff *fuzz.ConsumeFuzzer) (kyvernov1.Spec, error) { @@ -97,12 +96,6 @@ func CreatePolicySpec(ff *fuzz.ConsumeFuzzer) (kyvernov1.Spec, error) { } spec.MutateExistingOnPolicyUpdate = mutateExistingOnPolicyUpdate - generateExistingOnPolicyUpdate, err := ff.GetBool() - if err != nil { - return *spec, err - } - spec.GenerateExistingOnPolicyUpdate = &generateExistingOnPolicyUpdate - generateExisting, err := ff.GetBool() if err != nil { return *spec, err @@ -194,7 +187,7 @@ func createRule(f *fuzz.ConsumeFuzzer) (*kyvernov1.Rule, error) { return rule, err } if setRawAnyAllConditions { - raac := &apiextv1.JSON{} + raac := &kyvernov1.ConditionsWrapper{} err = f.GenerateStruct(raac) if err != nil { return rule, err diff --git a/pkg/validatingadmissionpolicy/builder.go b/pkg/validatingadmissionpolicy/builder.go index 0db222233f46..649a54119720 100644 --- a/pkg/validatingadmissionpolicy/builder.go +++ b/pkg/validatingadmissionpolicy/builder.go 
@@ -105,12 +105,22 @@ func BuildValidatingAdmissionPolicyBinding( // set validation action for vap binding var validationActions []admissionregistrationv1alpha1.ValidationAction - action := cpol.GetSpec().GetValidationFailureAction() - if action.Enforce() { - validationActions = append(validationActions, admissionregistrationv1alpha1.Deny) - } else if action.Audit() { - validationActions = append(validationActions, admissionregistrationv1alpha1.Audit) - validationActions = append(validationActions, admissionregistrationv1alpha1.Warn) + validateAction := cpol.GetSpec().Rules[0].Validation.ValidationFailureAction + if validateAction != nil { + if validateAction.Enforce() { + validationActions = append(validationActions, admissionregistrationv1alpha1.Deny) + } else if validateAction.Audit() { + validationActions = append(validationActions, admissionregistrationv1alpha1.Audit) + validationActions = append(validationActions, admissionregistrationv1alpha1.Warn) + } + } else { + validateAction := cpol.GetSpec().ValidationFailureAction + if validateAction.Enforce() { + validationActions = append(validationActions, admissionregistrationv1alpha1.Deny) + } else if validateAction.Audit() { + validationActions = append(validationActions, admissionregistrationv1alpha1.Audit) + validationActions = append(validationActions, admissionregistrationv1alpha1.Warn) + } } // set validating admission policy binding spec diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go index cbaa38eb3bbd..9a295175d58e 100644 --- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go +++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go 
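Review bot: `cpol.GetSpec().Rules[0].Validation.ValidationFailureAction` indexes the rules slice with no length check, so BuildValidatingAdmissionPolicyBinding panics on a policy without rules unless every caller has already passed CanGenerateVAP; a guard, or at least a comment stating that precondition, belongs next to it. The two branches also duplicate the Enforce/Audit mapping and the inner `validateAction :=` shadows the outer variable; resolving the effective action first and mapping it once removes both. The function continues past the hunk.
```go
	// rule-level validationFailureAction wins over the policy-level one;
	// NOTE(review): callers are assumed to guarantee at least one rule — confirm
	validateAction := cpol.GetSpec().ValidationFailureAction
	if len(cpol.GetSpec().Rules) > 0 {
		if ruleAction := cpol.GetSpec().Rules[0].Validation.ValidationFailureAction; ruleAction != nil {
			validateAction = *ruleAction
		}
	}
	if validateAction.Enforce() {
		validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
	} else if validateAction.Audit() {
		validationActions = append(validationActions, admissionregistrationv1alpha1.Audit)
		validationActions = append(validationActions, admissionregistrationv1alpha1.Warn)
	}
	// … unchanged: validating admission policy binding spec …
```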
@@ -17,14 +17,11 @@ func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) { return false, msg } - validationFailureActionOverrides := spec.GetValidationFailureActionOverrides() - if len(validationFailureActionOverrides) > 1 { - msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable." + if ok, msg := checkValidationFailureActionOverrides(spec.ValidationFailureActionOverrides); !ok { return false, msg } - if len(validationFailureActionOverrides) != 0 && len(validationFailureActionOverrides[0].Namespaces) != 0 { - msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable." + if ok, msg := checkValidationFailureActionOverrides(rule.Validation.ValidationFailureActionOverrides); !ok { return false, msg } @@ -164,3 +161,17 @@ func checkResourceFilter(resFilters kyvernov1.ResourceFilters, isMatch bool) (bo return true, msg } + +func checkValidationFailureActionOverrides(validationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride) (bool, string) { + var msg string + if len(validationFailureActionOverrides) > 1 { + msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable." + return false, msg + } + + if len(validationFailureActionOverrides) != 0 && len(validationFailureActionOverrides[0].Namespaces) != 0 { + msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable." + return false, msg + } + return true, msg +} diff --git a/pkg/validation/cleanuppolicy/validate.go b/pkg/validation/cleanuppolicy/validate.go index c77b55066312..99da17f89c0c 100644 --- a/pkg/validation/cleanuppolicy/validate.go +++ b/pkg/validation/cleanuppolicy/validate.go 
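Review bot: The new helper checkValidationFailureActionOverrides in the second hunk has no doc comment, and its two call sites in CanGenerateVAP check the spec-level and the rule-level override lists independently, so a policy that sets one namespace-free override at each level with different actions passes this check even though only one of them can be reflected in the binding. Suggest `// checkValidationFailureActionOverrides reports whether an override list can be expressed in a ValidatingAdmissionPolicyBinding: at most one entry and no namespaces` on the helper, and a sentence in CanGenerateVAP saying which level is expected to win when both are set. `rule` is defined above the hunk, and CanGenerateVAP's body continues outside it.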
@@ -70,25 +70,44 @@ func validatePolicy(clusterResources sets.Set[string], policy kyvernov2.CleanupP func validateAuth(ctx context.Context, client dclient.Interface, policy kyvernov2.CleanupPolicyInterface) error { namespace := policy.GetNamespace() spec := policy.GetSpec() - kinds := sets.New(spec.MatchResources.GetKinds()...) - for kind := range kinds { - checker := auth.NewCanI(client.Discovery(), client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), kind, namespace, "delete", "", config.KyvernoUserName(config.KyvernoServiceAccountName())) - allowedDeletion, _, err := checker.RunAccessCheck(ctx) - if err != nil { - return err - } - if !allowedDeletion { - return fmt.Errorf("cleanup controller has no permission to delete kind %s", kind) + resourceFilters := spec.MatchResources.GetResourceFilters() + for _, res := range resourceFilters { + for _, kind := range res.Kinds { + if len(res.Names) == 0 { + err := canI(ctx, client, kind, namespace, "", "") + if err != nil { + return err + } + } else { + for _, name := range res.Names { + err := canI(ctx, client, kind, namespace, name, "") + if err != nil { + return err + } + } + } } + } + return nil +} - checker = auth.NewCanI(client.Discovery(), client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), kind, namespace, "list", "", config.KyvernoUserName(config.KyvernoServiceAccountName())) - allowedList, _, err := checker.RunAccessCheck(ctx) - if err != nil { - return err - } - if !allowedList { - return fmt.Errorf("cleanup controller has no permission to list kind %s", kind) - } +func canI(ctx context.Context, client dclient.Interface, kind, namespace, name, subresource string) error { + checker := auth.NewCanI(client.Discovery(), client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), kind, namespace, name, "delete", subresource, config.KyvernoUserName(config.KyvernoServiceAccountName())) + allowedDeletion, _, err := checker.RunAccessCheck(ctx) + if err != nil { + return err + } + if 
!allowedDeletion { + return fmt.Errorf("cleanup controller has no permission to delete kind %s", kind) + } + + checker = auth.NewCanI(client.Discovery(), client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), kind, namespace, name, "list", subresource, config.KyvernoUserName(config.KyvernoServiceAccountName())) + allowedList, _, err := checker.RunAccessCheck(ctx) + if err != nil { + return err + } + if !allowedList { + return fmt.Errorf("cleanup controller has no permission to list kind %s", kind) } return nil } diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go index 820bb3e0776a..44d8be7a3a01 100644 --- a/pkg/validation/policy/validate.go +++ b/pkg/validation/policy/validate.go @@ -27,7 +27,6 @@ import ( "github.com/kyverno/kyverno/pkg/engine/variables/operator" "github.com/kyverno/kyverno/pkg/engine/variables/regex" "github.com/kyverno/kyverno/pkg/logging" - apiutils "github.com/kyverno/kyverno/pkg/utils/api" datautils "github.com/kyverno/kyverno/pkg/utils/data" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" vaputils "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy" 
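Review bot: The per-name loop `for _, name := range res.Names { err := canI(ctx, client, kind, namespace, name, "") ... }` passes each configured name into the SubjectAccessReview verbatim; if match names may be wildcard patterns, as Kyverno resource filters generally allow, the review is evaluated against the literal pattern and a resourceNames-scoped role denies it although the runtime deletion would be allowed, so patterned names should fall back to the empty-name, kind-wide check. The same name is also attached to the `list` review inside canI, but a list request carries no resource name, so RBAC can authorize the review and still reject the controller's actual list call; keeping the list check name-less matches what the controller does. canI itself needs a doc comment, e.g. `// canI verifies that the cleanup controller may delete and list kind (optionally a single named object) in namespace`, and its subresource argument is always "" at both call sites.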
@@ -115,12 +114,12 @@ func validateJSONPatch(patch string, ruleIdx int) error { return nil } -func checkValidationFailureAction(spec *kyvernov1.Spec) []string { +func checkValidationFailureAction(validationFailureAction kyvernov1.ValidationFailureAction, validationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride) []string { msg := "Validation failure actions enforce/audit are deprecated, use Enforce/Audit instead." - if spec.GetValidationFailureAction() == "enforce" || spec.GetValidationFailureAction() == "audit" { + if validationFailureAction == "enforce" || validationFailureAction == "audit" { return []string{msg} } - for _, override := range spec.GetValidationFailureActionOverrides() { + for _, override := range validationFailureActionOverrides { if override.Action == "enforce" || override.Action == "audit" { return []string{msg} } @@ -133,13 +132,19 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf var warnings []string spec := policy.GetSpec() background := spec.BackgroundProcessingEnabled() - mutateExistingOnPolicyUpdate := spec.GetMutateExistingOnPolicyUpdate() if policy.GetSpec().CustomWebhookMatchConditions() && !kubeutils.HigherThanKubernetesVersion(client.GetKubeClient().Discovery(), logging.GlobalLogger(), 1, 27, 0) { return warnings, fmt.Errorf("custom webhook configurations are only supported in kubernetes version 1.27.0 and above") } - warnings = append(warnings, checkValidationFailureAction(spec)...) + warnings = append(warnings, checkValidationFailureAction(spec.ValidationFailureAction, spec.ValidationFailureActionOverrides)...) + for _, rule := range spec.Rules { + if rule.HasValidate() { + if rule.Validation.ValidationFailureAction != nil { + warnings = append(warnings, checkValidationFailureAction(*rule.Validation.ValidationFailureAction, rule.Validation.ValidationFailureActionOverrides)...) + } + } + } var errs field.ErrorList specPath := field.NewPath("spec") 
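Review bot: In the `Validate` hunk the rule-level overrides are only passed to `checkValidationFailureAction` when `rule.Validation.ValidationFailureAction != nil`, so a rule that sets only `validationFailureActionOverrides` with the deprecated lowercase `enforce`/`audit` receives no deprecation warning, unlike the spec-level call just above. Check the overrides unconditionally: `var action kyvernov1.ValidationFailureAction`, `if p := rule.Validation.ValidationFailureAction; p != nil { action = *p }`, `warnings = append(warnings, checkValidationFailureAction(action, rule.Validation.ValidationFailureActionOverrides)...)` inside the `rule.HasValidate()` branch. `Validate` continues past the end of this hunk.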
@@ -148,13 +153,6 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf return warnings, err } - if mutateExistingOnPolicyUpdate { - err := ValidateOnPolicyUpdate(policy, mutateExistingOnPolicyUpdate) - if err != nil { - return warnings, err - } - } - getClusteredResources := func(invalidate bool) (sets.Set[string], error) { clusterResources := sets.New[string]() // Get all the cluster type kind supported by cluster @@ -207,7 +205,15 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf } if !policy.IsNamespaced() { - err := validateNamespaces(spec, specPath.Child("validationFailureActionOverrides")) + for i, r := range spec.Rules { + if r.HasValidate() { + err := validateNamespaces(r.Validation.ValidationFailureActionOverrides, specPath.Child("rules").Index(i).Child("validate").Child("validationFailureActionOverrides")) + if err != nil { + return warnings, err + } + } + } + err := validateNamespaces(spec.ValidationFailureActionOverrides, specPath.Child("validationFailureActionOverrides")) if err != nil { return warnings, err } @@ -327,12 +333,20 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf if rule.HasVerifyImages() { isAuditFailureAction := false - if spec.GetValidationFailureAction() == kyvernov1.Audit { + if spec.ValidationFailureAction.Audit() { isAuditFailureAction = true } verifyImagePath := rulePath.Child("verifyImages") for index, i := range rule.VerifyImages { + action := i.ValidationFailureAction + if action != nil { + if action.Audit() { + isAuditFailureAction = true + } else { + isAuditFailureAction = false + } + } errs = append(errs, i.Validate(isAuditFailureAction, verifyImagePath.Index(index))...) } if len(errs) != 0 { 
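Review bot: In the `verifyImages` hunk `isAuditFailureAction` is reassigned inside the `for index, i := range rule.VerifyImages` loop, so an image entry that sets its own `validationFailureAction` changes the value seen by every later entry that sets none; those entries then inherit a sibling's action instead of the spec-level default. Use a per-iteration local: `isAudit := isAuditFailureAction`, `if a := i.ValidationFailureAction; a != nil { isAudit = a.Audit() }`, `errs = append(errs, i.Validate(isAudit, verifyImagePath.Index(index))...)`. The `validateNamespaces` hunk above it is fine as written. `Validate` starts and ends outside these hunks.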
@@ -395,6 +409,19 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf } checkForScaleSubresource(mutationJson, allKinds, &warnings) checkForStatusSubresource(mutationJson, allKinds, &warnings) + + mutateExisting := rule.Mutation.MutateExistingOnPolicyUpdate + if mutateExisting != nil { + if *mutateExisting { + if err := ValidateOnPolicyUpdate(policy, true); err != nil { + return warnings, err + } + } + } else if spec.MutateExistingOnPolicyUpdate { + if err := ValidateOnPolicyUpdate(policy, true); err != nil { + return warnings, err + } + } } if rule.HasVerifyImages() { @@ -1033,7 +1060,7 @@ func validateMutationForEach(foreach []kyvernov1.ForEachMutation, schemaKey stri // validateConditions validates all the 'conditions' or 'preconditions' of a rule depending on the corresponding 'condition.key'. // As of now, it is validating the 'value' field whether it contains the only allowed set of values or not when 'condition.key' is {{request.operation}} // this is backwards compatible i.e. conditions can be provided in the old manner as well i.e. without 'any' or 'all' -func validateConditions(conditions apiextensions.JSON, schemaKey string) (string, error) { +func validateConditions(conditions any, schemaKey string) (string, error) { // Conditions can only exist under some specific keys of the policy schema allowedSchemaKeys := map[string]bool{ "preconditions": true, 
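Review bot: The `mutateExisting` block has two branches with identical bodies, and because it now sits inside the per-rule loop `ValidateOnPolicyUpdate(policy, true)` runs once per mutate rule, where the removed code ran it once per policy before the loop; the signature takes `policy`, not the rule, so the repeated calls appear redundant (confirm it is not rule-sensitive). Collapse it to `if (mutateExisting != nil && *mutateExisting) || (mutateExisting == nil && spec.MutateExistingOnPolicyUpdate) {` with a single call, or hoist the check to where the old one lived if the rule-level field can be resolved there. The `validateConditions` signature change in the second hunk is covered by the note on the next hunk. `Validate` starts and ends outside this hunk.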
@@ -1043,12 +1070,7 @@ func validateConditions(conditions apiextensions.JSON, schemaKey string) (string return schemaKey, fmt.Errorf("wrong schema key found for validating the conditions. Conditions can only occur under one of ['preconditions', 'conditions'] keys in the policy schema") } - // conditions are currently in the form of []interface{} - kyvernoConditions, err := apiutils.ApiextensionsJsonToKyvernoConditions(conditions) - if err != nil { - return schemaKey, err - } - switch typedConditions := kyvernoConditions.(type) { + switch typedConditions := conditions.(type) { case kyvernov1.AnyAllConditions: // validating the conditions under 'any', if there are any if !datautils.DeepEqual(typedConditions, kyvernov1.AnyAllConditions{}) && typedConditions.AnyConditions != nil { @@ -1142,7 +1164,7 @@ func validateAnyAllConditionOperator(c kyvernov1.AnyAllConditions, schemaKey str return "", nil } -func validateRawJSONConditionOperator(c apiextensions.JSON, schemaKey string) (string, error) { +func validateRawJSONConditionOperator(c any, schemaKey string) (string, error) { allowedSchemaKeys := map[string]bool{ "preconditions": true, "conditions": true, @@ -1151,11 +1173,7 @@ func validateRawJSONConditionOperator(c apiextensions.JSON, schemaKey string) (s return schemaKey, fmt.Errorf("wrong schema key found for validating the conditions. Conditions can only occur under one of ['preconditions', 'conditions'] keys in the policy schema") } - kyvernoConditions, err := apiutils.ApiextensionsJsonToKyvernoConditions(c) - if err != nil { - return schemaKey, err - } - switch typedConditions := kyvernoConditions.(type) { + switch typedConditions := c.(type) { case kyvernov1.AnyAllConditions: if path, err := validateAnyAllConditionOperator(typedConditions, schemaKey); err != nil { return path, err 
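Review bot: With `apiutils.ApiextensionsJsonToKyvernoConditions` gone, the type switches in `validateConditions` and `validateRawJSONConditionOperator` only match callers that already pass `kyvernov1.AnyAllConditions` or `[]kyvernov1.Condition`; a raw decoded value (`map[string]any`, `[]any`) now falls to the `default` branch, which is outside the hunk, where the old code returned the conversion error. If the default branch does not return an error, a malformed `preconditions` block would be accepted silently, so please confirm it does. A one-line doc comment on both functions, such as `// conditions must already be typed (kyvernov1.AnyAllConditions or []kyvernov1.Condition); raw JSON is not converted here`, would make the new contract visible to callers. Both functions continue past the end of their hunks.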
@@ -1479,8 +1497,7 @@ func validateWildcard(kinds []string, background bool, rule kyvernov1.Rule) erro } if rule.Validation.Deny != nil { - kyvernoConditions, _ := apiutils.ApiextensionsJsonToKyvernoConditions(rule.Validation.Deny.GetAnyAllConditions()) - switch typedConditions := kyvernoConditions.(type) { + switch typedConditions := rule.Validation.Deny.GetAnyAllConditions().(type) { case []kyvernov1.Condition: // backwards compatibility for _, condition := range typedConditions { key := condition.GetKey() @@ -1549,7 +1566,7 @@ func validateWildcardsWithNamespaces(enforce, audit, enforceW, auditW []string) return nil } -func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error { +func validateNamespaces(validationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride, path *field.Path) error { action := map[string]sets.Set[string]{ "enforce": sets.New[string](), "audit": sets.New[string](), @@ -1557,7 +1574,7 @@ func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error { "auditW": sets.New[string](), } - for i, vfa := range s.GetValidationFailureActionOverrides() { + for i, vfa := range validationFailureActionOverrides { if !vfa.Action.IsValid() { return fmt.Errorf("invalid action") } @@ -1661,11 +1678,7 @@ func checkDeprecatedAnyAllConditionOperator(c kyvernov1.AnyAllConditions, warnin } func checkDeprecatedRawJSONConditionOperator(c apiextensions.JSON, warnings *[]string) { - kyvernoConditions, err := apiutils.ApiextensionsJsonToKyvernoConditions(c) - if err != nil { - return - } - switch typedConditions := kyvernoConditions.(type) { + switch typedConditions := c.(type) { case kyvernov1.AnyAllConditions: checkDeprecatedAnyAllConditionOperator(typedConditions, warnings) case []kyvernov1.Condition: // backwards compatibility diff --git a/pkg/webhooks/resource/handlers.go b/pkg/webhooks/resource/handlers.go index 34c3b8a67088..b41612f6f048 100644 --- a/pkg/webhooks/resource/handlers.go +++ b/pkg/webhooks/resource/handlers.go 
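Review bot: `checkDeprecatedRawJSONConditionOperator` keeps its `c apiextensions.JSON` parameter while the sibling functions in this file were changed to `any` in the same commit, so the file now mixes the two spellings for the same kind of argument; align it with `func checkDeprecatedRawJSONConditionOperator(c any, warnings *[]string) {`. The `validateWildcard` hunk has the same implicit contract as the earlier condition functions — `GetAnyAllConditions()` must now return a typed value or the switch matches nothing and the deny-key check is skipped without any signal. `validateNamespaces` and `validateWildcard` both start outside their hunks.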
@@ -141,28 +141,40 @@ func (h *resourceHandlers) Validate(ctx context.Context, logger logr.Logger, req var ok bool var msg string var warnings []string + var enforceResponses []engineapi.EngineResponse wg.Add(1) go func() { defer wg.Done() - ok, msg, warnings = vh.HandleValidationEnforce(ctx, request, policies, startTime) + ok, msg, warnings, enforceResponses = vh.HandleValidationEnforce(ctx, request, policies, startTime) }() - go h.auditPool.Submit(func() { - vh.HandleValidationAudit(ctx, request) - }) if !admissionutils.IsDryRun(request.AdmissionRequest) { h.handleBackgroundApplies(ctx, logger, request, generatePolicies, mutatePolicies, startTime, nil) } - if len(policies) == 0 { - return admissionutils.ResponseSuccess(request.UID) - } wg.Wait() if !ok { logger.Info("admission request denied") + events := webhookutils.GenerateEvents(enforceResponses, true) + h.eventGen.Add(events...) return admissionutils.Response(request.UID, errors.New(msg), warnings...) } + go h.auditPool.Submit(func() { + auditResponses := vh.HandleValidationAudit(ctx, request) + var events []event.Info + switch { + case len(auditResponses) == 0: + events = webhookutils.GenerateEvents(enforceResponses, false) + case len(enforceResponses) == 0: + events = webhookutils.GenerateEvents(auditResponses, false) + default: + responses := mergeEngineResponses(auditResponses, enforceResponses) + events = webhookutils.GenerateEvents(responses, false) + } + + h.eventGen.Add(events...) + }) return admissionutils.ResponseSuccess(request.UID, warnings...) } 
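Review bot: Audit-mode policies are now evaluated only after the enforce path has passed: on `!ok` the handler returns before `h.auditPool.Submit`, so a denied request produces no audit engine responses, and therefore no audit events or reports, where the removed code submitted the audit job unconditionally. If that is intended, a comment on the denied branch such as `// audit policies are not evaluated for denied requests; events come from enforceResponses only` would keep the next reader from reading it as a lost submission. Note also that the `len(policies) == 0` early return was dropped, so the audit job is now submitted for requests that matched no enforce policy, which looks deliberate but is worth confirming. The audit closure still uses the admission `ctx` after the response is returned, a pre-existing pattern. `Validate` starts outside this hunk.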
@@ -310,3 +322,34 @@ func filterPolicies(ctx context.Context, failurePolicy string, policies ...kyver } return results } + +func mergeEngineResponses(auditResponses, enforceResponses []engineapi.EngineResponse) []engineapi.EngineResponse { + responseMap := make(map[string]engineapi.EngineResponse) + var responses []engineapi.EngineResponse + + for _, enforceResponse := range enforceResponses { + responseMap[enforceResponse.Policy().GetName()] = enforceResponse + } + + for _, auditResponse := range auditResponses { + policyName := auditResponse.Policy().GetName() + if enforceResponse, exists := responseMap[policyName]; exists { + response := auditResponse + for _, ruleResponse := range enforceResponse.PolicyResponse.Rules { + response.PolicyResponse.Add(ruleResponse.Stats(), ruleResponse) + } + responses = append(responses, response) + delete(responseMap, policyName) + } else { + responses = append(responses, auditResponse) + } + } + + if len(responseMap) != 0 { + for _, enforceResponse := range responseMap { + responses = append(responses, enforceResponse) + } + } + + return responses +} diff --git a/pkg/webhooks/resource/validation/validation.go b/pkg/webhooks/resource/validation/validation.go index 0876577b5611..ffec49f53817 100644 --- a/pkg/webhooks/resource/validation/validation.go +++ b/pkg/webhooks/resource/validation/validation.go 
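Review bot: `mergeEngineResponses` keys `responseMap` by `Policy().GetName()` alone, so two namespaced `Policy` objects with the same name in different namespaces collapse into one entry and the second enforce response overwrites the first. If `Policy()` exposes the namespace, key by both, e.g. `key := enforceResponse.Policy().GetNamespace() + "/" + enforceResponse.Policy().GetName()`, and look up audit responses with the same key. Two smaller points: the leftover enforce responses are appended in map-iteration order, so the returned slice is not deterministic, and the `if len(responseMap) != 0` guard is redundant around a range loop. A short header comment stating that audit responses win as the base and enforce rule responses are folded into them would also help.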
@@ -31,8 +31,8 @@ type ValidationHandler interface { // HandleValidation handles validating webhook admission request // If there are no errors in validating rule we apply generation rules // patchedResource is the (resource + patches) after applying mutation rules - HandleValidationEnforce(context.Context, handlers.AdmissionRequest, []kyvernov1.PolicyInterface, time.Time) (bool, string, []string) - HandleValidationAudit(context.Context, handlers.AdmissionRequest) + HandleValidationEnforce(context.Context, handlers.AdmissionRequest, []kyvernov1.PolicyInterface, time.Time) (bool, string, []string, []engineapi.EngineResponse) + HandleValidationAudit(context.Context, handlers.AdmissionRequest) []engineapi.EngineResponse } func NewValidationHandler( @@ -82,18 +82,18 @@ func (v *validationHandler) HandleValidationEnforce( request handlers.AdmissionRequest, policies []kyvernov1.PolicyInterface, admissionRequestTimestamp time.Time, -) (bool, string, []string) { +) (bool, string, []string, []engineapi.EngineResponse) { resourceName := admissionutils.GetResourceName(request.AdmissionRequest) logger := v.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation, "gvk", request.Kind) if len(policies) == 0 { - return true, "", nil + return true, "", nil, nil } policyContext, err := v.buildPolicyContextFromAdmissionRequest(logger, request) if err != nil { msg := fmt.Sprintf("failed to create policy context: %v", err) - return false, msg, nil + return false, msg, nil, nil } var engineResponses []engineapi.EngineResponse 
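Review bot: The interface comment above `HandleValidationEnforce` still describes the old contract and says nothing about the new fourth return value or about `HandleValidationAudit` now returning `[]engineapi.EngineResponse`; since event generation moved out of both methods, a second caller would silently emit no events. Add to the comment something like `// Both methods return the engine responses they produced; they no longer generate events, the caller is responsible for that.` The method bodies continue past this hunk.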
@@ -118,7 +118,7 @@ func (v *validationHandler) HandleValidationEnforce( engineResponses = append(engineResponses, engineResponse) if !engineResponse.IsSuccessful() { - logger.V(2).Info("validation failed", "action", policy.GetSpec().GetValidationFailureAction(), "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules()) + logger.V(2).Info("validation failed", "action", "Enforce", "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules()) return } @@ -130,12 +130,10 @@ func (v *validationHandler) HandleValidationEnforce( } blocked := webhookutils.BlockRequest(engineResponses, failurePolicy, logger) - events := webhookutils.GenerateEvents(engineResponses, blocked) - v.eventGen.Add(events...) if blocked { logger.V(4).Info("admission request blocked") - return false, webhookutils.GetBlockedMessages(engineResponses), nil + return false, webhookutils.GetBlockedMessages(engineResponses), nil, engineResponses } go func() { 
@@ -147,37 +145,36 @@ func (v *validationHandler) HandleValidationEnforce( }() warnings := webhookutils.GetWarningMessages(engineResponses) - return true, "", warnings + return true, "", warnings, engineResponses } func (v *validationHandler) HandleValidationAudit( ctx context.Context, request handlers.AdmissionRequest, -) { +) []engineapi.EngineResponse { gvr := schema.GroupVersionResource(request.Resource) policies := v.pCache.GetPolicies(policycache.ValidateAudit, gvr, request.SubResource, request.Namespace) if len(policies) == 0 { - return + return nil } policyContext, err := v.buildPolicyContextFromAdmissionRequest(v.log, request) if err != nil { v.log.Error(err, "failed to build policy context") - return + return nil } + var responses []engineapi.EngineResponse needsReport := needsReports(request, policyContext.NewResource(), v.admissionReports) tracing.Span( context.Background(), "", fmt.Sprintf("AUDIT %s %s", request.Operation, request.Kind), func(ctx context.Context, span trace.Span) { - responses, err := v.buildAuditResponses(ctx, policyContext, policies) + responses, err = v.buildAuditResponses(ctx, policyContext, policies) if err != nil { v.log.Error(err, "failed to build audit responses") } - events := webhookutils.GenerateEvents(responses, false) - v.eventGen.Add(events...) if needsReport { if err := v.createReports(ctx, policyContext.NewResource(), request, responses...); err != nil { v.log.Error(err, "failed to create report") @@ -186,6 +183,7 @@ func (v *validationHandler) HandleValidationAudit( }, trace.WithLinks(trace.LinkFromContext(ctx)), ) + return responses } func (v *validationHandler) buildAuditResponses( diff --git a/test/cli/apply/policies-set/policy.yaml b/test/cli/apply/policies-set/policy.yaml index 4ae9bdacb478..540c3ee5b327 100644 --- a/test/cli/apply/policies-set/policy.yaml +++ b/test/cli/apply/policies-set/policy.yaml 
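Review bot: `HandleValidationAudit` returns `responses` even when `buildAuditResponses` reported an error, so the caller's event generation and merge run on a possibly nil or partial slice with no indication that the audit was incomplete; the error is only logged. If partial results are acceptable, say so on the function, e.g. `// returns the audit engine responses, possibly partial when buildAuditResponses fails, so the caller can emit events`; otherwise return nil on that path. The return also relies on `tracing.Span` running its closure synchronously before `return responses`, which the hunk does not show — worth a one-line note if that is a documented guarantee. The function ends inside the second hunk.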
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: enforce-label spec: - validationFailureAction: Audit background: false rules: - name: enforce-label @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: "The foo label must be set." pattern: metadata: diff --git a/test/cli/apply/policies/policy.yaml b/test/cli/apply/policies/policy.yaml index 19f0e79edf98..b463427a85a0 100644 --- a/test/cli/apply/policies/policy.yaml +++ b/test/cli/apply/policies/policy.yaml @@ -19,12 +19,12 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -48,6 +48,7 @@ spec: operator: NotEquals value: DELETE validate: + validationFailureAction: Audit foreach: - deny: conditions: @@ -57,4 +58,3 @@ spec: value: '{{ element.securityContext.capabilities.drop || '''' }}' list: request.object.spec.[ephemeralContainers, initContainers, containers][] message: Containers must drop `ALL` capabilities. - validationFailureAction: Audit diff --git a/test/cli/registry/image-example.yaml b/test/cli/registry/image-example.yaml index a8b31d924aa2..f4c0945c104c 100644 --- a/test/cli/registry/image-example.yaml +++ b/test/cli/registry/image-example.yaml @@ -19,6 +19,7 @@ spec: operator: NotEquals value: DELETE validate: + validationFailureAction: Enforce foreach: - context: - imageRegistry: @@ -35,7 +36,6 @@ spec: value: ghcr.io list: request.object.spec.containers message: images with root user are not allowed - validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -57,6 +57,7 @@ spec: operator: NotEquals value: DELETE validate: + validationFailureAction: Enforce foreach: - context: - imageRegistry: 
@@ -76,4 +77,3 @@ spec: list: request.object.spec.containers message: Images must specify a source/base image from which they are built to be valid. - validationFailureAction: Enforce diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml index 316ef024662a..3d77f9a5bbef 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_default_proc_mount/policy.yaml @@ -14,10 +14,10 @@ spec: - Pod name: validate-default-proc-mount validate: + validationFailureAction: Audit message: Default proc mount should set to Unmasked pattern: spec: containers: - securityContext: procMount: Unmasked - validationFailureAction: Audit diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml index fd72d55863e1..485622f617e4 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_selinux_context/policy.yaml @@ -14,6 +14,7 @@ spec: - Pod name: validate-selinux-options validate: + validationFailureAction: Audit message: SELinux level is required pattern: spec: @@ -21,4 +22,3 @@ spec: - securityContext: seLinuxOptions: level: ?* - validationFailureAction: Audit diff --git a/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml b/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml index d005b241783b..79f7a08fb08c 100644 --- a/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml +++ b/test/cli/scenarios_to_cli/other/scenario_validate_volume_whitelist/policy.yaml @@ -14,6 +14,7 @@ spec: - Pod name: validate-volumes-whitelist validate: + validationFailureAction: Audit anyPattern: - spec: volumes: 
@@ -25,4 +26,3 @@ spec: volumes: - configMap: '*' message: Volume type is not of type hostPath, emptyDir, or configMap. - validationFailureAction: Audit diff --git a/test/cli/test-exceptions/exceptions-1/policy.yaml b/test/cli/test-exceptions/exceptions-1/policy.yaml index c4ee436ac199..e205e4657573 100644 --- a/test/cli/test-exceptions/exceptions-1/policy.yaml +++ b/test/cli/test-exceptions/exceptions-1/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-namespaces spec: - validationFailureAction: Enforce background: false rules: - name: host-namespaces @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: >- Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. diff --git a/test/cli/test-exceptions/exceptions-2/policy.yaml b/test/cli/test-exceptions/exceptions-2/policy.yaml index 2e66ed14296a..e80f7806ce9d 100644 --- a/test/cli/test-exceptions/exceptions-2/policy.yaml +++ b/test/cli/test-exceptions/exceptions-2/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: max-containers spec: - validationFailureAction: Enforce background: false rules: - name: max-two-containers @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: "A maximum of 2 containers are allowed inside a Pod." deny: conditions: diff --git a/test/cli/test-exceptions/exceptions-3/policy.yaml b/test/cli/test-exceptions/exceptions-3/policy.yaml index 863539b590ac..17ddd6544996 100644 --- a/test/cli/test-exceptions/exceptions-3/policy.yaml +++ b/test/cli/test-exceptions/exceptions-3/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest 
diff --git a/test/cli/test-exceptions/exceptions-deprecated/exception.yaml b/test/cli/test-exceptions/exceptions-deprecated/exception.yaml new file mode 100644 index 000000000000..93dd81a83c81 --- /dev/null +++ b/test/cli/test-exceptions/exceptions-deprecated/exception.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: delta-exception + namespace: delta +spec: + exceptions: + - policyName: disallow-host-namespaces + ruleNames: + - host-namespaces + - autogen-host-namespaces + match: + any: + - resources: + kinds: + - Pod + - Deployment + namespaces: + - delta + names: + - important-tool* diff --git a/test/cli/test-exceptions/exceptions-deprecated/kyverno-test.yaml b/test/cli/test-exceptions/exceptions-deprecated/kyverno-test.yaml new file mode 100644 index 000000000000..a27939d26d77 --- /dev/null +++ b/test/cli/test-exceptions/exceptions-deprecated/kyverno-test.yaml @@ -0,0 +1,29 @@ +apiVersion: cli.kyverno.io/v1alpha1 +exceptions: +- exception.yaml +kind: Test +metadata: + name: kyverno-test +policies: +- policy.yaml +resources: +- resources.yaml +results: +- kind: Deployment + policy: disallow-host-namespaces + resources: + - bad-deployment + result: fail + rule: autogen-host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - good-deployment + result: pass + rule: autogen-host-namespaces +- kind: Deployment + policy: disallow-host-namespaces + resources: + - important-tool + result: skip + rule: autogen-host-namespaces diff --git a/test/cli/test-exceptions/exceptions-deprecated/policy.yaml b/test/cli/test-exceptions/exceptions-deprecated/policy.yaml new file mode 100644 index 000000000000..bb51da022985 --- /dev/null +++ b/test/cli/test-exceptions/exceptions-deprecated/policy.yaml 
@@ -0,0 +1,23 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: disallow-host-namespaces +spec: + background: false + validationFailureAction: Enforce + rules: + - name: host-namespaces + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + Sharing the host namespaces is disallowed. The fields spec.hostNetwork, + spec.hostIPC, and spec.hostPID must be unset or set to `false`. + pattern: + spec: + =(hostPID): "false" + =(hostIPC): "false" + =(hostNetwork): "false" diff --git a/test/cli/test-exceptions/exceptions-deprecated/resources.yaml b/test/cli/test-exceptions/exceptions-deprecated/resources.yaml new file mode 100644 index 000000000000..d416eb55ef16 --- /dev/null +++ b/test/cli/test-exceptions/exceptions-deprecated/resources.yaml @@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: important-tool + namespace: delta + labels: + app: busybox +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + hostIPC: true + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep", "1d"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-deployment + labels: + app: busybox +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + hostIPC: true + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep", "1d"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: good-deployment + labels: + app: busybox +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + hostIPC: false + containers: + - image: busybox:1.35 + name: busybox + command: ["sleep", "1d"] diff --git a/test/cli/test-fail/invalid-ns-deprecated/kyverno-test.yaml b/test/cli/test-fail/invalid-ns-deprecated/kyverno-test.yaml new file mode 100644 index 000000000000..c1dc942597c6 --- /dev/null 
+++ b/test/cli/test-fail/invalid-ns-deprecated/kyverno-test.yaml @@ -0,0 +1,15 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- policy.yaml +resources: +- resources.yaml +results: +- kind: Namespace + policy: restrict-labels + resources: + - kyverno-system-tst + result: fail + rule: restrict-labels diff --git a/test/cli/test-fail/invalid-ns-deprecated/policy.yaml b/test/cli/test-fail/invalid-ns-deprecated/policy.yaml new file mode 100644 index 000000000000..5fa1223a3416 --- /dev/null +++ b/test/cli/test-fail/invalid-ns-deprecated/policy.yaml @@ -0,0 +1,39 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + policies.kyverno.io/category: Labels + policies.kyverno.io/description: This policy prevents the use of an label beginning + with a common key name (in this case "platform.das-schiff.telekom.de/owner | + owner"). This can be useful to ensure users either don't set reserved labels + or to force them to use a newer version of an label. + policies.kyverno.io/minversion: 1.3.0 + policies.kyverno.io/title: Restrict Labels on Namespaces + labels: + policy.schiff.telekom.de: enforced + name: restrict-labels +spec: + admission: true + background: false + validationFailureAction: Enforce + rules: + - exclude: + any: + - clusterRoles: + - cluster-admin + resources: {} + match: + any: + - resources: + kinds: + - Namespace + name: restrict-labels + validate: + message: Every namespace has to have `platform.das-schiff.telekom.de/owner` + label. It must not have value `das-schiff` which is reserved for system namespaces + pattern: + metadata: + labels: + =(schiff.telekom.de/owner): '!schiff' + platform.das-schiff.telekom.de/owner: '!das-schiff' diff --git a/test/cli/test-fail/invalid-ns-deprecated/resources.yaml b/test/cli/test-fail/invalid-ns-deprecated/resources.yaml new file mode 100644 index 000000000000..c51350cc7aeb --- /dev/null 
+++ b/test/cli/test-fail/invalid-ns-deprecated/resources.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno-system-tst + labels: + name: kyverno-system-tst + schiff.telekom.de/owner: schiff + platform.das-schiff.telekom.de/owner: das-schiff \ No newline at end of file diff --git a/test/cli/test-fail/invalid-ns/policy.yaml b/test/cli/test-fail/invalid-ns/policy.yaml index 054dfbb7858f..f7c36cc57c97 100644 --- a/test/cli/test-fail/invalid-ns/policy.yaml +++ b/test/cli/test-fail/invalid-ns/policy.yaml @@ -36,4 +36,4 @@ spec: labels: =(schiff.telekom.de/owner): '!schiff' platform.das-schiff.telekom.de/owner: '!das-schiff' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test-fail/missing-policy/policy.yaml b/test/cli/test-fail/missing-policy/policy.yaml index 0402a2191622..1d23fdcbc180 100644 --- a/test/cli/test-fail/missing-policy/policy.yaml +++ b/test/cli/test-fail/missing-policy/policy.yaml @@ -21,6 +21,7 @@ spec: - test name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -40,4 +41,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test-fail/missing-resource/policy.yaml b/test/cli/test-fail/missing-resource/policy.yaml index 0402a2191622..1d23fdcbc180 100644 --- a/test/cli/test-fail/missing-resource/policy.yaml +++ b/test/cli/test-fail/missing-resource/policy.yaml @@ -21,6 +21,7 @@ spec: - test name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -40,4 +41,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test-fail/missing-rule/policy.yaml b/test/cli/test-fail/missing-rule/policy.yaml index 0402a2191622..1d23fdcbc180 100644 --- a/test/cli/test-fail/missing-rule/policy.yaml 
+++ b/test/cli/test-fail/missing-rule/policy.yaml @@ -21,6 +21,7 @@ spec: - test name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -40,4 +41,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test-generate/add-network-policy/policy.yaml b/test/cli/test-generate/add-network-policy/policy.yaml index 2591e87b6c5f..45b95c64d80c 100644 --- a/test/cli/test-generate/add-network-policy/policy.yaml +++ b/test/cli/test-generate/add-network-policy/policy.yaml @@ -38,4 +38,3 @@ spec: kinds: - Namespace name: default-deny - validationFailureAction: Audit diff --git a/test/cli/test-generate/add-quota/policy.yaml b/test/cli/test-generate/add-quota/policy.yaml index 7d31290c1984..a3bb58045f8b 100644 --- a/test/cli/test-generate/add-quota/policy.yaml +++ b/test/cli/test-generate/add-quota/policy.yaml @@ -57,4 +57,3 @@ spec: kinds: - Namespace name: generate-limitrange - validationFailureAction: Audit diff --git a/test/cli/test-generate/clone-list/policy.yaml b/test/cli/test-generate/clone-list/policy.yaml index d2c5a0276200..70e962c6fe0b 100644 --- a/test/cli/test-generate/clone-list/policy.yaml +++ b/test/cli/test-generate/clone-list/policy.yaml @@ -34,4 +34,3 @@ spec: kinds: - Namespace name: clone-list-labelled-secrets - validationFailureAction: Audit diff --git a/test/cli/test-generate/sync-multiple-resources/policy.yaml b/test/cli/test-generate/sync-multiple-resources/policy.yaml index 989217f234f6..5b9852780007 100644 --- a/test/cli/test-generate/sync-multiple-resources/policy.yaml +++ b/test/cli/test-generate/sync-multiple-resources/policy.yaml @@ -10,7 +10,7 @@ metadata: Sync Secret and Configmap from kube-system namespace spec: failurePolicy: Ignore - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - name: sync-controller-secret match: 
diff --git a/test/cli/test-generate/sync-secrets/policy.yaml b/test/cli/test-generate/sync-secrets/policy.yaml index 6b86f808a9e1..5ea6b2245fa1 100644 --- a/test/cli/test-generate/sync-secrets/policy.yaml +++ b/test/cli/test-generate/sync-secrets/policy.yaml @@ -32,4 +32,3 @@ spec: kinds: - Namespace name: sync-image-pull-secret - validationFailureAction: Audit diff --git a/test/cli/test-mutate/bug-demo/policy.yaml b/test/cli/test-mutate/bug-demo/policy.yaml index 91c93ec64ee6..852af73439df 100644 --- a/test/cli/test-mutate/bug-demo/policy.yaml +++ b/test/cli/test-mutate/bug-demo/policy.yaml @@ -80,4 +80,3 @@ spec: to_string(@) }} name: mutate1 - validationFailureAction: Enforce diff --git a/test/cli/test-mutate/connection-draining/policy.yaml b/test/cli/test-mutate/connection-draining/policy.yaml index 6a1404bdf6f2..046248e96c00 100644 --- a/test/cli/test-mutate/connection-draining/policy.yaml +++ b/test/cli/test-mutate/connection-draining/policy.yaml @@ -77,4 +77,3 @@ spec: - key: '{{ tg_attributes }}' operator: Equals value: "false" - validationFailureAction: Audit diff --git a/test/cli/test-mutate/foreach/addIfNotPresent/policies.yaml b/test/cli/test-mutate/foreach/addIfNotPresent/policies.yaml index 268928e6ab70..098986bc4a71 100644 --- a/test/cli/test-mutate/foreach/addIfNotPresent/policies.yaml +++ b/test/cli/test-mutate/foreach/addIfNotPresent/policies.yaml @@ -24,4 +24,3 @@ spec: +(sizeLimit): 20Mi name: '{{ element.name }}' name: setDefault - validationFailureAction: Audit diff --git a/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml b/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml index de7e0f426e61..de5b5693028e 100644 --- a/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml +++ b/test/cli/test-mutate/foreach/cumulativePatch/policies.yaml @@ -27,4 +27,3 @@ spec: op: add value: "100m" name: add-default-requests - validationFailureAction: Audit 
diff --git a/test/cli/test-mutate/foreach/policies.yaml b/test/cli/test-mutate/foreach/policies.yaml index 387d307561ca..cf0daf0df12d 100644 --- a/test/cli/test-mutate/foreach/policies.yaml +++ b/test/cli/test-mutate/foreach/policies.yaml @@ -27,7 +27,6 @@ spec: - key: '{{ request.operation }}' operator: Equals value: CREATE - validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -53,4 +52,3 @@ spec: - image: registry.digitalocean.com/runlevl4/{{ images.containers."{{element.name}}".name}}:{{images.containers."{{element.name}}".tag}} name: '{{ element.name }}' name: test - validationFailureAction: Audit diff --git a/test/cli/test-mutate/patched-resource/policy.yaml b/test/cli/test-mutate/patched-resource/policy.yaml index 0e1164c84d79..faba76ec409e 100644 --- a/test/cli/test-mutate/patched-resource/policy.yaml +++ b/test/cli/test-mutate/patched-resource/policy.yaml @@ -29,4 +29,3 @@ spec: value: - CREATE - UPDATE - validationFailureAction: Audit diff --git a/test/cli/test-mutate/policy.yaml b/test/cli/test-mutate/policy.yaml index 5ae8d7a10e84..39329b16f8e9 100644 --- a/test/cli/test-mutate/policy.yaml +++ b/test/cli/test-mutate/policy.yaml @@ -43,7 +43,6 @@ spec: - key: not-the-name operator: AllIn value: '{{ request.object.metadata.labels | keys(@) }}' - validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: Policy @@ -75,7 +74,6 @@ spec: - name: ndots value: "1" name: add-ndots - validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -104,4 +102,3 @@ spec: op: replace value: {{ annotations }} name: object_from_lists - validationFailureAction: Audit diff --git a/test/cli/test/admission_user_info/disallow_latest_tag.yaml b/test/cli/test/admission_user_info/disallow_latest_tag.yaml index d31ac874dd76..c5e12d0936cb 100644 --- a/test/cli/test/admission_user_info/disallow_latest_tag.yaml +++ b/test/cli/test/admission_user_info/disallow_latest_tag.yaml 
@@ -21,6 +21,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec:
@@ -33,9 +34,9 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Audit
diff --git a/test/cli/test/admission_user_info_deprecated/disallow_latest_tag.yaml b/test/cli/test/admission_user_info_deprecated/disallow_latest_tag.yaml
new file mode 100644
index 000000000000..9b5c5c1bf19a
--- /dev/null
+++ b/test/cli/test/admission_user_info_deprecated/disallow_latest_tag.yaml
@@ -0,0 +1,41 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + policies.kyverno.io/category: Best Practices + policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead + to unexpected errors if the image changes. A best practice is to use an immutable + tag that maps to a specific version of an application pod. ' + name: disallow-latest-tag +spec: + validationFailureAction: Audit + admission: true + background: false + rules: + - match: + any: + - clusterRoles: + - cluster-admin + resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest'
diff --git a/test/cli/test/admission_user_info_deprecated/kyverno-test.yaml b/test/cli/test/admission_user_info_deprecated/kyverno-test.yaml
new file mode 100644
index 000000000000..0ab6def4a23e
--- /dev/null
+++ b/test/cli/test/admission_user_info_deprecated/kyverno-test.yaml
@@ -0,0 +1,26 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- disallow_latest_tag.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod1 + - myapp-pod2 + - myapp-pod3 + result: pass + rule: require-image-tag +- kind: Pod + policy: disallow-latest-tag + resources: + - myapp-pod1 + - myapp-pod2 + - myapp-pod3 + result: pass + rule: validate-image-tag +userinfo: user_info.yaml
diff --git a/test/cli/test/admission_user_info_deprecated/resource.yaml b/test/cli/test/admission_user_info_deprecated/resource.yaml
new file mode 100644
index 000000000000..3decae1d6e2b
--- /dev/null
+++ b/test/cli/test/admission_user_info_deprecated/resource.yaml
@@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod1 + labels: + app: myapp1 +spec: + containers: + - name: nginx + image: nginx:1.12 + +--- +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod2 + labels: + app: myapp2 +spec: + containers: + - name: nginx + image: nginx:1.12 + +--- +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod3 + labels: + app: myapp3 +spec: + containers: + - name: nginx + image: ngnix:1.12
diff --git a/test/cli/test/admission_user_info_deprecated/user_info.yaml b/test/cli/test/admission_user_info_deprecated/user_info.yaml
new file mode 100644
index 000000000000..0ce75489fc7d
--- /dev/null
+++ b/test/cli/test/admission_user_info_deprecated/user_info.yaml
@@ -0,0 +1,6 @@ +apiVersion: cli.kyverno.io/v1alpha1 +clusterRoles: +- cluster-admin +kind: UserInfo +userInfo: + username: molybdenum@somecorp.com
diff --git a/test/cli/test/any-all-wildcard-deprecated/kyverno-test.yaml b/test/cli/test/any-all-wildcard-deprecated/kyverno-test.yaml
new file mode 100644
index 000000000000..f3574e0b8f26
--- /dev/null
+++ b/test/cli/test/any-all-wildcard-deprecated/kyverno-test.yaml
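Review bot: `image: ngnix:1.12` on `myapp-pod3` in the new admission_user_info_deprecated/resource.yaml reads like a misspelling of `nginx`, and nothing in the fixture says otherwise. Both rules still pass for that pod because the patterns `'*:*'` and `'!*:latest'` only look at the tag, so the test cannot tell the difference. If the odd name is deliberate (a non-existent image with a non-latest tag), a one-line comment such as `# intentionally not a real image; only the tag is checked` would keep the next reader from "fixing" it; otherwise it should read `nginx:1.12` like the other two pods.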
@@ -0,0 +1,16 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- policy.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: disallow-protected-namespaces + resources: + - namespace2/test2 + - namespace1/test1 + result: fail + rule: disallow
diff --git a/test/cli/test/any-all-wildcard-deprecated/policy.yaml b/test/cli/test/any-all-wildcard-deprecated/policy.yaml
new file mode 100644
index 000000000000..f0710ff9455b
--- /dev/null
+++ b/test/cli/test/any-all-wildcard-deprecated/policy.yaml
@@ -0,0 +1,22 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-protected-namespaces +spec: + validationFailureAction: Enforce + admission: true + background: false + rules: + - match: + all: + - resources: + kinds: + - '*' + namespaces: + - namespace1 + - namespace2 + name: disallow + validate: + deny: {} + message: This resource is protected and changes are not allowed.
diff --git a/test/cli/test/any-all-wildcard-deprecated/resource.yaml b/test/cli/test/any-all-wildcard-deprecated/resource.yaml
new file mode 100644
index 000000000000..118128773977
--- /dev/null
+++ b/test/cli/test/any-all-wildcard-deprecated/resource.yaml
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test1 + namespace: namespace1 +spec: + containers: + - name: nginx + image: nginx:latest + +--- +apiVersion: v1 +kind: Pod +metadata: + name: test2 + namespace: namespace2 +spec: + containers: + - name: nginx + image: nginx + +--- +apiVersion: v1 +kind: Pod +metadata: + name: test3 + namespace: namespace3 +spec: + containers: + - name: nginx + image: nginx
\ No newline at end of file
diff --git a/test/cli/test/any-all-wildcard/policy.yaml b/test/cli/test/any-all-wildcard/policy.yaml
index 10e06143626f..aa3e6737f2ec 100644
--- a/test/cli/test/any-all-wildcard/policy.yaml
+++ b/test/cli/test/any-all-wildcard/policy.yaml
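Review bot: The new any-all-wildcard-deprecated/policy.yaml keeps `validationFailureAction: Enforce` at `spec` level, which the rest of this commit is moving under `validate`, and nothing in the file says that the old placement is the point of the fixture. A short header comment, e.g. `# Keeps the spec-level validationFailureAction on purpose: this fixture covers the deprecated form`, would stop a later sweep from "migrating" it and silently deleting the coverage; the same applies to the other `*-deprecated` policies added in this diff (admission_user_info_deprecated, any-namespaceSelector-deprecated, cel-preconditions-deprecated, mixed-deprecated). Separately, resource.yaml here and mixed-deprecated/resource.yaml further down are added without a trailing newline (`\ No newline at end of file`), unlike the other new fixtures.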
@@ -17,6 +17,6 @@ spec: - namespace2 name: disallow validate: + validationFailureAction: Enforce deny: {} message: This resource is protected and changes are not allowed. - validationFailureAction: Enforce
diff --git a/test/cli/test/any-namespaceSelector-deprecated/kyverno-test.yaml b/test/cli/test/any-namespaceSelector-deprecated/kyverno-test.yaml
new file mode 100644
index 000000000000..1548fce3f332
--- /dev/null
+++ b/test/cli/test/any-namespaceSelector-deprecated/kyverno-test.yaml
@@ -0,0 +1,16 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- policy.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: enforce-pod-name + resources: + - test1/test-nginx + result: pass + rule: validate-name +variables: value.yaml
diff --git a/test/cli/test/any-namespaceSelector-deprecated/policy.yaml b/test/cli/test/any-namespaceSelector-deprecated/policy.yaml
new file mode 100644
index 000000000000..273c5b6b9dc0
--- /dev/null
+++ b/test/cli/test/any-namespaceSelector-deprecated/policy.yaml
@@ -0,0 +1,27 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: enforce-pod-name +spec: + validationFailureAction: Audit + admission: true + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + namespaceSelector: + matchExpressions: + - key: foo.com/managed-state + operator: In + values: + - managed + name: validate-name + validate: + message: The Pod must end with -nginx + pattern: + metadata: + name: '*-nginx'
diff --git a/test/cli/test/any-namespaceSelector-deprecated/resource.yaml b/test/cli/test/any-namespaceSelector-deprecated/resource.yaml
new file mode 100644
index 000000000000..23c2d7b9c935
--- /dev/null
+++ b/test/cli/test/any-namespaceSelector-deprecated/resource.yaml
@@ -0,0 +1,9 @@ +kind: Pod +apiVersion: v1 +metadata: + name: test-nginx + namespace: test1 +spec: + containers: + - name: nginx + image: nginx:latest
diff --git a/test/cli/test/any-namespaceSelector-deprecated/value.yaml b/test/cli/test/any-namespaceSelector-deprecated/value.yaml
new file mode 100644
index 000000000000..aa46c703786f
--- /dev/null
+++ b/test/cli/test/any-namespaceSelector-deprecated/value.yaml
@@ -0,0 +1,6 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +namespaceSelector: +- labels: + foo.com/managed-state: managed + name: test1
diff --git a/test/cli/test/any-namespaceSelector/policy.yaml b/test/cli/test/any-namespaceSelector/policy.yaml
index 07d514a365e0..e94ac81003c3 100644
--- a/test/cli/test/any-namespaceSelector/policy.yaml
+++ b/test/cli/test/any-namespaceSelector/policy.yaml
@@ -20,8 +20,8 @@ spec: - managed name: validate-name validate: + validationFailureAction: Audit message: The Pod must end with -nginx pattern: metadata: name: '*-nginx' - validationFailureAction: Audit
diff --git a/test/cli/test/anypattern_skip_error/policy.yaml b/test/cli/test/anypattern_skip_error/policy.yaml
index 71cfbdde2722..429682d339a0 100644
--- a/test/cli/test/anypattern_skip_error/policy.yaml
+++ b/test/cli/test/anypattern_skip_error/policy.yaml
@@ -14,6 +14,7 @@ spec: - Service name: check-loadbalancer-public validate: + validationFailureAction: Enforce anyPattern: - metadata: annotations:
@@ -26,4 +27,3 @@ spec: message: Service of type 'LoadBalancer' is public and does not explicitly define network security. To use a public LB you must supply either spec[loadBalancerSourceRanges] or the 'service.beta.kubernetes.io/aws-load-balancer-security-groups' annotation. - validationFailureAction: Enforce
diff --git a/test/cli/test/autogen-values/policy.yaml b/test/cli/test/autogen-values/policy.yaml
index 93dddb86f55d..a676919ef403 100644
--- a/test/cli/test/autogen-values/policy.yaml
+++ b/test/cli/test/autogen-values/policy.yaml
@@ -28,4 +28,4 @@ spec: validate: message: Do nothing! pattern: {} - validationFailureAction: Audit + validationFailureAction: Audit
diff --git a/test/cli/test/autogen/policy.yaml b/test/cli/test/autogen/policy.yaml
index 66c931e46691..654bd3a76485 100644
--- a/test/cli/test/autogen/policy.yaml
+++ b/test/cli/test/autogen/policy.yaml
@@ -14,10 +14,10 @@ spec: - Pod name: check-for-labels validate: + validationFailureAction: Enforce message: Both `app` and `owner` labels must be set on all workloads pattern: metadata: labels: app: ?* owner: ?* - validationFailureAction: Enforce
diff --git a/test/cli/test/cel-preconditions-deprecated/disallow-host-path.yaml b/test/cli/test/cel-preconditions-deprecated/disallow-host-path.yaml
new file mode 100644
index 000000000000..335c4c9bc6f9
--- /dev/null
+++ b/test/cli/test/cel-preconditions-deprecated/disallow-host-path.yaml
@@ -0,0 +1,22 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-host-path +spec: + background: false + validationFailureAction: Audit + rules: + - name: host-path + match: + any: + - resources: + kinds: + - Pod + celPreconditions: + - expression: "object.metadata.labels['color'] == 'red'" + name: "Label should be red" + validate: + cel: + expressions: + - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))" + message: "HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset."
diff --git a/test/cli/test/cel-preconditions-deprecated/kyverno-test.yaml b/test/cli/test/cel-preconditions-deprecated/kyverno-test.yaml
new file mode 100644
index 000000000000..2af80d4084d7
--- /dev/null
+++ b/test/cli/test/cel-preconditions-deprecated/kyverno-test.yaml
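Review bot: The CEL precondition `object.metadata.labels['color'] == 'red'` in the new cel-preconditions-deprecated/disallow-host-path.yaml indexes the label map without a presence check, so a Pod with no `color` label (or no labels at all) does not evaluate to false but fails to evaluate, and the hostPath rule's outcome for such a pod is then whatever the engine does on a precondition error rather than the clean `skip` the fixture expects for `skipped-pod`. The three fixture pods all carry the label, so the test never exercises that path. A guarded form, `has(object.metadata.labels) && 'color' in object.metadata.labels && object.metadata.labels['color'] == 'red'`, makes an unlabeled pod skip deterministically; adding a fourth unlabeled pod with `result: skip` to kyverno-test.yaml would pin that. The same expression is carried over from the existing cel-preconditions fixture, so the pre-existing copy has the same gap.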
@@ -0,0 +1,27 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- disallow-host-path.yaml +resources: +- resources.yaml +results: +- kind: Pod + policy: disallow-host-path + resources: + - bad-pod + result: fail + rule: host-path +- kind: Pod + policy: disallow-host-path + resources: + - good-pod + result: pass + rule: host-path +- kind: Pod + policy: disallow-host-path + resources: + - skipped-pod + result: skip + rule: host-path
diff --git a/test/cli/test/cel-preconditions-deprecated/resources.yaml b/test/cli/test/cel-preconditions-deprecated/resources.yaml
new file mode 100644
index 000000000000..5fe865c154ea
--- /dev/null
+++ b/test/cli/test/cel-preconditions-deprecated/resources.yaml
@@ -0,0 +1,52 @@ +apiVersion: v1 +kind: Pod +metadata: + name: skipped-pod + labels: + color: blue +spec: + containers: + - name: nginx-container + image: nginx:latest + volumeMounts: + - name: hostpath-volume + mountPath: /var/www/html + volumes: + - name: hostpath-volume + hostPath: + path: /var/log +--- +apiVersion: v1 +kind: Pod +metadata: + name: bad-pod + labels: + color: red +spec: + containers: + - name: nginx-container + image: nginx:latest + volumeMounts: + - name: hostpath-volume + mountPath: /var/www/html + volumes: + - name: hostpath-volume + hostPath: + path: /var/log +--- +apiVersion: v1 +kind: Pod +metadata: + name: good-pod + labels: + color: red +spec: + containers: + - name: nginx-container + image: nginx:latest + volumeMounts: + - name: hostpath-volume + mountPath: /var/www/html + volumes: + - name: hostpath-volume + emptyDir: {}
diff --git a/test/cli/test/cel-preconditions/disallow-host-path.yaml b/test/cli/test/cel-preconditions/disallow-host-path.yaml
index 924c501cbbc7..0fd6663ff456 100644
--- a/test/cli/test/cel-preconditions/disallow-host-path.yaml
+++ b/test/cli/test/cel-preconditions/disallow-host-path.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path spec: - validationFailureAction: Audit background: false rules: - name: host-path
@@ -16,6 +15,7 @@ spec: - expression: "object.metadata.labels['color'] == 'red'" name: "Label should be red" validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/test/cli/test/check-deployment-namespace-cel/policy.yaml b/test/cli/test/check-deployment-namespace-cel/policy.yaml
index d50a913abd1c..d54a0fc2e041 100644
--- a/test/cli/test/check-deployment-namespace-cel/policy.yaml
+++ b/test/cli/test/check-deployment-namespace-cel/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-default-namespace spec: - validationFailureAction: Audit background: true rules: - name: validate-deployment-namespace
@@ -13,6 +12,7 @@ spec: kinds: - Deployment validate: + validationFailureAction: Audit cel: expressions: - expression: "namespaceObject.metadata.name != 'default'"
diff --git a/test/cli/test/container_reorder/policy.yml b/test/cli/test/container_reorder/policy.yml
index d769e6df8d30..879965e282fe 100644
--- a/test/cli/test/container_reorder/policy.yml
+++ b/test/cli/test/container_reorder/policy.yml
@@ -32,4 +32,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/cli/test/context-entries/policies.yaml b/test/cli/test/context-entries/policies.yaml
index 3491be04654a..7d393b574f13 100644
--- a/test/cli/test/context-entries/policies.yaml
+++ b/test/cli/test/context-entries/policies.yaml
@@ -21,6 +21,7 @@ spec: - Pod name: defined-value validate: + validationFailureAction: Audit deny: conditions: - key: '{{ example.test.nested.value }}'
@@ -37,6 +38,7 @@ spec: - Pod name: defined-jmespath validate: + validationFailureAction: Audit deny: conditions: - key: '{{ objName }}'
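Review bot: In the container_reorder/policy.yml hunk the removed and added lines are both `validationFailureAction: Enforce`, so the only change is leading whitespace that this rendering has lost; the same pattern appears in the image-verification fixtures further down (images/digest, images/secure-images, images/signatures, images/verify-signature), where the key sits right after `verifyDigest` and, in secure-images, still precedes the spec-level `webhookTimeoutSeconds: 30`. Presumably the key is being re-indented from `spec` into the `verifyImages` entry, but in YAML the nesting alone decides whether the engine reads it or silently ignores it, and a key that lands one level off would leave these signature checks running at the default action instead of Enforce with no test noticing, since the listed results only check `pass`. Worth confirming the rendered indentation places it beside `verifyDigest`, and that at least one of these suites asserts a `fail` for an unsigned or wrong-key image so a downgrade to non-blocking would show up.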
@@ -54,6 +56,7 @@ spec: - Pod name: defined-jmespath-with-default validate: + validationFailureAction: Audit deny: conditions: - key: '{{ objName }}'
@@ -71,6 +74,7 @@ spec: - Pod name: defined-value-with-variable validate: + validationFailureAction: Audit deny: conditions: - key: '{{ obj.name }}'
@@ -88,6 +92,7 @@ spec: - Pod name: defined-jmespath-with-default-variable validate: + validationFailureAction: Audit deny: conditions: - key: '{{ objName }}'
@@ -106,6 +111,7 @@ spec: - Pod name: defined-value-jmespath validate: + validationFailureAction: Audit deny: conditions: - key: '{{ objName }}'
@@ -127,6 +133,7 @@ spec: - Pod name: defined-value-jmespath-variable validate: + validationFailureAction: Audit deny: conditions: - key: '{{ objName }}'
@@ -148,6 +155,7 @@ spec: - Pod name: value-override validate: + validationFailureAction: Audit deny: conditions: any:
@@ -170,6 +178,7 @@ spec: - Pod name: wildcard-match validate: + validationFailureAction: Audit deny: conditions: - key: A=*
@@ -196,6 +205,7 @@ spec: - Pod name: items validate: + validationFailureAction: Audit deny: conditions: - key: '{{ obj }}'
@@ -224,9 +234,9 @@ spec: - Pod name: unused-var validate: + validationFailureAction: Audit deny: conditions: - key: '{{ modifiedObj }}' operator: NotEqual value: '{{ expected }}' - validationFailureAction: Audit
diff --git a/test/cli/test/context-foreach/policy.yaml b/test/cli/test/context-foreach/policy.yaml
index f3d1af4cb671..c2cf2e89f65b 100644
--- a/test/cli/test/context-foreach/policy.yaml
+++ b/test/cli/test/context-foreach/policy.yaml
@@ -14,6 +14,7 @@ spec: - Pod name: block-images validate: + validationFailureAction: Audit foreach: - context: - imageRegistry:
@@ -26,4 +27,3 @@ spec: value: '{{ element.name }}' list: request.object.spec.containers message: Images containing built-in volumes are prohibited. - validationFailureAction: Audit
diff --git a/test/cli/test/custom-functions/policy.yaml b/test/cli/test/custom-functions/policy.yaml
index 3d8a0ec039e1..39daa7f61a5b 100644
--- a/test/cli/test/custom-functions/policy.yaml
+++ b/test/cli/test/custom-functions/policy.yaml
@@ -19,7 +19,7 @@ spec: - key: '{{base64_decode(request.object.data.value)}}' operator: NotEquals value: '{{request.object.metadata.labels.value}}' - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -42,7 +42,7 @@ spec: - key: '{{pattern_match(''prefix-*'', request.object.metadata.labels.value)}}' operator: Equals value: false - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -78,7 +78,7 @@ spec: - key: '{{ element.hostPath.path }}' operator: NotEquals value: "" - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -101,7 +101,7 @@ spec: operator: NotEquals value: b message: Test JMESPath - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -124,7 +124,7 @@ spec: operator: NotEquals value: a message: Test JMESPath - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -148,7 +148,7 @@ spec: value: '{{request.object.metadata.annotations.test | parse_yaml(@).array }}' message: Test JMESPath - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -175,4 +175,4 @@ spec: message: 'public key modulus mismatch: "{{ x509_decode(''{{request.object.data.cert}}'').PublicKey.N }}" != "{{ x509_decode(''{{base64_decode(''{{request.object.data.certB64}}'')}}'').PublicKey.N }}"' - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/cli/test/default_value_to_create/check-supplemental-groups.yaml b/test/cli/test/default_value_to_create/check-supplemental-groups.yaml
index cae6766663b5..aa903ce9ab28 100644
--- a/test/cli/test/default_value_to_create/check-supplemental-groups.yaml
+++ b/test/cli/test/default_value_to_create/check-supplemental-groups.yaml
@@ -39,4 +39,4 @@ spec: spec: =(securityContext): =(supplementalGroups): 100-200 | 500-600 - validationFailureAction: Audit + validationFailureAction: Audit
diff --git a/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml b/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml
index 7e2183f41e3d..d15bf4fceb35 100644
--- a/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml
+++ b/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml
@@ -30,4 +30,4 @@ spec: deny: {} message: Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users. - validationFailureAction: Audit + validationFailureAction: Audit
diff --git a/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml b/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml
index 8289c11dbdb0..3b53ed4c84d6 100644
--- a/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml
+++ b/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml
@@ -26,4 +26,4 @@ spec: deny: {} message: Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users. - validationFailureAction: Audit + validationFailureAction: Audit
diff --git a/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml b/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml
index 31bd7b7e900c..758a42a548e1 100644
--- a/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml
+++ b/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml
@@ -35,4 +35,4 @@ spec: deny: {} message: Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users. - validationFailureAction: Audit + validationFailureAction: Audit
diff --git a/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml b/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml
index 8a228bc3a61d..13b68836e827 100644
--- a/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml
+++ b/test/cli/test/deny-pod-delete-match-opn-block/deny-pod-delete-match-opn-block.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny-pod-delete-match-opn-block spec: - validationFailureAction: Enforce background: false rules: - name: deny-pod-delete-match-opn-block
@@ -15,6 +14,7 @@ spec: operations: - DELETE validate: + validationFailureAction: Enforce message: Pod cannot be deleted deny: {}
diff --git a/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml b/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml
index f532c0134795..f0c0f1826212 100644
--- a/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml
+++ b/test/cli/test/deny-pod-delete-validate-deny/deny-pod-delete-validate-deny.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny-pod-delete-validate-deny spec: - validationFailureAction: Enforce background: false rules: - name: deny-pod-delete-validate-deny
@@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: Pod cannot be deleted deny: conditions:
diff --git a/test/cli/test/depecated_apis/policy.yaml b/test/cli/test/depecated_apis/policy.yaml
index 74138799beb9..8a1e153a1227 100644
--- a/test/cli/test/depecated_apis/policy.yaml
+++ b/test/cli/test/depecated_apis/policy.yaml
@@ -33,4 +33,4 @@ spec: deny: {} message: '{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/' - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/cli/test/disallow-service/policy.yaml b/test/cli/test/disallow-service/policy.yaml
index db8139f9d63d..e48411f6ba0b 100644
--- a/test/cli/test/disallow-service/policy.yaml
+++ b/test/cli/test/disallow-service/policy.yaml
@@ -28,4 +28,4 @@ spec: anyPattern: - kind: '!Service' message: Can't create a service. Sorry... - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/cli/test/exclude/policy.yaml b/test/cli/test/exclude/policy.yaml
index 24e041062a26..30a0d704ff56 100644
--- a/test/cli/test/exclude/policy.yaml
+++ b/test/cli/test/exclude/policy.yaml
@@ -17,7 +17,6 @@ metadata: requests and memory limits. spec: background: true - validationFailureAction: enforce rules: - name: validate-resources match:
@@ -37,6 +36,7 @@ spec: matchLabels: require-requests-limits.kyverno.io/exclude: "true" validate: + validationFailureAction: Enforce message: "CPU and memory resource requests and limits are required." pattern: spec:
diff --git a/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml b/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml
index b59d893b059c..e8c9c084738a 100644
--- a/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml
+++ b/test/cli/test/exec-subresource/deny-exec-by-pod-label.yaml
@@ -41,4 +41,4 @@ spec: operator: Equals value: "false" message: Exec'ing into Pods protected with the label `exec=false` is forbidden. - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/cli/test/foreach-preconditions/policies.yaml b/test/cli/test/foreach-preconditions/policies.yaml
index 2a6e7d3009d5..679f1a0a45e1 100644
--- a/test/cli/test/foreach-preconditions/policies.yaml
+++ b/test/cli/test/foreach-preconditions/policies.yaml
@@ -32,4 +32,4 @@ spec: operator: NotEquals value: "" message: Limits may not exceed 2.5x the requests. - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/cli/test/foreach/policies.yaml b/test/cli/test/foreach/policies.yaml
index fea5f29c463a..8a985d60f956 100644
--- a/test/cli/test/foreach/policies.yaml
+++ b/test/cli/test/foreach/policies.yaml
@@ -25,7 +25,7 @@ spec: - (name): '{{element.name}}' mountPath: /tmp/* message: emptyDir volumes must be mounted under /tmp - validationFailureAction: Audit + validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -56,7 +56,7 @@ spec: volumeMounts: - <(name): '{{element.name}}' message: ephemeral-storage requests and limits are required for emptyDir volumes - validationFailureAction: Audit + validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -82,7 +82,7 @@ spec: value: ghcr.io list: request.object.spec.containers[].image message: images must begin with ghcr.io - validationFailureAction: Audit + validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -109,4 +109,4 @@ spec: elementScope: true list: request.object.spec.containers[].image message: images must begin with ghcr.io - validationFailureAction: Audit + validationFailureAction: Audit
diff --git a/test/cli/test/images/digest/policies.yaml b/test/cli/test/images/digest/policies.yaml
index 71a4f0c51296..395942f83366 100644
--- a/test/cli/test/images/digest/policies.yaml
+++ b/test/cli/test/images/digest/policies.yaml
@@ -22,4 +22,4 @@ spec: required: false useCache: true verifyDigest: true - validationFailureAction: Audit + validationFailureAction: Audit
diff --git a/test/cli/test/images/secure-images/policies.yaml b/test/cli/test/images/secure-images/policies.yaml
index 76e493725461..909335ccefd9 100644
--- a/test/cli/test/images/secure-images/policies.yaml
+++ b/test/cli/test/images/secure-images/policies.yaml
@@ -23,5 +23,5 @@ spec: required: true useCache: true verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/cli/test/images/signatures/policies.yaml b/test/cli/test/images/signatures/policies.yaml
index a945aefa6baa..b2d8e649d66d 100644
--- a/test/cli/test/images/signatures/policies.yaml
+++ b/test/cli/test/images/signatures/policies.yaml
@@ -36,4 +36,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/cli/test/images/verify-signature/policies.yaml b/test/cli/test/images/verify-signature/policies.yaml
index 66cbc630fb54..23c307aa7aa0 100644
--- a/test/cli/test/images/verify-signature/policies.yaml
+++ b/test/cli/test/images/verify-signature/policies.yaml
@@ -37,7 +37,7 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -81,4 +81,4 @@ spec: required: true useCache: true verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/cli/test/jmespath-brackets/policy.yaml b/test/cli/test/jmespath-brackets/policy.yaml
index eb9da57499ad..df68bd08fb23 100644
--- a/test/cli/test/jmespath-brackets/policy.yaml
+++ b/test/cli/test/jmespath-brackets/policy.yaml
@@ -26,7 +26,7 @@ spec: a: "1" test: "" message: All pod labels must match except test - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy
@@ -51,4 +51,4 @@ spec: value: false message: For creating a namespace you need to set the objectid of the Azure AD Group that needs access to this namespace as the aadobjectid label - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml b/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml
index c51244e97074..c6bc85b85fe7 100644
--- a/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml
+++ b/test/cli/test/limit-configmap-for-sa/limit_configmap_for_sa.yaml
@@ -56,4 +56,4 @@ spec: - CREATE message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource' - validationFailureAction: Audit + validationFailureAction: Audit
diff --git a/test/cli/test/manifests/verify-signature/policies.yaml b/test/cli/test/manifests/verify-signature/policies.yaml
index eaac2339c2a6..24fa3fc4c224 100644
--- a/test/cli/test/manifests/verify-signature/policies.yaml
+++ b/test/cli/test/manifests/verify-signature/policies.yaml
@@ -16,6 +16,7 @@ spec: name: test* name: validate-yaml validate: + validationFailureAction: Enforce manifests: attestors: - count: 1
@@ -42,6 +43,7 @@ spec: name: test* name: validate-yaml-multi-sig validate: + validationFailureAction: Enforce manifests: attestors: - entries:
@@ -59,5 +61,4 @@ spec: FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A== -----END PUBLIC KEY----- signatureAlgorithm: sha256 - validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/cli/test/mixed-deprecated/kyverno-test.yaml b/test/cli/test/mixed-deprecated/kyverno-test.yaml
new file mode 100644
index 000000000000..7adbd64a616e
--- /dev/null
+++ b/test/cli/test/mixed-deprecated/kyverno-test.yaml
@@ -0,0 +1,28 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno-test.yaml +policies: +- policy.yaml +resources: +- resource.yaml +results: +- kind: Pod + policy: ondemand + resources: + - user-foo/nodeselector-without-labels-on-mutation + result: fail + rule: ondemand-managed_by +- kind: Pod + policy: ondemand + resources: + - user-space/nodeselector-with-labels-on-mutation + result: pass + rule: ondemand-managed_by +- kind: Pod + patchedResource: patched-resource.yaml + policy: ondemand + resources: + - user-space/nodeselector-with-labels-on-mutation + result: pass + rule: ondemand-nodeselector
diff --git a/test/cli/test/mixed-deprecated/patched-resource.yaml b/test/cli/test/mixed-deprecated/patched-resource.yaml
new file mode 100644
index 000000000000..fb07e70fd344
--- /dev/null
+++ b/test/cli/test/mixed-deprecated/patched-resource.yaml
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + app.kubernetes.io/managed-by: open-ondemand + name: nodeselector-with-labels-on-mutation + namespace: user-space +spec: + containers: + - image: nginx:latest + name: nginx + nodeSelector: + osc.edu/role: ondemand
diff --git a/test/cli/test/mixed-deprecated/patched-resource1.yaml b/test/cli/test/mixed-deprecated/patched-resource1.yaml
new file mode 100644
index 000000000000..d7e6415eee9d
--- /dev/null
+++ b/test/cli/test/mixed-deprecated/patched-resource1.yaml
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nodeselector-without-labels-on-mutation + labels: + app.kubernetes.io/managed-by: "open-xyz" + namespace: user-foo +spec: + containers: + - name: nginx + image: nginx:latest
diff --git a/test/cli/test/mixed-deprecated/policy.yaml b/test/cli/test/mixed-deprecated/policy.yaml
new file mode 100644
index 000000000000..260d62a4d12f
--- /dev/null
+++ b/test/cli/test/mixed-deprecated/policy.yaml
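Review bot: The new mixed-deprecated/patched-resource1.yaml is not referenced anywhere in mixed-deprecated/kyverno-test.yaml, whose only `patchedResource:` entry points at `patched-resource.yaml`, so the file is dead weight in the fixture set. Its content is also byte-for-byte the second document of mixed-deprecated/resource.yaml (the `user-foo` pod the mutate rule's label selector does not match), so it is unlikely to be a meaningful expected-output file. Either drop it, or wire it in as the `patchedResource` of a third result for `ondemand-nodeselector` that pins the unmatched pod as unchanged, e.g. `- kind: Pod`, `patchedResource: patched-resource1.yaml`, `resources: [user-foo/nodeselector-without-labels-on-mutation]` with the result the CLI reports for a rule that does not match.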
@@ -0,0 +1,43 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/description: 'This Policy contains two different types of
+ rules that is validate as well as mutate. The validate rule validate against
+ the mutation or patches added by the mutate rule whereas mutate rule adds label
+ for nodeSelector "osc.edu/role: ondemand".'
+ name: ondemand
+spec:
+ validationFailureAction: Audit
+ admission: true
+ background: true
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - user-?*
+ name: ondemand-managed_by
+ validate:
+ message: '{{ request.object.metadata.namespace }} pods must be managed by open-ondemand'
+ pattern:
+ metadata:
+ labels:
+ app.kubernetes.io/managed-by: open-ondemand
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ app.kubernetes.io/managed-by: open-ondemand
+ mutate:
+ patchStrategicMerge:
+ spec:
+ nodeSelector:
+ osc.edu/role: ondemand
+ name: ondemand-nodeselector
diff --git a/test/cli/test/mixed-deprecated/resource.yaml b/test/cli/test/mixed-deprecated/resource.yaml
new file mode 100644
index 000000000000..325a5510529b
--- /dev/null
+++ b/test/cli/test/mixed-deprecated/resource.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nodeselector-with-labels-on-mutation
+ labels:
+ app.kubernetes.io/managed-by: open-ondemand
+ namespace: user-space
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nodeselector-without-labels-on-mutation
+ labels:
+ app.kubernetes.io/managed-by: "open-xyz"
+ namespace: user-foo
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
\ No newline at end of file
diff --git a/test/cli/test/mixed/policy.yaml b/test/cli/test/mixed/policy.yaml
index b2835e78b3cd..4acf77bd867c 100644
--- a/test/cli/test/mixed/policy.yaml
+++ b/test/cli/test/mixed/policy.yaml
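Review bot: mixed-deprecated/policy.yaml keeps `validationFailureAction: Audit` at `spec` level while every other fixture in this change moves that field under its `validate` block, and nothing in the file says the spec-level form is the deliberate subject of the test, so a later cleanup pass is likely to "fix" it and silently lose the coverage. I would add a comment directly above the field: `# Intentionally uses the deprecated spec-level validationFailureAction; the rule-level form is covered by test/cli/test/mixed.` Separately, resource.yaml is added without a trailing newline (`\ No newline at end of file`), which the sibling fixtures in this directory do have.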
@@ -21,6 +21,7 @@ spec: - user-?* name: ondemand-managed_by validate: + validationFailureAction: Audit message: '{{ request.object.metadata.namespace }} pods must be managed by open-ondemand' pattern: metadata: @@ -40,4 +41,3 @@ spec: nodeSelector: osc.edu/role: ondemand name: ondemand-nodeselector - validationFailureAction: Audit diff --git a/test/cli/test/multiple-validate-rules/policy.yaml b/test/cli/test/multiple-validate-rules/policy.yaml index f8649cdf0ba8..96c941f6db38 100644 --- a/test/cli/test/multiple-validate-rules/policy.yaml +++ b/test/cli/test/multiple-validate-rules/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: restrict-service-ports spec: - validationFailureAction: Enforce background: true rules: - name: restrict-port-range @@ -18,6 +17,7 @@ spec: operator: Equals value: 'LoadBalancer' validate: + validationFailureAction: Enforce message: >- Only approved ports may be used for LoadBalancer services. foreach: @@ -38,6 +38,7 @@ spec: kinds: - Service validate: + validationFailureAction: Enforce message: "NodePort services are not allowed. This is {{ request.object.spec.type }}" pattern: spec: diff --git a/test/cli/test/multiple_condition_keys/policy.yaml b/test/cli/test/multiple_condition_keys/policy.yaml index de9dc89989c2..170ad7ea3fe5 100644 --- a/test/cli/test/multiple_condition_keys/policy.yaml +++ b/test/cli/test/multiple_condition_keys/policy.yaml @@ -23,4 +23,4 @@ spec: value: - busybox - busybox1 - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/mutate-keda-scaled-object/policy.yaml b/test/cli/test/mutate-keda-scaled-object/policy.yaml index ae62084e7b76..f8f1bc290ff6 100644 --- a/test/cli/test/mutate-keda-scaled-object/policy.yaml +++ b/test/cli/test/mutate-keda-scaled-object/policy.yaml @@ -37,4 +37,3 @@ spec: value: - CREATE - UPDATE - validationFailureAction: Audit 
diff --git a/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml b/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml index dc4ee221a56b..ec962a49bb4b 100644 --- a/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml +++ b/test/cli/test/nil-values-in-variables/exclude_namespaces_dynamically/exclude_namespaces_dynamically.yaml @@ -44,4 +44,4 @@ spec: metadata: labels: foo: '*' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml b/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml index da6261d101be..157e35f404c5 100644 --- a/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml +++ b/test/cli/test/nil-values-in-variables/limit-duration/limit-duration.yaml @@ -37,4 +37,4 @@ spec: operator: NotEquals value: 2400 message: certificate duration must be < than 2400h (100 days) - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml b/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml index 5644a85a8625..c1b649e41fa7 100644 --- a/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml +++ b/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml @@ -32,4 +32,4 @@ spec: status: nodeInfo: kernelVersion: '!5.10.84-1 & !5.15.5-2' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/owner_references/policy.yaml b/test/cli/test/owner_references/policy.yaml index e0e0fc74730b..2e6e80763aab 100644 --- a/test/cli/test/owner_references/policy.yaml +++ b/test/cli/test/owner_references/policy.yaml @@ -28,4 +28,4 @@ spec: periodSeconds: '>0' readinessProbe: periodSeconds: '>0' - validationFailureAction: Enforce + validationFailureAction: Enforce 
diff --git a/test/cli/test/policy-reports-skip-validation/policy.yaml b/test/cli/test/policy-reports-skip-validation/policy.yaml index 74ac8ac20c41..3bdbfcc86f88 100644 --- a/test/cli/test/policy-reports-skip-validation/policy.yaml +++ b/test/cli/test/policy-reports-skip-validation/policy.yaml @@ -33,4 +33,4 @@ spec: operator: AnyNotIn value: '{{request.object.metadata.keys(@)}}' message: naked pods are not allowed - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/preconditions/policy.yaml b/test/cli/test/preconditions/policy.yaml index f1f9e52f3e32..b2550396ab7c 100644 --- a/test/cli/test/preconditions/policy.yaml +++ b/test/cli/test/preconditions/policy.yaml @@ -24,4 +24,4 @@ spec: spec: containers: - name: '*busybox*' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/rangeoperators/policy.yaml b/test/cli/test/rangeoperators/policy.yaml index d6fff22c6c3c..45954368e58c 100644 --- a/test/cli/test/rangeoperators/policy.yaml +++ b/test/cli/test/rangeoperators/policy.yaml @@ -22,4 +22,4 @@ spec: fourth_value: 2.5-3.5 second_value: -2-5 third_value: 100Mi!-1024Mi - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/resource_lists/policy.yaml b/test/cli/test/resource_lists/policy.yaml index e8dd213bfaf8..fe3259fc1b54 100644 --- a/test/cli/test/resource_lists/policy.yaml +++ b/test/cli/test/resource_lists/policy.yaml @@ -19,6 +19,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -31,9 +32,9 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Audit 
diff --git a/test/cli/test/restrict-something/policy.yaml b/test/cli/test/restrict-something/policy.yaml index a8337c4ed1cd..fe75ee740b1c 100644 --- a/test/cli/test/restrict-something/policy.yaml +++ b/test/cli/test/restrict-something/policy.yaml @@ -16,6 +16,7 @@ spec: - foo name: validate-some-foo validate: + validationFailureAction: Audit deny: conditions: - key: '{{ images.containers.*.registry }}' @@ -35,6 +36,7 @@ spec: - Pod name: validate-some-non-foo validate: + validationFailureAction: Audit deny: conditions: - key: '{{ images.containers.*.registry }}' @@ -42,4 +44,3 @@ spec: value: - bar.io message: Unknown image registry. - validationFailureAction: Audit diff --git a/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml b/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml index 1a848dea8d54..9ca6c6123db0 100644 --- a/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml +++ b/test/cli/test/restrict_ingress_host/restrict_ingress_host.yaml @@ -39,6 +39,7 @@ spec: operator: AllIn value: '{{ hosts }}' validate: + validationFailureAction: Audit deny: {} message: The Ingress host name must be unique. - match: @@ -56,6 +57,6 @@ spec: operator: GreaterThan value: 1 validate: + validationFailureAction: Audit deny: {} message: An Ingress resource may only contain a single host entry. - validationFailureAction: Audit diff --git a/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml b/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml index cbae90f9a3c1..51a82f64f2cd 100644 --- a/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml +++ b/test/cli/test/scale-subresource/enforce-replicas-for-scale-subresource.yml @@ -23,4 +23,4 @@ spec: pattern: spec: replicas: 2 - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/secret/policy.yaml b/test/cli/test/secret/policy.yaml index 1f7c66b242f1..fe3570caf409 100644 
--- a/test/cli/test/secret/policy.yaml +++ b/test/cli/test/secret/policy.yaml @@ -18,4 +18,3 @@ spec: labels: kyverno.com/maintainer: test name: add-maintainer - validationFailureAction: Audit diff --git a/test/cli/test/simple/policy.yaml b/test/cli/test/simple/policy.yaml index 0b57d822fbe6..de1ccf55069f 100644 --- a/test/cli/test/simple/policy.yaml +++ b/test/cli/test/simple/policy.yaml @@ -19,6 +19,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -33,12 +34,12 @@ spec: - test name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Audit --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -62,6 +63,7 @@ spec: operator: GreaterThan value: 8h message: Pod lifetime exceeds limit of 8h + validationFailureAction: Enforce - match: any: - resources: @@ -76,6 +78,7 @@ spec: operator: LessThan value: 8h message: Pod lifetime under limit of 8h + validationFailureAction: Enforce - match: any: - resources: @@ -90,6 +93,7 @@ spec: operator: GreaterThanOrEquals value: 8h message: Pod lifetime exceeds limit of 8h + validationFailureAction: Enforce - match: any: - resources: @@ -104,7 +108,7 @@ spec: operator: LessThanOrEquals value: 8h message: Pod lifetime under limit of 8h - validationFailureAction: Enforce + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -148,4 +152,4 @@ spec: operator: GreaterThan value: 10 message: A maximum of 10 Pods are allowed on the Node `minikube` - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/unordered-context-variables/policy.yaml b/test/cli/test/unordered-context-variables/policy.yaml index dbee1a6355df..9420798a3436 100644 --- a/test/cli/test/unordered-context-variables/policy.yaml 
+++ b/test/cli/test/unordered-context-variables/policy.yaml @@ -28,4 +28,4 @@ spec: spec: =(hostIPC): false =(hostPID): false - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/update/policy.yaml b/test/cli/test/update/policy.yaml index 6eaa67aca94d..a91696297d98 100644 --- a/test/cli/test/update/policy.yaml +++ b/test/cli/test/update/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-update-no-label-change spec: - validationFailureAction: Audit background: false rules: - name: check-label-change @@ -18,6 +17,7 @@ spec: operator: Equals value: UPDATE validate: + validationFailureAction: Audit message: Pass only if labels are different deny: conditions: diff --git a/test/cli/test/variables-deprecated/cm-array-example.yaml b/test/cli/test/variables-deprecated/cm-array-example.yaml new file mode 100644 index 000000000000..b724cec277b6 --- /dev/null +++ b/test/cli/test/variables-deprecated/cm-array-example.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cm-array-example +spec: + admission: true + background: false + rules: + - context: + - configMap: + name: roles-dictionary + namespace: default + name: roles-dictionary + match: + any: + - resources: + kinds: + - Pod + name: validate-role-annotation + validate: + deny: + conditions: + - key: '{{ request.object.metadata.annotations.role }}' + operator: NotIn + value: '{{ "roles-dictionary".data."allowed-roles" }}' + message: 'The role {{ request.object.metadata.annotations.role }} is not in + the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' + validationFailureAction: Enforce diff --git a/test/cli/test/variables-deprecated/cm-blk-scalar-example.yaml b/test/cli/test/variables-deprecated/cm-blk-scalar-example.yaml new file mode 100644 index 000000000000..ea727b52c157 --- /dev/null +++ b/test/cli/test/variables-deprecated/cm-blk-scalar-example.yaml 
@@ -0,0 +1,29 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cm-blk-scalar-example
+spec:
+ admission: true
+ background: false
+ rules:
+ - context:
+ - configMap:
+ name: roles-dictionary
+ namespace: default
+ name: roles-dictionary
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: validate-blk-role-annotation
+ validate:
+ deny:
+ conditions:
+ - key: '{{ request.object.metadata.annotations.role }}'
+ operator: NotIn
+ value: '{{ "roles-dictionary".data."allowed-roles" }}'
+ message: 'The role {{ request.object.metadata.annotations.role }} is not in
+ the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.'
+ validationFailureAction: Enforce
diff --git a/test/cli/test/variables-deprecated/cm-globalval-example.yaml b/test/cli/test/variables-deprecated/cm-globalval-example.yaml
new file mode 100644
index 000000000000..0b36123763ec
--- /dev/null
+++ b/test/cli/test/variables-deprecated/cm-globalval-example.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cm-globalval-example
+spec:
+ admission: true
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: validate-mode
+ validate:
+ deny:
+ conditions:
+ - key: '{{ request.mode }}'
+ operator: NotEquals
+ value: dev
+ message: The value {{ request.mode }} for val1 is not equal to 'dev'.
+ validationFailureAction: Enforce
diff --git a/test/cli/test/variables-deprecated/cm-multiple-example.yaml b/test/cli/test/variables-deprecated/cm-multiple-example.yaml
new file mode 100644
index 000000000000..6f6bca9537a2
--- /dev/null
+++ b/test/cli/test/variables-deprecated/cm-multiple-example.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cm-multiple-example
+spec:
+ admission: true
+ background: true
+ rules:
+ - context:
+ - configMap:
+ name: some-config-map
+ namespace: some-namespace
+ name: dictionary
+ - configMap:
+ name: another-config-map
+ namespace: some-namespace
+ name: anotherdictionary
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: example-configmap-lookup
+ validate:
+ pattern:
+ metadata:
+ labels:
+ my-environment-name: '{{dictionary.data.env || anotherdictionary.data.env
+ }}'
+ validationFailureAction: Audit
diff --git a/test/cli/test/variables-deprecated/cm-variable-example.yaml b/test/cli/test/variables-deprecated/cm-variable-example.yaml
new file mode 100644
index 000000000000..e25c2c7014fa
--- /dev/null
+++ b/test/cli/test/variables-deprecated/cm-variable-example.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cm-variable-example
+spec:
+ admission: true
+ background: true
+ rules:
+ - context:
+ - configMap:
+ name: some-config-map
+ namespace: some-namespace
+ name: dictionary
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: example-configmap-lookup
+ validate:
+ pattern:
+ metadata:
+ labels:
+ my-environment-name: '{{dictionary.data.env}}'
+ validationFailureAction: Audit
diff --git a/test/cli/test/variables-deprecated/image-example.yaml b/test/cli/test/variables-deprecated/image-example.yaml
new file mode 100644
index 000000000000..1ddc5ac9ea42
--- /dev/null
+++ b/test/cli/test/variables-deprecated/image-example.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: images
+spec:
+ admission: true
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: only-allow-trusted-images
+ preconditions:
+ all:
+ - key: '{{request.operation}}'
+ operator: NotEquals
+ value: DELETE
+ validate:
+ foreach:
+ - context:
+ - imageRegistry:
+ reference: '{{ element.image }}'
+ name: imageData
+ deny:
+ conditions:
+ all:
+ - key: '{{ imageData.configData.config.User || ''''}}'
+ operator: Equals
+ value: ""
+ - key: '{{ imageData.registry }}'
+ operator: NotEquals
+ value: ghcr.io
+ list: request.object.spec.containers
+ message: images with root user are not allowed
diff --git a/test/cli/test/variables-deprecated/kyverno-test.yaml b/test/cli/test/variables-deprecated/kyverno-test.yaml
new file mode 100644
index 000000000000..7186411884a3
--- /dev/null
+++ b/test/cli/test/variables-deprecated/kyverno-test.yaml
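Review bot: The deny message in image-example.yaml, `images with root user are not allowed`, overstates what the rule enforces: the `all` block only denies when the image config `User` is empty AND the registry is not `ghcr.io`, so a root-user image from ghcr.io is admitted (the `test-pod-with-trusted-registry` fixture in this change relies on exactly that). A message such as `message: images running as root are not allowed unless pulled from ghcr.io` would describe the actual contract, and a comment above the `all` block would save the next reader the same analysis. Note also that the empty-`User` check only catches images that never set `USER`; an image whose config sets `User: "0"` or `User: root` passes it, so this fixture should not be copied as a real root-blocking policy without widening that condition (for example `operator: AnyIn` against `["", "0", "root"]`). The spec-level `validationFailureAction: Enforce` appears deliberate for a `-deprecated` fixture, but the file does not say so.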
@@ -0,0 +1,88 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-test.yaml
+policies:
+- cm-variable-example.yaml
+- cm-multiple-example.yaml
+- cm-array-example.yaml
+- cm-blk-scalar-example.yaml
+- cm-globalval-example.yaml
+- image-example.yaml
+resources:
+- resources.yaml
+results:
+- kind: Pod
+ policy: cm-array-example
+ resources:
+ - test-web
+ result: fail
+ rule: validate-role-annotation
+- kind: Pod
+ policy: cm-array-example
+ resources:
+ - test-app
+ result: pass
+ rule: validate-role-annotation
+- kind: Pod
+ policy: cm-blk-scalar-example
+ resources:
+ - test-blk-web
+ result: fail
+ rule: validate-blk-role-annotation
+- kind: Pod
+ policy: cm-blk-scalar-example
+ resources:
+ - test-blk-app
+ result: pass
+ rule: validate-blk-role-annotation
+- kind: Pod
+ policy: cm-globalval-example
+ resources:
+ - test-global-prod
+ result: fail
+ rule: validate-mode
+- kind: Pod
+ policy: cm-globalval-example
+ resources:
+ - test-global-dev
+ result: pass
+ rule: validate-mode
+- kind: Pod
+ policy: cm-multiple-example
+ resources:
+ - test-env-dev
+ result: fail
+ rule: example-configmap-lookup
+- kind: Pod
+ policy: cm-multiple-example
+ resources:
+ - test-env-test
+ result: pass
+ rule: example-configmap-lookup
+- kind: Pod
+ policy: cm-variable-example
+ resources:
+ - test-env-dev
+ result: fail
+ rule: example-configmap-lookup
+- kind: Pod
+ policy: cm-variable-example
+ resources:
+ - test-env-test
+ result: pass
+ rule: example-configmap-lookup
+- kind: Pod
+ policy: images
+ resources:
+ - test-pod-with-non-trusted-registry
+ result: fail
+ rule: only-allow-trusted-images
+- kind: Pod
+ policy: images
+ resources:
+ - test-pod-with-non-root-user-image
+ - test-pod-with-trusted-registry
+ result: pass
+ rule: only-allow-trusted-images
+variables: variables.yaml
diff --git a/test/cli/test/variables-deprecated/resources.yaml b/test/cli/test/variables-deprecated/resources.yaml
new file mode 100644
index 000000000000..87ebc09296cc
--- /dev/null
+++ b/test/cli/test/variables-deprecated/resources.yaml
@@ -0,0 +1,110 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-env-test
+ labels:
+ my-environment-name: test
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-env-dev
+ labels:
+ my-environment-name: dev
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-web
+ annotations:
+ role: web
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-app
+ annotations:
+ role: app
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-blk-web
+ annotations:
+ role: web
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-blk-app
+ annotations:
+ role: app
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-global-prod
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-global-dev
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod-with-non-root-user-image
+spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod-with-trusted-registry
+spec:
+ containers:
+ - name: kyverno
+ image: ghcr.io/kyverno/kyverno
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod-with-non-trusted-registry
+spec:
+ containers:
+ - name: not-kyverno
+ image: gcr.io/not-kyverno/kyverno
diff --git a/test/cli/test/variables-deprecated/variables.yaml b/test/cli/test/variables-deprecated/variables.yaml
new file mode 100644
index 000000000000..ee0d6d8c7c75
--- /dev/null
+++ b/test/cli/test/variables-deprecated/variables.yaml
@@ -0,0 +1,79 @@
+apiVersion: cli.kyverno.io/v1alpha1
+globalValues:
+ request.mode: dev
+kind: Values
+policies:
+- name: cm-multiple-example
+ rules:
+ - name: example-configmap-lookup
+ values:
+ anotherdictionary.data.env: test
+ dictionary.data.env: ""
+- name: cm-variable-example
+ resources:
+ - name: test-env-test
+ values:
+ request.object.metadata.name: test-env-test
+ - name: test-env-dev
+ values:
+ request.object.metadata.name: test-env-dev
+ rules:
+ - name: example-configmap-lookup
+ values:
+ dictionary:
+ data:
+ env: test
+- name: cm-array-example
+ resources:
+ - name: test-web
+ values:
+ request.object.metadata.annotations.role: web
+ - name: test-app
+ values:
+ request.object.metadata.annotations.role: app
+ rules:
+ - name: validate-role-annotation
+ values:
+ roles-dictionary.data.allowed-roles: '["app","test"]'
+- name: cm-blk-scalar-example
+ resources:
+ - name: test-blk-web
+ values:
+ request.object.metadata.annotations.role: web
+ - name: test-blk-app
+ values:
+ request.object.metadata.annotations.role: app
+ rules:
+ - name: validate-blk-role-annotation
+ values:
+ roles-dictionary.data.allowed-roles: '["app", "test"]'
+- name: cm-globalval-example
+ resources:
+ - name: test-global-prod
+ values:
+ request.mode: prod
+- name: images
+ resources:
+ - name: test-pod-with-non-root-user-image
+ values:
+ element.name: nginx
+ imageData.configData.config.User: nginx
+ imageData.registry: index.docker.io
+ - name: test-pod-with-trusted-registry
+ values:
+ element.name: kyverno
+ imageData.configData.config.User: ""
+ imageData.registry: ghcr.io
+ - name: test-pod-with-non-trusted-registry
+ values:
+ element:
+ name: not-kyverno
+ imageData:
+ configData:
+ config:
+ User: ""
+ registry: gcr.io
+ rules:
+ - name: only-allow-trusted-images
+ values:
+ request.operation: CREATE
diff --git a/test/cli/test/variables/cm-array-example.yaml b/test/cli/test/variables/cm-array-example.yaml
index d078f090ca83..b724cec277b6 100644
--- a/test/cli/test/variables/cm-array-example.yaml +++ b/test/cli/test/variables/cm-array-example.yaml @@ -26,4 +26,4 @@ spec: value: '{{ "roles-dictionary".data."allowed-roles" }}' message: 'The role {{ request.object.metadata.annotations.role }} is not in the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/variables/cm-blk-scalar-example.yaml b/test/cli/test/variables/cm-blk-scalar-example.yaml index 44130771d43e..ea727b52c157 100644 --- a/test/cli/test/variables/cm-blk-scalar-example.yaml +++ b/test/cli/test/variables/cm-blk-scalar-example.yaml @@ -26,4 +26,4 @@ spec: value: '{{ "roles-dictionary".data."allowed-roles" }}' message: 'The role {{ request.object.metadata.annotations.role }} is not in the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/variables/cm-globalval-example.yaml b/test/cli/test/variables/cm-globalval-example.yaml index 8faf1a5223e2..0b36123763ec 100644 --- a/test/cli/test/variables/cm-globalval-example.yaml +++ b/test/cli/test/variables/cm-globalval-example.yaml @@ -20,4 +20,4 @@ spec: operator: NotEquals value: dev message: The value {{ request.mode }} for val1 is not equal to 'dev'. - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/variables/cm-multiple-example.yaml b/test/cli/test/variables/cm-multiple-example.yaml index 14fccbe5ced3..6f6bca9537a2 100644 --- a/test/cli/test/variables/cm-multiple-example.yaml +++ b/test/cli/test/variables/cm-multiple-example.yaml @@ -28,4 +28,4 @@ spec: labels: my-environment-name: '{{dictionary.data.env || anotherdictionary.data.env }}' - validationFailureAction: Audit + validationFailureAction: Audit 
diff --git a/test/cli/test/variables/cm-variable-example.yaml b/test/cli/test/variables/cm-variable-example.yaml index 7cf02aafe6ec..e25c2c7014fa 100644 --- a/test/cli/test/variables/cm-variable-example.yaml +++ b/test/cli/test/variables/cm-variable-example.yaml @@ -23,4 +23,4 @@ spec: metadata: labels: my-environment-name: '{{dictionary.data.env}}' - validationFailureAction: Audit + validationFailureAction: Audit diff --git a/test/cli/test/variables/image-example.yaml b/test/cli/test/variables/image-example.yaml index e1a7bc2fcd4c..7ce05f320147 100644 --- a/test/cli/test/variables/image-example.yaml +++ b/test/cli/test/variables/image-example.yaml @@ -35,4 +35,4 @@ spec: value: ghcr.io list: request.object.spec.containers message: images with root user are not allowed - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/wildcard_match_label_selector/policy.yaml b/test/cli/test/wildcard_match_label_selector/policy.yaml index 3b225b3a741f..6cb200033afb 100644 --- a/test/cli/test/wildcard_match_label_selector/policy.yaml +++ b/test/cli/test/wildcard_match_label_selector/policy.yaml @@ -17,6 +17,7 @@ spec: protected: '*' name: wildcard-label validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -32,6 +33,7 @@ spec: protected: '*-test' name: label-end-with-test validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -52,4 +54,4 @@ spec: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce + validationFailureAction: Enforce diff --git a/test/cli/test/wildcard_mutate/policy.yaml b/test/cli/test/wildcard_mutate/policy.yaml index d203af3deec8..c8667728b076 100644 --- a/test/cli/test/wildcard_mutate/policy.yaml +++ b/test/cli/test/wildcard_mutate/policy.yaml @@ -19,4 +19,3 @@ spec: annotations: test: app name: mutate-wildcard - validationFailureAction: Audit 
diff --git a/test/conformance/chainsaw/autogen/assert-autogen/README.md b/test/conformance/chainsaw/autogen/assert-autogen/README.md
new file mode 100644
index 000000000000..b32768eea0e9
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/assert-autogen/README.md
@@ -0,0 +1,8 @@
+## Description
+
+The policy should contain autogen rules for cronjobs and deployments because it has the `pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob` annotation.
+
+## Expected Behavior
+
+The policy gets created and contains a autogen rules for cronjobs and deployments in the status.
+
diff --git a/test/conformance/chainsaw/autogen/assert-autogen/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/assert-autogen/chainsaw-test.yaml
new file mode 100755
index 000000000000..ce556cb6c793
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/assert-autogen/chainsaw-test.yaml
@@ -0,0 +1,13 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: assert-autogen
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/autogen/assert-autogen/policy-assert.yaml b/test/conformance/chainsaw/autogen/assert-autogen/policy-assert.yaml
new file mode 100644
index 000000000000..c2c973a44910
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/assert-autogen/policy-assert.yaml
@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-default-sa
+spec:
+ validationFailureAction: Audit
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: disallow-default-sa
+ validate:
+ message: default ServiceAccount should not be used
+ assert:
+ object:
+ spec:
+ (serviceAccountName == 'default'): false
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+ autogen:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ name: autogen-disallow-default-sa
+ validate:
+ message: default ServiceAccount should not be used
+ assert:
+ object:
+ spec:
+ template:
+ spec:
+ (serviceAccountName == 'default'): false
+ - match:
+ any:
+ - resources:
+ kinds:
+ - CronJob
+ name: autogen-cronjob-disallow-default-sa
+ validate:
+ message: default ServiceAccount should not be used
+ assert:
+ object:
+ spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ (serviceAccountName == 'default'): false
diff --git a/test/conformance/chainsaw/autogen/assert-autogen/policy.yaml b/test/conformance/chainsaw/autogen/assert-autogen/policy.yaml
new file mode 100644
index 000000000000..fbc1f846299c
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/assert-autogen/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-default-sa
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob
+spec:
+ validationFailureAction: Audit
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: disallow-default-sa
+ validate:
+ message: default ServiceAccount should not be used
+ assert:
+ object:
+ spec:
+ (serviceAccountName == 'default'): false
diff --git a/test/conformance/chainsaw/autogen/conditions-deprecated/README.md b/test/conformance/chainsaw/autogen/conditions-deprecated/README.md
new file mode 100644
index 000000000000..e52cebc4c04e
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/conditions-deprecated/README.md
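Review bot: The new assert-autogen/policy.yaml uses the spec-level `validationFailureAction: Audit` even though it lives in a non-`-deprecated` directory, whereas the sibling conditions test in this same change is migrated to `validate.validationFailureAction` and its assert now expects that field to be carried into each autogen rule. Unless the spec-level form is what this test is meant to pin, I would move the field under `validate:` in policy.yaml and, assuming the autogen pass propagates it the way conditions/policy-assert.yaml expects, add `validationFailureAction: Audit` to the `validate` block of both autogen rules in policy-assert.yaml so the assertion also covers the propagation. If the spec-level form is intentional, a comment above it saying so (and why it is not in a `-deprecated` directory) would prevent the next migration pass from changing it. The README's "contains a autogen rules" should read "contains autogen rules".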
@@ -0,0 +1,11 @@
+## Description
+
+The policy should contain autogen rules with deny conditions correctly adjusted.
+
+## Expected Behavior
+
+The policy contains autogen rules with deny conditions correctly adjusted.
+
+## Related Issue(s)
+
+- https://github.com/kyverno/kyverno/issues/7566
diff --git a/test/conformance/chainsaw/autogen/conditions-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/conditions-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..be01acaeff8b
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/conditions-deprecated/chainsaw-test.yaml
@@ -0,0 +1,13 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: conditions
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
diff --git a/test/conformance/chainsaw/autogen/conditions-deprecated/policy-assert.yaml b/test/conformance/chainsaw/autogen/conditions-deprecated/policy-assert.yaml
new file mode 100644
index 000000000000..561108308ba3
--- /dev/null
+++ b/test/conformance/chainsaw/autogen/conditions-deprecated/policy-assert.yaml
@@ -0,0 +1,49 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: allowed-annotations +spec: {} +status: + autogen: + rules: + - match: + any: + - resources: + kinds: + - DaemonSet + - Deployment + - Job + - ReplicaSet + - ReplicationController + - StatefulSet + name: autogen-allowed-fluxcd-annotations + validate: + deny: + conditions: + all: + - key: '{{ request.object.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}' + operator: AnyNotIn + value: + - fluxcd.io/cow + - fluxcd.io/dog + message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-allowed-fluxcd-annotations + validate: + deny: + conditions: + all: + - key: '{{ request.object.spec.jobTemplate.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}' + operator: AnyNotIn + value: + - fluxcd.io/cow + - fluxcd.io/dog + message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/autogen/conditions-deprecated/policy.yaml b/test/conformance/chainsaw/autogen/conditions-deprecated/policy.yaml new file mode 100644 index 000000000000..fc38471aba0e --- /dev/null +++ b/test/conformance/chainsaw/autogen/conditions-deprecated/policy.yaml @@ -0,0 +1,24 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: allowed-annotations +spec: + validationFailureAction: Enforce + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + name: allowed-fluxcd-annotations + validate: + deny: + conditions: + all: + - key: '{{ request.object.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}' + operator: AnyNotIn + value: + - fluxcd.io/cow + - fluxcd.io/dog + message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. 
diff --git a/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml b/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml index 561108308ba3..1a19e25a568b 100644 --- a/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/conditions/policy-assert.yaml @@ -27,6 +27,7 @@ status: - fluxcd.io/cow - fluxcd.io/dog message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + validationFailureAction: Enforce - match: any: - resources: @@ -43,6 +44,7 @@ status: - fluxcd.io/cow - fluxcd.io/dog message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + validationFailureAction: Enforce conditions: - reason: Succeeded status: "True" diff --git a/test/conformance/chainsaw/autogen/conditions/policy.yaml b/test/conformance/chainsaw/autogen/conditions/policy.yaml index e0d1a7d0eff7..580fc91ca7b7 100644 --- a/test/conformance/chainsaw/autogen/conditions/policy.yaml +++ b/test/conformance/chainsaw/autogen/conditions/policy.yaml @@ -12,6 +12,7 @@ spec: - Pod name: allowed-fluxcd-annotations validate: + validationFailureAction: Enforce deny: conditions: all: @@ -21,4 +22,3 @@ spec: - fluxcd.io/cow - fluxcd.io/dog message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. - validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/README.md b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/README.md new file mode 100644 index 000000000000..95624aac6e9a --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/README.md 
@@ -0,0 +1,11 @@ +## Description + +The policy should contain autogen rules for cronjobs and deployments because it has the `pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob` annotation. + +## Expected Behavior + +The policy gets created and contains a autogen rules for cronjobs and deployments in the status. + +## Related Issue(s) + +- https://github.com/kyverno/kyverno/issues/7444 diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..42af2f2e71bd --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/chainsaw-test.yaml @@ -0,0 +1,13 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: deployment-cronjob +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy-assert.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy-assert.yaml new file mode 100644 index 000000000000..181e0a9df186 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy-assert.yaml 
@@ -0,0 +1,98 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: + rules: + - match: + any: + - resources: + kinds: + - Deployment + name: autogen-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Deployment + name: autogen-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + template: + spec: + containers: + - image: '!*:latest' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy.yaml new file mode 100644 index 000000000000..467a033ab388 --- /dev/null +++ b/test/conformance/chainsaw/autogen/deployment-cronjob-deprecated/policy.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag + annotations: + pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml index 181e0a9df186..1b67b0ff8a14 100644 --- a/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/deployment-cronjob/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -43,6 +44,7 @@ status: - Deployment name: autogen-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -57,6 +59,7 @@ status: - CronJob name: autogen-cronjob-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -73,6 +76,7 @@ status: - Deployment name: autogen-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: 
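Review bot: The `disallow-latest-tag` fixture reintroduced here (and in the other new `-deprecated` directories in this diff) enforces "tag required" with the wildcard `'*:*'`, which is satisfied by an untagged image from a port-qualified registry such as `myregistry:5000/nginx`, and `'!*:latest'` is satisfied by the same string, so that image resolves to `latest` at pull time yet passes both rules. That is fine for a test whose subject is autogen expansion with the deprecated spec-level `validationFailureAction`, but nothing in the file says it is not a real policy. A one-line comment above `rules:` such as `# autogen fixture: the image patterns are illustrative, not a complete latest-tag guard` would keep it from being lifted into a cluster; a real policy is better off checking the parsed tag (Kyverno exposes one through its `images` variable, if memory serves) rather than a string wildcard.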
@@ -87,6 +91,7 @@ status: - CronJob name: autogen-cronjob-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml b/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml index 467a033ab388..90a9cf0664a1 100644 --- a/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml +++ b/test/conformance/chainsaw/autogen/deployment-cronjob/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: Deployment,CronJob spec: - validationFailureAction: Audit rules: - match: any: @@ -14,6 +13,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -26,6 +26,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml index 29025bc3ed20..3a94b5bf786a 100644 --- a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: 
@@ -45,6 +46,7 @@ status: - StatefulSet name: autogen-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -61,6 +63,7 @@ status: - StatefulSet name: autogen-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml index eecb0fd7c8d1..ffa40232a325 100644 --- a/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml +++ b/test/conformance/chainsaw/autogen/deployment-statefulset-job/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: Deployment,StatefulSet,Job spec: - validationFailureAction: Audit rules: - match: any: @@ -14,6 +13,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -26,6 +26,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/none-deprecated/README.md b/test/conformance/chainsaw/autogen/none-deprecated/README.md new file mode 100644 index 000000000000..b7c8e1c1badc --- /dev/null +++ b/test/conformance/chainsaw/autogen/none-deprecated/README.md @@ -0,0 +1,7 @@ +## Description + +The policy should contain no autogen rules because it has the `pod-policies.kyverno.io/autogen-controllers: none` annotation. + +## Expected Behavior + +The policy gets created and have no autogen rules recorded in the status. diff --git a/test/conformance/chainsaw/autogen/none-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/none-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..cbcce6f996f3 --- /dev/null 
+++ b/test/conformance/chainsaw/autogen/none-deprecated/chainsaw-test.yaml @@ -0,0 +1,13 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: none +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/none-deprecated/policy-assert.yaml b/test/conformance/chainsaw/autogen/none-deprecated/policy-assert.yaml new file mode 100644 index 000000000000..20ea7d32a6d9 --- /dev/null +++ b/test/conformance/chainsaw/autogen/none-deprecated/policy-assert.yaml @@ -0,0 +1,37 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: {} diff --git a/test/conformance/chainsaw/autogen/none-deprecated/policy.yaml b/test/conformance/chainsaw/autogen/none-deprecated/policy.yaml new file mode 100644 index 000000000000..9c4a105a8563 --- /dev/null +++ b/test/conformance/chainsaw/autogen/none-deprecated/policy.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/none/policy-assert.yaml b/test/conformance/chainsaw/autogen/none/policy-assert.yaml index 20ea7d32a6d9..e0fe17bbb4ff 100644 --- a/test/conformance/chainsaw/autogen/none/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/none/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/none/policy.yaml b/test/conformance/chainsaw/autogen/none/policy.yaml index 9c4a105a8563..3c26e24d3eb9 100644 --- a/test/conformance/chainsaw/autogen/none/policy.yaml +++ b/test/conformance/chainsaw/autogen/none/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit rules: - match: any: @@ -14,6 +13,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: 
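Review bot: This new `none-deprecated` policy.yaml creates a cluster-scoped `ClusterPolicy` named `disallow-latest-tag`, the same name the existing `none`, `should-autogen`, `only-*` and `deployment-*` tests use and that the other new `-deprecated` fixtures in this diff reuse. ClusterPolicy is not namespaced, so chainsaw's per-test namespace does not isolate these tests from each other: if the suite runs tests concurrently, one test's `apply` can overwrite the policy (including its autogen annotation and where `validationFailureAction` lives) while another test's `assert` is still waiting on status, and the cleanup of one test can race the assert of another. Giving each deprecated fixture its own name, e.g. `name: disallow-latest-tag-none-deprecated` here and in the companion policy-assert.yaml, removes the shared state; if the runner is known to be sequential, a comment next to the name saying so would at least record the assumption.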
@@ -26,6 +26,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml b/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml index 19687d3167a2..e599ce36c9ac 100644 --- a/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/only-cronjob/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -43,6 +44,7 @@ status: - CronJob name: autogen-cronjob-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -59,6 +61,7 @@ status: - CronJob name: autogen-cronjob-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml b/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml index 4fd854b9974e..41767bd475c8 100644 --- a/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml +++ b/test/conformance/chainsaw/autogen/only-cronjob/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: CronJob spec: - validationFailureAction: Audit rules: - match: any: @@ -14,6 +13,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: 
@@ -26,6 +26,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml b/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml index 53441000e541..351fa6018801 100644 --- a/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/only-deployment/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -43,6 +44,7 @@ status: - Deployment name: autogen-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -57,6 +59,7 @@ status: - Deployment name: autogen-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/only-deployment/policy.yaml b/test/conformance/chainsaw/autogen/only-deployment/policy.yaml index 3f124a8a67ef..54c416fbf92a 100644 --- a/test/conformance/chainsaw/autogen/only-deployment/policy.yaml +++ b/test/conformance/chainsaw/autogen/only-deployment/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: Deployment spec: - validationFailureAction: Audit rules: - match: any: @@ -14,6 +13,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: 
@@ -26,6 +26,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/restrict-image-registries/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/restrict-image-registries/chainsaw-test.yaml new file mode 100755 index 000000000000..924b00124721 --- /dev/null +++ b/test/conformance/chainsaw/autogen/restrict-image-registries/chainsaw-test.yaml @@ -0,0 +1,34 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-image-registries +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - script: + content: kubectl run nginx-1 --image nginx + check: + ($error != null): true + (contains($stderr, 'rule validate-registries failed at path /spec/containers/0/image/')): true + - name: step-03 + try: + - script: + content: kubectl create deployment testing --image=nginx --replicas=1 + check: + ($error != null): true + (contains($stderr, 'rule autogen-validate-registries failed at path /spec/template/spec/containers/0/image/')): true + - name: step-04 + try: + - script: + content: kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *" + check: + ($error != null): true + (contains($stderr, 'rule autogen-cronjob-validate-registries failed')): true diff --git a/test/conformance/chainsaw/autogen/restrict-image-registries/policy-assert.yaml b/test/conformance/chainsaw/autogen/restrict-image-registries/policy-assert.yaml new file mode 100644 index 000000000000..63fafdfe8f62 --- /dev/null +++ b/test/conformance/chainsaw/autogen/restrict-image-registries/policy-assert.yaml 
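Review bot: The three kubectl steps added in the restrict-image-registries chainsaw-test.yaml only check that the policy denies, so a policy that rejected every image (a mistyped pattern, for instance) would still turn this test green; nothing asserts that an image under `registry.domain.com/` is admitted. The commands also run without `-n $NAMESPACE`, so if a deny ever fails to fire the Pod, Deployment or CronJob lands in the kubeconfig's default namespace and outlives the test, since chainsaw only tears down the namespace it created (it exposes that namespace to script steps as `$NAMESPACE`, as far as I know). Adding a positive step in the test namespace, and passing `-n $NAMESPACE` on the existing three, would make the test prove both halves of the policy and keep it self-cleaning.
```yaml
  - name: step-05
    try:
    - script:
        # positive case: an image from the allowed registry must be admitted
        content: kubectl run nginx-ok --image registry.domain.com/nginx -n $NAMESPACE
        check:
          ($error == null): true
```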
@@ -0,0 +1,69 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-image-registries +spec: + admission: true + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + name: validate-registries + skipBackgroundRequests: true + validate: + message: Images may only come from our internal enterprise registry. + pattern: + spec: + containers: + - image: registry.domain.com/* + validationFailureAction: Enforce +status: + autogen: + rules: + - match: + any: + - resources: + kinds: + - DaemonSet + - Deployment + - Job + - ReplicaSet + - ReplicationController + - StatefulSet + name: autogen-validate-registries + skipBackgroundRequests: true + validate: + message: Images may only come from our internal enterprise registry. + pattern: + spec: + template: + spec: + containers: + - image: registry.domain.com/* + validationFailureAction: Enforce + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-validate-registries + skipBackgroundRequests: true + validate: + message: Images may only come from our internal enterprise registry. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: registry.domain.com/* + validationFailureAction: Enforce + conditions: + - message: Ready + reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/autogen/restrict-image-registries/policy.yaml b/test/conformance/chainsaw/autogen/restrict-image-registries/policy.yaml new file mode 100644 index 000000000000..5ee3ad7cf66e --- /dev/null +++ b/test/conformance/chainsaw/autogen/restrict-image-registries/policy.yaml 
@@ -0,0 +1,19 @@ +apiVersion : kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-image-registries +spec: + rules: + - name: validate-registries + match: + any: + - resources: + kinds: + - Pod + validate: + validationFailureAction: Enforce + message: "Images may only come from our internal enterprise registry." + pattern: + spec: + containers: + - image: "registry.domain.com/*" diff --git a/test/conformance/chainsaw/autogen/should-autogen-deprecated/README.md b/test/conformance/chainsaw/autogen/should-autogen-deprecated/README.md new file mode 100644 index 000000000000..bbbe68d45f39 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-autogen-deprecated/README.md @@ -0,0 +1,7 @@ +## Description + +The policy should contain all autogen rules. + +## Expected Behavior + +The policy gets created and contains all autogen rules in the status. diff --git a/test/conformance/chainsaw/autogen/should-autogen-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/should-autogen-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..460a82615b71 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-autogen-deprecated/chainsaw-test.yaml @@ -0,0 +1,13 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: should-autogen +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy-assert.yaml new file mode 100644 index 000000000000..08fc06865280 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy-assert.yaml 
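Review bot: The validate pattern in this new restrict-image-registries policy only constrains `spec.containers[].image`; an init container or ephemeral container pulling from an arbitrary registry is not checked, and the autogen rules in the companion policy-assert.yaml inherit the same gap for Deployments and CronJobs. As an autogen fixture that is acceptable, but the file reads as a ready-to-use policy and the chainsaw steps only exercise `containers`, so the limitation is invisible. Extending the pattern with conditional anchors leaves the failure paths the test asserts on (`/spec/containers/0/image/`) unchanged while closing the hole; alternatively a `# fixture: containers only, not initContainers/ephemeralContainers` comment above `pattern:` would make the limitation explicit.
```yaml
      pattern:
        spec:
          # … unchanged: containers entry …
          # conditional anchors: checked only when the list is present
          =(initContainers):
          - image: "registry.domain.com/*"
          =(ephemeralContainers):
          - image: "registry.domain.com/*"
```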
@@ -0,0 +1,108 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: + rules: + - match: + any: + - resources: + kinds: + - DaemonSet + - Deployment + - Job + - ReplicaSet + - ReplicationController + - StatefulSet + name: autogen-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - DaemonSet + - Deployment + - Job + - ReplicaSet + - ReplicationController + - StatefulSet + name: autogen-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + template: + spec: + containers: + - image: '!*:latest' + - match: + any: + - resources: + kinds: + - CronJob + name: autogen-cronjob-validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + jobTemplate: + spec: + template: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy.yaml b/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy.yaml new file mode 100644 index 000000000000..0e4770f3e7e9 --- /dev/null 
+++ b/test/conformance/chainsaw/autogen/should-autogen-deprecated/policy.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml index 08fc06865280..952e639d43fc 100644 --- a/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/should-autogen/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: @@ -48,6 +49,7 @@ status: - StatefulSet name: autogen-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -62,6 +64,7 @@ status: - CronJob name: autogen-cronjob-require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -83,6 +86,7 @@ status: - StatefulSet name: autogen-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: 
@@ -97,6 +101,7 @@ status: - CronJob name: autogen-cronjob-validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/should-autogen/policy.yaml b/test/conformance/chainsaw/autogen/should-autogen/policy.yaml index 0e4770f3e7e9..3fbaa4c1d20a 100644 --- a/test/conformance/chainsaw/autogen/should-autogen/policy.yaml +++ b/test/conformance/chainsaw/autogen/should-autogen/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -12,6 +11,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -24,6 +24,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/README.md b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/README.md new file mode 100644 index 000000000000..3e7d26726f3f --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/README.md @@ -0,0 +1,7 @@ +## Description + +The policy should not contain autogen rules as autogen should not apply to the policy (it's not a `Pod` only policy). + +## Expected Behavior + +The policy gets created and contains no autogen rules in the status. diff --git a/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..c69b1907bd03 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/chainsaw-test.yaml 
@@ -0,0 +1,13 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: should-not-autogen +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy-assert.yaml new file mode 100644 index 000000000000..e16f08f26525 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy-assert.yaml @@ -0,0 +1,38 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + - Deployment + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready + autogen: {} diff --git a/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy.yaml b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy.yaml new file mode 100644 index 000000000000..62a1223e6742 --- /dev/null +++ b/test/conformance/chainsaw/autogen/should-not-autogen-deprecated/policy.yaml 
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag +spec: + validationFailureAction: Audit + rules: + - match: + any: + - resources: + kinds: + - Pod + - Deployment + name: require-image-tag + validate: + message: An image tag is required. + pattern: + spec: + containers: + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + name: validate-image-tag + validate: + message: Using a mutable image tag e.g. 'latest' is not allowed. + pattern: + spec: + containers: + - image: '!*:latest' diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml b/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml index e16f08f26525..b93773c82d9d 100644 --- a/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml +++ b/test/conformance/chainsaw/autogen/should-not-autogen/policy-assert.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -13,6 +12,7 @@ spec: - Deployment name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: @@ -25,6 +25,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml b/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml index 62a1223e6742..f1a824139fec 100644 --- a/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml +++ b/test/conformance/chainsaw/autogen/should-not-autogen/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit rules: - match: any: @@ -13,6 +12,7 @@ spec: - Deployment name: require-image-tag validate: + validationFailureAction: Audit message: An image tag is required. pattern: spec: 
@@ -25,6 +25,7 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Audit message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/README.md b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/README.md new file mode 100644 index 000000000000..8e7d11859bb7 --- /dev/null +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/README.md @@ -0,0 +1,10 @@ +## Description + +This test creates a policy with `admission` set to `false`. +Then it creates a resource that violates the policy. + +## Expected Behavior + +The resource creates fine as the policy doesn't apply at admission time. +No admission event is created. +One background event is created. diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/admission-event.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/admission-event.yaml new file mode 100644 index 000000000000..a2e37ce4a1a4 --- /dev/null +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/admission-event.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +involvedObject: + apiVersion: v1 + kind: Pod + name: pod +kind: Event +metadata: {} +reportingComponent: kyverno-admission diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/background-event.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/background-event.yaml new file mode 100644 index 000000000000..8a25b544c0ed --- /dev/null +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/background-event.yaml 
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-scan
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..1b04d86664cc
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/chainsaw-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: no-admission-event
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: background-event.yaml
+ - error:
+ file: admission-event.yaml
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy-assert.yaml
new file mode 100644
index 000000000000..4e2954e27886
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy.yaml
new file mode 100644
index 000000000000..9ba9837c465d
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/policy.yaml
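Review bot: The policy-assert for this deprecated-field copy checks only the Ready condition with `spec: {}`, so it never pins that the spec-level `validationFailureAction: Enforce` the policy carries is accepted and retained, and because the policy runs with `admission: false` the Enforce/Audit choice has no observable effect on the admitted pod either. The autogen sibling added in this same change asserts `spec.validationFailureAction: Audit` explicitly; mirroring that here, `spec:` / `  validationFailureAction: Enforce` / `  admission: false`, would give the deprecated-field coverage something to detect. Without it, a later removal of the field from the CRD would presumably leave this test green while the policy silently took the default action.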
@@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate +spec: + validationFailureAction: Enforce + admission: false + background: true + rules: + - name: validate + match: + any: + - resources: + kinds: + - Pod + validate: + deny: {} diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/resource.yaml new file mode 100644 index 000000000000..3e067cb88b68 --- /dev/null +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event-deprecated/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml index 9ba9837c465d..6431b95be2e5 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-event/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/README.md b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/README.md new file mode 100644 index 000000000000..2ca354e9f6ac --- /dev/null +++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/README.md 
@@ -0,0 +1,9 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission report is created.
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/admission-report.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/admission-report.yaml
new file mode 100644
index 000000000000..edafe074327a
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/admission-report.yaml
@@ -0,0 +1,7 @@
+apiVersion: reports.kyverno.io/v1
+kind: EphemeralReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: pod
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..19248d74840e
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: no-admission-report
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - name: step-03
+ try:
+ - error:
+ file: admission-report.yaml
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy-assert.yaml
new file mode 100644
index 000000000000..4e2954e27886
--- /dev/null
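Review bot: step-03 of chainsaw-test.yaml runs only `error` against admission-report.yaml immediately after the pod is applied, with no positive signal first; if chainsaw's `error` returns as soon as the EphemeralReport is absent (its wait semantics are not visible here), the step can pass before the admission path would ever have written a report, so it proves little about `admission: false`. The no-admission-event sibling in this change asserts the background event before erroring on the admission event, which anchors the negative check to a moment when the policy has demonstrably run; mirroring that by first asserting the background-generated report for `pod` and only then erroring on the admission EphemeralReport would make this test robust to timing. The non-deprecated test this directory was copied from has the same shape, but it is outside this hunk.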
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy.yaml
new file mode 100644
index 000000000000..9ba9837c465d
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/resource.yaml
new file mode 100644
index 000000000000..3e067cb88b68
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report-deprecated/resource.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod
+spec:
+ containers:
+ - name: container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
index 9ba9837c465d..6431b95be2e5 100644
--- a/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
+++ b/test/conformance/chainsaw/background-only/cluster-policy/no-admission-report/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/README.md b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/README.md new file mode 100644 index 000000000000..89489ef4652a --- /dev/null +++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/README.md @@ -0,0 +1,8 @@ +## Description + +This test creates a policy with `admission` set to `false`. +Then it creates a resource that violates the policy. + +## Expected Behavior + +The resource creates fine as the policy doesn't apply at admission time. diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..cb87369ca514 --- /dev/null +++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/chainsaw-test.yaml @@ -0,0 +1,17 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: not-rejected +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: resource.yaml diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy-assert.yaml new file mode 100644 index 000000000000..4e2954e27886 --- /dev/null +++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy-assert.yaml 
@@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate +spec: {} +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy.yaml new file mode 100644 index 000000000000..9ba9837c465d --- /dev/null +++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/policy.yaml @@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate +spec: + validationFailureAction: Enforce + admission: false + background: true + rules: + - name: validate + match: + any: + - resources: + kinds: + - Pod + validate: + deny: {} diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/resource.yaml new file mode 100644 index 000000000000..3e067cb88b68 --- /dev/null +++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected-deprecated/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml index 9ba9837c465d..6431b95be2e5 100644 --- a/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml +++ b/test/conformance/chainsaw/background-only/cluster-policy/not-rejected/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {} 
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/README.md b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/README.md
new file mode 100644
index 000000000000..8e7d11859bb7
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
+No admission event is created.
+One background event is created.
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/admission-event.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/admission-event.yaml
new file mode 100644
index 000000000000..a2e37ce4a1a4
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/admission-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-admission
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/background-event.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/background-event.yaml
new file mode 100644
index 000000000000..8a25b544c0ed
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/background-event.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+involvedObject:
+ apiVersion: v1
+ kind: Pod
+ name: pod
+kind: Event
+metadata: {}
+reportingComponent: kyverno-scan
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..1b04d86664cc
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/chainsaw-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: no-admission-event
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: background-event.yaml
+ - error:
+ file: admission-event.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy-assert.yaml
new file mode 100644
index 000000000000..d3196721f200
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy.yaml
new file mode 100644
index 000000000000..92bab9083285
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/policy.yaml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec:
+ validationFailureAction: Enforce
+ admission: false
+ background: true
+ rules:
+ - name: validate
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny: {}
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/resource.yaml new file mode 100644 index 000000000000..3e067cb88b68 --- /dev/null +++ b/test/conformance/chainsaw/background-only/policy/no-admission-event-deprecated/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml index 92bab9083285..91a845df053d 100644 --- a/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml +++ b/test/conformance/chainsaw/background-only/policy/no-admission-event/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/README.md b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/README.md new file mode 100644 index 000000000000..2ca354e9f6ac --- /dev/null +++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/README.md @@ -0,0 +1,9 @@ +## Description + +This test creates a policy with `admission` set to `false`. +Then it creates a resource that violates the policy. + +## Expected Behavior + +The resource creates fine as the policy doesn't apply at admission time. +No admission report is created. 
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/admission-report.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/admission-report.yaml
new file mode 100644
index 000000000000..edafe074327a
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/admission-report.yaml
@@ -0,0 +1,7 @@
+apiVersion: reports.kyverno.io/v1
+kind: EphemeralReport
+metadata:
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: pod
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..19248d74840e
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: no-admission-report
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - name: step-03
+ try:
+ - error:
+ file: admission-report.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy-assert.yaml
new file mode 100644
index 000000000000..d3196721f200
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy.yaml new file mode 100644 index 000000000000..92bab9083285 --- /dev/null +++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/policy.yaml @@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: validate +spec: + validationFailureAction: Enforce + admission: false + background: true + rules: + - name: validate + match: + any: + - resources: + kinds: + - Pod + validate: + deny: {} diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/resource.yaml new file mode 100644 index 000000000000..3e067cb88b68 --- /dev/null +++ b/test/conformance/chainsaw/background-only/policy/no-admission-report-deprecated/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml b/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml index 92bab9083285..91a845df053d 100644 --- a/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml +++ b/test/conformance/chainsaw/background-only/policy/no-admission-report/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {} 
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/README.md b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/README.md
new file mode 100644
index 000000000000..89489ef4652a
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy with `admission` set to `false`.
+Then it creates a resource that violates the policy.
+
+## Expected Behavior
+
+The resource creates fine as the policy doesn't apply at admission time.
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..cb87369ca514
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/chainsaw-test.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: not-rejected
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy-assert.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy-assert.yaml
new file mode 100644
index 000000000000..d3196721f200
--- /dev/null
+++ b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: validate
+spec: {}
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy.yaml new file mode 100644 index 000000000000..92bab9083285 --- /dev/null +++ b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/policy.yaml @@ -0,0 +1,17 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: validate +spec: + validationFailureAction: Enforce + admission: false + background: true + rules: + - name: validate + match: + any: + - resources: + kinds: + - Pod + validate: + deny: {} diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/resource.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/resource.yaml new file mode 100644 index 000000000000..3e067cb88b68 --- /dev/null +++ b/test/conformance/chainsaw/background-only/policy/not-rejected-deprecated/resource.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod +spec: + containers: + - name: container + image: nginx:latest + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml b/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml index 92bab9083285..91a845df053d 100644 --- a/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml +++ b/test/conformance/chainsaw/background-only/policy/not-rejected/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: validate spec: - validationFailureAction: Enforce admission: false background: true rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml b/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml index 4bb661fe1ddc..e2c116d3dd78 100644 
--- a/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml +++ b/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-run-as-non-root-user spec: - validationFailureAction: Enforce background: true rules: - name: run-as-non-root-user @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: >- Running the container as root user is not allowed. pattern: diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/chainsaw-test.yaml new file mode 100644 index 000000000000..1ad9aee7011d --- /dev/null +++ b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/chainsaw-test.yaml @@ -0,0 +1,17 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: basic +spec: + concurrent: false + namespace: foo + steps: + - try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - script: + content: kubectl run -n $NAMESPACE test-sigstore --image=$TEST_IMAGE_URL + - assert: + file: pod-assert.yaml diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/pod-assert.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/pod-assert.yaml new file mode 100644 index 000000000000..bdf06e1e5d55 --- /dev/null +++ b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/pod-assert.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-sigstore diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy-assert.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy-assert.yaml new file mode 100644 index 000000000000..d62249910054 --- /dev/null +++ b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy-assert.yaml 
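Review bot: The basic-deprecated chainsaw-test.yaml exercises only the positive path — `kubectl run -n $NAMESPACE test-sigstore --image=$TEST_IMAGE_URL` followed by an assert that the pod exists — so it cannot tell `validationFailureAction: Enforce` apart from `Audit`: a correctly signed image is admitted under either, and a regression that turned the deprecated spec-level field into a no-op would pass unnoticed, which defeats the purpose of keeping this copy. Add a negative step that runs an image matching `ttl.sh/*` without a valid keyless signature and expects the admission to be refused, e.g. `- script:` / `    content: kubectl run -n "$NAMESPACE" test-unsigned --image=<an unsigned ttl.sh/* image>` / `    check: {($error != null): true}`. While there, quote `"$NAMESPACE"` and `"$TEST_IMAGE_URL"` in the existing script so an empty or space-containing value fails loudly instead of silently running a different command.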
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: basic-sigstore-test-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy.yaml new file mode 100644 index 000000000000..bbf59ae3110e --- /dev/null +++ b/test/conformance/chainsaw/custom-sigstore/standard/basic-deprecated/policy.yaml @@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: basic-sigstore-test-policy +spec: + validationFailureAction: Enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: keyed-basic-rule + match: + any: + - resources: + kinds: + - Pod + context: + - name: tufvalues + configMap: + name: tufvalues + namespace: kyverno + verifyImages: + - imageReferences: + - "ttl.sh/*" + attestors: + - count: 1 + entries: + - keyless: + issuer: "https://kubernetes.default.svc.cluster.local" + subject: "https://kubernetes.io/namespaces/default/serviceaccounts/default" + rekor: + url: "{{ tufvalues.data.REKOR_URL }}" + required: true diff --git a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml index bbf59ae3110e..08ad133aabfb 100644 --- a/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml +++ b/test/conformance/chainsaw/custom-sigstore/standard/basic/policy.yaml @@ -3,10 +3,10 @@ kind: ClusterPolicy metadata: name: basic-sigstore-test-policy spec: - validationFailureAction: Enforce background: false - webhookTimeoutSeconds: 30 - failurePolicy: Fail + webhookConfiguration: + timeoutSeconds: 30 + failurePolicy: Fail rules: - name: keyed-basic-rule match: @@ -31,3 +31,4 @@ spec: rekor: url: "{{ tufvalues.data.REKOR_URL }}" required: true + validationFailureAction: Enforce 
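Review bot: In basic/policy.yaml the relocated `validationFailureAction: Enforce` is appended as the last line of the file after `required: true`, and the collapsed diff does not show at which nesting it landed; for a verifyImages rule it is expected on the `verifyImages[]` entry next to `imageReferences` and `attestors`, and if it ends up one level off it is presumably pruned as an unknown field and the rule silently falls back to the default Audit action, so an unverifiable `ttl.sh/*` image would be admitted while the test still passes. Please verify the indentation in the rendered file. The `webhookConfiguration` block added earlier in this section keeps `failurePolicy: Fail`, which is the right fail-closed choice for an image-verification policy.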
diff --git a/test/conformance/chainsaw/deferred/dependencies-deprecated/README.md b/test/conformance/chainsaw/deferred/dependencies-deprecated/README.md
new file mode 100644
index 000000000000..a19b14626b48
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies-deprecated/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test checks for handling of variable dependencies with deferred lookups
+
+## Expected Behavior
+
+The deployment should fail
+
+## Reference Issues
+
+https://github.com/kyverno/kyverno/issues/7486
+
diff --git a/test/conformance/chainsaw/deferred/dependencies-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/deferred/dependencies-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..6fdd52dc67e3
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies-deprecated/chainsaw-test.yaml
@@ -0,0 +1,20 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: dependencies
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: manifests.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: deploy.yaml
diff --git a/test/conformance/chainsaw/deferred/dependencies-deprecated/deploy.yaml b/test/conformance/chainsaw/deferred/dependencies-deprecated/deploy.yaml
new file mode 100644
index 000000000000..c03b8fa60f29
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies-deprecated/deploy.yaml
@@ -0,0 +1,28 @@
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test
+ namespace: acme-fitness
+ labels:
+ app: kubecost-cost-analyzer
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: kubecost-cost-analyzer
+ template:
+ metadata:
+ labels:
+ app: kubecost-cost-analyzer
+ spec:
+ containers:
+ - name: cost-model
+ image: nginx:1.14.2
+ resources:
+ requests:
+ cpu: 350m
+ memory: 500Mi
+ limits:
+ memory: 2Gi
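Review bot: The new dependencies-deprecated/chainsaw-test.yaml keeps `creationTimestamp: null` under `metadata`, a leftover of a generated manifest that carries no meaning for a chainsaw Test; drop the line so the fixture reads as hand-written. The same leftover appears in the new policy-applied-deprecated and policy-violation-deprecated chainsaw-test.yaml files later in this commit. While touching those two tests, their READMEs say "Asset a … event" where "Assert" is meant.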
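Review bot: dependencies-deprecated/deploy.yaml starts with an empty line before the `---` document marker (the hunk's first added line is blank), which parsers accept but which is out of step with the other fixtures added here, all of which begin directly with `apiVersion:`; drop the blank line and, as this is a single-document file, the `---` can go with it. The `image: nginx:1.14.2` tag is acceptable for this fixture because the test expects the apply to fail at admission.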
diff --git a/test/conformance/chainsaw/deferred/dependencies-deprecated/manifests.yaml b/test/conformance/chainsaw/deferred/dependencies-deprecated/manifests.yaml
new file mode 100644
index 000000000000..ffdbf0a9af31
--- /dev/null
+++ b/test/conformance/chainsaw/deferred/dependencies-deprecated/manifests.yaml
@@ -0,0 +1,73 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: acme-fitness
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-company-budget
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: check-kubecost-budget
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ operations:
+ - CREATE
+ context:
+ # Mocked response from the Kubecost prediction API until it natively supports JSON input.
+ # Get the predicted amount of the Deployment and transform to get the totalMonthlyRate.
+ - name: predictedcost
+ variable:
+ jmesPath: '[0].costChange.totalMonthlyRate'
+ value:
+ - namespace: acme-fitness
+ controllerKind: deployment
+ controllerName: test
+ costBefore:
+ totalMonthlyRate: 0
+ cpuMonthlyRate: 0
+ ramMonthlyRate: 0
+ gpuMonthlyRate: 0
+ monthlyCPUCoreHours: 0
+ monthlyRAMByteHours: 0
+ monthlyGPUHours: 0
+ costAfter:
+ totalMonthlyRate: 28.839483652409793
+ cpuMonthlyRate: 24.295976357646456
+ ramMonthlyRate: 4.543507294763337
+ gpuMonthlyRate: 0
+ monthlyCPUCoreHours: 766.5
+ monthlyRAMByteHours: 1.14819072e+12
+ monthlyGPUHours: 0
+ costChange:
+ totalMonthlyRate: 92.839483652409793
+ cpuMonthlyRate: 24.295976357646456
+ ramMonthlyRate: 4.543507294763337
+ gpuMonthlyRate: 0
+ monthlyCPUCoreHours: 766.5
+ monthlyRAMByteHours: 1.14819072e+12
+ monthlyGPUHours: 0
+ - name: budget
+ variable:
+ value:
+ spendLimit: 100.0
+ currentSpend: 73.0
+ # Calculate the budget that remains from the window by subtracting the currentSpend from the spendLimit.
+ - name: remainingbudget
+ variable:
+ jmesPath: subtract(`{{budget.spendLimit}}`,`{{budget.currentSpend}}`)
+ validate:
+ # Need to improve this by rounding.
+ message: "This Deployment, which costs ${{ predictedcost }} to run for a month, will overrun the remaining budget of ${{ remainingbudget }}. Please seek approval."
+ deny:
+ conditions:
+ all:
+ - key: "{{ predictedcost }}"
+ operator: GreaterThan
+ value: "{{ remainingbudget }}"
\ No newline at end of file
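Review bot: The new dependencies-deprecated/manifests.yaml is a verbatim copy of the pre-change dependencies/manifests.yaml (same blob, `index ffdbf0a9af31` in the next section) and nothing in the file says which of the two is the deprecated variant or why both exist, so the next person editing the mocked cost data will change one and not the other. A one-line header such as `# Deprecated-placement copy of ../dependencies/manifests.yaml: keeps spec-level validationFailureAction covered; mirror data changes there.` would pin that down. The file also ends without a trailing newline (`\ No newline at end of file`); add one.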
diff --git a/test/conformance/chainsaw/deferred/dependencies-deprecated/policy-assert.yaml b/test/conformance/chainsaw/deferred/dependencies-deprecated/policy-assert.yaml new file mode 100644 index 000000000000..8ce29958ed3b --- /dev/null +++ b/test/conformance/chainsaw/deferred/dependencies-deprecated/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: enforce-company-budget +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/deferred/dependencies/manifests.yaml b/test/conformance/chainsaw/deferred/dependencies/manifests.yaml index ffdbf0a9af31..88fdb61da59c 100644 --- a/test/conformance/chainsaw/deferred/dependencies/manifests.yaml +++ b/test/conformance/chainsaw/deferred/dependencies/manifests.yaml @@ -9,7 +9,6 @@ kind: ClusterPolicy metadata: name: enforce-company-budget spec: - validationFailureAction: Enforce rules: - name: check-kubecost-budget match: @@ -63,6 +62,7 @@ spec: variable: jmesPath: subtract(`{{budget.spendLimit}}`,`{{budget.currentSpend}}`) validate: + validationFailureAction: Enforce # Need to improve this by rounding. message: "This Deployment, which costs ${{ predictedcost }} to run for a month, will overrun the remaining budget of ${{ remainingbudget }}. Please seek approval." deny: diff --git a/test/conformance/chainsaw/deferred/foreach/manifests.yaml b/test/conformance/chainsaw/deferred/foreach/manifests.yaml index f298d56d7c3f..cae265a4e05b 100644 --- a/test/conformance/chainsaw/deferred/foreach/manifests.yaml +++ b/test/conformance/chainsaw/deferred/foreach/manifests.yaml @@ -41,4 +41,3 @@ spec: - CREATE - UPDATE schemaValidation: false - validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/deferred/recursive/policy.yaml b/test/conformance/chainsaw/deferred/recursive/policy.yaml index 4965a30bc480..72176cd3dba6 100644 --- a/test/conformance/chainsaw/deferred/recursive/policy.yaml 
+++ b/test/conformance/chainsaw/deferred/recursive/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: one spec: - validationFailureAction: Enforce rules: - name: one match: diff --git a/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml b/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml index 7737635f086f..a01028cd98ae 100644 --- a/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml +++ b/test/conformance/chainsaw/deferred/resolve-overriden-variable/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: one spec: - validationFailureAction: Enforce rules: - name: one match: diff --git a/test/conformance/chainsaw/deferred/two-rules/policy.yaml b/test/conformance/chainsaw/deferred/two-rules/policy.yaml index 592fbdc5d784..86963117c5fe 100644 --- a/test/conformance/chainsaw/deferred/two-rules/policy.yaml +++ b/test/conformance/chainsaw/deferred/two-rules/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: one spec: - validationFailureAction: Enforce rules: - name: one match: diff --git a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml index 3d6ea0ae684f..f1fb10a77aea 100644 --- a/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml +++ b/test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml @@ -4,7 +4,6 @@ metadata: name: podsecurity-subrule-restricted spec: background: true - validationFailureAction: Audit rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit podSecurity: level: restricted version: latest 
diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/README.md b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/README.md
new file mode 100644
index 000000000000..a5f5debf1b30
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test creates a policy, and a resource.
+A `PolicyApplied` event should be created.
+
+## Steps
+
+1. - Create a policy
+ - Assert the policy becomes ready
+1. - Create a resource
+1. - Asset a `PolicyApplied` event is created
diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..1ddc8e2f4568
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: policy-applied
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: event-assert.yaml
diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/event-assert.yaml b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/event-assert.yaml
new file mode 100644
index 000000000000..f66222be12e2
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/event-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Event
+metadata: {}
+involvedObject:
+ apiVersion: kyverno.io/v1
+ kind: Policy
+ name: require-labels
+type: Normal
+reason: PolicyApplied
+reportingComponent: kyverno-admission
diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy-assert.yaml b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy-assert.yaml
new file mode 100644
index 000000000000..bc25d0fdf80b
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy.yaml b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy.yaml
new file mode 100644
index 000000000000..9ba84f9f2363
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/events/policy/policy-applied-deprecated/resource.yaml b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/resource.yaml
new file mode 100644
index 000000000000..4777dd31fd21
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-applied-deprecated/resource.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: foo
+ labels:
+ team: kyverno
+ 
\ No newline at end of file
diff --git a/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml b/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml
index 9ba84f9f2363..ecc56be5c51d 100644
--- a/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml
+++ b/test/conformance/chainsaw/events/policy/policy-applied/policy.yaml
@@ -3,7 +3,6 @@ kind: Policy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/README.md b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/README.md new file mode 100644 index 000000000000..87b6fc1c0421 --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/README.md @@ -0,0 +1,12 @@ +## Description + +This test creates a policy, and a resource. +The resource is expected to be rejected. +A `PolicyViolation` event should be created. + +## Steps + +1. - Create a policy + - Assert the policy becomes ready +1. - Try to create a resource, expecting the creation to fail +1. - Asset a `PolicyViolation` event is created diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..e1131f9b3e78 --- /dev/null +++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/chainsaw-test.yaml @@ -0,0 +1,24 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: policy-violation +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: resource.yaml + - name: step-03 + try: + - assert: + file: event-assert.yaml diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/event-assert.yaml b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/event-assert.yaml new file mode 100644 index 000000000000..cc0c40b6d5a9 --- /dev/null 
+++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/event-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Event
+metadata: {}
+involvedObject:
+ apiVersion: kyverno.io/v1
+ kind: Policy
+ name: require-labels
+type: Warning
+reason: PolicyViolation
+reportingComponent: kyverno-admission
diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy-assert.yaml b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy-assert.yaml
new file mode 100644
index 000000000000..bc25d0fdf80b
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy.yaml b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy.yaml
new file mode 100644
index 000000000000..9ba84f9f2363
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: require-labels
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: require-team
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/chainsaw/events/policy/policy-violation-deprecated/resource.yaml b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/resource.yaml
new file mode 100644
index 000000000000..2a4a424bcba0
--- /dev/null
+++ b/test/conformance/chainsaw/events/policy/policy-violation-deprecated/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: foo
diff --git a/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml b/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml index 9ba84f9f2363..ecc56be5c51d 100644 --- a/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml +++ b/test/conformance/chainsaw/events/policy/policy-violation/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml index 7e9c5d923def..fbd58e62052c 100644 --- a/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml +++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml index c69706f2db0a..f11840f37b44 100644 --- a/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml +++ b/test/conformance/chainsaw/exceptions/applies-to-delete/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: psa spec: - validationFailureAction: Enforce background: true rules: - name: restricted @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: v1.25 
diff --git a/test/conformance/chainsaw/exceptions/conditions/policy.yaml b/test/conformance/chainsaw/exceptions/conditions/policy.yaml index 2e66ed14296a..e80f7806ce9d 100644 --- a/test/conformance/chainsaw/exceptions/conditions/policy.yaml +++ b/test/conformance/chainsaw/exceptions/conditions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: max-containers spec: - validationFailureAction: Enforce background: false rules: - name: max-two-containers @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: "A maximum of 2 containers are allowed inside a Pod." deny: conditions: diff --git a/test/conformance/chainsaw/exceptions/events-creation/policy.yaml b/test/conformance/chainsaw/exceptions/events-creation/policy.yaml index bad86e81b36c..ffc0f0b63939 100644 --- a/test/conformance/chainsaw/exceptions/events-creation/policy.yaml +++ b/test/conformance/chainsaw/exceptions/events-creation/policy.yaml @@ -23,9 +23,9 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: An image tag is required (:latest is not allowed) pattern: spec: containers: - image: '!*:latest & *:*' - validationFailureAction: Enforce diff --git a/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml index 70dfebfda12c..3e53fb4a663e 100644 --- a/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-capabilities/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa-1 spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest 
diff --git a/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml index 8bf4dedbe8a5..d30e5216d50f 100644 --- a/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-host-ports/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa-3 spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml index f8614b068ec2..8480491699f6 100644 --- a/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa-2 spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml index 863539b590ac..17ddd6544996 100644 --- a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest 
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml index 8220f0056830..d7381d289a67 100644 --- a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml index 863539b590ac..17ddd6544996 100644 --- a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml index 8220f0056830..d7381d289a67 100644 --- a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest 
diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml index 8220f0056830..d7381d289a67 100644 --- a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml index 8220f0056830..d7381d289a67 100644 --- a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml index 8220f0056830..d7381d289a67 100644 --- a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest 
diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml index 863539b590ac..17ddd6544996 100644 --- a/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml index 863539b590ac..17ddd6544996 100644 --- a/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-selinux/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml index 863539b590ac..17ddd6544996 100644 --- a/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml index 8220f0056830..d7381d289a67 100644 
--- a/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/policy.yaml @@ -4,7 +4,6 @@ metadata: name: psa spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml b/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml index 2e66ed14296a..e80f7806ce9d 100644 --- a/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml +++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: max-containers spec: - validationFailureAction: Enforce background: false rules: - name: max-two-containers @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: "A maximum of 2 containers are allowed inside a Pod." deny: conditions: diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml index 7e9c5d923def..fbd58e62052c 100644 --- a/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml +++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml index a8140c18c8ae..7fb8105163de 100644 --- a/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml 
+++ b/test/conformance/chainsaw/exceptions/psa-run-as-non-root/policy.yaml @@ -6,7 +6,6 @@ metadata: pod-policies.kyverno.io/autogen-controllers: none spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -17,6 +16,7 @@ spec: namespaces: - default validate: + validationFailureAction: Enforce podSecurity: level: restricted version: v1.29 diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml index 7e9c5d923def..fbd58e62052c 100644 --- a/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml +++ b/test/conformance/chainsaw/exceptions/with-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml index 172b3a203718..23661cb3a5c4 100644 --- a/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/sa/no-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -19,4 +18,5 @@ spec: name: kyverno namespace: kyverno validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml b/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml index 5a780f0b2168..70c4330bcd1d 100644 --- a/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/sa/wildcard/policy.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -19,4 +18,5 @@ spec: name: '?*' namespace: '?*' validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml index 3f258d6215ee..6086efceb889 100644 --- a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/block/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -18,4 +17,5 @@ spec: - kind: User name: not-kubernetes-admin validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml index 6dbdc24a9911..050284adccb6 100644 --- a/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/user/no-wildcard/pass/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -18,4 +17,5 @@ spec: - kind: User name: kubernetes-admin validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml index 5320014c9780..a4aec0071140 100644 --- a/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/block/policy.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -18,4 +17,5 @@ spec: - kind: User name: not-?* validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml index b92e77c33728..940a88e7a56e 100644 --- a/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml +++ b/test/conformance/chainsaw/filter/exclude/user/wildcard/pass/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -18,4 +17,5 @@ spec: - kind: User name: '?*' validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml b/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml index 4968d662ca03..77f4c46db188 100644 --- a/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml +++ b/test/conformance/chainsaw/filter/match/sa/no-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -17,4 +16,5 @@ spec: name: kyverno namespace: kyverno validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml b/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml index cfe930ca0846..aacfdfcc628c 100644 --- a/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml +++ b/test/conformance/chainsaw/filter/match/sa/wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod 
@@ -17,4 +16,5 @@ spec: name: '?*' namespace: '?*' validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml index 5a269a41b67f..7f8fa49c81a2 100644 --- a/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml +++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/block/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -16,4 +15,5 @@ spec: - kind: User name: kubernetes-admin validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml index d4f8b61e2a49..58e85612a90b 100644 --- a/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml +++ b/test/conformance/chainsaw/filter/match/user/no-wildcard/pass/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -16,4 +15,5 @@ spec: - kind: User name: not-kubernetes-admin validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml index 391727e6524f..8cf931a8f83b 100644 --- a/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml +++ b/test/conformance/chainsaw/filter/match/user/wildcard/block/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -16,4 +15,5 @@ spec: - kind: User name: '?*' validate: + validationFailureAction: Enforce deny: {} 
diff --git a/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml b/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml index 5cc4323566b3..55652de5aa74 100644 --- a/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml +++ b/test/conformance/chainsaw/filter/match/user/wildcard/pass/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-pod spec: - validationFailureAction: Enforce background: false rules: - name: block-pod @@ -16,4 +15,5 @@ spec: - kind: User name: not-?* validate: + validationFailureAction: Enforce deny: {} diff --git a/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml b/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml index 9ba84f9f2363..ecc56be5c51d 100644 --- a/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml +++ b/test/conformance/chainsaw/flags/standard/emit-events/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: require-labels spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml index 79d3bec1fbb0..1f71eb0fb527 100644 --- a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail-deprecated/policy.yaml @@ -6,7 +6,6 @@ metadata: pod-policies.kyverno.io/autogen-controllers: none spec: failurePolicy: Fail - validationFailureAction: Enforce background: false rules: - name: require-team @@ -16,6 +15,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: 
@@ -28,7 +28,6 @@ metadata: name: add-labels spec: failurePolicy: Fail - validationFailureAction: Enforce background: false rules: - name: add-labels diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml index ad83cf9b6eab..5406032e7d51 100644 --- a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce background: false rules: - name: require-team @@ -15,6 +14,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: @@ -28,7 +28,6 @@ kind: ClusterPolicy metadata: name: add-labels spec: - validationFailureAction: Enforce background: false rules: - name: add-labels diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml index c5b4a5dcf92f..34e2259a6f47 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: block-ephemeral-containers spec: - validationFailureAction: Enforce background: true rules: - name: block-ephemeral-containers @@ -16,6 +15,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce cel: expressions: - expression: "!has(object.spec.ephemeralContainers)" 
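Review bot: The `add-labels` document in fail-deprecated/policy.yaml is removal-only: the spec-level `validationFailureAction: Enforce` goes away and, unlike the `require-team` hunk just above it, nothing is re-added under a rule's `validate` block. Kyverno's documented default for an unset action is Audit, so if this document carries any validate rule outside the hunk it would silently stop blocking while the test still expects `failurePolicy: Fail` semantics. If `add-labels` is mutate-only, as its name suggests (the rule body is not in the hunk), the removal is correct and a one-line note would spare the next reader the check: `# mutate-only policy: no validationFailureAction needed`. The rule definition and the remainder of this document lie outside the hunk.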
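Review bot: Same pattern in fail/policy.yaml: the second document (`add-labels`) drops its spec-level `validationFailureAction: Enforce` without a rule-level replacement, whereas the first document's `require-team` rule gets one. Confirm that `add-labels` contains no validate rule, since an unset rule-level action falls back to Audit and the fixture would then no longer exercise a blocking policy; a short `# mutate-only: validationFailureAction intentionally omitted` comment would document that. The rule body is outside the hunk.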
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml index 65f78e9b8c5d..4f22c42d51d0 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-all-match-resource/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t9 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -20,6 +19,7 @@ spec: matchLabels: app: critical validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml index 19387d48fbe3..8de553d9dc9e 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t16 spec: - validationFailureAction: Audit background: false rules: - name: host-path 
@@ -25,6 +24,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml index 97904eed4b2b..a356e7fcaaa6 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-namespace-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t14 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -29,6 +28,7 @@ spec: names: - "testing" validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml index 893891a1dd06..7e2a13086b5f 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml 
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource-match-with-object-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t15 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -29,6 +28,7 @@ spec: names: - "testing" validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml index 1c7b71926ec7..c5bddb037ddc 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-resource/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t13 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -29,6 +28,7 @@ spec: names: - "testing" validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml index e8115feafab7..739e55ca8226 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-multiple-resources/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t8 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -34,6 +33,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml index 2c3dc0e456e8..46ba297cbdff 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resource/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t7 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -25,6 +24,7 @@ spec: values: - connector validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml index bd9e09e46960..6045d430436e 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app-4 spec: - validationFailureAction: Audit rules: - name: check-label-app match: @@ -18,6 +17,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml index cae60e95935e..77febe5d783d 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app5 spec: - validationFailureAction: Audit background: false rules: - name: check-label-app @@ -25,6 +24,7 @@ spec: operations: - CREATE validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml index 7c5dcafcfddf..cc4e8b547428 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app4 spec: - validationFailureAction: Audit background: false rules: - name: check-label-app @@ -16,6 +15,7 @@ spec: - production - staging validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml index 01665b6be131..193c0e113ca4 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-resource-in-specific-namespace/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t4 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -18,6 +17,7 @@ spec: - production - staging validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml index f89223ce609c..8ff720b0cc52 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t12 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -27,6 +26,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml index 9f96709d9f2d..74287f4cf453 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t13 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -24,6 +23,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml index 98771ef5995d..f0f505019e24 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-by-names-with-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app-3 spec: - validationFailureAction: Audit rules: - name: check-label-app match: @@ -15,6 +14,7 @@ spec: - "prod-*" - "staging" validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml index a7f82795eff0..fc6629d9d2b5 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml 
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app-5 spec: - validationFailureAction: Audit rules: - name: check-label-app match: @@ -15,6 +14,7 @@ spec: - "prod-*" - "staging" validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml index 3a0b12028e71..217bacbf461a 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-namespace-selectors/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t1 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -33,6 +32,7 @@ spec: values: - compute validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml index ba70f77d7801..918c37a20497 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-with-different-object-selectors/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t2 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -27,6 +26,7 @@ spec: matchLabels: app: normal validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml index 3628adb12053..aa18a9265997 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-in-specific-namespace/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t17 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -27,6 +26,7 @@ spec: - testing-ns - staging-ns validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml index e1b5129be21e..c4e00860cd5d 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-namespace-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t10 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -30,6 +29,7 @@ spec: values: - connector validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml index 5c3c08affda5..3f080414570e 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-resources-with-object-selector/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app2 spec: - validationFailureAction: Audit rules: - name: check-label-app match: 
@@ -20,6 +19,7 @@ spec: matchLabels: app: critical validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml index e477a4381ec1..990d96339bb8 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-exclude-user-and-roles/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app1 spec: - validationFailureAction: Audit background: false rules: - name: check-label-app @@ -20,6 +19,7 @@ spec: - kind: User name: John validate: + validationFailureAction: Audit cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml index c1fa1a95b6df..98b387d8aa87 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-created-by-user/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t3 spec: - validationFailureAction: Audit background: false rules: - name: host-path 
@@ -21,6 +20,7 @@ spec: clusterRoles: - cluster-admin validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml index d5dd4e4b1a83..9c6f3fe79150 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-match-resource-using-annotations/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t5 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -17,6 +16,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml index 9da54abdf3a4..d27c9ee0ed9c 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-all-match-resources/policy.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t6 spec: - validationFailureAction: Audit rules: - name: host-path match: @@ -26,6 +25,7 @@ spec: names: - app validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml index 200aec435c0a..f567d67347be 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-multiple-validation-failure-action-overrides/policy.yaml @@ -3,14 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app spec: - validationFailureAction: Audit - validationFailureActionOverrides: - - action: Enforce - namespaces: - - default - - action: Audit - namespaces: - - test rules: - name: check-label-app match: @@ -19,6 +11,14 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit + validationFailureActionOverrides: + - action: Enforce + namespaces: + - default + - action: Audit + namespaces: + - test cel: expressions: - expression: "'app' in object.metadata.labels" diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml index 7429ec4cf1ee..727e20dc179e 100644 
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-non-cel-rule/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-ns-purpose-label spec: - validationFailureAction: Enforce rules: - name: require-ns-purpose-label match: @@ -12,6 +11,7 @@ spec: kinds: - Namespace validate: + validationFailureAction: Enforce message: "You must have label `purpose` with value `production` set on all new namespaces." pattern: metadata: diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml index ad4762247807..28b993b06da3 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-validation-failure-action-overrides-with-namespace/policy.yaml @@ -3,11 +3,6 @@ kind: ClusterPolicy metadata: name: check-label-app1 spec: - validationFailureAction: Audit - validationFailureActionOverrides: - - action: Enforce - namespaces: - - default rules: - name: check-label-app match: @@ -16,6 +11,11 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit + validationFailureActionOverrides: + - action: Enforce + namespaces: + - default message: "The label `app` is required." pattern: metadata: 
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/policy.yaml index 8c4e3a258227..9968b557e649 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/policy.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-host-path-t11 spec: - validationFailureAction: Audit background: false rules: - name: host-path @@ -20,6 +19,7 @@ spec: matchLabels: app: critical validate: + validationFailureAction: Audit cel: expressions: - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/README.md new file mode 100644 index 000000000000..16e6dc869c83 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/README.md @@ -0,0 +1,11 @@ +## Description + +This tests that the ownerReferences of cloned objects in different Namespaces are removed. Otherwise these objects will be immediately garbage-collected + +## Expected Behavior + +The background controller will strip the ownerReference when cloning between Namespaces, if it exists. + +## Reference Issue(s) + +- https://github.com/kyverno/kyverno/issues/2276 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..03b1501ce3b0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/chainsaw-test.yaml
@@ -0,0 +1,38 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - script:
+ content: |
+ kubectl -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns get configmap owner -o json | jq '{
+ "metadata": {
+ "ownerReferences": [{
+ "apiVersion": "v1",
+ "kind": "ConfigMap",
+ "name": "owner",
+ "uid": .metadata.uid
+ }]
+ }
+ }' | kubectl patch -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns secret cpol-clone-delete-ownerreferences-across-namespaces --patch-file=/dev/stdin
+ - name: step-03
+ try:
+ - apply:
+ file: trigger.yaml
+ - assert:
+ file: created-secret.yaml
+ - name: step-04
+ try:
+ - script:
+ content: |
+ kubectl --namespace cpol-clone-delete-ownerreferences-across-namespaces-target-ns get secret cpol-clone-delete-ownerreferences-across-namespaces -o json | jq -e '.metadata.ownerReferences == null'
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/created-secret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/created-secret.yaml
new file mode 100644
index 000000000000..64e2789fd09f
--- /dev/null
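Review bot: step-02 patches an ownerReference onto the source Secret but nothing verifies the patch landed before step-03 triggers the clone, so the step-04 check `jq -e '.metadata.ownerReferences == null'` also passes when the source never carried an ownerReference and the stripping behaviour the test exists for is never exercised. Add a second `script` in step-02 after the patch, e.g. `kubectl -n cpol-clone-delete-ownerreferences-across-namespaces-source-ns get secret cpol-clone-delete-ownerreferences-across-namespaces -o json | jq -e '.metadata.ownerReferences[0].name == "owner"'`, so the test fails loudly if the precondition is missing. The test also keeps `name: cpol-clone-delete-ownerreferences-across-namespaces` for the Test object and the cluster-scoped ClusterPolicy it creates, identical to the test it was copied from; unless chainsaw runs the two strictly one at a time they share that ClusterPolicy, so a `-deprecated` suffix (here and in policy.yaml / policy-ready.yaml) would keep them isolated.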
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/created-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-target-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/policy-ready.yaml
new file mode 100644
index 000000000000..087293808dee
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/policy.yaml
new file mode 100644
index 000000000000..e95821be60b1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/policy.yaml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: owner
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+type: Opaque
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+type: Opaque
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+spec:
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns
+ kind: Secret
+ name: cpol-clone-delete-ownerreferences-across-namespaces
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: clone-secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/trigger.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/trigger.yaml
new file mode 100644
index 000000000000..04ad516c4603
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces-deprecated/trigger.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-delete-ownerreferences-across-namespaces-target-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml
index e95821be60b1..0bf679f8b95d 100644
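Review bot: the `owner` ConfigMap document in policy.yaml carries `type: Opaque`, which is a Secret field that ConfigMap does not have; whether the API server silently prunes it or rejects the object depends on the field-validation mode of the client chainsaw applies with, so the line after `namespace: cpol-clone-delete-ownerreferences-across-namespaces-source-ns` in that document should simply be removed. The file is the unchanged `e95821be60b1` blob of the non-deprecated fixture, and that fixture is only touched for `generateExisting` in this commit, so the same stray field stays in the original test as well. Note also that the rule matches every Namespace with no name or selector and has `synchronize: true`, so the Secret is cloned into every namespace in the cluster rather than only the trigger namespace; if that is intended, a one-line comment on the `match` block saying so would save the next reader the question.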
--- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-delete-ownerreferences-across-namespaces/policy.yaml @@ -24,9 +24,9 @@ kind: ClusterPolicy metadata: name: cpol-clone-delete-ownerreferences-across-namespaces spec: - generateExisting: true rules: - generate: + generateExisting: true apiVersion: v1 clone: name: cpol-clone-delete-ownerreferences-across-namespaces diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/README.md new file mode 100644 index 000000000000..843d3541400a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/README.md @@ -0,0 +1,13 @@ +## Description + +This is a corner case test to ensure a generate clone rule can be triggered on the deletion of the trigger resource. It also ensures upgrades to 1.10 are successful for the same clone rule type. + +## Expected Behavior + +1. when the trigger is created, the corresponding downstream target secret should be generated +2. delete the policy, update the source, then re-install the policy with generateExisting=true, the change should be synced to the downstream target +3. update the source again, the change should be synced to the downstream target + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7170 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 000000000000..5362f726a8ff 
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-apply-1-2.yaml
new file mode 100755
index 000000000000..f1ead79e1ee7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-apply-1-2.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: Zm9v
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-apply-1-3.yaml
new file mode 100755
index 000000000000..4daff4a3014e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-apply-1-3.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-reinstall-policy
+spec:
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+ kind: Secret
+ name: regcred
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: sync-image-pull-secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 000000000000..53f672f4cebc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-reinstall-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-02-apply-1-1.yaml
new file mode 100755
index 000000000000..8f943622adea
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-02-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-02-apply-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-02-apply-1-2.yaml
new file mode 100755
index 000000000000..426355750d34
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-02-apply-1-2.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
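Review bot: chainsaw-step-01-assert-1-1.yaml reads the policy's Ready condition back through `apiVersion: kyverno.io/v2beta1`, while chainsaw-step-01-apply-1-3.yaml creates the same ClusterPolicy as `kyverno.io/v1` and the test's step-04 deletes it as `kyverno.io/v1`; the assert therefore only keeps working for as long as the CRD keeps serving v2beta1, which a fixture named "-deprecated" is presumably not meant to depend on. Using `apiVersion: kyverno.io/v1` here matches the version the test writes and the sibling policy-ready.yaml fixture added in this commit.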
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-03-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-03-assert-1-1.yaml
new file mode 100755
index 000000000000..9e3170e1209c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-03-assert-1-1.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: Zm9v
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-03-assert-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-03-assert-1-2.yaml
new file mode 100755
index 000000000000..2a85a1190592
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-03-assert-1-2.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: Zm9v
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-05-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-05-apply-1-1.yaml
new file mode 100755
index 000000000000..8e7a7103b8c7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-05-apply-1-1.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-06-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-06-apply-1-1.yaml
new file mode 100755
index 000000000000..7b0fa06a2e73
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-06-apply-1-1.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-reinstall-policy
+spec:
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+ kind: Secret
+ name: regcred
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: sync-image-pull-secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-08-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-08-assert-1-1.yaml
new file mode 100755
index 000000000000..09c5e3946b76
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-08-assert-1-1.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-08-assert-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-08-assert-1-2.yaml
new file mode 100755
index 000000000000..65729904d892
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-08-assert-1-2.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: aGVyZWlzY2hhbmdlZGRhdGE=
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-09-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-09-apply-1-1.yaml
new file mode 100755
index 000000000000..12906c0adbc6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-09-apply-1-1.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-11-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-11-assert-1-1.yaml
new file mode 100755
index 000000000000..9eed40bc86ba
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-11-assert-1-1.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-11-assert-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-11-assert-1-2.yaml
new file mode 100755
index 000000000000..db3bfca1ea57
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-step-11-assert-1-2.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: regcred
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..9f026339e641
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy-deprecated/chainsaw-test.yaml
@@ -0,0 +1,68 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-clone-sync-reinstall-policy
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-2.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-3.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1-1.yaml
+ - apply:
+ file: chainsaw-step-02-apply-1-2.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: chainsaw-step-03-assert-1-1.yaml
+ - assert:
+ file: chainsaw-step-03-assert-1-2.yaml
+ - name: step-04
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: cpol-clone-sync-reinstall-policy
+ - name: step-05
+ try:
+ - apply:
+ file: chainsaw-step-05-apply-1-1.yaml
+ - name: step-06
+ try:
+ - apply:
+ file: chainsaw-step-06-apply-1-1.yaml
+ - name: step-07
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-08
+ try:
+ - assert:
+ file: chainsaw-step-08-assert-1-1.yaml
+ - assert:
+ file: chainsaw-step-08-assert-1-2.yaml
+ - name: step-09
+ try:
+ - apply:
+ file: chainsaw-step-09-apply-1-1.yaml
+ - name: step-10
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-11
+ try:
+ - assert:
+ file: chainsaw-step-11-assert-1-1.yaml
+ - assert:
+ file: chainsaw-step-11-assert-1-2.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/chainsaw-step-06-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/chainsaw-step-06-apply-1-1.yaml
index 7b0fa06a2e73..85c42ca39893 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/chainsaw-step-06-apply-1-1.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-reinstall-policy/chainsaw-step-06-apply-1-1.yaml
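Review bot: step-06 re-installs the ClusterPolicy but, unlike step-01, never asserts it is Ready; step-07 papers over that with a fixed `sleep: duration: 3s`, and step-10 repeats the pattern before step-11, so a slow admission controller makes step-08 flaky while a fast one wastes six seconds per run. Replace the step-07 sleep with the same readiness assert step-01 already uses, `- assert: file: chainsaw-step-01-assert-1-1.yaml`, and drop the step-10 sleep, since as far as I know chainsaw's `assert` retries until the step timeout anyway. Separately, the Test name `cpol-clone-sync-reinstall-policy`, the cluster-scoped ClusterPolicy name deleted in step-04, and the three namespaces (`cpol-clone-sync-single-source-multiple-targets-ns`, `...-trigger-ns-1`, `...-trigger-ns-2`) are identical to the non-deprecated test this directory was copied from; if chainsaw runs the two concurrently, step-04's `delete` removes the other test's policy and one test's cleanup deletes the namespaces the other is asserting on, so the names should carry the `-deprecated` suffix the directory already has.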
@@ -3,9 +3,9 @@ kind: ClusterPolicy
 metadata:
 name: cpol-clone-sync-reinstall-policy
 spec:
- generateExisting: true
 rules:
 - generate:
+ generateExisting: true
 apiVersion: v1
 clone:
 name: regcred
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/README.md
new file mode 100644
index 000000000000..220aefaaca3c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a corner case test to ensure the changes to the clone source can be synced to multiple targets.
+
+## Expected Behavior
+
+If the change from `foo=bar` to `foo=baz` is synced to downstream targets, the test passes. Otherwise fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7170
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 000000000000..5362f726a8ff
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-apply-1-2.yaml
new file mode 100755
index 000000000000..d2ecb8831d49
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-apply-1-2.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: foosource
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-apply-1-3.yaml
new file mode 100755
index 000000000000..af736c2e3ad0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-apply-1-3.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets
+spec:
+ generateExisting: false
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ name: foosource
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
+ kind: ConfigMap
+ name: footarget
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: rule-clone-sync-single-source-multiple-targets
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 000000000000..509cb1954276
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-02-apply-1-1.yaml
new file mode 100755
index 000000000000..8f943622adea
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-02-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-02-apply-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-02-apply-1-2.yaml
new file mode 100755
index 000000000000..426355750d34
--- /dev/null
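Review bot: The readiness assert in chainsaw-step-01-assert-1-1.yaml is written against `apiVersion: kyverno.io/v2beta1`, while the policy it waits for is applied as `kyverno.io/v1` in chainsaw-step-01-apply-1-3.yaml and the other -deprecated fixtures in this commit (policy-ready.yaml, cluster-policy-ready.yaml) assert through v1. Asserting through a different served version than the one applied makes this check depend on the v2beta1 version being available and on status conversion, which is not what the test is about. Unless exercising that conversion is intentional, align it: `apiVersion: kyverno.io/v1`. If v2beta1 is deliberate, a one-line comment above it saying why would keep the next reader from "fixing" it.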
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-02-apply-1-2.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-03-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-03-assert-1-1.yaml
new file mode 100755
index 000000000000..cb210f1f2d4b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-03-assert-1-1.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: footarget
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-03-assert-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-03-assert-1-2.yaml
new file mode 100755
index 000000000000..55feaab63a0a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-03-assert-1-2.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: footarget
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-04-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-04-apply-1-1.yaml
new file mode 100755
index 000000000000..53e0fd526fb3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-04-apply-1-1.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: baz
+kind: ConfigMap
+metadata:
+ name: foosource
+ namespace: cpol-clone-sync-single-source-multiple-targets-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-06-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-06-assert-1-1.yaml
new file mode 100755
index 000000000000..aa965bc916d9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-06-assert-1-1.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: baz
+kind: ConfigMap
+metadata:
+ name: footarget
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-1
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-06-assert-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-06-assert-1-2.yaml
new file mode 100755
index 000000000000..dd0baf6c93b7
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-step-06-assert-1-2.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ foo: baz
+kind: ConfigMap
+metadata:
+ name: footarget
+ namespace: cpol-clone-sync-single-source-multiple-targets-trigger-ns-2
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..02cf82aa201b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets-deprecated/chainsaw-test.yaml
@@ -0,0 +1,43 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-clone-sync-single-source-multiple-triggers-targets
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-2.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-3.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1-1.yaml
+ - apply:
+ file: chainsaw-step-02-apply-1-2.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: chainsaw-step-03-assert-1-1.yaml
+ - assert:
+ file: chainsaw-step-03-assert-1-2.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: chainsaw-step-04-apply-1-1.yaml
+ - name: step-05
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-06
+ try:
+ - assert:
+ file: chainsaw-step-06-assert-1-1.yaml
+ - assert:
+ file: chainsaw-step-06-assert-1-2.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/chainsaw-step-01-apply-1-3.yaml
index af736c2e3ad0..3dc008a3213b 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/chainsaw-step-01-apply-1-3.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-clone-sync-single-source-multiple-triggers-targets/chainsaw-step-01-apply-1-3.yaml
@@ -3,9 +3,9 @@ kind: ClusterPolicy
 metadata:
 name: cpol-clone-sync-single-source-multiple-targets
 spec:
- generateExisting: false
 rules:
 - generate:
+ generateExisting: false
 apiVersion: v1
 clone:
 name: foosource
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/README.md
new file mode 100644
index 000000000000..80d73af201ed
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/README.md
@@ -0,0 +1,10 @@
+## Description
+
+This test checks to ensure that deletion of a rule in a ClusterPolicy generate rule, data declaration, with sync disabled, does not result in the downstream resource's deletion.
+
+## Expected Behavior
+
+The downstream (generated) resource is expected to remain if the corresponding rule within a ClusterPolicy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-step-02-apply-1-1.yaml
new file mode 100755
index 000000000000..b52a6e57bd43
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-step-02-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-sync-to-nosync-delete-rule-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-step-04-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-step-04-apply-1-1.yaml
new file mode 100755
index 000000000000..0839987d1c61
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-step-04-apply-1-1.yaml
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-to-nosync-delete-rule
+spec:
+ generateExisting: false
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: false
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: k-kafka-address
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
+ kind: Secret
+ metadata:
+ labels:
+ somekey: somesecretvalue
+ type: Opaque
+ kind: Secret
+ name: supersecret
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: super-secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..e524146ca046
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/chainsaw-test.yaml
@@ -0,0 +1,43 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-sync-to-nosync-delete-rule
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1-1.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: secret.yaml
+ - assert:
+ file: configmap.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: chainsaw-step-04-apply-1-1.yaml
+ - name: step-05
+ try:
+ - apply:
+ file: delete-rule.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-06
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-07
+ try:
+ - assert:
+ file: secret.yaml
+ - assert:
+ file: configmap.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/configmap.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/configmap.yaml
new file mode 100644
index 000000000000..aae2b42313d1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: cpol-data-sync-to-nosync-delete-rule-ns
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/delete-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/delete-rule.yaml
new file mode 100644
index 000000000000..d24c7e4397b6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/delete-rule.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: multiple-gens
+spec:
+ generateExisting: false
+ rules:
+ - name: super-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: Secret
+ name: supersecret
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: Secret
+ type: Opaque
+ metadata:
+ labels:
+ somekey: somesecretvalue
+ data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/policy-ready.yaml
new file mode 100644
index 000000000000..d6a7219a7bb5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-to-nosync-delete-rule
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/policy.yaml
new file mode 100644
index 000000000000..b2cb12d617af
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/policy.yaml
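Review bot: delete-rule.yaml applies a ClusterPolicy named `multiple-gens`, but the policy whose `k-kafka-address` rule is supposed to be removed is `cpol-data-sync-to-nosync-delete-rule` (policy.yaml, chainsaw-step-04-apply-1-1.yaml and policy-ready.yaml in this directory). As written, step-05 of chainsaw-test.yaml creates a second policy that would also generate `supersecret` and leaves the original rule set untouched, so the step-07 "ConfigMap still exists" assertion passes vacuously and the scenario the README describes is never exercised; the policy-ready assert also re-checks the already-Ready original policy rather than the object just applied. Unless a second policy is intentional, change the metadata to `name: cpol-data-sync-to-nosync-delete-rule` so the apply replaces the rule list. The same name mismatch appears in the non-deprecated delete-rule.yaml that this commit only re-shapes.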
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-to-nosync-delete-rule
+spec:
+ generateExisting: false
+ rules:
+ - name: k-kafka-address
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
+ - name: super-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: Secret
+ name: supersecret
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: Secret
+ type: Opaque
+ metadata:
+ labels:
+ somekey: somesecretvalue
+ data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/secret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/secret.yaml
new file mode 100644
index 000000000000..611a54d4d554
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule-deprecated/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
+kind: Secret
+metadata:
+ labels:
+ somekey: somesecretvalue
+ name: supersecret
+ namespace: cpol-data-sync-to-nosync-delete-rule-ns
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/chainsaw-step-04-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/chainsaw-step-04-apply-1-1.yaml
index 0839987d1c61..cb903c576410 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/chainsaw-step-04-apply-1-1.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/chainsaw-step-04-apply-1-1.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: cpol-data-sync-to-nosync-delete-rule
 spec:
- generateExisting: false
 rules:
 - exclude:
 any:
@@ -14,6 +13,7 @@ spec:
 - kube-public
 - kyverno
 generate:
+ generateExisting: false
 apiVersion: v1
 data:
 data:
@@ -42,6 +42,7 @@ spec:
 - kube-public
 - kyverno
 generate:
+ generateExisting: false
 apiVersion: v1
 data:
 data:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/delete-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/delete-rule.yaml
index d24c7e4397b6..20fd582920cf 100644
--- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/delete-rule.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/delete-rule.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: multiple-gens
 spec:
- generateExisting: false
 rules:
 - name: super-secret
 match:
@@ -20,6 +19,7 @@ spec:
 - kube-public
 - kyverno
 generate:
+ generateExisting: false
 synchronize: true
 apiVersion: v1
 kind: Secret
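Review bot: The delete-rule.yaml hunks only relocate `generateExisting`, but the context line `name: multiple-gens` shows the file still targets a different policy than the `cpol-data-sync-to-nosync-delete-rule` used by chainsaw-step-04-apply-1-1.yaml in the same directory. Applying it adds a second ClusterPolicy rather than removing the `k-kafka-address` rule from the one under test, so, if this test's step sequence matches the -deprecated copy added in this commit, the final "downstream resource remains" assertions cannot fail. Since the commit is already editing this file, align the name in the same change: `name: cpol-data-sync-to-nosync-delete-rule`. The rule list and the rest of the generate block continue outside the hunk.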
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/policy.yaml
index b2cb12d617af..091c0f557ea3 100644
--- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/policy.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/cpol-data-sync-to-nosync-delete-rule/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
 metadata:
 name: cpol-data-sync-to-nosync-delete-rule
 spec:
- generateExisting: false
 rules:
 - name: k-kafka-address
 match:
@@ -20,6 +19,7 @@ spec:
 - kube-public
 - kyverno
 generate:
+ generateExisting: false
 synchronize: true
 apiVersion: v1
 kind: ConfigMap
@@ -48,6 +48,7 @@ spec:
 - kube-public
 - kyverno
 generate:
+ generateExisting: false
 synchronize: true
 apiVersion: v1
 kind: Secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/README.md b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/README.md
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/README.md
rename to test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/README.md
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/chainsaw-step-04-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/chainsaw-step-04-apply-1-1.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/chainsaw-step-04-apply-1-1.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/chainsaw-step-04-apply-1-1.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/chainsaw-test.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/chainsaw-test.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/chainsaw-test.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/cluster-role.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/cluster-role.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/cluster-role.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/cluster-role.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/manifests.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/manifests.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/manifests.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/policy-ready.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/policy-ready.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/policy-ready.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/policy.yaml
similarity index 100%
rename from test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update(deprecated)/policy.yaml
rename to test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update-deprecated/policy.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy.yaml
index b7306156897b..17588701ea9f 100644
--- a/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy.yaml
@@ -6,7 +6,6 @@ metadata:
 policies.kyverno.io/description: >-
 This policy generates and synchronizes a configmap for custom resource kube-state-metrics.
 spec:
- generateExisting: true
 schemaValidation: false
 rules:
 - name: generate-cm-for-kube-state-metrics-crds
@@ -23,6 +22,7 @@ spec:
 matchLabels:
 kubestatemetrics.platform.example: source
 generate:
+ generateExisting: true
 synchronize: true
 apiVersion: v1
 kind: Secret
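Review bot: The `policies.kyverno.io/description` annotation in the context of the first hunk still says the policy "generates and synchronizes a configmap", while the generate target two lines below the relocated `generateExisting: true` is `kind: Secret` (and the rule is named generate-cm-for-kube-state-metrics-crds). One of the two is stale; if the Secret is the intended output, tighten the annotation to `This policy generates and synchronizes a Secret for custom resource kube-state-metrics.` and consider renaming the rule, otherwise the kind is wrong. The rule's match block and the rest of the generate block lie outside the hunk.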
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/README.md
new file mode 100644
index 000000000000..acfc8d8ea885
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that creation of a multiple target resource created by a ClusterPolicy `generate.cloneList` rule. If it is not generated, the test fails.
+
+## Expected Behavior
+
+The cloned Secret and ConfigMap from the default namespace should exists in newly created namespace.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..519798f9e0c9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/chainsaw-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-clone-list-sync-create
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: manifests.yaml
+ - apply:
+ file: cluster-policy.yaml
+ - assert:
+ file: cluster-policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: resource-assert.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/cluster-policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/cluster-policy-ready.yaml
new file mode 100644
index 000000000000..aa49cef01066
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/cluster-policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-with-multi-clone
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/cluster-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/cluster-policy.yaml
new file mode 100644
index 000000000000..999776422d3a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/cluster-policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-with-multi-clone
+spec:
+ generateExisting: false
+ rules:
+ - name: sync-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ namespace: "{{request.object.metadata.name}}"
+ synchronize : true
+ cloneList:
+ namespace: default
+ kinds:
+ - v1/Secret
+ - v1/ConfigMap
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/manifests.yaml
new file mode 100644
index 000000000000..2761bf800e7d
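Review bot: cluster-policy.yaml carries `synchronize : true` with a space before the colon; YAML still parses it as the `synchronize` key, but it is a lint failure under the usual colon rule and the same typo is visible as context in the non-deprecated cluster-policy.yaml this commit edits, so it is worth cleaning both copies while they are open: `synchronize: true`. Separately, since this rule clones every `default`-namespace Secret carrying `allowedToBeCloned: "true"` into any newly created Namespace, a one-line comment above `cloneList` noting that the label is the only gate on what gets copied would help readers who use these conformance fixtures as templates.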
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/manifests.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: bootstrap-config
+ namespace: default
+ labels:
+ allowedToBeCloned: "true"
+data:
+ initial_lives: "15"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: image-secret
+ namespace: default
+ labels:
+ allowedToBeCloned: "true"
+type: kubernetes.io/basic-auth
+stringData:
+ username: admin
+ password: t0p-Secret-super
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/ns.yaml
new file mode 100644
index 000000000000..102035c1c452
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: prod-1
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/resource-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/resource-assert.yaml
new file mode 100644
index 000000000000..e9a93ac5a14d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create-deprecated/resource-assert.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+data:
+ password: dDBwLVNlY3JldC1zdXBlcg==
+ username: YWRtaW4=
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ name: image-secret
+ namespace: prod-1
+type: kubernetes.io/basic-auth
+---
+apiVersion: v1
+data:
+ initial_lives: "15"
+kind: ConfigMap
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ name: bootstrap-config
+ namespace: prod-1
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/cluster-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/cluster-policy.yaml
index 999776422d3a..5d376ce17e79 100644
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/cluster-policy.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-create/cluster-policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: sync-with-multi-clone
spec:
- generateExisting: false
rules:
- name: sync-secret
match:
@@ -20,6 +19,7 @@ spec:
- kube-public
- kyverno
generate:
+ generateExisting: false
namespace: "{{request.object.metadata.name}}"
synchronize : true
cloneList:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/README.md
new file mode 100644
index 000000000000..4e6125e799d1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test verifies the synchronize behavior of generated resource, if the selected source resources using a matched label selector `allowedToBeCloned: "true"` gets changed, the update should be synchronized with the target resource as well.
+
+## Expected Behavior
+
+This test ensures that update of source resource(ConfigMap) match selected using `allowedToBeCloned: "true"` label get synchronized with target resource created by a ClusterPolicy `generate.cloneList` rule, otherwise the test fails.
+
+## Reference Issue(s)
+
+#4930
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..f5e4b34e6812
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/chainsaw-test.yaml
@@ -0,0 +1,33 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-clone-list-sync-update
+spec:
+ steps:
+ - name: step-00
+ try:
+ - apply:
+ file: manifests.yaml
+ - apply:
+ file: cluster-policy.yaml
+ - assert:
+ file: cluster-policy-ready.yaml
+ - name: step-01
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: resource-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: resource-assert.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: update-source.yaml
+ - assert:
+ file: synchronized-target.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/cluster-policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/cluster-policy-ready.yaml
new file mode 100644
index 000000000000..d0a67c43a092
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/cluster-policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-with-multi-clone-update
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
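Review bot: step-02 repeats step-01 verbatim (apply `ns.yaml`, assert `resource-assert.yaml`), so it either re-applies an unchanged Namespace as a no-op or is a copy-paste leftover. If the second apply is deliberate — checking that an idempotent re-apply of the trigger neither re-generates nor disturbs the clones — a one-line comment above it such as `# re-apply the trigger unchanged: the clones must stay in place` would make that intent visible; otherwise the step should be dropped. The Test is also named `cpol-clone-list-sync-update`, presumably the same name as the non-deprecated directory's Test, which makes the two indistinguishable in chainsaw's report.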
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/cluster-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/cluster-policy.yaml
new file mode 100644
index 000000000000..c245f8c5f52a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/cluster-policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-with-multi-clone-update
+spec:
+ generateExisting: false
+ rules:
+ - name: sync-secret
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ namespace: "{{request.object.metadata.name}}"
+ synchronize : true
+ cloneList:
+ namespace: default
+ kinds:
+ - v1/Secret
+ - v1/ConfigMap
+ selector:
+ matchLabels:
+ allowedToBeCloned: "true"
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/manifests.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/manifests.yaml
new file mode 100644
index 000000000000..2761bf800e7d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/manifests.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: bootstrap-config
+ namespace: default
+ labels:
+ allowedToBeCloned: "true"
+data:
+ initial_lives: "15"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: image-secret
+ namespace: default
+ labels:
+ allowedToBeCloned: "true"
+type: kubernetes.io/basic-auth
+stringData:
+ username: admin
+ password: t0p-Secret-super
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/ns.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/ns.yaml
new file mode 100644
index 000000000000..f1ded585a826
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: prod
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/resource-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/resource-assert.yaml
new file mode 100644
index 000000000000..e377632d08da
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/resource-assert.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+data:
+ password: dDBwLVNlY3JldC1zdXBlcg==
+ username: YWRtaW4=
+kind: Secret
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ name: image-secret
+ namespace: prod
+type: kubernetes.io/basic-auth
+---
+apiVersion: v1
+data:
+ initial_lives: "15"
+kind: ConfigMap
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ name: bootstrap-config
+ namespace: prod
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/synchronized-target.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/synchronized-target.yaml
new file mode 100644
index 000000000000..59428d2df12e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/synchronized-target.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+data:
+ initial_lives: "50"
+kind: ConfigMap
+metadata:
+ labels:
+ allowedToBeCloned: "true"
+ name: bootstrap-config
+ namespace: prod
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/update-source.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/update-source.yaml
new file mode 100644
index 000000000000..91ed16a4fcb4
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update-deprecated/update-source.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: bootstrap-config
+ namespace: default
+ labels:
+ allowedToBeCloned: "true"
+data:
+ initial_lives: "50"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy.yaml
index c245f8c5f52a..bcabfb7856cd 100644
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-list-sync-update/cluster-policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy
metadata:
name: sync-with-multi-clone-update
spec:
- generateExisting: false
rules:
- name: sync-secret
match:
@@ -20,6 +19,7 @@ spec:
- kube-public
- kyverno
generate:
+ generateExisting: false
namespace: "{{request.object.metadata.name}}"
synchronize : true
cloneList:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/README.md
new file mode 100644
index 000000000000..0367ead91fb0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that updates to a trigger which cause it to no longer match a precondition of the rule, with a generate clone declaration and sync enabled, results in the downstream resource's deletion.
+
+## Expected Behavior
+
+If the downstream resource is deleted, the test passes. If it remains, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7481
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 000000000000..b8f1d42261a6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-01-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-clone-sync-existing-update-trigger-no-precondition-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-01-apply-1-2.yaml
new file mode 100755
index 000000000000..7aaae52e7032
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-01-apply-1-2.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create: "true"
+ name: test-org
+ namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-02-apply-1-1.yaml
new file mode 100755
index 000000000000..fdbca3177bb2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-02-apply-1-1.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: source-secret
+ namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-02-apply-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-02-apply-1-2.yaml
new file mode 100755
index 000000000000..35a9cd5c455b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-02-apply-1-2.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-existing-update-trigger-no-precondition
+spec:
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ name: source-secret
+ namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
+ kind: Secret
+ name: downstream-secret
+ namespace: '{{request.object.metadata.namespace}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ name: clone-secret
+ preconditions:
+ any:
+ - key: '{{ request.object.metadata.labels.create || '''' }}'
+ operator: Equals
+ value: "true"
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-02-assert-1-1.yaml
new file mode 100755
index 000000000000..2edd4172cf65
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-02-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-clone-sync-existing-update-trigger-no-precondition
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-05-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-05-apply-1-1.yaml
new file mode 100755
index 000000000000..514fea3c095b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-step-05-apply-1-1.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ create: "false"
+ name: test-org
+ namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-test.yaml
new file mode 100755
index 000000000000..f20146f12c5b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/chainsaw-test.yaml
@@ -0,0 +1,41 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-clone-sync-existing-update-trigger-no-precondition
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-1-2.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1-1.yaml
+ - apply:
+ file: chainsaw-step-02-apply-1-2.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1-1.yaml
+ - name: step-03
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-04
+ try:
+ - assert:
+ file: downstream.yaml
+ - name: step-05
+ try:
+ - apply:
+ file: chainsaw-step-05-apply-1-1.yaml
+ - name: step-06
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-07
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/downstream.yaml
new file mode 100644
index 000000000000..3d17e04f1010
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition-deprecated/downstream.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: downstream-secret
+ namespace: cpol-clone-sync-existing-update-trigger-no-precondition-ns
+type: Opaque
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-2.yaml
index 35a9cd5c455b..87e8d28ec025 100755
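Review bot: step-03 and step-06 are fixed `sleep: duration: 3s` steps placed directly before an `assert` and an `error`; as far as I know both chainsaw operations already poll until the step timeout, so the two sleeps add six seconds of wall time to every run without making either check stronger. If they are meant to give the generate controller a head start so the `error` in step-07 is not evaluated against a downstream that has not yet been reconciled, that reasoning belongs in a comment above the step, e.g. `# give the generate controller time to process the label change before checking for deletion`, rather than an unexplained delay. The Test name and the namespace in this hunk are reused verbatim from the non-deprecated variant, so the two tests cannot be run concurrently.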
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-2.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-2.yaml
@@ -3,9 +3,9 @@ kind: ClusterPolicy
metadata:
name: cpol-clone-sync-existing-update-trigger-no-precondition
spec:
- generateExisting: true
rules:
- generate:
+ generateExisting: true
apiVersion: v1
clone:
name: source-secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/README.md
new file mode 100644
index 000000000000..e79931200ad5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/README.md
@@ -0,0 +1,11 @@
+# Title
+
+This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled deletes the downstream ConfigMap when matching a new Namespace.
+
+## Expected Behavior
+
+If the generated (downstream) resource is not recreated, the test passes. If it is recreated from the definition in the rule, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 000000000000..54d5a66d06e0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-01-apply-1-1.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address
+spec:
+ generateExisting: true
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: false
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: k-kafka-address
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 000000000000..a74a39118d37
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-02-apply-1-1.yaml
new file mode 100755
index 000000000000..2db0de2d3e6e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-02-apply-1-1.yaml
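Review bot: The README added just before this policy describes the test as "with sync enabled" and says the downstream ConfigMap should be deleted, but the rule here sets `synchronize: false` and the test body only checks that a manually deleted ConfigMap is not recreated (the README's own "Expected Behavior" paragraph says the latter), so the description contradicts both the policy and the directory name `nosync-deprecated`. The description sentence should be rewritten to something like "a data rule with synchronize disabled must not recreate a downstream ConfigMap after it is deleted", and the `# Title` placeholder heading replaced with the test name. Two smaller points in the policy itself: the `kind: ConfigMap` nested under `generate.data` duplicates `generate.kind` and is not needed, and the rule name `name: k-kafka-address` looks like a truncated copy of the policy name `zk-kafka-address`; neither breaks the test, but both make the fixture harder to read.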
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-nosync-delete-downstream-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-02-assert-1-1.yaml
new file mode 100755
index 000000000000..eec69cbde9eb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-02-assert-1-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: cpol-data-nosync-delete-downstream-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-05-error-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-05-error-1-1.yaml
new file mode 100755
index 000000000000..c2b5b3992610
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-step-05-error-1-1.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: cpol-data-nosync-delete-downstream-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-test.yaml
new file mode 100755
index 000000000000..8120e85859c8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-downstream/chainsaw-test.yaml
@@ -0,0 +1,35 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-nosync-delete-downstream
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1-1.yaml
+ - name: step-03
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-04
+ try:
+ - delete:
+ ref:
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: cpol-data-nosync-delete-downstream-ns
+ - name: step-05
+ try:
+ - error:
+ file: chainsaw-step-05-error-1-1.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/README.md
new file mode 100644
index 000000000000..592cd1e3cc23
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that a generate rule with a data declaration and NO synchronization, when the ClusterPolicy is deleted does NOT cause the generated resources to be deleted.
+
+## Expected Behavior
+
+If the downstream resource remains after deletion of the ClusterPolicy, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
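Review bot: The only wait in this test (step-03, `sleep: duration: 3s`) sits before the `delete` in step-04, so the `error` in step-05 is evaluated the instant the ConfigMap is gone and passes even if the generate controller recreates it a moment later — which is precisely the regression a "nosync must not recreate" test exists to catch. A wait belongs between the delete and the negative check: keep step-04 as is, add a step `- sleep:` / `    duration: 3s` after it, and only then run the `error` step. If the pre-delete sleep is there to let the generate controller finish reconciling the new namespace before the object is removed, it can stay, but a short comment saying so would stop the next reader from assuming it is the post-delete grace period.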
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/chainsaw-step-05-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/chainsaw-step-05-assert-1-1.yaml
new file mode 100755
index 000000000000..a267204a6970
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/chainsaw-step-05-assert-1-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: wolfram-debug
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/chainsaw-test.yaml
new file mode 100755
index 000000000000..47f840aee41c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/chainsaw-test.yaml
@@ -0,0 +1,34 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-nosync-delete-policy
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-generated.yaml
+ - name: step-03
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: cpol-data-nosync-delete-policy-policy
+ - name: step-04
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-05
+ try:
+ - assert:
+ file: chainsaw-step-05-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/policy-ready.yaml
new file mode 100644
index 000000000000..318f65b1265a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-policy-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/policy.yaml
new file mode 100644
index 000000000000..cd628d18b725
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-policy-policy
+spec:
+ generateExisting: false
+ rules:
+ - name: cpol-data-nosync-delete-policy-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/resource-generated.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/resource-generated.yaml
new file mode 100644
index 000000000000..09eb786efa77
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/resource-generated.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: wolfram-debug
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/resource.yaml
new file mode 100644
index 000000000000..1cb9ac1a0998
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-policy/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: wolfram-debug
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/README.md
new file mode 100644
index 000000000000..0b2e9aa1544a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a rule within a policy having two rules is deleted does NOT cause any of the generated resources corresponding to that removed rule to be deleted.
+
+## Expected Behavior
+
+If both generated resources remain after deletion of the rule, the test passes. If either one is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/both-resources-exist.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/both-resources-exist.yaml
new file mode 100644
index 000000000000..2ffa5486a5a3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/both-resources-exist.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: trench-splendid
+---
+apiVersion: v1
+data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
+kind: Secret
+metadata:
+ labels:
+ somekey: somesecretvalue
+ name: supersecret
+ namespace: trench-splendid
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/chainsaw-test.yaml
new file mode 100755
index 000000000000..56f80c437a0a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/chainsaw-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-nosync-delete-rule
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-generated.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: policy-with-rule-removed.yaml
+ - assert:
+ file: both-resources-exist.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/policy-ready.yaml
new file mode 100644
index 000000000000..1b643c1744f6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-rule-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/policy-with-rule-removed.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/policy-with-rule-removed.yaml
new file mode 100644
index 000000000000..81d1b5c1629c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/policy-with-rule-removed.yaml
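Review bot: The new chainsaw-test.yaml carries `creationTimestamp: null` under `metadata`, which has no meaning for a Test resource and presumably is left over from the tool that generated the file; the same line appears in the chainsaw-test.yaml files of the cpol-data-nosync-modify-downstream, cpol-data-nosync-modify-rule and generate-on-subresource-trigger directories added in this change. Dropping the line in all four leaves `metadata` with only `name:` and keeps the fixtures hand-maintainable. This is a style point only; the steps themselves read correctly.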
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-rule-policy
+spec:
+ generateExisting: false
+ rules:
+ - name: cpol-data-nosync-delete-rule-ruletwo
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: Secret
+ name: supersecret
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: Secret
+ type: Opaque
+ metadata:
+ labels:
+ somekey: somesecretvalue
+ data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/policy.yaml
new file mode 100644
index 000000000000..652db29e1330
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/policy.yaml
@@ -0,0 +1,63 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-delete-rule-policy
+spec:
+ generateExisting: false
+ rules:
+ - name: cpol-data-nosync-delete-rule-ruleone
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
+ - name: cpol-data-nosync-delete-rule-ruletwo
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: Secret
+ name: supersecret
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: Secret
+ type: Opaque
+ metadata:
+ labels:
+ somekey: somesecretvalue
+ data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/resource-generated.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/resource-generated.yaml
new file mode 100644
index 000000000000..2ffa5486a5a3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/resource-generated.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: trench-splendid
+---
+apiVersion: v1
+data:
+ mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl
+kind: Secret
+metadata:
+ labels:
+ somekey: somesecretvalue
+ name: supersecret
+ namespace: trench-splendid
+type: Opaque
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/resource.yaml
new file mode 100644
index 000000000000..a2c9cf71f1b2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-delete-rule/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: trench-splendid
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/README.md
new file mode 100644
index 000000000000..596e15403275
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a downstream (generated) resource is modified this does NOT result in those modifications getting reverted based upon the definition in the rule.
+
+## Expected Behavior
+
+If the downstream resource is left in the modified state, the test passes. If the downstream resource is synced from the definition in the rule, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/chainsaw-test.yaml
new file mode 100755
index 000000000000..6add43591fcb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/chainsaw-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-nosync-modify-downstream
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-generated.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: downstream-modified.yaml
+ - assert:
+ file: downstream-untouched.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/downstream-modified.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/downstream-modified.yaml
new file mode 100644
index 000000000000..3de43c12f772
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/downstream-modified.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: hereissomenewdataichanged
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: selected-beagle
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/downstream-untouched.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/downstream-untouched.yaml
new file mode 100644
index 000000000000..3de43c12f772
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/downstream-untouched.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: hereissomenewdataichanged
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: selected-beagle
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/policy-ready.yaml
new file mode 100644
index 000000000000..138224923e82
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-modify-downstream-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/policy.yaml
new file mode 100644
index 000000000000..5af58dedb7fc
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-modify-downstream-policy
+spec:
+ generateExisting: false
+ rules:
+ - name: cpol-data-nosync-modify-downstream-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/resource-generated.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/resource-generated.yaml
new file mode 100644
index 000000000000..e505b84cb1e2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/resource-generated.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: selected-beagle
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/resource.yaml
new file mode 100644
index 000000000000..8e8591b4c234
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-downstream/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: selected-beagle
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/README.md
new file mode 100644
index 000000000000..2c677699cbff
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that a generate rule with a data declaration and NO synchronization, when a rule within a policy is changed (under the data object) that this does NOT cause the downstream resource to be synced.
+
+## Expected Behavior
+
+If the downstream resource is NOT modified from its initial generation, the test passes. If the downstream resource is synced from the changes made to the rule, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/chainsaw-test.yaml
new file mode 100755
index 000000000000..67e53b07601d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/chainsaw-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-nosync-modify-rule
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: resource.yaml
+ - assert:
+ file: resource-generated.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: rule-modified.yaml
+ - assert:
+ file: downstream-untouched.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/downstream-untouched.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/downstream-untouched.yaml
new file mode 100644
index 000000000000..c0a559ef8a44
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/downstream-untouched.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: stern-liquid
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/policy-ready.yaml
new file mode 100644
index 000000000000..6e7c0e22b08e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-modify-rule-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/policy.yaml
new file mode 100644
index 000000000000..867b2c774732
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-modify-rule-policy
+spec:
+ generateExisting: false
+ rules:
+ - name: cpol-data-nosync-modify-rule-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/resource-generated.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/resource-generated.yaml
new file mode 100644
index 000000000000..c0a559ef8a44
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/resource-generated.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: stern-liquid
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/resource.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/resource.yaml
new file mode 100644
index 000000000000..e00ac16bc193
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/resource.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: stern-liquid
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/rule-modified.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/rule-modified.yaml
new file mode 100644
index 000000000000..731814074a96
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/cpol-data-nosync-modify-rule/rule-modified.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-nosync-modify-rule-policy
+spec:
+ generateExisting: false
+ rules:
+ - name: cpol-data-nosync-modify-rule-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "ihavechangedthis"
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/README.md
new file mode 100644
index 000000000000..b234ae5d3c1b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test assures generation of resource with a sub-resource acting as a trigger.
+
+## Expected Behavior
+
+The test passes and `configmap` `zk-kafka-address` is created.
+
+## Reference Issue(s)
+
+6399
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/chainsaw-step-03-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/chainsaw-step-03-assert-1-1.yaml
new file mode 100755
index 000000000000..16db48356d15
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/chainsaw-step-03-assert-1-1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ generate.kyverno.io/policy-name: zk-kafka-address
+ generate.kyverno.io/policy-namespace: ""
+ generate.kyverno.io/rule-name: k-kafka-address
+ generate.kyverno.io/trigger-group: ""
+ generate.kyverno.io/trigger-kind: PodExecOptions
+ generate.kyverno.io/trigger-namespace: test-generate-exec
+ generate.kyverno.io/trigger-version: v1
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: test-generate-exec
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/chainsaw-test.yaml
new file mode 100755
index 000000000000..a9663373aecd
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/chainsaw-test.yaml
@@ -0,0 +1,92 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: generate-on-subresource-trigger
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - apply:
+ file: namespace.yaml
+ - assert:
+ file: policy-ready.yaml
+ - assert:
+ file: namespace-ready.yaml
+ - name: step-02
+ try:
+ - command:
+ args:
+ - run
+ - nginx
+ - --image=nginx
+ - -n
+ - test-generate-exec
+ entrypoint: kubectl
+ - command:
+ args:
+ - wait
+ - --for=condition=Ready
+ - pod/nginx
+ - -n
+ - test-generate-exec
+ entrypoint: kubectl
+ - command:
+ args:
+ - exec
+ - -n
+ - test-generate-exec
+ - nginx
+ - -it
+ - --
+ - ls
+ entrypoint: kubectl
+ - name: step-03
+ try:
+ - assert:
+ file: chainsaw-step-03-assert-1-1.yaml
+ - name: step-99
+ try:
+ - command:
+ args:
+ - delete
+ - cpol
+ - zk-kafka-address
+ - --force
+ - --wait=true
+ - --ignore-not-found=true
+ entrypoint: kubectl
+ timeout: 30s
+ - command:
+ args:
+ - delete
+ - pod
+ - nginx
+ - -n
+ - test-generate-exec
+ - --wait=true
+ - --ignore-not-found=true
+ entrypoint: kubectl
+ timeout: 30s
+ - command:
+ args:
+ - delete
+ - cm
+ - zk-kafka-address
+ - -n
+ - test-generate-exec
+ - --wait=true
+ - --ignore-not-found=true
+ entrypoint: kubectl
+ timeout: 30s
+ - command:
+ args:
+ - delete
+ - ns
+ - test-generate-exec
+ - --wait=true
+ - --ignore-not-found=true
+ entrypoint: kubectl
+ timeout: 30s
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/namespace-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/namespace-ready.yaml
new file mode 100644
index 000000000000..d6e0bec5d6f3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/namespace-ready.yaml
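Review bot: Step-02 of the new chainsaw-test.yaml starts the trigger pod with `- --image=nginx`, an unpinned reference, so every run pulls whatever that tag resolves to at the time and the conformance result depends on a registry outside the repository; pinning it, e.g. `- --image=nginx:<PINNED_TAG_OR_DIGEST>` (placeholder, pick the project's convention), makes the fixture reproducible. The `exec` command in the same step passes `- -it`, which asks for an attached stdin and a TTY that the chainsaw command runner presumably does not provide; the command only runs `ls`, so the line can be dropped without changing what the step exercises. The step-99 cleanup deletes the ClusterPolicy with `--force`; that is acceptable for teardown but worth a one-line comment explaining why a forced delete is wanted here, since none of the other cleanup commands use it.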
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-generate-exec
+status:
+ phase: Active
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/namespace.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/namespace.yaml
new file mode 100644
index 000000000000..41144ca1ec9e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-generate-exec
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/policy-ready.yaml
new file mode 100644
index 000000000000..ff338c6bcf53
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/policy.yaml
new file mode 100644
index 000000000000..4171a6a71922
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync-deprecated/generate-on-subresource-trigger/policy.yaml
@@ -0,0 +1,29 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + # generateExisting does not work for sub-resources + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - "Pod/exec" + generate: + # synchronization does not work for sub-resources + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.namespace}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/chainsaw-step-01-apply-1-1.yaml index 54d5a66d06e0..240479313459 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/chainsaw-step-01-apply-1-1.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-downstream/chainsaw-step-01-apply-1-1.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: zk-kafka-address spec: - generateExisting: true rules: - exclude: any: @@ -14,6 +13,7 @@ spec: - kube-public - kyverno generate: + generateExisting: true apiVersion: v1 data: data: diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/policy.yaml index cd628d18b725..0db6d0e30449 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/policy.yaml 
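Review bot: The new generate-on-subresource-trigger/policy.yaml matches `Pod/exec` cluster-wide with no `exclude` block, whereas every other policy fixture in this change excludes kube-system, default, kube-public and kyverno; any exec into a pod in those namespaces while the policy is installed would also generate a `zk-kafka-address` ConfigMap there, which the step-99 cleanup in the sibling chainsaw-test.yaml would not remove. If the omission is deliberate for the sub-resource case, a comment next to `match:` saying so would stop a later reader from "fixing" it; otherwise adding the same `exclude:` stanza the other fixtures use keeps the test's footprint to `test-generate-exec`. The two in-file comments ("generateExisting does not work for sub-resources", "synchronization does not work for sub-resources") are useful and worth keeping verbatim in the nosync copy that the later hunks on this line edit.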
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-policy/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-nosync-delete-policy-policy spec: - generateExisting: false rules: - name: cpol-data-nosync-delete-policy-rule match: @@ -20,6 +19,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false synchronize: false apiVersion: v1 kind: ConfigMap diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy-with-rule-removed.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy-with-rule-removed.yaml index 81d1b5c1629c..74980bfc8d3d 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy-with-rule-removed.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy-with-rule-removed.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-nosync-delete-rule-policy spec: - generateExisting: false rules: - name: cpol-data-nosync-delete-rule-ruletwo match: @@ -20,6 +19,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false synchronize: false apiVersion: v1 kind: Secret diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy.yaml index 652db29e1330..e2f60a3e4ba4 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-delete-rule/policy.yaml 
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-nosync-delete-rule-policy spec: - generateExisting: false rules: - name: cpol-data-nosync-delete-rule-ruleone match: @@ -20,6 +19,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false synchronize: false apiVersion: v1 kind: ConfigMap @@ -48,6 +48,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false synchronize: false apiVersion: v1 kind: Secret diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/policy.yaml index 5af58dedb7fc..2829baa1531d 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/policy.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-downstream/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-nosync-modify-downstream-policy spec: - generateExisting: false rules: - name: cpol-data-nosync-modify-downstream-rule match: @@ -20,6 +19,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false synchronize: false apiVersion: v1 kind: ConfigMap diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/policy.yaml index 867b2c774732..77a8d55bd3c0 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/policy.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-nosync-modify-rule-policy spec: - generateExisting: false rules: - name: cpol-data-nosync-modify-rule-rule match: 
@@ -20,6 +19,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false synchronize: false apiVersion: v1 kind: ConfigMap diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/rule-modified.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/rule-modified.yaml index 731814074a96..883fcadeb6b5 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/rule-modified.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/cpol-data-nosync-modify-rule/rule-modified.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-nosync-modify-rule-policy spec: - generateExisting: false rules: - name: cpol-data-nosync-modify-rule-rule match: @@ -20,6 +19,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false synchronize: false apiVersion: v1 kind: ConfigMap diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/policy.yaml index 4171a6a71922..406c74db0c6c 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/policy.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/nosync/generate-on-subresource-trigger/policy.yaml @@ -3,8 +3,6 @@ kind: ClusterPolicy metadata: name: zk-kafka-address spec: - # generateExisting does not work for sub-resources - generateExisting: false rules: - name: k-kafka-address match: @@ -13,6 +11,8 @@ spec: kinds: - "Pod/exec" generate: + # generateExisting does not work for sub-resources + generateExisting: false # synchronization does not work for sub-resources synchronize: false apiVersion: v1 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/README.md new file mode 100644 index 000000000000..1a6d9f93096c --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/README.md @@ -0,0 +1,3 @@ +# Title + +This is a generate test to ensure a generate policy using a data declaration with sync enabled creates a downstream ConfigMap when matching a new Namespace. diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 000000000000..f3400e8caaba --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +spec: + generateExisting: false + rules: + - exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + apiVersion: v1 + data: + data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: zk-kafka-address + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: k-kafka-address 
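Review bot: The ClusterPolicy in chainsaw-step-01-apply-1-1.yaml is named `zk-kafka-address` with rule `k-kafka-address`, while the sibling tests in this tree derive both names from the test directory (`cpol-data-sync-delete-downstream-policy` / `-rule`), and the nosync `generate-on-subresource-trigger` fixture changed earlier in this same commit applies a ClusterPolicy with the identical `zk-kafka-address` name. ClusterPolicy is cluster-scoped, so two tests applying the same name would collide if the suite were ever run with any parallelism, and a leftover object from one test would be hard to attribute to the other. Rename to `name: cpol-data-sync-create-policy` and `name: cpol-data-sync-create-rule`, and change `metadata.name` in chainsaw-step-01-assert-1-1.yaml to match.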
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 000000000000..a74a39118d37 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: zk-kafka-address +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 000000000000..39e58da1c62e --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-02-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-create-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-02-assert-1-1.yaml new file mode 100755 index 000000000000..910142382083 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-step-02-assert-1-1.yaml 
@@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-create-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-test.yaml new file mode 100755 index 000000000000..5ffd23bd2546 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-create/chainsaw-test.yaml @@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cpol-data-sync-create +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - assert: + file: chainsaw-step-02-assert-1-1.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/README.md new file mode 100644 index 000000000000..6c4c8bc164a3 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/README.md 
@@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that when a standard generate policy with data type and sync enabled is used, deletion of the generated/downstream resource causes Kyverno to re-create the resource. + +## Expected Behavior + +If the resource is recreated, the test passes. If it is not, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 000000000000..823e4d47a85b --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-delete-downstream-policy +spec: + generateExisting: false + rules: + - exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + apiVersion: v1 + data: + data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: zk-kafka-address + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: cpol-data-sync-delete-downstream-rule 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 000000000000..1dc2717dc1d0 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-delete-downstream-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 000000000000..0547fe104f12 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-02-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-delete-downstream-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-02-assert-1-1.yaml new file mode 100755 index 000000000000..5163971fb028 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-02-assert-1-1.yaml 
@@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-delete-downstream-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-05-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-05-assert-1-1.yaml new file mode 100755 index 000000000000..5163971fb028 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-step-05-assert-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-delete-downstream-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-test.yaml new file mode 100755 index 000000000000..ae24d10bba5b --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-downstream/chainsaw-test.yaml 
@@ -0,0 +1,35 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cpol-data-sync-delete-downstream +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - assert: + file: chainsaw-step-02-assert-1-1.yaml + - name: step-03 + try: + - delete: + ref: + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: cpol-data-sync-delete-downstream-ns + - name: step-04 + try: + - sleep: + duration: 3s + - name: step-05 + try: + - assert: + file: chainsaw-step-05-assert-1-1.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/README.md new file mode 100644 index 000000000000..e4636d9dc5ff --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/README.md @@ -0,0 +1,3 @@ +# Title + +This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled deletes the downstream ConfigMap when matching a new Namespace. diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 000000000000..1bfd91e83428 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-01-apply-1-1.yaml 
@@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-delete-policy +spec: + generateExisting: false + rules: + - exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + apiVersion: v1 + data: + data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: zk-kafka-address + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: cpol-data-sync-delete-rule diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 000000000000..daed8b6b3502 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-delete-policy +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 000000000000..8236730116c3 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-02-apply-1-1.yaml 
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-delete-policy-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-02-assert-1-1.yaml new file mode 100755 index 000000000000..ffa72b5034c3 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-02-assert-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-delete-policy-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-03-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-03-assert-1-1.yaml new file mode 100755 index 000000000000..ffa72b5034c3 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-03-assert-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-delete-policy-ns 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-04-error-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-04-error-1-1.yaml new file mode 100755 index 000000000000..9dcf69519191 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-step-04-error-1-1.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: zk-kafka-address + namespace: cpol-data-sync-delete-policy-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-test.yaml new file mode 100755 index 000000000000..d7bb1335ed52 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-policy/chainsaw-test.yaml @@ -0,0 +1,32 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cpol-data-sync-delete-policy +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - assert: + file: chainsaw-step-02-assert-1-1.yaml + - name: step-03 + try: + - assert: + file: chainsaw-step-03-assert-1-1.yaml + - name: step-04 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: cpol-data-sync-delete-policy + - error: + file: chainsaw-step-04-error-1-1.yaml 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/README.md new file mode 100644 index 000000000000..628111ceaa5a --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that deletion of a rule in a ClusterPolicy generate rule, data declaration, with sync enabled, results in the downstream resource's deletion. + +## Expected Behavior + +The downstream (generated) resource is expected to be deleted if the corresponding rule within a ClusterPolicy is deleted. If it is not deleted, the test fails. If it is deleted, the test passes. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/5744 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 000000000000..c3a4e19eada6 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/chainsaw-step-02-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-delete-rule diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/chainsaw-test.yaml new file mode 100755 index 000000000000..911052ec42bb --- /dev/null 
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/chainsaw-test.yaml @@ -0,0 +1,39 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cpol-data-sync-delete-rule +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - name: step-03 + try: + - assert: + file: secret.yaml + - assert: + file: configmap.yaml + - name: step-04 + try: + - apply: + file: delete-rule.yaml + - assert: + file: policy-ready.yaml + - name: step-05 + try: + - sleep: + duration: 3s + - name: step-06 + try: + - assert: + file: secret.yaml + - error: + file: configmap.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/configmap.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/configmap.yaml new file mode 100644 index 000000000000..860b6bb8f1e1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: cpol-data-sync-delete-rule \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/delete-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/delete-rule.yaml new file mode 100644 index 000000000000..d24c7e4397b6 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/delete-rule.yaml @@ -0,0 +1,35 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: multiple-gens +spec: + generateExisting: false + rules: + - name: super-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: Secret + name: supersecret + namespace: "{{request.object.metadata.name}}" + data: + kind: Secret + type: Opaque + metadata: + labels: + somekey: somesecretvalue + data: + mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/policy-ready.yaml new file mode 100644 index 000000000000..1a5b4fb467c1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: multiple-gens +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/policy.yaml new file mode 100644 index 000000000000..4176708f9a15 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/policy.yaml 
@@ -0,0 +1,63 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: multiple-gens +spec: + generateExisting: false + rules: + - name: k-kafka-address + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" + - name: super-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + synchronize: true + apiVersion: v1 + kind: Secret + name: supersecret + namespace: "{{request.object.metadata.name}}" + data: + kind: Secret + type: Opaque + metadata: + labels: + somekey: somesecretvalue + data: + mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/secret.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/secret.yaml new file mode 100644 index 000000000000..5ca961ce2fe0 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-delete-rule/secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl +kind: Secret +metadata: + labels: + somekey: somesecretvalue + name: supersecret + namespace: cpol-data-sync-delete-rule +type: Opaque \ No newline at end of file 
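Review bot: The `super-secret` rule in policy.yaml syncs a Secret carrying the hard-coded payload `mysupersecretkey: bXlzdXBlcnNlY3JldHZhbHVl` (base64 of `mysupersecretvalue`) into every namespace the exclude list does not cover, and nothing in the file marks it as dummy data. Add `# dummy value ("mysupersecretvalue"), not a real credential` above that rule's `data:` key so secret scanners and readers do not treat it as leaked material; the copies in delete-rule.yaml and secret.yaml deserve the same line. policy.yaml, secret.yaml and configmap.yaml in this directory also end without a trailing newline (`\ No newline at end of file`), unlike the other fixtures added in this tree.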
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/README.md new file mode 100644 index 000000000000..bc6af6d61473 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that updates to a trigger which cause it to no longer match a precondition of the rule, with a generate data declaration and sync enabled, results in the downstream resource's deletion. + +## Expected Behavior + +If the downstream resource is deleted, the test passes. If it remains, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7481 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 000000000000..8b080eed9e80 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,20 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:background-controller:pdb +rules: +- apiGroups: + - '*' + resources: + - poddisruptionbudgets + verbs: + - create + - update + - patch + - delete + - get + - list 
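Review bot: The ClusterRole in chainsaw-step-01-apply-1-1.yaml grants `poddisruptionbudgets` rights across `apiGroups: ['*']`, but the only PDBs the policy under test creates are `policy/v1`, so the grant should read `apiGroups: ["policy"]`. Because the role carries `app.kubernetes.io/component: background-controller`, it is presumably aggregated into the controller's live permissions for the duration of the test rather than sitting idle as fixture data, so the wildcard is real excess privilege and a pattern users are likely to copy from the conformance tree. Narrowing the group keeps the test behaviour unchanged since every verb the rule lists stays as is.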
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-01-apply-2-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-01-apply-2-1.yaml new file mode 100755 index 000000000000..5985035e7110 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-01-apply-2-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cpol-data-sync-existing-update-trigger-no-precondition-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-01-apply-2-2.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-01-apply-2-2.yaml new file mode 100755 index 000000000000..35f2b85c8ea1 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-01-apply-2-2.yaml @@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test + namespace: cpol-data-sync-existing-update-trigger-no-precondition-ns +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: test + app.kubernetes.io/name: nginx + template: + metadata: + labels: + app.kubernetes.io/instance: test + app.kubernetes.io/name: nginx + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 000000000000..4e0127dbe0e9 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-1.yaml @@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-existing-update-trigger-no-precondition +spec: + generateExisting: true + rules: + - generate: + apiVersion: policy/v1 + data: + spec: + minAvailable: 50% + selector: + matchLabels: '{{ not_null(request.object.spec.selector.matchLabels, request.object.spec.template.metadata.labels) + }}' + kind: PodDisruptionBudget + name: '{{request.object.metadata.name}}-default' + namespace: '{{request.object.metadata.namespace}}' + synchronize: true + match: + all: + - resources: + kinds: + - Deployment + - StatefulSet + name: create-default-pdb + preconditions: + all: + - key: '{{ request.object.spec.replicas }}' + operator: GreaterThan + value: 1 diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-02-assert-1-1.yaml new file mode 100755 index 000000000000..91808cd3e9d6 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-02-assert-1-1.yaml 
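Review bot: chainsaw-step-02-apply-1-1.yaml keeps `generateExisting: true` at `spec` level, the placement this same commit migrates under `generate:` in the nosync fixtures; the `sync-deprecated` directory name suggests the legacy placement is intentional, but neither the file nor the README says so. Add `# spec.generateExisting is the legacy location; kept on purpose, this tree covers the deprecated field` above it so a later cleanup does not migrate the fixture and silently drop that coverage. Separately, the `matchLabels` value is a single-quoted scalar broken across two lines; YAML folds the break into a space inside the JMESPath expression, which is harmless here, but writing `matchLabels: '{{ not_null(request.object.spec.selector.matchLabels, request.object.spec.template.metadata.labels) }}'` on one line removes the question.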
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-existing-update-trigger-no-precondition
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-03-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-03-apply-1-1.yaml
new file mode 100755
index 000000000000..0a148b31f088
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-03-apply-1-1.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test
+ namespace: cpol-data-sync-existing-update-trigger-no-precondition-ns
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/name: nginx
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/name: nginx
+ spec:
+ containers:
+ - image: nginx:1.14.2
+ name: nginx
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-05-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-05-apply-1-1.yaml
new file mode 100755
index 000000000000..35f2b85c8ea1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-05-apply-1-1.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test
+ namespace: cpol-data-sync-existing-update-trigger-no-precondition-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/name: nginx
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/name: nginx
+ spec:
+ containers:
+ - image: nginx:1.14.2
+ name: nginx
+ ports:
+ - containerPort: 80
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-test.yaml
new file mode 100755
index 000000000000..bdca6f811a3f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-test.yaml
@@ -0,0 +1,41 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-sync-existing-update-trigger-no-precondition
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-2-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-2-2.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1-1.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: chainsaw-step-03-apply-1-1.yaml
+ - name: step-04
+ try:
+ - assert:
+ file: downstream.yaml
+ - name: step-05
+ try:
+ - apply:
+ file: chainsaw-step-05-apply-1-1.yaml
+ - name: step-06
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-07
+ try:
+ - error:
+ file: downstream.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/downstream.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/downstream.yaml
new file mode 100644
index 000000000000..17cbd08458af
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-existing-update-trigger-no-precondition/downstream.yaml
@@ -0,0 +1,11 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: test-default
+ namespace: cpol-data-sync-existing-update-trigger-no-precondition-ns
+spec:
+ minAvailable: 50%
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: test
+ app.kubernetes.io/name: nginx
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/README.md
new file mode 100644
index 000000000000..afc0164abd3c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that when a standard generate policy with data type and sync enabled is used, modification of the generated/downstream resource causes Kyverno to sync the resource from the definition in the rule.
+
+## Expected Behavior
+
+If the resource is synced from the definition in the rule, the test passes. If it is not and remains in the modified state, the test fails.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 000000000000..01090a31868b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-01-apply-1-1.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-modify-downstream-policy
+spec:
+ generateExisting: false
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: cpol-data-sync-modify-downstream-rule
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 000000000000..f16b1b504ac0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-modify-downstream-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-02-apply-1-1.yaml
new file mode 100755
index 000000000000..f6ebf5ad9faa
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-02-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: trainer
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-02-assert-1-1.yaml
new file mode 100755
index 000000000000..2d4279c9fb02
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-02-assert-1-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: trainer
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-03-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-03-apply-1-1.yaml
new file mode 100755
index 000000000000..f6d022901e64
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-03-apply-1-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: ichangedthis
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: trainer
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-05-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-05-assert-1-1.yaml
new file mode 100755
index 000000000000..2d4279c9fb02
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-05-assert-1-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: trainer
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-06-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-06-apply-1-1.yaml
new file mode 100755
index 000000000000..c07802cbd914
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-06-apply-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: trainer
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-08-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-08-assert-1-1.yaml
new file mode 100755
index 000000000000..2d4279c9fb02
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-step-08-assert-1-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: trainer
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-test.yaml
new file mode 100755
index 000000000000..9b1f2e07d93f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-downstream/chainsaw-test.yaml
@@ -0,0 +1,43 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-sync-modify-downstream
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1-1.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: chainsaw-step-03-apply-1-1.yaml
+ - name: step-04
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-05
+ try:
+ - assert:
+ file: chainsaw-step-05-assert-1-1.yaml
+ - name: step-06
+ try:
+ - apply:
+ file: chainsaw-step-06-apply-1-1.yaml
+ - name: step-07
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-08
+ try:
+ - assert:
+ file: chainsaw-step-08-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/README.md
new file mode 100644
index 000000000000..10c3b6432d83
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/README.md
@@ -0,0 +1,3 @@
+# Title
+
+This is a generate test to ensure a generate policy using a data declaration with sync enabled and modifying the policy/rule propagates those changes to a downstream ConfigMap.
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-01-apply-1-1.yaml
new file mode 100755
index 000000000000..689cb8353677
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-01-apply-1-1.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address
+spec:
+ generateExisting: true
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: k-kafka-address
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-01-assert-1-1.yaml
new file mode 100755
index 000000000000..a74a39118d37
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-01-assert-1-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-02-apply-1-1.yaml
new file mode 100755
index 000000000000..af01f91c0ee1
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-02-apply-1-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-sync-modify-rule-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-02-assert-1-1.yaml
new file mode 100755
index 000000000000..ab0662b3a58e
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-02-assert-1-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: cpol-data-sync-modify-rule-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml
new file mode 100755
index 000000000000..07c3c664e244
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: zk-kafka-address
+spec:
+ generateExisting: true
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: k-kafka-address
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-03-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-03-assert-1-1.yaml
new file mode 100755
index 000000000000..59eba16d9265
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-step-03-assert-1-1.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: cpol-data-sync-modify-rule-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-test.yaml
new file mode 100755
index 000000000000..15b2cfa6474d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-modify-rule/chainsaw-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-sync-modify-rule
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1-1.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: chainsaw-step-03-apply-1-1.yaml
+ - assert:
+ file: chainsaw-step-03-assert-1-1.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/README.md
new file mode 100644
index 000000000000..fe942eb018a5
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a generate test to ensure deleting a generate policy using a data declaration with sync enabled, orphanDownstreamOnPolicyDelete preserves the downstream ConfigMap.
+
+## Expected Behavior
+
+If the generated configmap is retained, the test passes. If it is not, the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/9578
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml
new file mode 100755
index 000000000000..6277148d568f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml
@@ -0,0 +1,62 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-data-sync-delete-policy-with-orphan
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: namespace.yaml
+ - assert:
+ file: configmap.yaml
+ - name: step-03
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: cpol-data-sync-orphan-downstream-delete-policy
+ - error:
+ file: configmap-assert.yaml
+ - name: step-04
+ try:
+ - delete:
+ ref:
+ apiVersion: v1
+ kind: Namespace
+ name: cpol-data-sync-orphan-downstream-delete-policy-ns
+ - name: step-05
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-06
+ try:
+ - apply:
+ file: policy-orphan.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-07
+ try:
+ - apply:
+ file: namespace.yaml
+ - assert:
+ file: configmap.yaml
+ - name: step-08
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: cpol-data-sync-orphan-downstream-delete-policy
+ - assert:
+ file: configmap.yaml
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/configmap-assert.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/configmap-assert.yaml
new file mode 100755
index 000000000000..9dcf69519191
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/configmap-assert.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: zk-kafka-address
+ namespace: cpol-data-sync-delete-policy-ns
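Review bot: The `error:` check in step-03 of `chainsaw-test.yaml` is vacuous, because the last line of `configmap-assert.yaml` points at `namespace: cpol-data-sync-delete-policy-ns`, a namespace this test never creates (`namespace.yaml` creates `cpol-data-sync-orphan-downstream-delete-policy-ns`), so no such ConfigMap can exist there and the step passes whether or not Kyverno removed the downstream resource under `orphanDownstreamOnPolicyDelete: false`. That line should be `namespace: cpol-data-sync-orphan-downstream-delete-policy-ns`, matching `configmap.yaml`; with that fix the step becomes the negative control that gives the orphan assertion in step-08 its meaning. Step-08 also asserts `configmap.yaml` immediately after deleting the policy, and as far as I understand chainsaw's polling an `assert` that already matches returns at once, so a delayed deletion would go unnoticed; a short `sleep` before the assert, as the other tests in this change use, would make the retention check observable. The test's `metadata.name` `cpol-data-sync-delete-policy-with-orphan` also differs from its directory name, which is cosmetic but easy to align.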
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/configmap.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/configmap.yaml
new file mode 100644
index 000000000000..e6733a490e18
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: cpol-data-sync-orphan-downstream-delete-policy-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/namespace.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/namespace.yaml
new file mode 100755
index 000000000000..65e71f6cdce3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy-ns
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml
new file mode 100755
index 000000000000..eef03ad0c1b8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy
+spec:
+ generateExisting: false
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ orphanDownstreamOnPolicyDelete: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: cpol-data-sync-delete-rule
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/policy-ready.yaml
new file mode 100755
index 000000000000..d2ac63687178
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml
new file mode 100755
index 000000000000..d5660a15c9f0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync-deprecated/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: cpol-data-sync-orphan-downstream-delete-policy
+spec:
+ generateExisting: false
+ rules:
+ - exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - default
+ - kube-public
+ - kyverno
+ generate:
+ apiVersion: v1
+ data:
+ data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ orphanDownstreamOnPolicyDelete: false
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: cpol-data-sync-delete-rule
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/chainsaw-step-01-apply-1-1.yaml
index f3400e8caaba..785bc2698913 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/chainsaw-step-01-apply-1-1.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-create/chainsaw-step-01-apply-1-1.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: zk-kafka-address spec: - generateExisting: false rules: - exclude: any:
@@ -14,6 +13,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false apiVersion: v1 data: data:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/chainsaw-step-01-apply-1-1.yaml
index 823e4d47a85b..29db215344e0 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/chainsaw-step-01-apply-1-1.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-downstream/chainsaw-step-01-apply-1-1.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-sync-delete-downstream-policy spec: - generateExisting: false rules: - exclude: any:
@@ -14,6 +13,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false apiVersion: v1 data: data:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/chainsaw-step-01-apply-1-1.yaml
index 1bfd91e83428..7232b1019721 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/chainsaw-step-01-apply-1-1.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-policy/chainsaw-step-01-apply-1-1.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-sync-delete-policy spec: - generateExisting: false rules: - exclude: any:
@@ -14,6 +13,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false apiVersion: v1 data: data:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/delete-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/delete-rule.yaml
index d24c7e4397b6..20fd582920cf 100644
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/delete-rule.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/delete-rule.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: multiple-gens spec: - generateExisting: false rules: - name: super-secret match:
@@ -20,6 +19,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false synchronize: true apiVersion: v1 kind: Secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/policy.yaml
index 4176708f9a15..2b8ea62330e4 100644
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/policy.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-delete-rule/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: multiple-gens spec: - generateExisting: false rules: - name: k-kafka-address match:
@@ -20,6 +19,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false synchronize: true apiVersion: v1 kind: ConfigMap
@@ -48,6 +48,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false synchronize: true apiVersion: v1 kind: Secret
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-1.yaml
index 4e0127dbe0e9..18ae42dfaf00 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-1.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-existing-update-trigger-no-precondition/chainsaw-step-02-apply-1-1.yaml
@@ -3,9 +3,9 @@ kind: ClusterPolicy metadata: name: cpol-data-sync-existing-update-trigger-no-precondition spec: - generateExisting: true rules: - generate: + generateExisting: true apiVersion: policy/v1 data: spec:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/chainsaw-step-01-apply-1-1.yaml
index 01090a31868b..60b89666f0d1 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/chainsaw-step-01-apply-1-1.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-downstream/chainsaw-step-01-apply-1-1.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-sync-modify-downstream-policy spec: - generateExisting: false rules: - exclude: any:
@@ -14,6 +13,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false apiVersion: v1 data: data:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/chainsaw-step-01-apply-1-1.yaml
index 689cb8353677..6d5bf3e4285a 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/chainsaw-step-01-apply-1-1.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/chainsaw-step-01-apply-1-1.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: zk-kafka-address spec: - generateExisting: true rules: - exclude: any:
@@ -14,6 +13,7 @@ spec: - kube-public - kyverno generate: + generateExisting: true apiVersion: v1 data: data:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml
index 07c3c664e244..de4341187c0c 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: zk-kafka-address spec: - generateExisting: true rules: - exclude: any:
@@ -14,6 +13,7 @@ spec: - kube-public - kyverno generate: + generateExisting: true apiVersion: v1 data: data:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml
index eef03ad0c1b8..0da18e86f0b8 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-sync-orphan-downstream-delete-policy spec: - generateExisting: false rules: - exclude: any:
@@ -14,6 +13,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false apiVersion: v1 data: data:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml
index d5660a15c9f0..bb889196efa9 100755
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-data-sync-orphan-downstream-delete-policy spec: - generateExisting: false rules: - exclude: any:
@@ -14,6 +13,7 @@ spec: - kube-public - kyverno generate: + generateExisting: false apiVersion: v1 data: data:
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/README.md
new file mode 100644
index 000000000000..1ddf1dde73e6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic creation test for a "generate existing" policy. It checks that the basic functionality works whereby creation of a new rule causes correct evaluation of the match block resulting in generation of resources in only the matching result.
+
+## Expected Behavior
+
+If both `blue-ns` and `yellow-ns` Namespaces receive a generated NetworkPolicy, and `summer-ns` does not receive a NetworkPolicies, the test passes. Otherwise the test fails.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6471
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/add-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/add-rule.yaml
new file mode 100644
index 000000000000..2bebbe7ce106
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/add-rule.yaml
@@ -0,0 +1,55 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-add-rule-data
+spec:
+ generateExisting: true
+ rules:
+ - name: existing-basic-create-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ color: blue
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ - name: existing-basic-add-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ color: yellow
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/chainsaw-test.yaml
new file mode 100755
index 000000000000..ff49eaad7b85
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/chainsaw-test.yaml
@@ -0,0 +1,47 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: existing-basic-add-rule-data
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: existing-resources.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-04
+ try:
+ - assert:
+ file: netpol-blue.yaml
+ - error:
+ file: netpol-yellow.yaml
+ - error:
+ file: netpol-summer.yaml
+ - name: step-05
+ try:
+ - apply:
+ file: add-rule.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-06
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-07
+ try:
+ - assert:
+ file: netpol-blue.yaml
+ - assert:
+ file: netpol-yellow.yaml
+ - error:
+ file: netpol-summer.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/existing-resources.yaml
new file mode 100644
index 000000000000..e557f9b4be94
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/existing-resources.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: blue-ns
+ labels:
+ color: blue
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: yellow-ns
+ labels:
+ color: yellow
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: summer-ns
+ labels:
+ season: summer
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/netpol-blue.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/netpol-blue.yaml
new file mode 100644
index 000000000000..9940a77b721c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/netpol-blue.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: blue-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/netpol-summer.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/netpol-summer.yaml
new file mode 100644
index 000000000000..17817fb4a00b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/netpol-summer.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: summer-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/netpol-yellow.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/netpol-yellow.yaml
new file mode 100644
index 000000000000..f5530dd351d6
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/netpol-yellow.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: yellow-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
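Review bot: The negative check carried by netpol-summer.yaml is weaker than the README's "summer-ns does not receive a NetworkPolicy" intends, because the file spells out the full expected object (the `created-by: kyverno` label, `podSelector`, `policyTypes`) while chainsaw-test.yaml only ever consumes it through `error:`. An `error` step passes as soon as no resource matches the whole tree, so a `default-deny` NetworkPolicy generated in `summer-ns` with a missing label or a different spec would still let step-04 and step-07 pass. For an absence check keep only the identity fields: `apiVersion: networking.k8s.io/v1`, `kind: NetworkPolicy`, and `metadata: {name: default-deny, namespace: summer-ns}`. The same caveat applies to netpol-yellow.yaml, which doubles as the `error:` file in step-04 before add-rule.yaml is applied; a separate identity-only file for that negative step would keep the positive assertion in step-07 strict.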
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/policy-ready.yaml
new file mode 100644
index 000000000000..587423b2c213
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-add-rule-data
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/policy.yaml
new file mode 100644
index 000000000000..fd47a1770bb2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-add-rule-data/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-add-rule-data
+spec:
+ generateExisting: true
+ rules:
+ - name: existing-basic-create-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ color: blue
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/README.md
new file mode 100644
index 000000000000..b84820f916fb
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic creation test for a "generate existing" policy. It checks that the basic functionality works whereby installation of the policy causes correct evaluation of the match block resulting in generation of resources in only the matching result.
+
+## Expected Behavior
+
+If only the `red-ns` Namespace receives a generated NetworkPolicy, the test passes. If either it does not or `green-ns` or `winter-ns` receive NetworkPolicies, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/chainsaw-test.yaml
new file mode 100755
index 000000000000..5e621db29626
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/chainsaw-test.yaml
@@ -0,0 +1,27 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: existing-basic-create-policy-data
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: existing-resources.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-04
+ try:
+ - assert:
+ file: generated-resources.yaml
+ - error:
+ file: fail-generated-resources.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/existing-resources.yaml
new file mode 100644
index 000000000000..6825003a177a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/existing-resources.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: red-ns
+ labels:
+ color: red
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: green-ns
+ labels:
+ color: green
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: winter-ns
+ labels:
+ season: winter
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/fail-generated-resources.yaml
new file mode 100644
index 000000000000..70315eb977cd
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/fail-generated-resources.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: green-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: winter-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/generated-resources.yaml
new file mode 100644
index 000000000000..e6ae5538f2a3
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/generated-resources.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: red-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/policy-ready.yaml
new file mode 100644
index 000000000000..325e7aa15257
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-create-policy-data
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/policy.yaml
new file mode 100644
index 000000000000..cb262bdbfc05
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-data/policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-create-policy-data
+spec:
+ generateExisting: true
+ rules:
+ - name: existing-basic-create-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ color: red
+ generate:
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/README.md
new file mode 100644
index 000000000000..35232d3c6e6d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This is a basic creation test for a "generate existing" policy with preconditions. It checks that the basic functionality works whereby installation of the policy causes correct evaluation of the match and preconditions blocks.
+
+## Expected Behavior
+
+If only the `jupiter` Namespace receives a generated ConfigMap, the test passes. If either it does not or `venus` receives a ConfigMap, the test fails.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/chainsaw-test.yaml
new file mode 100755
index 000000000000..e87045c71517
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/chainsaw-test.yaml
@@ -0,0 +1,27 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: existing-basic-create-policy-preconditions-data
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: existing-resources.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-04
+ try:
+ - assert:
+ file: generated-resources.yaml
+ - error:
+ file: fail-generated-resources.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/existing-resources.yaml
new file mode 100644
index 000000000000..51a708659ca0
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/existing-resources.yaml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: jupiter
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: test-lb
+ namespace: jupiter
+spec:
+ ports:
+ - name: web
+ port: 80
+ protocol: TCP
+ targetPort: web
+ selector:
+ app.kubernetes.io/instance: jupiter-foobar
+ type: LoadBalancer
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: venus
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: redis
+ name: venus-clusterip-svc
+ namespace: venus
+spec:
+ ports:
+ - name: tcp-redis
+ port: 6379
+ protocol: TCP
+ targetPort: 6379
+ selector:
+ app.kubernetes.io/name: venus-redis
+ type: ClusterIP
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/fail-generated-resources.yaml
new file mode 100644
index 000000000000..e908e1a9d16f
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/fail-generated-resources.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ doeshavesvclb: "true"
+kind: ConfigMap
+metadata:
+ name: mylb-cm
+ namespace: venus
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/generated-resources.yaml
new file mode 100644
index 000000000000..24d219c6d72a
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/generated-resources.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ doeshavesvclb: "true"
+kind: ConfigMap
+metadata:
+ name: mylb-cm
+ namespace: jupiter
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/policy-ready.yaml
new file mode 100644
index 000000000000..f062f545d8d2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-create-policy-preconditions-data
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/policy.yaml
new file mode 100644
index 000000000000..077c830ccbd9
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing-deprecated/existing-basic-create-policy-preconditions-data/policy.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: existing-basic-create-policy-preconditions-data
+spec:
+ generateExisting: true
+ rules:
+ - name: existing-basic-create-data-preconditions-rule
+ match:
+ any:
+ - resources:
+ kinds:
+ - Service
+ preconditions:
+ any:
+ - key: "{{request.object.spec.type}}"
+ operator: Equals
+ value: LoadBalancer
+ generate:
+ kind: ConfigMap
+ apiVersion: v1
+ name: mylb-cm
+ namespace: "{{request.object.metadata.namespace}}"
+ synchronize: true
+ data:
+ data:
+ doeshavesvclb: "true"
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md
new file mode 100644
index 000000000000..7cbbb9745326
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/README.md
@@ -0,0 +1,17 @@
+## Description
+
+This test ensures that a generate policy works as expected in case one rule sets the `generateExisting` field whereas the other don't set it. It is expected that rules which don't set the field will use the higher level value `spec.generateExisting`.
+
+## Expected Behavior
+
+1. Create two Namespaces named `red-ns` and `green-ns`.
+
+2. Create a policy with two generate rules:
+ - The first rule named `generate-network-policy` matches Namespaces sets the `generateExisting` to `true`.
+ - The second rule named `generate-config-map` matches Namespaces and it doesn't set the field. It is expected that the rule will use the `spec.generateExisting` value which is `false`.
+
+3. It is expected that a NetworkPolicy will be generated for each Namespace whereas ConfigMaps will not be generated.
+
+## Reference Issue(s)
+
+N/A
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml
new file mode 100755
index 000000000000..125d03a4742b
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/chainsaw-test.yaml
@@ -0,0 +1,27 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: different-configurations-for-generate-existing
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: existing-resources.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - sleep:
+ duration: 3s
+ - name: step-04
+ try:
+ - assert:
+ file: generated-resources.yaml
+ - error:
+ file: fail-generated-resources.yaml
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml
new file mode 100644
index 000000000000..ab3740d2bd5c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/existing-resources.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: red-ns
+ labels:
+ color: red
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: green-ns
+ labels:
+ color: green
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml
new file mode 100644
index 000000000000..96b86fb5dce8
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/fail-generated-resources.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: red-ns
+---
+apiVersion: v1
+data:
+ KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092
+ ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181
+kind: ConfigMap
+metadata:
+ labels:
+ somekey: somevalue
+ name: zk-kafka-address
+ namespace: green-ns
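Review bot: existing-resources.yaml creates the cluster-scoped Namespaces `red-ns` and `green-ns`, the same names the new existing-deprecated/existing-basic-create-policy-data test and the sibling different-generate-existing-values test create (the latter reuses this exact blob, index ab3740d2bd5c). Namespace deletion is asynchronous, so if these tests are ever run concurrently, or if cleanup of one test has not finished terminating the Namespace when the next test's `apply` runs, the create fails or the second test observes resources generated by the first test's still-present ClusterPolicy. Unique, test-scoped names such as `name: gen-existing-cfg-red-ns` and `name: gen-existing-cfg-green-ns` in both this file and fail-generated-resources.yaml/generated-resources.yaml would remove the shared state; I cannot see how the suite is invoked, so treat the concurrency part as something to confirm.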
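Review bot: fail-generated-resources.yaml, which chainsaw-test.yaml uses only under `error:`, pins the full ConfigMap content (both `data` keys and the `somekey: somevalue` label), so the negative check passes whenever the generated ConfigMap differs from this exact tree rather than whenever it is absent. A `zk-kafka-address` ConfigMap generated in `red-ns` or `green-ns` with a changed address string would therefore not fail the test, contradicting the README's "ConfigMaps will not be generated". Reduce each document to the identity fields, `apiVersion: v1`, `kind: ConfigMap`, and `metadata: {name: zk-kafka-address, namespace: red-ns}` (and likewise for `green-ns`), so the `error` step asserts absence.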
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml
new file mode 100644
index 000000000000..f61700ca9f7d
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/generated-resources.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: red-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ created-by: kyverno
+ name: default-deny
+ namespace: green-ns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml
new file mode 100644
index 000000000000..8017a12787c2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: different-generate-existing-values
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml
new file mode 100644
index 000000000000..a2b525e9076c
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-configurations-for-generate-existing/policy.yaml
@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: different-generate-existing-values
+spec:
+ generateExisting: false
+ rules:
+ - name: generate-network-policy
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ generateExisting: true
+ kind: NetworkPolicy
+ apiVersion: networking.k8s.io/v1
+ name: default-deny
+ namespace: "{{request.object.metadata.name}}"
+ synchronize: true
+ data:
+ metadata:
+ labels:
+ created-by: kyverno
+ spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ - name: generate-config-map
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: "{{request.object.metadata.name}}"
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md
new file mode 100644
index 000000000000..f183346bb5e2
--- /dev/null
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/README.md
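Review bot: The ClusterPolicy in this policy.yaml is named `different-generate-existing-values`, which is the sibling test directory's name rather than this one (`different-configurations-for-generate-existing`), and this directory's policy-ready.yaml asserts the same borrowed name. ClusterPolicy is cluster-scoped, so if the sibling test's policy.yaml (outside this view) uses the same name and the two tests ever overlap, one `apply` silently replaces the other's rules and both `Ready` assertions become meaningless while still passing. Rename it here and in policy-ready.yaml, e.g. `name: different-configurations-for-generate-existing`. Separately, the second rule's `data:` block repeats `kind: ConfigMap`, which the enclosing `generate` already sets; dropping that line removes a redundant field from the generated object template.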
@@ -0,0 +1,17 @@ +## Description + +This test ensures that a generate policy works as expected in case the rules have a different value for the `generateExisting` field. + +## Expected Behavior + +1. Create two Namespaces named `red-ns` and `green-ns`. + +2. Create a policy with two generate rules: + - The first rule named `generate-network-policy` matches Namespaces sets the `generateExisting` to `true`. + - The second rule named `generate-config-map` matches Namespaces sets the `generateExisting` to `false`. + +3. It is expected that a NetworkPolicy will be generated for each Namespace whereas ConfigMaps will not be generated. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml new file mode 100755 index 000000000000..231349992ecd --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/chainsaw-test.yaml @@ -0,0 +1,27 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: different-generate-existing-values +spec: + steps: + - name: step-01 + try: + - apply: + file: existing-resources.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - sleep: + duration: 3s + - name: step-04 + try: + - assert: + file: generated-resources.yaml + - error: + file: fail-generated-resources.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml new file mode 100644 index 000000000000..ab3740d2bd5c --- /dev/null 
+++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/existing-resources.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: red-ns + labels: + color: red +--- +apiVersion: v1 +kind: Namespace +metadata: + name: green-ns + labels: + color: green diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml new file mode 100644 index 000000000000..96b86fb5dce8 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/fail-generated-resources.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: red-ns +--- +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: green-ns diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml new file mode 100644 index 000000000000..f61700ca9f7d --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/generated-resources.yaml 
@@ -0,0 +1,25 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: red-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + created-by: kyverno + name: default-deny + namespace: green-ns +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml new file mode 100644 index 000000000000..8017a12787c2 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml new file mode 100644 index 000000000000..302c9f571267 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/different-generate-existing-values/policy.yaml 
@@ -0,0 +1,49 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: different-generate-existing-values +spec: + rules: + - name: generate-network-policy + match: + any: + - resources: + kinds: + - Namespace + generate: + generateExisting: true + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: default-deny + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + metadata: + labels: + created-by: kyverno + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + - name: generate-config-map + match: + any: + - resources: + kinds: + - Namespace + generate: + generateExisting: false + synchronize: true + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: "{{request.object.metadata.name}}" + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml index 2bebbe7ce106..9b7a6ea26d96 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/add-rule.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: existing-basic-add-rule-data spec: - generateExisting: true rules: - name: existing-basic-create-rule match: @@ -15,6 +14,7 @@ spec: matchLabels: color: blue generate: + generateExisting: true kind: NetworkPolicy apiVersion: networking.k8s.io/v1 name: default-deny @@ -39,6 +39,7 @@ spec: matchLabels: color: yellow generate: + generateExisting: true kind: NetworkPolicy apiVersion: networking.k8s.io/v1 name: default-deny 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/policy.yaml index fd47a1770bb2..c123d9eb156f 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/policy.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-add-rule-data/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: existing-basic-add-rule-data spec: - generateExisting: true rules: - name: existing-basic-create-rule match: @@ -15,6 +14,7 @@ spec: matchLabels: color: blue generate: + generateExisting: true kind: NetworkPolicy apiVersion: networking.k8s.io/v1 name: default-deny diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/policy.yaml index cb262bdbfc05..4425fdee2b30 100644 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/policy.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-data/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: existing-basic-create-policy-data spec: - generateExisting: true rules: - name: existing-basic-create-rule match: @@ -15,6 +14,7 @@ spec: matchLabels: color: red generate: + generateExisting: true kind: NetworkPolicy apiVersion: networking.k8s.io/v1 name: default-deny diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/policy.yaml index 077c830ccbd9..6b80068aa033 100644 
--- a/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/policy.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/existing/existing-basic-create-policy-preconditions-data/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: existing-basic-create-policy-preconditions-data spec: - generateExisting: true rules: - name: existing-basic-create-data-preconditions-rule match: @@ -17,6 +16,7 @@ spec: operator: Equals value: LoadBalancer generate: + generateExisting: true kind: ConfigMap apiVersion: v1 name: mylb-cm diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/README.md b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/README.md new file mode 100644 index 000000000000..acf3217f1f84 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that a generate rule in a Policy (Namespaced) with a data declaration and NO synchronization, when a rule within the Policy having two rules is deleted does NOT cause any of the generated resources corresponding to that removed rule to be deleted. + +## Expected Behavior + +If both generated resources remain after deletion of the rule, the test passes. If either one is deleted, the test fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/both-resources-exist.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/both-resources-exist.yaml new file mode 100644 index 000000000000..56b4ec706cfd --- /dev/null 
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/both-resources-exist.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: otter +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: otter +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..bd5c0b3a9829 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/chainsaw-test.yaml @@ -0,0 +1,29 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: pol-data-nosync-delete-rule +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - sleep: + duration: 3s + - name: step-03 + try: + - apply: + file: resource.yaml + - assert: + file: resource-generated.yaml + - name: step-04 + try: + - apply: + file: policy-with-rule-removed.yaml + - assert: + file: both-resources-exist.yaml diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/policy-ready.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/policy-ready.yaml new file mode 100644 index 000000000000..2f4e0c7a8b16 --- /dev/null 
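Review bot: In `pol-data-nosync-delete-rule-deprecated/chainsaw-test.yaml`, step-04 applies `policy-with-rule-removed.yaml` and asserts `both-resources-exist.yaml` in the same step with no wait; since the expected outcome is that nothing is deleted, an assert against resources that are still present is satisfied on its first attempt, before Kyverno has had a chance to reconcile the rule removal, so the test cannot observe the regression it is written to catch. The sibling `pol-data-sync-delete-rule-deprecated/chainsaw-test.yaml` inserts a sleep step before its final checks; the same `- sleep:` / `duration: 3s` step between the apply and the assert here would give the controller time to act. The original `pol-data-nosync-delete-rule` test this copy was taken from is not in view, so it may share the issue.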
+++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/policy-ready.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: pol-data-nosync-delete-rule-policy + namespace: otter +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/policy-with-rule-removed.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/policy-with-rule-removed.yaml new file mode 100644 index 000000000000..97b48c5a4497 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/policy-with-rule-removed.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: otter +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: pol-data-nosync-delete-rule-policy + namespace: otter +spec: + generateExisting: false + rules: + - name: pol-data-nosync-delete-rule-policy-ruleone + match: + any: + - resources: + kinds: + - Secret + generate: + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: otter + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/policy.yaml new file mode 100644 index 000000000000..8f944a16ff91 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/policy.yaml 
@@ -0,0 +1,51 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: otter +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: pol-data-nosync-delete-rule-policy + namespace: otter +spec: + generateExisting: false + rules: + - name: pol-data-nosync-delete-rule-policy-ruleone + match: + any: + - resources: + kinds: + - Secret + generate: + synchronize: false + apiVersion: v1 + kind: ConfigMap + name: zk-kafka-address + namespace: otter + data: + kind: ConfigMap + metadata: + labels: + somekey: somevalue + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" + - name: pol-data-nosync-delete-rule-policy-ruletwo + match: + any: + - resources: + kinds: + - Service + generate: + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + name: default-deny + namespace: otter + synchronize: false + data: + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/resource-generated.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/resource-generated.yaml new file mode 100644 index 000000000000..56b4ec706cfd --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/resource-generated.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: otter +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: otter +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress 
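Review bot: The `-deprecated` copies keep `generateExisting: false` at `spec` level (here, in `policy-with-rule-removed.yaml` of the same directory, and in the `pol-data-sync-delete-rule-deprecated` and `pol-data-sync-modify-rule-deprecated` apply files) with nothing marking that the spec-level placement is intentional, while this same commit moves the field into `generate:` everywhere else. A later mechanical cleanup would likely "fix" these files too and silently drop the coverage of the deprecated field. An inline comment makes the intent survive, e.g. `generateExisting: false  # intentionally spec-level: this copy covers the deprecated field`. The READMEs of these copies are verbatim copies of the originals and could say the same in their Description section.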
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/resource.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/resource.yaml new file mode 100644 index 000000000000..e0b7e543408d --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule-deprecated/resource.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: test-secret + namespace: otter +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: engsvcclusip + name: engsvcclusip + namespace: otter +spec: + ports: + - name: 80-80 + port: 80 + protocol: TCP + targetPort: 80 + selector: + app: engsvcclusip + sessionAffinity: None + type: ClusterIP diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy-with-rule-removed.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy-with-rule-removed.yaml index 97b48c5a4497..8f3343c56278 100644 --- a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy-with-rule-removed.yaml +++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy-with-rule-removed.yaml @@ -9,7 +9,6 @@ metadata: name: pol-data-nosync-delete-rule-policy namespace: otter spec: - generateExisting: false rules: - name: pol-data-nosync-delete-rule-policy-ruleone match: @@ -18,6 +17,7 @@ spec: kinds: - Secret generate: + generateExisting: false synchronize: false apiVersion: v1 kind: ConfigMap diff --git a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy.yaml b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy.yaml index 8f944a16ff91..d508dd1d06ab 100644 
--- a/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy.yaml +++ b/test/conformance/chainsaw/generate/policy/standard/data/nosync/pol-data-nosync-delete-rule/policy.yaml @@ -9,7 +9,6 @@ metadata: name: pol-data-nosync-delete-rule-policy namespace: otter spec: - generateExisting: false rules: - name: pol-data-nosync-delete-rule-policy-ruleone match: @@ -18,6 +17,7 @@ spec: kinds: - Secret generate: + generateExisting: false synchronize: false apiVersion: v1 kind: ConfigMap @@ -38,6 +38,7 @@ spec: kinds: - Service generate: + generateExisting: false apiVersion: networking.k8s.io/v1 kind: NetworkPolicy name: default-deny diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/README.md new file mode 100644 index 000000000000..75255c9be8c1 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks to ensure that deletion of a rule in a Policy (Namespaced) generate rule, data declaration, with sync enabled, results in the downstream resource's deletion. + +## Expected Behavior + +The downstream (generated) resource is expected to be deleted if the corresponding rule within a Policy is deleted. If it is not deleted, the test fails. If it is deleted, the test passes. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/5744 diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 000000000000..a9a50e159b9a --- /dev/null 
+++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: pol-data-sync-delete-rule diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 000000000000..a834061e7e32 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-01-apply-1-2.yaml @@ -0,0 +1,51 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: multiple-gens + namespace: pol-data-sync-delete-rule +spec: + generateExisting: false + rules: + - generate: + apiVersion: v1 + data: + data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: zk-kafka-address + namespace: pol-data-sync-delete-rule + synchronize: true + match: + any: + - resources: + kinds: + - Secret + names: + - trigger-secret + name: k-kafka-address + - generate: + apiVersion: v1 + data: + data: + key: superconfigmap + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: superconfigmap + namespace: pol-data-sync-delete-rule + synchronize: true + match: + any: + - resources: + kinds: + - Secret + names: + - trigger-secret + name: super-configmap 
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 000000000000..9cd68a01c7f8 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: multiple-gens + namespace: pol-data-sync-delete-rule +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 000000000000..aad8c13b2605 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-02-apply-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + labels: + org: kyverno + name: trigger-secret + namespace: pol-data-sync-delete-rule +type: Opaque diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-04-apply-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-04-apply-1-1.yaml new file mode 100755 index 000000000000..13da262dfc7f --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-04-apply-1-1.yaml 
@@ -0,0 +1,29 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: multiple-gens + namespace: pol-data-sync-delete-rule +spec: + generateExisting: false + rules: + - generate: + apiVersion: v1 + data: + data: + key: superconfigmap + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: superconfigmap + namespace: pol-data-sync-delete-rule + synchronize: true + match: + any: + - resources: + kinds: + - Secret + names: + - trigger-secret + name: super-configmap diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-04-assert-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-04-assert-1-1.yaml new file mode 100755 index 000000000000..9cd68a01c7f8 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-step-04-assert-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: multiple-gens + namespace: pol-data-sync-delete-rule +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..c62d4f3c287b --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/chainsaw-test.yaml 
@@ -0,0 +1,41 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: pol-data-sync-delete-rule +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - apply: + file: chainsaw-step-01-apply-1-2.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - name: step-03 + try: + - assert: + file: configmap.yaml + - assert: + file: configmap-remain.yaml + - name: step-04 + try: + - apply: + file: chainsaw-step-04-apply-1-1.yaml + - assert: + file: chainsaw-step-04-assert-1-1.yaml + - name: step-05 + try: + - sleep: + duration: 3s + - name: step-06 + try: + - assert: + file: configmap-remain.yaml + - error: + file: configmap.yaml diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/configmap-remain.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/configmap-remain.yaml new file mode 100644 index 000000000000..17607f464f0b --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/configmap-remain.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +data: + key: superconfigmap +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: superconfigmap + namespace: pol-data-sync-delete-rule \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/configmap.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/configmap.yaml new file mode 100644 index 000000000000..e97ab78537e2 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule-deprecated/configmap.yaml 
@@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: pol-data-sync-delete-rule diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/chainsaw-step-01-apply-1-2.yaml index a834061e7e32..b7f6f2ceac0e 100755 --- a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/chainsaw-step-01-apply-1-2.yaml +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/chainsaw-step-01-apply-1-2.yaml @@ -4,9 +4,9 @@ metadata: name: multiple-gens namespace: pol-data-sync-delete-rule spec: - generateExisting: false rules: - generate: + generateExisting: false apiVersion: v1 data: data: @@ -29,6 +29,7 @@ spec: - trigger-secret name: k-kafka-address - generate: + generateExisting: false apiVersion: v1 data: data: diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/chainsaw-step-04-apply-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/chainsaw-step-04-apply-1-1.yaml index 13da262dfc7f..4ec68bf797f1 100755 --- a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/chainsaw-step-04-apply-1-1.yaml +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-delete-rule/chainsaw-step-04-apply-1-1.yaml @@ -4,9 +4,9 @@ metadata: name: multiple-gens namespace: pol-data-sync-delete-rule spec: - generateExisting: false rules: - generate: + generateExisting: false apiVersion: v1 data: data: 
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/README.md b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/README.md new file mode 100644 index 000000000000..7effee6d5e95 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/README.md @@ -0,0 +1,11 @@ +## Description + +This is a generate test to ensure a generate Policy using a data declaration with sync enabled and modifying the policy/rule propagates those changes to a downstream ConfigMap. + +## Expected Behavior + +The downstream (generated) resource is expected to be synced from the corresponding rule within a Policy is modified. If it is not sync, the test fails. If it is synced, the test passes. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 000000000000..e0fe6bbcebb2 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: pol-data-sync-modify-rule diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 000000000000..5ac20c811f3c --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-01-apply-1-2.yaml 
@@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: zk-kafka-address + namespace: pol-data-sync-modify-rule +spec: + generateExisting: true + rules: + - generate: + apiVersion: v1 + data: + data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: zk-kafka-address + namespace: pol-data-sync-modify-rule + synchronize: true + match: + any: + - resources: + kinds: + - Secret + name: k-kafka-address diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 000000000000..f76e4f71f53e --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: zk-kafka-address + namespace: pol-data-sync-modify-rule +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 000000000000..64f7efa0aa8e --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-02-apply-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + labels: + org: kyverno + name: trigger-secret + namespace: pol-data-sync-modify-rule +type: Opaque 
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-03-apply-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-03-apply-1-1.yaml new file mode 100755 index 000000000000..05ae2854c008 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-03-apply-1-1.yaml @@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v2beta1 +kind: Policy +metadata: + name: zk-kafka-address + namespace: pol-data-sync-modify-rule +spec: + generateExisting: true + rules: + - generate: + apiVersion: v1 + data: + data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: zk-kafka-address + namespace: pol-data-sync-modify-rule + synchronize: true + match: + any: + - resources: + kinds: + - Secret + name: k-kafka-address diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-03-assert-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-03-assert-1-1.yaml new file mode 100755 index 000000000000..e79015e9cb7b --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-03-assert-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: pol-data-sync-modify-rule 
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-04-assert-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-04-assert-1-1.yaml new file mode 100755 index 000000000000..e79015e9cb7b --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-step-04-assert-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9999 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 +kind: ConfigMap +metadata: + labels: + somekey: somevalue + name: zk-kafka-address + namespace: pol-data-sync-modify-rule diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..da8d6a2bc34f --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule-deprecated/chainsaw-test.yaml @@ -0,0 +1,29 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: pol-data-sync-modify-rule +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - apply: + file: chainsaw-step-01-apply-1-2.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - name: step-03 + try: + - apply: + file: chainsaw-step-03-apply-1-1.yaml + - assert: + file: chainsaw-step-03-assert-1-1.yaml + - name: step-04 + try: + - assert: + file: chainsaw-step-04-assert-1-1.yaml 
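Review bot: The new `-deprecated` copy keeps the original test's identifiers — `name: pol-data-sync-modify-rule` in this chainsaw-test.yaml and `namespace: pol-data-sync-modify-rule` in every step file of the hunks above — so it creates, modifies and asserts on exactly the same Namespace and Policy as the non-deprecated test in `pol-data-sync-modify-rule/`. If chainsaw schedules the two tests concurrently they race on that Namespace (one test's cleanup removes the other's resources, and the step-03 ConfigMap assertion can be satisfied by the other test's policy), and the report lists two tests under one name. Giving the copy its own identifiers, `name: pol-data-sync-modify-rule-deprecated` here and `namespace: pol-data-sync-modify-rule-deprecated` in the step files, isolates the two runs. The `match-trigger-namespace-deprecated` and `non-match-trigger-namespace-deprecated` chainsaw-test.yaml hunks further down have the same overlap, reusing `match-trigger-namespace-ns` / `non-match-trigger-namespace-ns` and the original Test names.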
diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/chainsaw-step-01-apply-1-2.yaml index 5ac20c811f3c..98209c182ed7 100755 --- a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/chainsaw-step-01-apply-1-2.yaml +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/chainsaw-step-01-apply-1-2.yaml @@ -4,9 +4,9 @@ metadata: name: zk-kafka-address namespace: pol-data-sync-modify-rule spec: - generateExisting: true rules: - generate: + generateExisting: true apiVersion: v1 data: data: diff --git a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml index 05ae2854c008..09e9e4730db5 100755 --- a/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml +++ b/test/conformance/chainsaw/generate/policy/standard/data/sync/pol-data-sync-modify-rule/chainsaw-step-03-apply-1-1.yaml @@ -4,9 +4,9 @@ metadata: name: zk-kafka-address namespace: pol-data-sync-modify-rule spec: - generateExisting: true rules: - generate: + generateExisting: true apiVersion: v1 data: data: diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/README.md b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/README.md new file mode 100644 index 000000000000..85df447fb76e --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/README.md 
@@ -0,0 +1,11 @@ +## Description + +This test checks the generateExisting namespaced policy is applied when the trigger is found in the same namespace as the policy. + +## Expected Behavior + +If the resource secret is created, the test passes. If it is not, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6519 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 000000000000..4490a3ed45d3 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: match-trigger-namespace-ns diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 000000000000..fc9135f5077b --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-2.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + labels: + example.com/sm-sync: "true" + name: regcred + namespace: match-trigger-namespace-ns +type: Opaque diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-3.yaml new file mode 100755 index 000000000000..18085b3d6d09 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-3.yaml @@ -0,0 +1,25 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: match-trigger-namespace + namespace: match-trigger-namespace-ns +spec: + generateExisting: true + rules: + - generate: + apiVersion: v1 + data: + data: + modify: Zm9v + kind: ConfigMap + name: '{{request.object.metadata.name}}-modify' + namespace: match-trigger-namespace-ns + synchronize: true + match: + resources: + kinds: + - Secret + selector: + matchLabels: + example.com/sm-sync: "true" + name: get-synced-secrets diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 000000000000..48acf967ae1a --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: match-trigger-namespace + namespace: match-trigger-namespace-ns +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-03-assert-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-03-assert-1-1.yaml new file mode 100755 index 000000000000..5e83213e8906 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-step-03-assert-1-1.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +data: + modify: Zm9v +kind: ConfigMap +metadata: + name: regcred-modify + namespace: match-trigger-namespace-ns 
diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..3816ff9cabaa --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace-deprecated/chainsaw-test.yaml @@ -0,0 +1,25 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: match-trigger-namespace +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - apply: + file: chainsaw-step-01-apply-1-2.yaml + - apply: + file: chainsaw-step-01-apply-1-3.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - sleep: + duration: 3s + - name: step-03 + try: + - assert: + file: chainsaw-step-03-assert-1-1.yaml diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/chainsaw-step-01-apply-1-3.yaml index 18085b3d6d09..ca70ce160d18 100755 --- a/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/chainsaw-step-01-apply-1-3.yaml +++ b/test/conformance/chainsaw/generate/policy/standard/existing/match-trigger-namespace/chainsaw-step-01-apply-1-3.yaml @@ -4,9 +4,9 @@ metadata: name: match-trigger-namespace namespace: match-trigger-namespace-ns spec: - generateExisting: true rules: - generate: + generateExisting: true apiVersion: v1 data: data: diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/README.md b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/README.md new file mode 100644 index 000000000000..05eb9aaaf882 --- /dev/null 
+++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/README.md @@ -0,0 +1,11 @@ +## Description + +This test checks the generateExisting namespaced policy is not applied when the trigger is not found in the same namespace as the policy. + +## Expected Behavior + +If the resource secret is not created, the test passes. If it is created, the test fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6519 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-1.yaml new file mode 100755 index 000000000000..e779d4aa0624 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: non-match-trigger-namespace-ns diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-2.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-2.yaml new file mode 100755 index 000000000000..5271f5ca7408 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-2.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: non-match-trigger-namespace-ns-2 
diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-3.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-3.yaml new file mode 100755 index 000000000000..ae2090884017 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-3.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + labels: + example.com/sm-sync: "true" + name: regcred + namespace: non-match-trigger-namespace-ns-2 +type: Opaque diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-4.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-4.yaml new file mode 100755 index 000000000000..01678848d6fc --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-apply-1-4.yaml @@ -0,0 +1,25 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: non-match-trigger-namespace + namespace: non-match-trigger-namespace-ns +spec: + generateExisting: true + rules: + - generate: + apiVersion: v1 + data: + data: + modify: Zm9v + kind: ConfigMap + name: '{{request.object.metadata.name}}-modify' + namespace: non-match-trigger-namespace-ns + synchronize: true + match: + resources: + kinds: + - Secret + selector: + matchLabels: + example.com/sm-sync: "true" + name: get-synced-secrets diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-assert-1-1.yaml new file mode 100755 index 000000000000..4445c4cb259b 
--- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-01-assert-1-1.yaml @@ -0,0 +1,10 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: non-match-trigger-namespace + namespace: non-match-trigger-namespace-ns +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-03-error-1-1.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-03-error-1-1.yaml new file mode 100755 index 000000000000..b4d9b2fb12e6 --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-step-03-error-1-1.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +data: + modify: Zm9v +kind: ConfigMap +metadata: + name: regcred-modify + namespace: non-match-trigger-namespace-ns diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-test.yaml new file mode 100755 index 000000000000..ab9557ce919d --- /dev/null +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace-deprecated/chainsaw-test.yaml 
@@ -0,0 +1,27 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: non-match-trigger-namespace +spec: + steps: + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1-1.yaml + - apply: + file: chainsaw-step-01-apply-1-2.yaml + - apply: + file: chainsaw-step-01-apply-1-3.yaml + - apply: + file: chainsaw-step-01-apply-1-4.yaml + - assert: + file: chainsaw-step-01-assert-1-1.yaml + - name: step-02 + try: + - sleep: + duration: 3s + - name: step-03 + try: + - error: + file: chainsaw-step-03-error-1-1.yaml diff --git a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/chainsaw-step-01-apply-1-4.yaml b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/chainsaw-step-01-apply-1-4.yaml index 01678848d6fc..914403660006 100755 --- a/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/chainsaw-step-01-apply-1-4.yaml +++ b/test/conformance/chainsaw/generate/policy/standard/existing/non-match-trigger-namespace/chainsaw-step-01-apply-1-4.yaml @@ -4,9 +4,9 @@ metadata: name: non-match-trigger-namespace namespace: non-match-trigger-namespace-ns spec: - generateExisting: true rules: - generate: + generateExisting: true apiVersion: v1 data: data: diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml index 10821ad2a71c..3a1e4566707d 100644 --- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-fail-2-ns-cluster-target.yaml 
@@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: target-namespace-scope-pass-1 spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: iam.aws.crossplane.io/v1beta1 diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml index 8908257a95ca..295eaa21bd49 100644 --- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: user-per-namespace-pass-2 spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: rbac.authorization.k8s.io/v1 diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml index bd8c77fe622d..3d2ac19a259e 100644 --- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: target-namespace-scope-pass-1 spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: iam.aws.crossplane.io/v1beta1 
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md new file mode 100644 index 000000000000..466682496008 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures that the creation of a generate policy that makes use of `spec.generateExistingOnPolicyUpdate` is blocked since it is a deprecated field. + +## Expected Behavior + +The test passes if the policy creation is blocked, otherwise fails. diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml new file mode 100755 index 000000000000..b160f2e70bc8 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/chainsaw-test.yaml @@ -0,0 +1,14 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: use-generate-existing-on-policy-update +spec: + steps: + - name: step-01 + try: + - apply: + expect: + - check: + ($error != null): true + file: policy.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml new file mode 100644 index 000000000000..8969b27855b8 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/use-generate-existing-on-policy-update/policy.yaml 
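Review bot: The `($error != null): true` check in the new chainsaw-test.yaml accepts any failure of the apply, so the test also passes when the policy is rejected for an unrelated reason (CRD or webhook not yet ready, a transient API error) rather than because `spec.generateExistingOnPolicyUpdate` is deprecated, which is the property the README says is under test. Asserting on the message narrows it, e.g. `(contains($error, 'generateExistingOnPolicyUpdate')): true` next to the null check, with the substring matched to whatever the admission webhook actually returns for this field. The identical test under `validation/policy/use-generate-existing-on-policy-update/` in the following hunks has the same gap and reuses the Test name `use-generate-existing-on-policy-update`; a distinguishing suffix there keeps the two reports apart.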
@@ -0,0 +1,31 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-policy +spec: + generateExistingOnPolicyUpdate: true + rules: + - name: generate-rule + match: + any: + - resources: + kinds: + - Namespace + selector: + matchLabels: + color: blue + generate: + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: default-deny + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + metadata: + labels: + created-by: kyverno + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml index 2291bdd1aa24..116b459c8ec6 100644 --- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-1.yaml @@ -5,7 +5,7 @@ metadata: name: pol-target-namespace-scope-fail-1 namespace: default spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: iam.aws.crossplane.io/v1beta1 diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml index 81d76143de13..e68fe76496eb 100644 --- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-2.yaml @@ -5,7 +5,7 @@ metadata: name: pol-target-namespace-scope-fail-2 namespace: default spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: rbac.authorization.k8s.io/v1 
diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml index 41c369ce2dfe..f09121c55ac4 100644 --- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-fail-3.yaml @@ -5,7 +5,7 @@ metadata: name: pol-target-namespace-scope-fail-3 namespace: default spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: rbac.authorization.k8s.io/v1 diff --git a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml index ec0d97e11c8f..3ed90d89220c 100644 --- a/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml +++ b/test/conformance/chainsaw/generate/validation/policy/target-namespace-scope/policy-pass.yaml @@ -4,7 +4,7 @@ metadata: name: user-per-namespace-pass namespace: default spec: - generateExistingOnPolicyUpdate: true + generateExisting: true rules: - generate: apiVersion: rbac.authorization.k8s.io/v1 diff --git a/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md new file mode 100644 index 000000000000..466682496008 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/README.md @@ -0,0 +1,7 @@ +## Description + +This test ensures that the creation of a generate policy that makes use of `spec.generateExistingOnPolicyUpdate` is blocked since it is a deprecated field. + +## Expected Behavior + +The test passes if the policy creation is blocked, otherwise fails. 
diff --git a/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml new file mode 100755 index 000000000000..b160f2e70bc8 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/chainsaw-test.yaml @@ -0,0 +1,14 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: use-generate-existing-on-policy-update +spec: + steps: + - name: step-01 + try: + - apply: + expect: + - check: + ($error != null): true + file: policy.yaml diff --git a/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml new file mode 100644 index 000000000000..a2e909e98096 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/policy/use-generate-existing-on-policy-update/policy.yaml @@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: generate-policy + namespace: default +spec: + generateExistingOnPolicyUpdate: true + rules: + - name: generate-rule + match: + any: + - resources: + kinds: + - Namespace + selector: + matchLabels: + color: blue + generate: + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: default-deny + namespace: "{{request.object.metadata.name}}" + synchronize: true + data: + metadata: + labels: + created-by: kyverno + spec: + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file diff --git a/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml index 31c1c8adf240..4b9f45cdeb2e 100755 --- a/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml 
+++ b/test/conformance/chainsaw/globalcontext/apicall-correct/clusterpolicy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-apicall-correct spec: - validationFailureAction: Enforce failurePolicy: Fail rules: - name: main-deployment-exists @@ -25,6 +24,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: diff --git a/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml index bce134a38992..8d892bda144e 100755 --- a/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml +++ b/test/conformance/chainsaw/globalcontext/gctxentry-not-exist/clusterpolicy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-gctxentry-not-exist spec: - validationFailureAction: Enforce failurePolicy: Fail rules: - name: main-deployment-exists @@ -25,6 +24,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: diff --git a/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml index da32709a9e03..68354b635715 100755 --- a/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml +++ b/test/conformance/chainsaw/globalcontext/not-ready/clusterpolicy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-not-ready spec: - validationFailureAction: Enforce failurePolicy: Fail rules: - name: main-deployment-exists @@ -25,6 +24,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: diff --git a/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml index ec2126c4f518..bc0011f2c00a 100755 --- a/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml 
+++ b/test/conformance/chainsaw/globalcontext/resource-correct/clusterpolicy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-resource-correct spec: - validationFailureAction: Enforce failurePolicy: Fail rules: - name: main-deployment-exists @@ -25,6 +24,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: diff --git a/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml b/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml index f2ea6475262c..09d25573eeeb 100755 --- a/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml +++ b/test/conformance/chainsaw/globalcontext/validate-reference/clusterpolicy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: cpol-gctx-validate-reference spec: - validationFailureAction: Enforce failurePolicy: Fail rules: - name: main-deployment-exists @@ -24,6 +23,7 @@ spec: - CREATE - UPDATE validate: + validationFailureAction: Enforce deny: conditions: any: diff --git a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml index d94cbeb7f8bd..8cf139161030 100644 --- a/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml +++ b/test/conformance/chainsaw/mutate/cascading/first-rule-is-foreach/policy.yaml @@ -4,7 +4,6 @@ metadata: name: mutate-chain spec: background: false - validationFailureAction: Enforce rules: - name: mutation1 match: diff --git a/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml b/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml index 69baa7b93bbe..922e47ec7224 100644 --- a/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml +++ b/test/conformance/chainsaw/mutate/cascading/no-foreach/policy.yaml 
@@ -4,7 +4,6 @@ metadata: name: mutate-chain spec: background: false - validationFailureAction: Enforce rules: - name: mutation1 match: diff --git a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml index 11d393a9c84d..0aa5b4733656 100644 --- a/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml +++ b/test/conformance/chainsaw/mutate/cascading/two-foreach-rules/policy.yaml @@ -4,7 +4,6 @@ metadata: name: mutate-chain spec: background: false - validationFailureAction: Enforce rules: - name: mutation1 match: diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/chainsaw-step-01-apply-1-1.yaml index fc8832cc8375..1558296ba2f7 100755 --- a/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/chainsaw-step-01-apply-1-1.yaml +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/basic-check-output/chainsaw-step-01-apply-1-1.yaml @@ -20,4 +20,3 @@ spec: labels: foo: bar name: add-labels - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/README.md new file mode 100644 index 000000000000..34af69e06a52 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/README.md 
@@ -0,0 +1,22 @@
+## Description
+
+This test ensures that a mutate policy of two rules; one of which sets the `mutateExistingOnPolicyUpdate` while the other doesn't, works as expected.
+
+## Expected Behavior
+
+1. Create two Namespaces `staging-2` and `staging-3`.
+
+2. Create two Secrets `test-secret-2` and `test-secret-3` in Namespaces `staging-2` and `staging-3` respectively.
+
+3. Create two ConfigMaps `dictionary-2` and `dictionary-3` in Namespaces `staging-2` and `staging-3` respectively.
+
+4. Create a ClusterPolicy with two mutate rules:
+ - The first rule matches a ConfigMap named `dictionary-3` in Namespace `staging-3` and doesn't set the `mutateExistingOnPolicyUpdate`. Its target is to mutate a Secret named `test-secret-3` in Namespace `staging-3`. In this case, the rule will take the value from `spec.mutateExistingOnPolicyUpdate` field.
+
+ - The second rule matches a ConfigMap named `dictionary-2` in Namespace `staging-2` and sets the value of `mutateExistingOnPolicyUpdate` to `false`. Its target is to mutate a Secret named `test-secret-2` in Namespace `staging-2`.
+
+5. On policy creation, the Secret `test-secret-3` in Namespace `staging-3` should be mutated whereas the Secret `test-secret-2` in Namespace `staging-2` should not be mutated.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/chainsaw-test.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/chainsaw-test.yaml
new file mode 100755
index 000000000000..2a6099d20e3e
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/chainsaw-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: different-configurations-for-mutate-existing
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: namespaces.yaml
+ - apply:
+ file: configmaps.yaml
+ - apply:
+ file: secrets.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: mutated-secret.yaml
+ - name: step-04
+ try:
+ - error:
+ file: mutated-secret-error.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/configmaps.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/configmaps.yaml
new file mode 100755
index 000000000000..6cc0e9ec997b
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/configmaps.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: dictionary-3
+ namespace: staging-3
+---
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: dictionary-2
+ namespace: staging-2
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/mutated-secret-error.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/mutated-secret-error.yaml
new file mode 100755
index 000000000000..6ad79a82de24
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/mutated-secret-error.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ foo: dictionary-2
+ name: test-secret-2
+ namespace: staging-2
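Review bot: `creationTimestamp: null` under `metadata` is scaffolding output that carries no meaning for a Chainsaw `Test` and is best dropped so the fixture reads as hand-written; the same line appears in the sibling `different-mutate-existing-values/chainsaw-test.yaml` added in this commit. The step sequence itself (apply fixtures, apply the policy and wait on `policy-ready.yaml`, assert the mutated Secret, then `error` on the Secret that must stay untouched) is clear, though a one-line comment above `step-04` such as `# test-secret-2 must NOT carry the label: its rule disables mutateExistingOnPolicyUpdate` would tell readers why an `error` check is the assertion there.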
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/mutated-secret.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/mutated-secret.yaml
new file mode 100755
index 000000000000..9a97e2d31a57
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/mutated-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ foo: dictionary-3
+ name: test-secret-3
+ namespace: staging-3
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/namespaces.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/namespaces.yaml
new file mode 100755
index 000000000000..af5ec53136d4
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/namespaces.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ cloud.platformzero.com/serviceClass: xl2
+ labels:
+ app-type: corp
+ name: staging-3
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ cloud.platformzero.com/serviceClass: xl2
+ labels:
+ app-type: corp
+ name: staging-2
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/policy-ready.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/policy-ready.yaml
new file mode 100755
index 000000000000..b70ab413882d
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-post-mutation-create-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/policy.yaml
new file mode 100755
index 000000000000..4565f4b0ae9c
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/policy.yaml
@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-post-mutation-create-policy
+spec:
+ mutateExistingOnPolicyUpdate: true
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - dictionary-3
+ namespaces:
+ - staging-3
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: '{{ request.object.metadata.name }}'
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: test-secret-3
+ namespace: '{{ request.object.metadata.namespace }}'
+ name: mutate-secret-on-policy-create
+ - match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - dictionary-2
+ namespaces:
+ - staging-2
+ mutate:
+ mutateExistingOnPolicyUpdate: false
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: '{{ request.object.metadata.name }}'
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: test-secret-2
+ namespace: '{{ request.object.metadata.namespace }}'
+ name: disable-mutate-existing
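Review bot: This ClusterPolicy is named `test-post-mutation-create-policy` and works on namespaces `staging-2`/`staging-3`, exactly the same name and namespaces used by the `policy.yaml` of the sibling `different-mutate-existing-values` test added in this commit. ClusterPolicy is cluster-scoped, so if the suite ever runs these two tests concurrently the second apply overwrites the first policy's rules, and the cleanup of whichever test finishes first presumably removes the shared namespaces and policy from under the other. Give each test its own policy name (e.g. `name: different-configurations-for-mutate-existing`) and change the matching `policy-ready.yaml` to the same name; test-specific namespace names would remove the remaining overlap. Since the first rule deliberately omits `mutateExistingOnPolicyUpdate` to inherit the spec-level `true`, a comment on that rule such as `# no rule-level mutateExistingOnPolicyUpdate: inherits spec.mutateExistingOnPolicyUpdate` would make the intent visible without the README.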
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/secrets.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/secrets.yaml
new file mode 100755
index 000000000000..740ed3ba26e6
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-configurations-for-mutate-existing/secrets.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: test-secret-3
+ namespace: staging-3
+type: Opaque
+---
+apiVersion: v1
+data:
+ foo: YmFy
+kind: Secret
+metadata:
+ name: test-secret-2
+ namespace: staging-2
+type: Opaque
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/README.md
new file mode 100644
index 000000000000..2b3be6ce2329
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/README.md
@@ -0,0 +1,22 @@
+## Description
+
+This test ensures that a mutate policy of two rules with different values of `mutateExistingOnPolicyUpdate` works as expected.
+
+## Expected Behavior
+
+1. Create two Namespaces `staging-2` and `staging-3`.
+
+2. Create two Secrets `test-secret-2` and `test-secret-3` in Namespaces `staging-2` and `staging-3` respectively.
+
+3. Create two ConfigMaps `dictionary-2` and `dictionary-3` in Namespaces `staging-2` and `staging-3` respectively.
+
+4. Create a ClusterPolicy with two mutate rules:
+ - The first rule matches a ConfigMap named `dictionary-3` in Namespace `staging-3` and sets the value of `mutateExistingOnPolicyUpdate` to `false`. Its target is to mutate a Secret named `test-secret-3` in Namespace `staging-3`.
+
+ - The second rule matches a ConfigMap named `dictionary-2` in Namespace `staging-2` and sets the value of `mutateExistingOnPolicyUpdate` to `false`. Its target is to mutate a Secret named `test-secret-2` in Namespace `staging-2`.
+
+5. On policy creation, the Secret `test-secret-3` in Namespace `staging-3` should be mutated whereas the Secret `test-secret-2` in Namespace `staging-2` should not be mutated.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/chainsaw-test.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/chainsaw-test.yaml
new file mode 100755
index 000000000000..684f32d6dc41
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/chainsaw-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: different-mutate-existing-values
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: namespaces.yaml
+ - apply:
+ file: configmaps.yaml
+ - apply:
+ file: secrets.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: mutated-secret.yaml
+ - name: step-04
+ try:
+ - error:
+ file: mutated-secret-error.yaml
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/configmaps.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/configmaps.yaml
new file mode 100755
index 000000000000..6cc0e9ec997b
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/configmaps.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: dictionary-3
+ namespace: staging-3
+---
+apiVersion: v1
+data:
+ foo: bar
+kind: ConfigMap
+metadata:
+ name: dictionary-2
+ namespace: staging-2
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/mutated-secret-error.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/mutated-secret-error.yaml
new file mode 100755
index 000000000000..6ad79a82de24
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/mutated-secret-error.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ foo: dictionary-2
+ name: test-secret-2
+ namespace: staging-2
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/mutated-secret.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/mutated-secret.yaml
new file mode 100755
index 000000000000..9a97e2d31a57
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/mutated-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ foo: dictionary-3
+ name: test-secret-3
+ namespace: staging-3
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/namespaces.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/namespaces.yaml
new file mode 100755
index 000000000000..af5ec53136d4
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/namespaces.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ cloud.platformzero.com/serviceClass: xl2
+ labels:
+ app-type: corp
+ name: staging-3
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ annotations:
+ cloud.platformzero.com/serviceClass: xl2
+ labels:
+ app-type: corp
+ name: staging-2
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/policy-ready.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/policy-ready.yaml
new file mode 100755
index 000000000000..b70ab413882d
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-post-mutation-create-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/policy.yaml
new file mode 100755
index 000000000000..da53873e64f2
--- /dev/null
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/policy.yaml
@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-post-mutation-create-policy
+spec:
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - dictionary-3
+ namespaces:
+ - staging-3
+ mutate:
+ mutateExistingOnPolicyUpdate: true
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: '{{ request.object.metadata.name }}'
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: test-secret-3
+ namespace: '{{ request.object.metadata.namespace }}'
+ name: mutate-secret-on-policy-create
+ - match:
+ any:
+ - resources:
+ kinds:
+ - ConfigMap
+ names:
+ - dictionary-2
+ namespaces:
+ - staging-2
+ mutate:
+ mutateExistingOnPolicyUpdate: false
+ patchStrategicMerge:
+ metadata:
+ labels:
+ foo: '{{ request.object.metadata.name }}'
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: test-secret-2
+ namespace: '{{ request.object.metadata.namespace }}'
+ name: disable-mutate-existing
diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/secrets.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/secrets.yaml
new file mode 100755
index 000000000000..740ed3ba26e6
--- /dev/null
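Review bot: The README added for this test says the first rule "sets the value of `mutateExistingOnPolicyUpdate` to `false`", but the `mutate-secret-on-policy-create` rule here sets `mutateExistingOnPolicyUpdate: true`, which is what the expected outcome (`test-secret-3` mutated, `test-secret-2` untouched) requires; the README sentence should read `sets the value of \`mutateExistingOnPolicyUpdate\` to \`true\``. Unlike the sibling `different-configurations-for-mutate-existing` policy, this spec sets no top-level `mutateExistingOnPolicyUpdate`, so the rule-level values appear to be the only thing deciding which target is mutated, and a short comment on each `mutate:` block stating that would keep the fixture self-explanatory. The policy name `test-post-mutation-create-policy` and the namespaces are shared with that sibling test; see the note on its `policy.yaml` hunk for the collision concern.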
+++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/onpolicyupdate/different-mutate-existing-values/secrets.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: test-secret-3 + namespace: staging-3 +type: Opaque +--- +apiVersion: v1 +data: + foo: YmFy +kind: Secret +metadata: + name: test-secret-2 + namespace: staging-2 +type: Opaque diff --git a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/chainsaw-step-02-apply-1-1.yaml index c3fd83da3136..807ef2aafd30 100755 --- a/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/chainsaw-step-02-apply-1-1.yaml +++ b/test/conformance/chainsaw/mutate/e2e/foreach-patchStrategicMerge-context/chainsaw-step-02-apply-1-1.yaml @@ -32,4 +32,3 @@ spec: value: - CREATE - UPDATE - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml index c81b03bebc24..054ecb988017 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-generate.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: generate spec: - validationFailureAction: Audit admission: false background: true rules: diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml index c32a42c7511a..37cd9ee095fd 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml 
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-mutate.yaml @@ -21,4 +21,3 @@ spec: labels: foo: bar name: mutate - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml index 49e9184d5648..5a5b1b122b90 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-validate.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate spec: - validationFailureAction: Audit admission: false background: true rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml index 84169ccd4603..d797d5bc11a8 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/admission-disabled/policy-verify-image.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: verify-image spec: - validationFailureAction: Audit admission: false background: true rules: @@ -14,7 +13,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Audit + imageReferences: - "ghcr.io/kyverno/test-verify-image:*" attestors: - entries: diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml index 0370eaa4f7e8..26703a717fd0 100644 
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/all-disabled/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: all-disabled spec: - validationFailureAction: Audit admission: false background: false rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml index 1e105b2f9be0..a06e1790a9a4 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-1.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Scale validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml index ee896b453550..45434a4b2d61 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-2.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod/scale validate: + validationFailureAction: Audit deny: {} 
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml index 42f110e636c0..8ecde3c0e29f 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-3.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod/* validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml index 1636a5b6ba16..dda595fcb094 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-4.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - '*/*' validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml index 0ba57c663bf4..832a0f11a37c 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-subresource/policy-5.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny 
@@ -13,4 +12,5 @@ spec: kinds: - '*/status' validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml index 3d67a52e6fa9..8ab96974fc76 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy-update.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: background-variables-update spec: - validationFailureAction: Audit background: true rules: - name: ns-vars-userinfo @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml index 90e89fba8967..995abd40ebe4 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/background-variables-update/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: background-variables-update spec: - validationFailureAction: Audit background: false rules: - name: ns-vars-userinfo @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml index 1cddc15c9d66..e11c052e6437 100644 
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-1.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny-secret-service-account-token spec: - validationFailureAction: Enforce background: true rules: - name: check-service-account-token @@ -13,6 +12,7 @@ spec: kinds: - Secret validate: + validationFailureAction: Enforce cel: expressions: - message: "long lived API tokens are not allowed" diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml index dc764e125ba3..92fd8bd417bc 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/cel-expressions/policy-2.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-deployment-replicas spec: - validationFailureAction: Enforce background: true rules: - name: check-deployment-replicas @@ -13,6 +12,7 @@ spec: kinds: - Deployment validate: + validationFailureAction: Enforce cel: expressions: - expression: "object.replicas > 1" # should be "object.spec.replicas > 1" diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml index deab31c588ca..2c0a59573fbe 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-deprecated-operator.yaml @@ -14,6 +14,7 @@ spec: - Pod name: test-not-in validate: + validationFailureAction: Enforce deny: conditions: any: 
@@ -23,4 +24,3 @@ spec: value: - busybox - busybox1 - validationFailureAction: Enforce \ No newline at end of file diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml index ab7153766576..2ab30eaee7d0 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/deprecated-operations/policy-invalid-operator.yaml @@ -14,6 +14,7 @@ spec: - Pod name: test-invalid validate: + validationFailureAction: Enforce deny: conditions: any: @@ -23,4 +24,3 @@ spec: value: - busybox - busybox1 - validationFailureAction: Enforce \ No newline at end of file diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml index 81d411c59f59..8648e1c0e05f 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-1.yaml @@ -4,7 +4,6 @@ metadata: name: psa-1 spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml index a69449e48538..097645885679 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml 
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-pod-security-rule/policy-2.yaml @@ -4,7 +4,6 @@ metadata: name: psa-2 spec: background: true - validationFailureAction: Enforce rules: - name: baseline match: @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: baseline version: latest diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml index 2c73d95718fb..0235e29ebe2a 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-1.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit webhookTimeoutSeconds: -1 rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml index c7510ba423c2..69eba343d744 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout-deprecated/policy-2.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit webhookTimeoutSeconds: 31 rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml index 3f48c1eb06b2..7061887c51bc 100644 
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit rules: - name: deny match: @@ -12,6 +11,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} webhookConfiguration: timeoutSeconds: -1 diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml index 11a0a39da11c..d320e00d9826 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: deny spec: - validationFailureAction: Audit rules: - name: deny match: @@ -12,6 +11,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} webhookConfiguration: timeoutSeconds: 31 diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml index f69ca35c4566..b14f32e885fb 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-app-label spec: - validationFailureAction: Enforce background: false rules: - name: require-app-label @@ -14,6 +13,7 @@ spec: - Pod - Deployment validate: + validationFailureAction: Enforce message: Pod must include the 'app=my-app' label pattern: metadata: 
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/chainsaw-step-01-apply-1.yaml index 61ca7890c725..093577340c64 100755 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/schema-validation-crd/chainsaw-step-01-apply-1.yaml @@ -38,4 +38,3 @@ spec: - key: '{{ request.object.spec.scope }}' operator: Equals value: Namespaced - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml index 1904697dc957..bfd61ec25e0e 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/success/policy-1.yaml @@ -6,7 +6,6 @@ metadata: policies.kyverno.io/title: Inject vault init Container spec: background: false - validationFailureAction: Audit rules: - name: inject-vault-sidecar match: diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml index d12a8e299b49..30467564907d 100644 --- a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-mutate.yaml @@ -22,4 +22,3 @@ spec: labels: foo: bar name: mutate - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml index 8a334b28d664..b8a4fc6c5fe6 100644 
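Review bot: In `schema-validation-crd/chainsaw-step-01-apply-1.yaml` and `success/policy-1.yaml` the spec-level `validationFailureAction: Audit` is removed without a rule-level replacement, unlike the other hunks in this change, so these two fixtures now depend on the field's default value. If that default is Audit the behaviour is unchanged, but adding the explicit `validationFailureAction: Audit` under each rule's `validate:` keeps them consistent with the rest of the migration and robust to a future default change. `policy-mutate.yaml` only contains a mutate rule, so dropping the field there needs no replacement.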
--- a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-validate.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: validate spec: - validationFailureAction: Audit admission: false background: true rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml index 10f32ee1e1d0..532c65b17e2b 100644 --- a/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/admission-disabled/policy-verify-image.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: verify-image spec: - validationFailureAction: Audit admission: false background: true rules: @@ -14,7 +13,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Audit + imageReferences: - "ghcr.io/kyverno/test-verify-image:*" attestors: - entries: diff --git a/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml b/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml index 207a93769bd5..5d975e9e32df 100644 --- a/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/all-disabled/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: all-disabled spec: - validationFailureAction: Audit admission: false background: false rules: @@ -14,4 +13,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} 
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml index 34b13f163947..4691296bf6a9 100644 --- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-1.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Scale validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml index 8be60c2d6543..541eb45edf50 100644 --- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-2.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod/scale validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml index 1a30fa8798ce..9d027cbc4533 100644 --- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-3.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod/* validate: + validationFailureAction: Audit deny: {} 
diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml index ca34bbbf1d56..e311f15fb8a3 100644 --- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-4.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - '*/*' validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml index 33e9a6611bd1..333c711ffa4b 100644 --- a/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/background-subresource/policy-5.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit background: true rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - '*/status' validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml index 87d62b44d9fb..bddc817a9d54 100644 --- a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-1.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit webhookTimeoutSeconds: -1 rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} 
diff --git a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml index 3200c841f295..ddd8d604c8fd 100644 --- a/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/policy/invalid-timeout/policy-2.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: deny spec: - validationFailureAction: Audit webhookTimeoutSeconds: 31 rules: - name: deny @@ -13,4 +12,5 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit deny: {} diff --git a/test/conformance/chainsaw/rangeoperators/standard/policy.yaml b/test/conformance/chainsaw/rangeoperators/standard/policy.yaml index 488b2f902348..c7d0abd79da1 100644 --- a/test/conformance/chainsaw/rangeoperators/standard/policy.yaml +++ b/test/conformance/chainsaw/rangeoperators/standard/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-value spec: - validationFailureAction: Enforce rules: - name: check-value match: @@ -12,6 +11,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: "All data values must be in the specified range." pattern: data: diff --git a/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/README.md b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/README.md new file mode 100644 index 000000000000..9e88be826697 --- /dev/null +++ b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that a policy is successfully created since it is given the necessary permissions to delete a secret named `test-secret`. + +## Expected Behavior + +The test passes if the policy is successfully created. Otherwise, it fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/10221 
diff --git a/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/chainsaw-test.yaml b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/chainsaw-test.yaml new file mode 100644 index 000000000000..66a043fa0ec7 --- /dev/null +++ b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/chainsaw-test.yaml @@ -0,0 +1,17 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: cleanup-policy-with-clusterrole +spec: + steps: + - name: step-01 + try: + - apply: + file: clusterrole.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/clusterrole.yaml b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/clusterrole.yaml new file mode 100644 index 000000000000..a615c6241068 --- /dev/null +++ b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/clusterrole.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:cleanup-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - test-secret + verbs: + - list + - delete diff --git a/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy-assert.yaml b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy-assert.yaml new file mode 100644 index 000000000000..523fe8d84cf7 --- /dev/null +++ b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy-assert.yaml @@ -0,0 +1,5 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterCleanupPolicy +metadata: + name: test-secret-removal +spec: {} 
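Review bot: `policy-assert.yaml` only asserts that the ClusterCleanupPolicy `test-secret-removal` exists (`spec: {}`), which is weaker than the sibling `mutate-policy-with-clusterrole/policy-assert.yaml` that checks `status.conditions` for `type: Ready` / `status: "True"`; asserting the Ready condition here would also catch a policy that is admitted but later fails its permission check, which is the behaviour the README says the test is meant to cover. Separately, `clusterrole.yaml` pairs `resourceNames: [test-secret]` with the `list` verb; Kubernetes honours `resourceNames` for `list`/`watch` only when the client sends a matching `metadata.name` field selector, so if the cleanup controller lists secrets without one this grant is not effective and the test may be passing on other permissions (the same caveat applies to `list`/`watch` in `mutate-policy-with-clusterrole/clusterrole.yaml` further down). The `delete` grant being scoped to a single resource name is the right least-privilege shape for the fixture.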
diff --git a/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy.yaml b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy.yaml new file mode 100644 index 000000000000..be1f01da4289 --- /dev/null +++ b/test/conformance/chainsaw/rbac/cleanup-policy-with-clusterrole/policy.yaml @@ -0,0 +1,13 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterCleanupPolicy +metadata: + name: test-secret-removal +spec: + match: + any: + - resources: + kinds: + - Secret + names: + - test-secret + schedule: "*/10 * * * *" diff --git a/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/README.md b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/README.md new file mode 100644 index 000000000000..6abe1d04cdbf --- /dev/null +++ b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/README.md @@ -0,0 +1,11 @@ +## Description + +This test ensures that a policy is successfully created since it is given the necessary permissions to mutate a Deployment named `monitor-grafana`. + +## Expected Behavior + +The test passes if the policy is successfully created. Otherwise, it fails. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/9133 diff --git a/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/chainsaw-test.yaml b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/chainsaw-test.yaml new file mode 100644 index 000000000000..ab556a41b8ce --- /dev/null +++ b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/chainsaw-test.yaml @@ -0,0 +1,17 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: mutate-policy-with-clusterrole +spec: + steps: + - name: step-01 + try: + - apply: + file: clusterrole.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml 
diff --git a/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/clusterrole.yaml b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/clusterrole.yaml new file mode 100644 index 000000000000..cc0c0b1b4618 --- /dev/null +++ b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/clusterrole.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno:mutate-deployments +rules: +- apiGroups: + - apps + resources: + - deployments + resourceNames: + - "monitor-grafana" + verbs: + - get + - list + - patch + - update + - watch diff --git a/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy-assert.yaml b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy-assert.yaml new file mode 100644 index 000000000000..e0768771ae24 --- /dev/null +++ b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: policy-reload-on-secret-update +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy.yaml b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy.yaml new file mode 100644 index 000000000000..f7f8f10dc0da --- /dev/null +++ b/test/conformance/chainsaw/rbac/mutate-policy-with-clusterrole/policy.yaml 
@@ -0,0 +1,32 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: policy-reload-on-secret-update +spec: + rules: + - name: update-secret + match: + any: + - resources: + kinds: + - Secret + names: + - applicationsecret + preconditions: + all: + - key: "{{ request.operation || 'BACKGROUND' }}" + operator: Equals + value: UPDATE + mutate: + mutateExistingOnPolicyUpdate: false + targets: + - apiVersion: apps/v1 + kind: Deployment + name: monitor-grafana + patchStrategicMerge: + spec: + template: + metadata: + annotations: + example.com/triggerrestart: "{{ request.object.metadata.resourceVersion }}" diff --git a/test/conformance/chainsaw/reports/admission/exception/policy.yaml b/test/conformance/chainsaw/reports/admission/exception/policy.yaml index 401eadbcf591..fb7a31272006 100644 --- a/test/conformance/chainsaw/reports/admission/exception/policy.yaml +++ b/test/conformance/chainsaw/reports/admission/exception/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: Enforce background: true rules: - name: require-team @@ -13,6 +12,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml b/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml index 16f853fdeb20..e842dd0fb791 100644 --- a/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml +++ b/test/conformance/chainsaw/reports/admission/namespaceselector/policy.yaml @@ -7,7 +7,6 @@ metadata: spec: background: false mutateExistingOnPolicyUpdate: false - validationFailureAction: Audit rules: - name: test-audit-reports-namespacesselector match: @@ -20,6 +19,7 @@ spec: - key: org operator: Exists validate: + validationFailureAction: Audit pattern: metadata: annotations: 
diff --git a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml index 4443bd68bef1..f31c09206796 100755 --- a/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/reports/admission/test-report-admission-mode/chainsaw-step-01-apply-1.yaml @@ -12,9 +12,9 @@ spec: - Namespace name: check-owner validate: + validationFailureAction: Audit message: The `owner` label is required for all Namespaces. pattern: metadata: labels: owner: ?* - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/README.md b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/README.md new file mode 100644 index 000000000000..5f5ca4c5b333 --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/README.md 
@@ -0,0 +1,23 @@ +## Description + +This test ensures that a policy with two rules with different modes is applied correctly on resources and reports are successfully created. + +## Expected Behavior + +1. Create a policy that has two rules: + - The first rule is `require-ns-purpose-label` in the `Enforce` mode that requires the `purpose` label to be set on namespaces. + - The second rule is `require-ns-env-label` in the `Audit` mode that requires the `environment` field to be set on namespaces. + +2. Create a `good-ns-1` namespace that has the `purpose` label. It is expected that the namespace will be created successfully. + +3. Create a `good-ns-2` namespace that has both the `purpose` and `environment` labels. It is expected that the namespace will be created successfully. + +4. Create a `bad-ns-1` namespace that doesn't have the `purpose` label. It is expected that the namespace will be blocked with a message reporting the violation of the `require-ns-purpose-label` rule. + +5. Create a `bad-ns-2` namespace that doesn't have any labels. It is expected that the namespace will be blocked with messages reporting the violations of both rules. + +6. Two ClusterPolicyReports will be created for each of the `good-ns-1` and `good-ns-2` namespaces. + +## Reference Issue(s) + +#10682 diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/bad-resources.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/bad-resources.yaml new file mode 100644 index 000000000000..8284996c7390 --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/bad-resources.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bad-ns-1 + labels: + environment: production +--- +apiVersion: v1 +kind: Namespace +metadata: + name: bad-ns-2 \ No newline at end of file 
diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/chainsaw-test.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/chainsaw-test.yaml new file mode 100644 index 000000000000..c2695c338ec1 --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/chainsaw-test.yaml @@ -0,0 +1,34 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: two-rules-with-different-modes +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: good-resources.yaml + - name: step-03 + try: + - apply: + expect: + - check: + ($error != null): true + file: bad-resources.yaml + - name: step-04 + try: + - sleep: + duration: 5s + - name: step-05 + try: + - assert: + file: reports-assert.yaml + - error: + file: reports-error.yaml diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/good-resources.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/good-resources.yaml new file mode 100644 index 000000000000..487bdbed1753 --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/good-resources.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: good-ns-1 + labels: + purpose: production +--- +apiVersion: v1 +kind: Namespace +metadata: + name: good-ns-2 + labels: + purpose: production + environment: production diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy-assert.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy-assert.yaml new file mode 100644 index 000000000000..3d14b530d703 --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy-assert.yaml 
@@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-ns-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy.yaml new file mode 100644 index 000000000000..0706a5b3dd67 --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/policy.yaml @@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-ns-labels +spec: + rules: + - name: require-ns-purpose-label + match: + any: + - resources: + kinds: + - Namespace + validate: + validationFailureAction: Enforce + message: "You must have label `purpose` with value `production` set on all new namespaces." + pattern: + metadata: + labels: + purpose: production + - name: require-ns-env-label + match: + any: + - resources: + kinds: + - Namespace + validate: + validationFailureAction: Audit + message: "You must have label `environment` with value `production` set on all new namespaces." + pattern: + metadata: + labels: + environment: production diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-assert.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-assert.yaml new file mode 100644 index 000000000000..e74e9b1c4250 --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-assert.yaml 
@@ -0,0 +1,66 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: good-ns-1 +results: +- message: 'validation error: You must have label `environment` with value `production` + set on all new namespaces. rule require-ns-env-label failed at path /metadata/labels/environment/' + policy: check-ns-labels + result: fail + rule: require-ns-env-label + scored: true + source: kyverno +- message: validation rule 'require-ns-purpose-label' passed. + policy: check-ns-labels + result: pass + rule: require-ns-purpose-label + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Namespace + name: good-ns-1 +summary: + error: 0 + fail: 1 + pass: 1 + skip: 0 + warn: 0 +--- +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + labels: + app.kubernetes.io/managed-by: kyverno + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: good-ns-2 +results: +- message: validation rule 'require-ns-env-label' passed. + policy: check-ns-labels + result: pass + rule: require-ns-env-label + scored: true + source: kyverno +- message: validation rule 'require-ns-purpose-label' passed. + policy: check-ns-labels + result: pass + rule: require-ns-purpose-label + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Namespace + name: good-ns-2 +summary: + error: 0 + fail: 0 + pass: 2 + skip: 0 + warn: 0 diff --git a/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-error.yaml b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-error.yaml new file mode 100644 index 000000000000..4e4e1b87dd38 --- /dev/null +++ b/test/conformance/chainsaw/reports/admission/two-rules-with-different-modes/reports-error.yaml 
@@ -0,0 +1,15 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: bad-ns-1 +--- +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: bad-ns-2 diff --git a/test/conformance/chainsaw/reports/admission/update/policy.yaml b/test/conformance/chainsaw/reports/admission/update/policy.yaml index e296c0d44a62..7045fdb916cd 100644 --- a/test/conformance/chainsaw/reports/admission/update/policy.yaml +++ b/test/conformance/chainsaw/reports/admission/update/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: disallow-latest-tag spec: - validationFailureAction: Audit background: true rules: - name: validate-image-tag-pod @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: "Using a mutable image tag e.g. 'latest' is not allowed." pattern: spec: diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml index 04610644da19..cf0ea015f007 100644 --- a/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml +++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: check-deployment-replicas spec: - validationFailureAction: Enforce background: true rules: - name: check-deployment-replicas @@ -13,6 +12,7 @@ spec: kinds: - Deployment validate: + validationFailureAction: Enforce message: "Deployment should have at most 1 replica" deny: conditions: diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml index e2db6ec9b092..904270563625 100644 
--- a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml +++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/policy.yaml @@ -6,7 +6,6 @@ metadata: pod-policies.kyverno.io/autogen-controllers: none spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -15,6 +14,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce podSecurity: level: restricted version: latest diff --git a/test/conformance/chainsaw/reports/background/exception/policy.yaml b/test/conformance/chainsaw/reports/background/exception/policy.yaml index 3fcd7b2fe50a..f7602782bbc6 100644 --- a/test/conformance/chainsaw/reports/background/exception/policy.yaml +++ b/test/conformance/chainsaw/reports/background/exception/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: require-labels spec: - validationFailureAction: Enforce admission: false background: true rules: @@ -14,6 +13,7 @@ spec: kinds: - ConfigMap validate: + validationFailureAction: Enforce message: 'The label `team` is required.' pattern: metadata: diff --git a/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml b/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml index a823bc17204b..4cede2a12376 100644 --- a/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml +++ b/test/conformance/chainsaw/reports/background/report-deletion/policy.yaml @@ -13,7 +13,7 @@ spec: - Pod name: restricted validate: + validationFailureAction: Audit podSecurity: level: restricted version: latest - validationFailureAction: Audit diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml index f1332d1189e2..58d9e83ff0c9 100644 --- a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml 
+++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy-assert.yaml @@ -12,10 +12,10 @@ spec: - Pod name: restricted validate: + validationFailureAction: Audit podSecurity: level: restricted version: latest - validationFailureAction: Audit status: conditions: - reason: Succeeded diff --git a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml index 074dd3e88385..67776cbd45ca 100644 --- a/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml +++ b/test/conformance/chainsaw/reports/background/test-report-background-mode/policy.yaml @@ -18,7 +18,6 @@ metadata: restricted profile through the latest version of the Pod Security Standards cluster wide. spec: background: true - validationFailureAction: Audit rules: - name: restricted match: @@ -27,6 +26,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit podSecurity: level: restricted version: latest \ No newline at end of file diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/README.md b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/README.md new file mode 100644 index 000000000000..93077371891d --- /dev/null +++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/README.md 
@@ -0,0 +1,23 @@
+## Description
+
+This test ensures that reports are generated as a result of background scanning when a policy with two rules with different modes is applied on resources.
+
+## Expected Behavior
+
+1. Create a `good-ns-1` namespace that has the `purpose` label.
+
+2. Create a `good-ns-2` namespace that has both the `purpose` and `environment` labels.
+
+3. Create a `bad-ns-1` namespace that doesn't have the `purpose` label.
+
+4. Create a `bad-ns-2` namespace that doesn't have any labels.
+
+5. Create a policy that has two rules:
+ - The first rule is `require-ns-purpose-label` in the `Enforce` mode that requires the `purpose` label to be set on namespaces.
+ - The second rule is `require-ns-env-label` in the `Audit` mode that requires the `environment` field to be set on namespaces.
+
+6. Four ClusterPolicyReports will be created for each of the `good-ns-1`, `good-ns-2`, `bad-ns-1`, and `bad-ns-2` namespaces.
+
+## Reference Issue(s)
+
+#10682
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/bad-resources.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/bad-resources.yaml
new file mode 100644
index 000000000000..8284996c7390
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/bad-resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-ns-1
+ labels:
+ environment: production
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/chainsaw-test.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/chainsaw-test.yaml
new file mode 100644
index 000000000000..12232dc3313f
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/chainsaw-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: two-rules-with-different-modes
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: good-resources.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: bad-resources.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-04
+ try:
+ - sleep:
+ duration: 10s
+ - name: step-05
+ try:
+ - assert:
+ file: reports-assert.yaml
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/good-resources.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/good-resources.yaml
new file mode 100644
index 000000000000..487bdbed1753
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/good-resources.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: good-ns-1
+ labels:
+ purpose: production
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: good-ns-2
+ labels:
+ purpose: production
+ environment: production
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy-assert.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy-assert.yaml
new file mode 100644
index 000000000000..3d14b530d703
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ns-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy.yaml
new file mode 100644
index 000000000000..0706a5b3dd67
--- /dev/null
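Review bot: `step-04` is a bare `sleep` of `duration: 10s` placed before the report assertion in `step-05`; a chainsaw `assert` already polls until the step's timeout, so the fixed wait only delays the test and still leaves it flaky if the background scan takes longer than 10s on a loaded runner. If the intent is to give the scanner time, fold the two steps into a single `assert` step with an explicit step timeout (for example a `timeouts:` entry raising `assert`), or add a comment on the sleep saying why a fixed wait is needed here. The sibling admission-mode test's chainsaw file is outside this chunk, so I cannot tell whether it uses the same pattern.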
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ns-labels
+spec:
+ rules:
+ - name: require-ns-purpose-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ validationFailureAction: Enforce
+ message: "You must have label `purpose` with value `production` set on all new namespaces."
+ pattern:
+ metadata:
+ labels:
+ purpose: production
+ - name: require-ns-env-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ validationFailureAction: Audit
+ message: "You must have label `environment` with value `production` set on all new namespaces."
+ pattern:
+ metadata:
+ labels:
+ environment: production
diff --git a/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/reports-assert.yaml b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/reports-assert.yaml
new file mode 100644
index 000000000000..b2c44435b1fb
--- /dev/null
+++ b/test/conformance/chainsaw/reports/background/two-rules-with-different-modes/reports-assert.yaml
@@ -0,0 +1,123 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ ownerReferences:
+ - apiVersion: v1
+ kind: Namespace
+ name: good-ns-1
+results:
+- policy: check-ns-labels
+ result: fail
+ rule: require-ns-env-label
+ scored: true
+ source: kyverno
+- policy: check-ns-labels
+ result: pass
+ rule: require-ns-purpose-label
+ scored: true
+ source: kyverno
+scope:
+ apiVersion: v1
+ kind: Namespace
+ name: good-ns-1
+summary:
+ error: 0
+ fail: 1
+ pass: 1
+ skip: 0
+ warn: 0
+---
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ ownerReferences:
+ - apiVersion: v1
+ kind: Namespace
+ name: good-ns-2
+results:
+- policy: check-ns-labels
+ result: pass
+ rule: require-ns-env-label
+ scored: true
+ source: kyverno
+- policy: check-ns-labels
+ result: pass
+ rule: require-ns-purpose-label
+ scored: true
+ source: kyverno
+scope:
+ apiVersion: v1
+ kind: Namespace
+ name: good-ns-2
+summary:
+ error: 0
+ fail: 0
+ pass: 2
+ skip: 0
+ warn: 0
+---
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ ownerReferences:
+ - apiVersion: v1
+ kind: Namespace
+ name: bad-ns-1
+results:
+- policy: check-ns-labels
+ result: pass
+ rule: require-ns-env-label
+ scored: true
+ source: kyverno
+- policy: check-ns-labels
+ result: fail
+ rule: require-ns-purpose-label
+ scored: true
+ source: kyverno
+scope:
+ apiVersion: v1
+ kind: Namespace
+ name: bad-ns-1
+summary:
+ error: 0
+ fail: 1
+ pass: 1
+ skip: 0
+ warn: 0
+---
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ ownerReferences:
+ - apiVersion: v1
+ kind: Namespace
+ name: bad-ns-2
+results:
+- policy: check-ns-labels
+ result: fail
+ rule: require-ns-env-label
+ scored: true
+ source: kyverno
+- policy: check-ns-labels
+ result: fail + rule: require-ns-purpose-label + scored: true + source: kyverno +scope: + apiVersion: v1 + kind: Namespace + name: bad-ns-2 +summary: + error: 0 + fail: 2 + pass: 0 + skip: 0 + warn: 0 \ No newline at end of file diff --git a/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml b/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml index 3831d9ced551..ba04cc6f5c4a 100644 --- a/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml +++ b/test/conformance/chainsaw/reports/background/verify-image-fail/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: keyed-basic-policy spec: - validationFailureAction: Audit background: true webhookTimeoutSeconds: 30 rules: @@ -14,7 +13,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Audit + imageReferences: - ghcr.io/kyverno/test-verify-image:* verifyDigest: false mutateDigest: false diff --git a/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml b/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml index a0c6b904c867..0c15e58bde90 100644 --- a/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml +++ b/test/conformance/chainsaw/reports/background/verify-image-pass/policy.yaml @@ -3,7 +3,6 @@ kind: Policy metadata: name: keyed-basic-policy spec: - validationFailureAction: Audit background: true webhookTimeoutSeconds: 30 rules: @@ -14,7 +13,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Audit + imageReferences: - ghcr.io/kyverno/test-verify-image:* verifyDigest: false mutateDigest: false diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/README.md new file mode 100644 index 000000000000..2a7544c8213b --- /dev/null 
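Review bot: In the `verify-image-fail/policy.yaml` hunk the moved `validationFailureAction: Audit` becomes the first key of the `verifyImages` list item (`- validationFailureAction: Audit` followed by `imageReferences:`), while the other verifyImages fixtures touched by this commit (`multiple-attestors`, `configmap-context-lookup`, `empty-image`, the `imageExtractors-*` policies) keep the action as the last key of the item; the `verify-image-pass/policy.yaml` hunk has the same shape. Keeping `- imageReferences:` as the list-item head and appending `validationFailureAction: Audit` after the item's last key makes the diff a pure field move and the fixtures consistent. The verifyImages item continues past the end of this hunk, so the exact insertion point is outside the visible lines.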
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/README.md
@@ -0,0 +1,21 @@
+## Description
+
+This test ensures that a policy with two rules; one of which doesn't specify the `ValidationFailureAction` field, and the other specifies the `ValidationFailureAction` field, works as expected. The rule which don't specify the action should use the default action in `spec.ValidationFailureAction`.
+
+## Expected Behavior
+
+1. Create a policy that has two rules:
+ - The first rule is `require-ns-purpose-label` in the `Enforce` mode that requires the `purpose` label to be set on namespaces.
+ - The second rule is `require-ns-env-label` requires the `environment` field to be set on namespaces and doesn't specify the `ValidationFailureAction` field.
+
+2. Create a `good-ns-1` namespace that has the `purpose` label. It is expected that the namespace will be created successfully.
+
+3. Create a `good-ns-2` namespace that has both the `purpose` and `environment` labels. It is expected that the namespace will be created successfully.
+
+4. Create a `bad-ns-1` namespace that doesn't have the `purpose` label. It is expected that the namespace will be blocked with a message reporting the violation of the `require-ns-purpose-label` rule.
+
+5. Create a `bad-ns-2` namespace that doesn't have any labels. It is expected that the namespace will be blocked with messages reporting the violations of both rules.
+
+## Reference Issue(s)
+
+#10682
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/bad-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/bad-resources.yaml
new file mode 100644
index 000000000000..8284996c7390
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/bad-resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-ns-1
+ labels:
+ environment: production
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/chainsaw-test.yaml
new file mode 100644
index 000000000000..32fb2f26a290
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: different-configuration-for-actions
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: good-resources.yaml
+ - name: step-03
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resources.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/good-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/good-resources.yaml
new file mode 100644
index 000000000000..487bdbed1753
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/good-resources.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: good-ns-1
+ labels:
+ purpose: production
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: good-ns-2
+ labels:
+ purpose: production
+ environment: production
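Review bot: `step-03` only asserts `($error != null): true` on the apply of `bad-resources.yaml`, which any failure satisfies — a webhook timeout, a policy that is not yet serving, or a block by a different rule — not specifically a block by the `require-ns-purpose-label` Enforce rule that this corner case exists to check; the `two-rules-with-different-action` chainsaw-test added in this commit has the same check, though that test additionally asserts Events. Tightening the expectation to the rule name, e.g. `(contains($error, 'require-ns-purpose-label')): true`, pins the cause and also guards the inherited-Audit behaviour of the second rule, which nothing in this test observes. Since this test has no `events-assert.yaml`, the README's claim about which messages are reported for `bad-ns-2` is not verified anywhere.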
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy-assert.yaml
new file mode 100644
index 000000000000..3d14b530d703
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ns-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy.yaml
new file mode 100644
index 000000000000..bebcb945a38c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/different-configuration-for-actions/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ns-labels
+spec:
+ validationFailureAction: Audit
+ rules:
+ - name: require-ns-purpose-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ validationFailureAction: Enforce
+ message: "You must have label `purpose` with value `production` set on all new namespaces."
+ pattern:
+ metadata:
+ labels:
+ purpose: production
+ - name: require-ns-env-label
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ validate:
+ message: "You must have label `environment` with value `production` set on all new namespaces."
+ pattern:
+ metadata:
+ labels:
+ environment: production
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml
index a8140c18c8ae..7fb8105163de 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/psa-run-as-non-root/policy.yaml @@ -6,7 +6,6 @@ metadata: pod-policies.kyverno.io/autogen-controllers: none spec: background: true - validationFailureAction: Enforce rules: - name: restricted match: @@ -17,6 +16,7 @@ spec: namespaces: - default validate: + validationFailureAction: Enforce podSecurity: level: restricted version: v1.29 diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/README.md b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/README.md new file mode 100644 index 000000000000..43892dea2341 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/README.md 
@@ -0,0 +1,21 @@
+## Description
+
+This test ensures that a policy with two rules with different modes is applied correctly on resources.
+
+## Expected Behavior
+
+1. Create a policy that has two rules:
+ - The first rule is `require-ns-purpose-label` in the `Enforce` mode that requires the `purpose` label to be set on namespaces.
+ - The second rule is `require-ns-env-label` in the `Audit` mode that requires the `environment` field to be set on namespaces.
+
+2. Create a `good-ns-1` namespace that has the `purpose` label. It is expected that the namespace will be created successfully.
+
+3. Create a `good-ns-2` namespace that has both the `purpose` and `environment` labels. It is expected that the namespace will be created successfully.
+
+4. Create a `bad-ns-1` namespace that doesn't have the `purpose` label. It is expected that the namespace will be blocked with a message reporting the violation of the `require-ns-purpose-label` rule.
+
+5. Create a `bad-ns-2` namespace that doesn't have any labels. It is expected that the namespace will be blocked with messages reporting the violations of both rules.
+
+## Reference Issue(s)
+
+#10682
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/bad-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/bad-resources.yaml
new file mode 100644
index 000000000000..8284996c7390
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/bad-resources.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-ns-1
+ labels:
+ environment: production
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bad-ns-2
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/chainsaw-test.yaml
new file mode 100644
index 000000000000..f5c34cbf4994
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/chainsaw-test.yaml
@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: two-rules-with-different-action
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: good-resources.yaml
+ - name: step-03
+ try:
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad-resources.yaml
+ - name: step-04
+ try:
+ - assert:
+ file: events-assert.yaml
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/events-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/events-assert.yaml
new file mode 100644
index 000000000000..033ad9e418fd
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/events-assert.yaml
@@ -0,0 +1,77 @@ +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-ns-labels +message: 'Namespace good-ns-1: [require-ns-env-label] fail; validation error: You + must have label `environment` with value `production` set on all new namespaces. + rule require-ns-env-label failed at path /metadata/labels/environment/' +reason: PolicyViolation +related: + apiVersion: v1 + kind: Namespace + name: good-ns-1 +reportingComponent: kyverno-admission +type: Warning +action: Resource Passed +--- +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-ns-labels +message: 'Namespace good-ns-2: pass' +reason: PolicyApplied +related: + apiVersion: v1 + kind: Namespace + name: good-ns-2 +reportingComponent: kyverno-admission +type: Normal +action: Resource Passed +--- +apiVersion: v1 +kind: Event +metadata: + namespace: default +message: 'Namespace bad-ns-1: [require-ns-purpose-label] fail (blocked); validation + error: You must have label `purpose` with value `production` set on all new namespaces. + rule require-ns-purpose-label failed at path /metadata/labels/purpose/' +reason: PolicyViolation +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-ns-labels +related: + apiVersion: v1 + kind: Namespace + name: bad-ns-1 +reportingComponent: kyverno-admission +type: Warning +action: Resource Blocked +--- +apiVersion: v1 +kind: Event +metadata: + namespace: default +involvedObject: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: check-ns-labels +message: 'Namespace bad-ns-2: [require-ns-purpose-label] fail (blocked); validation + error: You must have label `purpose` with value `production` set on all new namespaces. 
+ rule require-ns-purpose-label failed at path /metadata/labels/purpose/'
+reason: PolicyViolation
+related:
+ apiVersion: v1
+ kind: Namespace
+ name: bad-ns-2
+reportingComponent: kyverno-admission
+type: Warning
+action: Resource Blocked
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/good-resources.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/good-resources.yaml
new file mode 100644
index 000000000000..487bdbed1753
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/good-resources.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: good-ns-1
+ labels:
+ purpose: production
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: good-ns-2
+ labels:
+ purpose: production
+ environment: production
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy-assert.yaml
new file mode 100644
index 000000000000..3d14b530d703
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-ns-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy.yaml
new file mode 100644
index 000000000000..0706a5b3dd67
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/two-rules-with-different-action/policy.yaml
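Review bot: The `bad-ns-2` Event in `events-assert.yaml` only asserts the `require-ns-purpose-label` block message, so the Audit-mode `require-ns-env-label` violation on that namespace — which this test's README says is reported alongside it — is not checked anywhere; if the engine folds it into the same Event `message` the assertion should include that text, and if it is a separate `PolicyViolation` Event a fourth document for it is needed. As a point of style, the `bad-ns-1` document orders `message`/`reason` before `involvedObject` while the other three put `involvedObject` first; key order does not affect matching, but aligning the four documents keeps them diffable. Because no `metadata.name` is given, each document matches any Event in `default` satisfying the partial spec, so the assertion is "at least one such Event exists" rather than an exact set.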
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-ns-labels +spec: + rules: + - name: require-ns-purpose-label + match: + any: + - resources: + kinds: + - Namespace + validate: + validationFailureAction: Enforce + message: "You must have label `purpose` with value `production` set on all new namespaces." + pattern: + metadata: + labels: + purpose: production + - name: require-ns-env-label + match: + any: + - resources: + kinds: + - Namespace + validate: + validationFailureAction: Audit + message: "You must have label `environment` with value `production` set on all new namespaces." + pattern: + metadata: + labels: + environment: production diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml index 6f0075b77732..027cd88fd746 100644 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: restrict-operations-on-pod spec: - validationFailureAction: Enforce background: true rules: - name: rule-1 @@ -13,6 +12,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Enforce cel: expressions: - expression: "false" diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml index b0a27bf77de6..1123785487bf 100644 --- a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate-yaml spec: - validationFailureAction: Enforce background: false rules: - name: validate-yaml @@ -13,6 +12,7 @@ spec: kinds: - Service validate: + validationFailureAction: Enforce manifests: attestors: - entries: 
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml index 755b343c2979..f670b248eef5 100644 --- a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml +++ b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml @@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: validate-yaml spec: - validationFailureAction: Enforce background: false rules: - name: validate-yaml @@ -13,6 +12,7 @@ spec: kinds: - Service validate: + validationFailureAction: Enforce manifests: attestors: - count: 1 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml index 53b79ca17386..f710f0d67827 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/cornercases/multiple-attestors/chainsaw-step-01-apply-1.yaml @@ -33,6 +33,7 @@ spec: mutateDigest: true required: true verifyDigest: true + validationFailureAction: Enforce - match: any: - resources: @@ -59,5 +60,5 @@ spec: mutateDigest: false required: true verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml index d361ec52ccd5..d25a23bafbdf 100755 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/configmap-context-lookup/chainsaw-step-01-apply-2.yaml 
@@ -32,4 +32,4 @@ spec: verifyImages: - image: '*' key: '{{ keys.data.org }}' - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml
index 1d643820140d..290d302bf0bb 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/empty-image/policy.yaml
@@ -35,5 +35,5 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml
index 2b7067296066..09c10a0cf0d3 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success-deprecated/policy.yaml
@@ -33,5 +33,5 @@ spec: ignoreTlog: true ctlog: ignoreSCT: true - validationFailureAction: Audit + validationFailureAction: Audit webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml
index 10a3818996ee..1fd9619da0ae 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml
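Review bot: After the `-deprecated` fixture's hunk here, no fixture in this diff still carries a spec-level `validationFailureAction`, so if the spec-level form is still accepted (retired rather than rejected) its fallback path is no longer exercised by conformance. This fixture, which differs from its `failure-policy-test-noconfigmap-diffimage-success` sibling in the next hunk only by keeping the legacy `webhookTimeoutSeconds` field instead of `webhookConfiguration`, looks like the natural place to keep one policy written in the spec-level form so both spellings stay covered. If the spec-level field is now rejected outright, a one-line comment in this fixture saying so would save the next reader from asking; I cannot tell from the diff which of the two applies.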
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml
@@ -32,7 +32,7 @@ spec: ignoreTlog: true ctlog: ignoreSCT: true - validationFailureAction: Audit + validationFailureAction: Audit webhookConfiguration: timeoutSeconds: 30 failurePolicy: Ignore
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml
index b5e0e3fc413b..297f6abd04e1 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex-keyless/policy.yaml
@@ -38,5 +38,5 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml
index a0d1272bb196..32e414350471 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-complex/policy.yaml
@@ -32,4 +32,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml
index b45ba79cb9ce..ade1c0c0fa74 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-none/policy.yaml
@@ -29,4 +29,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml
index 2e89d77ee3f5..a8d05d48ccf1 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/imageExtractors-simple/policy.yaml
@@ -29,4 +29,4 @@ spec: required: true useCache: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml
index 942cc6a54260..c6c8040c5aba 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic-namespace-selector/chainsaw-step-01-apply-3.yaml
@@ -32,5 +32,5 @@ spec: url: https://rekor.sigstore.dev imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml
index 727c09b992ec..a4fefc67bd54 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-basic/chainsaw-step-01-apply-2.yaml
@@ -26,5 +26,5 @@ spec: url: https://rekor.sigstore.dev imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml
index 6b92c397bd7b..5f39ff9cc574 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml
@@ -27,5 +27,5 @@ spec: imageReferences: - ghcr.io/kyverno/test-verify-image:* cosignOCI11: true - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml
index 3ac61b2c923b..093e05501e35 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-secret/chainsaw-step-01-apply-2.yaml
@@ -24,5 +24,5 @@ spec: namespace: test-verify-images imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml
index ca1f24ce90b4..7e6de3d2894b 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-tsa/chainsaw-step-01-apply-2.yaml
@@ -70,5 +70,5 @@ spec: -----END CERTIFICATE----- imageReferences: - ghcr.io/kyverno/test-verify-image:* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml
index 8d65e30c395f..5f1a1f046cf3 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestation-invalid-attestor/policy.yaml
@@ -6,7 +6,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce webhookTimeoutSeconds: 30 background: false rules:
@@ -17,7 +16,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Enforce + imageReferences: - "ghcr.io/chipzoller/zulu*" attestations: - type: https://slsa.dev/provenance/v0.2
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml
index f74d62ee3e47..556dd798376b 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-1/chainsaw-step-01-apply-1.yaml
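Review bot: In the keyless-attestation-invalid-attestor hunk (`@@ -17,7 +16,8 @@`) the rule-level `validationFailureAction: Enforce` is inserted as the first key of the verifyImages entry, which forces a rewrite of the `- imageReferences:` line, whereas the keyed fixtures above (keyed-basic-namespace-selector, keyed-basic, keyed-oci11, keyed-secret, keyed-tsa) append it after the existing keys, as do the notary-image-verification, rollback-image-verification and skip-image-reference hunks further down. The keyless-image-invalid-attestor and notary-attestation-verification hunks follow the first-key placement again. Settling on one position across the fixtures, appending it as the majority already does, would keep the field greppable at a consistent spot in every entry and avoid the unnecessary churn on each entry's first line.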
@@ -33,5 +33,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml
index 5fffbaf808b0..84fbaaa1913a 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-2/chainsaw-step-01-apply-1.yaml
@@ -33,5 +33,5 @@ spec: predicateType: cosign.sigstore.dev/attestation/vuln/v1 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml
index b820b47535dc..24507344a3fc 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-3/chainsaw-step-01-apply-1.yaml
@@ -33,5 +33,5 @@ spec: predicateType: cosign.sigstore.dev/attestation/vuln/v1 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml
index cf3307f8182d..4b3ebbe47b30 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-4/chainsaw-step-01-apply-1.yaml
@@ -24,4 +24,4 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml
index 05dfa87385c8..a938c04972c5 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-1/chainsaw-step-01-apply-1.yaml
@@ -41,5 +41,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml
index a0d23659dd01..e74fc35f0686 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-2/chainsaw-step-01-apply-1.yaml
@@ -41,5 +41,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml
index 6918b9e0cc21..e8e6896d046d 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-attestations-multiple-subjects-counts-3/chainsaw-step-01-apply-1.yaml
@@ -40,5 +40,5 @@ spec: predicateType: https://slsa.dev/provenance/v0.2 imageReferences: - ghcr.io/chipzoller/zulu* - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml
index 450d4c7034a4..87ea8d8d6a3a 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-image-invalid-attestor/policy.yaml
@@ -6,7 +6,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Enforce webhookTimeoutSeconds: 30 background: false rules:
@@ -17,7 +16,8 @@ spec: kinds: - Pod verifyImages: - - imageReferences: + - validationFailureAction: Enforce + imageReferences: - "ghcr.io/chipzoller/zulu:*" attestors: - count: 1
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml
index 64ab6c3f3c95..2e8ecfa4f0f8 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-mutatedigest-verifydigest-required/chainsaw-step-01-apply-1.yaml
@@ -25,5 +25,5 @@ spec: mutateDigest: true required: true verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml
index c64414d589b5..11666a4f0b15 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-norequired/chainsaw-step-01-apply-1.yaml
@@ -25,5 +25,5 @@ spec: mutateDigest: false required: false verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml
index 661d6f37e412..ceae28603654 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyless-nomutatedigest-noverifydigest-required/chainsaw-step-01-apply-1.yaml
@@ -25,5 +25,5 @@ spec: mutateDigest: false required: true verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml
index ad51cf21278c..70e90579c74c 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/mutateDigest-noverifyDigest-norequired/chainsaw-step-01-apply-1.yaml
@@ -16,5 +16,5 @@ spec: mutateDigest: true required: false verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml
index f2180b171a88..07c493fee356 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/policy.yaml
@@ -28,5 +28,5 @@ spec: - entries: - keys: publicKeys: '{{myconfigmap.data.configmapkey}}' - validationFailureAction: Audit + validationFailureAction: Audit webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml
index ac01c744bb90..20e86fc64389 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/noconfigmap-diffimage-success/update-policy.yaml
@@ -28,5 +28,5 @@ spec: - entries: - keys: publicKeys: '{{myconfigmap1.data.configmapkey}}' - validationFailureAction: Audit + validationFailureAction: Audit webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml
index b0431c4fde10..fefc197b9cdd 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/nomutateDigest-verifyDigest-norequired/chainsaw-step-01-apply-1.yaml
@@ -16,5 +16,5 @@ spec: mutateDigest: false required: false verifyDigest: true - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml
index 7109213e243f..a704bde92cf1 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-attestation-verification/policy.yaml
@@ -36,7 +36,6 @@ kind: ClusterPolicy metadata: name: check-image-attestation spec: - validationFailureAction: Enforce webhookTimeoutSeconds: 30 failurePolicy: Fail rules:
@@ -52,7 +51,8 @@ spec: name: keys namespace: notary-verify-attestation verifyImages: - - type: Notary + - validationFailureAction: Enforce + type: Notary imageReferences: - "ghcr.io/kyverno/test-verify-image*" attestations:
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml
index 0ec78cbc373a..0fd56037c6e6 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification-secret-from-policy/chainsaw-step-01-apply-3.yaml
@@ -28,5 +28,5 @@ spec: secrets: - regcred type: Notary - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml
index 05d6d6311c87..2bd389216e95 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/notary-image-verification/policy.yaml
@@ -36,7 +36,6 @@ kind: ClusterPolicy metadata: name: check-image-notary spec: - validationFailureAction: Enforce webhookTimeoutSeconds: 30 failurePolicy: Fail rules:
@@ -55,6 +54,7 @@ spec: - type: Notary imageReferences: - "ghcr.io/kyverno/test-verify-image*" + validationFailureAction: Enforce attestors: - count: 1 entries:
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml
index 297fdbfaae08..9de539b70fe4 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/rollback-image-verification/policy.yaml
@@ -8,7 +8,6 @@ kind: ClusterPolicy metadata: name: check-image spec: - validationFailureAction: Enforce background: false webhookTimeoutSeconds: 30 failurePolicy: Fail
@@ -22,6 +21,7 @@ spec: verifyImages: - imageReferences: - "ghcr.io/kyverno*" + validationFailureAction: Enforce attestors: - count: 1 entries:
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml
index 339878346c29..cf20a2047df0 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/skip-image-reference/policy.yaml
@@ -36,7 +36,6 @@ kind: ClusterPolicy metadata: name: verify-exclude-refs spec: - validationFailureAction: Enforce webhookTimeoutSeconds: 30 failurePolicy: Fail rules:
@@ -57,6 +56,7 @@ spec: - "ghcr.io/*" skipImageReferences: - "ghcr.io/chipzoller*" + validationFailureAction: Enforce attestors: - count: 1 entries:
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml
index 5a23716568fa..e86b47e35940 100644
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/update-multi-containers/policy.yaml
@@ -27,5 +27,5 @@ spec: mutateDigest: false required: true verifyDigest: false - validationFailureAction: Enforce + validationFailureAction: Enforce webhookTimeoutSeconds: 30
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml
index c74f309ac3ab..7bb7cd78d34a 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-audit/chainsaw-step-01-apply-2.yaml
@@ -6,7 +6,6 @@ spec: background: true failurePolicy: Fail webhookTimeoutSeconds: 30 - validationFailureAction: Audit rules: - match: any:
@@ -30,6 +29,7 @@ spec: - ghcr.io/kyverno/test-verify-image:* mutateDigest: false verifyDigest: false + validationFailureAction: Audit - name: require-ns-purpose-label match: any:
@@ -37,6 +37,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: "You must have label `purpose` with value `production` set on all new namespaces." pattern: metadata:
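Review bot: update-multi-containers/policy.yaml is left without a trailing newline (`\ No newline at end of file` on both sides) even though its hunk rewrites the line just before the end of the file; since the file is being touched anyway, terminating it with a newline would stop every future edit of the last line from showing up as a two-line change. The same applies to the five webhook-configurations fixtures in the hunks that follow (cpol-match-conditions-block, cpol-match-conditions-pass, match-conditions-standard, match-conditions-userinfo, webhook-registeration), where the removed spec-level line sits immediately before the final `failurePolicy: Ignore`.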
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml
index ae90f26f5f8f..e4b58c17107d 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-basic/chainsaw-step-01-apply-2.yaml
@@ -6,7 +6,6 @@ spec: background: true failurePolicy: Fail webhookTimeoutSeconds: 30 - validationFailureAction: Audit rules: - match: any:
@@ -30,4 +29,5 @@ spec: - ghcr.io/kyverno/test-verify-image:* mutateDigest: false verifyDigest: false + validationFailureAction: Audit
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml
index ae90f26f5f8f..e4b58c17107d 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/verify-image-background-existing/chainsaw-step-02-apply-1.yaml
@@ -6,7 +6,6 @@ spec: background: true failurePolicy: Fail webhookTimeoutSeconds: 30 - validationFailureAction: Audit rules: - match: any:
@@ -30,4 +29,5 @@ spec: - ghcr.io/kyverno/test-verify-image:* mutateDigest: false verifyDigest: false + validationFailureAction: Audit
diff --git a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml
index 723b37a4556b..a839c049351c 100644
--- a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml
+++ b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-block/policy.yaml
@@ -22,6 +22,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Enforce message: An image tag is required pattern: spec:
@@ -34,10 +35,10 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce failurePolicy: Ignore
\ No newline at end of file
diff --git a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml
index 178f3d593544..77ae41595ea5 100644
--- a/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml
+++ b/test/conformance/chainsaw/webhook-configurations/cpol-match-conditions-pass/policy.yaml
@@ -22,6 +22,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Enforce message: An image tag is required pattern: spec:
@@ -34,10 +35,10 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce failurePolicy: Ignore
\ No newline at end of file
diff --git a/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml b/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml
index 507f8e063a26..ddf7ecebcdd5 100644
--- a/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml
+++ b/test/conformance/chainsaw/webhook-configurations/match-conditions-standard/policy.yaml
@@ -19,6 +19,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Enforce message: An image tag is required pattern: spec:
@@ -31,10 +32,10 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce failurePolicy: Ignore
\ No newline at end of file
diff --git a/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml b/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml
index d59f928dca10..6fd58805c964 100644
--- a/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml
+++ b/test/conformance/chainsaw/webhook-configurations/match-conditions-userinfo/policy.yaml
@@ -21,6 +21,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Enforce message: An image tag is required pattern: spec:
@@ -33,10 +34,10 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce failurePolicy: Ignore
\ No newline at end of file
diff --git a/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml b/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml
index 8404cb2216fb..aa3fa097726c 100644
--- a/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml
+++ b/test/conformance/chainsaw/webhook-configurations/webhook-registeration/policy.yaml
@@ -20,6 +20,7 @@ spec: - Pod name: require-image-tag validate: + validationFailureAction: Enforce message: An image tag is required pattern: spec:
@@ -32,10 +33,10 @@ spec: - Pod name: validate-image-tag validate: + validationFailureAction: Enforce message: Using a mutable image tag e.g. 'latest' is not allowed pattern: spec: containers: - image: '!*:latest' - validationFailureAction: Enforce failurePolicy: Ignore
\ No newline at end of file
diff --git a/test/conformance/chainsaw/webhooks/all-scale/policy.yaml b/test/conformance/chainsaw/webhooks/all-scale/policy.yaml
index 292f5ba0b872..a749f0c98b59 100644
--- a/test/conformance/chainsaw/webhooks/all-scale/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/all-scale/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - '*/scale' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml b/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml
index ce9f80c1e305..7c61ceb47e6d 100644
--- a/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/clusterpolicy/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - '*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml b/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml
index 92d84826be1a..951931822958 100644
--- a/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/double-wildcard/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - '*/*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml
index 8e4bb6e9962f..7f5f8b8fc897 100644
--- a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml
+++ b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy-01.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -17,6 +16,7 @@ spec: operations: - CREATE validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml
index 8e4bb6e9962f..7f5f8b8fc897 100644
--- a/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/dyn-op-validate-and-mutate/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -17,6 +16,7 @@ spec: operations: - CREATE validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml
index 71dc17c05bde..c442cf70c364 100644
--- a/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml
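Review bot: dyn-op-validate-and-mutate/policy-01.yaml and dyn-op-validate-and-mutate/policy.yaml show the same blob hashes before and after the change (`index 8e4bb6e9962f..7f5f8b8fc897` on both file headers), so the two files are byte-identical and this migration is being carried out twice on one policy. The directory name suggests a separate mutating policy was meant to sit next to the validating one, which a verbatim copy does not provide; I cannot see the chainsaw test from here, so it may be that only one of the files is referenced and the other is a leftover, or that both are applied and the second apply simply overwrites the same `metadata.name`. Either way one of the two should go, or the copy should become the mutate policy the test name promises. The identical hash pair also appears on dyn-op-validate/policy.yaml, which is a different test directory and is fine to leave as is.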
+++ b/test/conformance/chainsaw/webhooks/dyn-op-validate-multiple/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -20,6 +19,7 @@ spec: operations: - DELETE validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
@@ -33,7 +33,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-match
@@ -45,6 +44,7 @@ spec: operations: - CREATE validate: + validationFailureAction: Audit message: 'The label `match` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml b/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml
index 8e4bb6e9962f..7f5f8b8fc897 100644
--- a/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/dyn-op-validate/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -17,6 +16,7 @@ spec: operations: - CREATE validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/only-pod/policy.yaml b/test/conformance/chainsaw/webhooks/only-pod/policy.yaml
index 8349e314ecc0..6ff29ed068dc 100644
--- a/test/conformance/chainsaw/webhooks/only-pod/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/only-pod/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - Pod validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml b/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml
index 2faf58589016..5fc38af611e3 100644
--- a/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/pod-all-subresources/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - Pod/* validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml b/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml
index 80b7e1bfce0e..8e86a3f95f31 100644
--- a/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml
@@ -18,4 +18,3 @@ spec: path: "/command/0" value: "bash" name: std-shell-replace - validationFailureAction: Audit
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml
index 9028c9511c1a..635d737a1058 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-1.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - 'CustomResourceDefinition' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml
index bec3ea8a72b5..1100d8fc2144 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-different-resource-group/policy-2.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - 'ConfigMap' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml
index 1ec38d8f1800..42efff177029 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-clusterscoped-resources/clusterpolicy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -16,6 +15,7 @@ spec: - 'ConfigMap' - 'CustomResourceDefinition' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml
index c8ff72949e20..6cb24c796827 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/clusterpolicy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - 'ConfigMap' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml
index 78bebbcb69a6..9fcbad1a0db1 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-namespaced-resources/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - 'Secret' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml
index c8ff72949e20..6cb24c796827 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/clusterpolicy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - 'ConfigMap' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml
index 7f8e05495964..3a8073437f2d 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-same-resource/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - 'ConfigMap' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml
index ce9f80c1e305..7c61ceb47e6d 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/clusterpolicy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - '*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml
index d0975a89f4ae..2d58a039021f 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterpolicy-wildcard-resource/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - '*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml
index f7711bd6feaa..150b643e560a 100644
--- a/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-clusterscope-resource/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - 'CustomResourceDefinition' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml
index ca237157c69b..d4cd9e81b111 100644
--- a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-1.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - 'Deployment' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml
index bec3ea8a72b5..1100d8fc2144 100644
--- a/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-different-resource-group/policy-2.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - 'ConfigMap' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml
index ce9f80c1e305..7c61ceb47e6d 100644
--- a/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy-wildcard-resource/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - '*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/policy/policy.yaml b/test/conformance/chainsaw/webhooks/policy/policy.yaml
index d0975a89f4ae..2d58a039021f 100644
--- a/test/conformance/chainsaw/webhooks/policy/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/policy/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - '*' validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/scale/policy.yaml b/test/conformance/chainsaw/webhooks/scale/policy.yaml
index bd4a502ad9b1..8ea3b6dd9a9d 100644
--- a/test/conformance/chainsaw/webhooks/scale/policy.yaml
+++ b/test/conformance/chainsaw/webhooks/scale/policy.yaml
@@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - validationFailureAction: Audit background: false rules: - name: require-team
@@ -15,6 +14,7 @@ spec: kinds: - Scale validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml
index 5a6be035504c..05f5aecfa4c0 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-1.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: unknown spec: - validationFailureAction: Audit background: false rules: - name: unknown
@@ -13,6 +12,7 @@ spec: kinds: - Foo validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml
index 7d0cf31fc565..e658e6658a1f 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-2.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: unknown spec: - validationFailureAction: Audit background: false rules: - name: unknown
@@ -13,6 +12,7 @@ spec: kinds: - Foo/* validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml
index 57d255ae5b96..f3fa8dde6e89 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-3.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: unknown spec: - validationFailureAction: Audit background: false rules: - name: unknown
@@ -13,6 +12,7 @@ spec: kinds: - v2/Pod validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata:
diff --git a/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml b/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml
index f77bc622c6f8..28d8aa6dc23b 100644
--- a/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml
+++ b/test/conformance/chainsaw/webhooks/unknown-kind/policy-4.yaml
@@ -3,7 +3,6 @@ kind: ClusterPolicy metadata: name: unknown spec: - validationFailureAction: Audit background: false rules: - name: unknown
@@ -13,6 +12,7 @@ spec: kinds: - Pod/foo validate: + validationFailureAction: Audit message: 'The label `team` is required.' pattern: metadata: