diff --git a/pkg/policy/load_test.go b/pkg/policy/load_test.go
new file mode 100644
index 00000000..380475e1
--- /dev/null
+++ b/pkg/policy/load_test.go
@@ -0,0 +1,126 @@
+package policy
+
+import (
+ "path/filepath"
+ "testing"
+
+ "github.com/kyverno/kyverno-json/pkg/apis/v1alpha1"
+ "github.com/stretchr/testify/require"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestLoad(t *testing.T) {
+ basePath := "../../test/policy"
+ tests := []struct {
+ name string
+ path string
+ want []*v1alpha1.ValidatingPolicy
+ wantErr bool
+ }{{
+ name: "confimap",
+ path: filepath.Join(basePath, "configmap.yaml"),
+ wantErr: true,
+ }, {
+ name: "not found",
+ path: filepath.Join(basePath, "not-found.yaml"),
+ wantErr: true,
+ }, {
+ name: "empty",
+ path: filepath.Join(basePath, "empty.yaml"),
+ wantErr: false,
+ }, {
+ name: "no spec",
+ path: filepath.Join(basePath, "no-spec.yaml"),
+ wantErr: true,
+ }, {
+ name: "no rules",
+ path: filepath.Join(basePath, "no-rules.yaml"),
+ wantErr: true,
+ }, {
+ name: "invalid rule",
+ path: filepath.Join(basePath, "bad-rule.yaml"),
+ wantErr: true,
+ }, {
+ name: "rule name missing",
+ path: filepath.Join(basePath, "rule-name-missing.yaml"),
+ wantErr: true,
+ }, {
+ name: "ok",
+ path: filepath.Join(basePath, "ok.yaml"),
+ want: []*v1alpha1.ValidatingPolicy{{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "json.kyverno.io/v1alpha1",
+ Kind: "ValidatingPolicy",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test",
+ },
+ Spec: v1alpha1.ValidatingPolicySpec{
+ Rules: []v1alpha1.ValidatingRule{{
+ Name: "pod-no-latest",
+ Match: &v1alpha1.Match{
+ Any: []v1alpha1.Any{{
+ Value: map[string]interface{}{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ },
+ }},
+ },
+ Assert: &v1alpha1.Assert{
+ All: []v1alpha1.Assertion{{
+ Check: v1alpha1.Any{
+ Value: map[string]interface{}{
+ "spec": map[string]interface{}{
+ "~foo.containers->foos": map[string]interface{}{
+ "(at($foos, $foo).image)->foo": map[string]interface{}{
+ "(contains($foo, ':'))": true,
+ "(ends_with($foo, ':latest'))": false,
+ },
+ },
+ },
+ },
+ },
+ }},
+ },
+ }},
+ },
+ }},
+ }, {
+ name: "multiple",
+ path: 
filepath.Join(basePath, "multiple.yaml"),
+ want: []*v1alpha1.ValidatingPolicy{{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "json.kyverno.io/v1alpha1",
+ Kind: "ValidatingPolicy",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-1",
+ },
+ Spec: v1alpha1.ValidatingPolicySpec{
+ Rules: []v1alpha1.ValidatingRule{},
+ },
+ }, {
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "json.kyverno.io/v1alpha1",
+ Kind: "ValidatingPolicy",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-2",
+ },
+ Spec: v1alpha1.ValidatingPolicySpec{
+ Rules: []v1alpha1.ValidatingRule{},
+ },
+ }},
+ }}
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got, err := Load(tt.path)
+ if tt.wantErr {
+ require.Error(t, err)
+ } else {
+ require.NoError(t, err)
+ }
+ require.Equal(t, tt.want, got)
+ })
+ }
+}
diff --git a/test/policy/bad-rule.yaml b/test/policy/bad-rule.yaml
new file mode 100644
index 00000000..e01e2aaa
--- /dev/null
+++ b/test/policy/bad-rule.yaml
@@ -0,0 +1,22 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test
+spec:
+ rules:
+ - name: pod-no-latest
+ # matches instead of match
+ matches:
+ any:
+ - apiVersion: v1
+ kind: Pod
+ assert:
+ all:
+ - check:
+ spec:
+ ~foo.containers->foos:
+ (at($foos, $foo).image)->foo:
+ # an image tag is required
+ (contains($foo, ':')): true
+ # using a mutable image tag e.g. 'latest' is not allowed
+ (ends_with($foo, ':latest')): false
\ No newline at end of file
diff --git a/test/policy/configmap.yaml b/test/policy/configmap.yaml
new file mode 100644
index 00000000..a1d88436
--- /dev/null
+++ b/test/policy/configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: default
+data:
+ foo: bar
\ No newline at end of file
diff --git a/test/policy/empty.yaml b/test/policy/empty.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/test/policy/multiple.yaml b/test/policy/multiple.yaml
new file mode 100644
index 00000000..29b5dab1
--- /dev/null
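Review bot: The error cases in the `tests` table of `TestLoad` only assert `require.Error(t, err)`, so a fixture that fails for the wrong reason still passes: a mistyped path for `bad-rule.yaml`, for instance, would behave exactly like the `not found` case, and the rejection of the unknown `matches` field that the fixture exists to exercise would go untested. Consider pinning the cause, e.g. a `wantErrContains string` field checked with `require.ErrorContains(t, err, tt.wantErrContains)`. Separately, the `multiple` case appears to pin that `rules: []` loads successfully while `no rules` (`spec: {}`) is rejected; a policy that loads but enforces nothing deserves a comment saying whether that asymmetry is intended, such as `// an explicit empty rule list is accepted; only an absent rules field is an error`. There is also no case for a multi-document file in which one document is invalid, which would document whether `Load` fails the whole file or silently drops a policy. The case name `confimap` looks like a typo for `configmap`.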
+++ b/test/policy/multiple.yaml
@@ -0,0 +1,13 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test-1
+spec:
+ rules: []
+---
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test-2
+spec:
+ rules: []
diff --git a/test/policy/no-rules.yaml b/test/policy/no-rules.yaml
new file mode 100644
index 00000000..173604b4
--- /dev/null
+++ b/test/policy/no-rules.yaml
@@ -0,0 +1,5 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test
+spec: {}
diff --git a/test/policy/no-spec.yaml b/test/policy/no-spec.yaml
new file mode 100644
index 00000000..411dabe4
--- /dev/null
+++ b/test/policy/no-spec.yaml
@@ -0,0 +1,4 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test
diff --git a/test/policy/ok.yaml b/test/policy/ok.yaml
new file mode 100644
index 00000000..3ee779a9
--- /dev/null
+++ b/test/policy/ok.yaml
@@ -0,0 +1,21 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test
+spec:
+ rules:
+ - name: pod-no-latest
+ match:
+ any:
+ - apiVersion: v1
+ kind: Pod
+ assert:
+ all:
+ - check:
+ spec:
+ ~foo.containers->foos:
+ (at($foos, $foo).image)->foo:
+ # an image tag is required
+ (contains($foo, ':')): true
+ # using a mutable image tag e.g. 'latest' is not allowed
+ (ends_with($foo, ':latest')): false
\ No newline at end of file
diff --git a/test/policy/rule-name-missing.yaml b/test/policy/rule-name-missing.yaml
new file mode 100644
index 00000000..164e7afa
--- /dev/null
+++ b/test/policy/rule-name-missing.yaml
@@ -0,0 +1,20 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test
+spec:
+ rules:
+ - match:
+ any:
+ - apiVersion: v1
+ kind: Pod
+ assert:
+ all:
+ - check:
+ spec:
+ ~foo.containers->foos:
+ (at($foos, $foo).image)->foo:
+ # an image tag is required
+ (contains($foo, ':')): true
+ # using a mutable image tag e.g. 'latest' is not allowed
+ (ends_with($foo, ':latest')): false
\ No newline at end of file