chore: added chainsaw tests for backport

Signed-off-by: Ved Ratan <[email protected]>

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/README.md

@@ -0,0 +1,13 @@
+## Description
+
+This test mainly verifies that an enforce validate policy blocks changes in old objects that were present before policy was created when `allowExistingViolations` is set to `false`
+
+## Expected Behavior
+
+1. A bad pod is created that violates the policy.
+2. The policy is applied.
+3. Violating changes in bad pod causes error becuase `allowExistingViolations` is set to `false`
+
+## Reference Issue(s)
+
+10084

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-ready.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod-allow-existing
+  namespace: default

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-update-test.sh

@@ -0,0 +1,8 @@
+if kubectl label po badpod-allow-existing foo=bad1 --overwrite 2>&1 | grep -q  "validation error: rule check-labels" 
+then 
+  echo "Test succeed, updating violating preexisting resource does throw error"
+  exit 0
+else 
+  echo "Test failed, updating violating preexisting resource should throw error"
+  exit 1
+fi

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod-allow-existing
+  namespace: default
+  labels:
+    foo: bad
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+    args:
+    - sleep
+    - 1d

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/chainsaw-test.yaml

@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: enforce-validate-existing
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: bad-pod.yaml
+    - assert:
+        file: bad-pod-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-03
+    try:
+    - script:
+        content: ./bad-pod-update-test.sh
+        timeout: 30s
+

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy-ready.yaml

@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-labels-allow-existing

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-labels-allow-existing
+spec:
+  background: true
+  rules:
+    - name: check-labels
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        failureAction: Enforce
+        allowExistingViolations: false
+        deny:
+          conditions:
+            any:
+            - key: "{{ request.object.metadata.labels.foo || '' }}"
+              operator: NotEquals
+              value: 'bar'

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/README.md

@@ -0,0 +1,15 @@
+## Description
+
+This test mainly verifies that an enforce validate policy does not block changes in old objects that were present before policy was created
+
+## Expected Behavior
+
+1. A pod is created that violates the policy.
+2. The policy is applied.
+3. A pod is created that follows the policy.
+4. Violating changes on bad pad does not cause error.
+5. Violating changes in good pod causes error.
+6. The bad pod once passed the policy, will be tracked by the policy and return error on bad changes.
+## Reference Issue(s)
+
+8837

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-ready.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod-deny
+  namespace: default

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-update-test.sh

@@ -0,0 +1,8 @@
+if kubectl label po badpod-deny foo=bad1 --overwrite 2>&1 | grep -q  "validation error: rule check-labels" 
+then 
+  echo "Test failed, updating violating preexisting resource should not throw error"
+  exit 1
+else 
+  echo "Test succeed, updating violating preexisting resource does not throw error"
+  exit 0
+fi

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod-deny
+  namespace: default
+  labels:
+    foo: bad
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+    args:
+    - sleep
+    - 1d

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/chainsaw-test.yaml

@@ -0,0 +1,40 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: enforce-validate-existing
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: bad-pod.yaml
+    - assert:
+        file: bad-pod-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: good-pod.yaml
+    - assert:
+        file: good-pod-ready.yaml
+  - name: step-04
+    try:
+    - script:
+        content: ./bad-pod-update-test.sh
+        timeout: 30s
+  - name: step-05
+    try:
+    - script:
+        content: ./good-pod-update-test.sh
+        timeout: 30s
+  - name: step-06
+    try:
+    - script:
+        content: ./update-bad-pod-to-comply.sh
+        timeout: 30s

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-ready.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod-deny
+  namespace: default

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-update-test.sh

@@ -0,0 +1,8 @@
+if kubectl label po goodpod-deny foo=bad1 --overwrite 2>&1 | grep -q  "validation error: rule check-labels" 
+then 
+  echo "Test succeed, updating violating resource throws error"
+  exit 0
+else 
+  echo "Test failed, updating violating resource did not throw error"
+  exit 1
+fi

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod-deny
+  namespace: default
+  labels:
+    foo: bar
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+    args:
+    - sleep
+    - 1d

test/conformance/chainsaw/assert/allow-existing-violations/policy-ready.yaml → test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy-ready.yaml

@@ -1,4 +1,4 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: check-old-object
+  name: check-labels-deny

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-labels-deny
+spec:
+  background: true
+  rules:
+    - name: check-labels
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        failureAction: Enforce
+        deny:
+          conditions:
+            any:
+            - key: "{{ request.object.metadata.labels.foo || '' }}"
+              operator: NotEquals
+              value: 'bar'

test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/update-bad-pod-to-comply.sh

@@ -0,0 +1,9 @@
+kubectl label po badpod-deny foo=bar --overwrite
+if kubectl label po badpod-deny foo=bad1 --overwrite 2>&1 | grep -q  "validation error: rule check-labels" 
+then 
+  echo "Test succeed, updating violating resource throws error"
+  exit 0
+else 
+  echo "Test failed, updating violating resource did not throw error"
+  exit 1
+fi