From 3dba66c14ee787afe9a8372c82f78b9e990ad425 Mon Sep 17 00:00:00 2001 From: Ved Ratan Date: Wed, 18 Sep 2024 17:11:28 +0530 Subject: [PATCH] chore: added chainsaw tests for backport 
Signed-off-by: Ved Ratan --- .../allow-existing-violations/README.md | 11 ----- .../chainsaw-test.yaml | 34 -------------- .../allow-existing-violations/ns-ready.yaml | 7 --- .../ns-update-bad.yaml | 7 --- .../ns-update-good.yaml | 7 --- .../allow-existing-violations/ns-update.yaml | 7 --- .../assert/allow-existing-violations/ns.yaml | 7 --- .../allow-existing-violations/policy.yaml | 35 --------------- .../README.md | 13 ++++++ .../bad-pod-ready.yaml | 5 +++ .../bad-pod-update-test.sh | 8 ++++ .../bad-pod.yaml | 14 ++++++ .../chainsaw-test.yaml | 25 +++++++++++ .../policy-ready.yaml | 4 ++ .../policy.yaml | 22 +++++++++ .../enforce-validate-existing-deny/README.md | 15 +++++++ .../bad-pod-ready.yaml | 5 +++ .../bad-pod-update-test.sh | 8 ++++ .../bad-pod.yaml | 14 ++++++ .../chainsaw-test.yaml | 40 +++++++++++++++++ .../good-pod-ready.yaml | 5 +++ .../good-pod-update-test.sh | 8 ++++ .../good-pod.yaml | 14 ++++++ .../policy-ready.yaml | 2 +- .../policy.yaml | 21 +++++++++ .../update-bad-pod-to-comply.sh | 9 ++++ .../enforce-validate-existing-pss/README.md | 17 +++++++ .../bad-deploy-ready.yaml | 6 +++ .../bad-deploy-update-comply.yaml | 41 +++++++++++++++++ .../bad-deploy-update-remove-comply.yaml | 40 +++++++++++++++++ .../bad-deploy-update.yaml | 35 +++++++++++++++ .../bad-deploy.yaml | 39 ++++++++++++++++ .../chainsaw-test.yaml | 45 +++++++++++++++++++ .../good-deploy-ready.yaml | 6 +++ .../good-deploy-update.yaml | 40 +++++++++++++++++ .../good-deploy.yaml | 42 +++++++++++++++++ .../policy-ready.yaml | 4 ++ .../enforce-validate-existing-pss/policy.yaml | 19 ++++++++ .../enforce-validate-existing/README.md | 15 +++++++ .../bad-pod-ready.yaml | 5 +++ .../bad-pod-update-test.sh | 8 ++++ .../enforce-validate-existing/bad-pod.yaml | 14 ++++++ .../chainsaw-test.yaml | 40 +++++++++++++++++ .../good-pod-ready.yaml | 5 +++ .../good-pod-update-test.sh | 8 ++++ .../enforce-validate-existing/good-pod.yaml | 14 ++++++ .../policy-ready.yaml | 4 ++ 
.../enforce-validate-existing/policy.yaml | 19 ++++++++ .../update-bad-pod-to-comply.sh | 9 ++++ 49 files changed, 706 insertions(+), 116 deletions(-) delete mode 100644 test/conformance/chainsaw/assert/allow-existing-violations/README.md delete mode 100644 test/conformance/chainsaw/assert/allow-existing-violations/chainsaw-test.yaml delete mode 100644 test/conformance/chainsaw/assert/allow-existing-violations/ns-ready.yaml delete mode 100644 test/conformance/chainsaw/assert/allow-existing-violations/ns-update-bad.yaml delete mode 100644 test/conformance/chainsaw/assert/allow-existing-violations/ns-update-good.yaml delete mode 100644 test/conformance/chainsaw/assert/allow-existing-violations/ns-update.yaml delete mode 100644 test/conformance/chainsaw/assert/allow-existing-violations/ns.yaml delete mode 100644 test/conformance/chainsaw/assert/allow-existing-violations/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-ready.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-update-test.sh create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy-ready.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy.yaml create mode 100644 
test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-ready.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-update-test.sh create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-ready.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-update-test.sh create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod.yaml rename test/conformance/chainsaw/{assert/allow-existing-violations => validate/clusterpolicy/enforce/enforce-validate-existing-deny}/policy-ready.yaml (68%) create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/update-bad-pod-to-comply.sh create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-ready.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-comply.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-remove-comply.yaml create mode 100644 
test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-ready.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-update.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy-ready.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/README.md create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-ready.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-update-test.sh create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-ready.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-update-test.sh create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod.yaml create mode 100644 
test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy-ready.yaml create mode 100644 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy.yaml create mode 100755 test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/update-bad-pod-to-comply.sh diff --git a/test/conformance/chainsaw/assert/allow-existing-violations/README.md b/test/conformance/chainsaw/assert/allow-existing-violations/README.md deleted file mode 100644 index 1701aff0cc6c..000000000000 --- a/test/conformance/chainsaw/assert/allow-existing-violations/README.md +++ /dev/null @@ -1,11 +0,0 @@ -## Description - -This test ensures that request.oldObject is not null on UPDATE operations when there are multiple rules in a policy. - -## Expected Behavior - -The namespace update operation is allowed. - -## Reference Issue(s) - -https://github.com/kyverno/kyverno/issues/9885 \ No newline at end of file diff --git a/test/conformance/chainsaw/assert/allow-existing-violations/chainsaw-test.yaml b/test/conformance/chainsaw/assert/allow-existing-violations/chainsaw-test.yaml deleted file mode 100644 index b8850a7bb5d4..000000000000 --- a/test/conformance/chainsaw/assert/allow-existing-violations/chainsaw-test.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - creationTimestamp: null - name: check-old-object -spec: - steps: - - name: step-01 - try: - - create: - file: ns.yaml - - assert: - file: ns-ready.yaml - - name: step-02 - try: - - create: - file: policy.yaml - - assert: - file: policy-ready.yaml - - name: step-03 - try: - - update: - file: ns-update.yaml - - name: step-04 - try: - - update: - file: ns-update-good.yaml - - name: step-05 - try: - - update: - file: ns-update-bad.yaml - expect: - - check: - ($error != null): true \ No newline at end of file 
diff --git a/test/conformance/chainsaw/assert/allow-existing-violations/ns-ready.yaml b/test/conformance/chainsaw/assert/allow-existing-violations/ns-ready.yaml deleted file mode 100644 index bea450097731..000000000000 --- a/test/conformance/chainsaw/assert/allow-existing-violations/ns-ready.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: test - labels: - kubernetes.io/metadata.name: test - size: unknown \ No newline at end of file diff --git a/test/conformance/chainsaw/assert/allow-existing-violations/ns-update-bad.yaml b/test/conformance/chainsaw/assert/allow-existing-violations/ns-update-bad.yaml deleted file mode 100644 index 54f71928db34..000000000000 --- a/test/conformance/chainsaw/assert/allow-existing-violations/ns-update-bad.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: test - labels: - kubernetes.io/metadata.name: test - size: bad \ No newline at end of file diff --git a/test/conformance/chainsaw/assert/allow-existing-violations/ns-update-good.yaml b/test/conformance/chainsaw/assert/allow-existing-violations/ns-update-good.yaml deleted file mode 100644 index f1b3a6b105d3..000000000000 --- a/test/conformance/chainsaw/assert/allow-existing-violations/ns-update-good.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: test - labels: - kubernetes.io/metadata.name: test - size: large \ No newline at end of file diff --git a/test/conformance/chainsaw/assert/allow-existing-violations/ns-update.yaml b/test/conformance/chainsaw/assert/allow-existing-violations/ns-update.yaml deleted file mode 100644 index 0f0016f3021b..000000000000 --- a/test/conformance/chainsaw/assert/allow-existing-violations/ns-update.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: test - labels: - kubernetes.io/metadata.name: test - size: extralarge \ No newline at end of file 
diff --git a/test/conformance/chainsaw/assert/allow-existing-violations/ns.yaml b/test/conformance/chainsaw/assert/allow-existing-violations/ns.yaml deleted file mode 100644 index bea450097731..000000000000 --- a/test/conformance/chainsaw/assert/allow-existing-violations/ns.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: test - labels: - kubernetes.io/metadata.name: test - size: unknown \ No newline at end of file diff --git a/test/conformance/chainsaw/assert/allow-existing-violations/policy.yaml b/test/conformance/chainsaw/assert/allow-existing-violations/policy.yaml deleted file mode 100644 index 030d72678606..000000000000 --- a/test/conformance/chainsaw/assert/allow-existing-violations/policy.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: check-old-object -spec: - background: false - rules: - - name: require-labels - match: - all: - - resources: - operations: - - CREATE - - UPDATE - kinds: - - Namespace - context: - - name: small - variable: - value: small - - name: medium - variable: - value: medium - - name: large - variable: - value: large - validate: - failureAction: Enforce - message: "The label `size` is required" - assert: - object: - metadata: - labels: - size: - (@ == $small || @ == $medium || @ == $large): true \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/README.md b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/README.md new file mode 100644 index 000000000000..d91e5186229a --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/README.md 
@@ -0,0 +1,13 @@
+## Description
+
+This test mainly verifies that an enforce validate policy blocks changes in old objects that were present before policy was created when `allowExistingViolations` is set to `false`
+
+## Expected Behavior
+
+1. A bad pod is created that violates the policy.
+2. The policy is applied.
+3. Violating changes in bad pod causes error becuase `allowExistingViolations` is set to `false`
+
+## Reference Issue(s)
+
+10084
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-ready.yaml
new file mode 100644
index 000000000000..8121c350a433
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-allow-existing
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-update-test.sh
new file mode 100755
index 000000000000..80f311769b1a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po badpod-allow-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating preexisting resource does throw error"
+ exit 0
+else
+ echo "Test failed, updating violating preexisting resource should throw error"
+ exit 1
+fi
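Review bot: The `kubectl label` call in bad-pod-update-test.sh names no namespace, so it relies on the kubeconfig's current-context namespace being `default`, the namespace the bad-pod.yaml fixture pins; if the CI kubeconfig or chainsaw points elsewhere the pod is simply not found and the test fails for a reason unrelated to the policy. Pass it explicitly: `if kubectl label po badpod-allow-existing -n default foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"`. The same omission is in good-pod-update-test.sh and update-bad-pod-to-comply.sh later in this patch. The scripts are installed 0755 but carry no shebang; a `#!/bin/sh` first line would document which interpreter chainsaw's `script` step is expected to use.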
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod.yaml new file mode 100644 index 000000000000..1a80a58bac28 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod-allow-existing + namespace: default + labels: + foo: bad +spec: + containers: + - name: container01 + image: busybox:1.35 + args: + - sleep + - 1d diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/chainsaw-test.yaml new file mode 100755 index 000000000000..f992a75aeb1c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/chainsaw-test.yaml @@ -0,0 +1,25 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: enforce-validate-existing +spec: + steps: + - name: step-01 + try: + - apply: + file: bad-pod.yaml + - assert: + file: bad-pod-ready.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - script: + content: ./bad-pod-update-test.sh + timeout: 30s + diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy-ready.yaml new file mode 100644 index 000000000000..217cca6ae5b7 --- /dev/null 
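Review bot: This chainsaw-test.yaml sets `metadata.name: enforce-validate-existing`, and the deny and pss tests added later in the patch use the identical name although each lives in a directory named after its own scenario. If chainsaw keys its report entries or generated namespaces by test name, the three runs become hard to tell apart in the output; a failure would read the same for all of them. Rename each to match its directory, here `name: enforce-validate-existing-allow-existing-violations`, and `enforce-validate-existing-deny` / `enforce-validate-existing-pss` for the other two.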
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy-ready.yaml
@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-allow-existing
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy.yaml
new file mode 100644
index 000000000000..d6a44b304f41
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-allow-existing
+spec:
+ background: true
+ rules:
+ - name: check-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ failureAction: Enforce
+ allowExistingViolations: false
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.metadata.labels.foo || '' }}"
+ operator: NotEquals
+ value: 'bar'
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/README.md b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/README.md
new file mode 100644
index 000000000000..b80a44599252
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/README.md
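Review bot: The ClusterPolicy's match block lists `kinds: - Pod` with no namespace restriction, so while this test runs every Pod create or update in the cluster (outside whatever Kyverno's resource filters exclude) is denied with `failureAction: Enforce` unless it carries `foo=bar`; if the conformance suite runs tests in parallel, pods created by unrelated tests in their own namespaces will be rejected by this rule. The fixtures all live in `default`, so the rule can be scoped without weakening the test: add `namespaces:` / `- default` under `resources:`. The deny policy later in the patch has the same unscoped match.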
@@ -0,0 +1,15 @@
+## Description
+
+This test mainly verifies that an enforce validate policy does not block changes in old objects that were present before policy was created
+
+## Expected Behavior
+
+1. A pod is created that violates the policy.
+2. The policy is applied.
+3. A pod is created that follows the policy.
+4. Violating changes on bad pad does not cause error.
+5. Violating changes in good pod causes error.
+6. The bad pod once passed the policy, will be tracked by the policy and return error on bad changes.
+## Reference Issue(s)
+
+8837
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-ready.yaml
new file mode 100644
index 000000000000..bc6248a74045
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-deny
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-update-test.sh
new file mode 100755
index 000000000000..a5d61cb12f35
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po badpod-deny foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test failed, updating violating preexisting resource should not throw error"
+ exit 1
+else
+ echo "Test succeed, updating violating preexisting resource does not throw error"
+ exit 0
+fi
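Review bot: In this bad-pod-update-test.sh the passing branch is the `else` of a `grep -q` on kubectl's combined output, so any kubectl failure that does not carry the policy message — API server unreachable, `badpod-deny` not found because the current-context namespace is not `default`, an RBAC denial — prints "Test succeed" and exits 0. The test therefore cannot distinguish "the update was admitted" from "the update never reached the admission webhook", which is exactly the regression it is meant to catch. Check kubectl's exit status separately from the message match, and include the output in the failure message so a wrong-reason rejection is visible in the chainsaw log.
```shell
out=$(kubectl label po badpod-deny -n default foo=bad1 --overwrite 2>&1)
rc=$?
if [ "$rc" -ne 0 ] || printf '%s\n' "$out" | grep -q "validation error: rule check-labels"
then
  echo "Test failed, updating violating preexisting resource should not throw error: $out"
  exit 1
else
  echo "Test succeed, updating violating preexisting resource does not throw error"
  exit 0
fi
```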
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod.yaml new file mode 100644 index 000000000000..ca1e01c4f3d3 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod-deny + namespace: default + labels: + foo: bad +spec: + containers: + - name: container01 + image: busybox:1.35 + args: + - sleep + - 1d diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/chainsaw-test.yaml new file mode 100755 index 000000000000..8074137604e7 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/chainsaw-test.yaml @@ -0,0 +1,40 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: enforce-validate-existing +spec: + steps: + - name: step-01 + try: + - apply: + file: bad-pod.yaml + - assert: + file: bad-pod-ready.yaml + - name: step-02 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - apply: + file: good-pod.yaml + - assert: + file: good-pod-ready.yaml + - name: step-04 + try: + - script: + content: ./bad-pod-update-test.sh + timeout: 30s + - name: step-05 + try: + - script: + content: ./good-pod-update-test.sh + timeout: 30s + - name: step-06 + try: + - script: + content: ./update-bad-pod-to-comply.sh + timeout: 30s 
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-ready.yaml
new file mode 100644
index 000000000000..3650580e3837
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod-deny
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-update-test.sh
new file mode 100755
index 000000000000..142f25c21d6e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po goodpod-deny foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod.yaml
new file mode 100644
index 000000000000..0f686b3bf4f2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod-deny
+ namespace: default
+ labels:
+ foo: bar
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/assert/allow-existing-violations/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy-ready.yaml similarity index 68% rename from test/conformance/chainsaw/assert/allow-existing-violations/policy-ready.yaml rename to test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy-ready.yaml index c8d7af3e03f1..b99900de5421 100644 --- a/test/conformance/chainsaw/assert/allow-existing-violations/policy-ready.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy-ready.yaml @@ -1,4 +1,4 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: check-old-object \ No newline at end of file + name: check-labels-deny diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy.yaml new file mode 100644 index 000000000000..f900d3c3b006 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: check-labels-deny +spec: + background: true + rules: + - name: check-labels + match: + any: + - resources: + kinds: + - Pod + validate: + failureAction: Enforce + deny: + conditions: + any: + - key: "{{ request.object.metadata.labels.foo || '' }}" + operator: NotEquals + value: 'bar' diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/update-bad-pod-to-comply.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/update-bad-pod-to-comply.sh new file mode 100755 index 000000000000..ecb9628c9f10 --- /dev/null 
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/update-bad-pod-to-comply.sh
@@ -0,0 +1,9 @@
+kubectl label po badpod-deny foo=bar --overwrite
+if kubectl label po badpod-deny foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/README.md b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/README.md
new file mode 100644
index 000000000000..5bdeb8018a9f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/README.md
@@ -0,0 +1,17 @@
+## Description
+
+This test mainly verifies that an pss validate policy does not block changes in old objects that were present before policy was created
+
+## Expected Behavior
+
+1. A pod is created that violates the policy.
+2. The policy is applied.
+3. The bad pod is updated with a bad change, it is applied
+4. The bad pod is made to comply
+5. A bad change in that pod does not go through
+6. A good pod is created
+7. Violating changes in good pod causes error.
+
+## Reference Issue(s)
+
+8837
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-ready.yaml
new file mode 100644
index 000000000000..fef0b8c73e53
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ labels:
+ app: nginx
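Review bot: The first line of update-bad-pod-to-comply.sh, `kubectl label po badpod-deny foo=bar --overwrite`, is the step that turns the pre-existing violation into a compliant object, yet its exit status is never checked. If it fails, the pod stays at `foo=bad1`, the second label is admitted as an allowed existing violation, and the script reports "updating violating resource did not throw error" — a message that points at the admission path rather than at the setup step that actually broke. Guard it: `kubectl label po badpod-deny -n default foo=bar --overwrite || { echo "Test failed, could not bring badpod-deny into compliance"; exit 1; }`.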
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-comply.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-comply.yaml new file mode 100644 index 000000000000..9436cf473ed2 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-comply.yaml @@ -0,0 +1,41 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-deployment + labels: + app: nginx +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1 + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + hostNetwork: false + containers: + - name: nginx + image: ghcr.io/kyverno/test-nginx:dontpull + ports: + - containerPort: 80 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + + diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-remove-comply.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-remove-comply.yaml new file mode 100644 index 000000000000..ee5352580497 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-remove-comply.yaml 
@@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-deployment + labels: + app: nginx +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1 + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + containers: + - name: nginx + image: ghcr.io/kyverno/test-nginx:dontpull + ports: + - containerPort: 80 + securityContext: + allowPrivilegeEscalation: true + runAsNonRoot: true + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + + diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update.yaml new file mode 100644 index 000000000000..b5cb70b0433c --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update.yaml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-deployment + labels: + app: nginx +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1 + containers: + - name: nginx + image: ghcr.io/kyverno/test-nginx:dontpull-new-image + securityContext: + allowPrivilegeEscalation: true + runAsNonRoot: true + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + + diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy.yaml new file mode 100644 index 000000000000..7be7a35af449 
--- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bad-deployment + labels: + app: nginx +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + securityContext: + runAsNonRoot: true + runAsUser: 1 + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + containers: + - name: nginx + image: ghcr.io/kyverno/test-nginx:dontpull + ports: + - containerPort: 80 + securityContext: + allowPrivilegeEscalation: true + runAsNonRoot: true + seccompProfile: + type: Localhost + localhostProfile: operator/default/profile1.json + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/chainsaw-test.yaml new file mode 100755 index 000000000000..9e34cf238201 --- /dev/null +++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/chainsaw-test.yaml 
@@ -0,0 +1,45 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-validate-existing
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: bad-deploy.yaml
+ - assert:
+ file: bad-deploy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: bad-deploy-update.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: bad-deploy-update-comply.yaml
+ - name: step-05
+ try:
+ - apply:
+ file: bad-deploy-update-remove-comply.yaml
+ expect:
+ - check:
+ ($error != `null`): true
+ - name: step-06
+ try:
+ - apply:
+ file: good-deploy.yaml
+ - name: step-07
+ try:
+ - apply:
+ file: good-deploy-update.yaml
+ expect:
+ - check:
+ ($error != `null`): true
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-ready.yaml
new file mode 100644
index 000000000000..6d9e203586b7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: nginx
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-update.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-update.yaml
new file mode 100644
index 000000000000..45485de220dd
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-update.yaml
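Review bot: `name: enforce-validate-existing` in this PSS test is the same test name the label-based suite uses in its own chainsaw-test.yaml later in this patch; renaming it to `name: enforce-validate-existing-pss` keeps the two apart in reports and avoids any collision if chainsaw keys results by test name (I'd confirm how it treats duplicate names across directories). Steps 03 and 04 currently rely only on `apply` not returning an error, so the "existing violating Deployment can still be updated" expectation is implicit; an `assert` after step-03 on the updated image, e.g. `spec.template.spec.containers[0].image: ghcr.io/kyverno/test-nginx:dontpull-new-image` wrapped in a Deployment selector, would state it explicitly and distinguish "update accepted" from "update silently dropped".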
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ hostNetwork: false
+ containers:
+ - name: nginx
+ image: ghcr.io/kyverno/test-nginx:dontpull
+ ports:
+ - containerPort: 80
+ securityContext:
+ allowPrivilegeEscalation: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy.yaml
new file mode 100644
index 000000000000..85e1933a0c81
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy.yaml
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ hostNetwork: false
+ containers:
+ - name: nginx
+ image: ghcr.io/kyverno/test-nginx:dontpull
+ ports:
+ - containerPort: 80
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+
+
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy-ready.yaml
new file mode 100644
index 000000000000..a192a3f658ad
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy-ready.yaml
@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: podsecurity-subrule-baseline
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy.yaml
new file mode 100644
index 000000000000..ffa74cb5eca2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: podsecurity-subrule-baseline
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: baseline
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/README.md b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/README.md
new file mode 100644
index 000000000000..b80a44599252
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/README.md
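Review bot: This policy selects enforce mode with the spec-level `validationFailureAction: Enforce`, while the label policy added later in this patch (enforce-validate-existing/policy.yaml) uses the rule-level `validate.failureAction: Enforce`; the two new tests should use the same form, and since the rule-level field is the one the repo is already moving to (the spec-level field is, as far as I know, deprecated in newer Kyverno releases), I'd put it under `validate:` as `failureAction: Enforce` directly above `podSecurity:`. The policy name `podsecurity-subrule-baseline` and rule name `baseline` describe the baseline profile, but the rule enforces `level: restricted`; renaming to something like `podsecurity-restricted` (and the matching policy-ready.yaml) or a comment on the `level:` line explaining why restricted is used would keep the fixture from misleading the next reader.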
@@ -0,0 +1,15 @@
+## Description
+
+This test mainly verifies that an enforce validate policy does not block changes in old objects that were present before policy was created
+
+## Expected Behavior
+
+1. A pod is created that violates the policy.
+2. The policy is applied.
+3. A pod is created that follows the policy.
+4. Violating changes on bad pad does not cause error.
+5. Violating changes in good pod causes error.
+6. The bad pod once passed the policy, will be tracked by the policy and return error on bad changes.
+## Reference Issue(s)
+
+8837
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-ready.yaml
new file mode 100644
index 000000000000..6237f13b1333
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-validate-existing
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-update-test.sh
new file mode 100755
index 000000000000..0b014f2f510b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po badpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test failed, updating violating preexisting resource should not throw error"
+ exit 1
+else
+ echo "Test succeed, updating violating preexisting resource does not throw error"
+ exit 0
+fi
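Review bot: The `if ... | grep -q "validation error: rule check-labels"` test in bad-pod-update-test.sh only looks for one error string, so any other kubectl failure (pod not found because the current kubeconfig context is not the `default` namespace that bad-pod.yaml pins, an auth or connectivity error) lands in the else branch and the script reports success. Since the expectation here is that the update succeeds outright, checking kubectl's exit status is both simpler and stricter, and passing `-n default` removes the dependence on the caller's context namespace; the script is also executed as `./bad-pod-update-test.sh` from chainsaw, so an explicit interpreter line avoids relying on the shell's no-shebang fallback. good-pod-update-test.sh and update-bad-pod-to-comply.sh later in this patch have the same namespace and shebang gap.
```shell
#!/usr/bin/env bash
# Pin the namespace bad-pod.yaml declares rather than relying on the kubeconfig context.
if out=$(kubectl label po badpod-validate-existing -n default foo=bad1 --overwrite 2>&1); then
 echo "Test succeed, updating violating preexisting resource does not throw error"
 exit 0
fi
echo "Test failed, updating violating preexisting resource should not throw error: ${out}"
exit 1
```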
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod.yaml
new file mode 100644
index 000000000000..74872026de44
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-validate-existing
+ namespace: default
+ labels:
+ foo: bad
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/chainsaw-test.yaml
new file mode 100755
index 000000000000..8074137604e7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/chainsaw-test.yaml
@@ -0,0 +1,40 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-validate-existing
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: bad-pod.yaml
+ - assert:
+ file: bad-pod-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: good-pod.yaml
+ - assert:
+ file: good-pod-ready.yaml
+ - name: step-04
+ try:
+ - script:
+ content: ./bad-pod-update-test.sh
+ timeout: 30s
+ - name: step-05
+ try:
+ - script:
+ content: ./good-pod-update-test.sh
+ timeout: 30s
+ - name: step-06
+ try:
+ - script:
+ content: ./update-bad-pod-to-comply.sh
+ timeout: 30s
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-ready.yaml
new file mode 100644
index 000000000000..09cd254f5073
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod-validate-existing
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-update-test.sh
new file mode 100755
index 000000000000..611bd8ee9df7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po goodpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod.yaml
new file mode 100644
index 000000000000..917664364d31
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod-validate-existing
+ namespace: default
+ labels:
+ foo: bar
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy-ready.yaml
new file mode 100644
index 000000000000..e8be2f369bf9
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy-ready.yaml
@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-validate-existing
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy.yaml
new file mode 100644
index 000000000000..e8c1397c88f5
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-validate-existing
+spec:
+ background: true
+ rules:
+ - name: check-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ failureAction: Enforce
+ pattern:
+ metadata:
+ labels:
+ =(foo): "bar"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/update-bad-pod-to-comply.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/update-bad-pod-to-comply.sh
new file mode 100755
index 000000000000..27437a10d640
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/update-bad-pod-to-comply.sh
@@ -0,0 +1,9 @@
+kubectl label po badpod-validate-existing foo=bar --overwrite
+if kubectl label po badpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
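Review bot: The `=(foo): "bar"` pattern in policy.yaml is a conditional anchor, so a Pod that carries no `foo` label at all passes this rule; that is consistent with what the test exercises (both fixture pods carry the label), but the pattern is easy to misread as "foo is required", which matters for a test whose whole point is which updates get blocked. A comment on that line would pin the intent: `# =(foo): conditional anchor - only pods that carry a foo label are checked, and it must be "bar"; a pod without the label passes`.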
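Review bot: The first `kubectl label po badpod-validate-existing foo=bar --overwrite` in update-bad-pod-to-comply.sh is not checked, so if bringing the pod into compliance fails (pod not found in the current-context namespace, or the update rejected) the script runs the following check anyway and a failure there is reported as "did not throw error" rather than as a broken precondition. Guarding it, `kubectl label po badpod-validate-existing -n default foo=bar --overwrite || { echo "Test failed, could not bring bad pod into compliance"; exit 1; }`, makes the precondition explicit and also pins the namespace bad-pod.yaml declares.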