diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2e195837f..634ad2ce7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -51,10 +51,10 @@ jobs:
 - other/rec-req
 - other/res
 - other/s-z
- - pod-security
- - pod-security-cel
- - psa
- - psp-migration
+ # - pod-security
+ # - pod-security-cel
+ # - psa
+ # - psp-migration
 # - tekton
 # - traefik
 # - velero
@@ -126,10 +126,10 @@ jobs:
 # - other/rec-req
 # - other/res
 # - other/s-z
- # - pod-security
- # - pod-security-cel
- # - psa
- # - psp-migration
+ - pod-security
+ - pod-security-cel
+ - psa
+ - psp-migration
 # - tekton
 # - traefik
 # - velero
diff --git a/pod-security-cel/baseline/disallow-capabilities/01-assert.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from pod-security-cel/baseline/disallow-capabilities/01-assert.yaml
rename to pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..a718cb05c
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml
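Review bot: In `.github/workflows/test.yml` the two matrix lists are switched by commenting and uncommenting entries, and the context lines of both hunks show `tekton`, `traefik` and `velero` commented out in each list, so those suites appear to run in neither job. The job names lie outside the hunks; presumably the first list feeds the kuttl job and the second the chainsaw job. I would add a comment above each list, for example `# a suite must be active in exactly one matrix; commented entries here are expected to run in the other job`, so that an admission-policy suite cannot silently lose CI coverage during the migration.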
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-capabilities
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-capabilities
diff --git a/pod-security-cel/baseline/disallow-capabilities/01-enforce.yaml b/pod-security-cel/baseline/disallow-capabilities/01-enforce.yaml
deleted file mode 100644
index f51ea9025..000000000
--- a/pod-security-cel/baseline/disallow-capabilities/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-capabilities.yaml | kubectl create -f -
diff --git a/pod-security-cel/baseline/disallow-capabilities/02-manifests.yaml b/pod-security-cel/baseline/disallow-capabilities/02-manifests.yaml
deleted file mode 100644
index c9967624c..000000000
--- a/pod-security-cel/baseline/disallow-capabilities/02-manifests.yaml
+++ /dev/null
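Review bot: In the new `pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml`, step-02 accepts any failure as proof of enforcement: `($error != null): true` also passes when `pod-bad.yaml` or `podcontroller-bad.yaml` is rejected for a reason unrelated to the policy, such as an unavailable admission webhook or a schema error in the manifest. A test of a security control should tie the rejection to the policy under test, for example by also requiring the policy name in the error text with `(contains($error, 'disallow-capabilities')): true`, assuming `$error` is exposed to the check as a string. The same check appears in the other chainsaw-test.yaml files added in this commit (disallow-host-namespaces, disallow-host-path, disallow-host-ports-range, disallow-host-ports, disallow-host-process, disallow-privileged-containers, disallow-selinux, restrict-seccomp, restrict-sysctls).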
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/baseline/disallow-capabilities/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-capabilities/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/baseline/disallow-capabilities/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-capabilities/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/baseline/disallow-capabilities/99-delete.yaml b/pod-security-cel/baseline/disallow-capabilities/99-delete.yaml
deleted file mode 100644
index 4dc5ad316..000000000
--- a/pod-security-cel/baseline/disallow-capabilities/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-capabilities
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/01-assert.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-namespaces/01-assert.yaml
rename to pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..b0a048c35
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-namespaces
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-namespaces.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-namespaces
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/01-enforce.yaml b/pod-security-cel/baseline/disallow-host-namespaces/01-enforce.yaml
deleted file mode 100644
index e3f57aa1c..000000000
--- a/pod-security-cel/baseline/disallow-host-namespaces/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-namespaces.yaml | kubectl create -f -
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/02-manifests.yaml b/pod-security-cel/baseline/disallow-host-namespaces/02-manifests.yaml
deleted file mode 100644
index 77a7de379..000000000
--- a/pod-security-cel/baseline/disallow-host-namespaces/02-manifests.yaml
+++ /dev/null
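Review bot: In `pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml` the policy is created by a script (`sed … | kubectl create -f -`) and removed only by the ordinary last step `step-99`, so a failed assert in step-01 or a failed apply in step-02 presumably skips the delete and leaves a cluster-wide Enforce policy behind. A leftover policy can then reject pods created by unrelated suites on the same cluster and make their results misleading. Resources created from a script are likely not tracked by the runner's automatic cleanup; I would either create the policy through a tracked operation or make the delete run regardless of earlier failures. The same structure is used in the other chainsaw-test.yaml files added in this commit.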
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/baseline/disallow-host-namespaces/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-host-namespaces/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/baseline/disallow-host-namespaces/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-host-namespaces/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/baseline/disallow-host-namespaces/99-delete.yaml b/pod-security-cel/baseline/disallow-host-namespaces/99-delete.yaml
deleted file mode 100644
index f577764c7..000000000
--- a/pod-security-cel/baseline/disallow-host-namespaces/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-host-namespaces
diff --git a/pod-security-cel/baseline/disallow-host-path/01-assert.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-path/01-assert.yaml
rename to pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..9ec93936f
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-path
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-path.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-path
diff --git a/pod-security-cel/baseline/disallow-host-path/01-enforce.yaml b/pod-security-cel/baseline/disallow-host-path/01-enforce.yaml
deleted file mode 100644
index d1affbcc6..000000000
--- a/pod-security-cel/baseline/disallow-host-path/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-path.yaml | kubectl create -f -
diff --git a/pod-security-cel/baseline/disallow-host-path/02-manifests.yaml b/pod-security-cel/baseline/disallow-host-path/02-manifests.yaml
deleted file mode 100644
index a87b79caa..000000000
--- a/pod-security-cel/baseline/disallow-host-path/02-manifests.yaml
+++ /dev/null
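Review bot: `pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml` is added with file mode 100755, and the renamed assert file next to it goes from 100644 to 100755, although both are YAML manifests that are read, not executed. Keeping data files at 100644 avoids executable bits that serve no purpose; the other `.chainsaw-test` files in this commit carry the same mode. `creationTimestamp: null` under `metadata` looks like converter output and could be dropped.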
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/baseline/disallow-host-path/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-host-path/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/baseline/disallow-host-path/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-host-path/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/baseline/disallow-host-path/99-delete.yaml b/pod-security-cel/baseline/disallow-host-path/99-delete.yaml
deleted file mode 100644
index 35071a4d8..000000000
--- a/pod-security-cel/baseline/disallow-host-path/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-host-path
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/01-assert.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-ports-range/01-assert.yaml
rename to pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..f07516b9d
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-ports-range
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-ports-range.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-ports-range
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/01-enforce.yaml b/pod-security-cel/baseline/disallow-host-ports-range/01-enforce.yaml
deleted file mode 100644
index 6041cf0a5..000000000
--- a/pod-security-cel/baseline/disallow-host-ports-range/01-enforce.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-ports-range.yaml | kubectl create -f -
-
\ No newline at end of file
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/02-manifests.yaml b/pod-security-cel/baseline/disallow-host-ports-range/02-manifests.yaml
deleted file mode 100644
index 85f6ceb55..000000000
--- a/pod-security-cel/baseline/disallow-host-ports-range/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/baseline/disallow-host-ports-range/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-host-ports-range/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/baseline/disallow-host-ports-range/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-host-ports-range/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/baseline/disallow-host-ports-range/99-delete.yaml b/pod-security-cel/baseline/disallow-host-ports-range/99-delete.yaml
deleted file mode 100644
index f8301db4e..000000000
--- a/pod-security-cel/baseline/disallow-host-ports-range/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-host-ports-range
diff --git a/pod-security-cel/baseline/disallow-host-ports/01-assert.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-ports/01-assert.yaml
rename to pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..f9d365042
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-ports
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-ports.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-ports
diff --git a/pod-security-cel/baseline/disallow-host-ports/01-enforce.yaml b/pod-security-cel/baseline/disallow-host-ports/01-enforce.yaml
deleted file mode 100644
index 1435eb6e1..000000000
--- a/pod-security-cel/baseline/disallow-host-ports/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-ports.yaml | kubectl create -f -
diff --git a/pod-security-cel/baseline/disallow-host-ports/02-manifests.yaml b/pod-security-cel/baseline/disallow-host-ports/02-manifests.yaml
deleted file mode 100644
index 6a5b6cd13..000000000
--- a/pod-security-cel/baseline/disallow-host-ports/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/baseline/disallow-host-ports/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-host-ports/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/baseline/disallow-host-ports/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-host-ports/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/baseline/disallow-host-ports/99-delete.yaml b/pod-security-cel/baseline/disallow-host-ports/99-delete.yaml
deleted file mode 100644
index a77641b34..000000000
--- a/pod-security-cel/baseline/disallow-host-ports/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-host-ports
diff --git a/pod-security-cel/baseline/disallow-host-process/01-assert.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from pod-security-cel/baseline/disallow-host-process/01-assert.yaml
rename to pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..7efb9328b
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-process
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-host-process.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-process
diff --git a/pod-security-cel/baseline/disallow-host-process/01-enforce.yaml b/pod-security-cel/baseline/disallow-host-process/01-enforce.yaml
deleted file mode 100644
index 91be34fe8..000000000
--- a/pod-security-cel/baseline/disallow-host-process/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-host-process.yaml | kubectl create -f -
diff --git a/pod-security-cel/baseline/disallow-host-process/02-manifests.yaml b/pod-security-cel/baseline/disallow-host-process/02-manifests.yaml
deleted file mode 100644
index b7564019d..000000000
--- a/pod-security-cel/baseline/disallow-host-process/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/baseline/disallow-host-process/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-host-process/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/baseline/disallow-host-process/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-host-process/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/baseline/disallow-host-process/99-delete.yaml b/pod-security-cel/baseline/disallow-host-process/99-delete.yaml
deleted file mode 100644
index 9257c16ef..000000000
--- a/pod-security-cel/baseline/disallow-host-process/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-host-process
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/01-assert.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from pod-security-cel/baseline/disallow-privileged-containers/01-assert.yaml
rename to pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..bc555d7bf
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-privileged-containers
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-privileged-containers.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-privileged-containers
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/01-enforce.yaml b/pod-security-cel/baseline/disallow-privileged-containers/01-enforce.yaml
deleted file mode 100644
index 50b00eaa5..000000000
--- a/pod-security-cel/baseline/disallow-privileged-containers/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-privileged-containers.yaml | kubectl create -f -
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/02-manifests.yaml b/pod-security-cel/baseline/disallow-privileged-containers/02-manifests.yaml
deleted file mode 100644
index 777b73a6b..000000000
--- a/pod-security-cel/baseline/disallow-privileged-containers/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/baseline/disallow-privileged-containers/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-privileged-containers/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/baseline/disallow-privileged-containers/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-privileged-containers/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/baseline/disallow-privileged-containers/99-delete.yaml b/pod-security-cel/baseline/disallow-privileged-containers/99-delete.yaml
deleted file mode 100644
index 998752ce9..000000000
--- a/pod-security-cel/baseline/disallow-privileged-containers/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-privileged-containers
diff --git a/pod-security-cel/baseline/disallow-selinux/01-assert.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from pod-security-cel/baseline/disallow-selinux/01-assert.yaml
rename to pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..7b4aebb67
--- /dev/null
+++ b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-selinux
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-selinux.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-selinux
diff --git a/pod-security-cel/baseline/disallow-selinux/01-enforce.yaml b/pod-security-cel/baseline/disallow-selinux/01-enforce.yaml
deleted file mode 100644
index 648737241..000000000
--- a/pod-security-cel/baseline/disallow-selinux/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' disallow-selinux.yaml | kubectl create -f -
diff --git a/pod-security-cel/baseline/disallow-selinux/02-manifests.yaml b/pod-security-cel/baseline/disallow-selinux/02-manifests.yaml
deleted file mode 100644
index bf1b3cb81..000000000
--- a/pod-security-cel/baseline/disallow-selinux/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/baseline/disallow-selinux/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-selinux/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/baseline/disallow-selinux/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/disallow-selinux/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/baseline/disallow-selinux/99-delete.yaml b/pod-security-cel/baseline/disallow-selinux/99-delete.yaml
deleted file mode 100644
index 7814df27d..000000000
--- a/pod-security-cel/baseline/disallow-selinux/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-selinux
diff --git a/pod-security-cel/baseline/restrict-seccomp/01-assert.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from pod-security-cel/baseline/restrict-seccomp/01-assert.yaml
rename to pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..cf4c39a3d
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-seccomp
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-seccomp.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-seccomp
diff --git a/pod-security-cel/baseline/restrict-seccomp/01-enforce.yaml b/pod-security-cel/baseline/restrict-seccomp/01-enforce.yaml
deleted file mode 100644
index b8358851f..000000000
--- a/pod-security-cel/baseline/restrict-seccomp/01-enforce.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' restrict-seccomp.yaml | kubectl create -f -
-
\ No newline at end of file
diff --git a/pod-security-cel/baseline/restrict-seccomp/02-manifests.yaml b/pod-security-cel/baseline/restrict-seccomp/02-manifests.yaml
deleted file mode 100644
index 6000b03ef..000000000
--- a/pod-security-cel/baseline/restrict-seccomp/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/baseline/restrict-seccomp/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/restrict-seccomp/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/baseline/restrict-seccomp/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/restrict-seccomp/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/baseline/restrict-seccomp/99-delete.yaml b/pod-security-cel/baseline/restrict-seccomp/99-delete.yaml
deleted file mode 100644
index 1a23863f5..000000000
--- a/pod-security-cel/baseline/restrict-seccomp/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: restrict-seccomp
diff --git a/pod-security-cel/baseline/restrict-sysctls/01-assert.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from pod-security-cel/baseline/restrict-sysctls/01-assert.yaml
rename to pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..43c5a44da
--- /dev/null
+++ b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-sysctls
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-sysctls.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../../../../pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml
+ - apply:
+ file: ../../../../pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: ../../../../pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-sysctls
diff --git a/pod-security-cel/baseline/restrict-sysctls/01-enforce.yaml b/pod-security-cel/baseline/restrict-sysctls/01-enforce.yaml
deleted file mode 100644
index 029c152da..000000000
--- a/pod-security-cel/baseline/restrict-sysctls/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' restrict-sysctls.yaml | kubectl create -f -
diff --git a/pod-security-cel/baseline/restrict-sysctls/02-manifests.yaml b/pod-security-cel/baseline/restrict-sysctls/02-manifests.yaml
deleted file mode 100644
index d6275fcd4..000000000
--- a/pod-security-cel/baseline/restrict-sysctls/02-manifests.yaml
+++ /dev/null
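Review bot: Both `expect` checks in `step-02` of the restrict-sysctls test use `($error != null): true`, which is satisfied by any failure of the `apply`, not only by a Kyverno denial. A manifest the API server rejects for an unrelated reason, or an unavailable admission webhook, would therefore let the negative case pass without the policy having rejected anything. Consider also matching the error text, for example `(contains($error, 'restrict-sysctls')): true`, after confirming what `$error` holds for a denied request. The other `chainsaw-test.yaml` files added in this change use the same check.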
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: ../../../pod-security/baseline/restrict-sysctls/pod-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/restrict-sysctls/pod-bad.yaml
- shouldFail: true
-- file: ../../../pod-security/baseline/restrict-sysctls/podcontroller-good.yaml
- shouldFail: false
-- file: ../../../pod-security/baseline/restrict-sysctls/podcontroller-bad.yaml
- shouldFail: true
diff --git a/pod-security-cel/baseline/restrict-sysctls/99-delete.yaml b/pod-security-cel/baseline/restrict-sysctls/99-delete.yaml
deleted file mode 100644
index 201ec51b4..000000000
--- a/pod-security-cel/baseline/restrict-sysctls/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: restrict-sysctls
diff --git a/pod-security/baseline/disallow-capabilities/01-assert.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 87%
rename from pod-security/baseline/disallow-capabilities/01-assert.yaml
rename to pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 2a4c28f00..5c1ca4056
--- a/pod-security/baseline/disallow-capabilities/01-assert.yaml
+++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: disallow-capabilities
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..a6dbd6744
--- /dev/null
+++ b/pod-security/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-capabilities
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-capabilities.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-capabilities
diff --git a/pod-security/baseline/disallow-capabilities/pod-bad.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from pod-security/baseline/disallow-capabilities/pod-bad.yaml
rename to pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-bad.yaml
diff --git a/pod-security/baseline/disallow-capabilities/pod-good.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from pod-security/baseline/disallow-capabilities/pod-good.yaml
rename to pod-security/baseline/disallow-capabilities/.chainsaw-test/pod-good.yaml
diff --git a/pod-security/baseline/disallow-capabilities/podcontroller-bad.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from pod-security/baseline/disallow-capabilities/podcontroller-bad.yaml
rename to pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-bad.yaml
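Review bot: The `sed` expression in `step-01` matches the literal `validationFailureAction: audit`, while the pod-security-cel tests in this same change match `Audit`; the pattern is case-sensitive, so if the casing in `../disallow-capabilities.yaml` ever changes the substitution does nothing and the policy is created in audit mode. The assert file shown in this change only checks `status.ready: true`, so the mistake would surface only in `step-02` as a bad pod that was unexpectedly admitted. Adding `spec:` with `validationFailureAction: Enforce` to `chainsaw-step-01-assert-1.yaml` would make step-01 fail at the real cause. The same applies to the other pod-security tests that use this `sed` line.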
diff --git a/pod-security/baseline/disallow-capabilities/podcontroller-good.yaml b/pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from pod-security/baseline/disallow-capabilities/podcontroller-good.yaml
rename to pod-security/baseline/disallow-capabilities/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/baseline/disallow-capabilities/01-enforce.yaml b/pod-security/baseline/disallow-capabilities/01-enforce.yaml
deleted file mode 100644
index d8f6739c3..000000000
--- a/pod-security/baseline/disallow-capabilities/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-capabilities.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-capabilities/02-manifests.yaml b/pod-security/baseline/disallow-capabilities/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/pod-security/baseline/disallow-capabilities/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-capabilities/99-delete.yaml b/pod-security/baseline/disallow-capabilities/99-delete.yaml
deleted file mode 100644
index 92ef79a7d..000000000
--- a/pod-security/baseline/disallow-capabilities/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-capabilities
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-namespaces/01-assert.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 87%
rename from pod-security/baseline/disallow-host-namespaces/01-assert.yaml
rename to pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 1da32838a..728930b26
--- a/pod-security/baseline/disallow-host-namespaces/01-assert.yaml
+++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: disallow-host-namespaces
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..948f8f0ce
--- /dev/null
+++ b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-namespaces
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-namespaces.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-namespaces
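Review bot: The new `chainsaw-test.yaml` for disallow-host-namespaces is added with `new file mode 100755`, and the renamed assert file next to it goes from 100644 to 100755; YAML manifests are never executed, so the executable bit should be dropped and the files kept at 100644. `creationTimestamp: null` under `metadata` looks like residue of a conversion tool and can be removed as well. Both points apply to every test file added in this change.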
diff --git a/pod-security/baseline/disallow-host-namespaces/pod-bad.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from pod-security/baseline/disallow-host-namespaces/pod-bad.yaml
rename to pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-bad.yaml
diff --git a/pod-security/baseline/disallow-host-namespaces/pod-good.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from pod-security/baseline/disallow-host-namespaces/pod-good.yaml
rename to pod-security/baseline/disallow-host-namespaces/.chainsaw-test/pod-good.yaml
diff --git a/pod-security/baseline/disallow-host-namespaces/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from pod-security/baseline/disallow-host-namespaces/podcontroller-bad.yaml
rename to pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-bad.yaml
diff --git a/pod-security/baseline/disallow-host-namespaces/podcontroller-good.yaml b/pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from pod-security/baseline/disallow-host-namespaces/podcontroller-good.yaml
rename to pod-security/baseline/disallow-host-namespaces/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/baseline/disallow-host-namespaces/01-enforce.yaml b/pod-security/baseline/disallow-host-namespaces/01-enforce.yaml
deleted file mode 100644
index d2e916df1..000000000
--- a/pod-security/baseline/disallow-host-namespaces/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-host-namespaces.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-namespaces/02-manifests.yaml b/pod-security/baseline/disallow-host-namespaces/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/pod-security/baseline/disallow-host-namespaces/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-namespaces/99-delete.yaml b/pod-security/baseline/disallow-host-namespaces/99-delete.yaml
deleted file mode 100644
index 97b52f4f3..000000000
--- a/pod-security/baseline/disallow-host-namespaces/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-host-namespaces
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-path/01-assert.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 86%
rename from pod-security/baseline/disallow-host-path/01-assert.yaml
rename to pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 64c20b4ef..5bc41e9b1
--- a/pod-security/baseline/disallow-host-path/01-assert.yaml
+++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: disallow-host-path
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..c467859cd
--- /dev/null
+++ b/pod-security/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-host-path
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-path.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-host-path
diff --git a/pod-security/baseline/disallow-host-path/pod-bad.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from pod-security/baseline/disallow-host-path/pod-bad.yaml
rename to pod-security/baseline/disallow-host-path/.chainsaw-test/pod-bad.yaml
diff --git a/pod-security/baseline/disallow-host-path/pod-good.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from pod-security/baseline/disallow-host-path/pod-good.yaml
rename to pod-security/baseline/disallow-host-path/.chainsaw-test/pod-good.yaml
diff --git a/pod-security/baseline/disallow-host-path/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from pod-security/baseline/disallow-host-path/podcontroller-bad.yaml
rename to pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-bad.yaml
diff --git a/pod-security/baseline/disallow-host-path/podcontroller-good.yaml b/pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from pod-security/baseline/disallow-host-path/podcontroller-good.yaml
rename to pod-security/baseline/disallow-host-path/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/baseline/disallow-host-path/01-enforce.yaml b/pod-security/baseline/disallow-host-path/01-enforce.yaml
deleted file mode 100644
index a80ea141b..000000000
--- a/pod-security/baseline/disallow-host-path/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-host-path.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-path/02-manifests.yaml b/pod-security/baseline/disallow-host-path/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/pod-security/baseline/disallow-host-path/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-path/99-delete.yaml b/pod-security/baseline/disallow-host-path/99-delete.yaml
deleted file mode 100644
index 00705915b..000000000
--- a/pod-security/baseline/disallow-host-path/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-host-path
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-host-ports-range/01-assert.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 87% rename from pod-security/baseline/disallow-host-ports-range/01-assert.yaml rename to pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 12a96d646..f4e6012b3 --- a/pod-security/baseline/disallow-host-ports-range/01-assert.yaml +++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,4 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-host-ports-range status: - ready: true \ No newline at end of file + ready: true diff --git a/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..bcba94f64 --- /dev/null +++ b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-host-ports-range +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-ports-range.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports-range 
diff --git a/pod-security/baseline/disallow-host-ports-range/pod-bad.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/baseline/disallow-host-ports-range/pod-bad.yaml rename to pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-bad.yaml diff --git a/pod-security/baseline/disallow-host-ports-range/pod-good.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/baseline/disallow-host-ports-range/pod-good.yaml rename to pod-security/baseline/disallow-host-ports-range/.chainsaw-test/pod-good.yaml diff --git a/pod-security/baseline/disallow-host-ports-range/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml similarity index 100% rename from pod-security/baseline/disallow-host-ports-range/podcontroller-bad.yaml rename to pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-bad.yaml diff --git a/pod-security/baseline/disallow-host-ports-range/podcontroller-good.yaml b/pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml similarity index 100% rename from pod-security/baseline/disallow-host-ports-range/podcontroller-good.yaml rename to pod-security/baseline/disallow-host-ports-range/.chainsaw-test/podcontroller-good.yaml diff --git a/pod-security/baseline/disallow-host-ports-range/01-enforce.yaml b/pod-security/baseline/disallow-host-ports-range/01-enforce.yaml deleted file mode 100644 index 3706073da..000000000 --- a/pod-security/baseline/disallow-host-ports-range/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-host-ports-range.yaml | kubectl create -f - \ No newline at end of file 
diff --git a/pod-security/baseline/disallow-host-ports-range/02-manifests.yaml b/pod-security/baseline/disallow-host-ports-range/02-manifests.yaml deleted file mode 100644 index 71dab6eb2..000000000 --- a/pod-security/baseline/disallow-host-ports-range/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: pod-good.yaml - shouldFail: false -- file: pod-bad.yaml - shouldFail: true -- file: podcontroller-good.yaml - shouldFail: false -- file: podcontroller-bad.yaml - shouldFail: true \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-ports-range/99-delete.yaml b/pod-security/baseline/disallow-host-ports-range/99-delete.yaml deleted file mode 100644 index 40bf164c5..000000000 --- a/pod-security/baseline/disallow-host-ports-range/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-host-ports-range \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-ports/01-assert.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 86% rename from pod-security/baseline/disallow-host-ports/01-assert.yaml rename to pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml index bebb82e00..7630931c6 --- a/pod-security/baseline/disallow-host-ports/01-assert.yaml +++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,4 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-host-ports status: - ready: true \ No newline at end of file + ready: true diff --git a/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..d7e2f2ebf --- /dev/null 
+++ b/pod-security/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-host-ports +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-ports.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-ports diff --git a/pod-security/baseline/disallow-host-ports/pod-bad.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/baseline/disallow-host-ports/pod-bad.yaml rename to pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-bad.yaml diff --git a/pod-security/baseline/disallow-host-ports/pod-good.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/baseline/disallow-host-ports/pod-good.yaml rename to pod-security/baseline/disallow-host-ports/.chainsaw-test/pod-good.yaml diff --git a/pod-security/baseline/disallow-host-ports/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml similarity index 100% rename from pod-security/baseline/disallow-host-ports/podcontroller-bad.yaml rename to pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-bad.yaml 
diff --git a/pod-security/baseline/disallow-host-ports/podcontroller-good.yaml b/pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml similarity index 100% rename from pod-security/baseline/disallow-host-ports/podcontroller-good.yaml rename to pod-security/baseline/disallow-host-ports/.chainsaw-test/podcontroller-good.yaml diff --git a/pod-security/baseline/disallow-host-ports/01-enforce.yaml b/pod-security/baseline/disallow-host-ports/01-enforce.yaml deleted file mode 100644 index 3777d5796..000000000 --- a/pod-security/baseline/disallow-host-ports/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-host-ports.yaml | kubectl create -f - \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-ports/02-manifests.yaml b/pod-security/baseline/disallow-host-ports/02-manifests.yaml deleted file mode 100644 index 71dab6eb2..000000000 --- a/pod-security/baseline/disallow-host-ports/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: pod-good.yaml - shouldFail: false -- file: pod-bad.yaml - shouldFail: true -- file: podcontroller-good.yaml - shouldFail: false -- file: podcontroller-bad.yaml - shouldFail: true \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-ports/99-delete.yaml b/pod-security/baseline/disallow-host-ports/99-delete.yaml deleted file mode 100644 index f3c3ec048..000000000 --- a/pod-security/baseline/disallow-host-ports/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-host-ports \ No newline at end of file 
diff --git a/pod-security/baseline/disallow-host-process/01-assert.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 87% rename from pod-security/baseline/disallow-host-process/01-assert.yaml rename to pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml index ae5df7018..ddce453da --- a/pod-security/baseline/disallow-host-process/01-assert.yaml +++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,4 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-host-process status: - ready: true \ No newline at end of file + ready: true diff --git a/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..d0217a838 --- /dev/null +++ b/pod-security/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-host-process +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-host-process.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-host-process 
diff --git a/pod-security/baseline/disallow-host-process/pod-bad.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/baseline/disallow-host-process/pod-bad.yaml rename to pod-security/baseline/disallow-host-process/.chainsaw-test/pod-bad.yaml diff --git a/pod-security/baseline/disallow-host-process/pod-good.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/baseline/disallow-host-process/pod-good.yaml rename to pod-security/baseline/disallow-host-process/.chainsaw-test/pod-good.yaml diff --git a/pod-security/baseline/disallow-host-process/podcontroller-bad.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml similarity index 100% rename from pod-security/baseline/disallow-host-process/podcontroller-bad.yaml rename to pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-bad.yaml diff --git a/pod-security/baseline/disallow-host-process/podcontroller-good.yaml b/pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml similarity index 100% rename from pod-security/baseline/disallow-host-process/podcontroller-good.yaml rename to pod-security/baseline/disallow-host-process/.chainsaw-test/podcontroller-good.yaml diff --git a/pod-security/baseline/disallow-host-process/01-enforce.yaml b/pod-security/baseline/disallow-host-process/01-enforce.yaml deleted file mode 100644 index 1d12f67b4..000000000 --- a/pod-security/baseline/disallow-host-process/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-host-process.yaml | kubectl create -f - \ No newline at end of file 
diff --git a/pod-security/baseline/disallow-host-process/02-manifests.yaml b/pod-security/baseline/disallow-host-process/02-manifests.yaml deleted file mode 100644 index 71dab6eb2..000000000 --- a/pod-security/baseline/disallow-host-process/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: pod-good.yaml - shouldFail: false -- file: pod-bad.yaml - shouldFail: true -- file: podcontroller-good.yaml - shouldFail: false -- file: podcontroller-bad.yaml - shouldFail: true \ No newline at end of file diff --git a/pod-security/baseline/disallow-host-process/99-delete.yaml b/pod-security/baseline/disallow-host-process/99-delete.yaml deleted file mode 100644 index d2b197557..000000000 --- a/pod-security/baseline/disallow-host-process/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: disallow-host-process \ No newline at end of file diff --git a/pod-security/baseline/disallow-privileged-containers/01-assert.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 88% rename from pod-security/baseline/disallow-privileged-containers/01-assert.yaml rename to pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 1479af11d..cc13a32d2 --- a/pod-security/baseline/disallow-privileged-containers/01-assert.yaml +++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,4 +3,4 @@ kind: ClusterPolicy metadata: name: disallow-privileged-containers status: - ready: true \ No newline at end of file + ready: true 
diff --git a/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..fc401ccbc --- /dev/null +++ b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: disallow-privileged-containers +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-privileged-containers.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: disallow-privileged-containers diff --git a/pod-security/baseline/disallow-privileged-containers/pod-bad.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/baseline/disallow-privileged-containers/pod-bad.yaml rename to pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-bad.yaml diff --git a/pod-security/baseline/disallow-privileged-containers/pod-good.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/baseline/disallow-privileged-containers/pod-good.yaml rename to pod-security/baseline/disallow-privileged-containers/.chainsaw-test/pod-good.yaml 
diff --git a/pod-security/baseline/disallow-privileged-containers/podcontroller-bad.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from pod-security/baseline/disallow-privileged-containers/podcontroller-bad.yaml
rename to pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-bad.yaml
diff --git a/pod-security/baseline/disallow-privileged-containers/podcontroller-good.yaml b/pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from pod-security/baseline/disallow-privileged-containers/podcontroller-good.yaml
rename to pod-security/baseline/disallow-privileged-containers/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/baseline/disallow-privileged-containers/01-enforce.yaml b/pod-security/baseline/disallow-privileged-containers/01-enforce.yaml
deleted file mode 100644
index 1094c4a88..000000000
--- a/pod-security/baseline/disallow-privileged-containers/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-privileged-containers.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-privileged-containers/02-manifests.yaml b/pod-security/baseline/disallow-privileged-containers/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/pod-security/baseline/disallow-privileged-containers/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-privileged-containers/99-delete.yaml b/pod-security/baseline/disallow-privileged-containers/99-delete.yaml
deleted file mode 100644
index 50f3a96e0..000000000
--- a/pod-security/baseline/disallow-privileged-containers/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-privileged-containers
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-selinux/01-assert.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 86%
rename from pod-security/baseline/disallow-selinux/01-assert.yaml
rename to pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 177e4b272..1971822e2
--- a/pod-security/baseline/disallow-selinux/01-assert.yaml
+++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: disallow-selinux
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..774b95c26
--- /dev/null
+++ b/pod-security/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-selinux
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-selinux.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-selinux
diff --git a/pod-security/baseline/disallow-selinux/pod-bad.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from pod-security/baseline/disallow-selinux/pod-bad.yaml
rename to pod-security/baseline/disallow-selinux/.chainsaw-test/pod-bad.yaml
diff --git a/pod-security/baseline/disallow-selinux/pod-good.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from pod-security/baseline/disallow-selinux/pod-good.yaml
rename to pod-security/baseline/disallow-selinux/.chainsaw-test/pod-good.yaml
diff --git a/pod-security/baseline/disallow-selinux/podcontroller-bad.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from pod-security/baseline/disallow-selinux/podcontroller-bad.yaml
rename to pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-bad.yaml
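Review bot: The policy removal sits in the `try:` of a trailing `step-99`, while the policy itself is created in step-01 by `kubectl create` inside a script, which chainsaw presumably cannot track for its own cleanup. If step-01's assert or any apply in step-02 fails, step-99 is likely skipped and `disallow-selinux` stays in the cluster in Enforce mode, where it can reject workloads from unrelated tests that run afterwards. Running the delete from a `finally:` block of the step that does the work (for example by folding the applies into the step that creates the policy) would keep a failed run from leaking an enforcing ClusterPolicy. The other chainsaw-test.yaml files added in this commit use the same three-step layout.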
diff --git a/pod-security/baseline/disallow-selinux/podcontroller-good.yaml b/pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from pod-security/baseline/disallow-selinux/podcontroller-good.yaml
rename to pod-security/baseline/disallow-selinux/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/baseline/disallow-selinux/01-enforce.yaml b/pod-security/baseline/disallow-selinux/01-enforce.yaml
deleted file mode 100644
index d9729f916..000000000
--- a/pod-security/baseline/disallow-selinux/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-selinux.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-selinux/02-manifests.yaml b/pod-security/baseline/disallow-selinux/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/pod-security/baseline/disallow-selinux/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/pod-security/baseline/disallow-selinux/99-delete.yaml b/pod-security/baseline/disallow-selinux/99-delete.yaml
deleted file mode 100644
index e5a8729c4..000000000
--- a/pod-security/baseline/disallow-selinux/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-selinux
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-apparmor-profiles/01-assert.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 87%
rename from pod-security/baseline/restrict-apparmor-profiles/01-assert.yaml
rename to pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index f8f092929..7c5650ac0
--- a/pod-security/baseline/restrict-apparmor-profiles/01-assert.yaml
+++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: restrict-apparmor-profiles
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..3260f1663
--- /dev/null
+++ b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-apparmor-profiles
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-apparmor-profiles.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-apparmor-profiles
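Review bot: Nothing in step-01 confirms that the `sed` substitution actually switched the policy to Enforce: the pattern matches the exact lowercase spelling `validationFailureAction: audit`, `sed` exits 0 when nothing matches, and the assert file only checks `status.ready: true`. If `../restrict-apparmor-profiles.yaml` ever spells the value differently, the policy is created in audit mode and the problem only shows up later as the bad fixtures being admitted in step-02. Adding `spec:` with `validationFailureAction: Enforce` to `chainsaw-step-01-assert-1.yaml` would make a missed substitution fail at step-01 with an obvious cause. The same script and assert pair is used by the other chainsaw-test.yaml files in this commit.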
diff --git a/pod-security/baseline/restrict-apparmor-profiles/pod-bad.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from pod-security/baseline/restrict-apparmor-profiles/pod-bad.yaml
rename to pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-bad.yaml
diff --git a/pod-security/baseline/restrict-apparmor-profiles/pod-good.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from pod-security/baseline/restrict-apparmor-profiles/pod-good.yaml
rename to pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/pod-good.yaml
diff --git a/pod-security/baseline/restrict-apparmor-profiles/podcontroller-bad.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from pod-security/baseline/restrict-apparmor-profiles/podcontroller-bad.yaml
rename to pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-bad.yaml
diff --git a/pod-security/baseline/restrict-apparmor-profiles/podcontroller-good.yaml b/pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from pod-security/baseline/restrict-apparmor-profiles/podcontroller-good.yaml
rename to pod-security/baseline/restrict-apparmor-profiles/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/baseline/restrict-apparmor-profiles/01-enforce.yaml b/pod-security/baseline/restrict-apparmor-profiles/01-enforce.yaml
deleted file mode 100644
index e5345e12d..000000000
--- a/pod-security/baseline/restrict-apparmor-profiles/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' restrict-apparmor-profiles.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-apparmor-profiles/02-manifests.yaml b/pod-security/baseline/restrict-apparmor-profiles/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/pod-security/baseline/restrict-apparmor-profiles/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-apparmor-profiles/99-delete.yaml b/pod-security/baseline/restrict-apparmor-profiles/99-delete.yaml
deleted file mode 100644
index 64746ba27..000000000
--- a/pod-security/baseline/restrict-apparmor-profiles/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: restrict-apparmor-profiles
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-seccomp/01-assert.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 86%
rename from pod-security/baseline/restrict-seccomp/01-assert.yaml
rename to pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 1d5116941..92459aedf
--- a/pod-security/baseline/restrict-seccomp/01-assert.yaml
+++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: restrict-seccomp
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..53b1a231a
--- /dev/null
+++ b/pod-security/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-seccomp
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-seccomp.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-seccomp
diff --git a/pod-security/baseline/restrict-seccomp/pod-bad.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from pod-security/baseline/restrict-seccomp/pod-bad.yaml
rename to pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-bad.yaml
diff --git a/pod-security/baseline/restrict-seccomp/pod-good.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from pod-security/baseline/restrict-seccomp/pod-good.yaml
rename to pod-security/baseline/restrict-seccomp/.chainsaw-test/pod-good.yaml
diff --git a/pod-security/baseline/restrict-seccomp/podcontroller-bad.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from pod-security/baseline/restrict-seccomp/podcontroller-bad.yaml
rename to pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-bad.yaml
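Review bot: This test definition is added with `new file mode 100755`, and the renamed `chainsaw-step-01-assert-1.yaml` next to it goes from 100644 to 100755, although both are YAML data that nothing executes. Keeping fixtures at `100644` avoids executable bits on files that are only parsed and keeps mode changes out of otherwise pure renames. The same mode appears on the other chainsaw-test.yaml and assert files in this commit, so it looks like an artefact of how the files were produced.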
diff --git a/pod-security/baseline/restrict-seccomp/podcontroller-good.yaml b/pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from pod-security/baseline/restrict-seccomp/podcontroller-good.yaml
rename to pod-security/baseline/restrict-seccomp/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/baseline/restrict-seccomp/01-enforce.yaml b/pod-security/baseline/restrict-seccomp/01-enforce.yaml
deleted file mode 100644
index 937165a30..000000000
--- a/pod-security/baseline/restrict-seccomp/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' restrict-seccomp.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-seccomp/02-manifests.yaml b/pod-security/baseline/restrict-seccomp/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/pod-security/baseline/restrict-seccomp/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-seccomp/99-delete.yaml b/pod-security/baseline/restrict-seccomp/99-delete.yaml
deleted file mode 100644
index f6dfdcb06..000000000
--- a/pod-security/baseline/restrict-seccomp/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: restrict-seccomp
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-sysctls/01-assert.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 86%
rename from pod-security/baseline/restrict-sysctls/01-assert.yaml
rename to pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 8e368923f..a7afea7ef
--- a/pod-security/baseline/restrict-sysctls/01-assert.yaml
+++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: restrict-sysctls
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..e872e47e0
--- /dev/null
+++ b/pod-security/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-sysctls
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-sysctls.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-sysctls
diff --git a/pod-security/baseline/restrict-sysctls/pod-bad.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from pod-security/baseline/restrict-sysctls/pod-bad.yaml
rename to pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-bad.yaml
diff --git a/pod-security/baseline/restrict-sysctls/pod-good.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from pod-security/baseline/restrict-sysctls/pod-good.yaml
rename to pod-security/baseline/restrict-sysctls/.chainsaw-test/pod-good.yaml
diff --git a/pod-security/baseline/restrict-sysctls/podcontroller-bad.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from pod-security/baseline/restrict-sysctls/podcontroller-bad.yaml
rename to pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-bad.yaml
diff --git a/pod-security/baseline/restrict-sysctls/podcontroller-good.yaml b/pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from pod-security/baseline/restrict-sysctls/podcontroller-good.yaml
rename to pod-security/baseline/restrict-sysctls/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/baseline/restrict-sysctls/01-enforce.yaml b/pod-security/baseline/restrict-sysctls/01-enforce.yaml
deleted file mode 100644
index 2bbe09608..000000000
--- a/pod-security/baseline/restrict-sysctls/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' restrict-sysctls.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-sysctls/02-manifests.yaml b/pod-security/baseline/restrict-sysctls/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/pod-security/baseline/restrict-sysctls/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/pod-security/baseline/restrict-sysctls/99-delete.yaml b/pod-security/baseline/restrict-sysctls/99-delete.yaml
deleted file mode 100644
index 98f8c0561..000000000
--- a/pod-security/baseline/restrict-sysctls/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: restrict-sysctls
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-capabilities-strict/01-assert.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 87%
rename from pod-security/restricted/disallow-capabilities-strict/01-assert.yaml
rename to pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 573a3126f..a7bd6b8fa
--- a/pod-security/restricted/disallow-capabilities-strict/01-assert.yaml
+++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: disallow-capabilities-strict
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..2bdf86803
--- /dev/null
+++ b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-capabilities-strict
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-capabilities-strict.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-capabilities-strict
diff --git a/pod-security/restricted/disallow-capabilities-strict/pod-bad.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from pod-security/restricted/disallow-capabilities-strict/pod-bad.yaml
rename to pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
diff --git a/pod-security/restricted/disallow-capabilities-strict/pod-good.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from pod-security/restricted/disallow-capabilities-strict/pod-good.yaml
rename to pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
diff --git a/pod-security/restricted/disallow-capabilities-strict/podcontroller-bad.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from pod-security/restricted/disallow-capabilities-strict/podcontroller-bad.yaml
rename to pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
diff --git a/pod-security/restricted/disallow-capabilities-strict/podcontroller-good.yaml b/pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from pod-security/restricted/disallow-capabilities-strict/podcontroller-good.yaml
rename to pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/restricted/disallow-capabilities-strict/01-enforce.yaml b/pod-security/restricted/disallow-capabilities-strict/01-enforce.yaml
deleted file mode 100644
index 53d22e1ed..000000000
--- a/pod-security/restricted/disallow-capabilities-strict/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-capabilities-strict.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-capabilities-strict/02-manifests.yaml b/pod-security/restricted/disallow-capabilities-strict/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/pod-security/restricted/disallow-capabilities-strict/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-capabilities-strict/99-delete.yaml b/pod-security/restricted/disallow-capabilities-strict/99-delete.yaml
deleted file mode 100644
index a10f04bf8..000000000
--- a/pod-security/restricted/disallow-capabilities-strict/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-capabilities-strict
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-privilege-escalation/01-assert.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 87%
rename from pod-security/restricted/disallow-privilege-escalation/01-assert.yaml
rename to pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 8168fe9be..30a5747c2
--- a/pod-security/restricted/disallow-privilege-escalation/01-assert.yaml
+++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: disallow-privilege-escalation
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..f50453dba
--- /dev/null
+++ b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disallow-privilege-escalation
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: disallow-privilege-escalation
diff --git a/pod-security/restricted/disallow-privilege-escalation/pod-bad.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from pod-security/restricted/disallow-privilege-escalation/pod-bad.yaml
rename to pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml
diff --git a/pod-security/restricted/disallow-privilege-escalation/pod-good.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from pod-security/restricted/disallow-privilege-escalation/pod-good.yaml
rename to pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml
diff --git a/pod-security/restricted/disallow-privilege-escalation/podcontroller-bad.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from pod-security/restricted/disallow-privilege-escalation/podcontroller-bad.yaml
rename to pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
diff --git a/pod-security/restricted/disallow-privilege-escalation/podcontroller-good.yaml b/pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from pod-security/restricted/disallow-privilege-escalation/podcontroller-good.yaml
rename to pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml
diff --git a/pod-security/restricted/disallow-privilege-escalation/01-enforce.yaml b/pod-security/restricted/disallow-privilege-escalation/01-enforce.yaml
deleted file mode 100644
index c06e78ab5..000000000
--- a/pod-security/restricted/disallow-privilege-escalation/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' disallow-privilege-escalation.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-privilege-escalation/02-manifests.yaml b/pod-security/restricted/disallow-privilege-escalation/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/pod-security/restricted/disallow-privilege-escalation/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/pod-security/restricted/disallow-privilege-escalation/99-delete.yaml b/pod-security/restricted/disallow-privilege-escalation/99-delete.yaml
deleted file mode 100644
index 50a8cf50a..000000000
--- a/pod-security/restricted/disallow-privilege-escalation/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: disallow-privilege-escalation
\ No newline at end of file
diff --git a/pod-security/restricted/require-run-as-non-root-user/01-assert.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 87%
rename from pod-security/restricted/require-run-as-non-root-user/01-assert.yaml
rename to pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index a8e6b6fd5..3a15a8755
--- a/pod-security/restricted/require-run-as-non-root-user/01-assert.yaml
+++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: require-run-as-non-root-user
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..4ca60b0bb
--- /dev/null
+++ b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: require-run-as-non-root-user +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-run-as-non-root-user.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-run-as-non-root-user diff --git a/pod-security/restricted/require-run-as-non-root-user/pod-bad.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/restricted/require-run-as-non-root-user/pod-bad.yaml rename to pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml diff --git a/pod-security/restricted/require-run-as-non-root-user/pod-good.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/restricted/require-run-as-non-root-user/pod-good.yaml rename to pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml diff --git a/pod-security/restricted/require-run-as-non-root-user/podcontroller-bad.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml similarity index 100% rename from pod-security/restricted/require-run-as-non-root-user/podcontroller-bad.yaml rename to pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml 
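Review bot: The ClusterPolicy that step-01 creates through `sed … | kubectl create -f -` comes from a shell script rather than a chainsaw operation, so chainsaw presumably does not track it for cleanup. The only removal is the `delete` under step-99's `try`. If step-02 fails, step-99 is likely skipped, and an Enforce-mode cluster-wide policy stays behind for whatever runs next on the same cluster. Consider creating the policy with a chainsaw `apply`/`create` operation so it is tracked, or otherwise make sure the delete also runs when an earlier step fails. The same pattern is in the chainsaw-test.yaml files added for require-run-as-nonroot, restrict-seccomp-strict, restrict-volume-types and restricted-latest.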
diff --git a/pod-security/restricted/require-run-as-non-root-user/podcontroller-good.yaml b/pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml similarity index 100% rename from pod-security/restricted/require-run-as-non-root-user/podcontroller-good.yaml rename to pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml diff --git a/pod-security/restricted/require-run-as-non-root-user/01-enforce.yaml b/pod-security/restricted/require-run-as-non-root-user/01-enforce.yaml deleted file mode 100644 index 6feabf7db..000000000 --- a/pod-security/restricted/require-run-as-non-root-user/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' require-run-as-non-root-user.yaml | kubectl create -f - \ No newline at end of file diff --git a/pod-security/restricted/require-run-as-non-root-user/02-manifests.yaml b/pod-security/restricted/require-run-as-non-root-user/02-manifests.yaml deleted file mode 100644 index 71dab6eb2..000000000 --- a/pod-security/restricted/require-run-as-non-root-user/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: pod-good.yaml - shouldFail: false -- file: pod-bad.yaml - shouldFail: true -- file: podcontroller-good.yaml - shouldFail: false -- file: podcontroller-bad.yaml - shouldFail: true \ No newline at end of file diff --git a/pod-security/restricted/require-run-as-non-root-user/99-delete.yaml b/pod-security/restricted/require-run-as-non-root-user/99-delete.yaml deleted file mode 100644 index e82e22317..000000000 --- a/pod-security/restricted/require-run-as-non-root-user/99-delete.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: require-run-as-non-root-user \ No newline at end of file diff --git a/pod-security/restricted/require-run-as-nonroot/01-assert.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 87% rename from pod-security/restricted/require-run-as-nonroot/01-assert.yaml rename to pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 812719b6d..d97abc312 --- a/pod-security/restricted/require-run-as-nonroot/01-assert.yaml +++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,4 +3,4 @@ kind: ClusterPolicy metadata: name: require-run-as-nonroot status: - ready: true \ No newline at end of file + ready: true diff --git a/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..ca1d27b73 --- /dev/null +++ b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: require-run-as-nonroot +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../require-run-as-nonroot.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: require-run-as-nonroot diff --git a/pod-security/restricted/require-run-as-nonroot/pod-bad.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/restricted/require-run-as-nonroot/pod-bad.yaml rename to pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-bad.yaml diff --git a/pod-security/restricted/require-run-as-nonroot/pod-good.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/restricted/require-run-as-nonroot/pod-good.yaml rename to pod-security/restricted/require-run-as-nonroot/.chainsaw-test/pod-good.yaml diff --git a/pod-security/restricted/require-run-as-nonroot/podcontroller-bad.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml similarity index 100% rename from pod-security/restricted/require-run-as-nonroot/podcontroller-bad.yaml rename to pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-bad.yaml 
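Review bot: Both negative cases in step-02 pass on any failure, because `($error != null): true` does not distinguish a denial by this policy from an unrelated error such as a malformed manifest or an unavailable admission webhook. The check should tie the rejection to the policy, for example by also requiring the error text to name it: `(contains($error, 'require-run-as-nonroot')): true`. That assumes `$error` is bound to the message string, which should be confirmed against the chainsaw version in use. The other chainsaw-test.yaml files added in this change use the same bare check.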
diff --git a/pod-security/restricted/require-run-as-nonroot/podcontroller-good.yaml b/pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml similarity index 100% rename from pod-security/restricted/require-run-as-nonroot/podcontroller-good.yaml rename to pod-security/restricted/require-run-as-nonroot/.chainsaw-test/podcontroller-good.yaml diff --git a/pod-security/restricted/require-run-as-nonroot/01-enforce.yaml b/pod-security/restricted/require-run-as-nonroot/01-enforce.yaml deleted file mode 100644 index d9eb9482e..000000000 --- a/pod-security/restricted/require-run-as-nonroot/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' require-run-as-nonroot.yaml | kubectl create -f - \ No newline at end of file diff --git a/pod-security/restricted/require-run-as-nonroot/02-manifests.yaml b/pod-security/restricted/require-run-as-nonroot/02-manifests.yaml deleted file mode 100644 index 71dab6eb2..000000000 --- a/pod-security/restricted/require-run-as-nonroot/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: pod-good.yaml - shouldFail: false -- file: pod-bad.yaml - shouldFail: true -- file: podcontroller-good.yaml - shouldFail: false -- file: podcontroller-bad.yaml - shouldFail: true \ No newline at end of file diff --git a/pod-security/restricted/require-run-as-nonroot/99-delete.yaml b/pod-security/restricted/require-run-as-nonroot/99-delete.yaml deleted file mode 100644 index f09a542ad..000000000 --- a/pod-security/restricted/require-run-as-nonroot/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: require-run-as-nonroot \ No newline at end of file 
diff --git a/pod-security/restricted/restrict-seccomp-strict/01-assert.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 87% rename from pod-security/restricted/restrict-seccomp-strict/01-assert.yaml rename to pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml index f0c0d614f..db4a4dc3a --- a/pod-security/restricted/restrict-seccomp-strict/01-assert.yaml +++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,4 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-seccomp-strict status: - ready: true \ No newline at end of file + ready: true diff --git a/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..1e3a4b7f5 --- /dev/null +++ b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-seccomp-strict +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-seccomp-strict.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-seccomp-strict 
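Review bot: `sed` exits 0 when its pattern matches nothing, so if `../restrict-seccomp-strict.yaml` ever spells the value differently (for example `Audit`), the policy is created in audit mode and step-01 still passes. The assert file chainsaw-step-01-assert-1.yaml only checks `status.ready: true`. The problem then shows up in step-02 as an unexpected success on pod-bad.yaml, far from the cause. Adding the expected mode to the assert file, e.g. `validationFailureAction: Enforce` under `spec:` (or wherever the policy sets it), would make the test fail at the step that went wrong.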
diff --git a/pod-security/restricted/restrict-seccomp-strict/pod-bad.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/restricted/restrict-seccomp-strict/pod-bad.yaml rename to pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml diff --git a/pod-security/restricted/restrict-seccomp-strict/pod-good.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/restricted/restrict-seccomp-strict/pod-good.yaml rename to pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml diff --git a/pod-security/restricted/restrict-seccomp-strict/podcontroller-bad.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml similarity index 100% rename from pod-security/restricted/restrict-seccomp-strict/podcontroller-bad.yaml rename to pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml diff --git a/pod-security/restricted/restrict-seccomp-strict/podcontroller-good.yaml b/pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml similarity index 100% rename from pod-security/restricted/restrict-seccomp-strict/podcontroller-good.yaml rename to pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml diff --git a/pod-security/restricted/restrict-seccomp-strict/01-enforce.yaml b/pod-security/restricted/restrict-seccomp-strict/01-enforce.yaml deleted file mode 100644 index 4d438a322..000000000 --- a/pod-security/restricted/restrict-seccomp-strict/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' restrict-seccomp-strict.yaml | kubectl create -f - \ No newline at end of file 
diff --git a/pod-security/restricted/restrict-seccomp-strict/02-manifests.yaml b/pod-security/restricted/restrict-seccomp-strict/02-manifests.yaml deleted file mode 100644 index 71dab6eb2..000000000 --- a/pod-security/restricted/restrict-seccomp-strict/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: pod-good.yaml - shouldFail: false -- file: pod-bad.yaml - shouldFail: true -- file: podcontroller-good.yaml - shouldFail: false -- file: podcontroller-bad.yaml - shouldFail: true \ No newline at end of file diff --git a/pod-security/restricted/restrict-seccomp-strict/99-delete.yaml b/pod-security/restricted/restrict-seccomp-strict/99-delete.yaml deleted file mode 100644 index 4773c32c4..000000000 --- a/pod-security/restricted/restrict-seccomp-strict/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: restrict-seccomp-strict \ No newline at end of file diff --git a/pod-security/restricted/restrict-volume-types/01-assert.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 87% rename from pod-security/restricted/restrict-volume-types/01-assert.yaml rename to pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 7e40641cc..417239b4b --- a/pod-security/restricted/restrict-volume-types/01-assert.yaml +++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,4 +3,4 @@ kind: ClusterPolicy metadata: name: restrict-volume-types status: - ready: true \ No newline at end of file + ready: true diff --git a/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..7c80e2f12 --- /dev/null 
+++ b/pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,49 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restrict-volume-types +spec: + steps: + - name: step-01 + try: + - apply: + file: ns.yaml + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-volume-types.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: restrict-volume-types + - command: + args: + - delete + - all + - --all + - --force + - --grace-period=0 + - -n + - restrict-voltypes-ns + entrypoint: kubectl diff --git a/pod-security/restricted/restrict-volume-types/ns.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml similarity index 100% rename from pod-security/restricted/restrict-volume-types/ns.yaml rename to pod-security/restricted/restrict-volume-types/.chainsaw-test/ns.yaml diff --git a/pod-security/restricted/restrict-volume-types/pod-bad.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/restricted/restrict-volume-types/pod-bad.yaml rename to pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml diff --git a/pod-security/restricted/restrict-volume-types/pod-good.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/restricted/restrict-volume-types/pod-good.yaml rename to pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml 
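Review bot: The `kubectl delete all --all --force --grace-period=0 -n restrict-voltypes-ns` command in step-99 hard-codes a namespace name that this file does not otherwise mention; presumably it is the one defined in ns.yaml. Since ns.yaml is applied by a chainsaw `apply` in step-01, chainsaw's own cleanup may already remove the namespace and its contents, which would make the forced delete redundant. If it is still needed, a comment such as `# restrict-voltypes-ns comes from ns.yaml; force-remove leftover workloads` would say why. As written the command sits under `try`, so a failure of the cleanup itself fails the test.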
diff --git a/pod-security/restricted/restrict-volume-types/podcontroller-bad.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml similarity index 100% rename from pod-security/restricted/restrict-volume-types/podcontroller-bad.yaml rename to pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml diff --git a/pod-security/restricted/restrict-volume-types/podcontroller-good.yaml b/pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml similarity index 100% rename from pod-security/restricted/restrict-volume-types/podcontroller-good.yaml rename to pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml diff --git a/pod-security/restricted/restrict-volume-types/01-enforce.yaml b/pod-security/restricted/restrict-volume-types/01-enforce.yaml deleted file mode 100644 index 92ff83731..000000000 --- a/pod-security/restricted/restrict-volume-types/01-enforce.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' restrict-volume-types.yaml | kubectl create -f - -apply: -- ns.yaml \ No newline at end of file diff --git a/pod-security/restricted/restrict-volume-types/02-manifests.yaml b/pod-security/restricted/restrict-volume-types/02-manifests.yaml deleted file mode 100644 index 71dab6eb2..000000000 --- a/pod-security/restricted/restrict-volume-types/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: pod-good.yaml - shouldFail: false -- file: pod-bad.yaml - shouldFail: true -- file: podcontroller-good.yaml - shouldFail: false -- file: podcontroller-bad.yaml - shouldFail: true \ No newline at end of file 
diff --git a/pod-security/restricted/restrict-volume-types/99-delete.yaml b/pod-security/restricted/restrict-volume-types/99-delete.yaml deleted file mode 100644 index dd89e4658..000000000 --- a/pod-security/restricted/restrict-volume-types/99-delete.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: restrict-volume-types -commands: -- command: kubectl delete all --all --force --grace-period=0 -n restrict-voltypes-ns \ No newline at end of file diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/chainsaw-test.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..0eeef7b34 --- /dev/null +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,29 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restricted-exclude-capabilities +spec: + steps: + - name: step-01 + try: + - apply: + file: ../restricted-exclude-capabilities.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/pod-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-exclude-capabilities/pod-bad.yaml rename to pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-bad.yaml 
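Review bot: step-01 applies `../restricted-exclude-capabilities.yaml` unchanged, unlike the sibling tests that first rewrite `validationFailureAction` to Enforce, so the two expected rejections in step-02 hold only if the policy file itself enforces. policy-ready.yaml is not shown here; if it checks only readiness, a later switch of the policy to audit would surface as a confusing step-02 failure. A one-line comment on the apply, such as `# policy must ship in Enforce mode; no sed rewrite here`, or an explicit mode check in policy-ready.yaml would make the dependency visible. The restricted-exclude-seccomp test added later in this change has the same shape.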
diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/pod-good.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-exclude-capabilities/pod-good.yaml rename to pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/pod-good.yaml diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/podcontroller-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-bad.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-exclude-capabilities/podcontroller-bad.yaml rename to pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-bad.yaml diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/podcontroller-good.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-good.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-exclude-capabilities/podcontroller-good.yaml rename to pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/podcontroller-good.yaml diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/policy-ready.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/policy-ready.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-exclude-capabilities/policy-ready.yaml rename to pod-security/subrule/restricted/restricted-exclude-capabilities/.chainsaw-test/policy-ready.yaml diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/01-policy.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/01-policy.yaml deleted file mode 100644 index 101b9fef3..000000000 
--- a/pod-security/subrule/restricted/restricted-exclude-capabilities/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- restricted-exclude-capabilities.yaml -assert: -- policy-ready.yaml \ No newline at end of file diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/02-manifests.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/02-manifests.yaml deleted file mode 100644 index 71dab6eb2..000000000 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: pod-good.yaml - shouldFail: false -- file: pod-bad.yaml - shouldFail: true -- file: podcontroller-good.yaml - shouldFail: false -- file: podcontroller-bad.yaml - shouldFail: true \ No newline at end of file diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/chainsaw-test.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..25533518d --- /dev/null +++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,29 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restricted-exclude-seccomp +spec: + steps: + - name: step-01 + try: + - apply: + file: ../restricted-exclude-seccomp.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml 
diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/pod-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-exclude-seccomp/pod-bad.yaml rename to pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-bad.yaml diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/pod-good.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-exclude-seccomp/pod-good.yaml rename to pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/pod-good.yaml diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/podcontroller-bad.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-bad.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-exclude-seccomp/podcontroller-bad.yaml rename to pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-bad.yaml diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/podcontroller-good.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-good.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-exclude-seccomp/podcontroller-good.yaml rename to pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/podcontroller-good.yaml diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/policy-ready.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/policy-ready.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-exclude-seccomp/policy-ready.yaml rename to pod-security/subrule/restricted/restricted-exclude-seccomp/.chainsaw-test/policy-ready.yaml 
diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/01-policy.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/01-policy.yaml deleted file mode 100644 index bb39fab3f..000000000 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- restricted-exclude-seccomp.yaml -assert: -- policy-ready.yaml \ No newline at end of file diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/02-manifests.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/02-manifests.yaml deleted file mode 100644 index 71dab6eb2..000000000 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: pod-good.yaml - shouldFail: false -- file: pod-bad.yaml - shouldFail: true -- file: podcontroller-good.yaml - shouldFail: false -- file: podcontroller-bad.yaml - shouldFail: true \ No newline at end of file diff --git a/pod-security/subrule/restricted/restricted-latest/01-assert.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 88% rename from pod-security/subrule/restricted/restricted-latest/01-assert.yaml rename to pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 293054bf0..03e743584 --- a/pod-security/subrule/restricted/restricted-latest/01-assert.yaml +++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,4 +3,4 @@ kind: ClusterPolicy metadata: name: podsecurity-subrule-restricted status: - ready: true \ No newline at end of file + ready: true 
diff --git a/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-test.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..9a8127221 --- /dev/null +++ b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,37 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: restricted-latest +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restricted-latest.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: podsecurity-subrule-restricted diff --git a/pod-security/subrule/restricted/restricted-latest/pod-bad.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-bad.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-latest/pod-bad.yaml rename to pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-bad.yaml diff --git a/pod-security/subrule/restricted/restricted-latest/pod-good.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-good.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-latest/pod-good.yaml rename to pod-security/subrule/restricted/restricted-latest/.chainsaw-test/pod-good.yaml 
diff --git a/pod-security/subrule/restricted/restricted-latest/podcontroller-bad.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-bad.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-latest/podcontroller-bad.yaml rename to pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-bad.yaml diff --git a/pod-security/subrule/restricted/restricted-latest/podcontroller-good.yaml b/pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-good.yaml similarity index 100% rename from pod-security/subrule/restricted/restricted-latest/podcontroller-good.yaml rename to pod-security/subrule/restricted/restricted-latest/.chainsaw-test/podcontroller-good.yaml diff --git a/pod-security/subrule/restricted/restricted-latest/01-enforce.yaml b/pod-security/subrule/restricted/restricted-latest/01-enforce.yaml deleted file mode 100644 index cdfc3aa5e..000000000 --- a/pod-security/subrule/restricted/restricted-latest/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' restricted-latest.yaml | kubectl create -f - \ No newline at end of file diff --git a/pod-security/subrule/restricted/restricted-latest/02-manifests.yaml b/pod-security/subrule/restricted/restricted-latest/02-manifests.yaml deleted file mode 100644 index 71dab6eb2..000000000 --- a/pod-security/subrule/restricted/restricted-latest/02-manifests.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: pod-good.yaml - shouldFail: false -- file: pod-bad.yaml - shouldFail: true -- file: podcontroller-good.yaml - shouldFail: false -- file: podcontroller-bad.yaml - shouldFail: true \ No newline at end of file 
diff --git a/pod-security/subrule/restricted/restricted-latest/99-delete.yaml b/pod-security/subrule/restricted/restricted-latest/99-delete.yaml deleted file mode 100644 index 1a8251590..000000000 --- a/pod-security/subrule/restricted/restricted-latest/99-delete.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: podsecurity-subrule-restricted \ No newline at end of file diff --git a/psa/add-privileged-existing-namespaces/00-clusterrole.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-step-00-apply-1.yaml old mode 100644 new mode 100755 similarity index 96% rename from psa/add-privileged-existing-namespaces/00-clusterrole.yaml rename to psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-step-00-apply-1.yaml index 34c1f9f0f..1c10a23ce --- a/psa/add-privileged-existing-namespaces/00-clusterrole.yaml +++ b/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-step-00-apply-1.yaml @@ -1,15 +1,15 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:background-controller:add-privileged-existing-namespaces labels: app.kubernetes.io/component: background-controller app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno + name: kyverno:background-controller:add-privileged-existing-namespaces rules: - apiGroups: - "" resources: - namespaces verbs: - - update \ No newline at end of file + - update diff --git a/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-step-01-apply-1.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-step-01-apply-1.yaml new file mode 100755 index 000000000..567364432 --- /dev/null +++ b/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-step-01-apply-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: add-privileged-existing-ns01 
diff --git a/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-test.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..2e28b2966
--- /dev/null
+++ b/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,41 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: add-privileged-existing-namespaces
+spec:
+ steps:
+ - name: step-00
+ try:
+ - apply:
+ file: chainsaw-step-00-apply-1.yaml
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../add-privileged-existing-namespaces.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: ns.yaml
+ - name: step-04
+ try:
+ - assert:
+ file: patched-ns01.yaml
+ - assert:
+ file: patched-ns02.yaml
+ - error:
+ file: not-patched-ns03.yaml
+ - name: step-05
+ try:
+ - apply:
+ file: policy-update.yaml
+ - assert:
+ file: patched-again-ns01.yaml
+ - assert:
+ file: patched-again-ns02.yaml
diff --git a/psa/add-privileged-existing-namespaces/not-patched-ns03.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/not-patched-ns03.yaml
similarity index 100%
rename from psa/add-privileged-existing-namespaces/not-patched-ns03.yaml
rename to psa/add-privileged-existing-namespaces/.chainsaw-test/not-patched-ns03.yaml
diff --git a/psa/add-privileged-existing-namespaces/ns.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/ns.yaml
similarity index 100%
rename from psa/add-privileged-existing-namespaces/ns.yaml
rename to psa/add-privileged-existing-namespaces/.chainsaw-test/ns.yaml
diff --git a/psa/add-privileged-existing-namespaces/patched-again-ns01.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/patched-again-ns01.yaml
similarity index 100%
rename from psa/add-privileged-existing-namespaces/patched-again-ns01.yaml
rename to psa/add-privileged-existing-namespaces/.chainsaw-test/patched-again-ns01.yaml
diff --git a/psa/add-privileged-existing-namespaces/patched-again-ns02.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/patched-again-ns02.yaml
similarity index 100%
rename from psa/add-privileged-existing-namespaces/patched-again-ns02.yaml
rename to psa/add-privileged-existing-namespaces/.chainsaw-test/patched-again-ns02.yaml
diff --git a/psa/add-privileged-existing-namespaces/patched-ns01.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/patched-ns01.yaml
similarity index 100%
rename from psa/add-privileged-existing-namespaces/patched-ns01.yaml
rename to psa/add-privileged-existing-namespaces/.chainsaw-test/patched-ns01.yaml
diff --git a/psa/add-privileged-existing-namespaces/patched-ns02.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/patched-ns02.yaml
similarity index 100%
rename from psa/add-privileged-existing-namespaces/patched-ns02.yaml
rename to psa/add-privileged-existing-namespaces/.chainsaw-test/patched-ns02.yaml
diff --git a/psa/add-privileged-existing-namespaces/policy-ready.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/policy-ready.yaml
similarity index 100%
rename from psa/add-privileged-existing-namespaces/policy-ready.yaml
rename to psa/add-privileged-existing-namespaces/.chainsaw-test/policy-ready.yaml
diff --git a/psa/add-privileged-existing-namespaces/policy-update.yaml b/psa/add-privileged-existing-namespaces/.chainsaw-test/policy-update.yaml
similarity index 100%
rename from psa/add-privileged-existing-namespaces/policy-update.yaml
rename to psa/add-privileged-existing-namespaces/.chainsaw-test/policy-update.yaml
diff --git a/psa/add-privileged-existing-namespaces/02-policy.yaml b/psa/add-privileged-existing-namespaces/02-policy.yaml
deleted file mode 100644
index a0d3b21f5..000000000
--- a/psa/add-privileged-existing-namespaces/02-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- add-privileged-existing-namespaces.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/psa/add-privileged-existing-namespaces/03-resources.yaml b/psa/add-privileged-existing-namespaces/03-resources.yaml
deleted file mode 100644
index 74a92493e..000000000
--- a/psa/add-privileged-existing-namespaces/03-resources.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- ns.yaml
\ No newline at end of file
diff --git a/psa/add-privileged-existing-namespaces/04-mutated.yaml b/psa/add-privileged-existing-namespaces/04-mutated.yaml
deleted file mode 100644
index 8dc33573b..000000000
--- a/psa/add-privileged-existing-namespaces/04-mutated.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-assert:
-- patched-ns01.yaml
-- patched-ns02.yaml
-error:
-- not-patched-ns03.yaml
\ No newline at end of file
diff --git a/psa/add-privileged-existing-namespaces/05-update-policy.yaml b/psa/add-privileged-existing-namespaces/05-update-policy.yaml
deleted file mode 100644
index a290d7f33..000000000
--- a/psa/add-privileged-existing-namespaces/05-update-policy.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- policy-update.yaml
-assert:
-- patched-again-ns01.yaml
-- patched-again-ns02.yaml
\ No newline at end of file
diff --git a/psa/add-psa-labels/.chainsaw-test/chainsaw-test.yaml b/psa/add-psa-labels/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..aa82b737a
--- /dev/null
+++ b/psa/add-psa-labels/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: add-psa-labels
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../add-psa-labels.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: patched-ns01.yaml
+ - assert:
+ file: patched-ns02.yaml
+ - assert:
+ file: patched-ns03.yaml
diff --git a/psa/add-psa-labels/ns.yaml b/psa/add-psa-labels/.chainsaw-test/ns.yaml
similarity index 100%
rename from psa/add-psa-labels/ns.yaml
rename to psa/add-psa-labels/.chainsaw-test/ns.yaml
diff --git a/psa/add-psa-labels/patched-ns01.yaml b/psa/add-psa-labels/.chainsaw-test/patched-ns01.yaml
similarity index 100%
rename from psa/add-psa-labels/patched-ns01.yaml
rename to psa/add-psa-labels/.chainsaw-test/patched-ns01.yaml
diff --git a/psa/add-psa-labels/patched-ns02.yaml b/psa/add-psa-labels/.chainsaw-test/patched-ns02.yaml
similarity index 100%
rename from psa/add-psa-labels/patched-ns02.yaml
rename to psa/add-psa-labels/.chainsaw-test/patched-ns02.yaml
diff --git a/psa/add-psa-labels/patched-ns03.yaml b/psa/add-psa-labels/.chainsaw-test/patched-ns03.yaml
similarity index 100%
rename from psa/add-psa-labels/patched-ns03.yaml
rename to psa/add-psa-labels/.chainsaw-test/patched-ns03.yaml
diff --git a/psa/add-psa-labels/policy-ready.yaml b/psa/add-psa-labels/.chainsaw-test/policy-ready.yaml
similarity index 100%
rename from psa/add-psa-labels/policy-ready.yaml
rename to psa/add-psa-labels/.chainsaw-test/policy-ready.yaml
diff --git a/psa/add-psa-labels/01-policy.yaml b/psa/add-psa-labels/01-policy.yaml
deleted file mode 100644
index 27c43f0e9..000000000
--- a/psa/add-psa-labels/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
- - add-psa-labels.yaml
-assert:
- - policy-ready.yaml
diff --git a/psa/add-psa-labels/02-resources.yaml b/psa/add-psa-labels/02-resources.yaml deleted file mode 100644 index 74a92493e..000000000 --- a/psa/add-psa-labels/02-resources.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- ns.yaml \ No newline at end of file diff --git a/psa/add-psa-labels/03-mutated.yaml b/psa/add-psa-labels/03-mutated.yaml deleted file mode 100644 index f3742f0d0..000000000 --- a/psa/add-psa-labels/03-mutated.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -assert: - - patched-ns01.yaml - - patched-ns02.yaml - - patched-ns03.yaml \ No newline at end of file diff --git a/psa/deny-privileged-profile/01-assert.yaml b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 87% rename from psa/deny-privileged-profile/01-assert.yaml rename to psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 7dda458d6..93dfa2f2d --- a/psa/deny-privileged-profile/01-assert.yaml +++ b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,4 +3,4 @@ kind: ClusterPolicy metadata: name: deny-privileged-profile status: - ready: true \ No newline at end of file + ready: true diff --git a/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-1.yaml b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-1.yaml new file mode 100755 index 000000000..f39afe9fc --- /dev/null +++ b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-1.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ns-deleter +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - create 
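Review bot: The ClusterRole added in chainsaw-step-03-apply-1.yaml is named `ns-deleter`, yet its only rule grants `create` on `namespaces`; nothing in it permits deletion. A role name that contradicts its verbs makes an RBAC review of the cluster misleading, because a reader judges the grant by the name before opening the rules. Renaming it to something like `ns-creator`, together with the `roleRef.name` and binding name in chainsaw-step-03-apply-2.yaml, which binds it to the `denyprivilegeduser` User, would make the fixture say what it grants.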
diff --git a/psa/deny-privileged-profile/03-cluster-role-binding.yaml b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-2.yaml old mode 100644 new mode 100755 similarity index 52% rename from psa/deny-privileged-profile/03-cluster-role-binding.yaml rename to psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-2.yaml index a84e59a32..1f3cc8101 --- a/psa/deny-privileged-profile/03-cluster-role-binding.yaml +++ b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-step-03-apply-2.yaml @@ -1,21 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ns-deleter -rules: -- apiGroups: [""] - resources: ["namespaces"] - verbs: ["create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: ns-deleter:denyprivilegeduser -subjects: -- kind: User - name: denyprivilegeduser - apiGroup: rbac.authorization.k8s.io roleRef: + apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: ns-deleter - apiGroup: rbac.authorization.k8s.io \ No newline at end of file +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: denyprivilegeduser diff --git a/psa/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..ae5f3ca4a --- /dev/null +++ b/psa/deny-privileged-profile/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,108 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: deny-privileged-profile +spec: + steps: + - name: step-01 + try: + - script: + content: | + sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../deny-privileged-profile.yaml | kubectl create -f - + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - script: + content: | + #!/bin/bash + set -eu + export USERNAME=denyprivilegeduser + export CA=ca.crt + #### Get CA certificate from kubeconfig assuming it's the first in the list. + kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ./ca.crt + #### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. + CLUSTER_SERVER="$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')" + #### Set CLUSTER from kubeconfig assuming it's the first in the list. + CLUSTER="$(kubectl config view --raw -o jsonpath='{.clusters[0].name}')" + #### Generate private key + openssl genrsa -out $USERNAME.key 2048 + #### Create CSR + openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=testorg/CN=$USERNAME" + #### Send CSR to kube-apiserver for approval + cat < $USERNAME.crt + #### + #### Create the credential object and output the new kubeconfig file + kubectl config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs + #### Set the context + kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER + # Delete CSR + kubectl delete csr $USERNAME + - name: step-03 + try: + - apply: + file: chainsaw-step-03-apply-1.yaml + - apply: + file: chainsaw-step-03-apply-2.yaml + - name: step-04 + try: + - command: + args: + - --context=denyprivilegeduser-context + - create + - -f + - ns-good.yaml + entrypoint: kubectl + - script: + content: if kubectl --context=denyprivilegeduser-context create -f ns-bad.yaml; + then 
exit 1; else exit 0; fi + - command: + args: + - delete + - -f + - ns-good.yaml + entrypoint: kubectl + - command: + args: + - "5" + entrypoint: sleep + - name: step-05 + try: + - apply: + file: ns-good.yaml + - apply: + file: ns-bad.yaml + - name: step-99 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: deny-privileged-profile + - command: + args: + - config + - unset + - users.denyprivilegeduser + entrypoint: kubectl + - command: + args: + - config + - unset + - contexts.denyprivilegeduser-context + entrypoint: kubectl diff --git a/psa/deny-privileged-profile/ns-bad.yaml b/psa/deny-privileged-profile/.chainsaw-test/ns-bad.yaml similarity index 100% rename from psa/deny-privileged-profile/ns-bad.yaml rename to psa/deny-privileged-profile/.chainsaw-test/ns-bad.yaml diff --git a/psa/deny-privileged-profile/ns-good.yaml b/psa/deny-privileged-profile/.chainsaw-test/ns-good.yaml similarity index 100% rename from psa/deny-privileged-profile/ns-good.yaml rename to psa/deny-privileged-profile/.chainsaw-test/ns-good.yaml diff --git a/psa/deny-privileged-profile/01-enforce.yaml b/psa/deny-privileged-profile/01-enforce.yaml deleted file mode 100644 index d0004e896..000000000 --- a/psa/deny-privileged-profile/01-enforce.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' deny-privileged-profile.yaml | kubectl create -f - \ No newline at end of file diff --git a/psa/deny-privileged-profile/02-setup-user.yaml b/psa/deny-privileged-profile/02-setup-user.yaml deleted file mode 100644 index b711a5853..000000000 --- a/psa/deny-privileged-profile/02-setup-user.yaml +++ /dev/null 
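Review bot: Cleanup of the test identity is not guaranteed: step-02 writes `ca.crt`, `denyprivilegeduser.key`, `denyprivilegeduser.csr` and `denyprivilegeduser.crt` into the working directory and adds a user and a context to the active kubeconfig, but the only undo is the pair of `kubectl config unset` commands in step-99's `try`, and nothing removes the key files. If chainsaw stops at the first failing step (its default, as far as I know), a failure in step-04 leaves behind the Enforce-mode `deny-privileged-profile` policy (created by `kubectl create` inside a script, so presumably outside chainsaw's own resource tracking), the embedded client credential and the private key. I would move the step-99 operations into a `finally` block on the steps that create those artefacts, if the chainsaw version in use supports one, and add `rm -f ca.crt denyprivilegeduser.key denyprivilegeduser.csr denyprivilegeduser.crt` there. The step-99 delete in psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml has the same shape.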
@@ -1,41 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - #!/bin/bash - set -eu - export USERNAME=denyprivilegeduser - export CA=ca.crt - #### Get CA certificate from kubeconfig assuming it's the first in the list. - kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ./ca.crt - #### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list. - CLUSTER_SERVER="$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')" - #### Set CLUSTER from kubeconfig assuming it's the first in the list. - CLUSTER="$(kubectl config view --raw -o jsonpath='{.clusters[0].name}')" - #### Generate private key - openssl genrsa -out $USERNAME.key 2048 - #### Create CSR - openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=testorg/CN=$USERNAME" - #### Send CSR to kube-apiserver for approval - cat < $USERNAME.crt - #### - #### Create the credential object and output the new kubeconfig file - kubectl config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs - #### Set the context - kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER - # Delete CSR - kubectl delete csr $USERNAME \ No newline at end of file diff --git a/psa/deny-privileged-profile/04-manifests-user.yaml b/psa/deny-privileged-profile/04-manifests-user.yaml deleted file mode 100644 index 72d0d9d22..000000000 --- a/psa/deny-privileged-profile/04-manifests-user.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- command: kubectl --context=denyprivilegeduser-context create -f ns-good.yaml -- script: if kubectl --context=denyprivilegeduser-context create -f ns-bad.yaml; then exit 1; else exit 0; fi -- command: kubectl delete -f ns-good.yaml -- command: sleep 5 \ No newline at end of file 
diff --git a/psa/deny-privileged-profile/05-manifests-admin.yaml b/psa/deny-privileged-profile/05-manifests-admin.yaml deleted file mode 100644 index a40065e7b..000000000 --- a/psa/deny-privileged-profile/05-manifests-admin.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- file: ns-good.yaml - shouldFail: false -- file: ns-bad.yaml - shouldFail: false diff --git a/psa/deny-privileged-profile/99-delete.yaml b/psa/deny-privileged-profile/99-delete.yaml deleted file mode 100644 index 596cb49e5..000000000 --- a/psa/deny-privileged-profile/99-delete.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -delete: -- apiVersion: kyverno.io/v1 - kind: ClusterPolicy - name: deny-privileged-profile -commands: -- command: kubectl config unset users.denyprivilegeduser -- command: kubectl config unset contexts.denyprivilegeduser-context \ No newline at end of file diff --git a/psp-migration/add-apparmor/02-ns.yaml b/psp-migration/add-apparmor/.chainsaw-test/chainsaw-step-02-apply-1.yaml old mode 100644 new mode 100755 similarity index 77% rename from psp-migration/add-apparmor/02-ns.yaml rename to psp-migration/add-apparmor/.chainsaw-test/chainsaw-step-02-apply-1.yaml index 8e80824d9..be0f4fd11 --- a/psp-migration/add-apparmor/02-ns.yaml +++ b/psp-migration/add-apparmor/.chainsaw-test/chainsaw-step-02-apply-1.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: foo \ No newline at end of file + name: foo diff --git a/psp-migration/add-apparmor/.chainsaw-test/chainsaw-test.yaml b/psp-migration/add-apparmor/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..96f13f49f --- /dev/null +++ b/psp-migration/add-apparmor/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: add-apparmor
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../add-apparmor.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: ../.kyverno-test/resource.yaml
+ - assert:
+ file: resource-mutated.yaml
diff --git a/psp-migration/add-apparmor/policy-ready.yaml b/psp-migration/add-apparmor/.chainsaw-test/policy-ready.yaml
similarity index 100%
rename from psp-migration/add-apparmor/policy-ready.yaml
rename to psp-migration/add-apparmor/.chainsaw-test/policy-ready.yaml
diff --git a/psp-migration/add-apparmor/resource-mutated.yaml b/psp-migration/add-apparmor/.chainsaw-test/resource-mutated.yaml
similarity index 100%
rename from psp-migration/add-apparmor/resource-mutated.yaml
rename to psp-migration/add-apparmor/.chainsaw-test/resource-mutated.yaml
diff --git a/psp-migration/add-apparmor/01-policy.yaml b/psp-migration/add-apparmor/01-policy.yaml
deleted file mode 100644
index 26fd954a6..000000000
--- a/psp-migration/add-apparmor/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- add-apparmor.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/psp-migration/add-apparmor/03-resource.yaml b/psp-migration/add-apparmor/03-resource.yaml
deleted file mode 100644
index 7f5ad41ad..000000000
--- a/psp-migration/add-apparmor/03-resource.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- .kyverno-test/resource.yaml
-assert:
-- resource-mutated.yaml
\ No newline at end of file
diff --git a/psp-migration/add-capabilities/02-ns.yaml b/psp-migration/add-capabilities/.chainsaw-test/chainsaw-step-02-apply-1.yaml old mode 100644 new mode 100755 similarity index 62% rename from psp-migration/add-capabilities/02-ns.yaml rename to psp-migration/add-capabilities/.chainsaw-test/chainsaw-step-02-apply-1.yaml index 2fe37d95c..fc20d6ba9 --- a/psp-migration/add-capabilities/02-ns.yaml +++ b/psp-migration/add-capabilities/.chainsaw-test/chainsaw-step-02-apply-1.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: add-capabilities \ No newline at end of file + name: add-capabilities diff --git a/psp-migration/add-capabilities/.chainsaw-test/chainsaw-test.yaml b/psp-migration/add-capabilities/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..c34382e8f --- /dev/null +++ b/psp-migration/add-capabilities/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,23 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: add-capabilities +spec: + steps: + - name: step-01 + try: + - apply: + file: ../add-capabilities.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1.yaml + - name: step-03 + try: + - apply: + file: ../.kyverno-test/resource.yaml + - assert: + file: resource-mutated.yaml diff --git a/psp-migration/add-capabilities/policy-ready.yaml b/psp-migration/add-capabilities/.chainsaw-test/policy-ready.yaml similarity index 100% rename from psp-migration/add-capabilities/policy-ready.yaml rename to psp-migration/add-capabilities/.chainsaw-test/policy-ready.yaml diff --git a/psp-migration/add-capabilities/resource-mutated.yaml b/psp-migration/add-capabilities/.chainsaw-test/resource-mutated.yaml similarity index 100% rename from psp-migration/add-capabilities/resource-mutated.yaml rename to psp-migration/add-capabilities/.chainsaw-test/resource-mutated.yaml 
diff --git a/psp-migration/add-capabilities/01-policy.yaml b/psp-migration/add-capabilities/01-policy.yaml deleted file mode 100644 index e2dbab04f..000000000 --- a/psp-migration/add-capabilities/01-policy.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- add-capabilities.yaml -assert: -- policy-ready.yaml \ No newline at end of file diff --git a/psp-migration/add-capabilities/03-resource.yaml b/psp-migration/add-capabilities/03-resource.yaml deleted file mode 100644 index 7f5ad41ad..000000000 --- a/psp-migration/add-capabilities/03-resource.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- .kyverno-test/resource.yaml -assert: -- resource-mutated.yaml \ No newline at end of file diff --git a/psa/add-privileged-existing-namespaces/01-setup.yaml b/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-1.yaml old mode 100644 new mode 100755 similarity index 53% rename from psa/add-privileged-existing-namespaces/01-setup.yaml rename to psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-1.yaml index 89b8a20c0..8287b16ae --- a/psa/add-privileged-existing-namespaces/01-setup.yaml +++ b/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-1.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: add-privileged-existing-ns01 \ No newline at end of file + name: add-runtimeclassname diff --git a/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-2.yaml b/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-2.yaml new file mode 100755 index 000000000..5616c1916 --- /dev/null +++ b/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-2.yaml @@ -0,0 +1,5 @@ +apiVersion: node.k8s.io/v1 +handler: prodconfig +kind: RuntimeClass +metadata: + name: prodclass 
diff --git a/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-test.yaml b/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..4182fd496
--- /dev/null
+++ b/psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: add-runtimeclassname
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../add-runtimeClassName.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - apply:
+ file: chainsaw-step-02-apply-2.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: ../.kyverno-test/resource.yaml
+ - assert:
+ file: ../.kyverno-test/patchedResource1.yaml
diff --git a/psp-migration/add-runtimeClassName/policy-ready.yaml b/psp-migration/add-runtimeClassName/.chainsaw-test/policy-ready.yaml
similarity index 100%
rename from psp-migration/add-runtimeClassName/policy-ready.yaml
rename to psp-migration/add-runtimeClassName/.chainsaw-test/policy-ready.yaml
diff --git a/psp-migration/add-runtimeClassName/01-policy.yaml b/psp-migration/add-runtimeClassName/01-policy.yaml
deleted file mode 100644
index 37dcb2d2a..000000000
--- a/psp-migration/add-runtimeClassName/01-policy.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- add-runtimeClassName.yaml
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/psp-migration/add-runtimeClassName/02-manifests.yaml b/psp-migration/add-runtimeClassName/02-manifests.yaml
deleted file mode 100644
index a51c5930c..000000000
--- a/psp-migration/add-runtimeClassName/02-manifests.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: add-runtimeclassname
----
-apiVersion: node.k8s.io/v1
-kind: RuntimeClass
-metadata:
- name: prodclass
-handler: prodconfig
\ No newline at end of file
diff --git a/psp-migration/add-runtimeClassName/03-resource.yaml b/psp-migration/add-runtimeClassName/03-resource.yaml deleted file mode 100644 index d7add4c10..000000000 --- a/psp-migration/add-runtimeClassName/03-resource.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -apply: -- .kyverno-test/resource.yaml -assert: -- .kyverno-test/patchedResource1.yaml \ No newline at end of file diff --git a/psp-migration/check-supplemental-groups/01-assert.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml old mode 100644 new mode 100755 similarity index 87% rename from psp-migration/check-supplemental-groups/01-assert.yaml rename to psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml index 76343231d..d68e9bb1c --- a/psp-migration/check-supplemental-groups/01-assert.yaml +++ b/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -3,4 +3,4 @@ kind: ClusterPolicy metadata: name: psp-check-supplemental-groups status: - ready: true \ No newline at end of file + ready: true diff --git a/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..60a6bfd92 --- /dev/null +++ b/psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: check-supplemental-groups
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../check-supplemental-groups.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: psp-check-supplemental-groups
diff --git a/psp-migration/check-supplemental-groups/pod-bad.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from psp-migration/check-supplemental-groups/pod-bad.yaml
rename to psp-migration/check-supplemental-groups/.chainsaw-test/pod-bad.yaml
diff --git a/psp-migration/check-supplemental-groups/pod-good.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from psp-migration/check-supplemental-groups/pod-good.yaml
rename to psp-migration/check-supplemental-groups/.chainsaw-test/pod-good.yaml
diff --git a/psp-migration/check-supplemental-groups/podcontroller-bad.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from psp-migration/check-supplemental-groups/podcontroller-bad.yaml
rename to psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-bad.yaml
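Review bot: In step-02 of psp-migration/check-supplemental-groups/.chainsaw-test/chainsaw-test.yaml the two negative cases pass on `($error != null): true`, which any apply failure satisfies; a schema error in pod-bad.yaml, a missing namespace or an unreachable admission webhook would all count as the policy blocking the resource. The kuttl `shouldFail: true` it replaces was just as loose, but the chainsaw check can inspect the error text, so the test can show that the denial came from this policy, for example `(contains($error, 'psp-check-supplemental-groups')): true`, assuming the Kyverno denial message names the policy. The same check is used in the restrict-adding-capabilities and restrict-runtimeClassName chainsaw-test.yaml files in this commit.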
diff --git a/psp-migration/check-supplemental-groups/podcontroller-good.yaml b/psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from psp-migration/check-supplemental-groups/podcontroller-good.yaml
rename to psp-migration/check-supplemental-groups/.chainsaw-test/podcontroller-good.yaml
diff --git a/psp-migration/check-supplemental-groups/01-enforce.yaml b/psp-migration/check-supplemental-groups/01-enforce.yaml
deleted file mode 100644
index fa816f374..000000000
--- a/psp-migration/check-supplemental-groups/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' check-supplemental-groups.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/psp-migration/check-supplemental-groups/02-manifests.yaml b/psp-migration/check-supplemental-groups/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/psp-migration/check-supplemental-groups/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/psp-migration/check-supplemental-groups/99-delete.yaml b/psp-migration/check-supplemental-groups/99-delete.yaml
deleted file mode 100644
index c58b71abd..000000000
--- a/psp-migration/check-supplemental-groups/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: psp-check-supplemental-groups
\ No newline at end of file
diff --git a/psp-migration/restrict-adding-capabilities/01-assert.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
old mode 100644
new mode 100755
similarity index 88%
rename from psp-migration/restrict-adding-capabilities/01-assert.yaml
rename to psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 060b6c279..e870f077e
--- a/psp-migration/restrict-adding-capabilities/01-assert.yaml
+++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -3,4 +3,4 @@ kind: ClusterPolicy
 metadata:
 name: psp-restrict-adding-capabilities
 status:
- ready: true
\ No newline at end of file
+ ready: true
diff --git a/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..2a8994667
--- /dev/null
+++ b/psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-adding-capabilities
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-adding-capabilities.yaml | kubectl create -f -
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: psp-restrict-adding-capabilities
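Review bot: In psp-migration/restrict-adding-capabilities/.chainsaw-test/chainsaw-test.yaml the ClusterPolicy is created by a script (`kubectl create -f -`) in step-01 and removed only by the `delete` in step-99's `try`, so chainsaw does not appear to track it for automatic cleanup and a failure in step-02 would presumably skip the delete. That would leave an Enforce-mode policy in the cluster, where it can reject pods from unrelated tests, and a re-run would fail at `kubectl create` because the object already exists. Moving the removal into a step-level `cleanup:` block on step-01 (where the chainsaw version in use supports it), for instance a script running `kubectl delete clusterpolicy psp-restrict-adding-capabilities --ignore-not-found`, makes teardown independent of the test outcome. The check-supplemental-groups and restrict-runtimeClassName tests in this commit follow the same pattern.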
diff --git a/psp-migration/restrict-adding-capabilities/pod-bad.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml
similarity index 100%
rename from psp-migration/restrict-adding-capabilities/pod-bad.yaml
rename to psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-bad.yaml
diff --git a/psp-migration/restrict-adding-capabilities/pod-good.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml
similarity index 100%
rename from psp-migration/restrict-adding-capabilities/pod-good.yaml
rename to psp-migration/restrict-adding-capabilities/.chainsaw-test/pod-good.yaml
diff --git a/psp-migration/restrict-adding-capabilities/podcontroller-bad.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml
similarity index 100%
rename from psp-migration/restrict-adding-capabilities/podcontroller-bad.yaml
rename to psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-bad.yaml
diff --git a/psp-migration/restrict-adding-capabilities/podcontroller-good.yaml b/psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml
similarity index 100%
rename from psp-migration/restrict-adding-capabilities/podcontroller-good.yaml
rename to psp-migration/restrict-adding-capabilities/.chainsaw-test/podcontroller-good.yaml
diff --git a/psp-migration/restrict-adding-capabilities/01-enforce.yaml b/psp-migration/restrict-adding-capabilities/01-enforce.yaml
deleted file mode 100644
index b488116e9..000000000
--- a/psp-migration/restrict-adding-capabilities/01-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' restrict-adding-capabilities.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/psp-migration/restrict-adding-capabilities/02-manifests.yaml b/psp-migration/restrict-adding-capabilities/02-manifests.yaml
deleted file mode 100644
index 71dab6eb2..000000000
--- a/psp-migration/restrict-adding-capabilities/02-manifests.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: pod-good.yaml
- shouldFail: false
-- file: pod-bad.yaml
- shouldFail: true
-- file: podcontroller-good.yaml
- shouldFail: false
-- file: podcontroller-bad.yaml
- shouldFail: true
\ No newline at end of file
diff --git a/psp-migration/restrict-adding-capabilities/99-delete.yaml b/psp-migration/restrict-adding-capabilities/99-delete.yaml
deleted file mode 100644
index e9c43520d..000000000
--- a/psp-migration/restrict-adding-capabilities/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: psp-restrict-adding-capabilities
\ No newline at end of file
diff --git a/psp-migration/restrict-runtimeClassName/bad.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/bad.yaml
similarity index 100%
rename from psp-migration/restrict-runtimeClassName/bad.yaml
rename to psp-migration/restrict-runtimeClassName/.chainsaw-test/bad.yaml
diff --git a/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-1.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-1.yaml
new file mode 100755
index 000000000..121c85370
--- /dev/null
+++ b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: restrict-runtimeclassname
diff --git a/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-2.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-2.yaml
new file mode 100755
index 000000000..5616c1916
--- /dev/null
+++ b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-2.yaml
@@ -0,0 +1,5 @@
+apiVersion: node.k8s.io/v1
+handler: prodconfig
+kind: RuntimeClass
+metadata:
+ name: prodclass
diff --git a/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-3.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-3.yaml
new file mode 100755
index 000000000..0318454a0
--- /dev/null
+++ b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-3.yaml
@@ -0,0 +1,5 @@
+apiVersion: node.k8s.io/v1
+handler: expconfig
+kind: RuntimeClass
+metadata:
+ name: expclass
diff --git a/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-4.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-4.yaml
new file mode 100755
index 000000000..6d03f568e
--- /dev/null
+++ b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-4.yaml
@@ -0,0 +1,5 @@
+apiVersion: node.k8s.io/v1
+handler: fooconfig
+kind: RuntimeClass
+metadata:
+ name: fooclass
diff --git a/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..6df1ac090
--- /dev/null
+++ b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml
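Review bot: psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-2.yaml creates the cluster-scoped RuntimeClass `prodclass`, and the add-runtimeClassName test's removed 02-manifests.yaml defined a RuntimeClass with the same name, which its new step-02 presumably still applies (those files are not shown here). If chainsaw runs the two tests concurrently and removes applied objects when a test finishes, one test's teardown can delete the RuntimeClass the other still needs, giving intermittent failures. Setting `concurrent: false` under `spec:` in both chainsaw-test.yaml files, or at least noting the shared dependency in a comment above the step, would make this explicit.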
@@ -0,0 +1,42 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: restrict-runtimeclassname
+spec:
+ steps:
+ - name: step-00
+ try:
+ - script:
+ content: |
+ sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' ../restrict-runtimeClassName.yaml | kubectl create -f -
+ - name: step-01
+ try:
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - apply:
+ file: chainsaw-step-02-apply-2.yaml
+ - apply:
+ file: chainsaw-step-02-apply-3.yaml
+ - apply:
+ file: chainsaw-step-02-apply-4.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: bad.yaml
+ - name: step-99
+ try:
+ - delete:
+ ref:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ name: restrict-runtimeclass
diff --git a/psp-migration/restrict-runtimeClassName/good.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/good.yaml
similarity index 100%
rename from psp-migration/restrict-runtimeClassName/good.yaml
rename to psp-migration/restrict-runtimeClassName/.chainsaw-test/good.yaml
diff --git a/psp-migration/restrict-runtimeClassName/policy-ready.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/policy-ready.yaml
similarity index 100%
rename from psp-migration/restrict-runtimeClassName/policy-ready.yaml
rename to psp-migration/restrict-runtimeClassName/.chainsaw-test/policy-ready.yaml
diff --git a/psp-migration/restrict-runtimeClassName/report.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/report.yaml
similarity index 100%
rename from psp-migration/restrict-runtimeClassName/report.yaml
rename to psp-migration/restrict-runtimeClassName/.chainsaw-test/report.yaml
diff --git a/psp-migration/restrict-runtimeClassName/00-enforce.yaml b/psp-migration/restrict-runtimeClassName/00-enforce.yaml
deleted file mode 100644
index dc3133980..000000000
--- a/psp-migration/restrict-runtimeClassName/00-enforce.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
-- script: |
- sed 's/validationFailureAction: audit/validationFailureAction: Enforce/' restrict-runtimeClassName.yaml | kubectl create -f -
\ No newline at end of file
diff --git a/psp-migration/restrict-runtimeClassName/01-policy.yaml b/psp-migration/restrict-runtimeClassName/01-policy.yaml
deleted file mode 100644
index f3b629376..000000000
--- a/psp-migration/restrict-runtimeClassName/01-policy.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-assert:
-- policy-ready.yaml
\ No newline at end of file
diff --git a/psp-migration/restrict-runtimeClassName/02-manifests.yaml b/psp-migration/restrict-runtimeClassName/02-manifests.yaml
deleted file mode 100644
index 9ac76c3dd..000000000
--- a/psp-migration/restrict-runtimeClassName/02-manifests.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: restrict-runtimeclassname
----
-apiVersion: node.k8s.io/v1
-kind: RuntimeClass
-metadata:
- name: prodclass
-handler: prodconfig
----
-apiVersion: node.k8s.io/v1
-kind: RuntimeClass
-metadata:
- name: expclass
-handler: expconfig
----
-apiVersion: node.k8s.io/v1
-kind: RuntimeClass
-metadata:
- name: fooclass
-handler: fooconfig
\ No newline at end of file
diff --git a/psp-migration/restrict-runtimeClassName/03-resource.yaml b/psp-migration/restrict-runtimeClassName/03-resource.yaml
deleted file mode 100644
index 2410d87e1..000000000
--- a/psp-migration/restrict-runtimeClassName/03-resource.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-apply:
-- file: good.yaml
- shouldFail: false
-- file: bad.yaml
- shouldFail: true
diff --git a/psp-migration/restrict-runtimeClassName/99-delete.yaml b/psp-migration/restrict-runtimeClassName/99-delete.yaml
deleted file mode 100644
index c90e88fc3..000000000
--- a/psp-migration/restrict-runtimeClassName/99-delete.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-delete:
-- apiVersion: kyverno.io/v1
- kind: ClusterPolicy
- name: restrict-runtimeclass