fix chainsaw tests

Signed-off-by: Mariam Fahmy <[email protected]>
kyverno · Jan 2, 2024 · 81b5e22 · 81b5e22
1 parent d926f21
commit 81b5e22
Show file tree

Hide file tree

Showing 30 changed files with 207 additions and 155 deletions.
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: disallow-capabilities-strict
+spec:
+  steps:
+  - name: step-01
+    try:
+    - script:
+        content: |
+          sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-capabilities-strict.yaml | kubectl create -f -
+    - assert:
+        file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/pod-bad.yaml
+    - apply:
+        file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/disallow-capabilities-strict/.chainsaw-test/podcontroller-bad.yaml
+  - name: step-99
+    try:
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: disallow-capabilities-strict
diff --git a/...low-capabilities-strict/kyverno-test.yaml → ...es-strict/.kyverno-test/kyverno-test.yaml b/...low-capabilities-strict/kyverno-test.yaml → ...es-strict/.kyverno-test/kyverno-test.yaml
@@ -3,9 +3,9 @@ kind: Test
 metadata:
   name: disallow-capabilities-strict
 policies:
-- disallow-capabilities-strict.yaml
+- ../disallow-capabilities-strict.yaml
 resources:
-- ../../../pod-security/restricted/disallow-capabilities-strict/resource.yaml
+- ../../../../pod-security/restricted/disallow-capabilities-strict/.kyverno-test/resource.yaml
 results:
 - kind: CronJob
   policy: disallow-capabilities-strict

diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/01-assert.yaml
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/01-enforce.yaml
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/02-manifests.yaml
diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/99-delete.yaml
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: disallow-privilege-escalation
+spec:
+  steps:
+  - name: step-01
+    try:
+    - script:
+        content: |
+          sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../disallow-privilege-escalation.yaml | kubectl create -f -
+    - assert:
+        file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/pod-bad.yaml
+    - apply:
+        file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/disallow-privilege-escalation/.chainsaw-test/podcontroller-bad.yaml
+  - name: step-99
+    try:
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: disallow-privilege-escalation
diff --git a/...ow-privilege-escalation/kyverno-test.yaml → ...scalation/.kyverno-test/kyverno-test.yaml b/...ow-privilege-escalation/kyverno-test.yaml → ...scalation/.kyverno-test/kyverno-test.yaml
@@ -3,9 +3,9 @@ kind: Test
 metadata:
   name: disallow-privilege-escalation
 policies:
-- disallow-privilege-escalation.yaml
+- ../disallow-privilege-escalation.yaml
 resources:
-- ../../../pod-security/restricted/disallow-privilege-escalation/resource.yaml
+- ../../../../pod-security/restricted/disallow-privilege-escalation/.kyverno-test/resource.yaml
 results:
 - kind: CronJob
   policy: disallow-privilege-escalation

diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/01-assert.yaml
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/01-enforce.yaml
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/02-manifests.yaml
diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/99-delete.yaml
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: require-run-as-non-root-user
+spec:
+  steps:
+  - name: step-01
+    try:
+    - script:
+        content: |
+          sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../require-run-as-non-root-user.yaml | kubectl create -f -
+    - assert:
+        file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/pod-bad.yaml
+    - apply:
+        file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/require-run-as-non-root-user/.chainsaw-test/podcontroller-bad.yaml
+  - name: step-99
+    try:
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: require-run-as-non-root-user
diff --git a/...re-run-as-non-root-user/kyverno-test.yaml → ...root-user/.kyverno-test/kyverno-test.yaml b/...re-run-as-non-root-user/kyverno-test.yaml → ...root-user/.kyverno-test/kyverno-test.yaml
@@ -3,9 +3,9 @@ kind: Test
 metadata:
   name: require-run-as-non-root-user
 policies:
-- require-run-as-non-root-user.yaml
+- ../require-run-as-non-root-user.yaml
 resources:
-- ../../../pod-security/restricted/require-run-as-non-root-user/resource.yaml
+- ../../../../pod-security/restricted/require-run-as-non-root-user/.kyverno-test/resource.yaml
 results:
 - kind: CronJob
   policy: require-run-as-non-root-user

diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/01-assert.yaml
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/01-enforce.yaml
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/02-manifests.yaml
diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/99-delete.yaml
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test.yaml/chainsaw-test.yaml
@@ -0,0 +1,37 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-seccomp-strict
+spec:
+  steps:
+  - name: step-01
+    try:
+    - script:
+        content: |
+          sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-seccomp-strict.yaml | kubectl create -f -
+    - assert:
+        file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/pod-bad.yaml
+    - apply:
+        file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/restrict-seccomp-strict/.chainsaw-test/podcontroller-bad.yaml
+  - name: step-99
+    try:
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: restrict-seccomp-strict
diff --git a/...restrict-seccomp-strict/kyverno-test.yaml → ...rict/.kyverno-test.yaml/kyverno-test.yaml b/...restrict-seccomp-strict/kyverno-test.yaml → ...rict/.kyverno-test.yaml/kyverno-test.yaml
@@ -3,9 +3,9 @@ kind: Test
 metadata:
   name: restrict-seccomp-strict
 policies:
-- restrict-seccomp-strict.yaml
+- ../restrict-seccomp-strict.yaml
 resources:
-- ../../../pod-security/restricted/restrict-seccomp-strict/resource.yaml
+- ../../../../pod-security/restricted/restrict-seccomp-strict/.kyverno-test/resource.yaml
 results:
 - kind: CronJob
   policy: restrict-seccomp-strict

diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/01-assert.yaml
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/01-enforce.yaml
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/02-manifests.yaml
diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/99-delete.yaml
diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,49 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-volume-types
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ns.yaml
+    - script:
+        content: |
+          sed 's/validationFailureAction: Audit/validationFailureAction: Enforce/' ../restrict-volume-types.yaml | kubectl create -f -
+    - assert:
+        file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/pod-bad.yaml
+    - apply:
+        file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ../../../../pod-security/restricted/restrict-volume-types/.chainsaw-test/podcontroller-bad.yaml
+  - name: step-99
+    try:
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: restrict-volume-types
+    - command:
+        args:
+        - delete
+        - all
+        - --all
+        - --force
+        - --grace-period=0
+        - -n
+        - restrict-voltypes-ns
+        entrypoint: kubectl
diff --git a/...d/restrict-volume-types/kyverno-test.yaml → ...ume-types/.kyverno-test/kyverno-test.yaml b/...d/restrict-volume-types/kyverno-test.yaml → ...ume-types/.kyverno-test/kyverno-test.yaml
@@ -3,9 +3,9 @@ kind: Test
 metadata:
   name: restrict-volume-types
 policies:
-- restrict-volume-types.yaml
+- ../restrict-volume-types.yaml
 resources:
-- ../../../pod-security/restricted/restrict-volume-types/resource.yaml
+- ../../../../pod-security/restricted/restrict-volume-types/.kyverno-test/resource.yaml
 results:
 - kind: CronJob
   policy: restrict-volume-types

diff --git a/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml b/pod-security-cel/restricted/restrict-volume-types/01-assert.yaml