forked from kyverno/kyverno
Merge pull request #152 from nirmata/NDEV-20176-1.11-extended
NDEV-20176 : Backport (fix) skip processing the oldObject for audit policies for n4k-1.11
Showing 9 changed files with 189 additions and 27 deletions.
15 changes: 15 additions & 0 deletions
test/conformance/chainsaw/reports/admission/update-deployment/README.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
## Description | ||
|
||
This test verifies that policy report doesn't change when a resource is updated and the engine response is the same as before. | ||
|
||
A policy in Audit mode is created. | ||
A deployment is created, the deployment violates the policy and we assert the policy report contains a `warn` result. | ||
The deployment is then updated but it still violates the policy. | ||
|
||
## Expected result | ||
|
||
When the resource is updated and it still violates the policy, the policy report should not change. | ||
|
||
## Related issue(s) | ||
|
||
- https://github.com/kyverno/kyverno/issues/10169 |
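Review bot: The Description never says which field the update changes; "The deployment is then updated but it still violates the policy" leaves a reader to open update-deployment.yaml to find the delta. State the changed field and that `replicas` stays at 1, so the intent (an UPDATE that produces the same engine response) is clear from the README alone.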
41 changes: 41 additions & 0 deletions
test/conformance/chainsaw/reports/admission/update-deployment/chainsaw-test.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
creationTimestamp: null | ||
name: update-deployment | ||
spec: | ||
steps: | ||
- name: step-01 | ||
try: | ||
- apply: | ||
file: policy.yaml | ||
- assert: | ||
file: policy-assert.yaml | ||
- name: step-02 | ||
try: | ||
- apply: | ||
file: deployment.yaml | ||
- assert: | ||
file: deployment.yaml | ||
- name: step-03 | ||
try: | ||
- sleep: | ||
duration: 5s | ||
- name: step-04 | ||
try: | ||
- assert: | ||
file: report-assert.yaml | ||
- name: step-05 | ||
try: | ||
- apply: | ||
file: update-deployment.yaml | ||
- assert: | ||
file: update-deployment.yaml | ||
- name: step-06 | ||
try: | ||
- sleep: | ||
duration: 5s | ||
- name: step-07 | ||
try: | ||
- assert: | ||
file: report-assert.yaml |
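Review bot: step-07 asserts the same `report-assert.yaml` as step-04, so the test only proves the report still matches that partial shape after the update; a report that was deleted and recreated with identical results, or one whose unasserted fields changed, would pass too. If "should not change" is meant literally, capture an identifying field of the report before step-05 and compare it afterwards. The fixed `sleep: duration: 5s` in step-03 and step-06 also makes the outcome timing-dependent: if the report is rewritten later than five seconds after the update, step-07 passes on the stale report.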
19 changes: 19 additions & 0 deletions
test/conformance/chainsaw/reports/admission/update-deployment/deployment.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
labels: | ||
app: nginx | ||
name: nginx-test | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: nginx | ||
template: | ||
metadata: | ||
labels: | ||
app: nginx | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx:latest |
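Review bot: `image: nginx:latest` is a mutable tag, so this conformance test pulls whatever the registry serves on the day it runs. Pin a specific version tag or a digest so runs are reproducible; the same applies to update-deployment.yaml.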
9 changes: 9 additions & 0 deletions
test/conformance/chainsaw/reports/admission/update-deployment/policy-assert.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: require-multiple-replicas | ||
status: | ||
conditions: | ||
- reason: Succeeded | ||
status: "True" | ||
type: Ready |
29 changes: 29 additions & 0 deletions
test/conformance/chainsaw/reports/admission/update-deployment/policy.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: require-multiple-replicas | ||
annotations: | ||
policies.kyverno.io/category: Best Practises | ||
policies.kyverno.io/minversion: 1.9.2 | ||
policies.kyverno.io/severity: low | ||
policies.kyverno.io/subject: Deployment,StatefulSet | ||
policies.kyverno.io/title: Require Multiple Replicas | ||
policies.kyverno.io/scored: "false" | ||
spec: | ||
background: false | ||
rules: | ||
- name: require-multiple-replicas | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- Deployment | ||
- StatefulSet | ||
operations: | ||
- CREATE | ||
- UPDATE | ||
validate: | ||
pattern: | ||
spec: | ||
replicas: ">1" | ||
validationFailureAction: Audit |
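Review bot: `policies.kyverno.io/category: Best Practises` looks like a misspelling of "Best Practices"; anything that groups report results by category would treat this spelling as a distinct value. A one-line comment next to `background: false` would also help, since that setting is what keeps this test on admission-time reports, matching the `reports/admission` directory it lives in.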
23 changes: 23 additions & 0 deletions
test/conformance/chainsaw/reports/admission/update-deployment/report-assert.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apiVersion: wgpolicyk8s.io/v1alpha2 | ||
kind: PolicyReport | ||
metadata: | ||
ownerReferences: | ||
- apiVersion: apps/v1 | ||
kind: Deployment | ||
name: nginx-test | ||
results: | ||
- message: 'validation error: rule require-multiple-replicas failed at path /spec/replicas/' | ||
policy: require-multiple-replicas | ||
result: warn | ||
rule: require-multiple-replicas | ||
source: kyverno | ||
scope: | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
name: nginx-test | ||
summary: | ||
error: 0 | ||
fail: 0 | ||
pass: 0 | ||
skip: 0 | ||
warn: 1 |
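Review bot: The assertion pins the full message text, `'validation error: rule require-multiple-replicas failed at path /spec/replicas/'`, so any rewording of engine messages breaks this test even though the behaviour under test (one `warn` result, still present after the update) is intact. Consider asserting only `policy`, `rule`, `result` and the `summary` counts.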
19 changes: 19 additions & 0 deletions
test/conformance/chainsaw/reports/admission/update-deployment/update-deployment.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
labels: | ||
app: nginx | ||
name: nginx-test | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: nginx | ||
template: | ||
metadata: | ||
labels: | ||
app: nginx | ||
spec: | ||
containers: | ||
- name: nginx-1 | ||
image: nginx:latest |
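Review bot: Nothing in this file marks which line is the intended change; it repeats deployment.yaml in full and differs only in the container name (`nginx-1` instead of `nginx`), so the two manifests can drift apart unnoticed. Add a comment marking the container name as the deliberate delta and noting that `replicas: 1` is intentionally left in violation of the policy.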