From 70cc1082e6903812f64db7744ac5c787490ff64f Mon Sep 17 00:00:00 2001 
From: Trey Dockendorf
Date: Mon, 2 Dec 2024 14:55:15 -0500
Subject: [PATCH 1/4] Upgrade to Kyverno 1.13.1

---
 .github/workflows/test-private.yaml | 2 +-
 .github/workflows/test.yaml | 2 +-
 Makefile | 2 +-
 charts/kyverno-policies/Chart.yaml | 6 +-
 .../add-account/kyverno-test.yaml | 5 +-
 .../add-account/variables.yaml | 4 +
 .../add-annotations/kyverno-test.yaml | 5 +-
 .../add-annotations/variables.yaml | 4 +
 .../add-image-pull-secret/kyverno-test.yaml | 5 +-
 .../add-ingress-class-name/kyverno-test.yaml | 5 +-
 .../add-ingress-class-name/variables.yaml | 4 +
 .../add-nodeselector/kyverno-test.yaml | 5 +-
 .../add-nodeselector/variables.yaml | 4 +
 .../add-role/kyverno-test.yaml | 5 +-
 .../kyverno-policies/add-role/variables.yaml | 4 +
 .../add-service-account/kyverno-test.yaml | 5 +-
 .../add-service-account/variables.yaml | 4 +
 .../authorized-registries/kyverno-test.yaml | 40 ++++---
 .../authorized-registries/variables.yaml | 4 +
 .../kyverno-test.yaml | 5 +-
 .../block-images-with-volumes/variables.yaml | 4 +
 .../kyverno-test.yaml | 5 +-
 .../disallow-nfs/kyverno-test.yaml | 5 +-
 .../imagepullpolicy-always/kyverno-test.yaml | 5 +-
 .../ingress-require-tls/kyverno-test.yaml | 5 +-
 .../mutate-calico-registry/kyverno-test.yaml | 5 +-
 .../mutate-calico-registry/variables.yaml | 4 +
 .../namespace-account/kyverno-test.yaml | 5 +-
 .../namespace-account/variables.yaml | 4 +
 .../namespace-role/kyverno-test.yaml | 5 +-
 .../kyverno-test.yaml | 5 +-
 .../no-ingress/kyverno-test.yaml | 11 +-
 .../no-localhost-service/kyverno-test.yaml | 5 +-
 .../pod-account-validation/kyverno-test.yaml | 5 +-
 .../pod-account-validation/variables.yaml | 4 +
 .../pod-groups-validation/kyverno-test.yaml | 16 +--
 .../pod-groups-validation/variables.yaml | 4 +
 .../pod-lifetime/kyverno-test.yaml | 23 ++--
 .../pod-nodeselector/kyverno-test.yaml | 52 ++++-----
 .../pod-nodeselector/variables.yaml | 4 +
 .../pod-resources/kyverno-test.yaml | 66 +++++------
 .../pod-resources/variables.yaml | 4 +
 .../kyverno-test.yaml | 102 ++++++++----------
 .../variables.yaml | 4 +
 .../pod-user-validation/kyverno-test.yaml | 57 +++++-----
 .../pod-user-validation/variables.yaml | 4 +
 .../restrict-external-ips/kyverno-test.yaml | 5 +-
 .../restrict-host-path/kyverno-test.yaml | 44 ++++----
 .../restrict-host-path/variables.yaml | 4 +
 .../restrict-registries/kyverno-test.yaml | 11 +-
 .../restrict-registries/variables.yaml | 4 +
 .../role-validation/kyverno-test.yaml | 5 +-
 .../role-validation/variables.yaml | 4 +
 53 files changed, 346 insertions(+), 264 deletions(-)

diff --git a/.github/workflows/test-private.yaml b/.github/workflows/test-private.yaml
index 73f3cf1b..78544061 100644
--- a/.github/workflows/test-private.yaml
+++ b/.github/workflows/test-private.yaml
@@ -87,7 +87,7 @@ jobs:
 - name: Install Kyverno
 run: |
 helm repo add kyverno https://kyverno.github.io/kyverno/
- helm install kyverno kyverno/kyverno -n kyverno --create-namespace -f .github/config/kyverno-values.yaml --version 3.1.4
+ helm install kyverno kyverno/kyverno -n kyverno --create-namespace -f .github/config/kyverno-values.yaml --version 3.3.3
 timeout 120 /bin/bash -c 'until kubectl get pods -n kyverno -l app.kubernetes.io/component=admission-controller -o jsonpath="{range .items[*]}{.status.containerStatuses[*].ready}{end}" | grep "true" ; do echo "Waiting for Kyverno" ; sleep 10 ; done'
 helm dependency build charts/kyverno-policies
 helm install kyverno-policies charts/kyverno-policies -n kyverno -f .github/config/kyverno-policies-values.yaml
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 2a8f899b..d3df4a7c 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -94,7 +94,7 @@ jobs:
 - name: Install Kyverno
 run: |
 helm repo add kyverno https://kyverno.github.io/kyverno/
- helm install kyverno kyverno/kyverno -n kyverno --create-namespace -f .github/config/kyverno-values.yaml --version 3.1.4
+ helm install kyverno kyverno/kyverno -n kyverno --create-namespace -f .github/config/kyverno-values.yaml --version 3.3.3
 timeout 60 /bin/bash -c 'until kubectl get pods -n kyverno -l app.kubernetes.io/component=admission-controller -o jsonpath="{.items[0].status.phase}" | grep Running ; do echo "Waiting for Kyverno" ; sleep 10 ; done'
 sleep 60
 - name: Install cert-manager
diff --git a/Makefile b/Makefile
index 5e245fdd..4809ba3e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 KYVERNO_GIT = https://github.com/kyverno/kyverno.git
-KYVERNO_VERSION := "v1.11.4"
+KYVERNO_VERSION := "v1.13.1"
 KYVERNO_DIR := $(ROOT_DIR)/kyverno-cli
 #KYVENOR_CLI := $(KYVERNO_DIR)/cmd/cli/kubectl-kyverno/kubectl-kyverno
 KYVENOR_CLI := $(KYVERNO_DIR)/kyverno
diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index 2b86d99f..1585ef6b 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -2,13 +2,13 @@ apiVersion: v2
 name: kyverno-policies
 description: OSC Kyverno policies deployment
 type: application
-version: 0.28.1
-appVersion: "v1.11.4"
+version: 0.29.0
+appVersion: "v1.13.1"
 maintainers:
 - name: treydock
 dependencies:
 - name: kyverno-policies
- version: 3.1.4
+ version: 3.3.1
 repository: https://kyverno.github.io/kyverno/
 - name: osc-common
 version: 0.7.0
diff --git a/tests/kyverno-policies/add-account/kyverno-test.yaml b/tests/kyverno-policies/add-account/kyverno-test.yaml
index b57dcdc6..44d77feb 100644
--- a/tests/kyverno-policies/add-account/kyverno-test.yaml
+++ b/tests/kyverno-policies/add-account/kyverno-test.yaml
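Review bot: The kyverno-policies dependency in Chart.yaml is pinned to `version: 3.3.1` while both workflows on this page now install the kyverno core chart with `--version 3.3.3`, so the policies chart and the admission controller it runs against are on different patch releases even though the commit title, appVersion and the Makefile's KYVERNO_VERSION all say v1.13.1. If the two chart lines are meant to track the same Kyverno release, pin them to the same version (`version: 3.3.3` in the dependency, or `--version 3.3.1` in the workflows) and record the mapping next to the dependency, e.g. `# kyverno-policies chart must match the kyverno chart installed by .github/workflows/*.yaml and KYVERNO_VERSION in the Makefile`. I cannot tell from this diff which Kyverno appVersion chart 3.3.3 resolves to, so check that before choosing which side to move.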
@@ -1,5 +1,8 @@
 ---
-name: add-account
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-account
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/add-account/variables.yaml b/tests/kyverno-policies/add-account/variables.yaml
index fd94769c..0e48a511 100644
--- a/tests/kyverno-policies/add-account/variables.yaml
+++ b/tests/kyverno-policies/add-account/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 policies:
 - name: add-account
 rules:
diff --git a/tests/kyverno-policies/add-annotations/kyverno-test.yaml b/tests/kyverno-policies/add-annotations/kyverno-test.yaml
index f12e8278..195f3f53 100644
--- a/tests/kyverno-policies/add-annotations/kyverno-test.yaml
+++ b/tests/kyverno-policies/add-annotations/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: add-annotations
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: values
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/add-annotations/variables.yaml b/tests/kyverno-policies/add-annotations/variables.yaml
index 7b029682..5251b6ca 100644
--- a/tests/kyverno-policies/add-annotations/variables.yaml
+++ b/tests/kyverno-policies/add-annotations/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 namespaceSelector:
 - name: user-test
 labels:
diff --git a/tests/kyverno-policies/add-image-pull-secret/kyverno-test.yaml b/tests/kyverno-policies/add-image-pull-secret/kyverno-test.yaml
index a965b96f..0c357f0f 100644
--- a/tests/kyverno-policies/add-image-pull-secret/kyverno-test.yaml
+++ b/tests/kyverno-policies/add-image-pull-secret/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: add-image-pull-secret
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-image-pull-secret
 policies:
 - policy.yaml
 resources:
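Review bot: The add-annotations Test object gets `name: values` under `metadata`, which looks like a copy-paste from the Values files; every other Test in this patch is named after its directory and the removed line was `name: add-annotations`. Change it to `name: add-annotations` so the CLI's test output and any failure report identify the right suite. This does not change what the test checks, but a mislabelled suite makes a future policy regression harder to triage.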
diff --git a/tests/kyverno-policies/add-ingress-class-name/kyverno-test.yaml b/tests/kyverno-policies/add-ingress-class-name/kyverno-test.yaml
index b7ceb7f0..2d8bd583 100644
--- a/tests/kyverno-policies/add-ingress-class-name/kyverno-test.yaml
+++ b/tests/kyverno-policies/add-ingress-class-name/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: add-ingress-class-name
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-ingress-class-name
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/add-ingress-class-name/variables.yaml b/tests/kyverno-policies/add-ingress-class-name/variables.yaml
index 70f6e450..441cb3cc 100644
--- a/tests/kyverno-policies/add-ingress-class-name/variables.yaml
+++ b/tests/kyverno-policies/add-ingress-class-name/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 namespaceSelector:
 - name: webservice
 labels:
diff --git a/tests/kyverno-policies/add-nodeselector/kyverno-test.yaml b/tests/kyverno-policies/add-nodeselector/kyverno-test.yaml
index 8dfd290d..ac727770 100644
--- a/tests/kyverno-policies/add-nodeselector/kyverno-test.yaml
+++ b/tests/kyverno-policies/add-nodeselector/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: ondemand
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: ondemand
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/add-nodeselector/variables.yaml b/tests/kyverno-policies/add-nodeselector/variables.yaml
index 7b029682..5251b6ca 100644
--- a/tests/kyverno-policies/add-nodeselector/variables.yaml
+++ b/tests/kyverno-policies/add-nodeselector/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 namespaceSelector:
 - name: user-test
 labels:
diff --git a/tests/kyverno-policies/add-role/kyverno-test.yaml b/tests/kyverno-policies/add-role/kyverno-test.yaml
index 38e10918..a2d8ff08 100644
--- a/tests/kyverno-policies/add-role/kyverno-test.yaml
+++ b/tests/kyverno-policies/add-role/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: add-role
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-role
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/add-role/variables.yaml b/tests/kyverno-policies/add-role/variables.yaml
index 3a00ccc6..39d17d54 100644
--- a/tests/kyverno-policies/add-role/variables.yaml
+++ b/tests/kyverno-policies/add-role/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 policies:
 - name: add-role
 rules:
diff --git a/tests/kyverno-policies/add-service-account/kyverno-test.yaml b/tests/kyverno-policies/add-service-account/kyverno-test.yaml
index 1513b438..60dcf119 100644
--- a/tests/kyverno-policies/add-service-account/kyverno-test.yaml
+++ b/tests/kyverno-policies/add-service-account/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: add-service-account
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-service-account
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/add-service-account/variables.yaml b/tests/kyverno-policies/add-service-account/variables.yaml
index 0a3c3e96..98a3e72f 100644
--- a/tests/kyverno-policies/add-service-account/variables.yaml
+++ b/tests/kyverno-policies/add-service-account/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 policies:
 - name: add-service-account
 rules:
diff --git a/tests/kyverno-policies/authorized-registries/kyverno-test.yaml b/tests/kyverno-policies/authorized-registries/kyverno-test.yaml
index 6c842663..d1f8cca0 100644
--- a/tests/kyverno-policies/authorized-registries/kyverno-test.yaml
+++ b/tests/kyverno-policies/authorized-registries/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: authorized-registries
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: authorized-registries
 policies:
 - policy.yaml
 resources:
@@ -9,24 +12,21 @@ results:
 - policy: authorized-registries
 rule: authorized-registries-users
 resources:
- - test-skip
+ - test/test-skip
 kind: Pod
- namespace: foo
 result: skip
 - policy: authorized-registries
 rule: authorized-registries-users
 resources:
- - test-pass
- - test-pass-site
+ - user-test/test-pass
+ - user-test/test-pass-site
 kind: Pod
- namespace: user-test
 result: pass
 - policy: authorized-registries
 rule: authorized-registries-users
 resources:
- - test-fail
+ - user-test/test-fail
 kind: Pod
- namespace: user-test
 result: fail
 - policy: authorized-registries
 rule: authorized-registries-webservices
@@ -37,19 +37,17 @@ results:
 - policy: authorized-registries
 rule: authorized-registries-webservices
 resources:
- - test-pass-webservice
- - test-pass2-webservice
- - test-pass3-webservice
- - test-pass-site-webservice
+ - webservice/test-pass-webservice
+ - webservice/test-pass2-webservice
+ - webservice/test-pass3-webservice
+ - webservice/test-pass-site-webservice
 kind: Pod
- namespace: webservice
 result: pass
 - policy: authorized-registries
 rule: authorized-registries-webservices
 resources:
- - test-fail-webservice
+ - webservice/test-fail-webservice
 kind: Pod
- namespace: webservice
 result: fail
 - policy: authorized-registries
 rule: authorized-registries-paas
@@ -60,17 +58,15 @@ results:
 - policy: authorized-registries
 rule: authorized-registries-paas
 resources:
- - test-pass-paas
- - test-pass2-paas
- - test-pass3-paas
- - test-pass-site-paas
+ - paas/test-pass-paas
+ - paas/test-pass2-paas
+ - paas/test-pass3-paas
+ - paas/test-pass-site-paas
 kind: Pod
- namespace: paas
 result: pass
 - policy: authorized-registries
 rule: authorized-registries-paas
 resources:
- - test-fail-paas
+ - paas/test-fail-paas
 kind: Pod
- namespace: paas
 result: fail
\ No newline at end of file
diff --git a/tests/kyverno-policies/authorized-registries/variables.yaml b/tests/kyverno-policies/authorized-registries/variables.yaml
index 296831db..89e0f2a1 100644
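Review bot: The skip expectation for `test-skip` moves from the removed `namespace: foo` to `test/test-skip`, which implies the old `namespace:` field was never matched against the resource and the previous results keyed on name alone; the new `namespace/name` form is a genuine tightening, so it is worth confirming the manifest really places `test-skip` in namespace `test`. A `skip` result only proves the rule did not select the pod, which is also what a broken `match`/`namespaceSelector` in the policy would produce, so the `user-test/test-fail`, `webservice/test-fail-webservice` and `paas/test-fail-paas` entries are the ones that actually demonstrate enforcement and should stay in place. While touching this file, add the missing trailing newline flagged by `\ No newline at end of file`.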
--- a/tests/kyverno-policies/authorized-registries/variables.yaml
+++ b/tests/kyverno-policies/authorized-registries/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 namespaceSelector:
 - name: test
 labels:
diff --git a/tests/kyverno-policies/block-images-with-volumes/kyverno-test.yaml b/tests/kyverno-policies/block-images-with-volumes/kyverno-test.yaml
index 2fb10872..7bd79742 100644
--- a/tests/kyverno-policies/block-images-with-volumes/kyverno-test.yaml
+++ b/tests/kyverno-policies/block-images-with-volumes/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: block-images-with-volumes
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: block-images-with-volumes
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/block-images-with-volumes/variables.yaml b/tests/kyverno-policies/block-images-with-volumes/variables.yaml
index 94ceec67..d09b738e 100644
--- a/tests/kyverno-policies/block-images-with-volumes/variables.yaml
+++ b/tests/kyverno-policies/block-images-with-volumes/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 policies:
 - name: block-images-with-volumes
 resources:
diff --git a/tests/kyverno-policies/disallow-container-sock-mounts/kyverno-test.yaml b/tests/kyverno-policies/disallow-container-sock-mounts/kyverno-test.yaml
index 87a0baf8..a1d1f405 100644
--- a/tests/kyverno-policies/disallow-container-sock-mounts/kyverno-test.yaml
+++ b/tests/kyverno-policies/disallow-container-sock-mounts/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: disallow-container-sock-mounts
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-container-sock-mounts
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/disallow-nfs/kyverno-test.yaml b/tests/kyverno-policies/disallow-nfs/kyverno-test.yaml
index 4a20e781..79e22551 100644
--- a/tests/kyverno-policies/disallow-nfs/kyverno-test.yaml
+++ b/tests/kyverno-policies/disallow-nfs/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: disallow-nfs
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disallow-nfs
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/imagepullpolicy-always/kyverno-test.yaml b/tests/kyverno-policies/imagepullpolicy-always/kyverno-test.yaml
index d968c8d4..3292ead0 100644
--- a/tests/kyverno-policies/imagepullpolicy-always/kyverno-test.yaml
+++ b/tests/kyverno-policies/imagepullpolicy-always/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: imagepullpolicy-always
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: imagepullpolicy-always
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/ingress-require-tls/kyverno-test.yaml b/tests/kyverno-policies/ingress-require-tls/kyverno-test.yaml
index 8ab99251..c986faeb 100644
--- a/tests/kyverno-policies/ingress-require-tls/kyverno-test.yaml
+++ b/tests/kyverno-policies/ingress-require-tls/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: ingress-require-tls
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: ingress-require-tls
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/mutate-calico-registry/kyverno-test.yaml b/tests/kyverno-policies/mutate-calico-registry/kyverno-test.yaml
index 5058a7eb..ac228be6 100644
--- a/tests/kyverno-policies/mutate-calico-registry/kyverno-test.yaml
+++ b/tests/kyverno-policies/mutate-calico-registry/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: mutate-calico-registry
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: mutate-calico-registry
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/mutate-calico-registry/variables.yaml b/tests/kyverno-policies/mutate-calico-registry/variables.yaml
index bdfa758c..c4549058 100644
--- a/tests/kyverno-policies/mutate-calico-registry/variables.yaml
+++ b/tests/kyverno-policies/mutate-calico-registry/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 policies:
 - name: mutate-calico-registry
 resources:
diff --git a/tests/kyverno-policies/namespace-account/kyverno-test.yaml b/tests/kyverno-policies/namespace-account/kyverno-test.yaml
index 9fe4bd74..94cff64b 100644
--- a/tests/kyverno-policies/namespace-account/kyverno-test.yaml
+++ b/tests/kyverno-policies/namespace-account/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: namespace-account
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: namespace-account
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/namespace-account/variables.yaml b/tests/kyverno-policies/namespace-account/variables.yaml
index efc7f30d..4fc5f1ff 100644
--- a/tests/kyverno-policies/namespace-account/variables.yaml
+++ b/tests/kyverno-policies/namespace-account/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 policies:
 - name: namespace-account
 rules:
diff --git a/tests/kyverno-policies/namespace-role/kyverno-test.yaml b/tests/kyverno-policies/namespace-role/kyverno-test.yaml
index 3b6c0179..b3aa7cb6 100644
--- a/tests/kyverno-policies/namespace-role/kyverno-test.yaml
+++ b/tests/kyverno-policies/namespace-role/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: namespace-role
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: namespace-role
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/namespace-service-account/kyverno-test.yaml b/tests/kyverno-policies/namespace-service-account/kyverno-test.yaml
index a1e48e94..78281eed 100644
--- a/tests/kyverno-policies/namespace-service-account/kyverno-test.yaml
+++ b/tests/kyverno-policies/namespace-service-account/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: namespace-service-account
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: namespace-service-account
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/no-ingress/kyverno-test.yaml b/tests/kyverno-policies/no-ingress/kyverno-test.yaml
index 3814deca..abdbf2da 100644
--- a/tests/kyverno-policies/no-ingress/kyverno-test.yaml
+++ b/tests/kyverno-policies/no-ingress/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: no-ingress
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: no-ingress
 policies:
 - policy.yaml
 resources:
@@ -8,14 +11,12 @@ results:
 - policy: no-ingress
 rule: user-no-ingress
 resources:
- - test-pass
+ - test/test-pass
 kind: Ingress
- namespace: test
 result: skip
 - policy: no-ingress
 rule: user-no-ingress
 resources:
- - test-fail
+ - user-test/test-fail
 kind: Ingress
- namespace: user-test
 result: fail
diff --git a/tests/kyverno-policies/no-localhost-service/kyverno-test.yaml b/tests/kyverno-policies/no-localhost-service/kyverno-test.yaml
index fa8e069c..d34b3f9c 100644
--- a/tests/kyverno-policies/no-localhost-service/kyverno-test.yaml
+++ b/tests/kyverno-policies/no-localhost-service/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: no-localhost-service
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: no-localhost-service
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/pod-account-validation/kyverno-test.yaml b/tests/kyverno-policies/pod-account-validation/kyverno-test.yaml
index 71e39318..9bd74056 100644
--- a/tests/kyverno-policies/pod-account-validation/kyverno-test.yaml
+++ b/tests/kyverno-policies/pod-account-validation/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: pod-account-validation
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: pod-account-validation
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/pod-account-validation/variables.yaml b/tests/kyverno-policies/pod-account-validation/variables.yaml
index a8054770..83305463 100644
--- a/tests/kyverno-policies/pod-account-validation/variables.yaml
+++ b/tests/kyverno-policies/pod-account-validation/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 policies:
 - name: pod-account-validation
 rules:
diff --git a/tests/kyverno-policies/pod-groups-validation/kyverno-test.yaml b/tests/kyverno-policies/pod-groups-validation/kyverno-test.yaml
index 18571b7c..61421cb6 100644
--- a/tests/kyverno-policies/pod-groups-validation/kyverno-test.yaml
+++ b/tests/kyverno-policies/pod-groups-validation/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: pod-groups-validation
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: pod-groups-validation
 policies:
 - policy.yaml
 resources:
@@ -15,22 +18,19 @@ results:
 - policy: pod-groups-validation
 rule: pods-user-authorized-for-groups
 resources:
- - test-skip-op
- - test-skip-len
+ - user-test/test-skip-op
+ - user-test/test-skip-len
 kind: Pod
- namespace: user-test
 result: skip
 - policy: pod-groups-validation
 rule: pods-user-authorized-for-groups
 resources:
- - test-pass
+ - user-test/test-pass
 kind: Pod
- namespace: user-test
 result: pass
 - policy: pod-groups-validation
 rule: pods-user-authorized-for-groups
 resources:
- - test-fail
+ - user-test/test-fail
 kind: Pod
- namespace: user-test
 result: fail
diff --git a/tests/kyverno-policies/pod-groups-validation/variables.yaml b/tests/kyverno-policies/pod-groups-validation/variables.yaml
index 06e47355..b77a8a53 100644
--- a/tests/kyverno-policies/pod-groups-validation/variables.yaml
+++ b/tests/kyverno-policies/pod-groups-validation/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 policies:
 - name: pod-groups-validation
 rules:
diff --git a/tests/kyverno-policies/pod-lifetime/kyverno-test.yaml b/tests/kyverno-policies/pod-lifetime/kyverno-test.yaml
index 8bc766e7..2de1865b 100644
--- a/tests/kyverno-policies/pod-lifetime/kyverno-test.yaml
+++ b/tests/kyverno-policies/pod-lifetime/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: pod-lifetime
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: pod-lifetime
 policies:
 - policy.yaml
 resources:
@@ -8,42 +11,36 @@ results:
 - policy: pod-lifetime
 rule: pods-require-lifetime
 resources:
- - test-lifetime-skip
+ - test/test-lifetime-skip
 kind: Pod
- namespace: test
 result: skip
 - policy: pod-lifetime
 rule: pods-require-lifetime
 resources:
- - test-lifetime-pass
+ - user-test/test-lifetime-pass
 kind: Pod
- namespace: user-test
 result: pass
 - policy: pod-lifetime
 rule: pods-require-lifetime
 resources:
- - test-lifetime-fail
+ - user-test/test-lifetime-fail
 kind: Pod
- namespace: user-test
 result: fail
 - policy: pod-lifetime
 rule: pods-max-lifetime
 resources:
- - test-max-lifetime-skip
+ - test/test-max-lifetime-skip
 kind: Pod
- namespace: test
 result: skip
 - policy: pod-lifetime
 rule: pods-max-lifetime
 resources:
- - test-lifetime-max-pass
+ - user-test/test-lifetime-max-pass
 kind: Pod
- namespace: user-test
 result: pass
 - policy: pod-lifetime
 rule: pods-max-lifetime
 resources:
- - test-lifetime-max-fail
+ - user-test/test-lifetime-max-fail
 kind: Pod
- namespace: user-test
 result: fail
diff --git a/tests/kyverno-policies/pod-nodeselector/kyverno-test.yaml b/tests/kyverno-policies/pod-nodeselector/kyverno-test.yaml
index b0ecaae9..89d3759f 100644
--- a/tests/kyverno-policies/pod-nodeselector/kyverno-test.yaml
+++ b/tests/kyverno-policies/pod-nodeselector/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: pod-nodeselector
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: pod-nodeselector
 policies:
 - policy.yaml
 resources:
@@ -9,73 +12,64 @@ results:
 - policy: pod-nodeselector
 rule: pod-nodeselector-user
 resources:
- - test-user-skip
+ - test/test-user-skip
 kind: Pod
- namespace: test
 result: skip
 - policy: pod-nodeselector
 rule: pod-nodeselector-user
 resources:
- - test-user-pass
- - test-user-pass2
+ - user-test/test-user-pass
+ - user-test/test-user-pass2
 kind: Pod
- namespace: user-test
 result: pass
 - policy: pod-nodeselector
 rule: pod-nodeselector-user
 resources:
- - test-user-fail-omit
- - test-user-fail-mismatch
+ - user-test/test-user-fail-omit
+ - user-test/test-user-fail-mismatch
 kind: Pod
- namespace: user-test
 result: fail
 - policy: pod-nodeselector
 rule: pod-nodeselector-webservice
 resources:
- - test-webservice-skip
+ - user-test/test-webservice-skip
 kind: Pod
- namespace: webservice
 result: skip
 - policy: pod-nodeselector
 rule: pod-nodeselector-webservice
 resources:
- - test-webservice-pass
- - test-webservice-pass2
- - test-webservice-pass3
- - test-webservice-pass-infra
+ - webservice/test-webservice-pass
+ - webservice/test-webservice-pass2
+ - webservice/test-webservice-pass3
+ - webservice/test-webservice-pass-infra
 kind: Pod
- namespace: webservice
 result: pass
 - policy: pod-nodeselector
 rule: pod-nodeselector-webservice
 resources:
- - test-webservice-fail-omit
- - test-webservice-fail-mismatch
+ - webservice/test-webservice-fail-omit
+ - webservice/test-webservice-fail-mismatch
 kind: Pod
- namespace: webservice
 result: fail
 - policy: pod-nodeselector
 rule: pod-nodeselector-paas
 resources:
- - test-paas-skip
+ - user-test/test-paas-skip
 kind: Pod
- namespace: paas
 result: skip
 - policy: pod-nodeselector
 rule: pod-nodeselector-paas
 resources:
- - test-paas-pass
- - test-paas-pass2
+ - paas/test-paas-pass
+ - paas/test-paas-pass2
 kind: Pod
- namespace: paas
 result: pass
 - policy: pod-nodeselector
 rule: pod-nodeselector-paas
 resources:
- - test-paas-fail-omit
- - test-paas-fail-mismatch
- - test-paas-fail3
- - test-paas-fail-infra
+ - paas/test-paas-fail-omit
+ - paas/test-paas-fail-mismatch
+ - paas/test-paas-fail3
+ - paas/test-paas-fail-infra
 kind: Pod
- namespace: paas
 result: fail
diff --git a/tests/kyverno-policies/pod-nodeselector/variables.yaml b/tests/kyverno-policies/pod-nodeselector/variables.yaml
index 296831db..89e0f2a1 100644
--- a/tests/kyverno-policies/pod-nodeselector/variables.yaml
+++ b/tests/kyverno-policies/pod-nodeselector/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 namespaceSelector:
 - name: test
 labels:
diff --git a/tests/kyverno-policies/pod-resources/kyverno-test.yaml b/tests/kyverno-policies/pod-resources/kyverno-test.yaml
index 5a43f420..5d2ea762 100644
--- a/tests/kyverno-policies/pod-resources/kyverno-test.yaml
+++ b/tests/kyverno-policies/pod-resources/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: pod-resources
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: pod-resources
 policies:
 - policy.yaml
 resources:
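Review bot: The skip expectations for the webservice and paas rules now resolve `test-webservice-skip` and `test-paas-skip` under `user-test/`, whereas the removed `namespace: webservice` and `namespace: paas` lines had the same pods in the very namespaces those rules target; only one of the two can describe the manifests, so please verify the pod resources actually carry `namespace: user-test`, otherwise the CLI will be asked about a pod that does not exist rather than one the rule deliberately ignores. Since a `skip` cannot distinguish "outside the rule's namespaces" from "rule no longer matches anything", keeping the existing `fail-omit`/`fail-mismatch` cases is what proves the nodeSelector constraint is enforced, and an inline comment above each skip entry, e.g. `# skip: pod is outside the namespaces selected by pod-nodeselector-webservice`, would make that intent explicit. The `skip`/`pass`/`fail` layout is otherwise consistent with the other suites in this patch.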
@@ -9,102 +12,89 @@ results:
 - policy: pod-resources
 rule: pods-require-resources
 resources:
- - test-limits-skip
+ - test/test-limits-skip
 kind: Pod
- namespace: test
 result: skip
 - policy: pod-resources
 rule: pods-require-resources
 resources:
- - test-limits-pass
- - test-limits-with-init-pass
+ - user-test/test-limits-pass
+ - user-test/test-limits-with-init-pass
 kind: Pod
- namespace: user-test
 result: pass
 - policy: pod-resources
 rule: pods-require-resources
 resources:
- - test-limits-memory-limits-fail
- - test-limits-with-init-memory-limits-fail
- - test-limits-cpu-limits-fail
- - test-limits-cpu-requests-missing
- - test-limits-memory-requests-fail
+ - user-test/test-limits-memory-limits-fail
+ - user-test/test-limits-with-init-memory-limits-fail
+ - user-test/test-limits-cpu-limits-fail
+ - user-test/test-limits-cpu-requests-missing
+ - user-test/test-limits-memory-requests-fail
 kind: Pod
- namespace: user-test
 result: fail
 - policy: pod-resources
 rule: pods-require-resources
 resources:
- - test-limits-pass-webservice
+ - webservice/test-limits-pass-webservice
 kind: Pod
- namespace: webservice
 result: pass
 - policy: pod-resources
 rule: pods-require-resources
 resources:
- - test-limits-memory-requests-fail-webservice
+ - webservice/test-limits-memory-requests-fail-webservice
 kind: Pod
- namespace: webservice
 result: fail
 - policy: pod-resources
 rule: pods-max-user-resources
 resources:
- - test-limits-pass-cpu-limits1
- - test-limits-pass-cpu-limits2
+ - user-test/test-limits-pass-cpu-limits1
+ - user-test/test-limits-pass-cpu-limits2
 kind: Pod
- namespace: user-test
 result: pass
 - policy: pod-resources
 rule: pods-max-user-resources
 resources:
- - test-limits-webservice-pass-limits
+ - webservice/test-limits-webservice-pass-limits
 kind: Pod
- namespace: webservice
 result: pass
 - policy: pod-resources
 rule: pods-max-user-resources
 resources:
- - test-limits-with-init-pass-cpu-limits2
+ - user-test/test-limits-with-init-pass-cpu-limits2
 kind: Pod
- namespace: user-test
 result: pass
 - policy: pod-resources
 rule: pods-max-user-resources
 resources:
- - test-limits-fail-cpu-limits1
- - test-limits-fail-cpu-limits2
- - test-limits-with-init-fail-cpu-limits1
+ - user-test/test-limits-fail-cpu-limits1
+ - user-test/test-limits-fail-cpu-limits2
+ - user-test/test-limits-with-init-fail-cpu-limits1
 kind: Pod
- namespace: user-test
 result: fail
 - policy: pod-resources
 rule: pods-max-user-resources
 resources:
- - test-limits-webservice-fail-cpu-limits
+ - webservice/test-limits-webservice-fail-cpu-limits
 kind: Pod
- namespace: webservice
 result: fail
 - policy: pod-resources
 rule: pods-max-user-resources
 resources:
- - test-limits-pass-mem-limits1
- - test-limits-pass-mem-limits2
- - test-limits-cpu-requests-missing2
+ - user-test/test-limits-pass-mem-limits1
+ - user-test/test-limits-pass-mem-limits2
+ - user-test/test-limits-cpu-requests-missing2
 kind: Pod
- namespace: user-test
 result: pass
 - policy: pod-resources
 rule: pods-max-user-resources
 resources:
- - test-limits-fail-mem-limits1
- - test-limits-fail-mem-limits2
+ - user-test/test-limits-fail-mem-limits1
+ - user-test/test-limits-fail-mem-limits2
 kind: Pod
- namespace: user-test
 result: fail
 - policy: pod-resources
 rule: pods-max-user-resources
 resources:
- - test-limits-webservice-fail-mem-limits
+ - webservice/test-limits-webservice-fail-mem-limits
 kind: Pod
- namespace: webservice
 result: fail
diff --git a/tests/kyverno-policies/pod-resources/variables.yaml b/tests/kyverno-policies/pod-resources/variables.yaml
index 7f090596..93561811 100644
--- a/tests/kyverno-policies/pod-resources/variables.yaml
+++ b/tests/kyverno-policies/pod-resources/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 namespaceSelector:
 - name: test
 labels:
diff --git a/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml b/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml
index 17204a8e..fde637f1 100644
--- a/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml
+++ b/tests/kyverno-policies/pod-service-account-validation/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: pod-service-account-validation
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: pod-service-account-validation
 policies:
 - policy.yaml
 resources:
@@ -9,154 +12,135 @@ results: - policy: pod-service-account-validation rule: webservice-require-service-account resources: - - test-service-account-skip + - user-test/test-service-account-skip kind: Pod - namespace: user-test result: skip - policy: pod-service-account-validation rule: webservice-require-service-account resources: - - test-service-account-pass + - webservice/test-service-account-pass kind: Pod - namespace: webservice result: pass - policy: pod-service-account-validation rule: webservice-require-service-account resources: - - test-service-account-fail + - webservice/test-service-account-fail kind: Pod - namespace: webservice result: fail - policy: pod-service-account-validation rule: webservice-require-valid-service-account resources: - - pods-require-valid-service-account-pass - - pods-require-valid-service-account-container-pass - - pods-require-valid-service-account-init-pass + - webservice/pods-require-valid-service-account-pass + - webservice/pods-require-valid-service-account-container-pass + - webservice/pods-require-valid-service-account-init-pass kind: Pod - namespace: webservice result: pass - policy: pod-service-account-validation rule: webservice-require-valid-service-account resources: - - pods-require-valid-service-account-skip + - user-test/pods-require-valid-service-account-skip kind: Pod - namespace: user-test result: skip - policy: pod-service-account-validation rule: webservice-require-valid-service-account resources: - - pods-require-valid-service-account-skip-op + - webservice/pods-require-valid-service-account-skip-op kind: Pod - namespace: webservice result: skip - policy: pod-service-account-validation rule: webservice-require-valid-service-account resources: - - pods-require-valid-service-account-runasnonroot-fail - - pods-require-valid-service-account-uid-fail - - pods-require-valid-service-account-uid-container-fail - - pods-require-valid-service-account-uid-init-fail - - pods-require-valid-service-account-gid-fail - - 
pods-require-valid-service-account-gid-container-fail - - pods-require-valid-service-account-gid-init-fail - - fsgroup-require-valid-service-account-gid-fail + - webservice/pods-require-valid-service-account-runasnonroot-fail + - webservice/pods-require-valid-service-account-uid-fail + - webservice/pods-require-valid-service-account-uid-container-fail + - webservice/pods-require-valid-service-account-uid-init-fail + - webservice/pods-require-valid-service-account-gid-fail + - webservice/pods-require-valid-service-account-gid-container-fail + - webservice/pods-require-valid-service-account-gid-init-fail + - webservice/fsgroup-require-valid-service-account-gid-fail kind: Pod - namespace: webservice result: fail - policy: pod-service-account-validation rule: webservice-require-valid-service-account resources: - - test-groups-skip + - user-test/test-groups-skip kind: Pod - namespace: user-test result: skip - policy: pod-service-account-validation rule: webservice-service-account-authorized-for-groups resources: - - test-groups-skip-op - - test-groups-skip-len + - webservice/test-groups-skip-op + - webservice/test-groups-skip-len kind: Pod - namespace: webservice result: skip - policy: pod-service-account-validation rule: webservice-service-account-authorized-for-groups resources: - - test-groups-pass + - webservice/test-groups-pass kind: Pod - namespace: webservice result: pass - policy: pod-service-account-validation rule: webservice-service-account-authorized-for-groups resources: - - test-groups-fail + - webservice/test-groups-fail kind: Pod - namespace: webservice result: fail - policy: pod-service-account-validation rule: paas-require-valid-service-account resources: - - paas-pods-require-valid-service-account-pass - - paas-pods-require-valid-service-account-container-pass - - paas-pods-require-valid-service-account-init-pass + - paas/paas-pods-require-valid-service-account-pass + - paas/paas-pods-require-valid-service-account-container-pass + - 
paas/paas-pods-require-valid-service-account-init-pass kind: Pod - namespace: paas result: pass - policy: pod-service-account-validation rule: paas-require-valid-service-account resources: - - pods-require-valid-service-account-skip + - user-test/pods-require-valid-service-account-skip kind: Pod - namespace: user-test result: skip - policy: pod-service-account-validation rule: paas-require-valid-service-account resources: - - paas-pods-require-valid-service-account-skip-op + - paas/paas-pods-require-valid-service-account-skip-op kind: Pod - namespace: paas result: skip - policy: pod-service-account-validation rule: paas-require-valid-service-account resources: - - paas-pods-require-valid-service-account-runasnonroot-fail - - paas-pods-require-valid-service-account-uid-fail - - paas-pods-require-valid-service-account-uid-container-fail - - paas-pods-require-valid-service-account-uid-init-fail - - paas-pods-require-valid-service-account-gid-fail - - paas-pods-require-valid-service-account-gid-container-fail - - paas-pods-require-valid-service-account-gid-init-fail - - paas-fsgroup-require-valid-service-account-gid-fail + - paas/paas-pods-require-valid-service-account-runasnonroot-fail + - paas/paas-pods-require-valid-service-account-uid-fail + - paas/paas-pods-require-valid-service-account-uid-container-fail + - paas/paas-pods-require-valid-service-account-uid-init-fail + - paas/paas-pods-require-valid-service-account-gid-fail + - paas/paas-pods-require-valid-service-account-gid-container-fail + - paas/paas-pods-require-valid-service-account-gid-init-fail + - paas/paas-fsgroup-require-valid-service-account-gid-fail kind: Pod - namespace: paas result: fail - policy: pod-service-account-validation rule: paas-require-valid-service-account resources: - - test-groups-skip + - user-test/test-groups-skip kind: Pod - namespace: user-test result: skip - policy: pod-service-account-validation rule: paas-service-account-authorized-for-groups resources: - - 
paas-test-groups-skip-op - - paas-test-groups-skip-len + - paas/paas-test-groups-skip-op + - paas/paas-test-groups-skip-len kind: Pod - namespace: paas result: skip - policy: pod-service-account-validation rule: paas-service-account-authorized-for-groups resources: - - paas-test-groups-pass + - paas/paas-test-groups-pass kind: Pod - namespace: paas result: pass - policy: pod-service-account-validation rule: paas-service-account-authorized-for-groups resources: - - paas-test-groups-fail + - paas/paas-test-groups-fail kind: Pod - namespace: paas result: fail diff --git a/tests/kyverno-policies/pod-service-account-validation/variables.yaml b/tests/kyverno-policies/pod-service-account-validation/variables.yaml index 6f21ee19..9985d166 100644 --- a/tests/kyverno-policies/pod-service-account-validation/variables.yaml +++ b/tests/kyverno-policies/pod-service-account-validation/variables.yaml @@ -1,3 +1,7 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +metadata: + name: values policies: - name: pod-service-account-validation rules: diff --git a/tests/kyverno-policies/pod-user-validation/kyverno-test.yaml b/tests/kyverno-policies/pod-user-validation/kyverno-test.yaml index 0220e280..d6dc0039 100644 --- a/tests/kyverno-policies/pod-user-validation/kyverno-test.yaml +++ b/tests/kyverno-policies/pod-user-validation/kyverno-test.yaml @@ -1,5 +1,8 @@ --- -name: pod-user-validation +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: pod-user-validation policies: - policy.yaml resources: 
@@ -9,92 +12,80 @@ results: - policy: pod-user-validation rule: pods-require-valid-uid resources: - - pods-require-valid-uid-skip + - test/pods-require-valid-uid-skip kind: Pod - namespace: test result: skip - policy: pod-user-validation rule: pods-require-valid-uid resources: - - pods-require-valid-uid-skip-op + - user-test/pods-require-valid-uid-skip-op kind: Pod - namespace: user-test result: skip - policy: pod-user-validation rule: pods-require-valid-uid resources: - - pods-require-valid-uid-pass - - pods-require-valid-uid-container-pass - - pods-require-valid-uid-init-pass + - user-test/pods-require-valid-uid-pass + - user-test/pods-require-valid-uid-container-pass + - user-test/pods-require-valid-uid-init-pass kind: Pod - namespace: user-test result: pass - policy: pod-user-validation rule: pods-require-valid-uid resources: - - pods-require-valid-uid-fail - - pods-require-valid-uid-container-fail - - pods-require-valid-uid-init-fail + - user-test/pods-require-valid-uid-fail + - user-test/pods-require-valid-uid-container-fail + - user-test/pods-require-valid-uid-init-fail kind: Pod - namespace: user-test result: fail - policy: pod-user-validation rule: pods-require-valid-gid resources: - - pods-require-valid-gid-skip + - test/pods-require-valid-gid-skip kind: Pod - namespace: test result: skip - policy: pod-user-validation rule: pods-require-valid-gid resources: - - pods-require-valid-gid-skip-op + - user-test/pods-require-valid-gid-skip-op kind: Pod - namespace: user-test result: skip - policy: pod-user-validation rule: pods-require-valid-gid resources: - - pods-require-valid-gid-pass - - pods-require-valid-gid-container-pass - - pods-require-valid-gid-init-pass + - user-test/pods-require-valid-gid-pass + - user-test/pods-require-valid-gid-container-pass + - user-test/pods-require-valid-gid-init-pass kind: Pod - namespace: user-test result: pass - policy: pod-user-validation rule: pods-require-valid-gid resources: - - pods-require-valid-gid-fail - - 
pods-require-valid-gid-container-fail - - pods-require-valid-gid-init-fail + - user-test/pods-require-valid-gid-fail + - user-test/pods-require-valid-gid-container-fail + - user-test/pods-require-valid-gid-init-fail kind: Pod - namespace: user-test result: fail - policy: pod-user-validation rule: fsgroup-require-valid-gid resources: - - fsgroup-require-valid-gid-skip + - test/fsgroup-require-valid-gid-skip kind: Pod - namespace: test result: skip - policy: pod-user-validation rule: fsgroup-require-valid-gid resources: - - fsgroup-require-valid-gid-skip-op + - user-test/fsgroup-require-valid-gid-skip-op kind: Pod - namespace: user-test result: skip - policy: pod-user-validation rule: fsgroup-require-valid-gid resources: - - fsgroup-require-valid-gid-pass + - user-test/fsgroup-require-valid-gid-pass kind: Pod - namespace: user-test result: pass - policy: pod-user-validation rule: fsgroup-require-valid-gid resources: - - fsgroup-require-valid-gid-fail + - user-test/fsgroup-require-valid-gid-fail kind: Pod - namespace: user-test result: fail diff --git a/tests/kyverno-policies/pod-user-validation/variables.yaml b/tests/kyverno-policies/pod-user-validation/variables.yaml index 5d383ce0..a6b0ad88 100644 --- a/tests/kyverno-policies/pod-user-validation/variables.yaml +++ b/tests/kyverno-policies/pod-user-validation/variables.yaml @@ -1,3 +1,7 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values +metadata: + name: values policies: - name: pod-user-validation rules: diff --git a/tests/kyverno-policies/restrict-external-ips/kyverno-test.yaml b/tests/kyverno-policies/restrict-external-ips/kyverno-test.yaml index b7a33eb2..dca6435d 100644 --- a/tests/kyverno-policies/restrict-external-ips/kyverno-test.yaml +++ b/tests/kyverno-policies/restrict-external-ips/kyverno-test.yaml @@ -1,5 +1,8 @@ --- -name: restrict-external-ips +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-external-ips policies: - policy.yaml resources: 
diff --git a/tests/kyverno-policies/restrict-host-path/kyverno-test.yaml b/tests/kyverno-policies/restrict-host-path/kyverno-test.yaml index f5acd51f..be8ab79c 100644 --- a/tests/kyverno-policies/restrict-host-path/kyverno-test.yaml +++ b/tests/kyverno-policies/restrict-host-path/kyverno-test.yaml @@ -1,5 +1,8 @@ --- -name: restrict-host-path +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-host-path policies: - policy.yaml resources: 
@@ -9,80 +12,69 @@ results: - policy: restrict-host-path rule: users-host-path resources: - - test-skip - namespace: test + - test/test-skip kind: Pod result: skip - policy: restrict-host-path rule: users-host-path resources: - - test-pass - - test-no-hostpath-pass + - user-test/test-pass + - user-test/test-no-hostpath-pass kind: Pod - namespace: user-test result: pass - policy: restrict-host-path rule: users-host-path resources: - - test-fail + - user-test/test-fail kind: Pod - namespace: user-test result: fail - policy: restrict-host-path rule: webservices-host-path resources: - - test-skip-webservice + - user-test/test-skip-webservice kind: Pod - namespace: user-test result: skip - policy: restrict-host-path rule: webservices-host-path resources: - - test-pass-webservice - - test-no-hostpath-pass-webservice + - webservice/test-pass-webservice + - webservice/test-no-hostpath-pass-webservice kind: Pod - namespace: webservice result: pass - policy: restrict-host-path rule: webservices-host-path resources: - - test-fail-webservice + - webservice/test-fail-webservice kind: Pod - namespace: webservice result: fail - policy: restrict-host-path rule: webservices-host-path resources: - - test-webservice-mariadb + - webservice/test-webservice-mariadb kind: Pod - namespace: webservice result: pass - policy: restrict-host-path rule: paas-host-path resources: - - test-skip-paas + - user-test/test-skip-paas kind: Pod - namespace: user-test result: skip - policy: restrict-host-path rule: paas-host-path resources: - - test-pass-paas - - test-no-hostpath-pass-paas + - paas/test-pass-paas + - paas/test-no-hostpath-pass-paas kind: Pod - namespace: paas result: pass - policy: restrict-host-path rule: paas-host-path resources: - - test-fail-paas + - paas/test-fail-paas kind: Pod - namespace: paas result: fail - policy: restrict-host-path rule: paas-host-path resources: - - test-paas-mariadb + - paas/test-paas-mariadb kind: Pod - namespace: paas result: pass 
diff --git a/tests/kyverno-policies/restrict-host-path/variables.yaml b/tests/kyverno-policies/restrict-host-path/variables.yaml
index 296831db..89e0f2a1 100644
--- a/tests/kyverno-policies/restrict-host-path/variables.yaml
+++ b/tests/kyverno-policies/restrict-host-path/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 namespaceSelector:
 - name: test
 labels:
diff --git a/tests/kyverno-policies/restrict-registries/kyverno-test.yaml b/tests/kyverno-policies/restrict-registries/kyverno-test.yaml
index b1cfad74..8259f821 100644
--- a/tests/kyverno-policies/restrict-registries/kyverno-test.yaml
+++ b/tests/kyverno-policies/restrict-registries/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: restrict-registries
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-registries
 policies:
 - policy.yaml
 resources:
@@ -9,14 +12,12 @@ results:
 - policy: restrict-registries
 rule: restrict-registry-docker.io
 resources:
- - test-pass
+ - test/test-pass
 kind: Pod
- namespace: test
 result: pass
 - policy: restrict-registries
 rule: restrict-registry-docker.io
 resources:
- - test-fail
+ - test/test-fail
 kind: Pod
- namespace: test
 result: fail
diff --git a/tests/kyverno-policies/restrict-registries/variables.yaml b/tests/kyverno-policies/restrict-registries/variables.yaml
index 62fdec35..3121411d 100644
--- a/tests/kyverno-policies/restrict-registries/variables.yaml
+++ b/tests/kyverno-policies/restrict-registries/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 namespaceSelector:
 - name: test
 labels:
diff --git a/tests/kyverno-policies/role-validation/kyverno-test.yaml b/tests/kyverno-policies/role-validation/kyverno-test.yaml
index c84be9f6..7313e643 100644
--- a/tests/kyverno-policies/role-validation/kyverno-test.yaml
+++ b/tests/kyverno-policies/role-validation/kyverno-test.yaml
@@ -1,5 +1,8 @@
 ---
-name: role-validation
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: role-validation
 policies:
 - policy.yaml
 resources:
diff --git a/tests/kyverno-policies/role-validation/variables.yaml b/tests/kyverno-policies/role-validation/variables.yaml
index 7b029682..5251b6ca 100644
--- a/tests/kyverno-policies/role-validation/variables.yaml
+++ b/tests/kyverno-policies/role-validation/variables.yaml
@@ -1,3 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+ name: values
 namespaceSelector:
 - name: user-test
 labels:
From 1e7dc5005b021d9cf93a24a8f879d0e3c5e4dc19 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Mon, 2 Dec 2024 15:01:06 -0500
Subject: [PATCH 2/4] Fix syntax
---
 .github/config/kyverno-values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/config/kyverno-values.yaml b/.github/config/kyverno-values.yaml
index 0f68313a..441ce107 100644
--- a/.github/config/kyverno-values.yaml
+++ b/.github/config/kyverno-values.yaml
@@ -33,7 +33,7 @@ config:
 - "[ClusterReportChangeRequest,*,*]"
 - "[*,keycloak,*]"
 webhooks:
- - namespaceSelector:
+ namespaceSelector:
 matchExpressions:
 - key: osc.edu/role
 operator: In
From fff198ac1b9d10db05543096b4f2bf2c8feb4911 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Fri, 6 Dec 2024 08:52:13 -0500
Subject: [PATCH 3/4] Update kyverno values to match what will be used similar to OSC
---
 .github/config/kyverno-values.yaml | 25 +++++--------------------
 1 file changed, 5 insertions(+), 20 deletions(-)
diff --git a/.github/config/kyverno-values.yaml b/.github/config/kyverno-values.yaml
index 441ce107..9fb28a14 100644
--- a/.github/config/kyverno-values.yaml
+++ b/.github/config/kyverno-values.yaml
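Review bot: The `webhooks.namespaceSelector` that this hunk turns from a one-element list into a mapping is an allowlist with `operator: In` on `osc.edu/role`, so the API server only sends admission requests for namespaces that carry that label with one of the listed values; any namespace created without the label, or with a value outside the list, never reaches restrict-host-path, restrict-registries, pod-user-validation or any other policy in this repo. That makes namespace labeling, not Kyverno, the security boundary, and it fails open rather than closed; the value list and the remainder of the selector continue past the hunk. Presumably whatever provisions tenant namespaces always sets the label, but nothing here says so. I would add a comment above `webhooks:` such as `# Allowlist: only namespaces labeled osc.edu/role with a listed value are sent to the webhook; unlabeled namespaces bypass every policy, so namespace creation and labeling must stay restricted (a NotIn on the namespaces to skip would fail closed instead).`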
@@ -12,26 +12,11 @@ admissionController:
 exceptionNamespace: kyverno
 webhookTimeout: 30
 config:
- # TODO: Remove once fixed: https://github.com/kyverno/kyverno/issues/3190
- resourceFilters:
- - "[ConfigMap,*,*]"
- - "[*,local-path-storage,*]"
- - "[Event,*,*]"
- - "[*,default,*]"
- - "[*,kube-system,*]"
- - "[*,kube-public,*]"
- - "[*,kube-node-lease,*]"
- - "[Node,*,*]"
- - "[APIService,*,*]"
- - "[TokenReview,*,*]"
- - "[SubjectAccessReview,*,*]"
- - "[SelfSubjectAccessReview,*,*]"
- - "[*,kyverno,*]"
- - "[Binding,*,*]"
- - "[ReplicaSet,*,*]"
- - "[ReportChangeRequest,*,*]"
- - "[ClusterReportChangeRequest,*,*]"
- - "[*,keycloak,*]"
+ resourceFiltersIncludeNamespaces:
+ - local-path-storage
+ - default
+ - kyverno
+ - keycloak
 webhooks:
 namespaceSelector:
 matchExpressions:
From a53bd1be0ea34e29adfce23e00af06ea07f054ee Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Sat, 7 Dec 2024 12:44:16 -0500
Subject: [PATCH 4/4] Cleanup TODOs for OnDemand policy exclusions
---
 charts/kyverno-policies/values.yaml | 14 --------------
 1 file changed, 14 deletions(-)
diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml
index 114ebeaf..705b79b5 100644
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
@@ -65,13 +65,6 @@ kyverno-policies:
 # - external-dns
 # - prometheus
 policyExclude:
- disallow-capabilities-strict:
- any:
- # TODO: Remove once ood_core updated
- # https://github.com/OSC/ood_core/pull/748
- - resources:
- namespaces:
- - "user-?*"
 disallow-host-path:
 any:
 - resources:
@@ -87,13 +80,6 @@ kyverno-policies:
 values:
 - webservice
 - paas
- restrict-seccomp-strict:
- any:
- # TODO: Remove once ood_core updated
- # https://github.com/OSC/ood_core/pull/748
- - resources:
- namespaces:
- - "user-?*"
 restrict-volume-types:
 any:
 - resources:
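Review bot: The new `resourceFiltersIncludeNamespaces` entry for `default` (and `keycloak`) means every resource created in those namespaces skips Kyverno admission and background scanning, so a pod landed in `default` bypasses restrict-host-path, restrict-registries, the UID/GID policies and the rest of this chart; the removed explicit list did the same, but the reason these namespaces are exempt is no longer written down, and `default` is the namespace tenants most commonly end up with access to. The new key also leans on the chart's built-in filter list for the kind-level entries the old list spelled out (`Event`, `Node`, `TokenReview`, `Binding`, `ReplicaSet`, the `kube-*` namespaces) — I believe the chart appends `[*,<ns>,*]` to its defaults, but that should be confirmed against the chart version pinned in this bump — and it deliberately drops the `ConfigMap` workaround from issue 3190, so ConfigMaps are validated again from here on. I would add a comment above the new key along the lines of `# Appended to the chart's default resourceFilters as [*,<ns>,*]: nothing in these namespaces is validated or mutated. Keep default/keycloak locked down by RBAC, and remove default if tenants can create resources there.`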