Unit tests for Pod Security Admission Integrations (kyverno#8585)
* feat: enable field-restricted exclusions using the psa

Signed-off-by: Liang Deng <[email protected]>

* fix ci error

Signed-off-by: Liang Deng <[email protected]>

* fix ci error

Signed-off-by: Liang Deng <[email protected]>

* initial unit tests

* Add all remaining unit tests

Signed-off-by: Gurmannat Sohal <[email protected]>

* fine grain unit tests by adding fields and values

* add detailed pod level exclusion and related tests

* add tests for init & ephemeral containers

* add kuttl tests for the new advanced support

* add kuttl tests for the new advanced support

* add readme for kuttl tests

* add replacement in go.mod

* resolving CI errors

Signed-off-by: Gurmannat Sohal <[email protected]>

* fix ci errors

Signed-off-by: Gurmannat Sohal <[email protected]>

* fix ci errors

Signed-off-by: Gurmannat Sohal <[email protected]>

* updating pod-security-admissio

Signed-off-by: Gurmannat Sohal <[email protected]>

* resolving null pointer panic

Signed-off-by: Gurmannat Sohal <[email protected]>

* resolved conformance error

Signed-off-by: Gurmannat Sohal <[email protected]>

* chainsaw

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* chainsaw

Signed-off-by: Gurmannat Sohal <[email protected]>

* remove duplication

Signed-off-by: Gurmannat Sohal <[email protected]>

* fix linting

Signed-off-by: Gurmannat Sohal <[email protected]>

* remove over computation

Signed-off-by: Gurmannat Sohal <[email protected]>

* added field checks, pss skip condition

Signed-off-by: Gurmannat Sohal <[email protected]>

* correcting chainsaw tests

Signed-off-by: Gurmannat Sohal <[email protected]>

* merge branch 'main' into unit-tests

Signed-off-by: Gurmannat Sohal <[email protected]>

* fix builds

Signed-off-by: ShutingZhao <[email protected]>

---------

Signed-off-by: Liang Deng <[email protected]>
Signed-off-by: Gurmannat Sohal <[email protected]>
Signed-off-by: shuting <[email protected]>
Signed-off-by: Gurmannat Sohal <[email protected]>
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
Signed-off-by: ShutingZhao <[email protected]>
Co-authored-by: Liang Deng <[email protected]>
Co-authored-by: shuting <[email protected]>
Co-authored-by: Charles-Edouard Brétéché <[email protected]>
4 people authored Dec 26, 2023
1 parent 4fff841 commit 6902a2b
Showing 239 changed files with 12,291 additions and 1,106 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,4 @@ cmd/background-controller/background-controller
.dist
.manifest
kyverno.tar.gz
vendor/
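Review bot: ignoring `vendor/` in the same change that, per the commit message, adds a replacement in go.mod ("add replacement in go.mod", "updating pod-security-admissio") needs a check that the replace directive does not point at a path under `vendor/`, because that directory is no longer committed and a fresh clone or a `go build -mod=vendor` would then fail to resolve the module. If the replacement is a patched copy of pod-security-admission, point the `replace` at a tagged fork (or commit hash) instead of a local directory so the build is reproducible without local state, and say so in the commit message.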
18 changes: 18 additions & 0 deletions api/kyverno/v1/common_types.go
Expand Up @@ -429,6 +429,24 @@ type PodSecurityStandard struct {
// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
// +optional
Images []string `json:"images,omitempty" yaml:"images,omitempty"`

// RestrictedField selects the field for the given Pod Security Standard control.
// When not set, all restricted fields for the control are selected.
// +optional
RestrictedField string `json:"restrictedField,omitempty" yaml:"restrictedField,omitempty"`

// Values defines the allowed values that can be excluded.
// +optional
Values []string `json:"values,omitempty" yaml:"values,omitempty"`
}

// Validate checks if the values in the PodSecurityStandard struct are valid.
func (pss *PodSecurityStandard) Validate(exclude PodSecurityStandard) error {
if (exclude.RestrictedField != "" && len(exclude.Values) == 0) || (exclude.RestrictedField == "" && len(exclude.Values) != 0) {
return fmt.Errorf("Values[] and RestrictedField must be set together")
}

return nil
}

// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
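Review bot: `Validate` never reads its receiver: `func (pss *PodSecurityStandard) Validate(exclude PodSecurityStandard) error` checks the `exclude` argument and ignores `pss`, so `e.Validate(e)` works but `e.Validate(PodSecurityStandard{})` passes for any `e`. Either drop the parameter and check `pss.RestrictedField` / `pss.Values`, or make this a plain function; a method with an unused receiver invites the wrong call. Two smaller points in the same hunk: the error string `"Values[] and RestrictedField must be set together"` starts with a capital letter, which staticcheck flags (ST1005) and reads badly once callers wrap it; and `RestrictedField` is accepted as any string, so a typo in the field path is not rejected at policy creation and can only surface later when the exclusion is evaluated. Consider validating it against the restricted fields known for the exclusion's `controlName`. The doc comment on `Values` ("the allowed values that can be excluded") is also ambiguous; it reads more clearly as the values of RestrictedField that the exclusion exempts from the control.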
5 changes: 5 additions & 0 deletions api/kyverno/v1/zz_generated.deepcopy.go


96 changes: 96 additions & 0 deletions charts/kyverno/charts/crds/templates/crds.yaml
Expand Up @@ -13424,6 +13424,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
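Review bot: the schema accepts `restrictedField` and `values` independently, whereas the Go `Validate` in api/kyverno/v1/common_types.go rejects a policy that sets only one of them; express the same constraint in the CRD so the API server rejects such a policy on admission without relying on the Kyverno webhook's own validation, for example an `x-kubernetes-validations` rule on this exclusion object along the lines of `rule: "has(self.restrictedField) == (has(self.values) && size(self.values) > 0)"` (on clusters that support CRD validation rules). The `size` check matters because the Go code treats an empty `values: []` as unset. The `values` description ("Values defines the allowed values that can be excluded") is ambiguous as written; rewording it to the values of restrictedField that are exempted from the control says what the field does. The same text is repeated in every CRD hunk below, so fix it in the Go comment and regenerate rather than editing the YAML by hand.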
Expand Down Expand Up @@ -17919,6 +17931,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -22180,6 +22204,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -26649,6 +26685,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -31184,6 +31232,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -35680,6 +35740,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -39942,6 +40014,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -44411,6 +44495,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
48 changes: 48 additions & 0 deletions cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
Expand Up @@ -3473,6 +3473,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
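Review bot: this file and cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml are the CLI's embedded copies of the schema in charts/kyverno/charts/crds/templates/crds.yaml; any schema-level constraint added to the chart CRD (such as coupling `restrictedField` and `values`) has to be regenerated into these copies as well, otherwise the CLI would accept a policy that the cluster rejects. Worth confirming the generated-file check in CI covers this directory so the copies cannot drift.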
Expand Down Expand Up @@ -7968,6 +7980,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -12229,6 +12253,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -16698,6 +16734,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
48 changes: 48 additions & 0 deletions cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
Expand Up @@ -3474,6 +3474,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -7970,6 +7982,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -12232,6 +12256,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for the
control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object
Expand Down Expand Up @@ -16701,6 +16737,18 @@ spec:
items:
type: string
type: array
restrictedField:
description: RestrictedField selects the field
for the given Pod Security Standard control.
When not set, all restricted fields for
the control are selected.
type: string
values:
description: Values defines the allowed values
that can be excluded.
items:
type: string
type: array
required:
- controlName
type: object