Merge branch 'main' into disallow-cri-sock-mount-dockerd

kyverno · Sep 19, 2023 · 5efac74 · 5efac74
2 parents af223dd + d9d7b7d
commit 5efac74
Show file tree

Hide file tree

Showing 220 changed files with 2,727 additions and 7,045 deletions.
diff --git a/argo/appproject-clusterresourceblacklist/kyverno-test.yaml b/argo/appproject-clusterresourceblacklist/kyverno-test.yaml
@@ -1,42 +1,35 @@
-name: appproject-clusterresourceblacklist
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: appproject-clusterresourceblacklist
 policies:
 - appproject-clusterresourceblacklist.yaml
 resources:
 - resources.yaml
 results:
-- kind: AppProject
-  policy: appproject-clusterresourceblacklist
-  resources:
-  - goodappproj01
-  result: pass
-  rule: has-wildcard
-- kind: AppProject
-  policy: appproject-clusterresourceblacklist
-  resources:
-  - goodappproj02
-  result: pass
-  rule: validate-clusterresourceblacklist
 - kind: AppProject
   policy: appproject-clusterresourceblacklist
   resources:
   - badappproj01
+  - badappproj02
+  - badappproj03
   result: fail
   rule: has-wildcard
 - kind: AppProject
   policy: appproject-clusterresourceblacklist
   resources:
-  - badappproj02
-  result: fail
+  - goodappproj01
+  result: pass
   rule: has-wildcard
 - kind: AppProject
   policy: appproject-clusterresourceblacklist
   resources:
-  - badappproj03
+  - badappproj04
   result: fail
-  rule: has-wildcard
+  rule: validate-clusterresourceblacklist
 - kind: AppProject
   policy: appproject-clusterresourceblacklist
   resources:
-  - badappproj04
-  result: fail
+  - goodappproj02
+  result: pass
   rule: validate-clusterresourceblacklist
diff --git a/best-practices/add-network-policy/kyverno-test.yaml b/best-practices/add-network-policy/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: deny-all-traffic
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: deny-all-traffic
 policies:
 - add-network-policy.yaml
 resources:

diff --git a/best-practices/add-ns-quota/kyverno-test.yaml b/best-practices/add-ns-quota/kyverno-test.yaml
@@ -1,20 +1,23 @@
-name: add-quota
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-quota
 policies:
 - add-ns-quota.yaml
 resources:
 - resource.yaml
 results:
-- generatedResource: generatedResourceQuota.yaml
+- generatedResource: generatedLimitRange.yaml
   kind: Namespace
   policy: add-ns-quota
   resources:
   - hello-world-namespace
   result: pass
-  rule: generate-resourcequota
-- generatedResource: generatedLimitRange.yaml
+  rule: generate-limitrange
+- generatedResource: generatedResourceQuota.yaml
   kind: Namespace
   policy: add-ns-quota
   resources:
   - hello-world-namespace
   result: pass
-  rule: generate-limitrange
+  rule: generate-resourcequota
diff --git a/best-practices/add-safe-to-evict/kyverno-test.yaml b/best-practices/add-safe-to-evict/kyverno-test.yaml
@@ -1,27 +1,24 @@
-name: add-safe-to-evict
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-safe-to-evict
 policies:
 - add-safe-to-evict.yaml
 resources:
 - resource.yaml
 results:
 - kind: Pod
+  patchedResource: myapp-pod03-patched.yaml
   policy: add-safe-to-evict
   resources:
-  - myapp-pod01
-  result: skip
+  - myapp-pod03
+  result: pass
   rule: annotate-empty-dir
 - kind: Pod
   policy: add-safe-to-evict
   resources:
-  - myapp-pod02
+  - myapp-pod01
   result: skip
-  rule: annotate-host-path
-- kind: Pod
-  patchedResource: myapp-pod03-patched.yaml
-  policy: add-safe-to-evict
-  resources:
-  - myapp-pod03
-  result: pass
   rule: annotate-empty-dir
 - kind: Pod
   patchedResource: myapp-pod04-patched.yaml
@@ -30,3 +27,9 @@ results:
   - myapp-pod04
   result: pass
   rule: annotate-host-path
+- kind: Pod
+  policy: add-safe-to-evict
+  resources:
+  - myapp-pod02
+  result: skip
+  rule: annotate-host-path
diff --git a/best-practices/check-deprecated-apis/kyverno-test.yaml b/best-practices/check-deprecated-apis/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: check-deprecated-apis
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: check-deprecated-apis
 policies:
 - check-deprecated-apis.yaml
 resources:

diff --git a/best-practices/disallow-cri-sock-mount/kyverno-test.yaml b/best-practices/disallow-cri-sock-mount/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: disallow-cri-sock-mount
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-cri-sock-mount
 policies:
 - disallow-cri-sock-mount.yaml
 resources:
@@ -8,35 +11,25 @@ results:
   policy: disallow-container-sock-mounts
   resources:
   - pod-with-docker-sock-mount
-  result: fail
-  rule: validate-docker-sock-mount
-- kind: Pod
-  policy: disallow-container-sock-mounts
-  resources:
-  - pod-with-docker-sock-mount
+  - goodpod01
   result: pass
   rule: validate-containerd-sock-mount
 - kind: Pod
   policy: disallow-container-sock-mounts
   resources:
   - pod-with-docker-sock-mount
+  - goodpod01
   result: pass
   rule: validate-crio-sock-mount
 - kind: Pod
   policy: disallow-container-sock-mounts
   resources:
-  - goodpod01
-  result: pass
+  - pod-with-docker-sock-mount
+  result: fail
   rule: validate-docker-sock-mount
 - kind: Pod
   policy: disallow-container-sock-mounts
   resources:
   - goodpod01
   result: pass
-  rule: validate-containerd-sock-mount
-- kind: Pod
-  policy: disallow-container-sock-mounts
-  resources:
-  - goodpod01
-  result: pass
-  rule: validate-crio-sock-mount
+  rule: validate-docker-sock-mount
diff --git a/best-practices/disallow-default-namespace/kyverno-test.yaml b/best-practices/disallow-default-namespace/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: disallow-default-namespace
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-default-namespace
 policies:
 - disallow-default-namespace.yaml
 resources:

diff --git a/best-practices/disallow-empty-ingress-host/kyverno-test.yaml b/best-practices/disallow-empty-ingress-host/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: disallow-empty-ingress-host
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-empty-ingress-host
 policies:
 - disallow-empty-ingress-host.yaml
 resources:
@@ -7,12 +10,12 @@ results:
 - kind: Ingress
   policy: disallow-empty-ingress-host
   resources:
-  - ingress-wildcard-host
-  result: pass
+  - minimal-ingress
+  result: fail
   rule: disallow-empty-ingress-host
 - kind: Ingress
   policy: disallow-empty-ingress-host
   resources:
-  - minimal-ingress
-  result: fail
+  - ingress-wildcard-host
+  result: pass
   rule: disallow-empty-ingress-host
diff --git a/best-practices/disallow-helm-tiller/kyverno-test.yaml b/best-practices/disallow-helm-tiller/kyverno-test.yaml
@@ -1,42 +1,35 @@
-name: disallow-helm-tiller
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-helm-tiller
 policies:
 - disallow-helm-tiller.yaml
 resources:
 - resource.yaml
 results:
-- kind: Pod
+- kind: Deployment
   policy: disallow-helm-tiller
   resources:
-  - badpod01
+  - baddeployment01
   result: fail
   rule: validate-helm-tiller
 - kind: Pod
   policy: disallow-helm-tiller
   resources:
+  - badpod01
   - badpod02
   result: fail
   rule: validate-helm-tiller
-- kind: Pod
+- kind: Deployment
   policy: disallow-helm-tiller
   resources:
-  - goodpod01
+  - gooddeployment01
   result: pass
   rule: validate-helm-tiller
 - kind: Pod
   policy: disallow-helm-tiller
   resources:
+  - goodpod01
   - goodpod02
   result: pass
   rule: validate-helm-tiller
-- kind: Deployment
-  policy: disallow-helm-tiller
-  resources:
-  - gooddeployment01
-  result: pass
-  rule: validate-helm-tiller
-- kind: Deployment
-  policy: disallow-helm-tiller
-  resources:
-  - baddeployment01
-  result: fail
-  rule: validate-helm-tiller
diff --git a/best-practices/disallow-latest-tag/kyverno-test.yaml b/best-practices/disallow-latest-tag/kyverno-test.yaml
@@ -1,24 +1,22 @@
-name: disallow-latest-tag
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-latest-tag
 policies:
 - disallow-latest-tag.yaml
 resources:
 - resource.yaml
 results:
-- kind: Pod
-  policy: disallow-latest-tag
-  resources:
-  - myapp-pod
-  result: pass
-  rule: require-image-tag
-- kind: Pod
+- kind: Deployment
   policy: disallow-latest-tag
   resources:
-  - badpod01
+  - baddeployment01
   result: fail
   rule: require-image-tag
 - kind: Pod
   policy: disallow-latest-tag
   resources:
+  - badpod01
   - badpod02
   result: fail
   rule: require-image-tag
@@ -28,27 +26,22 @@ results:
   - gooddeployment01
   result: pass
   rule: require-image-tag
-- kind: Deployment
-  policy: disallow-latest-tag
-  resources:
-  - baddeployment01
-  result: fail
-  rule: require-image-tag
 - kind: Pod
   policy: disallow-latest-tag
   resources:
   - myapp-pod
   result: pass
-  rule: validate-image-tag
-- kind: Pod
+  rule: require-image-tag
+- kind: Deployment
   policy: disallow-latest-tag
   resources:
-  - vit-badpod01
+  - vit-baddeployment01
   result: fail
   rule: validate-image-tag
 - kind: Pod
   policy: disallow-latest-tag
   resources:
+  - vit-badpod01
   - vit-badpod02
   result: fail
   rule: validate-image-tag
@@ -58,9 +51,9 @@ results:
   - gooddeployment01
   result: pass
   rule: validate-image-tag
-- kind: Deployment
+- kind: Pod
   policy: disallow-latest-tag
   resources:
-  - vit-baddeployment01
-  result: fail
+  - myapp-pod
+  result: pass
   rule: validate-image-tag
diff --git a/best-practices/require-drop-all/kyverno-test.yaml b/best-practices/require-drop-all/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: require-drop-all
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: require-drop-all
 policies:
 - require-drop-all.yaml
 resources:
@@ -7,12 +10,12 @@ results:
 - kind: Pod
   policy: drop-all-capabilities
   resources:
-  - add-capabilities
-  result: pass
+  - add-capabilities-bad
+  result: fail
   rule: require-drop-all
 - kind: Pod
   policy: drop-all-capabilities
   resources:
-  - add-capabilities-bad
-  result: fail
+  - add-capabilities
+  result: pass
   rule: require-drop-all