From 999d84ac041b621bf7b97a4cbf667ec4ac0266d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Mon, 18 Sep 2023 15:01:25 +0200
Subject: [PATCH 1/2] fix: invalid kuttl test step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché
---
 other/m-q/prepend-image-registry/02-manifests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/other/m-q/prepend-image-registry/02-manifests.yaml b/other/m-q/prepend-image-registry/02-manifests.yaml
index f82033030..096b4fd9d 100644
--- a/other/m-q/prepend-image-registry/02-manifests.yaml
+++ b/other/m-q/prepend-image-registry/02-manifests.yaml
@@ -8,6 +8,6 @@ apply:
 assert:
 - patchedResource.yaml
 - pods-patched.yaml
-errors:
+error:
 - patchedResourceWithoutInitContainer.yaml
 - failpatchedResource.yaml
\ No newline at end of file

From d9d7b7dd5acce7824cb1affa044ddd97f047725d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Tue, 19 Sep 2023 05:38:30 +0200
Subject: [PATCH 2/2] fix: test files cleanup (#755)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: test files cleanup

Signed-off-by: Charles-Edouard Brétéché

* fixes

Signed-off-by: Charles-Edouard Brétéché

* fixes

Signed-off-by: Charles-Edouard Brétéché

---------
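Review bot: The renamed key restores the negative half of this kuttl step, but nothing in the commit shows that half has ever run: while the key was `errors:` the two manifests under it were presumably not evaluated (kuttl acts on `error:`), so the step passed without checking that the unpatched resources are rejected. It is worth re-running the step after this change and confirming in the kuttl output that `patchedResourceWithoutInitContainer.yaml` and `failpatchedResource.yaml` are now evaluated, since that is the first real execution of the negative path. The file also still ends without a trailing newline (`\ No newline at end of file` applies to the new side as well), which is harmless but easy to fix in the same commit.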
Signed-off-by: Charles-Edouard Brétéché --- .../kyverno-test.yaml | 31 +- .../add-network-policy/kyverno-test.yaml | 5 +- best-practices/add-ns-quota/kyverno-test.yaml | 13 +- .../add-safe-to-evict/kyverno-test.yaml | 25 +- .../check-deprecated-apis/kyverno-test.yaml | 5 +- .../disallow-cri-sock-mount/kyverno-test.yaml | 25 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 13 +- .../disallow-helm-tiller/kyverno-test.yaml | 27 +- .../disallow-latest-tag/kyverno-test.yaml | 35 +- .../require-drop-all/kyverno-test.yaml | 13 +- .../kyverno-test.yaml | 16 +- .../require-labels/kyverno-test.yaml | 15 +- .../kyverno-test.yaml | 28 +- .../require-probes/kyverno-test.yaml | 41 +- .../require-ro-rootfs/kyverno-test.yaml | 20 +- .../kyverno-test.yaml | 30 +- .../restrict-node-port/kyverno-test.yaml | 10 +- .../kyverno-test.yaml | 16 +- .../kyverno-test.yaml | 19 +- cert-manager/limit-dnsnames/kyverno-test.yaml | 5 +- cert-manager/limit-duration/kyverno-test.yaml | 13 +- .../restrict-issuer/kyverno-test.yaml | 13 +- .../enforce-min-tls-version/kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 8 +- .../kyverno-test.yaml | 19 +- .../kyverno-test.yaml | 49 +- kasten/k10-3-2-1-backup/kyverno-test.yaml | 13 +- .../kyverno-test.yaml | 13 +- .../kyverno-test.yaml | 5 +- .../test-values.yaml | 18 +- kasten/k10-hourly-rpo/kyverno-test.yaml | 13 +- .../kyverno-test.yaml | 13 +- .../k10-minimum-retention/kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 26 +- .../kyverno-test.yaml | 15 +- .../require-kubecost-labels/kyverno-test.yaml | 41 +- kubevirt/add-services/kyverno-test.yaml | 23 +- .../enforce-instancetype/kyverno-test.yaml | 23 +- .../kyverno-test.yaml | 15 +- .../restrict-annotations/kyverno-test.yaml | 38 +- .../restrict-ingress-paths/kyverno-test.yaml | 26 +- openshift/check-routes/kyverno-test.yaml | 15 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 17 +- .../kyverno-test.yaml | 41 +- .../kyverno-test.yaml 
| 10 +- .../values.yaml | 16 +- .../enforce-etcd-encryption/kyverno-test.yaml | 5 +- .../team-validate-ns-name/kyverno-test.yaml | 5 +- openshift/unique-routes/kyverno-test.yaml | 13 +- openshift/unique-routes/mock.yaml | 14 +- .../add-certificates-volume/kyverno-test.yaml | 5 +- .../a/add-default-resources/kyverno-test.yaml | 17 +- .../kyverno-test.yaml | 5 +- .../a/add-env-vars-from-cm/kyverno-test.yaml | 5 +- .../a/add-image-as-env-var/kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 5 +- .../a/add-imagepullsecrets/kyverno-test.yaml | 5 +- other/a/add-labels/kyverno-test.yaml | 11 +- other/a/add-ndots/kyverno-test.yaml | 8 +- other/a/add-node-affinity/kyverno-test.yaml | 5 +- other/a/add-nodeSelector/kyverno-test.yaml | 8 +- .../kyverno-test.yaml | 8 +- other/a/add-pod-priorityclassname/values.yaml | 14 +- other/a/add-pod-proxies/kyverno-test.yaml | 5 +- other/a/add-tolerations/kyverno-test.yaml | 5 +- other/a/add-ttl-jobs/kyverno-test.yaml | 10 +- .../a/add-volume-deployment/kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 13 +- .../values.yaml | 24 +- other/a/allowed-annotations/kyverno-test.yaml | 5 +- .../a/allowed-label-changes/kyverno-test.yaml | 5 +- other/a/allowed-label-changes/values.yaml | 4 +- .../allowed-pod-priorities/kyverno-test.yaml | 17 +- other/a/allowed-pod-priorities/values.yaml | 46 +- other/a/always-pull-images/kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 5 +- .../b-d/block-images-with-volumes/values.yaml | 12 +- .../b-d/block-large-images/kyverno-test.yaml | 5 +- other/b-d/block-large-images/values.yaml | 13 +- .../b-d/block-stale-images/kyverno-test.yaml | 5 +- other/b-d/block-stale-images/values.yaml | 11 +- .../block-updates-deletes/kyverno-test.yaml | 13 +- other/b-d/block-updates-deletes/values.yaml | 14 +- other/b-d/check-env-vars/kyverno-test.yaml | 5 +- other/b-d/check-nvidia-gpu/kyverno-test.yaml | 17 +- other/b-d/check-nvidia-gpu/values.yaml | 26 +- .../check-serviceaccount/kyverno-test.yaml | 5 
+- other/b-d/check-serviceaccount/values.yaml | 2 + .../b-d/create-default-pdb/kyverno-test.yaml | 8 +- .../create-pod-antiaffinity/kyverno-test.yaml | 41 +- .../kyverno-test.yaml | 53 +- .../kyverno-test.yaml | 5 +- .../disallow-all-secrets/kyverno-test.yaml | 53 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 21 +- .../kyverno-test.yaml | 8 +- .../dns-policy-and-dns-config/variables.yaml | 115 ++- .../kyverno-test.yaml | 49 +- .../enforce-pod-duration/kyverno-test.yaml | 13 +- .../kyverno-test.yaml | 5 +- .../enforce-resources-as-ratio/values.yaml | 6 +- .../ensure-probes-different/kyverno-test.yaml | 13 +- .../kyverno-test.yaml | 29 +- .../values.yaml | 45 +- .../kyverno-test.yaml | 5 +- .../e-l/ensure-readonly-hostpath/values.yaml | 6 +- .../kyverno-test.yaml | 20 +- .../values.yaml | 21 +- other/e-l/forbid-cpu-limits/kyverno-test.yaml | 37 +- .../imagepullpolicy-always/kyverno-test.yaml | 19 +- .../ingress-host-match-tls/kyverno-test.yaml | 25 +- .../kyverno-test.yaml | 5 +- .../limit-configmap-for-sa/kyverno-test.yaml | 5 +- .../e-l/limit-configmap-for-sa/variables.yaml | 18 +- .../kyverno-test.yaml | 29 +- .../limit-hostpath-type-pv/kyverno-test.yaml | 13 +- .../e-l/limit-hostpath-vols/kyverno-test.yaml | 13 +- other/e-l/limit-hostpath-vols/values.yaml | 12 +- .../kyverno-test.yaml | 17 +- .../m-q/mitigate-log4shell/kyverno-test.yaml | 17 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 13 +- .../kyverno-test.yaml | 10 +- .../values.yaml | 23 +- .../m-q/pdb-maxunavailable/kyverno-test.yaml | 29 +- other/m-q/pdb-minavailable/kyverno-test.yaml | 11 +- other/m-q/pdb-minavailable/values.yaml | 20 +- .../prepend-image-registry/kyverno-test.yaml | 33 +- other/m-q/prevent-cr8escape/kyverno-test.yaml | 10 +- .../remove-hostpath-volumes/kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 5 +- .../replace-image-registry/kyverno-test.yaml | 19 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 51 +- .../values.yaml | 12 +- 
.../require-image-checksum/kyverno-test.yaml | 17 +- .../require-image-source/kyverno-test.yaml | 5 +- .../rec-req/require-image-source/values.yaml | 28 +- .../kyverno-test.yaml | 13 +- .../rec-req/require-netpol/kyverno-test.yaml | 5 +- other/rec-req/require-netpol/values.yaml | 4 +- .../require-non-root-groups/kyverno-test.yaml | 628 ++---------- other/rec-req/require-pdb/kyverno-test.yaml | 37 +- other/rec-req/require-pdb/values.yaml | 10 +- .../kyverno-test.yaml | 13 +- .../require-qos-burstable/kyverno-test.yaml | 39 +- .../require-qos-guaranteed/kyverno-test.yaml | 39 +- .../require-storageclass/kyverno-test.yaml | 24 +- .../kyverno-test.yaml | 5 +- .../require-unique-external-dns/values.yaml | 20 +- .../kyverno-test.yaml | 5 +- .../variables.yaml | 12 +- .../resolve-image-to-digest/kyverno-test.yaml | 5 +- other/res/resolve-image-to-digest/values.yaml | 20 +- .../restrict-annotations/kyverno-test.yaml | 13 +- .../kyverno-test.yaml | 21 +- .../kyverno-test.yaml | 25 +- .../kyverno-test.yaml | 11 +- .../kyverno-test.yaml | 37 +- .../kyverno-test.yaml | 15 +- .../kyverno-test.yaml | 11 +- .../restrict-ingress-host/kyverno-test.yaml | 13 +- other/res/restrict-ingress-host/values.yaml | 4 +- .../kyverno-test.yaml | 15 +- .../restrict-loadbalancer/kyverno-test.yaml | 11 +- .../kyverno-test.yaml | 40 +- .../restrict-node-affinity/kyverno-test.yaml | 19 +- .../restrict-node-selection/kyverno-test.yaml | 25 +- .../kyverno-test.yaml | 5 +- .../restrict-pod-count-per-node/values.yaml | 8 +- .../kyverno-test.yaml | 36 +- .../res/restrict-secrets-by-label/values.yaml | 28 +- .../kyverno-test.yaml | 49 +- .../kyverno-test.yaml | 13 +- .../res/restrict-service-account/values.yaml | 15 +- .../kyverno-test.yaml | 5 +- .../restrict-storageclass/kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 18 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 72 +- .../disallow-capabilities/kyverno-test.yaml | 215 +--- .../kyverno-test.yaml | 158 +-- 
.../disallow-host-path/kyverno-test.yaml | 63 +- .../kyverno-test.yaml | 367 +------ .../disallow-host-ports/kyverno-test.yaml | 367 +------ .../disallow-host-process/kyverno-test.yaml | 196 +--- .../kyverno-test.yaml | 196 +--- .../disallow-proc-mount/kyverno-test.yaml | 196 +--- .../disallow-selinux/kyverno-test.yaml | 966 +++--------------- .../kyverno-test.yaml | 63 +- .../restrict-seccomp/kyverno-test.yaml | 329 +----- .../restrict-sysctls/kyverno-test.yaml | 158 +-- .../kyverno-test.yaml | 705 +++---------- .../kyverno-test.yaml | 196 +--- .../kyverno-test.yaml | 291 +----- .../require-run-as-nonroot/kyverno-test.yaml | 462 ++------- .../restrict-seccomp-strict/kyverno-test.yaml | 310 +----- .../restrict-volume-types/kyverno-test.yaml | 542 ++-------- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 5 +- .../restricted-latest/kyverno-test.yaml | 5 +- psa/add-psa-labels/kyverno-test.yaml | 17 +- psp-migration/add-apparmor/kyverno-test.yaml | 5 +- .../add-capabilities/kyverno-test.yaml | 5 +- .../add-runtimeClassName/kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 5 +- .../kyverno-test.yaml | 95 +- .../kyverno-test.yaml | 15 +- .../kyverno-test.yaml | 5 +- velero/backup-all-volumes/kyverno-test.yaml | 26 +- velero/backup-all-volumes/values.yaml | 14 +- velero/block-velero-restore/kyverno-test.yaml | 10 +- .../validate-cron-schedule/kyverno-test.yaml | 13 +- 219 files changed, 2726 insertions(+), 7044 deletions(-) diff --git a/argo/appproject-clusterresourceblacklist/kyverno-test.yaml b/argo/appproject-clusterresourceblacklist/kyverno-test.yaml index ae9c6d500..c57a62693 100644 --- a/argo/appproject-clusterresourceblacklist/kyverno-test.yaml +++ b/argo/appproject-clusterresourceblacklist/kyverno-test.yaml 
@@ -1,42 +1,35 @@ -name: appproject-clusterresourceblacklist +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: appproject-clusterresourceblacklist policies: - appproject-clusterresourceblacklist.yaml resources: - resources.yaml results: -- kind: AppProject - policy: appproject-clusterresourceblacklist - resources: - - goodappproj01 - result: pass - rule: has-wildcard -- kind: AppProject - policy: appproject-clusterresourceblacklist - resources: - - goodappproj02 - result: pass - rule: validate-clusterresourceblacklist - kind: AppProject policy: appproject-clusterresourceblacklist resources: - badappproj01 + - badappproj02 + - badappproj03 result: fail rule: has-wildcard - kind: AppProject policy: appproject-clusterresourceblacklist resources: - - badappproj02 - result: fail + - goodappproj01 + result: pass rule: has-wildcard - kind: AppProject policy: appproject-clusterresourceblacklist resources: - - badappproj03 + - badappproj04 result: fail - rule: has-wildcard + rule: validate-clusterresourceblacklist - kind: AppProject policy: appproject-clusterresourceblacklist resources: - - badappproj04 - result: fail + - goodappproj02 + result: pass rule: validate-clusterresourceblacklist diff --git a/best-practices/add-network-policy/kyverno-test.yaml b/best-practices/add-network-policy/kyverno-test.yaml index 916e05a6d..169d33e9a 100644 --- a/best-practices/add-network-policy/kyverno-test.yaml +++ b/best-practices/add-network-policy/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: deny-all-traffic +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: deny-all-traffic policies: - add-network-policy.yaml resources: diff --git a/best-practices/add-ns-quota/kyverno-test.yaml b/best-practices/add-ns-quota/kyverno-test.yaml index 587c4c0dd..bd1c80cf7 100644 --- a/best-practices/add-ns-quota/kyverno-test.yaml +++ b/best-practices/add-ns-quota/kyverno-test.yaml 
@@ -1,20 +1,23 @@ -name: add-quota +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-quota policies: - add-ns-quota.yaml resources: - resource.yaml results: -- generatedResource: generatedResourceQuota.yaml +- generatedResource: generatedLimitRange.yaml kind: Namespace policy: add-ns-quota resources: - hello-world-namespace result: pass - rule: generate-resourcequota -- generatedResource: generatedLimitRange.yaml + rule: generate-limitrange +- generatedResource: generatedResourceQuota.yaml kind: Namespace policy: add-ns-quota resources: - hello-world-namespace result: pass - rule: generate-limitrange + rule: generate-resourcequota diff --git a/best-practices/add-safe-to-evict/kyverno-test.yaml b/best-practices/add-safe-to-evict/kyverno-test.yaml index 542bfd8ba..cf4be09a4 100644 --- a/best-practices/add-safe-to-evict/kyverno-test.yaml +++ b/best-practices/add-safe-to-evict/kyverno-test.yaml @@ -1,27 +1,24 @@ -name: add-safe-to-evict +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-safe-to-evict policies: - add-safe-to-evict.yaml resources: - resource.yaml results: - kind: Pod + patchedResource: myapp-pod03-patched.yaml policy: add-safe-to-evict resources: - - myapp-pod01 - result: skip + - myapp-pod03 + result: pass rule: annotate-empty-dir - kind: Pod policy: add-safe-to-evict resources: - - myapp-pod02 + - myapp-pod01 result: skip - rule: annotate-host-path -- kind: Pod - patchedResource: myapp-pod03-patched.yaml - policy: add-safe-to-evict - resources: - - myapp-pod03 - result: pass rule: annotate-empty-dir - kind: Pod patchedResource: myapp-pod04-patched.yaml @@ -30,3 +27,9 @@ results: - myapp-pod04 result: pass rule: annotate-host-path +- kind: Pod + policy: add-safe-to-evict + resources: + - myapp-pod02 + result: skip + rule: annotate-host-path diff --git a/best-practices/check-deprecated-apis/kyverno-test.yaml b/best-practices/check-deprecated-apis/kyverno-test.yaml index d9a8ccd1a..ddda905e3 100644 
--- a/best-practices/check-deprecated-apis/kyverno-test.yaml +++ b/best-practices/check-deprecated-apis/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: check-deprecated-apis +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-deprecated-apis policies: - check-deprecated-apis.yaml resources: diff --git a/best-practices/disallow-cri-sock-mount/kyverno-test.yaml b/best-practices/disallow-cri-sock-mount/kyverno-test.yaml index 2c2c09107..7156072c5 100644 --- a/best-practices/disallow-cri-sock-mount/kyverno-test.yaml +++ b/best-practices/disallow-cri-sock-mount/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: disallow-cri-sock-mount +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-cri-sock-mount policies: - disallow-cri-sock-mount.yaml resources: @@ -8,35 +11,25 @@ results: policy: disallow-container-sock-mounts resources: - pod-with-docker-sock-mount - result: fail - rule: validate-docker-sock-mount -- kind: Pod - policy: disallow-container-sock-mounts - resources: - - pod-with-docker-sock-mount + - goodpod01 result: pass rule: validate-containerd-sock-mount - kind: Pod policy: disallow-container-sock-mounts resources: - pod-with-docker-sock-mount + - goodpod01 result: pass rule: validate-crio-sock-mount - kind: Pod policy: disallow-container-sock-mounts resources: - - goodpod01 - result: pass + - pod-with-docker-sock-mount + result: fail rule: validate-docker-sock-mount - kind: Pod policy: disallow-container-sock-mounts resources: - goodpod01 result: pass - rule: validate-containerd-sock-mount -- kind: Pod - policy: disallow-container-sock-mounts - resources: - - goodpod01 - result: pass - rule: validate-crio-sock-mount + rule: validate-docker-sock-mount diff --git a/best-practices/disallow-default-namespace/kyverno-test.yaml b/best-practices/disallow-default-namespace/kyverno-test.yaml index 53e3b33f3..c1429e0a4 100644 --- a/best-practices/disallow-default-namespace/kyverno-test.yaml 
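Review bot: In the rewritten `results:` block of `disallow-cri-sock-mount/kyverno-test.yaml`, the `validate-containerd-sock-mount` and `validate-crio-sock-mount` rules are only ever exercised with passing resources (`pod-with-docker-sock-mount` and `goodpod01`), so the test cannot detect a regression in either rule; the only `result: fail` entry belongs to `validate-docker-sock-mount`. A bad pod mounting the containerd socket and one mounting the CRI-O socket, each listed with `result: fail` under its rule, would give every rule a negative case — the exact paths the policy matches are not visible here, so take them from `disallow-cri-sock-mount.yaml`. The `- kind: Pod` entry this hunk opens in begins above the hunk, so the first result's kind is assumed from the surrounding entries.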
+++ b/best-practices/disallow-default-namespace/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: disallow-default-namespace +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-default-namespace policies: - disallow-default-namespace.yaml resources: diff --git a/best-practices/disallow-empty-ingress-host/kyverno-test.yaml b/best-practices/disallow-empty-ingress-host/kyverno-test.yaml index 335f5721a..0bae70029 100644 --- a/best-practices/disallow-empty-ingress-host/kyverno-test.yaml +++ b/best-practices/disallow-empty-ingress-host/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: disallow-empty-ingress-host +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-empty-ingress-host policies: - disallow-empty-ingress-host.yaml resources: @@ -7,12 +10,12 @@ results: - kind: Ingress policy: disallow-empty-ingress-host resources: - - ingress-wildcard-host - result: pass + - minimal-ingress + result: fail rule: disallow-empty-ingress-host - kind: Ingress policy: disallow-empty-ingress-host resources: - - minimal-ingress - result: fail + - ingress-wildcard-host + result: pass rule: disallow-empty-ingress-host diff --git a/best-practices/disallow-helm-tiller/kyverno-test.yaml b/best-practices/disallow-helm-tiller/kyverno-test.yaml index 7f81b797d..c541fc34a 100644 --- a/best-practices/disallow-helm-tiller/kyverno-test.yaml +++ b/best-practices/disallow-helm-tiller/kyverno-test.yaml 
@@ -1,42 +1,35 @@ -name: disallow-helm-tiller +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-helm-tiller policies: - disallow-helm-tiller.yaml resources: - resource.yaml results: -- kind: Pod +- kind: Deployment policy: disallow-helm-tiller resources: - - badpod01 + - baddeployment01 result: fail rule: validate-helm-tiller - kind: Pod policy: disallow-helm-tiller resources: + - badpod01 - badpod02 result: fail rule: validate-helm-tiller -- kind: Pod +- kind: Deployment policy: disallow-helm-tiller resources: - - goodpod01 + - gooddeployment01 result: pass rule: validate-helm-tiller - kind: Pod policy: disallow-helm-tiller resources: + - goodpod01 - goodpod02 result: pass rule: validate-helm-tiller -- kind: Deployment - policy: disallow-helm-tiller - resources: - - gooddeployment01 - result: pass - rule: validate-helm-tiller -- kind: Deployment - policy: disallow-helm-tiller - resources: - - baddeployment01 - result: fail - rule: validate-helm-tiller diff --git a/best-practices/disallow-latest-tag/kyverno-test.yaml b/best-practices/disallow-latest-tag/kyverno-test.yaml index cd8b2d9b9..3508f1dd1 100644 --- a/best-practices/disallow-latest-tag/kyverno-test.yaml +++ b/best-practices/disallow-latest-tag/kyverno-test.yaml @@ -1,24 +1,22 @@ -name: disallow-latest-tag +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-latest-tag policies: - disallow-latest-tag.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-latest-tag - resources: - - myapp-pod - result: pass - rule: require-image-tag -- kind: Pod +- kind: Deployment policy: disallow-latest-tag resources: - - badpod01 + - baddeployment01 result: fail rule: require-image-tag - kind: Pod policy: disallow-latest-tag resources: + - badpod01 - badpod02 result: fail rule: require-image-tag 
@@ -28,27 +26,22 @@ results: - gooddeployment01 result: pass rule: require-image-tag -- kind: Deployment - policy: disallow-latest-tag - resources: - - baddeployment01 - result: fail - rule: require-image-tag - kind: Pod policy: disallow-latest-tag resources: - myapp-pod result: pass - rule: validate-image-tag -- kind: Pod + rule: require-image-tag +- kind: Deployment policy: disallow-latest-tag resources: - - vit-badpod01 + - vit-baddeployment01 result: fail rule: validate-image-tag - kind: Pod policy: disallow-latest-tag resources: + - vit-badpod01 - vit-badpod02 result: fail rule: validate-image-tag @@ -58,9 +51,9 @@ results: - gooddeployment01 result: pass rule: validate-image-tag -- kind: Deployment +- kind: Pod policy: disallow-latest-tag resources: - - vit-baddeployment01 - result: fail + - myapp-pod + result: pass rule: validate-image-tag diff --git a/best-practices/require-drop-all/kyverno-test.yaml b/best-practices/require-drop-all/kyverno-test.yaml index 3cf562306..7d6c743ae 100644 --- a/best-practices/require-drop-all/kyverno-test.yaml +++ b/best-practices/require-drop-all/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: require-drop-all +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-drop-all policies: - require-drop-all.yaml resources: @@ -7,12 +10,12 @@ results: - kind: Pod policy: drop-all-capabilities resources: - - add-capabilities - result: pass + - add-capabilities-bad + result: fail rule: require-drop-all - kind: Pod policy: drop-all-capabilities resources: - - add-capabilities-bad - result: fail + - add-capabilities + result: pass rule: require-drop-all diff --git a/best-practices/require-drop-cap-net-raw/kyverno-test.yaml b/best-practices/require-drop-cap-net-raw/kyverno-test.yaml index 528513da1..6c5707dac 100644 --- a/best-practices/require-drop-cap-net-raw/kyverno-test.yaml +++ b/best-practices/require-drop-cap-net-raw/kyverno-test.yaml 
@@ -1,24 +1,22 @@ -name: require-drop-cap-net-raw +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-drop-cap-net-raw policies: - require-drop-cap-net-raw.yaml resources: - resource.yaml results: -- kind: Pod - policy: drop-cap-net-raw - resources: - - drop-good - result: pass - rule: require-drop-cap-net-raw - kind: Pod policy: drop-cap-net-raw resources: - badpod01 + - badpod02 result: fail rule: require-drop-cap-net-raw - kind: Pod policy: drop-cap-net-raw resources: - - badpod02 - result: fail + - drop-good + result: pass rule: require-drop-cap-net-raw diff --git a/best-practices/require-labels/kyverno-test.yaml b/best-practices/require-labels/kyverno-test.yaml index fdbf1b860..777759192 100644 --- a/best-practices/require-labels/kyverno-test.yaml +++ b/best-practices/require-labels/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: require-labels +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-labels policies: - require-labels.yaml resources: @@ -8,11 +11,6 @@ results: policy: require-labels resources: - badpod01 - result: fail - rule: check-for-labels -- kind: Pod - policy: require-labels - resources: - badpod02 result: fail rule: check-for-labels @@ -20,11 +18,6 @@ results: policy: require-labels resources: - goodpod01 - result: pass - rule: check-for-labels -- kind: Pod - policy: require-labels - resources: - goodpod02 result: pass rule: check-for-labels diff --git a/best-practices/require-pod-requests-limits/kyverno-test.yaml b/best-practices/require-pod-requests-limits/kyverno-test.yaml index 818cab65b..2a62d88e6 100644 --- a/best-practices/require-pod-requests-limits/kyverno-test.yaml +++ b/best-practices/require-pod-requests-limits/kyverno-test.yaml 
@@ -1,36 +1,24 @@ -name: require-requests-limits +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-requests-limits policies: - require-pod-requests-limits.yaml resources: - resource.yaml results: -- kind: Pod - policy: require-requests-limits - resources: - - goodpod01 - result: pass - rule: validate-resources -- kind: Pod - policy: require-requests-limits - resources: - - goodpod02 - result: pass - rule: validate-resources - kind: Pod policy: require-requests-limits resources: - badpod01 - result: fail - rule: validate-resources -- kind: Pod - policy: require-requests-limits - resources: - badpod02 + - badpod03 result: fail rule: validate-resources - kind: Pod policy: require-requests-limits resources: - - badpod03 - result: fail + - goodpod01 + - goodpod02 + result: pass rule: validate-resources diff --git a/best-practices/require-probes/kyverno-test.yaml b/best-practices/require-probes/kyverno-test.yaml index 17d77f899..5ae1833b0 100644 --- a/best-practices/require-probes/kyverno-test.yaml +++ b/best-practices/require-probes/kyverno-test.yaml @@ -1,22 +1,25 @@ -name: require-pod-probes +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-pod-probes policies: - - require-probes.yaml +- require-probes.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: require-pod-probes - rule: validate-probes - resources: - - goodpod01 - - goodpod02 - - goodpod03 - - goodpod04 - kind: Pod - result: pass - - policy: require-pod-probes - rule: validate-probes - resources: - - badpod01 - - badpod02 - kind: Pod - result: fail \ No newline at end of file +- kind: Pod + policy: require-pod-probes + resources: + - badpod01 + - badpod02 + result: fail + rule: validate-probes +- kind: Pod + policy: require-pod-probes + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + result: pass + rule: validate-probes 
diff --git a/best-practices/require-ro-rootfs/kyverno-test.yaml b/best-practices/require-ro-rootfs/kyverno-test.yaml index dc0b30bfb..b4a64f159 100644 --- a/best-practices/require-ro-rootfs/kyverno-test.yaml +++ b/best-practices/require-ro-rootfs/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: require-ro-rootfs +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-ro-rootfs policies: - require-ro-rootfs.yaml resources: @@ -8,17 +11,7 @@ results: policy: require-ro-rootfs resources: - badpod01 - result: fail - rule: validate-readOnlyRootFilesystem -- kind: Pod - policy: require-ro-rootfs - resources: - badpod02 - result: fail - rule: validate-readOnlyRootFilesystem -- kind: Pod - policy: require-ro-rootfs - resources: - badpod03 result: fail rule: validate-readOnlyRootFilesystem @@ -26,11 +19,6 @@ results: policy: require-ro-rootfs resources: - goodpod01 - result: pass - rule: validate-readOnlyRootFilesystem -- kind: Pod - policy: require-ro-rootfs - resources: - goodpod02 result: pass rule: validate-readOnlyRootFilesystem diff --git a/best-practices/restrict-image-registries/kyverno-test.yaml b/best-practices/restrict-image-registries/kyverno-test.yaml index 96da63f07..c9dd903c6 100644 --- a/best-practices/restrict-image-registries/kyverno-test.yaml +++ b/best-practices/restrict-image-registries/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict-image-registries +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-image-registries policies: - restrict-image-registries.yaml resources: 
@@ -8,23 +11,8 @@ results: policy: restrict-image-registries resources: - badpod01 - result: fail - rule: validate-registries -- kind: Pod - policy: restrict-image-registries - resources: - badpod02 - result: fail - rule: validate-registries -- kind: Pod - policy: restrict-image-registries - resources: - badpod03 - result: fail - rule: validate-registries -- kind: Pod - policy: restrict-image-registries - resources: - badpod04 result: fail rule: validate-registries @@ -32,17 +20,7 @@ results: policy: restrict-image-registries resources: - goodpod01 - result: pass - rule: validate-registries -- kind: Pod - policy: restrict-image-registries - resources: - goodpod02 - result: pass - rule: validate-registries -- kind: Pod - policy: restrict-image-registries - resources: - goodpod03 result: pass rule: validate-registries diff --git a/best-practices/restrict-node-port/kyverno-test.yaml b/best-practices/restrict-node-port/kyverno-test.yaml index 08a30ebc2..e3e0f496d 100644 --- a/best-practices/restrict-node-port/kyverno-test.yaml +++ b/best-practices/restrict-node-port/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict-node-port +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-node-port policies: - restrict-node-port.yaml resources: @@ -14,11 +17,6 @@ results: policy: restrict-nodeport resources: - goodservice01 - result: pass - rule: validate-nodeport -- kind: Service - policy: restrict-nodeport - resources: - goodservice02 result: pass rule: validate-nodeport diff --git a/best-practices/restrict-service-external-ips/kyverno-test.yaml b/best-practices/restrict-service-external-ips/kyverno-test.yaml index d4cfca0bf..2242f86e9 100644 --- a/best-practices/restrict-service-external-ips/kyverno-test.yaml +++ b/best-practices/restrict-service-external-ips/kyverno-test.yaml 
@@ -1,24 +1,22 @@ -name: restrict-external-ips +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-external-ips policies: - restrict-service-external-ips.yaml resources: - resource.yaml results: -- kind: Service - policy: restrict-external-ips - resources: - - goodservice01 - result: pass - rule: check-ips - kind: Service policy: restrict-external-ips resources: - badservice01 + - badservice02 result: fail rule: check-ips - kind: Service policy: restrict-external-ips resources: - - badservice02 - result: fail + - goodservice01 + result: pass rule: check-ips diff --git a/castai/add-castai-removal-disabled/kyverno-test.yaml b/castai/add-castai-removal-disabled/kyverno-test.yaml index 0f182e19e..72423d47a 100644 --- a/castai/add-castai-removal-disabled/kyverno-test.yaml +++ b/castai/add-castai-removal-disabled/kyverno-test.yaml @@ -1,16 +1,12 @@ -name: add-castai-removal-disabled +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-castai-removal-disabled policies: - add-castai-removal-disabled.yaml resources: - resources.yaml results: -- kind: Job - patchedResource: patched01.yaml - policy: add-castai-removal-disabled - resources: - - addjob01 - result: pass - rule: do-not-evict-jobs - kind: CronJob patchedResource: patched02.yaml policy: add-castai-removal-disabled @@ -18,3 +14,10 @@ results: - addcronjob01 result: pass rule: do-not-evict-cronjobs +- kind: Job + patchedResource: patched01.yaml + policy: add-castai-removal-disabled + resources: + - addjob01 + result: pass + rule: do-not-evict-jobs diff --git a/cert-manager/limit-dnsnames/kyverno-test.yaml b/cert-manager/limit-dnsnames/kyverno-test.yaml index 6c661ec7d..7d210e4a6 100644 --- a/cert-manager/limit-dnsnames/kyverno-test.yaml +++ b/cert-manager/limit-dnsnames/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: limit_dnsnames +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: limit_dnsnames policies: - limit-dnsnames.yaml resources: 
diff --git a/cert-manager/limit-duration/kyverno-test.yaml b/cert-manager/limit-duration/kyverno-test.yaml index b997197ed..5b90ed748 100644 --- a/cert-manager/limit-duration/kyverno-test.yaml +++ b/cert-manager/limit-duration/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: limit-duration +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: limit-duration policies: - limit-duration.yaml resources: @@ -7,8 +10,8 @@ results: - kind: Certificate policy: cert-manager-limit-duration resources: - - acme-crt - result: skip + - acme-crt-long + result: fail rule: certificate-duration-max-100days - kind: Certificate policy: cert-manager-limit-duration @@ -19,6 +22,6 @@ results: - kind: Certificate policy: cert-manager-limit-duration resources: - - acme-crt-long - result: fail + - acme-crt + result: skip rule: certificate-duration-max-100days diff --git a/cert-manager/restrict-issuer/kyverno-test.yaml b/cert-manager/restrict-issuer/kyverno-test.yaml index 92ac1283f..e64bea4af 100644 --- a/cert-manager/restrict-issuer/kyverno-test.yaml +++ b/cert-manager/restrict-issuer/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict-issuer +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-issuer policies: - restrict-issuer.yaml resources: @@ -7,12 +10,12 @@ results: - kind: Certificate policy: cert-manager-restrict-issuer resources: - - letsencrypt-crt - result: pass + - acme-crt + result: fail rule: restrict-corp-cert-issuer - kind: Certificate policy: cert-manager-restrict-issuer resources: - - acme-crt - result: fail + - letsencrypt-crt + result: pass rule: restrict-corp-cert-issuer diff --git a/consul/enforce-min-tls-version/kyverno-test.yaml b/consul/enforce-min-tls-version/kyverno-test.yaml index d83e21579..5e41666bf 100644 --- a/consul/enforce-min-tls-version/kyverno-test.yaml +++ b/consul/enforce-min-tls-version/kyverno-test.yaml 
@@ -1,4 +1,7 @@ -name: enforce-min-tls-version +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: enforce-min-tls-version policies: - enforce-min-tls-version.yaml resources: diff --git a/external-secret-operator/add-external-secret-prefix/kyverno-test.yaml b/external-secret-operator/add-external-secret-prefix/kyverno-test.yaml index 4edab2491..63fb99773 100644 --- a/external-secret-operator/add-external-secret-prefix/kyverno-test.yaml +++ b/external-secret-operator/add-external-secret-prefix/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: add-external-secret-prefix +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-external-secret-prefix policies: - add-external-secret-prefix.yaml resources: diff --git a/istio/restrict-virtual-service-wildcard/kyverno-test.yaml b/istio/restrict-virtual-service-wildcard/kyverno-test.yaml index 93573cf66..0fb34299d 100644 --- a/istio/restrict-virtual-service-wildcard/kyverno-test.yaml +++ b/istio/restrict-virtual-service-wildcard/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict-virtual-service-wildcard +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-virtual-service-wildcard policies: - restrict-virtual-service-wildcard.yaml resources: diff --git a/karpenter/add-karpenter-daemonset-priority-class/kyverno-test.yaml b/karpenter/add-karpenter-daemonset-priority-class/kyverno-test.yaml index cd97849e2..2fa368a49 100644 --- a/karpenter/add-karpenter-daemonset-priority-class/kyverno-test.yaml +++ b/karpenter/add-karpenter-daemonset-priority-class/kyverno-test.yaml 
@@ -1,14 +1,16 @@ -name: test-add-karpenter-daemonset-priority-class +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: test-add-karpenter-daemonset-priority-class policies: - add-karpenter-daemonset-priority-class.yaml resources: - daemonset.yaml results: - kind: DaemonSet - namespace: test patchedResource: daemonset-patched.yaml policy: add-karpenter-daemonset-priority-class resources: - - test + - test/test result: pass rule: add-karpenter-daemonset-priority-class diff --git a/karpenter/add-karpenter-donot-evict/kyverno-test.yaml b/karpenter/add-karpenter-donot-evict/kyverno-test.yaml index d620e6744..449e2f3c0 100644 --- a/karpenter/add-karpenter-donot-evict/kyverno-test.yaml +++ b/karpenter/add-karpenter-donot-evict/kyverno-test.yaml @@ -1,16 +1,12 @@ -name: add-karpenter-donot-evict +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-karpenter-donot-evict policies: - add-karpenter-donot-evict.yaml resources: - resource.yaml results: -- kind: Job - patchedResource: patched01.yaml - policy: add-karpenter-donot-evict - resources: - - addjob01 - result: pass - rule: do-not-evict-jobs - kind: CronJob patchedResource: patched02.yaml policy: add-karpenter-donot-evict @@ -18,3 +14,10 @@ results: - addcronjob01 result: pass rule: do-not-evict-cronjobs +- kind: Job + patchedResource: patched01.yaml + policy: add-karpenter-donot-evict + resources: + - addjob01 + result: pass + rule: do-not-evict-jobs diff --git a/karpenter/set-karpenter-non-cpu-limits/kyverno-test.yaml b/karpenter/set-karpenter-non-cpu-limits/kyverno-test.yaml index aa646d6e9..ea9df80b3 100644 --- a/karpenter/set-karpenter-non-cpu-limits/kyverno-test.yaml +++ b/karpenter/set-karpenter-non-cpu-limits/kyverno-test.yaml 
@@ -1,70 +1,65 @@ -name: set-karpenter-non-cpu-limits +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: set-karpenter-non-cpu-limits policies: - set-karpenter-non-cpu-limits.yaml resources: - resources.yaml results: - kind: Pod - namespace: test patchedResource: pod-ephemeral-storage-patched1.yaml policy: set-karpenter-non-cpu-limits resources: - - test1 + - test/test1 result: pass rule: set-ephemeral-storage - kind: Pod - namespace: test - patchedResource: pod-memory-patched1.yaml + patchedResource: pod-ephemeral-storage-patched2.yaml policy: set-karpenter-non-cpu-limits resources: - - test1 + - test/test2 result: pass - rule: set-memory + rule: set-ephemeral-storage - kind: Pod - namespace: test - patchedResource: pod-ephemeral-storage-patched2.yaml + patchedResource: pod-ephemeral-storage-patched3.yaml policy: set-karpenter-non-cpu-limits resources: - - test2 + - test/test3 result: pass rule: set-ephemeral-storage - kind: Pod - namespace: test - patchedResource: pod-memory-patched2.yaml + patchedResource: pod-ephemeral-storage-patched4.yaml policy: set-karpenter-non-cpu-limits resources: - - test2 + - test/test4 result: pass - rule: set-memory + rule: set-ephemeral-storage - kind: Pod - namespace: test - patchedResource: pod-ephemeral-storage-patched3.yaml + patchedResource: pod-memory-patched1.yaml policy: set-karpenter-non-cpu-limits resources: - - test3 + - test/test1 result: pass - rule: set-ephemeral-storage + rule: set-memory - kind: Pod - namespace: test - patchedResource: pod-memory-patched3.yaml + patchedResource: pod-memory-patched2.yaml policy: set-karpenter-non-cpu-limits resources: - - test3 + - test/test2 result: pass rule: set-memory - kind: Pod - namespace: test - patchedResource: pod-ephemeral-storage-patched4.yaml + patchedResource: pod-memory-patched3.yaml policy: set-karpenter-non-cpu-limits resources: - - test4 + - test/test3 result: pass - rule: set-ephemeral-storage + rule: set-memory - kind: Pod - namespace: test 
patchedResource: pod-memory-patched4.yaml policy: set-karpenter-non-cpu-limits resources: - - test4 + - test/test4 result: skip rule: set-memory diff --git a/kasten/k10-3-2-1-backup/kyverno-test.yaml b/kasten/k10-3-2-1-backup/kyverno-test.yaml index de2fac82a..827f2110c 100644 --- a/kasten/k10-3-2-1-backup/kyverno-test.yaml +++ b/kasten/k10-3-2-1-backup/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: kyverno_data_protection_tests +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno_data_protection_tests policies: - k10-3-2-1-backup.yaml resources: @@ -7,12 +10,12 @@ results: - kind: Policy policy: k10-3-2-1-backup-policy resources: - - sample-custom-backup-policy - result: pass + - sample-custom-backup-policy-invalid + result: fail rule: k10-3-2-1-backup-policy - kind: Policy policy: k10-3-2-1-backup-policy resources: - - sample-custom-backup-policy-invalid - result: fail + - sample-custom-backup-policy + result: pass rule: k10-3-2-1-backup-policy diff --git a/kasten/k10-data-protection-by-label/kyverno-test.yaml b/kasten/k10-data-protection-by-label/kyverno-test.yaml index b17da245e..63d0db628 100644 --- a/kasten/k10-data-protection-by-label/kyverno-test.yaml +++ b/kasten/k10-data-protection-by-label/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: kyverno_data_protection_tests +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno_data_protection_tests policies: - k10-data-protection-by-label.yaml resources: @@ -7,12 +10,12 @@ results: - kind: Deployment policy: k10-data-protection-by-label resources: - - nginx-deployment - result: pass + - nginx-deployment-invalid + result: fail rule: k10-data-protection-by-label - kind: Deployment policy: k10-data-protection-by-label resources: - - nginx-deployment-invalid - result: fail + - nginx-deployment + result: pass rule: k10-data-protection-by-label 
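Review bot: `name: kyverno_data_protection_tests` in the migrated header of kasten/k10-3-2-1-backup/kyverno-test.yaml is not specific to this policy, and this patch carries the identical name into k10-data-protection-by-label, k10-hourly-rpo, k10-immutable-location-profile and k10-minimum-retention, so anything that reports by Test name cannot be traced back to one directory. Since the header is being rewritten into `metadata.name` anyway, set it to the directory name here, `name: k10-3-2-1-backup`, and the matching policy name in each sibling. The reordered results still cover sample-custom-backup-policy as pass and sample-custom-backup-policy-invalid as fail, so no coverage is lost.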
diff --git a/kasten/k10-generate-policy-by-preset-label/kyverno-test.yaml b/kasten/k10-generate-policy-by-preset-label/kyverno-test.yaml index f8e535290..2bbae7c85 100644 --- a/kasten/k10-generate-policy-by-preset-label/kyverno-test.yaml +++ b/kasten/k10-generate-policy-by-preset-label/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: k10-generate-policy-by-preset-label-test +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: k10-generate-policy-by-preset-label-test policies: - k10-generate-policy-by-preset-label.yaml resources: diff --git a/kasten/k10-generate-policy-by-preset-label/test-values.yaml b/kasten/k10-generate-policy-by-preset-label/test-values.yaml index 25c84c53e..a1dd29ca5 100644 --- a/kasten/k10-generate-policy-by-preset-label/test-values.yaml +++ b/kasten/k10-generate-policy-by-preset-label/test-values.yaml @@ -1,10 +1,12 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: +- name: k10-generate-policy-by-preset-label + resources: + - name: test-namespace + values: + request.namespace: test-namespace + rules: - name: k10-generate-policy-by-preset-label - rules: - - name: k10-generate-policy-by-preset-label - values: - existingPolicy: 0 - resources: - - name: test-namespace - values: - request.namespace: test-namespace \ No newline at end of file + values: + existingPolicy: 0 diff --git a/kasten/k10-hourly-rpo/kyverno-test.yaml b/kasten/k10-hourly-rpo/kyverno-test.yaml index 8d07970f2..a0037eae2 100644 --- a/kasten/k10-hourly-rpo/kyverno-test.yaml +++ b/kasten/k10-hourly-rpo/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: kyverno_data_protection_tests +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno_data_protection_tests policies: - k10-hourly-rpo.yaml resources: 
@@ -7,12 +10,12 @@ results: - kind: Policy policy: k10-policy-hourly-rpo resources: - - hourly-policy - result: pass + - daily-policy + result: fail rule: k10-policy-hourly-rpo - kind: Policy policy: k10-policy-hourly-rpo resources: - - daily-policy - result: fail + - hourly-policy + result: pass rule: k10-policy-hourly-rpo diff --git a/kasten/k10-immutable-location-profile/kyverno-test.yaml b/kasten/k10-immutable-location-profile/kyverno-test.yaml index 3af24a913..8f99d4dd8 100644 --- a/kasten/k10-immutable-location-profile/kyverno-test.yaml +++ b/kasten/k10-immutable-location-profile/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: kyverno_data_protection_tests +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno_data_protection_tests policies: - k10-immutable-location-profile.yaml resources: @@ -7,12 +10,12 @@ results: - kind: Profile policy: k10-immutable-location-profile resources: - - sample-location-profile - result: pass + - sample-location-profile-invalid + result: fail rule: k10-immutable-location-profile - kind: Profile policy: k10-immutable-location-profile resources: - - sample-location-profile-invalid - result: fail + - sample-location-profile + result: pass rule: k10-immutable-location-profile diff --git a/kasten/k10-minimum-retention/kyverno-test.yaml b/kasten/k10-minimum-retention/kyverno-test.yaml index 285d9be6c..fb1e62ab9 100644 --- a/kasten/k10-minimum-retention/kyverno-test.yaml +++ b/kasten/k10-minimum-retention/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: kyverno_data_protection_tests +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: kyverno_data_protection_tests policies: - k10-minimum-retention.yaml resources: diff --git a/kasten/k10-validate-ns-by-preset-label/kyverno-test.yaml b/kasten/k10-validate-ns-by-preset-label/kyverno-test.yaml index 0f6b64f6c..03943d8f7 100644 --- a/kasten/k10-validate-ns-by-preset-label/kyverno-test.yaml +++ b/kasten/k10-validate-ns-by-preset-label/kyverno-test.yaml 
@@ -1,4 +1,7 @@ -name: k10-validate-ns-by-preset-label-test +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: k10-validate-ns-by-preset-label-test policies: - k10-validate-ns-by-preset-label.yaml resources: @@ -7,30 +10,15 @@ results: - kind: Namespace policy: k10-validate-ns-by-preset-label resources: - - namespace-gold - result: pass + - namespace-invalid + result: fail rule: k10-validate-ns-by-preset-label - kind: Namespace policy: k10-validate-ns-by-preset-label resources: + - namespace-gold - namespace-silver - result: pass - rule: k10-validate-ns-by-preset-label -- kind: Namespace - policy: k10-validate-ns-by-preset-label - resources: - namespace-bronze - result: pass - rule: k10-validate-ns-by-preset-label -- kind: Namespace - policy: k10-validate-ns-by-preset-label - resources: - namespace-none result: pass rule: k10-validate-ns-by-preset-label -- kind: Namespace - policy: k10-validate-ns-by-preset-label - resources: - - namespace-invalid - result: fail - rule: k10-validate-ns-by-preset-label diff --git a/kubecost/enable-kubecost-continuous-rightsizing/kyverno-test.yaml b/kubecost/enable-kubecost-continuous-rightsizing/kyverno-test.yaml index 1dd050697..342e06c49 100644 --- a/kubecost/enable-kubecost-continuous-rightsizing/kyverno-test.yaml +++ b/kubecost/enable-kubecost-continuous-rightsizing/kyverno-test.yaml 
@@ -1,19 +1,22 @@ -name: enable-kubecost-continuous-rightsizing +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: enable-kubecost-continuous-rightsizing policies: - enable-kubecost-continuous-rightsizing.yaml resources: - resource.yaml results: - kind: Deployment + patchedResource: patchedResource1.yaml policy: enable-kubecost-continuous-rightsizing resources: - - deploy01 - result: skip + - deploy02 + result: pass rule: enable-kubecost-autoscaling - kind: Deployment - patchedResource: patchedResource1.yaml policy: enable-kubecost-continuous-rightsizing resources: - - deploy02 - result: pass + - deploy01 + result: skip rule: enable-kubecost-autoscaling diff --git a/kubecost/require-kubecost-labels/kyverno-test.yaml b/kubecost/require-kubecost-labels/kyverno-test.yaml index a89a55946..2d861228d 100644 --- a/kubecost/require-kubecost-labels/kyverno-test.yaml +++ b/kubecost/require-kubecost-labels/kyverno-test.yaml @@ -1,22 +1,25 @@ -name: require-kubecost-labels +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-kubecost-labels policies: - - require-kubecost-labels.yaml +- require-kubecost-labels.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: require-kubecost-labels - rule: require-labels - resources: - - goodpod - kind: Pod - result: pass - - policy: require-kubecost-labels - rule: require-labels - resources: - - badpod01 - - badpod02 - - badpod03 - - badpod04 - - badpod05 - kind: Pod - result: fail +- kind: Pod + policy: require-kubecost-labels + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + result: fail + rule: require-labels +- kind: Pod + policy: require-kubecost-labels + resources: + - goodpod + result: pass + rule: require-labels diff --git a/kubevirt/add-services/kyverno-test.yaml b/kubevirt/add-services/kyverno-test.yaml index 0327eb1e2..96eca6307 100644 --- a/kubevirt/add-services/kyverno-test.yaml +++ b/kubevirt/add-services/kyverno-test.yaml 
@@ -1,13 +1,16 @@ -name: add-service-ssh +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-service-ssh policies: - - add-services.yaml +- add-services.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: k6t-add-services - rule: k6t-add-service-ssh - kind: VirtualMachineInstance - resources: - - vmi-name - generatedResource: generatedResource.yaml - result: pass +- generatedResource: generatedResource.yaml + kind: VirtualMachineInstance + policy: k6t-add-services + resources: + - vmi-name + result: pass + rule: k6t-add-service-ssh diff --git a/kubevirt/enforce-instancetype/kyverno-test.yaml b/kubevirt/enforce-instancetype/kyverno-test.yaml index 47f445aa1..041d83a5f 100644 --- a/kubevirt/enforce-instancetype/kyverno-test.yaml +++ b/kubevirt/enforce-instancetype/kyverno-test.yaml @@ -1,18 +1,21 @@ -name: enforce-instancetype +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: enforce-instancetype policies: - - enforce-instancetype.yaml +- enforce-instancetype.yaml resources: - - resource.yaml +- resource.yaml results: -- policy: k6t-enforce-instancetype +- kind: VirtualMachine + policy: k6t-enforce-instancetype + resources: + - vm-invalid + result: fail rule: k6t-ensure-instance-type-and-preference - kind: VirtualMachine +- kind: VirtualMachine + policy: k6t-enforce-instancetype resources: - vm-valid result: pass -- policy: k6t-enforce-instancetype rule: k6t-ensure-instance-type-and-preference - kind: VirtualMachine - resources: - - vm-invalid - result: fail diff --git a/nginx-ingress/disallow-ingress-nginx-custom-snippets/kyverno-test.yaml b/nginx-ingress/disallow-ingress-nginx-custom-snippets/kyverno-test.yaml index f12af650a..1ad43ff31 100644 --- a/nginx-ingress/disallow-ingress-nginx-custom-snippets/kyverno-test.yaml +++ b/nginx-ingress/disallow-ingress-nginx-custom-snippets/kyverno-test.yaml 
@@ -1,4 +1,7 @@ -name: disallow_nginx_custom_snippets +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow_nginx_custom_snippets policies: - disallow-ingress-nginx-custom-snippets.yaml resources: @@ -14,17 +17,7 @@ results: policy: disallow-ingress-nginx-custom-snippets resources: - config-map-false - result: pass - rule: check-config-map -- kind: ConfigMap - policy: disallow-ingress-nginx-custom-snippets - resources: - config-map-other - result: pass - rule: check-config-map -- kind: ConfigMap - policy: disallow-ingress-nginx-custom-snippets - resources: - config-map-empty result: pass rule: check-config-map diff --git a/nginx-ingress/restrict-annotations/kyverno-test.yaml b/nginx-ingress/restrict-annotations/kyverno-test.yaml index 284df3a23..56df93e64 100644 --- a/nginx-ingress/restrict-annotations/kyverno-test.yaml +++ b/nginx-ingress/restrict-annotations/kyverno-test.yaml @@ -1,48 +1,26 @@ -name: restrict-annotations +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-annotations policies: - restrict-annotations.yaml resources: - resources.yaml results: -- kind: Ingress - policy: restrict-annotations - resources: - - no-annotations - result: pass - rule: check-ingress -- kind: Ingress - policy: restrict-annotations - resources: - - good-annotations - result: pass - rule: check-ingress - kind: Ingress policy: restrict-annotations resources: - alias - result: fail - rule: check-ingress -- kind: Ingress - policy: restrict-annotations - resources: - root - result: fail - rule: check-ingress -- kind: Ingress - policy: restrict-annotations - resources: - etc-passwd - result: fail - rule: check-ingress -- kind: Ingress - policy: restrict-annotations - resources: - var-run-secrets + - lua result: fail rule: check-ingress - kind: Ingress policy: restrict-annotations resources: - - lua - result: fail + - no-annotations + - good-annotations + result: pass rule: check-ingress 
diff --git a/nginx-ingress/restrict-ingress-paths/kyverno-test.yaml b/nginx-ingress/restrict-ingress-paths/kyverno-test.yaml index 94df8ebb4..dfb846699 100644 --- a/nginx-ingress/restrict-ingress-paths/kyverno-test.yaml +++ b/nginx-ingress/restrict-ingress-paths/kyverno-test.yaml @@ -1,36 +1,24 @@ -name: restrict-annotations +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-annotations policies: - restrict-ingress-paths.yaml resources: - resources.yaml results: -- kind: Ingress - policy: restrict-ingress-paths - resources: - - good-paths - result: pass - rule: check-paths - kind: Ingress policy: restrict-ingress-paths resources: - bad-path-root - result: fail - rule: check-paths -- kind: Ingress - policy: restrict-ingress-paths - resources: - bad-path-etc - result: fail - rule: check-paths -- kind: Ingress - policy: restrict-ingress-paths - resources: - bad-path-serviceaccount + - bad-path-secrets result: fail rule: check-paths - kind: Ingress policy: restrict-ingress-paths resources: - - bad-path-secrets - result: fail + - good-paths + result: pass rule: check-paths diff --git a/openshift/check-routes/kyverno-test.yaml b/openshift/check-routes/kyverno-test.yaml index bf9d06554..67b89aa91 100644 --- a/openshift/check-routes/kyverno-test.yaml +++ b/openshift/check-routes/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: check-routes +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-routes policies: - check-routes.yaml resources: @@ -14,17 +17,7 @@ results: policy: check-routes resources: - frontend - result: pass - rule: require-tls-routes -- kind: Route - policy: check-routes - resources: - frontend-edge - result: pass - rule: require-tls-routes -- kind: Route - policy: check-routes - resources: - route-passthrough-secured result: pass rule: require-tls-routes diff --git a/openshift/disallow-deprecated-apis/kyverno-test.yaml b/openshift/disallow-deprecated-apis/kyverno-test.yaml index 5ce2cdafa..c380c2ea2 100644 
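Review bot: The new header of nginx-ingress/restrict-ingress-paths/kyverno-test.yaml keeps `name: restrict-annotations`, a leftover from the sibling restrict-annotations test that the migration copied verbatim; the file only loads restrict-ingress-paths.yaml. Now that this is a `metadata.name` on a `Test` resource it should identify this directory: `name: restrict-ingress-paths`. The merged entries still list bad-path-root, bad-path-etc, bad-path-serviceaccount and bad-path-secrets as fail and good-paths as pass, so the path-traversal cases remain covered.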
--- a/openshift/disallow-deprecated-apis/kyverno-test.yaml +++ b/openshift/disallow-deprecated-apis/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: check-routes +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-routes policies: - disallow-deprecated-apis.yaml resources: diff --git a/openshift/disallow-jenkins-pipeline-strategy/kyverno-test.yaml b/openshift/disallow-jenkins-pipeline-strategy/kyverno-test.yaml index 433ae5430..16a3d03a5 100644 --- a/openshift/disallow-jenkins-pipeline-strategy/kyverno-test.yaml +++ b/openshift/disallow-jenkins-pipeline-strategy/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: check-policy +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-policy policies: - disallow-jenkins-pipeline-strategy.yaml resources: @@ -8,23 +11,13 @@ results: policy: disallow-jenkins-pipeline-strategy resources: - sample-jenkins-pipeline - result: fail - rule: check-build-strategy -- kind: BuildConfig - policy: disallow-jenkins-pipeline-strategy - resources: - - sample-pipeline-no-jenkins - result: pass - rule: check-build-strategy -- kind: BuildConfig - policy: disallow-jenkins-pipeline-strategy - resources: - sample-jenkins-pipeline-new result: fail rule: check-build-strategy - kind: BuildConfig policy: disallow-jenkins-pipeline-strategy resources: + - sample-pipeline-no-jenkins - sample-pipeline-no-jenkins-new result: pass rule: check-build-strategy diff --git a/openshift/disallow-security-context-constraint-anyuid/kyverno-test.yaml b/openshift/disallow-security-context-constraint-anyuid/kyverno-test.yaml index d647a2e33..5a0e2778a 100644 --- a/openshift/disallow-security-context-constraint-anyuid/kyverno-test.yaml +++ b/openshift/disallow-security-context-constraint-anyuid/kyverno-test.yaml 
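Review bot: `name: check-routes` in openshift/disallow-deprecated-apis/kyverno-test.yaml names a different policy's test; the only policy the file references is disallow-deprecated-apis.yaml. Suggest `name: disallow-deprecated-apis`. The disallow-jenkins-pipeline-strategy header on this same line has the equivalent problem with `name: check-policy`, as does enforce-etcd-encryption further down, and all three would be cheap to fix in this sweep since the header lines are already being rewritten.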
@@ -1,45 +1,44 @@ -name: check-routes +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-routes policies: - disallow-security-context-constraint-anyuid.yaml resources: - resources.yaml results: -- kind: Role +- kind: ClusterRole policy: disallow-security-context-constraint-anyuid resources: - - pod-role-anyuid-use + - secret-reader-anyuid-use + - secret-reader-anyuid-all result: fail rule: check-security-context-constraint - kind: Role policy: disallow-security-context-constraint-anyuid resources: - - pod-role - result: pass - rule: check-security-context-constraint -- kind: Role - policy: disallow-security-context-constraint-anyuid - resources: + - pod-role-anyuid-use - pod-role-anyuid-all result: fail rule: check-security-context-constraint - kind: ClusterRole policy: disallow-security-context-constraint-anyuid resources: - - secret-reader-anyuid-use - result: fail + - secret-reader + result: pass rule: check-security-context-constraint -- kind: ClusterRole +- kind: Role policy: disallow-security-context-constraint-anyuid resources: - - secret-reader + - pod-role result: pass rule: check-security-context-constraint -- kind: ClusterRole +- kind: ClusterRoleBinding policy: disallow-security-context-constraint-anyuid resources: - - secret-reader-anyuid-all + - clusterrolebinding-anyuid result: fail - rule: check-security-context-constraint + rule: check-security-context-roleref - kind: RoleBinding policy: disallow-security-context-constraint-anyuid resources: @@ -49,8 +48,8 @@ results: - kind: ClusterRoleBinding policy: disallow-security-context-constraint-anyuid resources: - - clusterrolebinding-anyuid - result: fail + - clusterrolebinding-test + result: pass rule: check-security-context-roleref - kind: RoleBinding policy: disallow-security-context-constraint-anyuid 
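Review bot: `name: check-routes` in openshift/disallow-security-context-constraint-anyuid/kyverno-test.yaml is misleading for a test about RBAC grants of the anyuid SCC; suggest `name: disallow-security-context-constraint-anyuid` so a failing fixture is attributable to this policy. On substance the regrouping keeps every fixture: secret-reader-anyuid-use/-all and pod-role-anyuid-use/-all fail under check-security-context-constraint, secret-reader and pod-role pass, and clusterrolebinding-anyuid fails under check-security-context-roleref. The trailing RoleBinding entry is cut by the hunk boundary, so its expected result is not visible here.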
@@ -58,9 +57,3 @@ results: - rolebinding-test result: pass rule: check-security-context-roleref -- kind: ClusterRoleBinding - policy: disallow-security-context-constraint-anyuid - resources: - - clusterrolebinding-test - result: pass - rule: check-security-context-roleref diff --git a/openshift/disallow-self-provisioner-binding/kyverno-test.yaml b/openshift/disallow-self-provisioner-binding/kyverno-test.yaml index b87c7e66a..17f06ceca 100644 --- a/openshift/disallow-self-provisioner-binding/kyverno-test.yaml +++ b/openshift/disallow-self-provisioner-binding/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: check-routes +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-routes policies: - disallow-self-provisioner-binding.yaml resources: @@ -14,11 +17,6 @@ results: policy: disallow-self-provisioner-binding resources: - self-provisioners-custom - result: fail - rule: check-self-provisioner-binding-with-subject -- kind: ClusterRoleBinding - policy: disallow-self-provisioner-binding - resources: - self-provisioners-custom-test result: fail rule: check-self-provisioner-binding-with-subject diff --git a/openshift/disallow-self-provisioner-binding/values.yaml b/openshift/disallow-self-provisioner-binding/values.yaml index 760f2b426..1a0f122b0 100644 --- a/openshift/disallow-self-provisioner-binding/values.yaml +++ b/openshift/disallow-self-provisioner-binding/values.yaml @@ -1,8 +1,10 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: disallow-self-provisioner-binding - rules: - - name: check-self-provisioner-binding-no-subject - resources: - - name: self-provisioners - values: - request.operation: UPDATE +- name: disallow-self-provisioner-binding + resources: + - name: self-provisioners + values: + request.operation: UPDATE + rules: + - name: check-self-provisioner-binding-no-subject diff --git a/openshift/enforce-etcd-encryption/kyverno-test.yaml b/openshift/enforce-etcd-encryption/kyverno-test.yaml index 2b263afac..016e7b7b2 100644 
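Review bot: `name: check-routes` in openshift/disallow-self-provisioner-binding/kyverno-test.yaml is the third reuse of that name in this patch; suggest `name: disallow-self-provisioner-binding`. Merging self-provisioners-custom and self-provisioners-custom-test into one fail entry for check-self-provisioner-binding-with-subject preserves both cases.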
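Review bot: The rewritten openshift/disallow-self-provisioner-binding/values.yaml gains `apiVersion`/`kind` but still has no explanation of why `self-provisioners` is fed `request.operation: UPDATE` only for the check-self-provisioner-binding-no-subject rule; presumably that rule is scoped to updates of the default binding, but a reader cannot tell from this file. A one-line comment above the entry, such as `# Simulate an UPDATE of the default self-provisioners binding; the no-subject rule is only exercised on that operation`, would make the fixture self-describing.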
--- a/openshift/enforce-etcd-encryption/kyverno-test.yaml +++ b/openshift/enforce-etcd-encryption/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: check-policy +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-policy policies: - enforce-etcd-encryption.yaml resources: diff --git a/openshift/team-validate-ns-name/kyverno-test.yaml b/openshift/team-validate-ns-name/kyverno-test.yaml index 2f830fbe4..00f61c85a 100644 --- a/openshift/team-validate-ns-name/kyverno-test.yaml +++ b/openshift/team-validate-ns-name/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: team-validate-ns-name +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: team-validate-ns-name policies: - team-validate-ns-name.yaml resources: diff --git a/openshift/unique-routes/kyverno-test.yaml b/openshift/unique-routes/kyverno-test.yaml index e8656766e..b39f5dba5 100644 --- a/openshift/unique-routes/kyverno-test.yaml +++ b/openshift/unique-routes/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: unique-routes-tests +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: unique-routes-tests policies: - unique-routes.yaml resources: @@ -7,13 +10,13 @@ results: - kind: Route policy: unique-routes resources: - - hello-openshift-good - result: pass + - hello-openshift-bad + result: fail rule: require-unique-routes - kind: Route policy: unique-routes resources: - - hello-openshift-bad - result: fail + - hello-openshift-good + result: pass rule: require-unique-routes variables: mock.yaml diff --git a/openshift/unique-routes/mock.yaml b/openshift/unique-routes/mock.yaml index 45684bde9..c6c81b378 100644 --- a/openshift/unique-routes/mock.yaml +++ b/openshift/unique-routes/mock.yaml 
@@ -1,8 +1,8 @@ ---- -# this will mock the apiCall +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: unique-routes - rules: - - name: require-unique-routes - values: - hosts: "[\"hello-openshift-bad.mydomain\"]" +- name: unique-routes + rules: + - name: require-unique-routes + values: + hosts: '["hello-openshift-bad.mydomain"]' diff --git a/other/a/add-certificates-volume/kyverno-test.yaml b/other/a/add-certificates-volume/kyverno-test.yaml index 6e7258ce0..618435378 100644 --- a/other/a/add-certificates-volume/kyverno-test.yaml +++ b/other/a/add-certificates-volume/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: add-volume +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-volume policies: - add-certificates-volume.yaml resources: diff --git a/other/a/add-default-resources/kyverno-test.yaml b/other/a/add-default-resources/kyverno-test.yaml index 1ae3faa92..fbade4df0 100644 --- a/other/a/add-default-resources/kyverno-test.yaml +++ b/other/a/add-default-resources/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: add-default-resources +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-default-resources policies: - add-default-resources.yaml resources: @@ -12,16 +15,16 @@ results: result: pass rule: add-default-requests - kind: Pod - patchedResource: patchedResource2.yaml + patchedResource: patchedResource3.yaml policy: add-default-resources resources: - - nginx-demo2 - result: skip + - nginx-demo3 + result: pass rule: add-default-requests - kind: Pod - patchedResource: patchedResource3.yaml + patchedResource: patchedResource2.yaml policy: add-default-resources resources: - - nginx-demo3 - result: pass + - nginx-demo2 + result: skip rule: add-default-requests diff --git a/other/a/add-default-securitycontext/kyverno-test.yaml b/other/a/add-default-securitycontext/kyverno-test.yaml index bf67c18e8..9c27c3987 100644 --- a/other/a/add-default-securitycontext/kyverno-test.yaml 
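Review bot: The `# this will mock the apiCall` comment was dropped from mock.yaml together with the `---` document marker, so the rewritten file no longer says why a Values document lives in a file called mock.yaml or what the `hosts` value stands in for; restore a line above `policies:`, e.g. `# mocks the apiCall result that the require-unique-routes rule reads as hosts`. The change from the escaped double-quoted string to `'["hello-openshift-bad.mydomain"]'` yields the same scalar, so no behavior change there.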
+++ b/other/a/add-default-securitycontext/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-default-securitycontext
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-default-securitycontext
 policies:
 - add-default-securitycontext.yaml
 resources:
diff --git a/other/a/add-env-vars-from-cm/kyverno-test.yaml b/other/a/add-env-vars-from-cm/kyverno-test.yaml
index 9a41fde43..4b9b7677c 100644
--- a/other/a/add-env-vars-from-cm/kyverno-test.yaml
+++ b/other/a/add-env-vars-from-cm/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-env-vars-from-cm
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-env-vars-from-cm
 policies:
 - add-env-vars-from-cm.yaml
 resources:
diff --git a/other/a/add-image-as-env-var/kyverno-test.yaml b/other/a/add-image-as-env-var/kyverno-test.yaml
index 98ee9a180..f23a40588 100644
--- a/other/a/add-image-as-env-var/kyverno-test.yaml
+++ b/other/a/add-image-as-env-var/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-image-as-env-var
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-image-as-env-var
 policies:
 - add-image-as-env-var.yaml
 resources:
diff --git a/other/a/add-imagepullsecrets-for-containers-and-initcontainers/kyverno-test.yaml b/other/a/add-imagepullsecrets-for-containers-and-initcontainers/kyverno-test.yaml
index b3796df8f..378d6cf55 100644
--- a/other/a/add-imagepullsecrets-for-containers-and-initcontainers/kyverno-test.yaml
+++ b/other/a/add-imagepullsecrets-for-containers-and-initcontainers/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-imagepullsecrets-for-containers-and-initcontainers
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-imagepullsecrets-for-containers-and-initcontainers
 policies:
 - add-imagepullsecrets-for-containers-and-initcontainers.yaml
 resources:
diff --git a/other/a/add-imagepullsecrets/kyverno-test.yaml b/other/a/add-imagepullsecrets/kyverno-test.yaml
index 8fbbc7b82..f17511352 100644
--- a/other/a/add-imagepullsecrets/kyverno-test.yaml
+++ b/other/a/add-imagepullsecrets/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-imagepullsecrets
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-imagepullsecrets
 policies:
 - add-imagepullsecrets.yaml
 resources:
diff --git a/other/a/add-labels/kyverno-test.yaml b/other/a/add-labels/kyverno-test.yaml
index e92576dac..9b5cc1b7f 100644
--- a/other/a/add-labels/kyverno-test.yaml
+++ b/other/a/add-labels/kyverno-test.yaml
@@ -1,22 +1,23 @@
-name: add-labels
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-labels
 policies:
 - add-labels.yaml
 resources:
 - resource.yaml
 results:
 - kind: Pod
- namespace: default
 patchedResource: patchedResource.yaml
 policy: add-labels
 resources:
- - myapp-pod
+ - default/myapp-pod
 result: pass
 rule: add-labels
 - kind: Service
- namespace: default
 patchedResource: patchedResource1.yaml
 policy: add-labels
 resources:
- - my-service
+ - default/my-service
 result: pass
 rule: add-labels
diff --git a/other/a/add-ndots/kyverno-test.yaml b/other/a/add-ndots/kyverno-test.yaml
index 924a178b9..b118c9b82 100644
--- a/other/a/add-ndots/kyverno-test.yaml
+++ b/other/a/add-ndots/kyverno-test.yaml
@@ -1,14 +1,16 @@
-name: add-ndots
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-ndots
 policies:
 - add-ndots.yaml
 resources:
 - resource.yaml
 results:
 - kind: Pod
- namespace: default
 patchedResource: patchedResource.yaml
 policy: add-ndots
 resources:
- - myapp-pod
+ - default/myapp-pod
 result: pass
 rule: add-ndots
diff --git a/other/a/add-node-affinity/kyverno-test.yaml b/other/a/add-node-affinity/kyverno-test.yaml
index da18cd01b..2b527b6fe 100644
--- a/other/a/add-node-affinity/kyverno-test.yaml
+++ b/other/a/add-node-affinity/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-node-affinity
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-node-affinity
 policies:
 - add-node-affinity.yaml
 resources:
diff --git a/other/a/add-nodeSelector/kyverno-test.yaml b/other/a/add-nodeSelector/kyverno-test.yaml index 1b0ec91f4..e1fd36df6 100644 --- a/other/a/add-nodeSelector/kyverno-test.yaml +++ b/other/a/add-nodeSelector/kyverno-test.yaml @@ -1,14 +1,16 @@ -name: add-nodeselector +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-nodeselector policies: - add-nodeSelector.yaml resources: - resource.yaml results: - kind: Pod - namespace: default patchedResource: patchedResource.yaml policy: add-nodeselector resources: - - myapp-pod + - default/myapp-pod result: pass rule: add-nodeselector diff --git a/other/a/add-pod-priorityclassname/kyverno-test.yaml b/other/a/add-pod-priorityclassname/kyverno-test.yaml index 67bc7ebfc..03947e356 100644 --- a/other/a/add-pod-priorityclassname/kyverno-test.yaml +++ b/other/a/add-pod-priorityclassname/kyverno-test.yaml @@ -1,15 +1,17 @@ -name: add-pod-priorityclassname +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-pod-priorityclassname policies: - add-pod-priorityclassname.yaml resources: - resource.yaml results: - kind: Pod - namespace: foo patchedResource: patchedResource.yaml policy: add-pod-priorityclassname resources: - - blank + - foo/blank result: pass rule: add-priorityclass-pods variables: values.yaml diff --git a/other/a/add-pod-priorityclassname/values.yaml b/other/a/add-pod-priorityclassname/values.yaml index 834d3082e..336293100 100644 --- a/other/a/add-pod-priorityclassname/values.yaml +++ b/other/a/add-pod-priorityclassname/values.yaml @@ -1,7 +1,9 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values namespaceSelector: - - name: foo - labels: - env: foo - - name: production - labels: - env: production \ No newline at end of file +- labels: + env: foo + name: foo +- labels: + env: production + name: production diff --git a/other/a/add-pod-proxies/kyverno-test.yaml b/other/a/add-pod-proxies/kyverno-test.yaml index 8f06b7591..58f8643e6 100644 
--- a/other/a/add-pod-proxies/kyverno-test.yaml
+++ b/other/a/add-pod-proxies/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-pod-proxies
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-pod-proxies
 policies:
 - add-pod-proxies.yaml
 resources:
diff --git a/other/a/add-tolerations/kyverno-test.yaml b/other/a/add-tolerations/kyverno-test.yaml
index 01549eaef..353c5795f 100644
--- a/other/a/add-tolerations/kyverno-test.yaml
+++ b/other/a/add-tolerations/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: apply-pss-restricted-profile
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: apply-pss-restricted-profile
 policies:
 - add-tolerations.yaml
 resources:
diff --git a/other/a/add-ttl-jobs/kyverno-test.yaml b/other/a/add-ttl-jobs/kyverno-test.yaml
index db4d3daae..c31970123 100644
--- a/other/a/add-ttl-jobs/kyverno-test.yaml
+++ b/other/a/add-ttl-jobs/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-ttl-jobs
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-ttl-jobs
 policies:
 - add-ttl-jobs.yaml
 resources:
@@ -15,11 +18,6 @@ results:
 policy: add-ttl-jobs
 resources:
 - skipjob01
- result: skip
- rule: add-ttlSecondsAfterFinished
-- kind: Job
- policy: add-ttl-jobs
- resources:
 - skipjob02
 result: skip
 rule: add-ttlSecondsAfterFinished
diff --git a/other/a/add-volume-deployment/kyverno-test.yaml b/other/a/add-volume-deployment/kyverno-test.yaml
index 3a3976cbb..319a93cb5 100644
--- a/other/a/add-volume-deployment/kyverno-test.yaml
+++ b/other/a/add-volume-deployment/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-volume
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-volume
 policies:
 - add-volume-deployment.yaml
 resources:
diff --git a/other/a/advanced-restrict-image-registries/kyverno-test.yaml b/other/a/advanced-restrict-image-registries/kyverno-test.yaml
index b3ba77bc0..ad4dac5f0 100644
--- a/other/a/advanced-restrict-image-registries/kyverno-test.yaml
+++ b/other/a/advanced-restrict-image-registries/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: advanced-restrict-image-registries +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: advanced-restrict-image-registries policies: - advanced-restrict-image-registries.yaml resources: @@ -7,13 +10,13 @@ results: - kind: Pod policy: advanced-restrict-image-registries resources: - - good-pod - result: pass + - bad-pod + result: fail rule: validate-corp-registries - kind: Pod policy: advanced-restrict-image-registries resources: - - bad-pod - result: fail + - good-pod + result: pass rule: validate-corp-registries variables: values.yaml diff --git a/other/a/advanced-restrict-image-registries/values.yaml b/other/a/advanced-restrict-image-registries/values.yaml index 4d0d79a47..b0c3f1a37 100644 --- a/other/a/advanced-restrict-image-registries/values.yaml +++ b/other/a/advanced-restrict-image-registries/values.yaml @@ -1,12 +1,14 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: advanced-restrict-image-registries - rules: - - name: validate-corp-registries - values: - nsregistries: "docker.io/*" - clusterregistries.data.registries: "docker.io/*" - request.namespace: default - resources: - - name: bad-pod - values: - request.operation: UPDATE \ No newline at end of file +- name: advanced-restrict-image-registries + resources: + - name: bad-pod + values: + request.operation: UPDATE + rules: + - name: validate-corp-registries + values: + clusterregistries.data.registries: docker.io/* + nsregistries: docker.io/* + request.namespace: default diff --git a/other/a/allowed-annotations/kyverno-test.yaml b/other/a/allowed-annotations/kyverno-test.yaml index 5ea0b39e3..48cb6a05a 100644 --- a/other/a/allowed-annotations/kyverno-test.yaml +++ b/other/a/allowed-annotations/kyverno-test.yaml 
@@ -1,4 +1,7 @@ -name: allowed-annotations +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: allowed-annotations policies: - allowed-annotations.yaml resources: diff --git a/other/a/allowed-label-changes/kyverno-test.yaml b/other/a/allowed-label-changes/kyverno-test.yaml index dbf90d70e..e34ecc3d3 100644 --- a/other/a/allowed-label-changes/kyverno-test.yaml +++ b/other/a/allowed-label-changes/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: allowed-label-changes +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: allowed-label-changes policies: - allowed-label-changes.yaml resources: diff --git a/other/a/allowed-label-changes/values.yaml b/other/a/allowed-label-changes/values.yaml index cd30335e4..21c010f2a 100644 --- a/other/a/allowed-label-changes/values.yaml +++ b/other/a/allowed-label-changes/values.yaml @@ -1,3 +1,5 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - name: allowed-label-changes resources: @@ -6,4 +8,4 @@ policies: request.operation: UPDATE - name: goodpod01 values: - request.operation: UPDATE \ No newline at end of file + request.operation: UPDATE diff --git a/other/a/allowed-pod-priorities/kyverno-test.yaml b/other/a/allowed-pod-priorities/kyverno-test.yaml index e5d78dcf4..ec4debba8 100644 --- a/other/a/allowed-pod-priorities/kyverno-test.yaml +++ b/other/a/allowed-pod-priorities/kyverno-test.yaml @@ -1,15 +1,12 @@ -name: allowed-podpriorities +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: allowed-podpriorities policies: - allowed-pod-priorities.yaml resources: - resource.yaml results: -- kind: Pod - policy: allowed-podpriorities - resources: - - myapp-pod - result: pass - rule: validate-pod-priority-pods - kind: Deployment policy: allowed-podpriorities resources: 
@@ -22,4 +19,10 @@ results: - hello result: pass rule: validate-pod-priority-cronjob +- kind: Pod + policy: allowed-podpriorities + resources: + - myapp-pod + result: pass + rule: validate-pod-priority-pods variables: values.yaml diff --git a/other/a/allowed-pod-priorities/values.yaml b/other/a/allowed-pod-priorities/values.yaml index bc26bba18..6dbab6e10 100644 --- a/other/a/allowed-pod-priorities/values.yaml +++ b/other/a/allowed-pod-priorities/values.yaml 
@@ -1,23 +1,25 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: allowed-podpriorities - rules: - - name: validate-pod-priority-pods - values: - podprioritydict.data.default: "[\"high-priority\", \"moderate-priority\", \"low-priority\"]" - request.namespace: default - - name: validate-pod-priority - values: - podprioritydict.data.default: "[\"high-priority\", \"moderate-priority\", \"low-priority\"]" - request.namespace: default - - name: validate-pod-priority-cronjob - values: - podprioritydict.data.production: "[\"high-priority\", \"moderate-priority\", \"low-priority\"]" - request.namespace: production - - name: autogen-validate-pod-priority-pods - values: - podprioritydict.data.default: "[\"high-priority\", \"moderate-priority\", \"low-priority\"]" - request.namespace: default - - name: autogen-cronjob-validate-pod-priority-pods - values: - podprioritydict.data.default: "[\"high-priority\", \"moderate-priority\", \"low-priority\"]" - request.namespace: default \ No newline at end of file +- name: allowed-podpriorities + rules: + - name: validate-pod-priority-pods + values: + podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: default + - name: validate-pod-priority + values: + podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: default + - name: validate-pod-priority-cronjob + values: + podprioritydict.data.production: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: production + - name: autogen-validate-pod-priority-pods + values: + podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: default + - name: autogen-cronjob-validate-pod-priority-pods + values: + podprioritydict.data.default: '["high-priority", "moderate-priority", "low-priority"]' + request.namespace: default 
diff --git a/other/a/always-pull-images/kyverno-test.yaml b/other/a/always-pull-images/kyverno-test.yaml
index 67be39eb9..8d01ede84 100644
--- a/other/a/always-pull-images/kyverno-test.yaml
+++ b/other/a/always-pull-images/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: always-pull-images
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: always-pull-images
 policies:
 - always-pull-images.yaml
 resources:
diff --git a/other/a/apply-pss-restricted-profile/kyverno-test.yaml b/other/a/apply-pss-restricted-profile/kyverno-test.yaml
index 1a09ba896..f9528dcfc 100644
--- a/other/a/apply-pss-restricted-profile/kyverno-test.yaml
+++ b/other/a/apply-pss-restricted-profile/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: apply-pss-restricted-profile
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: apply-pss-restricted-profile
 policies:
 - apply-pss-restricted-profile.yaml
 resources:
diff --git a/other/b-d/block-images-with-volumes/kyverno-test.yaml b/other/b-d/block-images-with-volumes/kyverno-test.yaml
index 6462b5af1..532bdb969 100644
--- a/other/b-d/block-images-with-volumes/kyverno-test.yaml
+++ b/other/b-d/block-images-with-volumes/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: block-images-with-volumes
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: block-images-with-volumes
 policies:
 - block-images-with-volumes.yaml
 resources:
diff --git a/other/b-d/block-images-with-volumes/values.yaml b/other/b-d/block-images-with-volumes/values.yaml
index 36533a543..878d5cef0 100644
--- a/other/b-d/block-images-with-volumes/values.yaml
+++ b/other/b-d/block-images-with-volumes/values.yaml
@@ -1,6 +1,8 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
 policies:
- - name: block-images-with-volumes
- rules:
- - name: block-images-with-vols
- values:
- imageData.configData.config.Volumes: "1"
\ No newline at end of file
+- name: block-images-with-volumes
+ rules:
+ - name: block-images-with-vols
+ values:
+ imageData.configData.config.Volumes: "1"
diff --git a/other/b-d/block-large-images/kyverno-test.yaml b/other/b-d/block-large-images/kyverno-test.yaml index c457c7c98..01432fe7a 100644 --- a/other/b-d/block-large-images/kyverno-test.yaml +++ b/other/b-d/block-large-images/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: block-large-images +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: block-large-images policies: - block-large-images.yaml resources: diff --git a/other/b-d/block-large-images/values.yaml b/other/b-d/block-large-images/values.yaml index c83a642e2..973d99ddf 100644 --- a/other/b-d/block-large-images/values.yaml +++ b/other/b-d/block-large-images/values.yaml @@ -1,7 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: block-large-images - rules: - - name: block-over-twogi - values: - imageSize: "3Gi" - \ No newline at end of file +- name: block-large-images + rules: + - name: block-over-twogi + values: + imageSize: 3Gi diff --git a/other/b-d/block-stale-images/kyverno-test.yaml b/other/b-d/block-stale-images/kyverno-test.yaml index 9e3b03abd..ce20e8948 100644 --- a/other/b-d/block-stale-images/kyverno-test.yaml +++ b/other/b-d/block-stale-images/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: block-stale-images +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: block-stale-images policies: - block-stale-images.yaml resources: diff --git a/other/b-d/block-stale-images/values.yaml b/other/b-d/block-stale-images/values.yaml index f564dd48d..21c8683e7 100644 --- a/other/b-d/block-stale-images/values.yaml +++ b/other/b-d/block-stale-images/values.yaml @@ -1,7 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: +- name: block-stale-images + rules: - name: block-stale-images - rules: - - name: block-stale-images - values: - imageData.configData.created: "2020-05-01T03:15:12-07:00" - \ No newline at end of file + values: + imageData.configData.created: "2020-05-01T03:15:12-07:00" 
diff --git a/other/b-d/block-updates-deletes/kyverno-test.yaml b/other/b-d/block-updates-deletes/kyverno-test.yaml index 18cb10d0f..ed0f19ef3 100644 --- a/other/b-d/block-updates-deletes/kyverno-test.yaml +++ b/other/b-d/block-updates-deletes/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: block-updates-deletes +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: block-updates-deletes policies: - block-updates-deletes.yaml resources: @@ -7,13 +10,13 @@ results: - kind: Service policy: block-updates-deletes resources: - - my-service-1 - result: pass + - my-service-2 + result: fail rule: block-updates-deletes - kind: Service policy: block-updates-deletes resources: - - my-service-2 - result: fail + - my-service-1 + result: pass rule: block-updates-deletes variables: values.yaml diff --git a/other/b-d/block-updates-deletes/values.yaml b/other/b-d/block-updates-deletes/values.yaml index 8fb5ca496..51d0ab8d0 100644 --- a/other/b-d/block-updates-deletes/values.yaml +++ b/other/b-d/block-updates-deletes/values.yaml @@ -1,8 +1,10 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: +- name: block-updates-deletes + resources: + - name: my-service-2 + values: + request.operation: UPDATE + rules: - name: block-updates-deletes - rules: - - name: block-updates-deletes - resources: - - name: my-service-2 - values: - request.operation: UPDATE \ No newline at end of file diff --git a/other/b-d/check-env-vars/kyverno-test.yaml b/other/b-d/check-env-vars/kyverno-test.yaml index 9ba47b441..0ff13727b 100644 --- a/other/b-d/check-env-vars/kyverno-test.yaml +++ b/other/b-d/check-env-vars/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: opa-env +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: opa-env policies: - check-env-vars.yaml resources: diff --git a/other/b-d/check-nvidia-gpu/kyverno-test.yaml b/other/b-d/check-nvidia-gpu/kyverno-test.yaml index 5b9a6a278..348156a70 100644 --- a/other/b-d/check-nvidia-gpu/kyverno-test.yaml 
+++ b/other/b-d/check-nvidia-gpu/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: check-nvidia-gpus +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-nvidia-gpus policies: - check-nvidia-gpu.yaml resources: @@ -11,24 +14,14 @@ results: policy: check-nvidia-gpus resources: - goodpod01 + - badpod01 result: fail rule: check-nvidia-gpus - kind: Pod policy: check-nvidia-gpus resources: - goodpod02 - result: pass - rule: check-nvidia-gpus -- kind: Pod - policy: check-nvidia-gpus - resources: - goodpod03 result: pass rule: check-nvidia-gpus -- kind: Pod - policy: check-nvidia-gpus - resources: - - badpod01 - result: fail - rule: check-nvidia-gpus variables: values.yaml diff --git a/other/b-d/check-nvidia-gpu/values.yaml b/other/b-d/check-nvidia-gpu/values.yaml index 8eacd0050..a42a25be3 100644 --- a/other/b-d/check-nvidia-gpu/values.yaml +++ b/other/b-d/check-nvidia-gpu/values.yaml @@ -1,15 +1,15 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: +- name: check-nvidia-gpus + resources: + - name: goodpod03 + values: + request.operation: UPDATE + - name: badpod01 + values: + request.operation: UPDATE + rules: - name: check-nvidia-gpus - rules: - - name: check-nvidia-gpus - values: - imageData.configData.config.Env: "all" - resources: - - - name: goodpod03 - values: - request.operation: UPDATE - - - name: badpod01 - values: - request.operation: UPDATE \ No newline at end of file + values: + imageData.configData.config.Env: all diff --git a/other/b-d/check-serviceaccount/kyverno-test.yaml b/other/b-d/check-serviceaccount/kyverno-test.yaml index 914619e74..189c9806c 100644 --- a/other/b-d/check-serviceaccount/kyverno-test.yaml +++ b/other/b-d/check-serviceaccount/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: check-sa +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: check-sa policies: - check-serviceaccount.yaml resources: 
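Review bot: In the `@@ -11,24 +14,14 @@` hunk `- goodpod01` is now grouped with `- badpod01` under `result: fail`; that expectation is unchanged from the old side, but a fixture named goodpod01 that is expected to fail reads like a mistake, and merging it into the badpod01 entry makes the oddity easier to miss. Either the fixture should be renamed or a comment such as `# goodpod01 is expected to fail: <reason placeholder>` belongs next to it; the resource definitions are in resource.yaml outside this diff, so I cannot tell which is intended. The values.yaml hunk below only gives goodpod03 and badpod01 a `request.operation: UPDATE` override, so goodpod01 appears to run with none, which is worth stating in that comment too.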
diff --git a/other/b-d/check-serviceaccount/values.yaml b/other/b-d/check-serviceaccount/values.yaml
index 222553c97..877ddf2b1 100644
--- a/other/b-d/check-serviceaccount/values.yaml
+++ b/other/b-d/check-serviceaccount/values.yaml
@@ -1,3 +1,5 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
 policies:
 - name: check-sa
 resources:
diff --git a/other/b-d/create-default-pdb/kyverno-test.yaml b/other/b-d/create-default-pdb/kyverno-test.yaml
index eb365c08e..0c6746c24 100644
--- a/other/b-d/create-default-pdb/kyverno-test.yaml
+++ b/other/b-d/create-default-pdb/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: pdb-test
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: pdb-test
 policies:
 - create-default-pdb.yaml
 resources:
@@ -6,9 +9,8 @@ resources:
 results:
 - generatedResource: generatedResource.yaml
 kind: Deployment
- namespace: hello-world
 policy: create-default-pdb
 resources:
- - nginx-deployment
+ - hello-world/nginx-deployment
 result: pass
 rule: create-default-pdb
diff --git a/other/b-d/create-pod-antiaffinity/kyverno-test.yaml b/other/b-d/create-pod-antiaffinity/kyverno-test.yaml
index d805c1191..6ba64697f 100644
--- a/other/b-d/create-pod-antiaffinity/kyverno-test.yaml
+++ b/other/b-d/create-pod-antiaffinity/kyverno-test.yaml
@@ -1,25 +1,22 @@ -name: insert-pod-antiaffinity +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: insert-pod-antiaffinity policies: - - create-pod-antiaffinity.yaml +- create-pod-antiaffinity.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: insert-pod-antiaffinity - rule: insert-pod-antiaffinity - resources: - - mydeploy - patchedResource: patchedResource.yaml - kind: Deployment - result: pass - # - policy: insert-pod-antiaffinity - # rule: insert-pod-antiaffinity - # resources: - # - myapp-pod - # kind: Pod - # result: skip - - policy: insert-pod-antiaffinity - rule: insert-pod-antiaffinity - resources: - - mydeploy-missing-label - kind: Deployment - result: skip +- kind: Deployment + patchedResource: patchedResource.yaml + policy: insert-pod-antiaffinity + resources: + - mydeploy + result: pass + rule: insert-pod-antiaffinity +- kind: Deployment + policy: insert-pod-antiaffinity + resources: + - mydeploy-missing-label + result: skip + rule: insert-pod-antiaffinity diff --git a/other/b-d/deny-commands-in-exec-probe/kyverno-test.yaml b/other/b-d/deny-commands-in-exec-probe/kyverno-test.yaml index f11e82623..6f69b7516 100644 --- a/other/b-d/deny-commands-in-exec-probe/kyverno-test.yaml +++ b/other/b-d/deny-commands-in-exec-probe/kyverno-test.yaml 
@@ -1,29 +1,30 @@ -name: deny-commands-in-exec-probe +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: deny-commands-in-exec-probe policies: - - deny-commands-in-exec-probe.yaml +- deny-commands-in-exec-probe.yaml resources: - - resource.yaml +- resource.yaml results: -###### Pods - Bad - - policy: deny-commands-in-exec-probe - rule: check-commands - resources: - - badpod01 - - badpod02 - - badpod03 - kind: Pod - result: fail -###### Pods - Good - - policy: deny-commands-in-exec-probe - rule: check-commands - resources: - - goodpod01 - kind: Pod - result: skip - - policy: deny-commands-in-exec-probe - rule: check-commands - resources: - - goodpod02 - - goodpod03 - kind: Pod - result: pass +- kind: Pod + policy: deny-commands-in-exec-probe + resources: + - badpod01 + - badpod02 + - badpod03 + result: fail + rule: check-commands +- kind: Pod + policy: deny-commands-in-exec-probe + resources: + - goodpod02 + - goodpod03 + result: pass + rule: check-commands +- kind: Pod + policy: deny-commands-in-exec-probe + resources: + - goodpod01 + result: skip + rule: check-commands diff --git a/other/b-d/disable-automountserviceaccounttoken/kyverno-test.yaml b/other/b-d/disable-automountserviceaccounttoken/kyverno-test.yaml index d01b7ab24..b7c34530e 100644 --- a/other/b-d/disable-automountserviceaccounttoken/kyverno-test.yaml +++ b/other/b-d/disable-automountserviceaccounttoken/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: disable-automountserviceaccounttoken +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disable-automountserviceaccounttoken policies: - disable-automountserviceaccounttoken.yaml resources: diff --git a/other/b-d/disallow-all-secrets/kyverno-test.yaml b/other/b-d/disallow-all-secrets/kyverno-test.yaml index b4db2b25e..696f2d92b 100644 --- a/other/b-d/disallow-all-secrets/kyverno-test.yaml +++ b/other/b-d/disallow-all-secrets/kyverno-test.yaml 
@@ -1,69 +1,48 @@ -name: no-secrets +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: no-secrets policies: - disallow-all-secrets.yaml resources: - resource.yaml results: - kind: Pod - namespace: default policy: no-secrets resources: - - secret-env-pod + - default/secret-env-pod result: fail rule: secrets-not-from-env - kind: Pod - namespace: default policy: no-secrets resources: - - secret-env-pod - result: pass - rule: secrets-not-from-envfrom -- kind: Pod - namespace: default - policy: no-secrets - resources: - - secret-env-pod - result: pass - rule: secrets-not-from-volumes -- kind: Pod - namespace: default - policy: no-secrets - resources: - - secret-ref-pod + - default/secret-ref-pod + - default/secret-vol-pod result: pass rule: secrets-not-from-env - kind: Pod - namespace: default policy: no-secrets resources: - - secret-ref-pod + - default/secret-ref-pod result: fail rule: secrets-not-from-envfrom - kind: Pod - namespace: default policy: no-secrets resources: - - secret-ref-pod + - default/secret-env-pod + - default/secret-vol-pod result: pass - rule: secrets-not-from-volumes + rule: secrets-not-from-envfrom - kind: Pod - namespace: default policy: no-secrets resources: - - secret-vol-pod - result: pass - rule: secrets-not-from-env + - default/secret-vol-pod + result: fail + rule: secrets-not-from-volumes - kind: Pod - namespace: default policy: no-secrets resources: - - secret-vol-pod + - default/secret-env-pod + - default/secret-ref-pod result: pass - rule: secrets-not-from-envfrom -- kind: Pod - namespace: default - policy: no-secrets - resources: - - secret-vol-pod - result: fail rule: secrets-not-from-volumes diff --git a/other/b-d/disallow-localhost-services/kyverno-test.yaml b/other/b-d/disallow-localhost-services/kyverno-test.yaml index 7c68442c9..9643d1777 100644 --- a/other/b-d/disallow-localhost-services/kyverno-test.yaml +++ b/other/b-d/disallow-localhost-services/kyverno-test.yaml 
@@ -1,4 +1,7 @@
-name: no-localhost-service
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: no-localhost-service
 policies:
 - disallow-localhost-services.yaml
 resources:
diff --git a/other/b-d/disallow-secrets-from-env-vars/kyverno-test.yaml b/other/b-d/disallow-secrets-from-env-vars/kyverno-test.yaml
index ce86a12ad..d100ddf4f 100644
--- a/other/b-d/disallow-secrets-from-env-vars/kyverno-test.yaml
+++ b/other/b-d/disallow-secrets-from-env-vars/kyverno-test.yaml
@@ -1,34 +1,33 @@
-name: secrets-not-from-env-vars
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: secrets-not-from-env-vars
 policies:
 - disallow-secrets-from-env-vars.yaml
 resources:
 - resource.yaml
 results:
 - kind: Pod
- namespace: default
 policy: secrets-not-from-env-vars
 resources:
- - secret-env-pod
+ - default/secret-env-pod
 result: fail
 rule: secrets-not-from-env-vars
 - kind: Pod
- namespace: default
 policy: secrets-not-from-env-vars
 resources:
- - secret-env-pod
+ - default/secret-ref-pod
 result: pass
- rule: secrets-not-from-envfrom
+ rule: secrets-not-from-env-vars
 - kind: Pod
- namespace: default
 policy: secrets-not-from-env-vars
 resources:
- - secret-ref-pod
+ - default/secret-ref-pod
 result: fail
 rule: secrets-not-from-envfrom
 - kind: Pod
- namespace: default
 policy: secrets-not-from-env-vars
 resources:
- - secret-ref-pod
+ - default/secret-env-pod
 result: pass
- rule: secrets-not-from-env-vars
+ rule: secrets-not-from-envfrom
diff --git a/other/b-d/dns-policy-and-dns-config/kyverno-test.yaml b/other/b-d/dns-policy-and-dns-config/kyverno-test.yaml
index 2a9af3bbd..121e1cac6 100644
--- a/other/b-d/dns-policy-and-dns-config/kyverno-test.yaml
+++ b/other/b-d/dns-policy-and-dns-config/kyverno-test.yaml
@@ -1,15 +1,17 @@
-name: change-dns-config-policy
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: change-dns-config-policy
 policies:
 - dns-policy-and-dns-config.yaml
 resources:
 - resource.yaml
 results:
 - kind: Pod
- namespace: default
 patchedResource: patchedResource.yaml
 policy: change-dns-config-policy
 resources:
- - myapp-pod
+ - default/myapp-pod
 result: pass
 rule: dns-policy
 variables: variables.yaml
diff --git a/other/b-d/dns-policy-and-dns-config/variables.yaml b/other/b-d/dns-policy-and-dns-config/variables.yaml
index 179ce35a6..40353c330 100644
--- a/other/b-d/dns-policy-and-dns-config/variables.yaml
+++ b/other/b-d/dns-policy-and-dns-config/variables.yaml
@@ -1,7 +1,110 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: change-dns-config-policy - rules: - - name: dns-policy - values: - request.namespace: default - dictionary.data.ClusterConfiguration: "apiServer:\n certSANs:\n - kubernetes\n - kubernetes.default\n - kubernetes.default.svc\n - kubernetes.default.svc.mycluster\n - 10.233.0.1\n - localhost\n - 127.0.0.1\n - k8s-mycluster-master-1\n - k8s-mycluster-master-2\n - k8s-mycluster-master-3\n - lb-apiserver.kubernetes.local\n - 10.10.88.132\n - 10.10.90.111\n - 10.10.88.50\n - k8s-mycluster-master-1.mycluster\n - k8s-mycluster-master-2.mycluster\n - k8s-mycluster-master-3.mycluster\n extraArgs:\n allow-privileged: \"true\"\n anonymous-auth: \"True\"\n apiserver-count: \"3\"\n audit-log-maxage: \"1\"\n audit-log-maxbackup: \"1\"\n audit-log-maxsize: \"100\"\n audit-log-path: /var/log/audit/kube-apiserver-audit.log\n audit-policy-file: /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml\n authorization-mode: Node,RBAC\n bind-address: 0.0.0.0\n default-not-ready-toleration-seconds: \"300\"\n default-unreachable-toleration-seconds: \"300\"\n enable-aggregator-routing: \"true\"\n endpoint-reconciler-type: lease\n event-ttl: 1h0m0s\n insecure-port: \"0\"\n kubelet-certificate-authority: /etc/kubernetes/ssl/ca.crt\n kubelet-preferred-address-types: InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP\n profiling: \"False\"\n request-timeout: 1m0s\n service-account-lookup: \"True\"\n service-cluster-ip-range: 10.233.0.0/18\n service-node-port-range: 30000-32767\n storage-backend: etcd3\n extraVolumes:\n - hostPath: /etc/kubernetes/audit-policy\n mountPath: /etc/kubernetes/audit-policy\n name: audit-policy\n - hostPath: /var/log/kubernetes/audit\n mountPath: /var/log/audit\n name: audit-logs\n - hostPath: /usr/share/ca-certificates\n mountPath: /usr/share/ca-certificates\n name: usr-share-ca-certificates\n readOnly: true\n timeoutForControlPlane: 5m0s\napiVersion: 
kubeadm.k8s.io/v1beta3\ncertificatesDir: /etc/kubernetes/ssl\nclusterName: mycluster\ncontrolPlaneEndpoint: 10.10.88.132:6443\ncontrollerManager:\n extraArgs:\n bind-address: 0.0.0.0\n cluster-cidr: 10.233.64.0/18\n configure-cloud-routes: \"false\"\n leader-elect-lease-duration: 15s\n leader-elect-renew-deadline: 10s\n node-cidr-mask-size: \"25\"\n node-monitor-grace-period: 40s\n node-monitor-period: 5s\n profiling: \"False\"\n service-cluster-ip-range: 10.233.0.0/18\n terminated-pod-gc-threshold: \"12500\"\ndns:\n imageRepository: registry.mycluster.com//coredns\n imageTag: v1.8.6\netcd:\n external:\n caFile: /etc/ssl/etcd/ssl/ca.pem\n certFile: /etc/ssl/etcd/ssl/node-k8s-mycluster-master-1.pem\n endpoints:\n - https://10.10.89.133:2379\n - https://10.10.89.197:2379\n - https://10.10.88.98:2379\n keyFile: /etc/ssl/etcd/ssl/node-k8s-mycluster-master-1-key.pem\nimageRepository: registry.mycluster.com/\nkind: ClusterConfiguration\nkubernetesVersion: v1.23.7\nnetworking:\n dnsDomain: mycluster\n podSubnet: 10.233.64.0/18\n serviceSubnet: 10.233.0.0/18\nscheduler:\n extraArgs:\n bind-address: 0.0.0.0\n config: /etc/kubernetes/kubescheduler-config.yaml\n extraVolumes:\n - hostPath: /etc/kubernetes/kubescheduler-config.yaml\n mountPath: /etc/kubernetes/kubescheduler-config.yaml\n name: kubescheduler-config\n readOnly: true\n" \ No newline at end of file +- name: change-dns-config-policy + rules: + - name: dns-policy + values: + dictionary.data.ClusterConfiguration: | + apiServer: + certSANs: + - kubernetes + - kubernetes.default + - kubernetes.default.svc + - kubernetes.default.svc.mycluster + - 10.233.0.1 + - localhost + - 127.0.0.1 + - k8s-mycluster-master-1 + - k8s-mycluster-master-2 + - k8s-mycluster-master-3 + - lb-apiserver.kubernetes.local + - 10.10.88.132 + - 10.10.90.111 + - 10.10.88.50 + - k8s-mycluster-master-1.mycluster + - k8s-mycluster-master-2.mycluster + - k8s-mycluster-master-3.mycluster + extraArgs: + allow-privileged: "true" + anonymous-auth: "True" 
+ apiserver-count: "3" + audit-log-maxage: "1" + audit-log-maxbackup: "1" + audit-log-maxsize: "100" + audit-log-path: /var/log/audit/kube-apiserver-audit.log + audit-policy-file: /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml + authorization-mode: Node,RBAC + bind-address: 0.0.0.0 + default-not-ready-toleration-seconds: "300" + default-unreachable-toleration-seconds: "300" + enable-aggregator-routing: "true" + endpoint-reconciler-type: lease + event-ttl: 1h0m0s + insecure-port: "0" + kubelet-certificate-authority: /etc/kubernetes/ssl/ca.crt + kubelet-preferred-address-types: InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP + profiling: "False" + request-timeout: 1m0s + service-account-lookup: "True" + service-cluster-ip-range: 10.233.0.0/18 + service-node-port-range: 30000-32767 + storage-backend: etcd3 + extraVolumes: + - hostPath: /etc/kubernetes/audit-policy + mountPath: /etc/kubernetes/audit-policy + name: audit-policy + - hostPath: /var/log/kubernetes/audit + mountPath: /var/log/audit + name: audit-logs + - hostPath: /usr/share/ca-certificates + mountPath: /usr/share/ca-certificates + name: usr-share-ca-certificates + readOnly: true + timeoutForControlPlane: 5m0s + apiVersion: kubeadm.k8s.io/v1beta3 + certificatesDir: /etc/kubernetes/ssl + clusterName: mycluster + controlPlaneEndpoint: 10.10.88.132:6443 + controllerManager: + extraArgs: + bind-address: 0.0.0.0 + cluster-cidr: 10.233.64.0/18 + configure-cloud-routes: "false" + leader-elect-lease-duration: 15s + leader-elect-renew-deadline: 10s + node-cidr-mask-size: "25" + node-monitor-grace-period: 40s + node-monitor-period: 5s + profiling: "False" + service-cluster-ip-range: 10.233.0.0/18 + terminated-pod-gc-threshold: "12500" + dns: + imageRepository: registry.mycluster.com//coredns + imageTag: v1.8.6 + etcd: + external: + caFile: /etc/ssl/etcd/ssl/ca.pem + certFile: /etc/ssl/etcd/ssl/node-k8s-mycluster-master-1.pem + endpoints: + - https://10.10.89.133:2379 + - https://10.10.89.197:2379 + - 
https://10.10.88.98:2379 + keyFile: /etc/ssl/etcd/ssl/node-k8s-mycluster-master-1-key.pem + imageRepository: registry.mycluster.com/ + kind: ClusterConfiguration + kubernetesVersion: v1.23.7 + networking: + dnsDomain: mycluster + podSubnet: 10.233.64.0/18 + serviceSubnet: 10.233.0.0/18 + scheduler: + extraArgs: + bind-address: 0.0.0.0 + config: /etc/kubernetes/kubescheduler-config.yaml + extraVolumes: + - hostPath: /etc/kubernetes/kubescheduler-config.yaml + mountPath: /etc/kubernetes/kubescheduler-config.yaml + name: kubescheduler-config + readOnly: true + request.namespace: default diff --git a/other/b-d/docker-socket-requires-label/kyverno-test.yaml b/other/b-d/docker-socket-requires-label/kyverno-test.yaml index 401858eb8..848e608d2 100644 --- a/other/b-d/docker-socket-requires-label/kyverno-test.yaml +++ b/other/b-d/docker-socket-requires-label/kyverno-test.yaml 
@@ -1,26 +1,29 @@ -name: docker-socket-check +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: docker-socket-check policies: - - docker-socket-requires-label.yaml +- docker-socket-requires-label.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: docker-socket-check - rule: conditional-anchor-dockersock - resources: - - nginx-bad-1 - - nginx-bad-2 - kind: Pod - result: fail - - policy: docker-socket-check - rule: conditional-anchor-dockersock - resources: - - nginx-allow-2 - kind: Pod - result: pass - - policy: docker-socket-check - rule: conditional-anchor-dockersock - resources: - - nginx-allow-1 - - nginx-allow-3 - kind: Pod - result: skip \ No newline at end of file +- kind: Pod + policy: docker-socket-check + resources: + - nginx-bad-1 + - nginx-bad-2 + result: fail + rule: conditional-anchor-dockersock +- kind: Pod + policy: docker-socket-check + resources: + - nginx-allow-2 + result: pass + rule: conditional-anchor-dockersock +- kind: Pod + policy: docker-socket-check + resources: + - nginx-allow-1 + - nginx-allow-3 + result: skip + rule: conditional-anchor-dockersock diff --git a/other/e-l/enforce-pod-duration/kyverno-test.yaml b/other/e-l/enforce-pod-duration/kyverno-test.yaml index 651b6a099..8d074068d 100644 --- a/other/e-l/enforce-pod-duration/kyverno-test.yaml +++ b/other/e-l/enforce-pod-duration/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: pod-lifetime +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: pod-lifetime policies: - enforce-pod-duration.yaml resources: @@ -7,12 +10,12 @@ results: - kind: Pod policy: pod-lifetime resources: - - test-lifetime-pass - result: pass + - test-lifetime-fail + result: fail rule: pods-lifetime - kind: Pod policy: pod-lifetime resources: - - test-lifetime-fail - result: fail + - test-lifetime-pass + result: pass rule: pods-lifetime 
diff --git a/other/e-l/enforce-resources-as-ratio/kyverno-test.yaml b/other/e-l/enforce-resources-as-ratio/kyverno-test.yaml index e9bad01e7..c1a4100be 100644 --- a/other/e-l/enforce-resources-as-ratio/kyverno-test.yaml +++ b/other/e-l/enforce-resources-as-ratio/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: enforce-resources-as-ratio +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: enforce-resources-as-ratio policies: - enforce-resources-as-ratio.yaml resources: diff --git a/other/e-l/enforce-resources-as-ratio/values.yaml b/other/e-l/enforce-resources-as-ratio/values.yaml index 441d68b54..5028e0d5e 100644 --- a/other/e-l/enforce-resources-as-ratio/values.yaml +++ b/other/e-l/enforce-resources-as-ratio/values.yaml @@ -1,6 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: -- name: enforce-resources-as-ratio +- name: enforce-resources-as-ratio resources: - name: goodpod values: - request.operation: UPDATE \ No newline at end of file + request.operation: UPDATE diff --git a/other/e-l/ensure-probes-different/kyverno-test.yaml b/other/e-l/ensure-probes-different/kyverno-test.yaml index eea635dcd..fc7dc391b 100644 --- a/other/e-l/ensure-probes-different/kyverno-test.yaml +++ b/other/e-l/ensure-probes-different/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: validate-probes +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: validate-probes policies: - ensure-probes-different.yaml resources: @@ -7,12 +10,12 @@ results: - kind: Deployment policy: validate-probes resources: - - mydeploy-1 - result: pass + - mydeploy-2 + result: fail rule: validate-probes - kind: Deployment policy: validate-probes resources: - - mydeploy-2 - result: fail + - mydeploy-1 + result: pass rule: validate-probes diff --git a/other/e-l/ensure-production-matches-staging/kyverno-test.yaml b/other/e-l/ensure-production-matches-staging/kyverno-test.yaml index 3c12fdd6f..e09044d1c 100644 --- a/other/e-l/ensure-production-matches-staging/kyverno-test.yaml 
+++ b/other/e-l/ensure-production-matches-staging/kyverno-test.yaml @@ -1,26 +1,9 @@ -name: ensure-production-matches-staging +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: ensure-production-matches-staging policies: - - ensure-production-matches-staging.yaml +- ensure-production-matches-staging.yaml resources: - - resource.yaml +- resource.yaml variables: values.yaml -results: - # - policy: ensure-production-matches-staging - # rule: require-staging-deployment - # resource: deploy1 - # kind: Deployment - # namespace: staging - # result: skip - # - policy: ensure-production-matches-staging - # rule: require-same-image - # resource: deploy1 - # kind: Deployment - # namespace: staging - # result: skip - # - policy: ensure-production-matches-staging - # rule: require-same-or-older-imageversion - # resource: deploy1 - # kind: Deployment - # namespace: staging - # result: skip - \ No newline at end of file diff --git a/other/e-l/ensure-production-matches-staging/values.yaml b/other/e-l/ensure-production-matches-staging/values.yaml index d0b886af9..0e5d6cbc4 100644 --- a/other/e-l/ensure-production-matches-staging/values.yaml +++ b/other/e-l/ensure-production-matches-staging/values.yaml 
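Review bot: The migrated ensure-production-matches-staging test has no `results:` list at all, so the CLI has nothing to assert and the test passes without checking the policy; the removed block held only commented-out expectations, so the gap predates this commit, but the schema migration is the natural point to close it. The deleted comments name three rules (`require-staging-deployment`, `require-same-image`, `require-same-or-older-imageversion`) against `deploy1` with result `skip` in namespace `staging`, while the sibling `values.yaml` in this same commit sets `request.namespace: production` for `deploy1`, so both the expected result and the namespace need confirming against an actual run before being encoded. If `skip` is what the CLI produces, the rows can be restored in the `kind: Test` schema with the namespace folded into the resource name as the other files in this commit do.
```yaml
results:
- kind: Deployment
  policy: ensure-production-matches-staging
  resources:
  - staging/deploy1
  result: skip
  rule: require-staging-deployment
# … repeat the entry for require-same-image and require-same-or-older-imageversion …
```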
@@ -1,24 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: ensure-production-matches-staging - rules: - - name: require-staging-deployment - values: - request.namespace: staging - deployment_count: 2 - - - name: require-same-image - values: - deployment_count: 2 - request.namespace: staging - deployment_images: nginx - - - name: require-same-or-older-imageversion - values: - request.namespace: staging - deployment_count: 2 - deployment_containers: 1.22.0 - - resources: - - name: deploy1 - values: - request.namespace: production \ No newline at end of file +- name: ensure-production-matches-staging + resources: + - name: deploy1 + values: + request.namespace: production + rules: + - name: require-staging-deployment + values: + deployment_count: 2 + request.namespace: staging + - name: require-same-image + values: + deployment_count: 2 + deployment_images: nginx + request.namespace: staging + - name: require-same-or-older-imageversion + values: + deployment_containers: 1.22.0 + deployment_count: 2 + request.namespace: staging diff --git a/other/e-l/ensure-readonly-hostpath/kyverno-test.yaml b/other/e-l/ensure-readonly-hostpath/kyverno-test.yaml index a0ad447c2..6f0227161 100644 --- a/other/e-l/ensure-readonly-hostpath/kyverno-test.yaml +++ b/other/e-l/ensure-readonly-hostpath/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: ensure-readonly-hostpath +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: ensure-readonly-hostpath policies: - ensure-readonly-hostpath.yaml resources: diff --git a/other/e-l/ensure-readonly-hostpath/values.yaml b/other/e-l/ensure-readonly-hostpath/values.yaml index f1a776f1e..3026f517a 100644 --- a/other/e-l/ensure-readonly-hostpath/values.yaml +++ b/other/e-l/ensure-readonly-hostpath/values.yaml 
@@ -1,6 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: -- name: ensure-readonly-hostpath +- name: ensure-readonly-hostpath resources: - name: good-pod-01 values: - request.operation: UPDATE \ No newline at end of file + request.operation: UPDATE diff --git a/other/e-l/exclude-namespaces-dynamically/kyverno-test.yaml b/other/e-l/exclude-namespaces-dynamically/kyverno-test.yaml index cb74fb6b7..fdddc3bc4 100644 --- a/other/e-l/exclude-namespaces-dynamically/kyverno-test.yaml +++ b/other/e-l/exclude-namespaces-dynamically/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: exclude-namespaces-example +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: exclude-namespaces-example policies: - exclude-namespaces-dynamically.yaml resources: @@ -7,14 +10,8 @@ results: - kind: Pod policy: exclude-namespaces-example resources: - - good-pod01 - result: skip - rule: exclude-namespaces-dynamically-pods -- kind: Pod - policy: exclude-namespaces-example - resources: - - good-pod02 - result: skip + - bad-pod01 + result: fail rule: exclude-namespaces-dynamically-pods - kind: Pod policy: exclude-namespaces-example @@ -25,7 +22,8 @@ results: - kind: Pod policy: exclude-namespaces-example resources: - - bad-pod01 - result: fail + - good-pod01 + - good-pod02 + result: skip rule: exclude-namespaces-dynamically-pods variables: values.yaml diff --git a/other/e-l/exclude-namespaces-dynamically/values.yaml b/other/e-l/exclude-namespaces-dynamically/values.yaml index ee38decd4..bfa98f1b4 100644 --- a/other/e-l/exclude-namespaces-dynamically/values.yaml +++ b/other/e-l/exclude-namespaces-dynamically/values.yaml 
@@ -1,14 +1,9 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: exclude-namespaces-example - rules: - - name: exclude-namespaces-dynamically-pods - values: - namespacefilters.data.exclude: "[\"default\", \"test\"]" - request.namespace: default - # resources: - # - name: good-pod01 - # values: - # request.namespace: default - # - name: good-pod02 - # values: - # request.namespace: test +- name: exclude-namespaces-example + rules: + - name: exclude-namespaces-dynamically-pods + values: + namespacefilters.data.exclude: '["default", "test"]' + request.namespace: default diff --git a/other/e-l/forbid-cpu-limits/kyverno-test.yaml b/other/e-l/forbid-cpu-limits/kyverno-test.yaml index 34115b783..742b99385 100644 --- a/other/e-l/forbid-cpu-limits/kyverno-test.yaml +++ b/other/e-l/forbid-cpu-limits/kyverno-test.yaml @@ -1,20 +1,23 @@ -name: forbid-cpu-limits +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: forbid-cpu-limits policies: - - forbid-cpu-limits.yaml +- forbid-cpu-limits.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: forbid-cpu-limits - rule: check-cpu-limits - resources: - - good01 - - good02 - kind: Pod - result: pass - - policy: forbid-cpu-limits - rule: check-cpu-limits - resources: - - bad01 - - bad02 - kind: Pod - result: fail +- kind: Pod + policy: forbid-cpu-limits + resources: + - bad01 + - bad02 + result: fail + rule: check-cpu-limits +- kind: Pod + policy: forbid-cpu-limits + resources: + - good01 + - good02 + result: pass + rule: check-cpu-limits diff --git a/other/e-l/imagepullpolicy-always/kyverno-test.yaml b/other/e-l/imagepullpolicy-always/kyverno-test.yaml index 8ec24517d..8059a5c75 100644 --- a/other/e-l/imagepullpolicy-always/kyverno-test.yaml +++ b/other/e-l/imagepullpolicy-always/kyverno-test.yaml 
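Review bot: The deleted comment block in exclude-namespaces-dynamically/values.yaml was the only record of a per-resource namespace for `good-pod02` (`test`); with just the rule-level `request.namespace: default` kept, both good pods are evaluated in `default`, so the second entry of `namespacefilters.data.exclude` (`"test"`) is never exercised by the `skip` expectation the sibling kyverno-test.yaml now holds for `good-pod01` and `good-pod02` together. The block was commented out before the migration, which suggests it may not have worked as written, so whether a per-resource value is honoured over the rule-level one in the `kind: Values` schema needs confirming. If it is, restoring it as a `resources:` entry under the policy, in the shape the other `kind: Values` files in this commit use, would cover the second excluded namespace.
```yaml
- name: exclude-namespaces-example
  resources:
  - name: good-pod02
    values:
      request.namespace: test
  # … unchanged: rules block with namespacefilters.data.exclude and request.namespace …
```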
@@ -1,14 +1,17 @@ -name: imagepullpolicy-always +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: imagepullpolicy-always policies: - imagepullpolicy-always.yaml resources: - resource.yaml results: -- kind: Pod +- kind: Deployment policy: imagepullpolicy-always resources: - - myapp-pod-1 - result: pass + - mydeploy1 + result: fail rule: imagepullpolicy-always - kind: Pod policy: imagepullpolicy-always @@ -19,12 +22,12 @@ results: - kind: Deployment policy: imagepullpolicy-always resources: - - mydeploy1 - result: fail + - mydeploy2 + result: pass rule: imagepullpolicy-always -- kind: Deployment +- kind: Pod policy: imagepullpolicy-always resources: - - mydeploy2 + - myapp-pod-1 result: pass rule: imagepullpolicy-always diff --git a/other/e-l/ingress-host-match-tls/kyverno-test.yaml b/other/e-l/ingress-host-match-tls/kyverno-test.yaml index b753f155f..3b5ccdf52 100644 --- a/other/e-l/ingress-host-match-tls/kyverno-test.yaml +++ b/other/e-l/ingress-host-match-tls/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: ingress-host-match-tls +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: ingress-host-match-tls policies: - ingress-host-match-tls.yaml resources: @@ -8,11 +11,6 @@ results: policy: ingress-host-match-tls resources: - badingress01 - result: fail - rule: host-match-tls -- kind: Ingress - policy: ingress-host-match-tls - resources: - badingress02 result: fail rule: host-match-tls @@ -20,23 +18,8 @@ results: policy: ingress-host-match-tls resources: - goodingress01 - result: pass - rule: host-match-tls -- kind: Ingress - policy: ingress-host-match-tls - resources: - goodingress02 - result: pass - rule: host-match-tls -- kind: Ingress - policy: ingress-host-match-tls - resources: - goodingress03 - result: pass - rule: host-match-tls -- kind: Ingress - policy: ingress-host-match-tls - resources: - goodingress04 result: pass rule: host-match-tls 
diff --git a/other/e-l/inject-sidecar-deployment/kyverno-test.yaml b/other/e-l/inject-sidecar-deployment/kyverno-test.yaml index da0e4a5f7..d1e213fca 100644 --- a/other/e-l/inject-sidecar-deployment/kyverno-test.yaml +++ b/other/e-l/inject-sidecar-deployment/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: inject-sidecar +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: inject-sidecar policies: - inject-sidecar-deployment.yaml resources: diff --git a/other/e-l/limit-configmap-for-sa/kyverno-test.yaml b/other/e-l/limit-configmap-for-sa/kyverno-test.yaml index 9f4cb8a19..1c47cf53d 100644 --- a/other/e-l/limit-configmap-for-sa/kyverno-test.yaml +++ b/other/e-l/limit-configmap-for-sa/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: limit-configmap-for-sa +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: limit-configmap-for-sa policies: - limit-configmap-for-sa.yaml resources: diff --git a/other/e-l/limit-configmap-for-sa/variables.yaml b/other/e-l/limit-configmap-for-sa/variables.yaml index c31a2d8a2..1e7a06a48 100644 --- a/other/e-l/limit-configmap-for-sa/variables.yaml +++ b/other/e-l/limit-configmap-for-sa/variables.yaml @@ -1,9 +1,11 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: limit-configmap-for-sa - resources: - - name: any-configmap-name-good - values: - request.operation: UPDATE - - name: any-configmap-name-bad - values: - request.operation: UPDATE +- name: limit-configmap-for-sa + resources: + - name: any-configmap-name-good + values: + request.operation: UPDATE + - name: any-configmap-name-bad + values: + request.operation: UPDATE diff --git a/other/e-l/limit-containers-per-pod/kyverno-test.yaml b/other/e-l/limit-containers-per-pod/kyverno-test.yaml index e13a9507b..2338744b0 100644 --- a/other/e-l/limit-containers-per-pod/kyverno-test.yaml +++ b/other/e-l/limit-containers-per-pod/kyverno-test.yaml 
@@ -1,30 +1,33 @@ -name: limit-containers-per-pod +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: limit-containers-per-pod policies: - limit-containers-per-pod.yaml resources: - resource.yaml results: -- kind: Pod - policy: limit-containers-per-pod - resources: - - myapp-pod-1 - result: pass - rule: limit-containers-per-pod -- kind: Pod +- kind: CronJob policy: limit-containers-per-pod resources: - - myapp-pod-2 + - mycronjob result: fail - rule: limit-containers-per-pod + rule: autogen-cronjob-limit-containers-per-pod - kind: Deployment policy: limit-containers-per-pod resources: - mydeploy result: pass rule: autogen-limit-containers-per-pod -- kind: CronJob +- kind: Pod policy: limit-containers-per-pod resources: - - mycronjob + - myapp-pod-2 result: fail - rule: autogen-cronjob-limit-containers-per-pod + rule: limit-containers-per-pod +- kind: Pod + policy: limit-containers-per-pod + resources: + - myapp-pod-1 + result: pass + rule: limit-containers-per-pod diff --git a/other/e-l/limit-hostpath-type-pv/kyverno-test.yaml b/other/e-l/limit-hostpath-type-pv/kyverno-test.yaml index c54988b74..bb5f53a95 100644 --- a/other/e-l/limit-hostpath-type-pv/kyverno-test.yaml +++ b/other/e-l/limit-hostpath-type-pv/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: limit-hostpath-type-pv +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: limit-hostpath-type-pv policies: - limit-hostpath-type-pv.yaml resources: @@ -7,12 +10,12 @@ results: - kind: PersistentVolume policy: limit-hostpath-type-pv resources: - - good-pv - result: pass + - bad-pv + result: fail rule: limit-hostpath-type-pv-to-slash-data - kind: PersistentVolume policy: limit-hostpath-type-pv resources: - - bad-pv - result: fail + - good-pv + result: pass rule: limit-hostpath-type-pv-to-slash-data diff --git a/other/e-l/limit-hostpath-vols/kyverno-test.yaml b/other/e-l/limit-hostpath-vols/kyverno-test.yaml index 907e94133..913e3b117 100644 
--- a/other/e-l/limit-hostpath-vols/kyverno-test.yaml +++ b/other/e-l/limit-hostpath-vols/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: limit-hostpath-vols +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: limit-hostpath-vols policies: - limit-hostpath-vols.yaml resources: @@ -8,13 +11,13 @@ results: - kind: Pod policy: limit-hostpath-vols resources: - - good-pods-all - result: pass + - bad-pods-all + result: fail rule: limit-hostpath-to-slash-data - kind: Pod policy: limit-hostpath-vols resources: - - bad-pods-all - result: fail + - good-pods-all + result: pass rule: limit-hostpath-to-slash-data variables: values.yaml diff --git a/other/e-l/limit-hostpath-vols/values.yaml b/other/e-l/limit-hostpath-vols/values.yaml index acc0ce51f..f0bdd4ef1 100644 --- a/other/e-l/limit-hostpath-vols/values.yaml +++ b/other/e-l/limit-hostpath-vols/values.yaml @@ -1,6 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: limit-hostpath-vols - resources: - - name: bad-pods-all - values: - request.operation: UPDATE +- name: limit-hostpath-vols + resources: + - name: bad-pods-all + values: + request.operation: UPDATE diff --git a/other/m-q/memory-requests-equal-limits/kyverno-test.yaml b/other/m-q/memory-requests-equal-limits/kyverno-test.yaml index e5ed98a0a..c53b8f2b3 100644 --- a/other/m-q/memory-requests-equal-limits/kyverno-test.yaml +++ b/other/m-q/memory-requests-equal-limits/kyverno-test.yaml @@ -1,9 +1,18 @@ -name: memory-requests-equal-limits +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: memory-requests-equal-limits policies: - memory-requests-equal-limits.yaml resources: - resource.yaml results: +- kind: CronJob + policy: memory-requests-equal-limits + resources: + - hello + result: pass + rule: autogen-cronjob-memory-requests-equal-limits - kind: DaemonSet policy: memory-requests-equal-limits resources: 
@@ -16,9 +25,3 @@ results: - myapp-pod result: fail rule: memory-requests-equal-limits -- kind: CronJob - policy: memory-requests-equal-limits - resources: - - hello - result: pass - rule: autogen-cronjob-memory-requests-equal-limits diff --git a/other/m-q/mitigate-log4shell/kyverno-test.yaml b/other/m-q/mitigate-log4shell/kyverno-test.yaml index d18be6f7f..2dafb1d8a 100644 --- a/other/m-q/mitigate-log4shell/kyverno-test.yaml +++ b/other/m-q/mitigate-log4shell/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: log4shell-mitigation +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: log4shell-mitigation policies: - mitigate-log4shell.yaml resources: @@ -10,21 +13,21 @@ results: resources: - demo-pod01 result: pass - rule: add-log4shell-mitigation-initcontainers + rule: add-log4shell-mitigation-containers - kind: Pod - patchedResource: patchedResource.yaml + patchedResource: patchedResource1.yaml policy: log4shell-mitigation resources: - - demo-pod01 + - demo-pod02 result: pass rule: add-log4shell-mitigation-containers - kind: Pod - patchedResource: patchedResource1.yaml + patchedResource: patchedResource.yaml policy: log4shell-mitigation resources: - - demo-pod02 + - demo-pod01 result: pass - rule: add-log4shell-mitigation-containers + rule: add-log4shell-mitigation-initcontainers - kind: Pod patchedResource: patchedResource1.yaml policy: log4shell-mitigation diff --git a/other/m-q/mutate-large-termination-gps/kyverno-test.yaml b/other/m-q/mutate-large-termination-gps/kyverno-test.yaml index 263d7ee33..7963ae105 100644 --- a/other/m-q/mutate-large-termination-gps/kyverno-test.yaml +++ b/other/m-q/mutate-large-termination-gps/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: mutate-termination-grace-period-seconds +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: mutate-termination-grace-period-seconds policies: - mutate-large-termination-gps.yaml resources: 
diff --git a/other/m-q/nfs-subdir-external-provisioner-storage-path/kyverno-test.yaml b/other/m-q/nfs-subdir-external-provisioner-storage-path/kyverno-test.yaml index 65368c762..240ef34db 100644 --- a/other/m-q/nfs-subdir-external-provisioner-storage-path/kyverno-test.yaml +++ b/other/m-q/nfs-subdir-external-provisioner-storage-path/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: nfs-subdir-external-provisioner-storage-path +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: nfs-subdir-external-provisioner-storage-path policies: - nfs-subdir-external-provisioner-storage-path.yaml resources: @@ -7,12 +10,12 @@ results: - kind: PersistentVolumeClaim policy: nfs-subdir-external-provisioner-storage-path resources: - - goodclaim - result: pass + - badclaim + result: fail rule: enforce-storage-path - kind: PersistentVolumeClaim policy: nfs-subdir-external-provisioner-storage-path resources: - - badclaim - result: fail + - goodclaim + result: pass rule: enforce-storage-path diff --git a/other/m-q/only-trustworthy-registries-set-root/kyverno-test.yaml b/other/m-q/only-trustworthy-registries-set-root/kyverno-test.yaml index 029ad326a..2f6be4608 100644 --- a/other/m-q/only-trustworthy-registries-set-root/kyverno-test.yaml +++ b/other/m-q/only-trustworthy-registries-set-root/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: only-trustworthy-registries-set-root +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: only-trustworthy-registries-set-root policies: - only-trustworthy-registries-set-root.yaml resources: @@ -9,11 +12,6 @@ results: policy: only-trustworthy-registries-set-root resources: - pod-with-trusted-registry - result: pass - rule: only-allow-trusted-images -- kind: Pod - policy: only-trustworthy-registries-set-root - resources: - pod-with-root-user result: pass rule: only-allow-trusted-images 
diff --git a/other/m-q/only-trustworthy-registries-set-root/values.yaml b/other/m-q/only-trustworthy-registries-set-root/values.yaml index b2da263bb..041510dbf 100644 --- a/other/m-q/only-trustworthy-registries-set-root/values.yaml +++ b/other/m-q/only-trustworthy-registries-set-root/values.yaml @@ -1,12 +1,13 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: only-trustworthy-registries-set-root - rules: - - name: only-allow-trusted-images - values: - imageData.registry: "ghcr.io" - imageData.configData.config.User: "root" - - resources: - - name: pod-with-root-user - values: - request.operation: UPDATE \ No newline at end of file +- name: only-trustworthy-registries-set-root + resources: + - name: pod-with-root-user + values: + request.operation: UPDATE + rules: + - name: only-allow-trusted-images + values: + imageData.configData.config.User: root + imageData.registry: ghcr.io diff --git a/other/m-q/pdb-maxunavailable/kyverno-test.yaml b/other/m-q/pdb-maxunavailable/kyverno-test.yaml index 7b879b075..cfe58a057 100644 --- a/other/m-q/pdb-maxunavailable/kyverno-test.yaml +++ b/other/m-q/pdb-maxunavailable/kyverno-test.yaml 
@@ -1,34 +1,23 @@ -name: pdb-maxunavailable +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: pdb-maxunavailable policies: - pdb-maxunavailable.yaml resources: - resource.yaml results: - kind: PodDisruptionBudget - namespace: kube-system policy: pdb-maxunavailable resources: - - good-pdb - result: pass - rule: pdb-maxunavailable -- kind: PodDisruptionBudget - namespace: kube-system - policy: pdb-maxunavailable - resources: - - good-pdb-none - result: pass - rule: pdb-maxunavailable -- kind: PodDisruptionBudget - namespace: kube-system - policy: pdb-maxunavailable - resources: - - bad-pdb-zero + - kube-system/bad-pdb-zero + - kube-system/bad-pdb-negative-one result: fail rule: pdb-maxunavailable - kind: PodDisruptionBudget - namespace: kube-system policy: pdb-maxunavailable resources: - - bad-pdb-negative-one - result: fail + - kube-system/good-pdb + - kube-system/good-pdb-none + result: pass rule: pdb-maxunavailable diff --git a/other/m-q/pdb-minavailable/kyverno-test.yaml b/other/m-q/pdb-minavailable/kyverno-test.yaml index fee4b73ed..21ec21be3 100644 --- a/other/m-q/pdb-minavailable/kyverno-test.yaml +++ b/other/m-q/pdb-minavailable/kyverno-test.yaml @@ -1,21 +1,22 @@ -name: pdb-minavailable-check +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: pdb-minavailable-check policies: - pdb-minavailable.yaml resources: - resource.yaml results: - kind: StatefulSet - namespace: nginx policy: pdb-minavailable-check resources: - - bad-pdb + - nginx/bad-pdb result: fail rule: pdb-minavailable - kind: StatefulSet - namespace: nginx policy: pdb-minavailable-check resources: - - good-pdb + - nginx/good-pdb result: pass rule: pdb-minavailable variables: values.yaml diff --git a/other/m-q/pdb-minavailable/values.yaml b/other/m-q/pdb-minavailable/values.yaml index b7857f334..fab3b0344 100644 --- a/other/m-q/pdb-minavailable/values.yaml +++ b/other/m-q/pdb-minavailable/values.yaml 
@@ -1,10 +1,12 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: pdb-minavailable-check - rules: - - name: pdb-minavailable - values: - minavailable: "2" - resources: - - name: bad-pdb - values: - request.operation: CREATE +- name: pdb-minavailable-check + resources: + - name: bad-pdb + values: + request.operation: CREATE + rules: + - name: pdb-minavailable + values: + minavailable: "2" diff --git a/other/m-q/prepend-image-registry/kyverno-test.yaml b/other/m-q/prepend-image-registry/kyverno-test.yaml index 4e77f2ace..e4850bb8c 100644 --- a/other/m-q/prepend-image-registry/kyverno-test.yaml +++ b/other/m-q/prepend-image-registry/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: prepend-image-registry +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prepend-image-registry policies: - prepend-image-registry.yaml resources: @@ -7,25 +10,25 @@ resources: - withoutinitcontainer.yaml results: - kind: Pod - patchedResource: patchedResource.yaml + patchedResource: failpatchedResource.yaml policy: prepend-registry resources: - - mypod - result: pass + - myfailedpod + result: fail rule: prepend-registry-containers - kind: Pod - patchedResource: patchedResource.yaml + patchedResource: patchedResourceWithoutInitContainer.yaml policy: prepend-registry resources: - - mypod - result: pass - rule: prepend-registry-initcontainers + - withoutinitcontainer + result: fail + rule: prepend-registry-containers - kind: Pod - patchedResource: failpatchedResource.yaml + patchedResource: patchedResource.yaml policy: prepend-registry resources: - - myfailedpod - result: fail + - mypod + result: pass rule: prepend-registry-containers - kind: Pod patchedResource: failpatchedResource.yaml 
@@ -35,9 +38,9 @@ results: result: fail rule: prepend-registry-initcontainers - kind: Pod - patchedResource: patchedResourceWithoutInitContainer.yaml + patchedResource: patchedResource.yaml policy: prepend-registry resources: - - withoutinitcontainer - result: fail - rule: prepend-registry-containers + - mypod + result: pass + rule: prepend-registry-initcontainers diff --git a/other/m-q/prevent-cr8escape/kyverno-test.yaml b/other/m-q/prevent-cr8escape/kyverno-test.yaml index 6d23bc859..47c7e5be0 100644 --- a/other/m-q/prevent-cr8escape/kyverno-test.yaml +++ b/other/m-q/prevent-cr8escape/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict- +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict- policies: - prevent-cr8escape.yaml resources: @@ -14,11 +17,6 @@ results: policy: prevent-cr8escape resources: - pod-sysctl-good - result: pass - rule: restrict-sysctls-cr8escape -- kind: Pod - policy: prevent-cr8escape - resources: - pod-no-sysctl result: pass rule: restrict-sysctls-cr8escape diff --git a/other/rec-req/remove-hostpath-volumes/kyverno-test.yaml b/other/rec-req/remove-hostpath-volumes/kyverno-test.yaml index d9527a6c3..58d6aea22 100644 --- a/other/rec-req/remove-hostpath-volumes/kyverno-test.yaml +++ b/other/rec-req/remove-hostpath-volumes/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: remove-hostpath-volumes +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: remove-hostpath-volumes policies: - remove-hostpath-volumes.yaml resources: diff --git a/other/rec-req/remove-serviceaccount-token/kyverno-test.yaml b/other/rec-req/remove-serviceaccount-token/kyverno-test.yaml index 3716f645a..b33b03445 100644 --- a/other/rec-req/remove-serviceaccount-token/kyverno-test.yaml +++ b/other/rec-req/remove-serviceaccount-token/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: remove-serviceaccount-token +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: remove-serviceaccount-token policies: - remove-serviceaccount-token.yaml resources: 
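Review bot: The test is still registered under the truncated name `restrict-` in the new `metadata.name` line, which reads as an unfinished edit and is presumably what the CLI will print for this test; every sibling test in this commit is named after its policy. Suggest `  name: prevent-cr8escape` to match the policy file referenced on the next line. The remainder of the file is outside this hunk, so I cannot see whether anything else depends on the old name.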
diff --git a/other/rec-req/replace-image-registry/kyverno-test.yaml b/other/rec-req/replace-image-registry/kyverno-test.yaml index 11cfb7d6c..8ea2ac6ee 100644 --- a/other/rec-req/replace-image-registry/kyverno-test.yaml +++ b/other/rec-req/replace-image-registry/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: replace-image-registry +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: replace-image-registry policies: - replace-image-registry.yaml resources: @@ -11,13 +14,6 @@ results: - myapp-pod1 result: pass rule: replace-image-registry-pod-containers -- kind: Pod - patchedResource: patchedResource1.yaml - policy: replace-image-registry - resources: - - myapp-pod1 - result: skip - rule: replace-image-registry-pod-initcontainers - kind: Pod patchedResource: patchedResource3.yaml policy: replace-image-registry @@ -32,3 +28,10 @@ results: - myapp-pod2 result: pass rule: replace-image-registry-pod-initcontainers +- kind: Pod + patchedResource: patchedResource1.yaml + policy: replace-image-registry + resources: + - myapp-pod1 + result: skip + rule: replace-image-registry-pod-initcontainers diff --git a/other/rec-req/require-deployments-have-multiple-replicas/kyverno-test.yaml b/other/rec-req/require-deployments-have-multiple-replicas/kyverno-test.yaml index cf5bcb91a..66921f51b 100644 --- a/other/rec-req/require-deployments-have-multiple-replicas/kyverno-test.yaml +++ b/other/rec-req/require-deployments-have-multiple-replicas/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: deployment-has-multiple-replicas +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: deployment-has-multiple-replicas policies: - require-deployments-have-multiple-replicas.yaml resources: diff --git a/other/rec-req/require-emptydir-requests-limits/kyverno-test.yaml b/other/rec-req/require-emptydir-requests-limits/kyverno-test.yaml index a4ed7f575..f3b701bcf 100644 --- a/other/rec-req/require-emptydir-requests-limits/kyverno-test.yaml 
+++ b/other/rec-req/require-emptydir-requests-limits/kyverno-test.yaml @@ -1,27 +1,30 @@ -name: require-emptydir-requests-and-limits +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-emptydir-requests-and-limits policies: - - require-emptydir-requests-limits.yaml +- require-emptydir-requests-limits.yaml resources: - - resource-fail.yaml - - resource-pass.yaml - - resource-skip.yaml -variables: values.yaml +- resource-fail.yaml +- resource-pass.yaml +- resource-skip.yaml results: - - policy: require-emptydir-requests-and-limits - rule: check-emptydir-requests-limits - resources: - - fail-pod - kind: Pod - result: fail - - policy: require-emptydir-requests-and-limits - rule: check-emptydir-requests-limits - resources: - - pass-pod - kind: Pod - result: pass - - policy: require-emptydir-requests-and-limits - rule: check-emptydir-requests-limits - resources: - - skip-pod - kind: Pod - result: skip +- kind: Pod + policy: require-emptydir-requests-and-limits + resources: + - fail-pod + result: fail + rule: check-emptydir-requests-limits +- kind: Pod + policy: require-emptydir-requests-and-limits + resources: + - pass-pod + result: pass + rule: check-emptydir-requests-limits +- kind: Pod + policy: require-emptydir-requests-and-limits + resources: + - skip-pod + result: skip + rule: check-emptydir-requests-limits +variables: values.yaml diff --git a/other/rec-req/require-emptydir-requests-limits/values.yaml b/other/rec-req/require-emptydir-requests-limits/values.yaml index c410c8aa7..3a92addee 100644 --- a/other/rec-req/require-emptydir-requests-limits/values.yaml +++ b/other/rec-req/require-emptydir-requests-limits/values.yaml @@ -1,6 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: require-emptydir-requests-and-limits - resources: - - name: bad-pod - values: - request.operation: UPDATE +- name: require-emptydir-requests-and-limits + resources: + - name: bad-pod + values: + request.operation: UPDATE 
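Review bot: The resource-level override `request.operation: UPDATE` is attached to a resource named `bad-pod`, but the results in kyverno-test.yaml only reference `fail-pod`, `pass-pod` and `skip-pod`, so unless one of the resource files declares a `bad-pod` this override applies to nothing and all three pods are evaluated with the CLI's default operation. If the override was meant to drive the `skip` expectation for `skip-pod`, the entry should read `- name: skip-pod`; otherwise it is dead configuration and can be dropped. Worth confirming against resource-skip.yaml, which is not part of this diff.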
diff --git a/other/rec-req/require-image-checksum/kyverno-test.yaml b/other/rec-req/require-image-checksum/kyverno-test.yaml index 1eddb24b9..ef76f4e67 100644 --- a/other/rec-req/require-image-checksum/kyverno-test.yaml +++ b/other/rec-req/require-image-checksum/kyverno-test.yaml @@ -1,14 +1,17 @@ -name: require-image-checksum +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-image-checksum policies: - require-image-checksum.yaml resources: - resource.yaml results: -- kind: Pod +- kind: CronJob policy: require-image-checksum resources: - - myapp-pod-1 - result: pass + - hello + result: fail rule: require-image-checksum - kind: Pod policy: require-image-checksum @@ -22,9 +25,9 @@ results: - mydeploy result: pass rule: require-image-checksum -- kind: CronJob +- kind: Pod policy: require-image-checksum resources: - - hello - result: fail + - myapp-pod-1 + result: pass rule: require-image-checksum diff --git a/other/rec-req/require-image-source/kyverno-test.yaml b/other/rec-req/require-image-source/kyverno-test.yaml index 45e7cc276..484679da6 100644 --- a/other/rec-req/require-image-source/kyverno-test.yaml +++ b/other/rec-req/require-image-source/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: require-image-source +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-image-source policies: - require-image-source.yaml resources: diff --git a/other/rec-req/require-image-source/values.yaml b/other/rec-req/require-image-source/values.yaml index 3cdec6f06..bade10af6 100644 --- a/other/rec-req/require-image-source/values.yaml +++ b/other/rec-req/require-image-source/values.yaml 
@@ -1,14 +1,16 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: require-image-source - rules: - - name: check-source - values: - imageData: - labels: - org.opencontainers.image.source: "https://github.com/kyverno/kyverno-examples" - annotations: - org.opencontainers.image.source: "https://github.com/kyverno/kyverno-examples" - resources: - - name: goodpod01 - values: - request.operation: UPDATE +- name: require-image-source + resources: + - name: goodpod01 + values: + request.operation: UPDATE + rules: + - name: check-source + values: + imageData: + annotations: + org.opencontainers.image.source: https://github.com/kyverno/kyverno-examples + labels: + org.opencontainers.image.source: https://github.com/kyverno/kyverno-examples diff --git a/other/rec-req/require-imagepullsecrets/kyverno-test.yaml b/other/rec-req/require-imagepullsecrets/kyverno-test.yaml index ca70ec0e3..dec124f30 100644 --- a/other/rec-req/require-imagepullsecrets/kyverno-test.yaml +++ b/other/rec-req/require-imagepullsecrets/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: require-imagepullsecrets +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-imagepullsecrets policies: - require-imagepullsecrets.yaml resources: @@ -7,14 +10,14 @@ results: - kind: Pod policy: require-imagepullsecrets resources: - - goodpod01 - result: pass + - badpod01 + result: fail rule: check-for-image-pull-secrets - kind: Pod policy: require-imagepullsecrets resources: - - badpod01 - result: fail + - goodpod01 + result: pass rule: check-for-image-pull-secrets - kind: Pod policy: require-imagepullsecrets diff --git a/other/rec-req/require-netpol/kyverno-test.yaml b/other/rec-req/require-netpol/kyverno-test.yaml index 2dac57318..aeccd3d6b 100644 --- a/other/rec-req/require-netpol/kyverno-test.yaml +++ b/other/rec-req/require-netpol/kyverno-test.yaml 
@@ -1,4 +1,7 @@ -name: require-network-policy +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-network-policy policies: - require-netpol.yaml resources: diff --git a/other/rec-req/require-netpol/values.yaml b/other/rec-req/require-netpol/values.yaml index c82c1b26b..eb260356d 100644 --- a/other/rec-req/require-netpol/values.yaml +++ b/other/rec-req/require-netpol/values.yaml @@ -1,6 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - name: require-network-policy rules: - name: require-network-policy values: - policies_count: "0" \ No newline at end of file + policies_count: "0" diff --git a/other/rec-req/require-non-root-groups/kyverno-test.yaml b/other/rec-req/require-non-root-groups/kyverno-test.yaml index f50f99676..25d181d7b 100644 --- a/other/rec-req/require-non-root-groups/kyverno-test.yaml +++ b/other/rec-req/require-non-root-groups/kyverno-test.yaml 
@@ -1,600 +1,198 @@ -name: require-non-root-groups +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-non-root-groups policies: - require-non-root-groups.yaml resources: - resource.yaml results: -- kind: Pod +- kind: CronJob policy: require-non-root-groups resources: - - badpod01 + - fsgrp-badcronjob01 result: fail - rule: check-runasgroup -- kind: Pod + rule: check-fsgroup +- kind: Deployment policy: require-non-root-groups resources: - - badpod02 + - fsgrp-baddeployment01 result: fail - rule: check-runasgroup + rule: check-fsgroup - kind: Pod policy: require-non-root-groups resources: - - badpod03 + - fsgrp-badpod01 result: fail - rule: check-runasgroup -- kind: Pod + rule: check-fsgroup +- kind: CronJob policy: require-non-root-groups resources: - - badpod04 - result: fail - rule: check-runasgroup -- kind: Pod + - fsgrp-goodcronjob01 + - fsgrp-goodcronjob02 + result: pass + rule: check-fsgroup +- kind: Deployment policy: require-non-root-groups resources: - - badpod05 - result: fail - rule: check-runasgroup + - fsgrp-gooddeployment01 + - fsgrp-gooddeployment02 + result: pass + rule: check-fsgroup - kind: Pod policy: require-non-root-groups resources: - - badpod06 - result: fail - rule: check-runasgroup -- kind: Pod + - fsgrp-goodpod01 + - fsgrp-goodpod02 + result: pass + rule: check-fsgroup +- kind: CronJob policy: require-non-root-groups resources: - - badpod07 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 + - badcronjob11 + - badcronjob12 + - badcronjob13 + - badcronjob14 + - badcronjob15 result: fail rule: check-runasgroup -- kind: Pod +- kind: Deployment policy: require-non-root-groups resources: - - badpod08 + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + - baddeployment08 + - baddeployment09 + - baddeployment10 + - 
baddeployment11 + - baddeployment12 + - baddeployment13 + - baddeployment14 + - baddeployment15 result: fail rule: check-runasgroup - kind: Pod policy: require-non-root-groups resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 - badpod09 - result: fail - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - badpod10 - result: fail - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - badpod11 - result: fail - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - badpod12 - result: fail - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - badpod13 - result: fail - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - badpod14 - result: fail - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - badpod15 result: fail rule: check-runasgroup -- kind: Pod +- kind: CronJob policy: require-non-root-groups resources: - - goodpod01 + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 result: pass rule: check-runasgroup -- kind: Pod +- kind: Deployment policy: require-non-root-groups resources: - - goodpod02 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 result: pass rule: check-runasgroup - kind: Pod policy: require-non-root-groups resources: + - goodpod01 + - goodpod02 - goodpod03 - result: pass - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - goodpod04 - result: pass - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - goodpod05 - result: pass - rule: 
check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - goodpod06 - result: pass - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - goodpod07 - result: pass - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - goodpod08 - result: pass - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - goodpod09 - result: pass - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - goodpod10 result: pass rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - baddeployment01 - result: fail - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - baddeployment02 - result: fail - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - baddeployment03 - result: fail - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - baddeployment04 - result: fail - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - baddeployment05 - result: fail - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - baddeployment06 - result: fail - rule: check-runasgroup -- kind: Deployment +- kind: CronJob policy: require-non-root-groups resources: - - baddeployment07 + - supgrp-badcronjob01 + - supgrp-badcronjob02 result: fail - rule: check-runasgroup + rule: check-supplementalgroups - kind: Deployment policy: require-non-root-groups resources: - - baddeployment08 + - supgrp-baddeployment01 + - supgrp-baddeployment02 result: fail - rule: check-runasgroup -- kind: Deployment + rule: check-supplementalgroups +- kind: Pod policy: require-non-root-groups resources: - - baddeployment09 + - supgrp-badpod01 + - supgrp-badpod02 result: fail - rule: check-runasgroup -- kind: Deployment + rule: check-supplementalgroups +- kind: 
CronJob policy: require-non-root-groups resources: - - baddeployment10 - result: fail - rule: check-runasgroup + - supgrp-goodcronjob01 + - supgrp-goodcronjob02 + - supgrp-goodcronjob03 + result: pass + rule: check-supplementalgroups - kind: Deployment policy: require-non-root-groups resources: - - baddeployment11 - result: fail - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - baddeployment12 - result: fail - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - baddeployment13 - result: fail - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - baddeployment14 - result: fail - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - baddeployment15 - result: fail - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - gooddeployment01 - result: pass - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - gooddeployment02 - result: pass - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - gooddeployment03 - result: pass - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - gooddeployment04 - result: pass - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - gooddeployment05 - result: pass - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - gooddeployment06 - result: pass - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - gooddeployment07 - result: pass - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - gooddeployment08 - result: pass - rule: check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - gooddeployment09 - result: pass - rule: 
check-runasgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - gooddeployment10 - result: pass - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob01 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob02 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob03 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob04 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob05 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob06 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob07 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob08 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob09 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob10 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob11 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob12 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob13 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob14 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - badcronjob15 - result: fail - rule: check-runasgroup -- kind: CronJob - policy: 
require-non-root-groups - resources: - - goodcronjob01 - result: pass - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - goodcronjob02 - result: pass - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - goodcronjob03 - result: pass - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - goodcronjob04 - result: pass - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - goodcronjob05 - result: pass - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - goodcronjob06 - result: pass - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - goodcronjob07 - result: pass - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - goodcronjob08 - result: pass - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - goodcronjob09 - result: pass - rule: check-runasgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - goodcronjob10 - result: pass - rule: check-runasgroup -- kind: Pod - policy: require-non-root-groups - resources: - - supgrp-badpod01 - result: fail - rule: check-supplementalgroups -- kind: Pod - policy: require-non-root-groups - resources: - - supgrp-badpod02 - result: fail - rule: check-supplementalgroups -- kind: Pod + - supgrp-gooddeployment01 + - supgrp-gooddeployment02 + - supgrp-gooddeployment03 + result: pass + rule: check-supplementalgroups +- kind: Pod policy: require-non-root-groups resources: - supgrp-goodpod01 - result: pass - rule: check-supplementalgroups -- kind: Pod - policy: require-non-root-groups - resources: - supgrp-goodpod02 - result: pass - rule: check-supplementalgroups -- kind: Pod - policy: require-non-root-groups - resources: - supgrp-goodpod03 result: pass rule: check-supplementalgroups -- kind: Deployment - policy: 
require-non-root-groups - resources: - - supgrp-baddeployment01 - result: fail - rule: check-supplementalgroups -- kind: Deployment - policy: require-non-root-groups - resources: - - supgrp-baddeployment02 - result: fail - rule: check-supplementalgroups -- kind: Deployment - policy: require-non-root-groups - resources: - - supgrp-gooddeployment01 - result: pass - rule: check-supplementalgroups -- kind: Deployment - policy: require-non-root-groups - resources: - - supgrp-gooddeployment02 - result: pass - rule: check-supplementalgroups -- kind: Deployment - policy: require-non-root-groups - resources: - - supgrp-gooddeployment03 - result: pass - rule: check-supplementalgroups -- kind: CronJob - policy: require-non-root-groups - resources: - - supgrp-badcronjob01 - result: fail - rule: check-supplementalgroups -- kind: CronJob - policy: require-non-root-groups - resources: - - supgrp-badcronjob02 - result: fail - rule: check-supplementalgroups -- kind: CronJob - policy: require-non-root-groups - resources: - - supgrp-goodcronjob01 - result: pass - rule: check-supplementalgroups -- kind: CronJob - policy: require-non-root-groups - resources: - - supgrp-goodcronjob02 - result: pass - rule: check-supplementalgroups -- kind: CronJob - policy: require-non-root-groups - resources: - - supgrp-goodcronjob03 - result: pass - rule: check-supplementalgroups -- kind: Pod - policy: require-non-root-groups - resources: - - fsgrp-badpod01 - result: fail - rule: check-fsgroup -- kind: Pod - policy: require-non-root-groups - resources: - - fsgrp-goodpod01 - result: pass - rule: check-fsgroup -- kind: Pod - policy: require-non-root-groups - resources: - - fsgrp-goodpod02 - result: pass - rule: check-fsgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - fsgrp-baddeployment01 - result: fail - rule: check-fsgroup -- kind: Deployment - policy: require-non-root-groups - resources: - - fsgrp-gooddeployment01 - result: pass - rule: check-fsgroup -- kind: Deployment - 
policy: require-non-root-groups - resources: - - fsgrp-gooddeployment02 - result: pass - rule: check-fsgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - fsgrp-badcronjob01 - result: fail - rule: check-fsgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - fsgrp-goodcronjob01 - result: pass - rule: check-fsgroup -- kind: CronJob - policy: require-non-root-groups - resources: - - fsgrp-goodcronjob02 - result: pass - rule: check-fsgroup diff --git a/other/rec-req/require-pdb/kyverno-test.yaml b/other/rec-req/require-pdb/kyverno-test.yaml index 048a145a2..56f492d6f 100644 --- a/other/rec-req/require-pdb/kyverno-test.yaml +++ b/other/rec-req/require-pdb/kyverno-test.yaml @@ -1,20 +1,23 @@ -name: require-pdb +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-pdb policies: - - require-pdb.yaml +- require-pdb.yaml resources: - - resource-pass.yaml - - resource-skip.yaml -variables: values.yaml +- resource-pass.yaml +- resource-skip.yaml results: - - policy: require-pdb - rule: require-pdb - resources: - - nginx-deploy-pass - kind: Deployment - result: pass - - policy: require-pdb - rule: require-pdb - resources: - - nginx-deploy-skip - kind: Deployment - result: skip +- kind: Deployment + policy: require-pdb + resources: + - nginx-deploy-pass + result: pass + rule: require-pdb +- kind: Deployment + policy: require-pdb + resources: + - nginx-deploy-skip + result: skip + rule: require-pdb +variables: values.yaml diff --git a/other/rec-req/require-pdb/values.yaml b/other/rec-req/require-pdb/values.yaml index 39d9b07e5..3a84da8ec 100644 --- a/other/rec-req/require-pdb/values.yaml +++ b/other/rec-req/require-pdb/values.yaml @@ -1,6 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: +- name: require-pdb + rules: - name: require-pdb - rules: - - name: require-pdb - values: - pdb_count: "1" + values: + pdb_count: "1" 
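Review bot: This test still has no negative case — only `nginx-deploy-pass` (pass) and `nginx-deploy-skip` (skip) — and the accompanying values.yaml stubs `pdb_count: "1"` at rule level for every resource, so the path where a Deployment has no matching PodDisruptionBudget is never exercised and a regression that makes the rule always pass would go unnoticed. Consider adding a resource-fail.yaml with a deployment expected to `fail` and stubbing `pdb_count: "0"` for it (per resource if the Values schema allows that override, otherwise in a separate test). The reordering in this hunk itself looks correct.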
diff --git a/other/rec-req/require-pod-priorityclassname/kyverno-test.yaml b/other/rec-req/require-pod-priorityclassname/kyverno-test.yaml index 5bd23c2f2..c25db2394 100644 --- a/other/rec-req/require-pod-priorityclassname/kyverno-test.yaml +++ b/other/rec-req/require-pod-priorityclassname/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: require-pod-priorityclassname +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-pod-priorityclassname policies: - require-pod-priorityclassname.yaml resources: @@ -7,12 +10,12 @@ results: - kind: Pod policy: require-pod-priorityclassname resources: - - goodpod01 - result: pass + - badpod01 + result: fail rule: check-priorityclassname - kind: Pod policy: require-pod-priorityclassname resources: - - badpod01 - result: fail + - goodpod01 + result: pass rule: check-priorityclassname diff --git a/other/rec-req/require-qos-burstable/kyverno-test.yaml b/other/rec-req/require-qos-burstable/kyverno-test.yaml index 7172bb94a..576105aa3 100644 --- a/other/rec-req/require-qos-burstable/kyverno-test.yaml +++ b/other/rec-req/require-qos-burstable/kyverno-test.yaml @@ -1,21 +1,24 @@ -name: require-qos-burstable +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-qos-burstable policies: - - require-qos-burstable.yaml +- require-qos-burstable.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: require-qos-burstable - rule: burstable - resources: - - goodpod01 - - goodpod02 - - goodpod03 - kind: Pod - result: pass - - policy: require-qos-burstable - rule: burstable - resources: - - badpod01 - - badpod02 - kind: Pod - result: fail \ No newline at end of file +- kind: Pod + policy: require-qos-burstable + resources: + - badpod01 + - badpod02 + result: fail + rule: burstable +- kind: Pod + policy: require-qos-burstable + resources: + - goodpod01 + - goodpod02 + - goodpod03 + result: pass + rule: burstable 
diff --git a/other/rec-req/require-qos-guaranteed/kyverno-test.yaml b/other/rec-req/require-qos-guaranteed/kyverno-test.yaml index 2e19f3927..2356d34c4 100644 --- a/other/rec-req/require-qos-guaranteed/kyverno-test.yaml +++ b/other/rec-req/require-qos-guaranteed/kyverno-test.yaml @@ -1,21 +1,24 @@ -name: require-qos-guaranteed +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-qos-guaranteed policies: - - require-qos-guaranteed.yaml +- require-qos-guaranteed.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: require-qos-guaranteed - rule: guaranteed - resources: - - goodpod01 - - goodpod02 - kind: Pod - result: pass - - policy: require-qos-guaranteed - rule: guaranteed - resources: - - badpod01 - - badpod02 - - badpod03 - kind: Pod - result: fail \ No newline at end of file +- kind: Pod + policy: require-qos-guaranteed + resources: + - badpod01 + - badpod02 + - badpod03 + result: fail + rule: guaranteed +- kind: Pod + policy: require-qos-guaranteed + resources: + - goodpod01 + - goodpod02 + result: pass + rule: guaranteed diff --git a/other/rec-req/require-storageclass/kyverno-test.yaml b/other/rec-req/require-storageclass/kyverno-test.yaml index b5517a578..c6bcd3a8d 100644 --- a/other/rec-req/require-storageclass/kyverno-test.yaml +++ b/other/rec-req/require-storageclass/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: require-storageclass +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-storageclass policies: - require-storageclass.yaml resources: 
@@ -7,30 +10,25 @@ results: - kind: PersistentVolumeClaim policy: require-storageclass resources: - - goodpvc - result: pass + - badpvc + result: fail rule: pvc-storageclass - kind: PersistentVolumeClaim policy: require-storageclass resources: - - badpvc - result: fail + - goodpvc + result: pass rule: pvc-storageclass - kind: StatefulSet policy: require-storageclass resources: - - goodss - result: pass + - badss + result: fail rule: ss-storageclass - kind: StatefulSet policy: require-storageclass resources: + - goodss - goodss-novct result: pass rule: ss-storageclass -- kind: StatefulSet - policy: require-storageclass - resources: - - badss - result: fail - rule: ss-storageclass diff --git a/other/rec-req/require-unique-external-dns/kyverno-test.yaml b/other/rec-req/require-unique-external-dns/kyverno-test.yaml index c4b5fe2b2..8afb5ab8f 100644 --- a/other/rec-req/require-unique-external-dns/kyverno-test.yaml +++ b/other/rec-req/require-unique-external-dns/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: unique-external-dns +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: unique-external-dns policies: - require-unique-external-dns.yaml resources: diff --git a/other/rec-req/require-unique-external-dns/values.yaml b/other/rec-req/require-unique-external-dns/values.yaml index d235e16fe..6e07e96f8 100644 --- a/other/rec-req/require-unique-external-dns/values.yaml +++ b/other/rec-req/require-unique-external-dns/values.yaml @@ -1,10 +1,12 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: unique-external-dns - rules: - - name: ensure-valid-externaldns-annotation - values: - alldns: "[\"test.external-dns-test.my-org.com\"]" - resources: - - name: bad-svc - values: - request.operation: UPDATE \ No newline at end of file +- name: unique-external-dns + resources: + - name: bad-svc + values: + request.operation: UPDATE + rules: + - name: ensure-valid-externaldns-annotation + values: + alldns: '["test.external-dns-test.my-org.com"]' 
diff --git a/other/rec-req/require-unique-uid-per-workload/kyverno-test.yaml b/other/rec-req/require-unique-uid-per-workload/kyverno-test.yaml index 6ef41239a..9f19dc9f0 100644 --- a/other/rec-req/require-unique-uid-per-workload/kyverno-test.yaml +++ b/other/rec-req/require-unique-uid-per-workload/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: require-unique-uid-per-workload +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-unique-uid-per-workload policies: - require-unique-uid-per-workload.yaml resources: diff --git a/other/rec-req/require-unique-uid-per-workload/variables.yaml b/other/rec-req/require-unique-uid-per-workload/variables.yaml index d73f411ff..e6ac7d23f 100644 --- a/other/rec-req/require-unique-uid-per-workload/variables.yaml +++ b/other/rec-req/require-unique-uid-per-workload/variables.yaml @@ -1,6 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: require-unique-uid-per-workload - rules: - - name: require-unique-uid - values: - uidsAllPodsExceptSameOwnerAsRequestObject: "[\"1337\"]" \ No newline at end of file +- name: require-unique-uid-per-workload + rules: + - name: require-unique-uid + values: + uidsAllPodsExceptSameOwnerAsRequestObject: '["1337"]' diff --git a/other/res/resolve-image-to-digest/kyverno-test.yaml b/other/res/resolve-image-to-digest/kyverno-test.yaml index bab87bdb5..9297717cd 100644 --- a/other/res/resolve-image-to-digest/kyverno-test.yaml +++ b/other/res/resolve-image-to-digest/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: resolve-image-to-digest +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: resolve-image-to-digest policies: - resolve-image-to-digest.yaml resources: diff --git a/other/res/resolve-image-to-digest/values.yaml b/other/res/resolve-image-to-digest/values.yaml index d95685638..fc3901230 100644 --- a/other/res/resolve-image-to-digest/values.yaml +++ b/other/res/resolve-image-to-digest/values.yaml 
@@ -1,10 +1,12 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: resolve-image-to-digest - rules: - - name: resolve-to-digest - values: - resolvedRef: "busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47" - resources: - - name: busybox - values: - request.operation: UPDATE +- name: resolve-image-to-digest + resources: + - name: busybox + values: + request.operation: UPDATE + rules: + - name: resolve-to-digest + values: + resolvedRef: busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47 diff --git a/other/res/restrict-annotations/kyverno-test.yaml b/other/res/restrict-annotations/kyverno-test.yaml index 9f2773ab6..a7f11fe74 100644 --- a/other/res/restrict-annotations/kyverno-test.yaml +++ b/other/res/restrict-annotations/kyverno-test.yaml @@ -1,19 +1,22 @@ -name: restrict-annotations +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-annotations policies: - restrict-annotations.yaml resources: - resource.yaml results: -- kind: Pod +- kind: Deployment policy: restrict-annotations resources: - - myapp-pod + - mydeploy result: fail rule: block-flux-v1 -- kind: Deployment +- kind: Pod policy: restrict-annotations resources: - - mydeploy + - myapp-pod result: fail rule: block-flux-v1 - kind: CronJob diff --git a/other/res/restrict-automount-sa-token/kyverno-test.yaml b/other/res/restrict-automount-sa-token/kyverno-test.yaml index 3ab8f4921..73d5290e1 100644 --- a/other/res/restrict-automount-sa-token/kyverno-test.yaml +++ b/other/res/restrict-automount-sa-token/kyverno-test.yaml 
@@ -1,15 +1,12 @@ -name: restrict-automount-sa-token +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-automount-sa-token policies: - restrict-automount-sa-token.yaml resources: - resource.yaml results: -- kind: Pod - policy: restrict-automount-sa-token - resources: - - myapp-pod - result: pass - rule: validate-automountServiceAccountToken - kind: Deployment policy: restrict-automount-sa-token resources: @@ -19,8 +16,8 @@ results: - kind: Pod policy: restrict-automount-sa-token resources: - - policy-reporter - result: skip + - myapp-pod + result: pass rule: validate-automountServiceAccountToken - kind: Deployment policy: restrict-automount-sa-token @@ -28,3 +25,9 @@ results: - deploy-policy-reporter result: skip rule: validate-automountServiceAccountToken +- kind: Pod + policy: restrict-automount-sa-token + resources: + - policy-reporter + result: skip + rule: validate-automountServiceAccountToken diff --git a/other/res/restrict-controlplane-scheduling/kyverno-test.yaml b/other/res/restrict-controlplane-scheduling/kyverno-test.yaml index 69cf0d61a..9584ef189 100644 --- a/other/res/restrict-controlplane-scheduling/kyverno-test.yaml +++ b/other/res/restrict-controlplane-scheduling/kyverno-test.yaml 
@@ -1,34 +1,33 @@ -name: restrict-controlplane-scheduling +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-controlplane-scheduling policies: - restrict-controlplane-scheduling.yaml resources: - resource.yaml results: - kind: Pod - namespace: default policy: restrict-controlplane-scheduling resources: - - myapp-pod-1 + - default/myapp-pod-2 result: fail - rule: restrict-controlplane-scheduling-master + rule: restrict-controlplane-scheduling-control-plane - kind: Pod - namespace: default policy: restrict-controlplane-scheduling resources: - - myapp-pod-2 - result: fail + - default/myapp-pod-1 + result: pass rule: restrict-controlplane-scheduling-control-plane - kind: Pod - namespace: default policy: restrict-controlplane-scheduling resources: - - myapp-pod-2 - result: pass + - default/myapp-pod-1 + result: fail rule: restrict-controlplane-scheduling-master - kind: Pod - namespace: default policy: restrict-controlplane-scheduling resources: - - myapp-pod-1 + - default/myapp-pod-2 result: pass - rule: restrict-controlplane-scheduling-control-plane + rule: restrict-controlplane-scheduling-master diff --git a/other/res/restrict-deprecated-registry/kyverno-test.yaml b/other/res/restrict-deprecated-registry/kyverno-test.yaml index d4ad57643..f55b98da5 100644 --- a/other/res/restrict-deprecated-registry/kyverno-test.yaml +++ b/other/res/restrict-deprecated-registry/kyverno-test.yaml 
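Review bot: The per-result `namespace: default` field is dropped in favour of namespace-qualified resource names such as `default/myapp-pod-2`, which ties these expectations to a CLI that parses `namespace/name` in the `resources` list; a CLI that does not may treat the string as a literal name, match nothing, and report the entry as missing rather than failed. The same rewrite appears in restrict-deprecated-registry, restrict-ingress-classes, restrict-ingress-defaultbackend, restrict-loadbalancer, restrict-node-selection, restrict-usergroup-fsgroup-id and topologyspreadconstraints-policy. If the CLI version pinned by CI already understands this form, a one-line comment above the first such entry, `# resources are namespace/name; requires the CLI's v1alpha1 Test schema`, would save the next reader the check.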
@@ -1,20 +1,21 @@ -name: restrict-deprecated-registry +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-deprecated-registry policies: - restrict-deprecated-registry.yaml resources: - resource.yaml results: - kind: Pod - namespace: policy-test policy: restrict-deprecated-registry resources: - - test-pod-bad + - policy-test/test-pod-bad result: fail rule: restrict-deprecated-registry - kind: Pod - namespace: policy-test policy: restrict-deprecated-registry resources: - - test-pod-good + - policy-test/test-pod-good result: pass rule: restrict-deprecated-registry diff --git a/other/res/restrict-escalation-verbs-roles/kyverno-test.yaml b/other/res/restrict-escalation-verbs-roles/kyverno-test.yaml index 57796ab90..d9be88b21 100644 --- a/other/res/restrict-escalation-verbs-roles/kyverno-test.yaml +++ b/other/res/restrict-escalation-verbs-roles/kyverno-test.yaml 
@@ -1,32 +1,35 @@ -name: restrict-escalation-verbs-roles +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-escalation-verbs-roles policies: - restrict-escalation-verbs-roles.yaml resources: - resource.yaml results: -- policy: restrict-escalation-verbs-roles +- kind: ClusterRole + policy: restrict-escalation-verbs-roles + resources: + - badclusterrole01 + - badclusterrole02 + result: fail + rule: escalate +- kind: Role + policy: restrict-escalation-verbs-roles + resources: + - badrole01 + result: fail rule: escalate +- kind: ClusterRole + policy: restrict-escalation-verbs-roles resources: - goodclusterrole01 - goodclusterrole02 - kind: ClusterRole result: pass -- policy: restrict-escalation-verbs-roles - rule: escalate - resources: - - badclusterrole01 - - badclusterrole02 - kind: ClusterRole - result: fail -- policy: restrict-escalation-verbs-roles rule: escalate +- kind: Role + policy: restrict-escalation-verbs-roles resources: - goodrole01 - kind: Role result: pass -- policy: restrict-escalation-verbs-roles rule: escalate - resources: - - badrole01 - kind: Role - result: fail diff --git a/other/res/restrict-ingress-classes/kyverno-test.yaml b/other/res/restrict-ingress-classes/kyverno-test.yaml index d853ede49..882e40d88 100644 --- a/other/res/restrict-ingress-classes/kyverno-test.yaml +++ b/other/res/restrict-ingress-classes/kyverno-test.yaml @@ -1,20 +1,21 @@ -name: restrict-ingress-classes +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-ingress-classes policies: - restrict-ingress-classes.yaml resources: - resource.yaml results: - kind: Ingress - namespace: default policy: restrict-ingress-classes resources: - - minimal-ingress-1 - result: pass + - default/minimal-ingress-2 + result: fail rule: validate-ingress - kind: Ingress - namespace: default policy: restrict-ingress-classes resources: - - minimal-ingress-2 - result: fail + - default/minimal-ingress-1 + result: pass rule: validate-ingress 
diff --git a/other/res/restrict-ingress-defaultbackend/kyverno-test.yaml b/other/res/restrict-ingress-defaultbackend/kyverno-test.yaml index b88767ae4..03c1dcafd 100644 --- a/other/res/restrict-ingress-defaultbackend/kyverno-test.yaml +++ b/other/res/restrict-ingress-defaultbackend/kyverno-test.yaml @@ -1,20 +1,21 @@ -name: restrict-node-defaultbackend +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-node-defaultbackend policies: - restrict-ingress-defaultbackend.yaml resources: - resource.yaml results: - kind: Ingress - namespace: default policy: restrict-ingress-defaultbackend resources: - - sample-app-1 + - default/sample-app-1 result: fail rule: restrict-ingress-defaultbackend - kind: Ingress - namespace: default policy: restrict-ingress-defaultbackend resources: - - sample-app-2 + - default/sample-app-2 result: pass rule: restrict-ingress-defaultbackend diff --git a/other/res/restrict-ingress-host/kyverno-test.yaml b/other/res/restrict-ingress-host/kyverno-test.yaml index 3f4028366..9660ec028 100644 --- a/other/res/restrict-ingress-host/kyverno-test.yaml +++ b/other/res/restrict-ingress-host/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: unique-ingress-host +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: unique-ingress-host policies: - restrict-ingress-host.yaml resources: @@ -19,13 +22,13 @@ results: - kind: Ingress policy: unique-ingress-host resources: - - ingress-kyverno-host - result: skip + - ingress-foo-host + result: fail rule: deny-multiple-hosts - kind: Ingress policy: unique-ingress-host resources: - - ingress-foo-host - result: fail + - ingress-kyverno-host + result: skip rule: deny-multiple-hosts variables: values.yaml diff --git a/other/res/restrict-ingress-host/values.yaml b/other/res/restrict-ingress-host/values.yaml index 0d64f5699..3cb00ab09 100644 --- a/other/res/restrict-ingress-host/values.yaml +++ b/other/res/restrict-ingress-host/values.yaml 
@@ -1,6 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - name: unique-ingress-host rules: - name: check-single-host-create values: - hosts: "[\"www.github.com\", \"www.kyverno.com\", \"www.nirmata.com\"]" \ No newline at end of file + hosts: '["www.github.com", "www.kyverno.com", "www.nirmata.com"]' diff --git a/other/res/restrict-ingress-wildcard/kyverno-test.yaml b/other/res/restrict-ingress-wildcard/kyverno-test.yaml index d62e5df4c..07c57e046 100644 --- a/other/res/restrict-ingress-wildcard/kyverno-test.yaml +++ b/other/res/restrict-ingress-wildcard/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict-ingress-wildcard +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-ingress-wildcard policies: - restrict-ingress-wildcard.yaml resources: @@ -8,11 +11,6 @@ results: policy: restrict-ingress-wildcard resources: - bading01 - result: fail - rule: block-ingress-wildcard -- kind: Ingress - policy: restrict-ingress-wildcard - resources: - bading02 result: fail rule: block-ingress-wildcard @@ -20,11 +18,6 @@ results: policy: restrict-ingress-wildcard resources: - gooding01 - result: pass - rule: block-ingress-wildcard -- kind: Ingress - policy: restrict-ingress-wildcard - resources: - gooding02 result: pass rule: block-ingress-wildcard diff --git a/other/res/restrict-loadbalancer/kyverno-test.yaml b/other/res/restrict-loadbalancer/kyverno-test.yaml index 600b32c23..13a7ea63f 100644 --- a/other/res/restrict-loadbalancer/kyverno-test.yaml +++ b/other/res/restrict-loadbalancer/kyverno-test.yaml 
@@ -1,20 +1,21 @@ -name: no-loadbalancer-service +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: no-loadbalancer-service policies: - restrict-loadbalancer.yaml resources: - resource.yaml results: - kind: Service - namespace: default policy: no-loadbalancer-service resources: - - my-service-1 + - default/my-service-1 result: fail rule: no-LoadBalancer - kind: Service - namespace: default policy: no-loadbalancer-service resources: - - my-service-2 + - default/my-service-2 result: pass rule: no-LoadBalancer diff --git a/other/res/restrict-networkpolicy-empty-podselector/kyverno-test.yaml b/other/res/restrict-networkpolicy-empty-podselector/kyverno-test.yaml index 31c930e64..8f2d517f1 100644 --- a/other/res/restrict-networkpolicy-empty-podselector/kyverno-test.yaml +++ b/other/res/restrict-networkpolicy-empty-podselector/kyverno-test.yaml @@ -1,25 +1,21 @@ -name: restrict-networkpolicy-empty-podselector +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-networkpolicy-empty-podselector policies: - - restrict-networkpolicy-empty-podselector.yaml +- restrict-networkpolicy-empty-podselector.yaml resources: - - resource.yaml +- resource.yaml results: - - policy: restrict-networkpolicy-empty-podselector - rule: empty-podselector - resources: - - badnetworkpolicy - kind: NetworkPolicy - result: fail - - policy: restrict-networkpolicy-empty-podselector - rule: empty-podselector - resources: - - goodnetworkpolicy - kind: NetworkPolicy - result: pass - # - policy: restrict-networkpolicy-empty-podselector - # rule: empty-podselector - # resources: - # - default-deny - # kind: NetworkPolicy - # result: skip - \ No newline at end of file +- kind: NetworkPolicy + policy: restrict-networkpolicy-empty-podselector + resources: + - badnetworkpolicy + result: fail + rule: empty-podselector +- kind: NetworkPolicy + policy: restrict-networkpolicy-empty-podselector + resources: + - goodnetworkpolicy + result: pass + rule: empty-podselector 
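Review bot: The commented-out `default-deny` skip case at the end of restrict-networkpolicy-empty-podselector/kyverno-test.yaml is deleted rather than restored, so the policy's treatment of an intentional default-deny NetworkPolicy (the one legitimate use of an empty podSelector) now has no test at all. If resource.yaml still contains a `default-deny` object, add the entry back as `- kind: NetworkPolicy`, `resources: [default-deny]`, `result: skip` under `rule: empty-podselector`. If it was commented out because the policy does not actually exempt default-deny, say so in a comment next to the remaining results instead of dropping the case silently.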
diff --git a/other/res/restrict-node-affinity/kyverno-test.yaml b/other/res/restrict-node-affinity/kyverno-test.yaml index 094ae54bc..336a9535d 100644 --- a/other/res/restrict-node-affinity/kyverno-test.yaml +++ b/other/res/restrict-node-affinity/kyverno-test.yaml @@ -1,14 +1,17 @@ -name: restrict-node-affinity +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-node-affinity policies: - restrict-node-affinity.yaml resources: - resource.yaml results: -- kind: Pod +- kind: Deployment policy: restrict-node-affinity resources: - - goodpod01 - result: pass + - baddeploy01 + result: fail rule: check-nodeaffinity - kind: Pod policy: restrict-node-affinity @@ -19,12 +22,12 @@ results: - kind: Deployment policy: restrict-node-affinity resources: - - baddeploy01 - result: fail + - gooddeploy01 + result: pass rule: check-nodeaffinity -- kind: Deployment +- kind: Pod policy: restrict-node-affinity resources: - - gooddeploy01 + - goodpod01 result: pass rule: check-nodeaffinity diff --git a/other/res/restrict-node-selection/kyverno-test.yaml b/other/res/restrict-node-selection/kyverno-test.yaml index 71de5ed98..089014b65 100644 --- a/other/res/restrict-node-selection/kyverno-test.yaml +++ b/other/res/restrict-node-selection/kyverno-test.yaml 
@@ -1,34 +1,33 @@ -name: restrict-node-selection +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-node-selection policies: - restrict-node-selection.yaml resources: - resource.yaml results: - kind: Pod - namespace: default policy: restrict-node-selection resources: - - myapp-pod-1 + - default/myapp-pod-2 result: fail - rule: restrict-nodeselector + rule: restrict-nodename - kind: Pod - namespace: default policy: restrict-node-selection resources: - - myapp-pod-1 + - default/myapp-pod-1 result: pass rule: restrict-nodename - kind: Pod - namespace: default policy: restrict-node-selection resources: - - myapp-pod-2 - result: pass + - default/myapp-pod-1 + result: fail rule: restrict-nodeselector - kind: Pod - namespace: default policy: restrict-node-selection resources: - - myapp-pod-2 - result: fail - rule: restrict-nodename + - default/myapp-pod-2 + result: pass + rule: restrict-nodeselector diff --git a/other/res/restrict-pod-count-per-node/kyverno-test.yaml b/other/res/restrict-pod-count-per-node/kyverno-test.yaml index ed0ba52bf..69312b9d6 100644 --- a/other/res/restrict-pod-count-per-node/kyverno-test.yaml +++ b/other/res/restrict-pod-count-per-node/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict-pod-count +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-pod-count policies: - restrict-pod-count-per-node.yaml resources: diff --git a/other/res/restrict-pod-count-per-node/values.yaml b/other/res/restrict-pod-count-per-node/values.yaml index 54c488317..78a21e93c 100644 --- a/other/res/restrict-pod-count-per-node/values.yaml +++ b/other/res/restrict-pod-count-per-node/values.yaml @@ -1,6 +1,8 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - name: restrict-pod-count rules: - - name: restrict-pod-count - values: - podcounts: "40" + - name: restrict-pod-count + values: + podcounts: "40" 
diff --git a/other/res/restrict-secrets-by-label/kyverno-test.yaml b/other/res/restrict-secrets-by-label/kyverno-test.yaml index 0ce199d90..d438456eb 100644 --- a/other/res/restrict-secrets-by-label/kyverno-test.yaml +++ b/other/res/restrict-secrets-by-label/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict-secrets-by-label +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-secrets-by-label policies: - restrict-secrets-by-label.yaml resources: @@ -10,22 +13,11 @@ results: - secret-env-pod result: pass rule: secrets-lookup-from-env -- kind: Pod - policy: restrict-secrets-by-label - resources: - - secret-env-pod - result: skip - rule: secrets-lookup-from-envfrom -- kind: Pod - policy: restrict-secrets-by-label - resources: - - secret-env-pod - result: skip - rule: secrets-lookup-from-volumes - kind: Pod policy: restrict-secrets-by-label resources: - secret-ref-pod + - secret-vol-pod result: skip rule: secrets-lookup-from-env - kind: Pod @@ -37,25 +29,21 @@ results: - kind: Pod policy: restrict-secrets-by-label resources: - - secret-ref-pod - result: skip - rule: secrets-lookup-from-volumes -- kind: Pod - policy: restrict-secrets-by-label - resources: + - secret-env-pod - secret-vol-pod result: skip - rule: secrets-lookup-from-env + rule: secrets-lookup-from-envfrom - kind: Pod policy: restrict-secrets-by-label resources: - secret-vol-pod - result: skip - rule: secrets-lookup-from-envfrom + result: pass + rule: secrets-lookup-from-volumes - kind: Pod policy: restrict-secrets-by-label resources: - - secret-vol-pod - result: pass + - secret-env-pod + - secret-ref-pod + result: skip rule: secrets-lookup-from-volumes variables: values.yaml diff --git a/other/res/restrict-secrets-by-label/values.yaml b/other/res/restrict-secrets-by-label/values.yaml index b20539e34..574afd248 100644 --- a/other/res/restrict-secrets-by-label/values.yaml +++ b/other/res/restrict-secrets-by-label/values.yaml 
@@ -1,15 +1,15 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: restrict-secrets-by-label - rules: - - name: secrets-lookup-from-env - values: - status: "demo" - - - name: secrets-lookup-from-envfrom - values: - request.operation: UPDATE - status: "protected" - - - name: secrets-lookup-from-volumes - values: - status: "bar" \ No newline at end of file +- name: restrict-secrets-by-label + rules: + - name: secrets-lookup-from-env + values: + status: demo + - name: secrets-lookup-from-envfrom + values: + request.operation: UPDATE + status: protected + - name: secrets-lookup-from-volumes + values: + status: bar diff --git a/other/res/restrict-secrets-by-name/kyverno-test.yaml b/other/res/restrict-secrets-by-name/kyverno-test.yaml index d9ae146ee..8908cc679 100644 --- a/other/res/restrict-secrets-by-name/kyverno-test.yaml +++ b/other/res/restrict-secrets-by-name/kyverno-test.yaml 
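Review bot: Dropping the quotes around `status: demo`, `status: protected` and `status: bar` is safe because none of these strings resemble another YAML type, but the same normalisation is applied in resolve-image-to-digest/values.yaml (`resolvedRef: busybox@sha256:…`) and restrict-service-account/values.yaml (`request.object.spec.serviceAccountName: busybox`), and it would not be safe for values such as `true`, `yes`, `on` or `1.0`, which YAML parsers coerce away from string. restrict-pod-count-per-node/values.yaml correctly keeps `podcounts: "40"` quoted for exactly that reason. A short comment in this file, `# keep values that could parse as bool/number quoted`, would stop a future cleanup from stripping those as well.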
@@ -1,60 +1,63 @@ -name: test-secrets-policy +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: test-secrets-policy policies: - restrict-secrets-by-name.yaml resources: - resource.yaml results: -- kind: Pod +- kind: Deployment policy: restrict-secrets-by-name resources: - - good-pod-all - result: pass - rule: safe-secrets-from-envfrom + - bad-deploy-env + result: fail + rule: safe-secrets-from-env - kind: Pod policy: restrict-secrets-by-name resources: - - good-pod-all - result: pass + - bad-pod-env + result: fail rule: safe-secrets-from-env - kind: Pod policy: restrict-secrets-by-name resources: - good-pod-all result: pass - rule: safe-secrets-from-volumes -- kind: Pod + rule: safe-secrets-from-env +- kind: Deployment policy: restrict-secrets-by-name resources: - - bad-pod-vol + - bad-deploy-envfrom result: fail - rule: safe-secrets-from-volumes + rule: safe-secrets-from-envfrom - kind: Pod policy: restrict-secrets-by-name resources: - - bad-pod-env + - bad-pod-envfrom result: fail - rule: safe-secrets-from-env + rule: safe-secrets-from-envfrom - kind: Pod policy: restrict-secrets-by-name resources: - - bad-pod-envfrom - result: fail + - good-pod-all + result: pass rule: safe-secrets-from-envfrom - kind: Deployment policy: restrict-secrets-by-name resources: - - bad-deploy-env + - bad-deploy-vol result: fail - rule: safe-secrets-from-env -- kind: Deployment + rule: safe-secrets-from-volumes +- kind: Pod policy: restrict-secrets-by-name resources: - - bad-deploy-envfrom + - bad-pod-vol result: fail - rule: safe-secrets-from-envfrom -- kind: Deployment + rule: safe-secrets-from-volumes +- kind: Pod policy: restrict-secrets-by-name resources: - - bad-deploy-vol - result: fail + - good-pod-all + result: pass rule: safe-secrets-from-volumes diff --git a/other/res/restrict-service-account/kyverno-test.yaml b/other/res/restrict-service-account/kyverno-test.yaml index 4c1474c70..edd5ba199 100644 --- a/other/res/restrict-service-account/kyverno-test.yaml 
+++ b/other/res/restrict-service-account/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict-service-account +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-service-account policies: - restrict-service-account.yaml resources: @@ -7,13 +10,13 @@ results: - kind: Pod policy: restrict-service-account resources: - - goodpod01 - result: pass + - badpod01 + result: fail rule: validate-service-account - kind: Pod policy: restrict-service-account resources: - - badpod01 - result: fail + - goodpod01 + result: pass rule: validate-service-account variables: values.yaml diff --git a/other/res/restrict-service-account/values.yaml b/other/res/restrict-service-account/values.yaml index 7f8806231..d12b52dae 100644 --- a/other/res/restrict-service-account/values.yaml +++ b/other/res/restrict-service-account/values.yaml @@ -1,8 +1,9 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Values policies: - - name: restrict-service-account - rules: - - name: validate-service-account - values: - saMap.data.busybox: "[\"docker.io/busybox\",\"docker.io/busybox:1.28\"]" - request.object.spec.serviceAccountName: "busybox" - \ No newline at end of file +- name: restrict-service-account + rules: + - name: validate-service-account + values: + request.object.spec.serviceAccountName: busybox + saMap.data.busybox: '["docker.io/busybox","docker.io/busybox:1.28"]' diff --git a/other/res/restrict-service-port-range/kyverno-test.yaml b/other/res/restrict-service-port-range/kyverno-test.yaml index a708fb798..bfe1f181d 100644 --- a/other/res/restrict-service-port-range/kyverno-test.yaml +++ b/other/res/restrict-service-port-range/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict-service-port-range +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-service-port-range policies: - restrict-service-port-range.yaml resources: 
diff --git a/other/res/restrict-storageclass/kyverno-test.yaml b/other/res/restrict-storageclass/kyverno-test.yaml index 5288e1bf7..3646003c4 100644 --- a/other/res/restrict-storageclass/kyverno-test.yaml +++ b/other/res/restrict-storageclass/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: restrict-storageclass +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-storageclass policies: - restrict-storageclass.yaml resources: diff --git a/other/res/restrict-usergroup-fsgroup-id/kyverno-test.yaml b/other/res/restrict-usergroup-fsgroup-id/kyverno-test.yaml index 5f1136a67..a00641459 100644 --- a/other/res/restrict-usergroup-fsgroup-id/kyverno-test.yaml +++ b/other/res/restrict-usergroup-fsgroup-id/kyverno-test.yaml @@ -1,27 +1,27 @@ -name: validate-userid-groupid-fsgroup +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: validate-userid-groupid-fsgroup policies: - restrict-usergroup-fsgroup-id.yaml resources: - resource.yaml results: - kind: Pod - namespace: default policy: validate-userid-groupid-fsgroup resources: - - myapp-pod + - default/myapp-pod result: pass - rule: validate-userid + rule: validate-fsgroup - kind: Pod - namespace: default policy: validate-userid-groupid-fsgroup resources: - - myapp-pod + - default/myapp-pod result: pass rule: validate-groupid - kind: Pod - namespace: default policy: validate-userid-groupid-fsgroup resources: - - myapp-pod + - default/myapp-pod result: pass - rule: validate-fsgroup + rule: validate-userid diff --git a/other/s-z/spread-pods-across-topology/kyverno-test.yaml b/other/s-z/spread-pods-across-topology/kyverno-test.yaml index 1e4812c03..94b3278e7 100644 --- a/other/s-z/spread-pods-across-topology/kyverno-test.yaml +++ b/other/s-z/spread-pods-across-topology/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: spread-pods +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: spread-pods policies: - spread-pods-across-topology.yaml resources: 
diff --git a/other/s-z/topologyspreadconstraints-policy/kyverno-test.yaml b/other/s-z/topologyspreadconstraints-policy/kyverno-test.yaml index 5ffd40b8f..c663237d2 100644 --- a/other/s-z/topologyspreadconstraints-policy/kyverno-test.yaml +++ b/other/s-z/topologyspreadconstraints-policy/kyverno-test.yaml @@ -1,45 +1,33 @@ -name: topologyspreadconstraints +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: topologyspreadconstraints policies: - - topologyspreadconstraints-policy.yaml +- topologyspreadconstraints-policy.yaml resources: - - resource-fail1.yaml - - resource-fail2.yaml - - resource-fail3.yaml - - resource-pass.yaml - - resource-skip.yaml +- resource-fail1.yaml +- resource-fail2.yaml +- resource-fail3.yaml +- resource-pass.yaml +- resource-skip.yaml results: - - policy: topologyspreadconstraints-policy - rule: spread-pods - resources: - - pass - namespace: monitoring - kind: StatefulSet - result: pass - - policy: topologyspreadconstraints-policy - rule: spread-pods - resources: - - fail1 - namespace: monitoring - kind: StatefulSet - result: fail - - policy: topologyspreadconstraints-policy - rule: spread-pods - resources: - - fail2 - namespace: monitoring - kind: StatefulSet - result: fail - - policy: topologyspreadconstraints-policy - rule: spread-pods - resources: - - fail3 - namespace: monitoring - kind: StatefulSet - result: fail - - policy: topologyspreadconstraints-policy - rule: spread-pods - resources: - - skip - namespace: monitoring - kind: StatefulSet - result: skip +- kind: StatefulSet + policy: topologyspreadconstraints-policy + resources: + - monitoring/fail1 + - monitoring/fail2 + - monitoring/fail3 + result: fail + rule: spread-pods +- kind: StatefulSet + policy: topologyspreadconstraints-policy + resources: + - monitoring/pass + result: pass + rule: spread-pods +- kind: StatefulSet + policy: topologyspreadconstraints-policy + resources: + - monitoring/skip + result: skip + rule: spread-pods 
diff --git a/pod-security/baseline/disallow-capabilities/kyverno-test.yaml b/pod-security/baseline/disallow-capabilities/kyverno-test.yaml index ea47a611f..b6f20e19a 100644 --- a/pod-security/baseline/disallow-capabilities/kyverno-test.yaml +++ b/pod-security/baseline/disallow-capabilities/kyverno-test.yaml 
@@ -1,222 +1,75 @@ -name: disallow-capabilities +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-capabilities policies: - disallow-capabilities.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-capabilities - resources: - - badpod01 - result: fail - rule: adding-capabilities -- kind: Pod - policy: disallow-capabilities - resources: - - badpod02 - result: fail - rule: adding-capabilities -- kind: Pod - policy: disallow-capabilities - resources: - - badpod03 - result: fail - rule: adding-capabilities -- kind: Pod - policy: disallow-capabilities - resources: - - badpod04 - result: fail - rule: adding-capabilities -- kind: Pod - policy: disallow-capabilities - resources: - - badpod05 - result: fail - rule: adding-capabilities -- kind: Pod +- kind: CronJob policy: disallow-capabilities resources: - - badpod06 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 result: fail rule: adding-capabilities -- kind: Pod - policy: disallow-capabilities - resources: - - goodpod01 - result: pass - rule: adding-capabilities -- kind: Pod - policy: disallow-capabilities - resources: - - goodpod02 - result: pass - rule: adding-capabilities -- kind: Pod - policy: disallow-capabilities - resources: - - goodpod03 - result: pass - rule: adding-capabilities -- kind: Pod - policy: disallow-capabilities - resources: - - goodpod04 - result: pass - rule: adding-capabilities -- kind: Pod - policy: disallow-capabilities - resources: - - goodpod05 - result: pass - rule: adding-capabilities -- kind: Pod - policy: disallow-capabilities - resources: - - goodpod06 - result: pass - rule: adding-capabilities - kind: Deployment policy: disallow-capabilities resources: - baddeployment01 - result: fail - rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - resources: - baddeployment02 - result: fail - rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - 
resources: - baddeployment03 - result: fail - rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - resources: - baddeployment04 - result: fail - rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - resources: - baddeployment05 - result: fail - rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - resources: - baddeployment06 result: fail rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - resources: - - gooddeployment01 - result: pass - rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - resources: - - gooddeployment02 - result: pass - rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - resources: - - gooddeployment03 - result: pass - rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - resources: - - gooddeployment04 - result: pass - rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - resources: - - gooddeployment05 - result: pass - rule: adding-capabilities -- kind: Deployment - policy: disallow-capabilities - resources: - - gooddeployment06 - result: pass - rule: adding-capabilities -- kind: CronJob - policy: disallow-capabilities - resources: - - badcronjob01 - result: fail - rule: adding-capabilities -- kind: CronJob - policy: disallow-capabilities - resources: - - badcronjob02 - result: fail - rule: adding-capabilities -- kind: CronJob - policy: disallow-capabilities - resources: - - badcronjob03 - result: fail - rule: adding-capabilities -- kind: CronJob - policy: disallow-capabilities - resources: - - badcronjob04 - result: fail - rule: adding-capabilities -- kind: CronJob - policy: disallow-capabilities - resources: - - badcronjob05 - result: fail - rule: adding-capabilities -- kind: CronJob +- kind: Pod policy: disallow-capabilities resources: - - badcronjob06 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 
result: fail rule: adding-capabilities - kind: CronJob policy: disallow-capabilities resources: - goodcronjob01 - result: pass - rule: adding-capabilities -- kind: CronJob - policy: disallow-capabilities - resources: - goodcronjob02 - result: pass - rule: adding-capabilities -- kind: CronJob - policy: disallow-capabilities - resources: - goodcronjob03 - result: pass - rule: adding-capabilities -- kind: CronJob - policy: disallow-capabilities - resources: - goodcronjob04 + - goodcronjob05 + - goodcronjob06 result: pass rule: adding-capabilities -- kind: CronJob +- kind: Deployment policy: disallow-capabilities resources: - - goodcronjob05 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 result: pass rule: adding-capabilities -- kind: CronJob +- kind: Pod policy: disallow-capabilities resources: - - goodcronjob06 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 result: pass rule: adding-capabilities diff --git a/pod-security/baseline/disallow-host-namespaces/kyverno-test.yaml b/pod-security/baseline/disallow-host-namespaces/kyverno-test.yaml index 124392e1e..582fa7794 100644 --- a/pod-security/baseline/disallow-host-namespaces/kyverno-test.yaml +++ b/pod-security/baseline/disallow-host-namespaces/kyverno-test.yaml 
@@ -1,168 +1,66 @@ -name: disallow-host-namespaces +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-namespaces policies: - disallow-host-namespaces.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-host-namespaces - resources: - - badpod01 - result: fail - rule: host-namespaces -- kind: Pod - policy: disallow-host-namespaces - resources: - - badpod02 - result: fail - rule: host-namespaces -- kind: Pod - policy: disallow-host-namespaces - resources: - - badpod03 - result: fail - rule: host-namespaces -- kind: Pod +- kind: CronJob policy: disallow-host-namespaces resources: - - badpod04 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 result: fail rule: host-namespaces -- kind: Pod - policy: disallow-host-namespaces - resources: - - goodpod01 - result: pass - rule: host-namespaces -- kind: Pod - policy: disallow-host-namespaces - resources: - - goodpod02 - result: pass - rule: host-namespaces -- kind: Pod - policy: disallow-host-namespaces - resources: - - goodpod03 - result: pass - rule: host-namespaces -- kind: Pod - policy: disallow-host-namespaces - resources: - - goodpod04 - result: pass - rule: host-namespaces -- kind: Pod - policy: disallow-host-namespaces - resources: - - goodpod05 - result: pass - rule: host-namespaces - kind: Deployment policy: disallow-host-namespaces resources: - baddeployment01 - result: fail - rule: host-namespaces -- kind: Deployment - policy: disallow-host-namespaces - resources: - baddeployment02 - result: fail - rule: host-namespaces -- kind: Deployment - policy: disallow-host-namespaces - resources: - baddeployment03 - result: fail - rule: host-namespaces -- kind: Deployment - policy: disallow-host-namespaces - resources: - baddeployment04 result: fail rule: host-namespaces -- kind: Deployment - policy: disallow-host-namespaces - resources: - - gooddeployment01 - result: pass - rule: host-namespaces -- kind: Deployment - policy: disallow-host-namespaces - 
resources: - - gooddeployment02 - result: pass - rule: host-namespaces -- kind: Deployment - policy: disallow-host-namespaces - resources: - - gooddeployment03 - result: pass - rule: host-namespaces -- kind: Deployment - policy: disallow-host-namespaces - resources: - - gooddeployment04 - result: pass - rule: host-namespaces -- kind: Deployment - policy: disallow-host-namespaces - resources: - - gooddeployment05 - result: pass - rule: host-namespaces -- kind: CronJob - policy: disallow-host-namespaces - resources: - - badcronjob01 - result: fail - rule: host-namespaces -- kind: CronJob - policy: disallow-host-namespaces - resources: - - badcronjob02 - result: fail - rule: host-namespaces -- kind: CronJob - policy: disallow-host-namespaces - resources: - - badcronjob03 - result: fail - rule: host-namespaces -- kind: CronJob +- kind: Pod policy: disallow-host-namespaces resources: - - badcronjob04 + - badpod01 + - badpod02 + - badpod03 + - badpod04 result: fail rule: host-namespaces - kind: CronJob policy: disallow-host-namespaces resources: - goodcronjob01 - result: pass - rule: host-namespaces -- kind: CronJob - policy: disallow-host-namespaces - resources: - goodcronjob02 - result: pass - rule: host-namespaces -- kind: CronJob - policy: disallow-host-namespaces - resources: - goodcronjob03 + - goodcronjob04 + - goodcronjob05 result: pass rule: host-namespaces -- kind: CronJob +- kind: Deployment policy: disallow-host-namespaces resources: - - goodcronjob04 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 result: pass rule: host-namespaces -- kind: CronJob +- kind: Pod policy: disallow-host-namespaces resources: - - goodcronjob05 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 result: pass rule: host-namespaces diff --git a/pod-security/baseline/disallow-host-path/kyverno-test.yaml b/pod-security/baseline/disallow-host-path/kyverno-test.yaml index e8727e8da..f64ceba01 100644 
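Review bot: Collapsing one result entry per resource into one entry per (kind, result) means a fixture name that is accidentally dropped from a list is presumably no longer exercised at all rather than reported as a failure, so the lists are now the only record of expected coverage. I tallied the added lists against the removed entries in this hunk (badpod/baddeployment/badcronjob 01-04 fail, good* 01-05 pass) and in disallow-host-path, disallow-host-ports-range, disallow-host-ports, disallow-host-process and disallow-privileged-containers, and no resource name was lost or changed sides. A short comment above `results:` would make that invariant visible to the next editor, e.g. `# every resource in resource.yaml must appear exactly once below; an unlisted name is untested, not a pass`. The same comment would apply to the other five test files named above.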
--- a/pod-security/baseline/disallow-host-path/kyverno-test.yaml +++ b/pod-security/baseline/disallow-host-path/kyverno-test.yaml @@ -1,78 +1,51 @@ -name: disallow-host-path +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-path policies: - disallow-host-path.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-host-path - resources: - - badpod01 - result: fail - rule: host-path -- kind: Pod +- kind: CronJob policy: disallow-host-path resources: - - badpod02 + - badcronjob01 + - badcronjob02 result: fail rule: host-path -- kind: Pod - policy: disallow-host-path - resources: - - goodpod01 - result: pass - rule: host-path -- kind: Pod - policy: disallow-host-path - resources: - - goodpod02 - result: pass - rule: host-path - kind: Deployment policy: disallow-host-path resources: - baddeployment01 + - baddeployment02 result: fail rule: host-path -- kind: Deployment +- kind: Pod policy: disallow-host-path resources: - - baddeployment02 + - badpod01 + - badpod02 result: fail rule: host-path -- kind: Deployment +- kind: CronJob policy: disallow-host-path resources: - - gooddeployment01 + - goodcronjob01 + - goodcronjob02 result: pass rule: host-path - kind: Deployment policy: disallow-host-path resources: + - gooddeployment01 - gooddeployment02 result: pass rule: host-path -- kind: CronJob - policy: disallow-host-path - resources: - - badcronjob01 - result: fail - rule: host-path -- kind: CronJob - policy: disallow-host-path - resources: - - badcronjob02 - result: fail - rule: host-path -- kind: CronJob - policy: disallow-host-path - resources: - - goodcronjob01 - result: pass - rule: host-path -- kind: CronJob +- kind: Pod policy: disallow-host-path resources: - - goodcronjob02 + - goodpod01 + - goodpod02 result: pass rule: host-path diff --git a/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml b/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml index bab2a3022..e9ef5fdf0 100644 
--- a/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml
+++ b/pod-security/baseline/disallow-host-ports-range/kyverno-test.yaml
@@ -1,366 +1,99 @@ -name: disallow-host-ports-range +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-ports-range policies: - disallow-host-ports-range.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-host-ports-range - resources: - - badpod01 - result: fail - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - badpod02 - result: fail - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - badpod03 - result: fail - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - badpod04 - result: fail - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - badpod05 - result: fail - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - badpod06 - result: fail - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - badpod07 - result: fail - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - badpod08 - result: fail - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - badpod09 - result: fail - rule: host-port-range -- kind: Pod +- kind: CronJob policy: disallow-host-ports-range resources: - - badpod10 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 result: fail rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - goodpod01 - result: pass - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - goodpod02 - result: pass - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - goodpod03 - result: pass - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - goodpod04 - result: pass - rule: 
host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - goodpod05 - result: pass - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - goodpod06 - result: pass - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - goodpod07 - result: pass - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - goodpod08 - result: pass - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - goodpod09 - result: pass - rule: host-port-range -- kind: Pod - policy: disallow-host-ports-range - resources: - - goodpod10 - result: pass - rule: host-port-range - kind: Deployment policy: disallow-host-ports-range resources: - baddeployment01 - result: fail - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - baddeployment02 - result: fail - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - baddeployment03 - result: fail - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - baddeployment04 - result: fail - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - baddeployment05 - result: fail - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - baddeployment06 - result: fail - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - baddeployment07 - result: fail - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - baddeployment08 - result: fail - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - baddeployment09 - result: fail - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - baddeployment10 result: fail rule: host-port-range -- kind: Deployment - policy: 
disallow-host-ports-range - resources: - - gooddeployment01 - result: pass - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - - gooddeployment02 - result: pass - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - - gooddeployment03 - result: pass - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - - gooddeployment04 - result: pass - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - - gooddeployment05 - result: pass - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - - gooddeployment06 - result: pass - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - - gooddeployment07 - result: pass - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - - gooddeployment08 - result: pass - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - - gooddeployment09 - result: pass - rule: host-port-range -- kind: Deployment - policy: disallow-host-ports-range - resources: - - gooddeployment10 - result: pass - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - - badcronjob01 - result: fail - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - - badcronjob02 - result: fail - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - - badcronjob03 - result: fail - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - - badcronjob04 - result: fail - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - - badcronjob05 - result: fail - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - - badcronjob06 - result: fail - rule: host-port-range -- 
kind: CronJob - policy: disallow-host-ports-range - resources: - - badcronjob07 - result: fail - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - - badcronjob08 - result: fail - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - - badcronjob09 - result: fail - rule: host-port-range -- kind: CronJob +- kind: Pod policy: disallow-host-ports-range resources: - - badcronjob10 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 result: fail rule: host-port-range - kind: CronJob policy: disallow-host-ports-range resources: - goodcronjob01 - result: pass - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - goodcronjob02 - result: pass - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - goodcronjob03 - result: pass - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - goodcronjob04 - result: pass - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - goodcronjob05 - result: pass - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - goodcronjob06 - result: pass - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - goodcronjob07 - result: pass - rule: host-port-range -- kind: CronJob - policy: disallow-host-ports-range - resources: - goodcronjob08 + - goodcronjob09 + - goodcronjob10 result: pass rule: host-port-range -- kind: CronJob +- kind: Deployment policy: disallow-host-ports-range resources: - - goodcronjob09 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 result: pass rule: host-port-range -- kind: CronJob +- kind: Pod policy: 
disallow-host-ports-range resources: - - goodcronjob10 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 result: pass rule: host-port-range diff --git a/pod-security/baseline/disallow-host-ports/kyverno-test.yaml b/pod-security/baseline/disallow-host-ports/kyverno-test.yaml index bbae5544e..7a4d01264 100644 --- a/pod-security/baseline/disallow-host-ports/kyverno-test.yaml +++ b/pod-security/baseline/disallow-host-ports/kyverno-test.yaml 
@@ -1,366 +1,99 @@ -name: disallow-host-ports +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-ports policies: - disallow-host-ports.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-host-ports - resources: - - badpod01 - result: fail - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - badpod02 - result: fail - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - badpod03 - result: fail - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - badpod04 - result: fail - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - badpod05 - result: fail - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - badpod06 - result: fail - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - badpod07 - result: fail - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - badpod08 - result: fail - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - badpod09 - result: fail - rule: host-ports-none -- kind: Pod +- kind: CronJob policy: disallow-host-ports resources: - - badpod10 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 result: fail rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - goodpod01 - result: pass - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - goodpod02 - result: pass - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - goodpod03 - result: pass - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - goodpod04 - result: pass - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - goodpod05 - result: pass - rule: 
host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - goodpod06 - result: pass - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - goodpod07 - result: pass - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - goodpod08 - result: pass - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - goodpod09 - result: pass - rule: host-ports-none -- kind: Pod - policy: disallow-host-ports - resources: - - goodpod10 - result: pass - rule: host-ports-none - kind: Deployment policy: disallow-host-ports resources: - baddeployment01 - result: fail - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - baddeployment02 - result: fail - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - baddeployment03 - result: fail - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - baddeployment04 - result: fail - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - baddeployment05 - result: fail - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - baddeployment06 - result: fail - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - baddeployment07 - result: fail - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - baddeployment08 - result: fail - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - baddeployment09 - result: fail - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - baddeployment10 result: fail rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - - gooddeployment01 - result: pass - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - - gooddeployment02 - result: pass - rule: host-ports-none 
-- kind: Deployment - policy: disallow-host-ports - resources: - - gooddeployment03 - result: pass - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - - gooddeployment04 - result: pass - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - - gooddeployment05 - result: pass - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - - gooddeployment06 - result: pass - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - - gooddeployment07 - result: pass - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - - gooddeployment08 - result: pass - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - - gooddeployment09 - result: pass - rule: host-ports-none -- kind: Deployment - policy: disallow-host-ports - resources: - - gooddeployment10 - result: pass - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - - badcronjob01 - result: fail - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - - badcronjob02 - result: fail - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - - badcronjob03 - result: fail - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - - badcronjob04 - result: fail - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - - badcronjob05 - result: fail - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - - badcronjob06 - result: fail - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - - badcronjob07 - result: fail - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - - badcronjob08 - result: fail - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - - badcronjob09 - result: 
fail - rule: host-ports-none -- kind: CronJob +- kind: Pod policy: disallow-host-ports resources: - - badcronjob10 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 result: fail rule: host-ports-none - kind: CronJob policy: disallow-host-ports resources: - goodcronjob01 - result: pass - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - goodcronjob02 - result: pass - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - goodcronjob03 - result: pass - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - goodcronjob04 - result: pass - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - goodcronjob05 - result: pass - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - goodcronjob06 - result: pass - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - goodcronjob07 - result: pass - rule: host-ports-none -- kind: CronJob - policy: disallow-host-ports - resources: - goodcronjob08 + - goodcronjob09 + - goodcronjob10 result: pass rule: host-ports-none -- kind: CronJob +- kind: Deployment policy: disallow-host-ports resources: - - goodcronjob09 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 result: pass rule: host-ports-none -- kind: CronJob +- kind: Pod policy: disallow-host-ports resources: - - goodcronjob10 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 result: pass rule: host-ports-none 
diff --git a/pod-security/baseline/disallow-host-process/kyverno-test.yaml b/pod-security/baseline/disallow-host-process/kyverno-test.yaml
index 61ac71374..13bfd26a3 100644
--- a/pod-security/baseline/disallow-host-process/kyverno-test.yaml
+++ b/pod-security/baseline/disallow-host-process/kyverno-test.yaml
@@ -1,204 +1,72 @@ -name: disallow-host-process +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-host-process policies: - disallow-host-process.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-host-process - resources: - - badpod01 - result: fail - rule: host-process-containers -- kind: Pod - policy: disallow-host-process - resources: - - badpod02 - result: fail - rule: host-process-containers -- kind: Pod - policy: disallow-host-process - resources: - - badpod03 - result: fail - rule: host-process-containers -- kind: Pod - policy: disallow-host-process - resources: - - badpod04 - result: fail - rule: host-process-containers -- kind: Pod +- kind: CronJob policy: disallow-host-process resources: - - badpod05 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 result: fail rule: host-process-containers -- kind: Pod - policy: disallow-host-process - resources: - - goodpod01 - result: pass - rule: host-process-containers -- kind: Pod - policy: disallow-host-process - resources: - - goodpod02 - result: pass - rule: host-process-containers -- kind: Pod - policy: disallow-host-process - resources: - - goodpod03 - result: pass - rule: host-process-containers -- kind: Pod - policy: disallow-host-process - resources: - - goodpod04 - result: pass - rule: host-process-containers -- kind: Pod - policy: disallow-host-process - resources: - - goodpod05 - result: pass - rule: host-process-containers -- kind: Pod - policy: disallow-host-process - resources: - - goodpod06 - result: pass - rule: host-process-containers - kind: Deployment policy: disallow-host-process resources: - baddeployment01 - result: fail - rule: host-process-containers -- kind: Deployment - policy: disallow-host-process - resources: - baddeployment02 - result: fail - rule: host-process-containers -- kind: Deployment - policy: disallow-host-process - resources: - baddeployment03 - result: fail - rule: host-process-containers -- 
kind: Deployment - policy: disallow-host-process - resources: - baddeployment04 - result: fail - rule: host-process-containers -- kind: Deployment - policy: disallow-host-process - resources: - baddeployment05 result: fail rule: host-process-containers -- kind: Deployment - policy: disallow-host-process - resources: - - gooddeployment01 - result: pass - rule: host-process-containers -- kind: Deployment - policy: disallow-host-process - resources: - - gooddeployment02 - result: pass - rule: host-process-containers -- kind: Deployment - policy: disallow-host-process - resources: - - gooddeployment03 - result: pass - rule: host-process-containers -- kind: Deployment - policy: disallow-host-process - resources: - - gooddeployment04 - result: pass - rule: host-process-containers -- kind: Deployment - policy: disallow-host-process - resources: - - gooddeployment05 - result: pass - rule: host-process-containers -- kind: Deployment - policy: disallow-host-process - resources: - - gooddeployment06 - result: pass - rule: host-process-containers -- kind: CronJob - policy: disallow-host-process - resources: - - badcronjob01 - result: fail - rule: host-process-containers -- kind: CronJob - policy: disallow-host-process - resources: - - badcronjob02 - result: fail - rule: host-process-containers -- kind: CronJob - policy: disallow-host-process - resources: - - badcronjob03 - result: fail - rule: host-process-containers -- kind: CronJob - policy: disallow-host-process - resources: - - badcronjob04 - result: fail - rule: host-process-containers -- kind: CronJob +- kind: Pod policy: disallow-host-process resources: - - badcronjob05 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 result: fail rule: host-process-containers - kind: CronJob policy: disallow-host-process resources: - goodcronjob01 - result: pass - rule: host-process-containers -- kind: CronJob - policy: disallow-host-process - resources: - goodcronjob02 - result: pass - rule: host-process-containers -- 
kind: CronJob - policy: disallow-host-process - resources: - goodcronjob03 - result: pass - rule: host-process-containers -- kind: CronJob - policy: disallow-host-process - resources: - goodcronjob04 + - goodcronjob05 + - goodcronjob06 result: pass rule: host-process-containers -- kind: CronJob +- kind: Deployment policy: disallow-host-process resources: - - goodcronjob05 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 result: pass rule: host-process-containers -- kind: CronJob +- kind: Pod policy: disallow-host-process resources: - - goodcronjob06 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 result: pass rule: host-process-containers diff --git a/pod-security/baseline/disallow-privileged-containers/kyverno-test.yaml b/pod-security/baseline/disallow-privileged-containers/kyverno-test.yaml index 129f66c71..9d25762e5 100644 --- a/pod-security/baseline/disallow-privileged-containers/kyverno-test.yaml +++ b/pod-security/baseline/disallow-privileged-containers/kyverno-test.yaml 
@@ -1,204 +1,72 @@ -name: disallow-privileged-containers +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-privileged-containers policies: - disallow-privileged-containers.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-privileged-containers - resources: - - badpod01 - result: fail - rule: privileged-containers -- kind: Pod - policy: disallow-privileged-containers - resources: - - badpod02 - result: fail - rule: privileged-containers -- kind: Pod - policy: disallow-privileged-containers - resources: - - badpod03 - result: fail - rule: privileged-containers -- kind: Pod - policy: disallow-privileged-containers - resources: - - badpod04 - result: fail - rule: privileged-containers -- kind: Pod +- kind: CronJob policy: disallow-privileged-containers resources: - - badpod05 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 result: fail rule: privileged-containers -- kind: Pod - policy: disallow-privileged-containers - resources: - - goodpod01 - result: pass - rule: privileged-containers -- kind: Pod - policy: disallow-privileged-containers - resources: - - goodpod02 - result: pass - rule: privileged-containers -- kind: Pod - policy: disallow-privileged-containers - resources: - - goodpod03 - result: pass - rule: privileged-containers -- kind: Pod - policy: disallow-privileged-containers - resources: - - goodpod04 - result: pass - rule: privileged-containers -- kind: Pod - policy: disallow-privileged-containers - resources: - - goodpod05 - result: pass - rule: privileged-containers -- kind: Pod - policy: disallow-privileged-containers - resources: - - goodpod06 - result: pass - rule: privileged-containers - kind: Deployment policy: disallow-privileged-containers resources: - baddeployment01 - result: fail - rule: privileged-containers -- kind: Deployment - policy: disallow-privileged-containers - resources: - baddeployment02 - result: fail - rule: privileged-containers -- kind: 
Deployment - policy: disallow-privileged-containers - resources: - baddeployment03 - result: fail - rule: privileged-containers -- kind: Deployment - policy: disallow-privileged-containers - resources: - baddeployment04 - result: fail - rule: privileged-containers -- kind: Deployment - policy: disallow-privileged-containers - resources: - baddeployment05 result: fail rule: privileged-containers -- kind: Deployment - policy: disallow-privileged-containers - resources: - - gooddeployment01 - result: pass - rule: privileged-containers -- kind: Deployment - policy: disallow-privileged-containers - resources: - - gooddeployment02 - result: pass - rule: privileged-containers -- kind: Deployment - policy: disallow-privileged-containers - resources: - - gooddeployment03 - result: pass - rule: privileged-containers -- kind: Deployment - policy: disallow-privileged-containers - resources: - - gooddeployment04 - result: pass - rule: privileged-containers -- kind: Deployment - policy: disallow-privileged-containers - resources: - - gooddeployment05 - result: pass - rule: privileged-containers -- kind: Deployment - policy: disallow-privileged-containers - resources: - - gooddeployment06 - result: pass - rule: privileged-containers -- kind: CronJob - policy: disallow-privileged-containers - resources: - - badcronjob01 - result: fail - rule: privileged-containers -- kind: CronJob - policy: disallow-privileged-containers - resources: - - badcronjob02 - result: fail - rule: privileged-containers -- kind: CronJob - policy: disallow-privileged-containers - resources: - - badcronjob03 - result: fail - rule: privileged-containers -- kind: CronJob - policy: disallow-privileged-containers - resources: - - badcronjob04 - result: fail - rule: privileged-containers -- kind: CronJob +- kind: Pod policy: disallow-privileged-containers resources: - - badcronjob05 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 result: fail rule: privileged-containers - kind: CronJob policy: 
disallow-privileged-containers resources: - goodcronjob01 - result: pass - rule: privileged-containers -- kind: CronJob - policy: disallow-privileged-containers - resources: - goodcronjob02 - result: pass - rule: privileged-containers -- kind: CronJob - policy: disallow-privileged-containers - resources: - goodcronjob03 - result: pass - rule: privileged-containers -- kind: CronJob - policy: disallow-privileged-containers - resources: - goodcronjob04 + - goodcronjob05 + - goodcronjob06 result: pass rule: privileged-containers -- kind: CronJob +- kind: Deployment policy: disallow-privileged-containers resources: - - goodcronjob05 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 result: pass rule: privileged-containers -- kind: CronJob +- kind: Pod policy: disallow-privileged-containers resources: - - goodcronjob06 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 result: pass rule: privileged-containers diff --git a/pod-security/baseline/disallow-proc-mount/kyverno-test.yaml b/pod-security/baseline/disallow-proc-mount/kyverno-test.yaml index 26e4d5ec0..8b4e80d33 100644 --- a/pod-security/baseline/disallow-proc-mount/kyverno-test.yaml +++ b/pod-security/baseline/disallow-proc-mount/kyverno-test.yaml 
@@ -1,204 +1,72 @@ -name: disallow-proc-mount +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-proc-mount policies: - disallow-proc-mount.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-proc-mount - resources: - - badpod01 - result: fail - rule: check-proc-mount -- kind: Pod - policy: disallow-proc-mount - resources: - - badpod02 - result: fail - rule: check-proc-mount -- kind: Pod - policy: disallow-proc-mount - resources: - - badpod03 - result: fail - rule: check-proc-mount -- kind: Pod - policy: disallow-proc-mount - resources: - - badpod04 - result: fail - rule: check-proc-mount -- kind: Pod +- kind: CronJob policy: disallow-proc-mount resources: - - badpod05 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 result: fail rule: check-proc-mount -- kind: Pod - policy: disallow-proc-mount - resources: - - goodpod01 - result: pass - rule: check-proc-mount -- kind: Pod - policy: disallow-proc-mount - resources: - - goodpod02 - result: pass - rule: check-proc-mount -- kind: Pod - policy: disallow-proc-mount - resources: - - goodpod03 - result: pass - rule: check-proc-mount -- kind: Pod - policy: disallow-proc-mount - resources: - - goodpod04 - result: pass - rule: check-proc-mount -- kind: Pod - policy: disallow-proc-mount - resources: - - goodpod05 - result: pass - rule: check-proc-mount -- kind: Pod - policy: disallow-proc-mount - resources: - - goodpod06 - result: pass - rule: check-proc-mount - kind: Deployment policy: disallow-proc-mount resources: - baddeployment01 - result: fail - rule: check-proc-mount -- kind: Deployment - policy: disallow-proc-mount - resources: - baddeployment02 - result: fail - rule: check-proc-mount -- kind: Deployment - policy: disallow-proc-mount - resources: - baddeployment03 - result: fail - rule: check-proc-mount -- kind: Deployment - policy: disallow-proc-mount - resources: - baddeployment04 - result: fail - rule: check-proc-mount -- kind: 
Deployment - policy: disallow-proc-mount - resources: - baddeployment05 result: fail rule: check-proc-mount -- kind: Deployment - policy: disallow-proc-mount - resources: - - gooddeployment01 - result: pass - rule: check-proc-mount -- kind: Deployment - policy: disallow-proc-mount - resources: - - gooddeployment02 - result: pass - rule: check-proc-mount -- kind: Deployment - policy: disallow-proc-mount - resources: - - gooddeployment03 - result: pass - rule: check-proc-mount -- kind: Deployment - policy: disallow-proc-mount - resources: - - gooddeployment04 - result: pass - rule: check-proc-mount -- kind: Deployment - policy: disallow-proc-mount - resources: - - gooddeployment05 - result: pass - rule: check-proc-mount -- kind: Deployment - policy: disallow-proc-mount - resources: - - gooddeployment06 - result: pass - rule: check-proc-mount -- kind: CronJob - policy: disallow-proc-mount - resources: - - badcronjob01 - result: fail - rule: check-proc-mount -- kind: CronJob - policy: disallow-proc-mount - resources: - - badcronjob02 - result: fail - rule: check-proc-mount -- kind: CronJob - policy: disallow-proc-mount - resources: - - badcronjob03 - result: fail - rule: check-proc-mount -- kind: CronJob - policy: disallow-proc-mount - resources: - - badcronjob04 - result: fail - rule: check-proc-mount -- kind: CronJob +- kind: Pod policy: disallow-proc-mount resources: - - badcronjob05 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 result: fail rule: check-proc-mount - kind: CronJob policy: disallow-proc-mount resources: - goodcronjob01 - result: pass - rule: check-proc-mount -- kind: CronJob - policy: disallow-proc-mount - resources: - goodcronjob02 - result: pass - rule: check-proc-mount -- kind: CronJob - policy: disallow-proc-mount - resources: - goodcronjob03 - result: pass - rule: check-proc-mount -- kind: CronJob - policy: disallow-proc-mount - resources: - goodcronjob04 + - goodcronjob05 + - goodcronjob06 result: pass rule: check-proc-mount 
-- kind: CronJob +- kind: Deployment policy: disallow-proc-mount resources: - - goodcronjob05 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 result: pass rule: check-proc-mount -- kind: CronJob +- kind: Pod policy: disallow-proc-mount resources: - - goodcronjob06 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 result: pass rule: check-proc-mount diff --git a/pod-security/baseline/disallow-selinux/kyverno-test.yaml b/pod-security/baseline/disallow-selinux/kyverno-test.yaml index 05bb38dc0..83736fd47 100644 --- a/pod-security/baseline/disallow-selinux/kyverno-test.yaml +++ b/pod-security/baseline/disallow-selinux/kyverno-test.yaml 
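Review bot: Each consolidated `results` entry now carries one `result` for a whole list of resources, so the test only stays equivalent to the old one-entry-per-resource form if the CLI checks every listed name against that outcome rather than stopping at the first match; please confirm that semantics for `cli.kyverno.io/v1alpha1` before treating these files as regression coverage for the pod-security policies. From the visible lines the resource sets themselves look preserved here (badX01–05 and goodX01–06 for each of CronJob, Deployment and Pod), so no case appears dropped. The same regrouping applies to the disallow-selinux, restrict-apparmor-profiles, restrict-seccomp and restrict-sysctls hunks below, and in disallow-selinux the `selinux-user-role` groups grow to 17 names each. With groups that long, a one-line comment above each block naming what the group is expected to exercise, e.g. `# badcronjob01..05: expected to be rejected by check-proc-mount (see resource.yaml for the field each one sets)`, would keep the name-to-expectation mapping readable without reopening resource.yaml.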
@@ -1,888 +1,216 @@ -name: disallow-selinux +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-selinux policies: - disallow-selinux.yaml resources: - resource.yaml results: -- kind: Pod +- kind: CronJob policy: disallow-selinux resources: - - badpod01 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 result: fail rule: selinux-type -- kind: Pod +- kind: Deployment policy: disallow-selinux resources: - - badpod02 + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 result: fail rule: selinux-type - kind: Pod policy: disallow-selinux resources: + - badpod01 + - badpod02 - badpod03 - result: fail - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - badpod04 - result: fail - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - badpod05 - result: fail - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - badpod06 - result: fail - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - badpod07 result: fail rule: selinux-type -- kind: Pod +- kind: CronJob policy: disallow-selinux resources: - - goodpod01 + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 + - goodcronjob07 + - goodcronjob08 + - goodcronjob09 + - goodcronjob10 + - goodcronjob11 + - goodcronjob12 + - goodcronjob13 + - goodcronjob14 result: pass rule: selinux-type -- kind: Pod +- kind: Deployment policy: disallow-selinux resources: - - goodpod02 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + - gooddeployment11 + - gooddeployment12 + - gooddeployment13 + - gooddeployment14 result: pass rule: selinux-type - kind: Pod policy: 
disallow-selinux resources: + - goodpod01 + - goodpod02 - goodpod03 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod04 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod05 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod06 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod07 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod08 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod09 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod10 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod11 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod12 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod13 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - goodpod14 result: pass rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - baddeployment01 - result: fail - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - baddeployment02 - result: fail - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - baddeployment03 - result: fail - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - baddeployment04 - result: fail - rule: selinux-type -- kind: Deployment +- kind: CronJob policy: disallow-selinux resources: - - baddeployment05 + - selur-badcronjob01 + - selur-badcronjob02 + - selur-badcronjob03 + - selur-badcronjob04 + - selur-badcronjob05 + - selur-badcronjob06 + - selur-badcronjob07 + - selur-badcronjob08 + - selur-badcronjob09 + - selur-badcronjob10 + 
- selur-badcronjob11 + - selur-badcronjob12 + - selur-badcronjob13 + - selur-badcronjob14 + - selur-badcronjob15 + - selur-badcronjob16 + - selur-badcronjob17 result: fail - rule: selinux-type + rule: selinux-user-role - kind: Deployment policy: disallow-selinux resources: - - baddeployment06 + - selur-baddeployment01 + - selur-baddeployment02 + - selur-baddeployment03 + - selur-baddeployment04 + - selur-baddeployment05 + - selur-baddeployment06 + - selur-baddeployment07 + - selur-baddeployment08 + - selur-baddeployment09 + - selur-baddeployment10 + - selur-baddeployment11 + - selur-baddeployment12 + - selur-baddeployment13 + - selur-baddeployment14 + - selur-baddeployment15 + - selur-baddeployment16 + - selur-baddeployment17 result: fail - rule: selinux-type -- kind: Deployment + rule: selinux-user-role +- kind: Pod policy: disallow-selinux resources: - - baddeployment07 + - selur-badpod01 + - selur-badpod02 + - selur-badpod03 + - selur-badpod04 + - selur-badpod05 + - selur-badpod06 + - selur-badpod07 + - selur-badpod08 + - selur-badpod09 + - selur-badpod10 + - selur-badpod11 + - selur-badpod12 + - selur-badpod13 + - selur-badpod14 + - selur-badpod15 + - selur-badpod16 + - selur-badpod17 result: fail - rule: selinux-type -- kind: Deployment + rule: selinux-user-role +- kind: CronJob policy: disallow-selinux resources: - - gooddeployment01 + - selur-goodcronjob01 + - selur-goodcronjob02 + - selur-goodcronjob03 + - selur-goodcronjob04 + - selur-goodcronjob05 + - selur-goodcronjob06 + - selur-goodcronjob07 + - selur-goodcronjob08 + - selur-goodcronjob09 + - selur-goodcronjob10 + - selur-goodcronjob11 result: pass - rule: selinux-type + rule: selinux-user-role - kind: Deployment policy: disallow-selinux resources: - - gooddeployment02 + - selur-gooddeployment01 + - selur-gooddeployment02 + - selur-gooddeployment03 + - selur-gooddeployment04 + - selur-gooddeployment05 + - selur-gooddeployment06 + - selur-gooddeployment07 + - selur-gooddeployment08 + - 
selur-gooddeployment09 + - selur-gooddeployment10 + - selur-gooddeployment11 result: pass - rule: selinux-type -- kind: Deployment + rule: selinux-user-role +- kind: Pod policy: disallow-selinux resources: - - gooddeployment03 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment04 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment05 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment06 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment07 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment08 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment09 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment10 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment11 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment12 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment13 - result: pass - rule: selinux-type -- kind: Deployment - policy: disallow-selinux - resources: - - gooddeployment14 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - badcronjob01 - result: fail - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - badcronjob02 - result: fail - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - badcronjob03 - result: fail - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - badcronjob04 - result: fail - rule: selinux-type -- kind: 
CronJob - policy: disallow-selinux - resources: - - badcronjob05 - result: fail - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - badcronjob06 - result: fail - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - badcronjob07 - result: fail - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob01 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob02 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob03 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob04 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob05 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob06 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob07 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob08 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob09 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob10 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob11 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob12 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob13 - result: pass - rule: selinux-type -- kind: CronJob - policy: disallow-selinux - resources: - - goodcronjob14 - result: pass - rule: selinux-type -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod01 - result: fail - rule: selinux-user-role -- kind: 
Pod - policy: disallow-selinux - resources: - - selur-badpod02 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod03 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod04 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod05 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod06 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod07 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod08 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod09 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod10 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod11 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod12 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod13 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod14 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod15 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod16 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-badpod17 - result: fail - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod01 - result: pass - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod02 - result: 
pass - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod03 - result: pass - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod04 - result: pass - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod05 - result: pass - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod06 - result: pass - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod07 - result: pass - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod08 - result: pass - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod09 - result: pass - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod10 - result: pass - rule: selinux-user-role -- kind: Pod - policy: disallow-selinux - resources: - - selur-goodpod11 - result: pass - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment01 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment02 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment03 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment04 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment05 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment06 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment07 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - 
resources: - - selur-baddeployment08 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment09 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment10 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment11 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment12 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment13 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment14 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment15 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment16 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-baddeployment17 - result: fail - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment01 - result: pass - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment02 - result: pass - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment03 - result: pass - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment04 - result: pass - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment05 - result: pass - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment06 - result: pass - rule: selinux-user-role -- kind: 
Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment07 - result: pass - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment08 - result: pass - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment09 - result: pass - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment10 - result: pass - rule: selinux-user-role -- kind: Deployment - policy: disallow-selinux - resources: - - selur-gooddeployment11 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob01 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob02 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob03 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob04 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob05 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob06 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob07 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob08 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob09 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob10 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob11 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: 
disallow-selinux - resources: - - selur-badcronjob12 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob13 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob14 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob15 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob16 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-badcronjob17 - result: fail - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob01 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob02 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob03 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob04 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob05 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob06 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob07 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob08 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob09 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob10 - result: pass - rule: selinux-user-role -- kind: CronJob - policy: disallow-selinux - resources: - - selur-goodcronjob11 
+ - selur-goodpod01 + - selur-goodpod02 + - selur-goodpod03 + - selur-goodpod04 + - selur-goodpod05 + - selur-goodpod06 + - selur-goodpod07 + - selur-goodpod08 + - selur-goodpod09 + - selur-goodpod10 + - selur-goodpod11 result: pass rule: selinux-user-role diff --git a/pod-security/baseline/restrict-apparmor-profiles/kyverno-test.yaml b/pod-security/baseline/restrict-apparmor-profiles/kyverno-test.yaml index f964a7625..ea2ade84d 100644 --- a/pod-security/baseline/restrict-apparmor-profiles/kyverno-test.yaml +++ b/pod-security/baseline/restrict-apparmor-profiles/kyverno-test.yaml 
@@ -1,78 +1,51 @@ -name: restrict-apparmor-profiles +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-apparmor-profiles policies: - restrict-apparmor-profiles.yaml resources: - resource.yaml results: -- kind: Pod +- kind: CronJob policy: restrict-apparmor-profiles resources: - - badpod01 + - badcronjob01 result: fail rule: app-armor -- kind: Pod - policy: restrict-apparmor-profiles - resources: - - goodpod01 - result: pass - rule: app-armor -- kind: Pod - policy: restrict-apparmor-profiles - resources: - - goodpod02 - result: pass - rule: app-armor -- kind: Pod - policy: restrict-apparmor-profiles - resources: - - goodpod03 - result: pass - rule: app-armor - kind: Deployment policy: restrict-apparmor-profiles resources: - baddeployment01 result: fail rule: app-armor -- kind: Deployment - policy: restrict-apparmor-profiles - resources: - - gooddeployment01 - result: pass - rule: app-armor -- kind: Deployment - policy: restrict-apparmor-profiles - resources: - - gooddeployment02 - result: pass - rule: app-armor -- kind: Deployment - policy: restrict-apparmor-profiles - resources: - - gooddeployment03 - result: pass - rule: app-armor -- kind: CronJob +- kind: Pod policy: restrict-apparmor-profiles resources: - - badcronjob01 + - badpod01 result: fail rule: app-armor - kind: CronJob policy: restrict-apparmor-profiles resources: - goodcronjob01 + - goodcronjob02 + - goodcronjob03 result: pass rule: app-armor -- kind: CronJob +- kind: Deployment policy: restrict-apparmor-profiles resources: - - goodcronjob02 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 result: pass rule: app-armor -- kind: CronJob +- kind: Pod policy: restrict-apparmor-profiles resources: - - goodcronjob03 + - goodpod01 + - goodpod02 + - goodpod03 result: pass rule: app-armor diff --git a/pod-security/baseline/restrict-seccomp/kyverno-test.yaml b/pod-security/baseline/restrict-seccomp/kyverno-test.yaml index f5b817eb5..249cd9657 100644 
--- a/pod-security/baseline/restrict-seccomp/kyverno-test.yaml
+++ b/pod-security/baseline/restrict-seccomp/kyverno-test.yaml
@@ -1,330 +1,93 @@ -name: restrict-seccomp +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-seccomp policies: - restrict-seccomp.yaml resources: - resource.yaml results: -- kind: Pod - policy: restrict-seccomp - resources: - - badpod01 - result: fail - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - badpod02 - result: fail - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - badpod03 - result: fail - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - badpod04 - result: fail - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - badpod05 - result: fail - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - badpod06 - result: fail - rule: check-seccomp -- kind: Pod +- kind: CronJob policy: restrict-seccomp resources: - - badpod07 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 result: fail rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - goodpod01 - result: pass - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - goodpod02 - result: pass - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - goodpod03 - result: pass - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - goodpod04 - result: pass - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - goodpod05 - result: pass - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - goodpod06 - result: pass - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - goodpod07 - result: pass - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - goodpod08 - result: pass - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - goodpod09 - result: pass - rule: check-seccomp -- kind: Pod - 
policy: restrict-seccomp - resources: - - goodpod10 - result: pass - rule: check-seccomp -- kind: Pod - policy: restrict-seccomp - resources: - - goodpod11 - result: pass - rule: check-seccomp - kind: Deployment policy: restrict-seccomp resources: - baddeployment01 - result: fail - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - baddeployment02 - result: fail - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - baddeployment03 - result: fail - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - baddeployment04 - result: fail - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - baddeployment05 - result: fail - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - baddeployment06 - result: fail - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - baddeployment07 result: fail rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - gooddeployment01 - result: pass - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - gooddeployment02 - result: pass - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - gooddeployment03 - result: pass - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - gooddeployment04 - result: pass - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - gooddeployment05 - result: pass - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - gooddeployment06 - result: pass - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - gooddeployment07 - result: pass - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - gooddeployment08 - result: pass - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - 
gooddeployment09 - result: pass - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - gooddeployment10 - result: pass - rule: check-seccomp -- kind: Deployment - policy: restrict-seccomp - resources: - - gooddeployment11 - result: pass - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - - badcronjob01 - result: fail - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - - badcronjob02 - result: fail - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - - badcronjob03 - result: fail - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - - badcronjob04 - result: fail - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - - badcronjob05 - result: fail - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - - badcronjob06 - result: fail - rule: check-seccomp -- kind: CronJob +- kind: Pod policy: restrict-seccomp resources: - - badcronjob07 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 result: fail rule: check-seccomp - kind: CronJob policy: restrict-seccomp resources: - goodcronjob01 - result: pass - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - goodcronjob02 - result: pass - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - goodcronjob03 - result: pass - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - goodcronjob04 - result: pass - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - goodcronjob05 - result: pass - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - goodcronjob06 - result: pass - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - goodcronjob07 - result: pass - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - 
goodcronjob08 - result: pass - rule: check-seccomp -- kind: CronJob - policy: restrict-seccomp - resources: - goodcronjob09 + - goodcronjob10 + - goodcronjob11 result: pass rule: check-seccomp -- kind: CronJob +- kind: Deployment policy: restrict-seccomp resources: - - goodcronjob10 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 + - gooddeployment11 result: pass rule: check-seccomp -- kind: CronJob +- kind: Pod policy: restrict-seccomp resources: - - goodcronjob11 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 + - goodpod11 result: pass rule: check-seccomp diff --git a/pod-security/baseline/restrict-sysctls/kyverno-test.yaml b/pod-security/baseline/restrict-sysctls/kyverno-test.yaml index 8c09ee32e..8878f9e89 100644 --- a/pod-security/baseline/restrict-sysctls/kyverno-test.yaml +++ b/pod-security/baseline/restrict-sysctls/kyverno-test.yaml 
@@ -1,168 +1,66 @@ -name: restrict-sysctls +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-sysctls policies: - restrict-sysctls.yaml resources: - resource.yaml results: -- kind: Pod - policy: restrict-sysctls - resources: - - badpod01 - result: fail - rule: check-sysctls -- kind: Pod +- kind: CronJob policy: restrict-sysctls resources: - - badpod02 + - badcronjob01 + - badcronjob02 result: fail rule: check-sysctls -- kind: Pod - policy: restrict-sysctls - resources: - - goodpod01 - result: pass - rule: check-sysctls -- kind: Pod - policy: restrict-sysctls - resources: - - goodpod02 - result: pass - rule: check-sysctls -- kind: Pod - policy: restrict-sysctls - resources: - - goodpod03 - result: pass - rule: check-sysctls -- kind: Pod - policy: restrict-sysctls - resources: - - goodpod04 - result: pass - rule: check-sysctls -- kind: Pod - policy: restrict-sysctls - resources: - - goodpod05 - result: pass - rule: check-sysctls -- kind: Pod - policy: restrict-sysctls - resources: - - goodpod06 - result: pass - rule: check-sysctls -- kind: Pod - policy: restrict-sysctls - resources: - - goodpod07 - result: pass - rule: check-sysctls - kind: Deployment policy: restrict-sysctls resources: - baddeployment01 - result: fail - rule: check-sysctls -- kind: Deployment - policy: restrict-sysctls - resources: - baddeployment02 result: fail rule: check-sysctls -- kind: Deployment - policy: restrict-sysctls - resources: - - gooddeployment01 - result: pass - rule: check-sysctls -- kind: Deployment - policy: restrict-sysctls - resources: - - gooddeployment02 - result: pass - rule: check-sysctls -- kind: Deployment - policy: restrict-sysctls - resources: - - gooddeployment03 - result: pass - rule: check-sysctls -- kind: Deployment - policy: restrict-sysctls - resources: - - gooddeployment04 - result: pass - rule: check-sysctls -- kind: Deployment - policy: restrict-sysctls - resources: - - gooddeployment05 - result: pass - rule: check-sysctls -- kind: 
Deployment - policy: restrict-sysctls - resources: - - gooddeployment06 - result: pass - rule: check-sysctls -- kind: Deployment - policy: restrict-sysctls - resources: - - gooddeployment07 - result: pass - rule: check-sysctls -- kind: CronJob - policy: restrict-sysctls - resources: - - badcronjob01 - result: fail - rule: check-sysctls -- kind: CronJob +- kind: Pod policy: restrict-sysctls resources: - - badcronjob02 + - badpod01 + - badpod02 result: fail rule: check-sysctls - kind: CronJob policy: restrict-sysctls resources: - goodcronjob01 - result: pass - rule: check-sysctls -- kind: CronJob - policy: restrict-sysctls - resources: - goodcronjob02 - result: pass - rule: check-sysctls -- kind: CronJob - policy: restrict-sysctls - resources: - goodcronjob03 - result: pass - rule: check-sysctls -- kind: CronJob - policy: restrict-sysctls - resources: - goodcronjob04 - result: pass - rule: check-sysctls -- kind: CronJob - policy: restrict-sysctls - resources: - goodcronjob05 + - goodcronjob06 + - goodcronjob07 result: pass rule: check-sysctls -- kind: CronJob +- kind: Deployment policy: restrict-sysctls resources: - - goodcronjob06 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 result: pass rule: check-sysctls -- kind: CronJob +- kind: Pod policy: restrict-sysctls resources: - - goodcronjob07 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 result: pass rule: check-sysctls diff --git a/pod-security/restricted/disallow-capabilities-strict/kyverno-test.yaml b/pod-security/restricted/disallow-capabilities-strict/kyverno-test.yaml index 9a1d6fbd3..b1d1875d0 100644 --- a/pod-security/restricted/disallow-capabilities-strict/kyverno-test.yaml +++ b/pod-security/restricted/disallow-capabilities-strict/kyverno-test.yaml 
@@ -1,654 +1,177 @@ -name: disallow-capabilities-strict +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-capabilities-strict policies: - disallow-capabilities-strict.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-capabilities-strict - resources: - - badpod01 - result: fail - rule: require-drop-all -- kind: Pod - policy: disallow-capabilities-strict - resources: - - badpod02 - result: fail - rule: require-drop-all -- kind: Pod - policy: disallow-capabilities-strict - resources: - - badpod03 - result: fail - rule: require-drop-all -- kind: Pod - policy: disallow-capabilities-strict - resources: - - badpod04 - result: fail - rule: require-drop-all -- kind: Pod - policy: disallow-capabilities-strict - resources: - - badpod05 - result: fail - rule: require-drop-all -- kind: Pod - policy: disallow-capabilities-strict - resources: - - badpod06 - result: fail - rule: require-drop-all -- kind: Pod - policy: disallow-capabilities-strict - resources: - - badpod07 - result: fail - rule: require-drop-all -- kind: Pod +- kind: CronJob policy: disallow-capabilities-strict resources: - - badpod08 + - addcap-badcronjob01 + - addcap-badcronjob02 + - addcap-badcronjob03 + - addcap-badcronjob04 + - addcap-badcronjob05 + - addcap-badcronjob06 + - addcap-badcronjob07 + - addcap-badcronjob08 + - addcap-badcronjob09 + - addcap-badcronjob10 result: fail - rule: require-drop-all -- kind: Pod + rule: adding-capabilities-strict +- kind: Deployment policy: disallow-capabilities-strict resources: - - badpod09 + - addcap-baddeployment01 + - addcap-baddeployment02 + - addcap-baddeployment03 + - addcap-baddeployment04 + - addcap-baddeployment05 + - addcap-baddeployment06 + - addcap-baddeployment07 + - addcap-baddeployment08 + - addcap-baddeployment09 + - addcap-baddeployment10 result: fail - rule: require-drop-all + rule: adding-capabilities-strict - kind: Pod policy: disallow-capabilities-strict resources: - - badpod10 + - addcap-badpod01 + - 
addcap-badpod02 + - addcap-badpod03 + - addcap-badpod04 + - addcap-badpod05 + - addcap-badpod06 + - addcap-badpod07 + - addcap-badpod08 + - addcap-badpod09 + - addcap-badpod10 result: fail - rule: require-drop-all -- kind: Pod - policy: disallow-capabilities-strict - resources: - - goodpod01 - result: pass - rule: require-drop-all -- kind: Pod - policy: disallow-capabilities-strict - resources: - - goodpod02 - result: pass - rule: require-drop-all -- kind: Pod - policy: disallow-capabilities-strict - resources: - - goodpod03 - result: pass - rule: require-drop-all -- kind: Pod + rule: adding-capabilities-strict +- kind: CronJob policy: disallow-capabilities-strict resources: - - goodpod04 + - addcap-goodcronjob01 + - addcap-goodcronjob02 + - addcap-goodcronjob03 + - addcap-goodcronjob04 + - addcap-goodcronjob05 + - addcap-goodcronjob06 + - addcap-goodcronjob07 + - addcap-goodcronjob08 + - addcap-goodcronjob09 + - addcap-goodcronjob10 result: pass - rule: require-drop-all -- kind: Pod + rule: adding-capabilities-strict +- kind: Deployment policy: disallow-capabilities-strict resources: - - goodpod05 + - addcap-gooddeployment01 + - addcap-gooddeployment02 + - addcap-gooddeployment03 + - addcap-gooddeployment04 + - addcap-gooddeployment05 + - addcap-gooddeployment06 + - addcap-gooddeployment07 + - addcap-gooddeployment08 + - addcap-gooddeployment09 + - addcap-gooddeployment10 result: pass - rule: require-drop-all + rule: adding-capabilities-strict - kind: Pod policy: disallow-capabilities-strict resources: - - goodpod06 + - addcap-goodpod01 + - addcap-goodpod02 + - addcap-goodpod03 + - addcap-goodpod04 + - addcap-goodpod05 + - addcap-goodpod06 + - addcap-goodpod07 + - addcap-goodpod08 + - addcap-goodpod09 + - addcap-goodpod10 result: pass - rule: require-drop-all -- kind: Deployment + rule: adding-capabilities-strict +- kind: CronJob policy: disallow-capabilities-strict resources: - - baddeployment01 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 
+ - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - badcronjob09 + - badcronjob10 result: fail rule: require-drop-all - kind: Deployment policy: disallow-capabilities-strict resources: + - baddeployment01 - baddeployment02 - result: fail - rule: require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - baddeployment03 - result: fail - rule: require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - baddeployment04 - result: fail - rule: require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - baddeployment05 - result: fail - rule: require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - baddeployment06 - result: fail - rule: require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - baddeployment07 - result: fail - rule: require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - baddeployment08 - result: fail - rule: require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - baddeployment09 + - baddeployment10 result: fail rule: require-drop-all -- kind: Deployment +- kind: Pod policy: disallow-capabilities-strict resources: - - baddeployment10 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 result: fail rule: require-drop-all -- kind: Deployment +- kind: CronJob policy: disallow-capabilities-strict resources: - - gooddeployment01 + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + - goodcronjob06 result: pass rule: require-drop-all - kind: Deployment policy: disallow-capabilities-strict resources: + - gooddeployment01 - gooddeployment02 - result: pass - rule: require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - gooddeployment03 - result: pass - rule: 
require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - gooddeployment04 - result: pass - rule: require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - gooddeployment05 - result: pass - rule: require-drop-all -- kind: Deployment - policy: disallow-capabilities-strict - resources: - gooddeployment06 result: pass rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - badcronjob01 - result: fail - rule: require-drop-all -- kind: CronJob +- kind: Pod policy: disallow-capabilities-strict resources: - - badcronjob02 - result: fail + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + result: pass rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - badcronjob03 - result: fail - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - badcronjob04 - result: fail - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - badcronjob05 - result: fail - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - badcronjob06 - result: fail - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - badcronjob07 - result: fail - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - badcronjob08 - result: fail - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - badcronjob09 - result: fail - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - badcronjob10 - result: fail - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - goodcronjob01 - result: pass - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - goodcronjob02 - result: 
pass - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - goodcronjob03 - result: pass - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - goodcronjob04 - result: pass - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - goodcronjob05 - result: pass - rule: require-drop-all -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - goodcronjob06 - result: pass - rule: require-drop-all -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-badpod01 - result: fail - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-badpod02 - result: fail - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-badpod03 - result: fail - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-badpod04 - result: fail - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-badpod05 - result: fail - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-badpod06 - result: fail - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-badpod07 - result: fail - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-badpod08 - result: fail - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-badpod09 - result: fail - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-badpod10 - result: fail - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-goodpod01 - result: pass - rule: 
adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-goodpod02 - result: pass - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-goodpod03 - result: pass - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-goodpod04 - result: pass - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-goodpod05 - result: pass - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-goodpod06 - result: pass - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-goodpod07 - result: pass - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-goodpod08 - result: pass - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-goodpod09 - result: pass - rule: adding-capabilities-strict -- kind: Pod - policy: disallow-capabilities-strict - resources: - - addcap-goodpod10 - result: pass - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-baddeployment01 - result: fail - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-baddeployment02 - result: fail - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-baddeployment03 - result: fail - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-baddeployment04 - result: fail - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-baddeployment05 - result: fail - rule: adding-capabilities-strict -- 
kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-baddeployment06 - result: fail - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-baddeployment07 - result: fail - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-baddeployment08 - result: fail - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-baddeployment09 - result: fail - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-baddeployment10 - result: fail - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-gooddeployment01 - result: pass - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-gooddeployment02 - result: pass - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-gooddeployment03 - result: pass - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-gooddeployment04 - result: pass - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-gooddeployment05 - result: pass - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-gooddeployment06 - result: pass - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-gooddeployment07 - result: pass - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-gooddeployment08 - result: pass - rule: adding-capabilities-strict -- kind: Deployment - policy: 
disallow-capabilities-strict - resources: - - addcap-gooddeployment09 - result: pass - rule: adding-capabilities-strict -- kind: Deployment - policy: disallow-capabilities-strict - resources: - - addcap-gooddeployment10 - result: pass - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-badcronjob01 - result: fail - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-badcronjob02 - result: fail - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-badcronjob03 - result: fail - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-badcronjob04 - result: fail - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-badcronjob05 - result: fail - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-badcronjob06 - result: fail - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-badcronjob07 - result: fail - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-badcronjob08 - result: fail - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-badcronjob09 - result: fail - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-badcronjob10 - result: fail - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-goodcronjob01 - result: pass - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-goodcronjob02 - result: pass - rule: adding-capabilities-strict -- kind: 
CronJob - policy: disallow-capabilities-strict - resources: - - addcap-goodcronjob03 - result: pass - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-goodcronjob04 - result: pass - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-goodcronjob05 - result: pass - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-goodcronjob06 - result: pass - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-goodcronjob07 - result: pass - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-goodcronjob08 - result: pass - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-goodcronjob09 - result: pass - rule: adding-capabilities-strict -- kind: CronJob - policy: disallow-capabilities-strict - resources: - - addcap-goodcronjob10 - result: pass - rule: adding-capabilities-strict diff --git a/pod-security/restricted/disallow-privilege-escalation/kyverno-test.yaml b/pod-security/restricted/disallow-privilege-escalation/kyverno-test.yaml index 5b5381d05..2fb9df7dc 100644 --- a/pod-security/restricted/disallow-privilege-escalation/kyverno-test.yaml +++ b/pod-security/restricted/disallow-privilege-escalation/kyverno-test.yaml 
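Review bot: No passing fixture is asserted against both rules of the policy in the new results: `goodpod01`–`goodpod06` (and the matching good Deployment and CronJob sets) appear only under `rule: require-drop-all`, while `addcap-goodpod01`–`addcap-goodpod10` appear only under `rule: adding-capabilities-strict`, so a fixture that satisfies one rule but trips the other would still be reported as passing by this test file. With resources now grouped per entry this is cheap to close: for each kind add one `pass` entry listing the `good*` fixtures under `adding-capabilities-strict` and one listing the `addcap-good*` fixtures under `require-drop-all`, provided the fixtures in resource.yaml (not visible here) are in fact compliant with both rules. The Pod entries are shown below; the CronJob and Deployment entries follow the same shape.
```yaml
# … unchanged: existing results entries …
- kind: Pod
  policy: disallow-capabilities-strict
  resources:
  - goodpod01
  - goodpod02
  - goodpod03
  - goodpod04
  - goodpod05
  - goodpod06
  result: pass
  rule: adding-capabilities-strict
- kind: Pod
  policy: disallow-capabilities-strict
  resources:
  - addcap-goodpod01
  - addcap-goodpod02
  - addcap-goodpod03
  - addcap-goodpod04
  - addcap-goodpod05
  - addcap-goodpod06
  - addcap-goodpod07
  - addcap-goodpod08
  - addcap-goodpod09
  - addcap-goodpod10
  result: pass
  rule: require-drop-all
```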
@@ -1,204 +1,72 @@ -name: disallow-privilege-escalation +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: disallow-privilege-escalation policies: - disallow-privilege-escalation.yaml resources: - resource.yaml results: -- kind: Pod - policy: disallow-privilege-escalation - resources: - - badpod01 - result: fail - rule: privilege-escalation -- kind: Pod - policy: disallow-privilege-escalation - resources: - - badpod02 - result: fail - rule: privilege-escalation -- kind: Pod - policy: disallow-privilege-escalation - resources: - - badpod03 - result: fail - rule: privilege-escalation -- kind: Pod - policy: disallow-privilege-escalation - resources: - - badpod04 - result: fail - rule: privilege-escalation -- kind: Pod - policy: disallow-privilege-escalation - resources: - - badpod05 - result: fail - rule: privilege-escalation -- kind: Pod +- kind: CronJob policy: disallow-privilege-escalation resources: - - badpod06 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 result: fail rule: privilege-escalation -- kind: Pod - policy: disallow-privilege-escalation - resources: - - goodpod01 - result: pass - rule: privilege-escalation -- kind: Pod - policy: disallow-privilege-escalation - resources: - - goodpod02 - result: pass - rule: privilege-escalation -- kind: Pod - policy: disallow-privilege-escalation - resources: - - goodpod03 - result: pass - rule: privilege-escalation -- kind: Pod - policy: disallow-privilege-escalation - resources: - - goodpod04 - result: pass - rule: privilege-escalation -- kind: Pod - policy: disallow-privilege-escalation - resources: - - goodpod05 - result: pass - rule: privilege-escalation - kind: Deployment policy: disallow-privilege-escalation resources: - baddeployment01 - result: fail - rule: privilege-escalation -- kind: Deployment - policy: disallow-privilege-escalation - resources: - baddeployment02 - result: fail - rule: privilege-escalation -- kind: Deployment - 
policy: disallow-privilege-escalation - resources: - baddeployment03 - result: fail - rule: privilege-escalation -- kind: Deployment - policy: disallow-privilege-escalation - resources: - baddeployment04 - result: fail - rule: privilege-escalation -- kind: Deployment - policy: disallow-privilege-escalation - resources: - baddeployment05 - result: fail - rule: privilege-escalation -- kind: Deployment - policy: disallow-privilege-escalation - resources: - baddeployment06 result: fail rule: privilege-escalation -- kind: Deployment - policy: disallow-privilege-escalation - resources: - - gooddeployment01 - result: pass - rule: privilege-escalation -- kind: Deployment - policy: disallow-privilege-escalation - resources: - - gooddeployment02 - result: pass - rule: privilege-escalation -- kind: Deployment - policy: disallow-privilege-escalation - resources: - - gooddeployment03 - result: pass - rule: privilege-escalation -- kind: Deployment - policy: disallow-privilege-escalation - resources: - - gooddeployment04 - result: pass - rule: privilege-escalation -- kind: Deployment - policy: disallow-privilege-escalation - resources: - - gooddeployment05 - result: pass - rule: privilege-escalation -- kind: CronJob - policy: disallow-privilege-escalation - resources: - - badcronjob01 - result: fail - rule: privilege-escalation -- kind: CronJob - policy: disallow-privilege-escalation - resources: - - badcronjob02 - result: fail - rule: privilege-escalation -- kind: CronJob - policy: disallow-privilege-escalation - resources: - - badcronjob03 - result: fail - rule: privilege-escalation -- kind: CronJob - policy: disallow-privilege-escalation - resources: - - badcronjob04 - result: fail - rule: privilege-escalation -- kind: CronJob - policy: disallow-privilege-escalation - resources: - - badcronjob05 - result: fail - rule: privilege-escalation -- kind: CronJob +- kind: Pod policy: disallow-privilege-escalation resources: - - badcronjob06 + - badpod01 + - badpod02 + - badpod03 + - 
badpod04 + - badpod05 + - badpod06 result: fail rule: privilege-escalation - kind: CronJob policy: disallow-privilege-escalation resources: - goodcronjob01 - result: pass - rule: privilege-escalation -- kind: CronJob - policy: disallow-privilege-escalation - resources: - goodcronjob02 - result: pass - rule: privilege-escalation -- kind: CronJob - policy: disallow-privilege-escalation - resources: - goodcronjob03 + - goodcronjob04 + - goodcronjob05 result: pass rule: privilege-escalation -- kind: CronJob +- kind: Deployment policy: disallow-privilege-escalation resources: - - goodcronjob04 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 result: pass rule: privilege-escalation -- kind: CronJob +- kind: Pod policy: disallow-privilege-escalation resources: - - goodcronjob05 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 result: pass rule: privilege-escalation diff --git a/pod-security/restricted/require-run-as-non-root-user/kyverno-test.yaml b/pod-security/restricted/require-run-as-non-root-user/kyverno-test.yaml index f26b4fb30..5746c5408 100644 --- a/pod-security/restricted/require-run-as-non-root-user/kyverno-test.yaml +++ b/pod-security/restricted/require-run-as-non-root-user/kyverno-test.yaml 
@@ -1,294 +1,87 @@ -name: require-run-as-non-root-user +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-run-as-non-root-user policies: - require-run-as-non-root-user.yaml resources: - resource.yaml results: -- kind: Pod - policy: require-run-as-non-root-user - resources: - - badpod01 - result: fail - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - badpod02 - result: fail - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - badpod03 - result: fail - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - badpod04 - result: fail - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - badpod05 - result: fail - rule: run-as-non-root-user -- kind: Pod +- kind: CronJob policy: require-run-as-non-root-user resources: - - badpod06 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 result: fail rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - goodpod01 - result: pass - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - goodpod02 - result: pass - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - goodpod03 - result: pass - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - goodpod04 - result: pass - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - goodpod05 - result: pass - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - goodpod06 - result: pass - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - goodpod07 - result: pass - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - 
resources: - - goodpod08 - result: pass - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - goodpod09 - result: pass - rule: run-as-non-root-user -- kind: Pod - policy: require-run-as-non-root-user - resources: - - goodpod10 - result: pass - rule: run-as-non-root-user - kind: Deployment policy: require-run-as-non-root-user resources: - baddeployment01 - result: fail - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - baddeployment02 - result: fail - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - baddeployment03 - result: fail - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - baddeployment04 - result: fail - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - baddeployment05 - result: fail - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - baddeployment06 result: fail rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - - gooddeployment01 - result: pass - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - - gooddeployment02 - result: pass - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - - gooddeployment03 - result: pass - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - - gooddeployment04 - result: pass - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - - gooddeployment05 - result: pass - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - - gooddeployment06 - result: pass - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - 
resources: - - gooddeployment07 - result: pass - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - - gooddeployment08 - result: pass - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - - gooddeployment09 - result: pass - rule: run-as-non-root-user -- kind: Deployment - policy: require-run-as-non-root-user - resources: - - gooddeployment10 - result: pass - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - - badcronjob01 - result: fail - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - - badcronjob02 - result: fail - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - - badcronjob03 - result: fail - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - - badcronjob04 - result: fail - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - - badcronjob05 - result: fail - rule: run-as-non-root-user -- kind: CronJob +- kind: Pod policy: require-run-as-non-root-user resources: - - badcronjob06 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 result: fail rule: run-as-non-root-user - kind: CronJob policy: require-run-as-non-root-user resources: - goodcronjob01 - result: pass - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - goodcronjob02 - result: pass - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - goodcronjob03 - result: pass - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - goodcronjob04 - result: pass - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - goodcronjob05 - result: pass - rule: run-as-non-root-user -- kind: 
CronJob - policy: require-run-as-non-root-user - resources: - goodcronjob06 - result: pass - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - goodcronjob07 - result: pass - rule: run-as-non-root-user -- kind: CronJob - policy: require-run-as-non-root-user - resources: - goodcronjob08 + - goodcronjob09 + - goodcronjob10 result: pass rule: run-as-non-root-user -- kind: CronJob +- kind: Deployment policy: require-run-as-non-root-user resources: - - goodcronjob09 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 result: pass rule: run-as-non-root-user -- kind: CronJob +- kind: Pod policy: require-run-as-non-root-user resources: - - goodcronjob10 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 result: pass rule: run-as-non-root-user diff --git a/pod-security/restricted/require-run-as-nonroot/kyverno-test.yaml b/pod-security/restricted/require-run-as-nonroot/kyverno-test.yaml index d89f23578..af311187c 100644 --- a/pod-security/restricted/require-run-as-nonroot/kyverno-test.yaml +++ b/pod-security/restricted/require-run-as-nonroot/kyverno-test.yaml 
@@ -1,456 +1,114 @@ -name: require-run-as-nonroot +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-run-as-nonroot policies: - require-run-as-nonroot.yaml resources: - resource.yaml results: -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod01 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod02 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod03 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod04 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod05 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod06 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod07 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod08 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod09 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod10 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod11 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod12 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod13 - result: fail - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - badpod14 - result: fail - rule: run-as-non-root -- kind: Pod +- kind: CronJob policy: require-run-as-nonroot resources: - - badpod15 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 + - badcronjob08 + - 
badcronjob09 + - badcronjob10 + - badcronjob11 + - badcronjob12 + - badcronjob13 + - badcronjob14 + - badcronjob15 result: fail rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod01 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod02 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod03 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod04 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod05 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod06 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod07 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod08 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod09 - result: pass - rule: run-as-non-root -- kind: Pod - policy: require-run-as-nonroot - resources: - - goodpod10 - result: pass - rule: run-as-non-root - kind: Deployment policy: require-run-as-nonroot resources: - baddeployment01 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment02 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment03 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment04 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment05 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment06 - result: fail - rule: 
run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment07 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment08 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment09 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment10 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment11 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment12 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment13 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment14 - result: fail - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - baddeployment15 result: fail rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment01 - result: pass - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment02 - result: pass - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment03 - result: pass - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment04 - result: pass - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment05 - result: pass - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment06 - result: pass - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment07 - result: pass - rule: 
run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment08 - result: pass - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment09 - result: pass - rule: run-as-non-root -- kind: Deployment - policy: require-run-as-nonroot - resources: - - gooddeployment10 - result: pass - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob01 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob02 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob03 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob04 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob05 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob06 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob07 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob08 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob09 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob10 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob11 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob12 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - - badcronjob13 - result: fail - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - 
resources: - - badcronjob14 - result: fail - rule: run-as-non-root -- kind: CronJob +- kind: Pod policy: require-run-as-nonroot resources: - - badcronjob15 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 + - badpod11 + - badpod12 + - badpod13 + - badpod14 + - badpod15 result: fail rule: run-as-non-root - kind: CronJob policy: require-run-as-nonroot resources: - goodcronjob01 - result: pass - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - goodcronjob02 - result: pass - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - goodcronjob03 - result: pass - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - goodcronjob04 - result: pass - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - goodcronjob05 - result: pass - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - goodcronjob06 - result: pass - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - goodcronjob07 - result: pass - rule: run-as-non-root -- kind: CronJob - policy: require-run-as-nonroot - resources: - goodcronjob08 + - goodcronjob09 + - goodcronjob10 result: pass rule: run-as-non-root -- kind: CronJob +- kind: Deployment policy: require-run-as-nonroot resources: - - goodcronjob09 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 result: pass rule: run-as-non-root -- kind: CronJob +- kind: Pod policy: require-run-as-nonroot resources: - - goodcronjob10 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 result: pass rule: run-as-non-root 
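Review bot: The grouped `results` entries on the new side of this hunk (and the same pattern in the restrict-seccomp-strict and restrict-volume-types hunks that follow) give no hint of what distinguishes badpod01 from badpod15, and with one `result: fail` line now covering fifteen resources the per-variant intent that the old one-entry-per-resource layout at least kept visible is gone. A one-line comment above `results:` pointing at where the variants live, e.g. `# numbered bad*/good* variants are defined in resource.yaml; each must fail or pass the run-as-non-root rule on its own`, would keep the file readable without re-expanding it. The resource names on the new side match the removed entries one for one (15 bad and 10 good per kind, kinds now listed alphabetically), so coverage looks unchanged. The CLI presumably still reports each listed resource separately, so a grouped entry should not let one unexpected pass hide behind the others, but that is worth confirming once against the test output.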
diff --git a/pod-security/restricted/restrict-seccomp-strict/kyverno-test.yaml b/pod-security/restricted/restrict-seccomp-strict/kyverno-test.yaml index 835be5c19..cba06fe08 100644 --- a/pod-security/restricted/restrict-seccomp-strict/kyverno-test.yaml +++ b/pod-security/restricted/restrict-seccomp-strict/kyverno-test.yaml 
@@ -1,312 +1,90 @@ -name: restrict-seccomp-strict +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-seccomp-strict policies: - restrict-seccomp-strict.yaml resources: - resource.yaml results: -- kind: Pod - policy: restrict-seccomp-strict - resources: - - badpod01 - result: fail - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - badpod02 - result: fail - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - badpod03 - result: fail - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - badpod04 - result: fail - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - badpod05 - result: fail - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - badpod06 - result: fail - rule: check-seccomp-strict -- kind: Pod +- kind: CronJob policy: restrict-seccomp-strict resources: - - badpod07 + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + - badcronjob07 result: fail rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - goodpod01 - result: pass - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - goodpod02 - result: pass - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - goodpod03 - result: pass - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - goodpod04 - result: pass - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - goodpod05 - result: pass - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - goodpod06 - result: pass - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - goodpod07 - result: pass - rule: check-seccomp-strict -- 
kind: Pod - policy: restrict-seccomp-strict - resources: - - goodpod08 - result: pass - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - goodpod09 - result: pass - rule: check-seccomp-strict -- kind: Pod - policy: restrict-seccomp-strict - resources: - - goodpod10 - result: pass - rule: check-seccomp-strict - kind: Deployment policy: restrict-seccomp-strict resources: - baddeployment01 - result: fail - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - baddeployment02 - result: fail - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - baddeployment03 - result: fail - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - baddeployment04 - result: fail - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - baddeployment05 - result: fail - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - baddeployment06 - result: fail - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - baddeployment07 result: fail rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - - gooddeployment01 - result: pass - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - - gooddeployment02 - result: pass - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - - gooddeployment03 - result: pass - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - - gooddeployment04 - result: pass - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - - gooddeployment05 - result: pass - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - - gooddeployment06 - 
result: pass - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - - gooddeployment07 - result: pass - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - - gooddeployment08 - result: pass - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - - gooddeployment09 - result: pass - rule: check-seccomp-strict -- kind: Deployment - policy: restrict-seccomp-strict - resources: - - gooddeployment10 - result: pass - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - - badcronjob01 - result: fail - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - - badcronjob02 - result: fail - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - - badcronjob03 - result: fail - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - - badcronjob04 - result: fail - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - - badcronjob05 - result: fail - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - - badcronjob06 - result: fail - rule: check-seccomp-strict -- kind: CronJob +- kind: Pod policy: restrict-seccomp-strict resources: - - badcronjob07 + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 result: fail rule: check-seccomp-strict - kind: CronJob policy: restrict-seccomp-strict resources: - goodcronjob01 - result: pass - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - goodcronjob02 - result: pass - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - goodcronjob03 - result: pass - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - goodcronjob04 - result: 
pass - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - goodcronjob05 - result: pass - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - goodcronjob06 - result: pass - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - goodcronjob07 - result: pass - rule: check-seccomp-strict -- kind: CronJob - policy: restrict-seccomp-strict - resources: - goodcronjob08 + - goodcronjob09 + - goodcronjob10 result: pass rule: check-seccomp-strict -- kind: CronJob +- kind: Deployment policy: restrict-seccomp-strict resources: - - goodcronjob09 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 + - gooddeployment10 result: pass rule: check-seccomp-strict -- kind: CronJob +- kind: Pod policy: restrict-seccomp-strict resources: - - goodcronjob10 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 + - goodpod10 result: pass rule: check-seccomp-strict diff --git a/pod-security/restricted/restrict-volume-types/kyverno-test.yaml b/pod-security/restricted/restrict-volume-types/kyverno-test.yaml index b59366590..1580ddad2 100644 --- a/pod-security/restricted/restrict-volume-types/kyverno-test.yaml +++ b/pod-security/restricted/restrict-volume-types/kyverno-test.yaml 
@@ -1,528 +1,126 @@ -name: restrict-volume-types +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: restrict-volume-types policies: - restrict-volume-types.yaml resources: - resource.yaml results: -- kind: Pod - policy: restrict-volume-types - resources: - - badpod01 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod02 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod03 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod04 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod05 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod06 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod07 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod08 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod09 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod10 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod11 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod12 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod13 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod14 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod15 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod16 - result: fail - 
rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod17 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod18 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod19 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - badpod20 - result: fail - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - goodpod01 - result: pass - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - goodpod02 - result: pass - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - goodpod03 - result: pass - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - goodpod04 - result: pass - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - goodpod05 - result: pass - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - goodpod06 - result: pass - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - goodpod07 - result: pass - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - goodpod08 - result: pass - rule: restricted-volumes -- kind: Pod - policy: restrict-volume-types - resources: - - goodpod09 - result: pass - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment01 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment02 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment03 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment04 - result: fail - rule: 
restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment05 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment06 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment07 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment08 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment09 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment10 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment11 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment12 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment13 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment14 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment15 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment16 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment17 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment18 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - baddeployment19 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - 
baddeployment20 - result: fail - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - gooddeployment01 - result: pass - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - gooddeployment02 - result: pass - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - gooddeployment03 - result: pass - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - gooddeployment04 - result: pass - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - gooddeployment05 - result: pass - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - gooddeployment06 - result: pass - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - gooddeployment07 - result: pass - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - gooddeployment08 - result: pass - rule: restricted-volumes -- kind: Deployment - policy: restrict-volume-types - resources: - - gooddeployment09 - result: pass - rule: restricted-volumes - kind: CronJob policy: restrict-volume-types resources: - badcronjob01 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob02 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob03 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob04 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob05 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob06 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob07 - 
result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob08 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob09 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob10 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob11 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob12 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob13 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob14 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob15 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob16 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob17 - result: fail - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - badcronjob18 + - badcronjob19 + - badcronjob20 result: fail rule: restricted-volumes -- kind: CronJob +- kind: Deployment policy: restrict-volume-types resources: - - badcronjob19 + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + - baddeployment07 + - baddeployment08 + - baddeployment09 + - baddeployment10 + - baddeployment11 + - baddeployment12 + - baddeployment13 + - baddeployment14 + - baddeployment15 + - baddeployment16 + - baddeployment17 + - baddeployment18 + - baddeployment19 + - baddeployment20 result: fail rule: restricted-volumes -- kind: CronJob +- kind: Pod policy: restrict-volume-types resources: - - badcronjob20 
+ - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + - badpod08 + - badpod09 + - badpod10 + - badpod11 + - badpod12 + - badpod13 + - badpod14 + - badpod15 + - badpod16 + - badpod17 + - badpod18 + - badpod19 + - badpod20 result: fail rule: restricted-volumes - kind: CronJob policy: restrict-volume-types resources: - goodcronjob01 - result: pass - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - goodcronjob02 - result: pass - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - goodcronjob03 - result: pass - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - goodcronjob04 - result: pass - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - goodcronjob05 - result: pass - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - goodcronjob06 - result: pass - rule: restricted-volumes -- kind: CronJob - policy: restrict-volume-types - resources: - goodcronjob07 + - goodcronjob08 + - goodcronjob09 result: pass rule: restricted-volumes -- kind: CronJob +- kind: Deployment policy: restrict-volume-types resources: - - goodcronjob08 + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + - gooddeployment06 + - gooddeployment07 + - gooddeployment08 + - gooddeployment09 result: pass rule: restricted-volumes -- kind: CronJob +- kind: Pod policy: restrict-volume-types resources: - - goodcronjob09 + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + - goodpod06 + - goodpod07 + - goodpod08 + - goodpod09 result: pass rule: restricted-volumes diff --git a/pod-security/subrule/podsecurity-subrule-baseline/kyverno-test.yaml b/pod-security/subrule/podsecurity-subrule-baseline/kyverno-test.yaml index f25c70d42..9aaab4e14 100644 --- a/pod-security/subrule/podsecurity-subrule-baseline/kyverno-test.yaml 
+++ b/pod-security/subrule/podsecurity-subrule-baseline/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: podsecurity-subrule-baseline +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: podsecurity-subrule-baseline policies: - podsecurity-subrule-baseline.yaml resources: diff --git a/pod-security/subrule/restricted/restricted-exclude-capabilities/kyverno-test.yaml b/pod-security/subrule/restricted/restricted-exclude-capabilities/kyverno-test.yaml index a66f5a8c3..2f9bc540a 100644 --- a/pod-security/subrule/restricted/restricted-exclude-capabilities/kyverno-test.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-capabilities/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: podsecurity-subrule-restricted-capabilities +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: podsecurity-subrule-restricted-capabilities policies: - restricted-exclude-capabilities.yaml resources: diff --git a/pod-security/subrule/restricted/restricted-exclude-seccomp/kyverno-test.yaml b/pod-security/subrule/restricted/restricted-exclude-seccomp/kyverno-test.yaml index 2077b9220..097e9146c 100644 --- a/pod-security/subrule/restricted/restricted-exclude-seccomp/kyverno-test.yaml +++ b/pod-security/subrule/restricted/restricted-exclude-seccomp/kyverno-test.yaml @@ -1,4 +1,7 @@ -name: podsecurity-subrule-restricted-seccomp +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: podsecurity-subrule-restricted-seccomp policies: - restricted-exclude-seccomp.yaml resources: diff --git a/pod-security/subrule/restricted/restricted-latest/kyverno-test.yaml b/pod-security/subrule/restricted/restricted-latest/kyverno-test.yaml index 00f3fb8ed..70041df7f 100644 --- a/pod-security/subrule/restricted/restricted-latest/kyverno-test.yaml +++ b/pod-security/subrule/restricted/restricted-latest/kyverno-test.yaml 
@@ -1,4 +1,7 @@
-name: restricted-latest
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restricted-latest
 policies:
 - restricted-latest.yaml
 resources:
diff --git a/psa/add-psa-labels/kyverno-test.yaml b/psa/add-psa-labels/kyverno-test.yaml
index 142afdd6c..ce0668ed0 100644
--- a/psa/add-psa-labels/kyverno-test.yaml
+++ b/psa/add-psa-labels/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-psa-labels
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-psa-labels
 policies:
 - add-psa-labels.yaml
 resources:
@@ -6,16 +9,16 @@ resources:
 - resourcefail.yaml
 results:
 - kind: Namespace
-  patchedResource: patchedResource.yaml
+  patchedResource: patchedResourcefail.yaml
   policy: add-psa-labels
   resources:
-  - test
-  result: pass
+  - test-fail
+  result: fail
   rule: add-baseline-enforce-restricted-warn
 - kind: Namespace
-  patchedResource: patchedResourcefail.yaml
+  patchedResource: patchedResource.yaml
   policy: add-psa-labels
   resources:
-  - test-fail
-  result: fail
+  - test
+  result: pass
   rule: add-baseline-enforce-restricted-warn
diff --git a/psp-migration/add-apparmor/kyverno-test.yaml b/psp-migration/add-apparmor/kyverno-test.yaml
index eba865c97..3bafcf968 100644
--- a/psp-migration/add-apparmor/kyverno-test.yaml
+++ b/psp-migration/add-apparmor/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-apparmor-annotations
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-apparmor-annotations
 policies:
 - add-apparmor.yaml
 resources:
diff --git a/psp-migration/add-capabilities/kyverno-test.yaml b/psp-migration/add-capabilities/kyverno-test.yaml
index 826be4e87..f1b6f3dc8 100644
--- a/psp-migration/add-capabilities/kyverno-test.yaml
+++ b/psp-migration/add-capabilities/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-capabilities
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-capabilities
 policies:
 - add-capabilities.yaml
 resources:
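Review bot: The two `results` entries in the psa/add-psa-labels hunk (`@@ -6,16 +9,16 @@`) are swapped rather than changed: the `patchedResource`, resource name and `result` of each block move to the other block, so the hunk shows eight changed lines for what is a reordering that leaves the test's assertions identical. If the reorder comes from regenerating the file with sorted output, keeping the original order (`- test` / `result: pass` first, `- test-fail` / `result: fail` second) would make this hunk disappear and leave only the header migration. The same swap appears in velero/validate-cron-schedule (`goodschedule01` / `badschedule01`).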
diff --git a/psp-migration/add-runtimeClassName/kyverno-test.yaml b/psp-migration/add-runtimeClassName/kyverno-test.yaml
index 261554c73..83ec6578b 100644
--- a/psp-migration/add-runtimeClassName/kyverno-test.yaml
+++ b/psp-migration/add-runtimeClassName/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: add-runtimeClassName
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-runtimeClassName
 policies:
 - add-runtimeClassName.yaml
 resources:
diff --git a/psp-migration/check-supplemental-groups/kyverno-test.yaml b/psp-migration/check-supplemental-groups/kyverno-test.yaml
index bd81ce4da..bfae0b4de 100644
--- a/psp-migration/check-supplemental-groups/kyverno-test.yaml
+++ b/psp-migration/check-supplemental-groups/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: psp-check-supplemental-groups
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: psp-check-supplemental-groups
 policies:
 - check-supplemental-groups.yaml
 resources:
diff --git a/psp-migration/restrict-adding-capabilities/kyverno-test.yaml b/psp-migration/restrict-adding-capabilities/kyverno-test.yaml
index f43535bd9..f1e176861 100644
--- a/psp-migration/restrict-adding-capabilities/kyverno-test.yaml
+++ b/psp-migration/restrict-adding-capabilities/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: psp-restrict-adding-capabilities
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: psp-restrict-adding-capabilities
 policies:
 - restrict-adding-capabilities.yaml
 resources:
@@ -8,59 +11,14 @@ results:
   policy: psp-restrict-adding-capabilities
   resources:
   - addcap-badpod01
-  result: fail
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-badpod02
-  result: fail
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-badpod03
-  result: fail
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-badpod04
-  result: fail
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-badpod05
-  result: fail
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-badpod06
-  result: fail
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-badpod07
-  result: fail
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-badpod08
-  result: fail
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-badpod09
-  result: fail
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-badpod10
   result: fail
   rule: allowed-capabilities
@@ -68,59 +26,14 @@ results:
   policy: psp-restrict-adding-capabilities
   resources:
   - addcap-goodpod01
-  result: pass
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-goodpod02
-  result: pass
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-goodpod03
-  result: pass
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-goodpod04
-  result: pass
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-goodpod05
-  result: pass
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-goodpod06
-  result: pass
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-goodpod07
-  result: pass
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-goodpod08
-  result: pass
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-goodpod09
-  result: pass
-  rule: allowed-capabilities
-- kind: Pod
-  policy: psp-restrict-adding-capabilities
-  resources:
   - addcap-goodpod10
   result: pass
   rule: allowed-capabilities
diff --git a/psp-migration/restrict-runtimeClassName/kyverno-test.yaml b/psp-migration/restrict-runtimeClassName/kyverno-test.yaml
index f9dadae6d..f5beb1ac1 100644
--- a/psp-migration/restrict-runtimeClassName/kyverno-test.yaml
+++ b/psp-migration/restrict-runtimeClassName/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: restrict-runtimeclass
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restrict-runtimeclass
 policies:
 - restrict-runtimeClassName.yaml
 resources:
@@ -14,17 +17,7 @@ results:
   policy: restrict-runtimeclass
   resources:
   - goodpod01
-  result: pass
-  rule: prodclass-or-expclass
-- kind: Pod
-  policy: restrict-runtimeclass
-  resources:
   - goodpod02
-  result: pass
-  rule: prodclass-or-expclass
-- kind: Pod
-  policy: restrict-runtimeclass
-  resources:
   - goodpod03
   result: pass
   rule: prodclass-or-expclass
diff --git a/traefik/disallow-default-tlsoptions/kyverno-test.yaml b/traefik/disallow-default-tlsoptions/kyverno-test.yaml
index 9a1284cd8..486ba4b61 100644
--- a/traefik/disallow-default-tlsoptions/kyverno-test.yaml
+++ b/traefik/disallow-default-tlsoptions/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: disallow-default-tlsoptions
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-default-tlsoptions
 policies:
 - disallow-default-tlsoptions.yaml
 resources:
diff --git a/velero/backup-all-volumes/kyverno-test.yaml b/velero/backup-all-volumes/kyverno-test.yaml
index e8d5b39c0..87394325d 100644
--- a/velero/backup-all-volumes/kyverno-test.yaml
+++ b/velero/backup-all-volumes/kyverno-test.yaml
@@ -1,31 +1,31 @@
-name: backup-all-volumes
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: backup-all-volumes
 policies:
 - backup-all-volumes.yaml
 resources:
 - resource.yaml
 results:
-- kind: Pod
-  namespace: foo
-  patchedResource: patchedResource.yaml
+- kind: Deployment
+  patchedResource: patchedResource-fourth.yaml
   policy: backup-all-volumes
   resources:
-  - first
+  - foo/fourth
   result: pass
-  rule: backup-velero-pv
+  rule: autogen-backup-velero-pv
 - kind: Pod
-  namespace: foo
   patchedResource: patchedResource-third.yaml
   policy: backup-all-volumes
   resources:
-  - third
+  - foo/third
   result: pass
   rule: backup-velero-pv
-- kind: Deployment
-  namespace: foo
-  patchedResource: patchedResource-fourth.yaml
+- kind: Pod
+  patchedResource: patchedResource.yaml
   policy: backup-all-volumes
   resources:
-  - fourth
+  - foo/first
   result: pass
-  rule: autogen-backup-velero-pv
+  rule: backup-velero-pv
 variables: values.yaml
diff --git a/velero/backup-all-volumes/values.yaml b/velero/backup-all-volumes/values.yaml
index 7725b77fb..e048c2eba 100644
--- a/velero/backup-all-volumes/values.yaml
+++ b/velero/backup-all-volumes/values.yaml
@@ -1,7 +1,9 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
 namespaceSelector:
-  - name: foo
-    labels:
-      velero-backup-pvc: "true"
-  - name: bar
-    labels:
-      env: production
\ No newline at end of file
+- labels:
+    velero-backup-pvc: "true"
+  name: foo
+- labels:
+    env: production
+  name: bar
diff --git a/velero/block-velero-restore/kyverno-test.yaml b/velero/block-velero-restore/kyverno-test.yaml
index 2cfc47ef3..ce805a27f 100644
--- a/velero/block-velero-restore/kyverno-test.yaml
+++ b/velero/block-velero-restore/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: block-velero-restore
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: block-velero-restore
 policies:
 - block-velero-restore.yaml
 resources:
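Review bot: Dropping the per-entry `namespace: foo` key in favour of `- foo/first`, `- foo/third` and `- foo/fourth` resource references makes the velero/backup-all-volumes results depend on the CLI resolving a `namespace/name` form under `cli.kyverno.io/v1alpha1`; the hunk does not show how an unmatched reference is reported, so it is worth confirming with the CLI version used in CI that a mistyped reference fails the test rather than matching nothing. The three entries are also reordered (Deployment first, the `first` Pod last), which turns a key removal plus a reference rename into three rewritten blocks; keeping the original order would leave only the `namespace` and resource lines changed. The companion values.yaml hunk swaps the `name`/`labels` key order inside each `namespaceSelector` entry as well, which reads as regenerated output rather than an intended change.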
@@ -14,11 +17,6 @@ results:
   policy: block-velero-restore
   resources:
   - restore-without-namespace-mapping
-  result: pass
-  rule: block-velero-restore-to-protected-namespace
-- kind: Restore
-  policy: block-velero-restore
-  resources:
   - goodrestore01
   result: pass
   rule: block-velero-restore-to-protected-namespace
diff --git a/velero/validate-cron-schedule/kyverno-test.yaml b/velero/validate-cron-schedule/kyverno-test.yaml
index cfc076b43..e7e08e12e 100644
--- a/velero/validate-cron-schedule/kyverno-test.yaml
+++ b/velero/validate-cron-schedule/kyverno-test.yaml
@@ -1,4 +1,7 @@
-name: validate-cron-schedule
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: validate-cron-schedule
 policies:
 - validate-cron-schedule.yaml
 resources:
@@ -7,12 +10,12 @@ results:
 - kind: Schedule
   policy: validate-cron-schedule
   resources:
-  - goodschedule01
-  result: pass
+  - badschedule01
+  result: fail
   rule: validate-cron
 - kind: Schedule
   policy: validate-cron-schedule
   resources:
-  - badschedule01
-  result: fail
+  - goodschedule01
+  result: pass
   rule: validate-cron