From cdf703ca6a38180aa51968f2678990766bb90664 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Mon, 30 Oct 2023 01:47:20 +0100 Subject: [PATCH] chore: add policy loader unit tests (#160) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Jim Bugwadia Co-authored-by: Jim Bugwadia --- pkg/policy/load_test.go | 126 +++++++++++++++++++++++++++++ test/policy/bad-rule.yaml | 22 +++++ test/policy/configmap.yaml | 6 ++ test/policy/empty.yaml | 0 test/policy/multiple.yaml | 13 +++ test/policy/no-rules.yaml | 5 ++ test/policy/no-spec.yaml | 4 + test/policy/ok.yaml | 21 +++++ test/policy/rule-name-missing.yaml | 20 +++++ 9 files changed, 217 insertions(+) create mode 100644 pkg/policy/load_test.go create mode 100644 test/policy/bad-rule.yaml create mode 100644 test/policy/configmap.yaml create mode 100644 test/policy/empty.yaml create mode 100644 test/policy/multiple.yaml create mode 100644 test/policy/no-rules.yaml create mode 100644 test/policy/no-spec.yaml create mode 100644 test/policy/ok.yaml create mode 100644 test/policy/rule-name-missing.yaml
diff --git a/pkg/policy/load_test.go b/pkg/policy/load_test.go
new file mode 100644
index 00000000..380475e1
--- /dev/null
+++ b/pkg/policy/load_test.go
@@ -0,0 +1,126 @@
+package policy
+
+import (
+ "path/filepath"
+ "testing"
+
+ "github.com/kyverno/kyverno-json/pkg/apis/v1alpha1"
+ "github.com/stretchr/testify/require"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestLoad(t *testing.T) {
+ basePath := "../../test/policy"
+ tests := []struct {
+ name string
+ path string
+ want []*v1alpha1.ValidatingPolicy
+ wantErr bool
+ }{{
+ name: "confimap",
+ path: filepath.Join(basePath, "configmap.yaml"),
+ wantErr: true,
+ }, {
+ name: "not found",
+ path: filepath.Join(basePath, "not-found.yaml"),
+ wantErr: true,
+ }, {
+ name: "empty",
+ path: filepath.Join(basePath, "empty.yaml"),
+ wantErr: false,
+ }, {
+ name: "no spec",
+ path: filepath.Join(basePath, "no-spec.yaml"),
+ wantErr: true,
+ }, {
+ name: "no rules",
+ path: filepath.Join(basePath, "no-rules.yaml"),
+ wantErr: true,
+ }, {
+ name: "invalid rule",
+ path: filepath.Join(basePath, "bad-rule.yaml"),
+ wantErr: true,
+ }, {
+ name: "rule name missing",
+ path: filepath.Join(basePath, "rule-name-missing.yaml"),
+ wantErr: true,
+ }, {
+ name: "ok",
+ path: filepath.Join(basePath, "ok.yaml"),
+ want: []*v1alpha1.ValidatingPolicy{{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "json.kyverno.io/v1alpha1",
+ Kind: "ValidatingPolicy",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test",
+ },
+ Spec: v1alpha1.ValidatingPolicySpec{
+ Rules: []v1alpha1.ValidatingRule{{
+ Name: "pod-no-latest",
+ Match: &v1alpha1.Match{
+ Any: []v1alpha1.Any{{
+ Value: map[string]interface{}{
+ "apiVersion": "v1",
+ "kind": "Pod",
+ },
+ }},
+ },
+ Assert: &v1alpha1.Assert{
+ All: []v1alpha1.Assertion{{
+ Check: v1alpha1.Any{
+ Value: map[string]interface{}{
+ "spec": map[string]interface{}{
+ "~foo.containers->foos": map[string]interface{}{
+ "(at($foos, $foo).image)->foo": map[string]interface{}{
+ "(contains($foo, ':'))": true,
+ "(ends_with($foo, ':latest'))": false,
+ },
+ },
+ },
+ },
+ },
+ }},
+ },
+ }},
+ },
+ }},
+ }, {
+ name: "multiple",
+ path: filepath.Join(basePath, "multiple.yaml"),
+ want: []*v1alpha1.ValidatingPolicy{{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "json.kyverno.io/v1alpha1",
+ Kind: "ValidatingPolicy",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-1",
+ },
+ Spec: v1alpha1.ValidatingPolicySpec{
+ Rules: []v1alpha1.ValidatingRule{},
+ },
+ }, {
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: "json.kyverno.io/v1alpha1",
+ Kind: "ValidatingPolicy",
+ },
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-2",
+ },
+ Spec: v1alpha1.ValidatingPolicySpec{
+ Rules: []v1alpha1.ValidatingRule{},
+ },
+ }},
+ }}
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got, err := Load(tt.path)
+ if tt.wantErr {
+ require.Error(t, err)
+ } else {
+ require.NoError(t, err)
+ }
+ require.Equal(t, tt.want, got)
+ })
+ }
+}
diff --git a/test/policy/bad-rule.yaml b/test/policy/bad-rule.yaml
new file mode 100644
index 00000000..e01e2aaa
--- /dev/null
+++ b/test/policy/bad-rule.yaml
@@ -0,0 +1,22 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test
+spec:
+ rules:
+ - name: pod-no-latest
+ # matches instead of match
+ matches:
+ any:
+ - apiVersion: v1
+ kind: Pod
+ assert:
+ all:
+ - check:
+ spec:
+ ~foo.containers->foos:
+ (at($foos, $foo).image)->foo:
+ # an image tag is required
+ (contains($foo, ':')): true
+ # using a mutable image tag e.g. 'latest' is not allowed
+ (ends_with($foo, ':latest')): false
\ No newline at end of file
diff --git a/test/policy/configmap.yaml b/test/policy/configmap.yaml
new file mode 100644
index 00000000..a1d88436
--- /dev/null
+++ b/test/policy/configmap.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: default
+data:
+ foo: bar
\ No newline at end of file
diff --git a/test/policy/empty.yaml b/test/policy/empty.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/test/policy/multiple.yaml b/test/policy/multiple.yaml
new file mode 100644
index 00000000..29b5dab1
--- /dev/null
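Review bot: The `wantErr: true` cases in TestLoad pass on any error, so a missing or mistyped fixture path cannot be told apart from the loader actually rejecting the document; as written, the "invalid rule" case would still pass if `bad-rule.yaml` were absent, exactly like the "not found" case. These negative cases are what show that the loader refuses a non-policy kind, the `matches` typo and a rule without a name, so I would pin the reason for the failure: add a `wantErrMsg string` field and assert `require.ErrorContains(t, err, tt.wantErrMsg)`, or at least call `require.FileExists(t, tt.path)` for every case except "not found". The first case name `"confimap"` should read `"configmap"`.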
+++ b/test/policy/multiple.yaml
@@ -0,0 +1,13 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test-1
+spec:
+ rules: []
+---
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test-2
+spec:
+ rules: []
diff --git a/test/policy/no-rules.yaml b/test/policy/no-rules.yaml
new file mode 100644
index 00000000..173604b4
--- /dev/null
+++ b/test/policy/no-rules.yaml
@@ -0,0 +1,5 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test
+spec: {}
diff --git a/test/policy/no-spec.yaml b/test/policy/no-spec.yaml
new file mode 100644
index 00000000..411dabe4
--- /dev/null
+++ b/test/policy/no-spec.yaml
@@ -0,0 +1,4 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test
diff --git a/test/policy/ok.yaml b/test/policy/ok.yaml
new file mode 100644
index 00000000..3ee779a9
--- /dev/null
+++ b/test/policy/ok.yaml
@@ -0,0 +1,21 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test
+spec:
+ rules:
+ - name: pod-no-latest
+ match:
+ any:
+ - apiVersion: v1
+ kind: Pod
+ assert:
+ all:
+ - check:
+ spec:
+ ~foo.containers->foos:
+ (at($foos, $foo).image)->foo:
+ # an image tag is required
+ (contains($foo, ':')): true
+ # using a mutable image tag e.g. 'latest' is not allowed
+ (ends_with($foo, ':latest')): false
\ No newline at end of file
diff --git a/test/policy/rule-name-missing.yaml b/test/policy/rule-name-missing.yaml
new file mode 100644
index 00000000..164e7afa
--- /dev/null
+++ b/test/policy/rule-name-missing.yaml
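Review bot: Both documents in multiple.yaml carry `rules: []`, and TestLoad expects this file to load without error while `no-rules.yaml` (`spec: {}`) must fail, so this fixture pins that a policy with an explicitly empty rule list is accepted. Such a policy checks nothing, so the fixture should say that this is deliberate, with a top-of-file comment such as `# empty rule lists are intentional: this fixture only exercises multi-document loading`. If accepting an empty list is not intended, the loader's validation would presumably need to reject it and this fixture should carry one minimal rule per document instead; that cannot be decided from this diff alone.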
@@ -0,0 +1,20 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: test
+spec:
+ rules:
+ - match:
+ any:
+ - apiVersion: v1
+ kind: Pod
+ assert:
+ all:
+ - check:
+ spec:
+ ~foo.containers->foos:
+ (at($foos, $foo).image)->foo:
+ # an image tag is required
+ (contains($foo, ':')): true
+ # using a mutable image tag e.g. 'latest' is not allowed
+ (ends_with($foo, ':latest')): false
\ No newline at end of file