kyverno · chipzoller · May 29, 2024 · May 22, 2024 · May 22, 2024 · May 22, 2024
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -107,7 +107,7 @@ jobs:
           set -e
           kubectl apply -f ./.chainsaw/crds
       - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@995cddaee7702e849270b84fa44cdcebe7462da8 # v0.1.9
+        uses: kyverno/action-install-chainsaw@ef2517389320aae0fd7c067aa14b060eef08b76d # v0.2.3
       - name: Test with Chainsaw
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml b/other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: allowed-annotations
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml b/other-cel/allowed-pod-priorities/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: allowed-pod-priorities
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml b/other-cel/block-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: block-ephemeral-containers
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml b/other-cel/check-env-vars/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: check-env-vars
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml b/other-cel/check-serviceaccount-secrets/.chainsaw-test/chainsaw-test.yaml
@@ -1,8 +1,11 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
   name: check-service-accounts
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml b/other-cel/deny-secret-service-account-token-type/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: deny-secret-service-account-token-type
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-all-secrets/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-all-secrets
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-localhost-services/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-localhost-services
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml b/other-cel/disallow-secrets-from-env-vars/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-secrets-from-env-vars
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml b/other-cel/docker-socket-requires-label/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: docker-socket-requires-label
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml b/other-cel/enforce-pod-duration/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: enforce-pod-duration
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-probes-different/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: ensure-probes-different
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml b/other-cel/ensure-readonly-hostpath/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: ensure-readonly-hostpath
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/forbid-cpu-limits/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: forbid-cpu-limits
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml b/other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: imagepullpolicy-always
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml b/other-cel/ingress-host-match-tls/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: ingress-host-match-tls
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-containers-per-pod/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: limit-containers-per-pod
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml b/other-cel/limit-hostpath-type-pv/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: limit-hostpath-type-pv
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml b/other-cel/memory-requests-equal-limits/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: memory-requests-equal-limits
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml b/other-cel/metadata-match-regex/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: metadata-match-regex
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml b/other-cel/pdb-maxunavailable/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: pdb-maxunavailable
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-bare-pods/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: prevent-naked-pods
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml b/other-cel/prevent-cr8escape/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: prevent-cr8escape
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-capabilities/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-capabilities
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-namespaces/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-host-namespaces
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-path/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-host-path
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-ports-range/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-host-ports-range
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-ports/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-host-ports
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-host-process/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-host-process
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-privileged-containers/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-privileged-containers
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/disallow-selinux/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-selinux
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: restrict-seccomp
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: restrict-sysctls
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/disallow-capabilities-strict/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-capabilities-strict
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/disallow-privilege-escalation/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: disallow-privilege-escalation
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/require-run-as-non-root-user/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: require-run-as-non-root-user
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/require-run-as-nonroot/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: require-run-as-nonroot
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-seccomp-strict/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: restrict-seccomp-strict
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try:

diff --git a/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml b/pod-security-cel/restricted/restrict-volume-types/.chainsaw-test/chainsaw-test.yaml
@@ -5,6 +5,8 @@ metadata:
   creationTimestamp: null
   name: restrict-volume-types
 spec:
+  # disable templating because it can cause issues with CEL expressions
+  template: false
   steps:
   - name: step-01
     try: