From 44402b15bf4d5454fa24482aec8acc668a9f30ae Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Thu, 21 Sep 2023 07:56:48 +0000 Subject: [PATCH] fix: modify clusterpolicyreports in kuttl tests (#760) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mariam Fahmy Co-authored-by: Charles-Edouard Brétéché --- .../02-assert.yaml | 4 -- .../require-authorizationpolicy/03-cpolr.yaml | 15 ----- .../03-report.yaml | 4 +- .../report-assert.yaml | 27 +++++++++ other/e-l/inspect-csr/03-assert.yaml | 9 ++- .../namespace-inventory-check/02-assert.yaml | 4 -- .../namespace-inventory-check/03-report.yaml | 4 ++ .../report-assert.yaml | 56 +++++++++++++++++++ .../resource-check.sh | 12 ---- 9 files changed, 93 insertions(+), 42 deletions(-) delete mode 100644 istio/require-authorizationpolicy/02-assert.yaml delete mode 100644 istio/require-authorizationpolicy/03-cpolr.yaml rename other/m-q/namespace-inventory-check/03-cpolr.yaml => istio/require-authorizationpolicy/03-report.yaml (50%) create mode 100644 istio/require-authorizationpolicy/report-assert.yaml delete mode 100644 other/m-q/namespace-inventory-check/02-assert.yaml create mode 100644 other/m-q/namespace-inventory-check/03-report.yaml create mode 100644 other/m-q/namespace-inventory-check/report-assert.yaml delete mode 100644 other/m-q/namespace-inventory-check/resource-check.sh diff --git a/istio/require-authorizationpolicy/02-assert.yaml b/istio/require-authorizationpolicy/02-assert.yaml deleted file mode 100644 index 757d90436..000000000 --- a/istio/require-authorizationpolicy/02-assert.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: wgpolicyk8s.io/v1alpha2 -kind: ClusterPolicyReport -metadata: - name: cpol-require-authorizationpolicies \ No newline at end of file diff --git a/istio/require-authorizationpolicy/03-cpolr.yaml b/istio/require-authorizationpolicy/03-cpolr.yaml deleted file mode 100644 index 782964ba1..000000000 --- a/istio/require-authorizationpolicy/03-cpolr.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - if [ "$(kubectl get cpolr cpol-require-authorizationpolicies -o jsonpath='{.results[?(@.resources[0].name=="istio-reqauthzpol-bad-ns")].result}')" = "fail" ] ; then - exit 0; - else - exit 1; - fi -- script: | - if [ "$(kubectl get cpolr cpol-require-authorizationpolicies -o jsonpath='{.results[?(@.resources[0].name=="istio-reqauthzpol-good-ns")].result}')" = "pass" ] ; then - exit 0; - else - exit 1; - fi diff --git a/other/m-q/namespace-inventory-check/03-cpolr.yaml b/istio/require-authorizationpolicy/03-report.yaml similarity index 50% rename from other/m-q/namespace-inventory-check/03-cpolr.yaml rename to istio/require-authorizationpolicy/03-report.yaml index b568fb9a5..db172bedd 100644 --- a/other/m-q/namespace-inventory-check/03-cpolr.yaml +++ b/istio/require-authorizationpolicy/03-report.yaml @@ -1,4 +1,4 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep -commands: -- command: bash ./resource-check.sh \ No newline at end of file +assert: +- report-assert.yaml diff --git a/istio/require-authorizationpolicy/report-assert.yaml b/istio/require-authorizationpolicy/report-assert.yaml new file mode 100644 index 000000000..726b718e4 --- /dev/null +++ b/istio/require-authorizationpolicy/report-assert.yaml @@ -0,0 +1,27 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: istio-reqauthzpol-bad-ns +summary: + error: 0 + fail: 1 + pass: 0 + skip: 0 + warn: 0 +--- +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: istio-reqauthzpol-good-ns +summary: + error: 0 + fail: 0 + pass: 1 + skip: 0 + warn: 0 \ No newline at end of file diff --git a/other/e-l/inspect-csr/03-assert.yaml b/other/e-l/inspect-csr/03-assert.yaml index 25faa4399..fc1b83460 100644 --- a/other/e-l/inspect-csr/03-assert.yaml +++ b/other/e-l/inspect-csr/03-assert.yaml @@ -1,17 +1,16 @@ apiVersion: wgpolicyk8s.io/v1alpha2 kind: ClusterPolicyReport metadata: - name: cpol-inspect-csr + ownerReferences: + - apiVersion: certificates.k8s.io/v1 + kind: CertificateSigningRequest + name: inspect-csr-user results: - category: Other message: A CSR was created by {"groups":["testorg","system:authenticated"],"username":"inspect-csr-user"} holding ClusterRoles ["csr-manager","system:basic-user","system:discovery","system:public-info-viewer"] and Roles null. The subjects and groups requested in the CSR were "{"CommonName":"inspect-csr-user","Country":null,"ExtraNames":null,"Locality":null,"Names":[{"Type":[2,5,4,10],"Value":"testorg"},{"Type":[2,5,4,3],"Value":"inspect-csr-user"}],"Organization":["testorg"],"OrganizationalUnit":null,"PostalCode":null,"Province":null,"SerialNumber":"","StreetAddress":null}" policy: inspect-csr - resources: - - apiVersion: certificates.k8s.io/v1 - kind: CertificateSigningRequest - name: inspect-csr-user result: fail rule: csr scored: true diff --git a/other/m-q/namespace-inventory-check/02-assert.yaml b/other/m-q/namespace-inventory-check/02-assert.yaml deleted file mode 100644 index 8f85e0617..000000000 --- a/other/m-q/namespace-inventory-check/02-assert.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: wgpolicyk8s.io/v1alpha2 -kind: ClusterPolicyReport -metadata: - name: cpol-namespace-inventory-check \ No newline at end of file diff --git a/other/m-q/namespace-inventory-check/03-report.yaml b/other/m-q/namespace-inventory-check/03-report.yaml new file mode 100644 index 000000000..db172bedd --- /dev/null +++ b/other/m-q/namespace-inventory-check/03-report.yaml @@ -0,0 +1,4 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +assert: +- report-assert.yaml diff --git a/other/m-q/namespace-inventory-check/report-assert.yaml b/other/m-q/namespace-inventory-check/report-assert.yaml new file mode 100644 index 000000000..7bc7f7408 --- /dev/null +++ b/other/m-q/namespace-inventory-check/report-assert.yaml @@ -0,0 +1,56 @@ +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: inventory-check-ns01 +results: +- result: fail + rule: networkpolicies +- result: pass + rule: resourcequotas +summary: + error: 0 + fail: 1 + pass: 1 + skip: 0 + warn: 0 +--- +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: inventory-check-ns02 +results: +- result: pass + rule: networkpolicies +- result: fail + rule: resourcequotas +summary: + error: 0 + fail: 1 + pass: 1 + skip: 0 + warn: 0 +--- +apiVersion: wgpolicyk8s.io/v1alpha2 +kind: ClusterPolicyReport +metadata: + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: inventory-check-ns03 +results: +- result: pass + rule: networkpolicies +- result: pass + rule: resourcequotas +summary: + error: 0 + fail: 0 + pass: 2 + skip: 0 + warn: 0 diff --git a/other/m-q/namespace-inventory-check/resource-check.sh b/other/m-q/namespace-inventory-check/resource-check.sh deleted file mode 100644 index fd52e970e..000000000 --- a/other/m-q/namespace-inventory-check/resource-check.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -resources=("inventory-check-ns01" "inventory-check-ns01" "inventory-check-ns02" "inventory-check-ns02" "inventory-check-ns03" "inventory-check-ns03") -rules=("resourcequotas" "networkpolicies" "resourcequotas" "networkpolicies" "resourcequotas" "networkpolicies") -results=("pass" "fail" "fail" "pass" "pass" "pass") -for i in "${!resources[@]}"; do - if [ "$(kubectl get clusterpolicyreport cpol-namespace-inventory-check -o json | kyverno jp query "results[?resources[0].name=='${resources[$i]}' && rule=='${rules[$i]}'].result[?@=='${results[$i]}'] | length(@) | to_string(@)=='1'" | tail -n 1)" = "true" ] ; then - echo "Success: resource ${resources[$i]} ${results[$i]}ed for rule ${rules[$i]}"; - else - echo "Failed: resource ${resources[$i]} did not ${results[$i]} for rule ${rules[$i]}"; - exit 1; - fi -done \ No newline at end of file