Add kyverno tests

2024-11-28 16:40:10 +01:00 · 2024-11-28 16:40:10 +01:00 · 7fe5124427
commit 7fe5124427
parent f359292d05
9 changed files with 478 additions and 0 deletions
--- a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/kyverno-test.yaml
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/kyverno-test.yaml
@ -0,0 +1,138 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: test-topology-spread
+policies:
+  - ../rossumTopologySpread.yaml
+resources:
+  - resources.yaml
+results:
+  # spread-undefined
+  - kind: Deployment
+    patchedResource: patched-spread-undefined.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-undefined
+    result: pass
+    rule: create-topology-spread
+  - kind: Deployment
+    patchedResource: patched-spread-undefined.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-undefined
+    result: skip
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    patchedResource: patched-spread-undefined.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-undefined
+    result: skip
+    rule: inject-zone-topology-spread
+  # spread-different-topology
+  - kind: Deployment
+    patchedResource: patched-spread-different-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-different-topology
+    result: skip
+    rule: create-topology-spread
+  - kind: Deployment
+    patchedResource: patched-spread-different-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-different-topology
+    result: skip
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    patchedResource: patched-spread-different-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-different-topology
+    result: pass
+    rule: inject-zone-topology-spread
+  # spread-same-topology
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology
+    result: skip
+    rule: create-topology-spread
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology
+    result: skip
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology
+    result: skip
+    rule: inject-zone-topology-spread
+  # spread-same-topology-different-settings
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology-different-settings.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology-different-settings
+    result: skip
+    rule: create-topology-spread
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology-different-settings.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology-different-settings
+    result: pass
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology-different-settings.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology-different-settings
+    result: skip
+    rule: inject-zone-topology-spread
+  # spread-multi-topologies
+  - kind: Deployment
+    patchedResource: patched-spread-multi-topologies.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-multi-topologies
+    result: skip
+    rule: create-topology-spread
+  - kind: Deployment
+    patchedResource: patched-spread-multi-topologies.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-multi-topologies
+    result: pass
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    patchedResource: patched-spread-multi-topologies.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-multi-topologies
+    result: skip
+    rule: inject-zone-topology-spread
+  # test-wrong-label
+  - kind: Deployment
+    policy: rossum/enforce-topology-spread
+    resources:
+      - test-wrong-label
+    result: skip
+    rule: create-topology-spread
+  - kind: Deployment
+    policy: rossum/enforce-topology-spread
+    resources:
+      - test-wrong-label
+    result: skip
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    policy: rossum/enforce-topology-spread
+    resources:
+      - test-wrong-label
+    result: skip
+    rule: inject-zone-topology-spread
--- a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-different-topology.yaml
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-different-topology.yaml
@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-different-topology
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-different-topology
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-different-topology
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-different-topology
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-different-topology
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-different-topology
--- a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-multi-topologies.yaml
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-multi-topologies.yaml
@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-multi-topologies
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-multi-topologies
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-multi-topologies
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-multi-topologies
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies
--- a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology-different-settings.yaml
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology-different-settings.yaml
@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-same-topology-different-settings
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-same-topology-different-settings
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-same-topology-different-settings
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-same-topology-different-settings
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-same-topology-different-settings
--- a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology.yaml
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology.yaml
@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-same-topology
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-same-topology
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-same-topology
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-same-topology
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-same-topology
--- a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-undefined.yaml
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-undefined.yaml
@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-undefined
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-undefined
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-undefined
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-undefined
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-undefined
--- a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/resource_multi.yaml
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/resource_multi.yaml
@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-multi-topologies
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-multi-topologies
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-multi-topologies
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-multi-topologies
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies
--- a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/resources.yaml
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/resources.yaml
@ -0,0 +1,155 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-undefined
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-undefined
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-undefined
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-undefined
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-same-topology
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-same-topology
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-same-topology
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-same-topology
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-same-topology
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-same-topology-different-settings
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-same-topology-different-settings
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-same-topology-different-settings
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-same-topology-different-settings
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-same-topology-different-settings
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-different-topology
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-different-topology
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-different-topology
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-different-topology
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-different-topology
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-multi-topologies
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-multi-topologies
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-multi-topologies
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-multi-topologies
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-wrong-label
+  namespace: rossum
+  labels:
+    name: test-wrong-label
+spec:
+  selector:
+    matchLabels:
+      name: test-wrong-label
+  template:
+    metadata:
+      labels:
+        name: test-wrong-label
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+---
+
--- a/flake.nix
+++ b/flake.nix
@ -20,6 +20,7 @@
            {
              packages = with pkgs; [
                terraform
+                kyverno
              ];

              scripts = {
@ -41,6 +42,16 @@
                    ${nix.lib.cd_root}
                    nix fmt ./*.nix
                    terraform fmt --recursive
+                    ${pkgs.yamlfmt}/bin/yamlfmt ./anydatacenter
+                  '';
+                };
+
+                tests = {
+                  description = "Run terraform and kyverno tests";
+                  exec = ''
+                    ${nix.lib.cd_root}
+                    terraform validate
+                    ${pkgs.kyverno}/bin/kyverno test ./anydatacenter/30-policy-demo --detailed-results
                  '';
                };
              };