From 7fe5124427dd2ef0926c0e6f6e727e91b8290a1e Mon Sep 17 00:00:00 2001
From: Arnie
Date: Thu, 28 Nov 2024 16:40:10 +0100
Subject: [PATCH] Add kyverno tests
---
.../kyvernoPolicies/tests/kyverno-test.yaml | 138 ++++++++++++++++
.../patched-spread-different-topology.yaml | 32 ++++
.../patched-spread-multi-topologies.yaml | 32 ++++
...read-same-topology-different-settings.yaml | 26 +++
.../tests/patched-spread-same-topology.yaml | 26 +++
.../tests/patched-spread-undefined.yaml | 26 +++
.../kyvernoPolicies/tests/resource_multi.yaml | 32 ++++
.../kyvernoPolicies/tests/resources.yaml | 155 ++++++++++++++++++
flake.nix | 11 ++
9 files changed, 478 insertions(+)
create mode 100644 anydatacenter/30-policy-demo/kyvernoPolicies/tests/kyverno-test.yaml
create mode 100644 anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-different-topology.yaml
create mode 100644 anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-multi-topologies.yaml
create mode 100644 anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology-different-settings.yaml
create mode 100644 anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology.yaml
create mode 100644 anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-undefined.yaml
create mode 100644 anydatacenter/30-policy-demo/kyvernoPolicies/tests/resource_multi.yaml
create mode 100644 anydatacenter/30-policy-demo/kyvernoPolicies/tests/resources.yaml
diff --git a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/kyverno-test.yaml b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/kyverno-test.yaml
new file mode 100644
index 0000000..f6b10ba
--- /dev/null
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/kyverno-test.yaml
@@ -0,0 +1,138 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: test-topology-spread
+policies:
+ - ../rossumTopologySpread.yaml
+resources:
+ - resources.yaml
+results:
+ # spread-undefined
+ - kind: Deployment
+ patchedResource: patched-spread-undefined.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-undefined
+ result: pass
+ rule: create-topology-spread
+ - kind: Deployment
+ patchedResource: patched-spread-undefined.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-undefined
+ result: skip
+ rule: enforce-zone-topology-spread-configuration
+ - kind: Deployment
+ patchedResource: patched-spread-undefined.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-undefined
+ result: skip
+ rule: inject-zone-topology-spread
+ # spread-different-topology
+ - kind: Deployment
+ patchedResource: patched-spread-different-topology.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-different-topology
+ result: skip
+ rule: create-topology-spread
+ - kind: Deployment
+ patchedResource: patched-spread-different-topology.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-different-topology
+ result: skip
+ rule: enforce-zone-topology-spread-configuration
+ - kind: Deployment
+ patchedResource: patched-spread-different-topology.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-different-topology
+ result: pass
+ rule: inject-zone-topology-spread
+ # spread-same-topology
+ - kind: Deployment
+ patchedResource: patched-spread-same-topology.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-same-topology
+ result: skip
+ rule: create-topology-spread
+ - kind: Deployment
+ patchedResource: patched-spread-same-topology.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-same-topology
+ result: skip
+ rule: enforce-zone-topology-spread-configuration
+ - kind: Deployment
+ patchedResource: patched-spread-same-topology.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-same-topology
+ result: skip
+ rule: inject-zone-topology-spread
+ # spread-same-topology-different-settings
+ - kind: Deployment
+ patchedResource: patched-spread-same-topology-different-settings.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-same-topology-different-settings
+ result: skip
+ rule: create-topology-spread
+ - kind: Deployment
+ patchedResource: patched-spread-same-topology-different-settings.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-same-topology-different-settings
+ result: pass
+ rule: enforce-zone-topology-spread-configuration
+ - kind: Deployment
+ patchedResource: patched-spread-same-topology-different-settings.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-same-topology-different-settings
+ result: skip
+ rule: inject-zone-topology-spread
+ # spread-multi-topologies
+ - kind: Deployment
+ patchedResource: patched-spread-multi-topologies.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-multi-topologies
+ result: skip
+ rule: create-topology-spread
+ - kind: Deployment
+ patchedResource: patched-spread-multi-topologies.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-multi-topologies
+ result: pass
+ rule: enforce-zone-topology-spread-configuration
+ - kind: Deployment
+ patchedResource: patched-spread-multi-topologies.yaml
+ policy: rossum/enforce-topology-spread
+ resources:
+ - spread-multi-topologies
+ result: skip
+ rule: inject-zone-topology-spread
+ # test-wrong-label
+ - kind: Deployment
+ policy: rossum/enforce-topology-spread
+ resources:
+ - test-wrong-label
+ result: skip
+ rule: create-topology-spread
+ - kind: Deployment
+ policy: rossum/enforce-topology-spread
+ resources:
+ - test-wrong-label
+ result: skip
+ rule: enforce-zone-topology-spread-configuration
+ - kind: Deployment
+ policy: rossum/enforce-topology-spread
+ resources:
+ - test-wrong-label
+ result: skip
+ rule: inject-zone-topology-spread
diff --git a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-different-topology.yaml b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-different-topology.yaml
new file mode 100644
index 0000000..7026b42
--- /dev/null
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-different-topology.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-different-topology
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-different-topology
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-different-topology
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-different-topology
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-different-topology
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-different-topology
diff --git a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-multi-topologies.yaml b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-multi-topologies.yaml
new file mode 100644
index 0000000..6397c2e
--- /dev/null
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-multi-topologies.yaml
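Review bot: The `# test-wrong-label` cases at the end of `results:` expect `skip` from all three rules for a Deployment that carries `name:` instead of `app.kubernetes.io/name`, which pins as intended behaviour that a workload falls outside the policy simply by not having that label. The policy file is not part of this patch, so whether that is deliberate cannot be seen here. If it is, say so next to the case, e.g. `# test-wrong-label: no app.kubernetes.io/name label, policy intentionally does not apply`. If it is not, the gap belongs in the policy (for example a validate rule on the label), and this case should then assert that rule's result rather than `skip`.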
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-multi-topologies
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-multi-topologies
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-multi-topologies
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-multi-topologies
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-multi-topologies
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-multi-topologies
diff --git a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology-different-settings.yaml b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology-different-settings.yaml
new file mode 100644
index 0000000..71ec693
--- /dev/null
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology-different-settings.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-same-topology-different-settings
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-same-topology-different-settings
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-same-topology-different-settings
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-same-topology-different-settings
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-same-topology-different-settings
diff --git a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology.yaml b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology.yaml
new file mode 100644
index 0000000..8200dbc
--- /dev/null
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-same-topology
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-same-topology
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-same-topology
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-same-topology
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-same-topology
diff --git a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-undefined.yaml b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-undefined.yaml
new file mode 100644
index 0000000..ead347b
--- /dev/null
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-undefined.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-undefined
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-undefined
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-undefined
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-undefined
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-undefined
diff --git a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/resource_multi.yaml b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/resource_multi.yaml
new file mode 100644
index 0000000..f31cb98
--- /dev/null
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/resource_multi.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-multi-topologies
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-multi-topologies
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-multi-topologies
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-multi-topologies
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-multi-topologies
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-multi-topologies
diff --git a/anydatacenter/30-policy-demo/kyvernoPolicies/tests/resources.yaml b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/resources.yaml
new file mode 100644
index 0000000..af48cab
--- /dev/null
+++ b/anydatacenter/30-policy-demo/kyvernoPolicies/tests/resources.yaml
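Review bot: `resource_multi.yaml` is not listed under `resources:` in `kyverno-test.yaml`, which names only `resources.yaml`, so as far as this patch shows nothing loads this file. Its content matches the `spread-multi-topologies` document in `resources.yaml`, so the two copies can drift apart without any test noticing. Either drop the file, or add `- resource_multi.yaml` to the test's `resources:` list and remove the duplicate document from `resources.yaml`.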
@@ -0,0 +1,155 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-undefined
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-undefined
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-undefined
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-undefined
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-same-topology
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-same-topology
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-same-topology
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-same-topology
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-same-topology
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-same-topology-different-settings
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-same-topology-different-settings
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-same-topology-different-settings
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-same-topology-different-settings
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-same-topology-different-settings
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-different-topology
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-different-topology
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-different-topology
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-different-topology
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-different-topology
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: spread-multi-topologies
+ namespace: rossum
+ labels:
+ app.kubernetes.io/name: spread-multi-topologies
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: spread-multi-topologies
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: spread-multi-topologies
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-multi-topologies
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: spread-multi-topologies
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-wrong-label
+ namespace: rossum
+ labels:
+ name: test-wrong-label
+spec:
+ selector:
+ matchLabels:
+ name: test-wrong-label
+ template:
+ metadata:
+ labels:
+ name: test-wrong-label
+ spec:
+ containers:
+ - name: busybox
+ image: busybox
+---
+
diff --git a/flake.nix b/flake.nix
index 529a14e..6dcb83c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,6 +20,7 @@ { packages = with pkgs; [ terraform + kyverno ]; scripts = {
@@ -41,6 +42,16 @@ ${nix.lib.cd_root} nix fmt ./*.nix terraform fmt --recursive + ${pkgs.yamlfmt}/bin/yamlfmt ./anydatacenter + ''; + }; + + tests = { + description = "Run terraform and kyverno tests"; + exec = '' + ${nix.lib.cd_root} + terraform validate + ${pkgs.kyverno}/bin/kyverno test ./anydatacenter/30-policy-demo --detailed-results ''; }; };
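Review bot: The hostname constraints in the `spread-different-topology` and `spread-multi-topologies` documents use `topologyKey: topology.kubernetes.io/hostname`, which is not the well-known node label; Kubernetes sets `kubernetes.io/hostname`. The policy test schedules nothing, so it still passes, but the same key is repeated in `patched-spread-different-topology.yaml`, `patched-spread-multi-topologies.yaml` and `resource_multi.yaml`, and fixtures tend to be copied into real manifests, where a `DoNotSchedule` constraint on a label no node carries will likely not behave as intended. Use `topologyKey: kubernetes.io/hostname` in the fixtures and their patched counterparts. Separately, `image: busybox` carries no tag or digest; that is harmless for an offline test, but worth pinning if these manifests are ever applied to a cluster.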
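Review bot: In the new `tests` script, `terraform validate` and `kyverno test` run back to back with nothing tying their exit codes together, so unless the script wrapper enables errexit (not visible in this hunk) a failed `terraform validate` is masked whenever the kyverno run passes. That matters if this script is what gates merges on the policy tests. Add `set -euo pipefail` as the first line of `exec`, or chain the two commands with `&&`. `terraform validate` also runs from the repository root after `${nix.lib.cd_root}` and needs an initialised working directory, so confirm the root is the module meant to be validated.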