Add kyverno tests

anydatacenter/30-policy-demo/kyvernoPolicies/tests/kyverno-test.yaml

@@ -0,0 +1,138 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: test-topology-spread
+policies:
+  - ../rossumTopologySpread.yaml
+resources:
+  - resources.yaml
+results:
+  # spread-undefined
+  - kind: Deployment
+    patchedResource: patched-spread-undefined.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-undefined
+    result: pass
+    rule: create-topology-spread
+  - kind: Deployment
+    patchedResource: patched-spread-undefined.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-undefined
+    result: skip
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    patchedResource: patched-spread-undefined.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-undefined
+    result: skip
+    rule: inject-zone-topology-spread
+  # spread-different-topology
+  - kind: Deployment
+    patchedResource: patched-spread-different-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-different-topology
+    result: skip
+    rule: create-topology-spread
+  - kind: Deployment
+    patchedResource: patched-spread-different-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-different-topology
+    result: skip
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    patchedResource: patched-spread-different-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-different-topology
+    result: pass
+    rule: inject-zone-topology-spread
+  # spread-same-topology
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology
+    result: skip
+    rule: create-topology-spread
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology
+    result: skip
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology
+    result: skip
+    rule: inject-zone-topology-spread
+  # spread-same-topology-different-settings
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology-different-settings.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology-different-settings
+    result: skip
+    rule: create-topology-spread
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology-different-settings.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology-different-settings
+    result: pass
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    patchedResource: patched-spread-same-topology-different-settings.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-same-topology-different-settings
+    result: skip
+    rule: inject-zone-topology-spread
+  # spread-multi-topologies
+  - kind: Deployment
+    patchedResource: patched-spread-multi-topologies.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-multi-topologies
+    result: skip
+    rule: create-topology-spread
+  - kind: Deployment
+    patchedResource: patched-spread-multi-topologies.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-multi-topologies
+    result: pass
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    patchedResource: patched-spread-multi-topologies.yaml
+    policy: rossum/enforce-topology-spread
+    resources:
+      - spread-multi-topologies
+    result: skip
+    rule: inject-zone-topology-spread
+  # test-wrong-label
+  - kind: Deployment
+    policy: rossum/enforce-topology-spread
+    resources:
+      - test-wrong-label
+    result: skip
+    rule: create-topology-spread
+  - kind: Deployment
+    policy: rossum/enforce-topology-spread
+    resources:
+      - test-wrong-label
+    result: skip
+    rule: enforce-zone-topology-spread-configuration
+  - kind: Deployment
+    policy: rossum/enforce-topology-spread
+    resources:
+      - test-wrong-label
+    result: skip
+    rule: inject-zone-topology-spread

anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-different-topology.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-different-topology
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-different-topology
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-different-topology
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-different-topology
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-different-topology
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-different-topology

anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-multi-topologies.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-multi-topologies
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-multi-topologies
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-multi-topologies
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-multi-topologies
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies

anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology-different-settings.yaml

@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-same-topology-different-settings
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-same-topology-different-settings
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-same-topology-different-settings
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-same-topology-different-settings
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-same-topology-different-settings

anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-same-topology.yaml

@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-same-topology
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-same-topology
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-same-topology
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-same-topology
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-same-topology

anydatacenter/30-policy-demo/kyvernoPolicies/tests/patched-spread-undefined.yaml

@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-undefined
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-undefined
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-undefined
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-undefined
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-undefined

anydatacenter/30-policy-demo/kyvernoPolicies/tests/resource_multi.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-multi-topologies
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-multi-topologies
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-multi-topologies
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-multi-topologies
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies

anydatacenter/30-policy-demo/kyvernoPolicies/tests/resources.yaml

@@ -0,0 +1,155 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-undefined
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-undefined
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-undefined
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-undefined
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-same-topology
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-same-topology
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-same-topology
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-same-topology
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: ScheduleAnyway
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-same-topology
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-same-topology-different-settings
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-same-topology-different-settings
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-same-topology-different-settings
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-same-topology-different-settings
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-same-topology-different-settings
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-different-topology
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-different-topology
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-different-topology
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-different-topology
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-different-topology
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spread-multi-topologies
+  namespace: rossum
+  labels:
+    app.kubernetes.io/name: spread-multi-topologies
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: spread-multi-topologies
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: spread-multi-topologies
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies
+        - maxSkew: 1
+          topologyKey: topology.kubernetes.io/zone
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: spread-multi-topologies
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-wrong-label
+  namespace: rossum
+  labels:
+    name: test-wrong-label
+spec:
+  selector:
+    matchLabels:
+      name: test-wrong-label
+  template:
+    metadata:
+      labels:
+        name: test-wrong-label
+    spec:
+      containers:
+        - name: busybox
+          image: busybox
+---
+

flake.nix

@@ -20,6 +20,7 @@
             {
               packages = with pkgs; [
                 terraform
+                kyverno
               ];
 
               scripts = {
@@ -41,6 +42,16 @@
                     ${nix.lib.cd_root}
                     nix fmt ./*.nix
                     terraform fmt --recursive
+                    ${pkgs.yamlfmt}/bin/yamlfmt ./anydatacenter
+                  '';
+                };
+
+                tests = {
+                  description = "Run terraform and kyverno tests";
+                  exec = ''
+                    ${nix.lib.cd_root}
+                    terraform validate
+                    ${pkgs.kyverno}/bin/kyverno test ./anydatacenter/30-policy-demo --detailed-results
                   '';
                 };
               };