policies icon indicating copy to clipboard operation
policies copied to clipboard

Published 20 hours ago verified publisher icon kyverno

[Chainsaw Tests] Add Chainsaw tests for the sample policies

Open realshuting opened this issue 1 year ago • 2 comments

Problem Statement

Hi there👋

This is an umbrella issue for adding Chainsaw tests for Kyverno sample policies.

You can find references below to write tests:

Start by browsing the following sample policies, and you can pick up a task by:

  1. create a GitHub issue on kyverno/policies repo
  2. comment /assign to get assigned
  3. write your tests
  4. verify tests locally
  • require a Kubernetes cluster
  • require installing Chainsaw
  1. create the PR
  • [ ] https://github.com/kyverno/policies/tree/main/aws/require-aws-node-irsa
  • [ ] https://github.com/kyverno/policies/tree/main/best-practices/check-deprecated-apis
  • [x] refactor https://github.com/kyverno/policies/tree/main/cert-manager/limit-dnsnames
  • [x] refactor https://github.com/kyverno/policies/tree/main/cert-manager/limit-duration
  • [x] refactor https://github.com/kyverno/policies/tree/main/cert-manager/restrict-issuer
  • [x] https://github.com/kyverno/policies/tree/main/cleanup/cleanup-bare-pods
  • [x] https://github.com/kyverno/policies/tree/main/cleanup/cleanup-empty-replicasets
  • [ ] https://github.com/kyverno/policies/tree/main/other/advertise-node-extended-resources
  • [x] https://github.com/kyverno/policies/tree/main/other/copy-namespace-labels
  • [ ] https://github.com/kyverno/policies/tree/main/other/expiration-for-policyexceptions
  • [ ] https://github.com/kyverno/policies/tree/main/other/namespace-protection
  • [ ] https://github.com/kyverno/policies/tree/main/other/restrict-edit-for-endpoints
  • [ ] https://github.com/kyverno/policies/tree/main/other/restrict-scale
  • [ ] https://github.com/kyverno/policies/tree/main/other/restrict-service-account
  • [x] https://github.com/kyverno/policies/tree/main/pod-security/baseline/disallow-proc-mount
  • [ ] https://github.com/kyverno/policies/tree/main/pod-security/subrule/podsecurity-subrule-baseline

Solution Description

n/a

Example "Good" Resource

No response

Example "Bad" Resource

No response

Other Comments

No response

Slack discussion

No response

Troubleshooting

realshuting avatar Mar 21 '24 16:03 realshuting

Hei @realshuting, I created a new issue and PR, but were unable to assign myself. Can you do a review?

  • https://github.com/kyverno/policies/issues/956
  • https://github.com/kyverno/policies/pull/957

erisnar avatar Mar 25 '24 13:03 erisnar

Removed line item to test procMount policy since it can't be tested without a specific feature gate we don't want to enable for all clusters.

chipzoller avatar Apr 30 '24 13:04 chipzoller