[gator verify] Support testing AdmissionReview input objects
I have a question around the best way of testing ConstraintTemplates that are using users and groups. Specifically I'm denying creation/deletion of certain namespaces and verifying the user's group via userInfo in the AdmissionReview input object.
The way I currently understand to write unit tests for this is to use the entire AdmissionReview JSON as an input and tweak it each time to test against different assertions in Rego and use opa test. The other way is to potentially use gator but I'm not exactly sure what type of object I would pass into each Case.
Appreciate any thoughts or ideas.
This is a great idea - we were already wanting to add support for specifying whether the operation was a create/delete/update.
What we're thinking of doing is allowing test authors to specify either an AdmissionReview or a k8s object. The test can just infer which the object is, and either test it as an object or as an AdmissionReview.
Another use case – testing for UPDATEs with oldObject
Looking at this now
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
This is still an issue.
Hi,
I'm trying to test a rego template, using gator, that fails because of this condition:
input.review.operation == "CREATE"
In order to be able to test it I would have to specify the admission review operation as an input, which is not possible right now. I know you are already working on this subject but I just want to share this use case.
@maxsmythe / @ritazh / @sozercan I think we can close this issue since all the use cases are supported after #2348 (fyi @arno-snop)
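The `opa test` approach from the opening post, as an added example that is not from this thread or the Gatekeeper project: the policy, the package name `k8sprotectednamespaces`, the `allowedGroups` parameter and all sample review values are assumptions constructed for illustration. Each test overrides one field of a base review with `with input as`, rather than keeping a full AdmissionReview JSON file per case.

```rego
package k8sprotectednamespaces

# Rego v1 keywords (if/contains/in); older embedded templates use the v0 rule form.
import rego.v1

# Assumed policy (not from the thread): only members of a group listed in
# input.parameters.allowedGroups may CREATE or DELETE a Namespace.
violation contains {"msg": msg} if {
	input.review.kind.kind == "Namespace"
	input.review.operation in {"CREATE", "DELETE"}
	not caller_allowed
	msg := sprintf("%v of namespace %v denied for user %v", [input.review.operation, input.review.name, input.review.userInfo.username])
}

# Undefined when userInfo.groups is missing, so the rule above fails closed.
caller_allowed if {
	some group in input.review.userInfo.groups
	group in input.parameters.allowedGroups
}

# Constructed sample: the admission request as Gatekeeper exposes it under input.review.
base_review := {
	"kind": {"group": "", "version": "v1", "kind": "Namespace"},
	"name": "payments",
	"operation": "CREATE",
	"userInfo": {"username": "alice", "groups": ["developers", "system:authenticated"]},
	"object": {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "payments"}},
}

params := {"allowedGroups": ["platform-admins"]}

test_create_denied_for_unlisted_group if {
	count(violation) == 1 with input as {"review": base_review, "parameters": params}
}

test_create_allowed_for_listed_group if {
	review := object.union(base_review, {"userInfo": {"username": "bob", "groups": ["platform-admins"]}})
	count(violation) == 0 with input as {"review": review, "parameters": params}
}

test_delete_denied if {
	review := object.union(base_review, {"operation": "DELETE"})
	count(violation) == 1 with input as {"review": review, "parameters": params}
}
```

Save the block as a `.rego` file and run `opa test -v` against it.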