Merge pull request #183 from mastersans/missing-chainsaw

feat: added missing chainsaw test

best-practices/disallow-default-namespace/disallow-default-namespace.yaml

@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-default-namespace
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+    policies.kyverno.io/title: Disallow Default Namespace
+    kyverno.io/kyverno-version: 1.10.0
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/category: Multi-Tenancy
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Kubernetes Namespaces are an optional feature that provide a way to segment and
+      isolate cluster resources across multiple applications and users. As a best
+      practice, workloads should be isolated with Namespaces. Namespaces should be required
+      and the default (empty) Namespace should not be used. This policy validates that Pods
+      specify a Namespace name other than `default`. Rule auto-generation is disabled here
+      due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
+      object and not at the Pod template level.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: validate-namespace
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "Using 'default' namespace is not allowed."
+      pattern:
+        metadata:
+          namespace: "!default"
+  - name: validate-podcontroller-namespace
+    match:
+      any:
+      - resources:
+          kinds:
+          - DaemonSet
+          - Deployment
+          - Job
+          - StatefulSet
+    validate:
+      message: "Using 'default' namespace is not allowed for pod controllers."
+      pattern:
+        metadata:
+          namespace: "!default"

best-practices/disallow-default-namespace/e2e/chainsaw-test.yaml

@@ -0,0 +1,55 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: disallow-default-namespace
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../disallow-default-namespace.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: disallow-default-namespace
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: ns.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: good-resources.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-default.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ds-default.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: job-default.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ss-default.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: deploy-default.yaml

best-practices/disallow-default-namespace/e2e/deploy-default.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: bad-busybox
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - image: ghcr.io/kyverno/test-busybox:1.35
+        name: busybox
+        command:
+        - "sleep"
+        - "3000"

best-practices/disallow-default-namespace/e2e/ds-default.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: bad-daemonset
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      name: good-daemonset
+  template:
+    metadata:
+      labels:
+        name: good-daemonset
+    spec:
+      containers:
+      - image: ghcr.io/kyverno/test-busybox:1.35
+        name: busybox
+        command:
+        - "sleep"
+        - "3000"

best-practices/disallow-default-namespace/e2e/good-resources.yaml

@@ -0,0 +1,97 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+  namespace: not-default-ns
+spec:
+  containers:
+  - name: busybox
+    image: "busybox:v1.35"
+    command:
+    - "sleep"
+    - "3000"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: busybox
+  namespace: not-default-ns
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - image: ghcr.io/kyverno/test-busybox:1.35
+        name: busybox
+        command:
+        - "sleep"
+        - "3000"
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: good-daemonset
+  namespace: not-default-ns
+spec:
+  selector:
+    matchLabels:
+      name: good-daemonset
+  template:
+    metadata:
+      labels:
+        name: good-daemonset
+    spec:
+      containers:
+      - image: ghcr.io/kyverno/test-busybox:1.35
+        name: busybox
+        command:
+        - "sleep"
+        - "3000"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: good-job
+  namespace: not-default-ns
+spec:
+  template:
+    spec:
+      containers:
+      - image: ghcr.io/kyverno/test-busybox:1.35
+        name: busybox
+        command:
+        - "sleep"
+        - "3000"
+      restartPolicy: Never
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: good-statefulset
+  namespace: not-default-ns
+spec:
+  selector:
+    matchLabels:
+      app: busybox
+  serviceName: "busyservice"
+  replicas: 1
+  minReadySeconds: 10
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - image: ghcr.io/kyverno/test-busybox:1.35
+        name: busybox
+        command:
+        - "sleep"
+        - "3000"

best-practices/disallow-default-namespace/e2e/job-default.yaml

@@ -0,0 +1,15 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: bad-job
+  namespace: default
+spec:
+  template:
+    spec:
+      containers:
+      - image: ghcr.io/kyverno/test-busybox:1.35
+        name: busybox
+        command:
+        - "sleep"
+        - "3000"
+      restartPolicy: Never

best-practices/disallow-default-namespace/e2e/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: not-default-ns

best-practices/disallow-default-namespace/e2e/pod-default.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+  namespace: default
+spec:
+  containers:
+  - name: busybox
+    image: "busybox:v1.35"
+    command:
+    - "sleep"
+    - "3000"

best-practices/disallow-default-namespace/e2e/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-default-namespace
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

best-practices/disallow-default-namespace/e2e/ss-default.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: good-statefulset
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      app: busybox
+  serviceName: "busyservice"
+  replicas: 1
+  minReadySeconds: 10
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - image: ghcr.io/kyverno/test-busybox:1.35
+        name: busybox
+        command:
+        - "sleep"
+        - "3000"

best-practices/disallow-default-namespace/kyverno-test.yaml

@@ -0,0 +1,28 @@
+name: disallow-default-namespace
+policies:
+  -  disallow-default-namespace.yaml
+resources:
+  -  resource.yaml
+results:
+  # validate-namespace
+  - policy: disallow-default-namespace
+    rule: validate-namespace
+    resource: badpod01
+    kind: Pod
+    result: fail
+  - policy: disallow-default-namespace
+    rule: validate-namespace
+    resource: goodpod01
+    kind: Pod
+    result: pass
+  # validate-podcontroller-namespace
+  - policy: disallow-default-namespace
+    rule: validate-podcontroller-namespace
+    resource: baddeployment01
+    kind: Deployment
+    result: fail
+  - policy: disallow-default-namespace
+    rule: validate-podcontroller-namespace
+    resource: gooddeployment01
+    kind: Deployment
+    result: pass