Added kuttl tests and cli tests for kyverno 1.10 (nirmata#80)

* Added kuttl tests for kyverno 1.10

* updated e2e workflow yaml

Updated the license key in the helm command

Added Kuttl e2e tests for best practices policy

Updated the kuttl test yaml files

Updated the resource yaml

Kyverno 1.10 policy updates (nirmata#79)

* Update policies to use Kyverno 1.10

* Update Kyverno version annotation

* Update Kyverno annotation and e2e tests

.github/workflows/cli.yaml

@@ -2,10 +2,10 @@ name: Kyverno CLI Test
 on:
   push:
     branches:
-      - main
+      - kyverno-1.10
   pull_request:
     branches:
-      - main
+      - kyverno-1.10
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -16,7 +16,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        n4k-version: [v1.9.0-n4kbuild.3]
+        n4k-version: [v1.10.0-n4k.nirmata.1]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.github/workflows/e2e.yaml

@@ -3,13 +3,13 @@ name: Kuttl Test
 on:
   push:
     branches:
-      - 'main'
+      - 'kyverno-1.10'
   # this action needs to read GH secret
   # hence prevents executing on PRs from forks
   # disabling running on PRs until we find a workaround for this
   pull_request:
     branches:
-      - 'main'
+      - 'kyverno-1.10'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}

Makefile

@@ -1,13 +1,13 @@
 .DEFAULT_GOAL: build-all
 
 K8S_VERSION          ?= $(shell kubectl version --short | grep -i server | cut -d" " -f3 | cut -c2-)
-KIND_IMAGE           ?= kindest/node:v1.25.2
+KIND_IMAGE           ?= kindest/node:v1.27.1
 KIND_NAME            ?= kind
 USE_CONFIG           ?= standard
 
 TOOLS_DIR                          := $(PWD)/.tools
 KIND                               := $(TOOLS_DIR)/kind
-KIND_VERSION                       := v0.17.0
+KIND_VERSION                       := v0.19.0
 HELM                               := $(TOOLS_DIR)/helm
 HELM_VERSION                       := v3.10.1
 KUTTL                              := $(TOOLS_DIR)/kubectl-kuttl
@@ -60,9 +60,16 @@ kind-delete-cluster: $(KIND)
 kind-deploy-kyverno: $(HELM) 
 	@echo Install kyverno chart... >&2
 	@echo $(N4K_LICENSE_KEY) >&2
-	@$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts
-	@$(HELM) install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set licenseManager.licenseKey=+7BT76LNHCKLi3vW2mbYP5vYuS+Rm4XaLPu7k6Vgq4/efR3BEJk6Ru+zOFJagN2l0oLyG15qZ2kkXpzqaeEAal6APDLB7s3htLFeJ6mf0hc7/3dupUY13zrdX5svkS5p6BNKVisuXwK5XfF8sJyLn16I/CRdICj9fzktWQWYB5h46xOj5NlMPMj0/m6tCa3hIVJpB9Onkd4KMXlO+PQUbUwk/wxuciQkGwjbXQs+V9w0MuWMODpY0jGN1dgLNETI7mpS6G5DVvHkbAtrJ+gvG15aFFtKjgPInoemqxbhj2wzYue5pNSdHUZYE9b+LLlj
+
+##	@$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts
+##	@$(HELM) install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set image.tag=v1.10.0-n4k.nirmata.1 --set initImage.tag=v1.10.0-n4k.nirmata.1 --set cleanupController.image.tag=v1.10.0-n4k.nirmata.1
 
+    ### Adding temporary  installation command for the kyverno n4k 1.10
+	git clone -b kyverno-1.10-beta1 https://github.com/nirmata/kyverno-charts.git
+	@$(HELM) install kyverno ./kyverno-charts/charts/nirmata -n kyverno --create-namespace  --set licenseManager.licenseKey=+7BT76LNHCKLi3vW2mbYP5vYuS+Rm4XaLPu7k6Vgq4/efR3BEJk6Ru+zOFJagN2l0oLyG15qZ2kkXpzqaeEAal6APDLB7s3htLFeJ6mf0hc7/3dupUY13zrdX5svkS5p6BNKVisuXwK5XfF8sJyLn16I/CRdICj9fzktWQWYB5h46xOj5NlMPMj0/m6tCa3hIVJpB9Onkd4KMXlO+PQUbUwk/wxuciQkGwjbXQs+V9w0MuWMODpY0jGN1dgLNETI7mpS6G5DVvHkbAtrJ+gvG15aFFtKjgPInoemqxbhj2wzYue5pNSdHUZYE9b+LLlj
+
+##  @$(HELM) repo add nirmata https://nirmata.github.io/kyverno-charts
+##	@$(HELM) install kyverno --namespace kyverno --create-namespace nirmata/kyverno --set licenseManager.licenseKey=+7BT76LNHCKLi3vW2mbYP5vYuS+Rm4XaLPu7k6Vgq4/efR3BEJk6Ru+zOFJagN2l0oLyG15qZ2kkXpzqaeEAal6APDLB7s3htLFeJ6mf0hc7/3dupUY13zrdX5svkS5p6BNKVisuXwK5XfF8sJyLn16I/CRdICj9fzktWQWYB5h46xOj5NlMPMj0/m6tCa3hIVJpB9Onkd4KMXlO+PQUbUwk/wxuciQkGwjbXQs+V9w0MuWMODpY0jGN1dgLNETI7mpS6G5DVvHkbAtrJ+gvG15aFFtKjgPInoemqxbhj2wzYue5pNSdHUZYE9b+LLlj --set image.tag=v1.10.0-n4k.nirmata.1 --set initImage.tag=v1.10.0-n4k.nirmata.1 --set cleanupController.image.tag=v1.10.0-n4k.nirmata.1
 ## Check Kyverno status 
 .PHONY: wait-for-kyverno
 wait-for-kyverno: 

best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml

@@ -6,13 +6,14 @@ metadata:
     policies.kyverno.io/title: Disallow empty Ingress host
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Ingress
     policies.kyverno.io/description: >-
       An ingress resource needs to define an actual host name
       in order to be valid. This policy ensures that there is a
       hostname for each rule defined.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: false
   rules:
     - name: disallow-empty-ingress-host

best-practices/disallow-empty-ingress-host/e2e/03-enforce-policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: disallow-empty-ingress-host
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
 status:
   conditions:
   - reason: Succeeded

best-practices/disallow-empty-ingress-host/e2e/policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: disallow-empty-ingress-host
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
 status:
   conditions:
   - reason: Succeeded

best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml

@@ -7,14 +7,15 @@ metadata:
     policies.kyverno.io/category: Best Practices, EKS Best Practices
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/description: >-
       Container daemon socket bind mounts allows access to the container engine on the
       node. This access can be used for privilege escalation and to manage containers
       outside of Kubernetes, and hence should not be allowed. This policy validates that
       the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-docker-sock-mount

best-practices/disallow_cri_sock_mount/e2e/03-enforce-policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: disallow-container-sock-mounts
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
 status:
   conditions:
   - reason: Succeeded

best-practices/disallow_cri_sock_mount/e2e/policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: disallow-container-sock-mounts
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
 status:
   conditions:
   - reason: Succeeded

best-practices/disallow_default_namespace/disallow_default_namespace.yaml

@@ -5,6 +5,7 @@ metadata:
   annotations:
     pod-policies.kyverno.io/autogen-controllers: none
     policies.kyverno.io/title: Disallow Default Namespace
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/category: Multi-Tenancy
     policies.kyverno.io/severity: medium
@@ -18,7 +19,7 @@ metadata:
       due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
       object and not at the Pod template level.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-namespace

best-practices/disallow_default_namespace/e2e/03-enforce-policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: disallow-default-namespace
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
 status:
   conditions:
   - reason: Succeeded

best-practices/disallow_default_namespace/e2e/policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: disallow-default-namespace
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
 status:
   conditions:
   - reason: Succeeded

best-practices/disallow_latest_tag/disallow_latest_tag.yaml

@@ -7,13 +7,14 @@ metadata:
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/description: >-
       The ':latest' tag is mutable and can lead to unexpected errors if the
       image changes. A best practice is to use an immutable tag that maps to
       a specific version of an application Pod. This policy validates that the image
       specifies a tag and that it is not called `latest`.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: require-image-tag

best-practices/disallow_latest_tag/e2e/03-enforce-policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: disallow-latest-tag
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
 status:
   conditions:
   - reason: Succeeded

best-practices/disallow_latest_tag/e2e/policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: disallow-latest-tag
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
 status:
   conditions:
   - reason: Succeeded

best-practices/require_drop_all/e2e/03-enforce-policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: drop-all-capabilities
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
 status:
   conditions:
   - reason: Succeeded

best-practices/require_drop_all/e2e/policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: drop-all-capabilities
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
 status:
   conditions:
   - reason: Succeeded

best-practices/require_drop_all/require_drop_all.yaml

@@ -7,6 +7,7 @@ metadata:
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
     policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Capabilities permit privileged actions without giving full root access. All
@@ -15,7 +16,7 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: require-drop-all

best-practices/require_drop_cap_net_raw/e2e/03-enforce-policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: drop-cap-net-raw
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
 status:
   conditions:
   - reason: Succeeded

best-practices/require_drop_cap_net_raw/e2e/policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: drop-cap-net-raw
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
 status:
   conditions:
   - reason: Succeeded

best-practices/require_drop_cap_net_raw/require_drop_cap_net_raw.yaml

@@ -7,6 +7,7 @@ metadata:
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Capabilities permit privileged actions without giving full root access. The
@@ -16,7 +17,7 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: require-drop-cap-net-raw

best-practices/require_labels/e2e/03-enforce-policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: require-labels
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
 status:
   conditions:
   - reason: Succeeded

best-practices/require_labels/e2e/policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: require-labels
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
 status:
   conditions:
   - reason: Succeeded

best-practices/require_labels/require_labels.yaml

@@ -6,14 +6,15 @@ metadata:
     policies.kyverno.io/title: Require Labels
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod, Label
     policies.kyverno.io/description: >-
       Define and use labels that identify semantic attributes of your application or Deployment.
       A common set of labels allows tools to work collaboratively, describing objects in a common manner that
       all tools can understand. The recommended labels describe applications in a way that can be
       queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: check-for-labels

best-practices/require_pod_requests_limits/e2e/03-enforce-policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: require-requests-limits
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
 status:
   conditions:
   - reason: Succeeded

best-practices/require_pod_requests_limits/e2e/policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: require-requests-limits
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
 status:
   conditions:
   - reason: Succeeded

best-practices/require_pod_requests_limits/require_pod_requests_limits.yaml

@@ -8,6 +8,7 @@ metadata:
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/description: >-
       As application workloads share cluster resources, it is important to limit resources
       requested and consumed by each Pod. It is recommended to require resource requests and
@@ -16,7 +17,7 @@ metadata:
       This policy validates that all containers have something specified for memory and CPU
       requests and memory limits.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-resources

best-practices/require_probes/e2e/03-enforce-policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: require-pod-probes
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
 status:
   conditions:
   - reason: Succeeded

best-practices/require_probes/e2e/policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: require-pod-probes
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
 status:
   conditions:
   - reason: Succeeded

best-practices/require_probes/require_probes.yaml

@@ -7,6 +7,7 @@ metadata:
     policies.kyverno.io/title: Require Pod Probes
     policies.kyverno.io/category: Best Practices, EKS Best Practices
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Liveness and readiness probes need to be configured to correctly manage a Pod's
@@ -17,7 +18,7 @@ metadata:
       This policy validates that all containers have one of livenessProbe, readinessProbe,
       or startupProbe defined.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-probes

best-practices/require_ro_rootfs/e2e/03-enforce-policy-assert.yaml

@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: require-ro-rootfs
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
 status:
   conditions:
   - reason: Succeeded