adding tests

Signed-off-by: Jaydip Gabani <[email protected]>
JaydipGabani · Apr 16, 2024 · abdfc90 · abdfc90
1 parent 3fe14b6
commit abdfc90
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 0 deletions.
diff --git a/test/bats/test.bats b/test/bats/test.bats
@@ -89,6 +89,21 @@ teardown_file() {
     kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/good/good_ns.yaml
     kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/bad/bad_ns.yaml
 
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding.yaml"
+
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label"
+
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml"
+
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label"
+
+    run kubectl apply -f ${BATS_TESTS_DIR}/bad/bad_ns.yaml
+    assert_match 'denied' "${output}"
+    assert_failure
+    kubectl apply -f ${BATS_TESTS_DIR}/good/good_ns.yaml
+    kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/good/good_ns.yaml
+    kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/bad/bad_ns.yaml
+
     wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
   fi
 }

diff --git a/test/bats/tests/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml b/test/bats/tests/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml
@@ -0,0 +1,21 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabelsVap
+metadata:
+  name: all-must-have-label
+  labels:
+    "gatekeeper.sh/use-vap": "yes"
+spec:
+  enforcementAction: scoped
+  scopedEnforcementActions:
+  - action: deny
+    enforcementPoints:
+    - name: vap.k8s.io
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Namespace"]
+  parameters:
+    message: "All namespaces must have an `owner` label that points to your company username"
+    labels:
+      - key: owner
+        allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
diff --git a/test/gator/verify/constraint_with_scopedEA.yaml b/test/gator/verify/constraint_with_scopedEA.yaml
@@ -0,0 +1,19 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sFooIs
+metadata:
+  name: foo-is-bar
+spec:
+  enforcementAction: scoped
+  scopedEnforcementActions:
+  - action: deny
+    enforcementPoints:
+    - name: gator.gatekeeper.sh
+  - action: warn
+    enforcementPoints:
+    - name: validation.k8s.io
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["FooIsBar"]
+  parameters:
+    foo: "bar"
diff --git a/test/gator/verify/suite.yaml b/test/gator/verify/suite.yaml
@@ -13,3 +13,15 @@ tests:
     object: deny.yaml
     assertions:
     - violations: yes
+- name: foo-is-bar-with-scopedEA
+  template: template.yaml
+  constraint: constraint_with_scopedEA.yaml
+  cases:
+  - name: foo-bar
+    object: allow.yaml
+    assertions:
+    - violations: no
+  - name: foo-not-bar
+    object: deny.yaml
+    assertions:
+    - violations: yes