diff --git a/test/bats/test.bats b/test/bats/test.bats
index 5e67e773e23..6c21060c04d 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -89,6 +89,21 @@ teardown_file() {
     kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/good/good_ns.yaml
     kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/bad/bad_ns.yaml
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding.yaml"
+
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label"
+
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml"
+
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label"
+
+    run kubectl apply -f ${BATS_TESTS_DIR}/bad/bad_ns.yaml
+    assert_match 'denied' "${output}"
+    assert_failure
+    kubectl apply -f ${BATS_TESTS_DIR}/good/good_ns.yaml
+    kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/good/good_ns.yaml
+    kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/bad/bad_ns.yaml
+
     wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template_vap.yaml"
   fi
 }
diff --git a/test/bats/tests/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml b/test/bats/tests/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml
new file mode 100644
index 00000000000..ec2b92ed8fe
--- /dev/null
+++ b/test/bats/tests/constraints/all_ns_must_have_label_provided_vapbinding_scoped.yaml
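Review bot: The `wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-all-must-have-label"` step only proves the generated binding object exists, not that the API server has finished compiling and is enforcing it, so the single `run kubectl apply -f ${BATS_TESTS_DIR}/bad/bad_ns.yaml` that follows can fail spuriously on a slow cluster; the deny check deserves the same retry treatment the rest of the hunk gives to its setup commands. Separately, `assert_match 'denied' "${output}"` is satisfied by any admission denial, so if the Gatekeeper webhook also evaluates this constraint the test would pass without ever exercising the `vap.k8s.io` enforcement point the scoped constraint targets — matching on a substring that identifies the ValidatingAdmissionPolicy in the error text would pin which component denied the request. The enclosing test body starts outside the hunk (the `teardown_file() {` in the hunk header is only git's nearest function-line match).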
@@ -0,0 +1,21 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabelsVap
+metadata:
+  name: all-must-have-label
+  labels:
+    "gatekeeper.sh/use-vap": "yes"
+spec:
+  enforcementAction: scoped
+  scopedEnforcementActions:
+  - action: deny
+    enforcementPoints:
+    - name: vap.k8s.io
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Namespace"]
+  parameters:
+    message: "All namespaces must have an `owner` label that points to your company username"
+    labels:
+      - key: owner
+        allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
diff --git a/test/gator/verify/constraint_with_scopedEA.yaml b/test/gator/verify/constraint_with_scopedEA.yaml
new file mode 100644
index 00000000000..fd067dd356e
--- /dev/null
+++ b/test/gator/verify/constraint_with_scopedEA.yaml
@@ -0,0 +1,19 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sFooIs
+metadata:
+  name: foo-is-bar
+spec:
+  enforcementAction: scoped
+  scopedEnforcementActions:
+  - action: deny
+    enforcementPoints:
+    - name: gator.gatekeeper.sh
+  - action: warn
+    enforcementPoints:
+    - name: validation.k8s.io
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["FooIsBar"]
+  parameters:
+    foo: "bar"
diff --git a/test/gator/verify/suite.yaml b/test/gator/verify/suite.yaml
index 6ec45b78873..e8d57f5a48a 100644
--- a/test/gator/verify/suite.yaml
+++ b/test/gator/verify/suite.yaml
@@ -13,3 +13,15 @@ tests:
   object: deny.yaml
   assertions:
   - violations: yes
+- name: foo-is-bar-with-scopedEA
+  template: template.yaml
+  constraint: constraint_with_scopedEA.yaml
+  cases:
+  - name: foo-bar
+    object: allow.yaml
+    assertions:
+    - violations: no
+  - name: foo-not-bar
+    object: deny.yaml
+    assertions:
+    - violations: yes
\ No newline at end of file
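Review bot: `allowedRegex: "^[a-zA-Z]+.agilebank.demo$"` leaves both dots unescaped, so the fixture accepts an owner value such as `alice-agilebank-demo` (constructed example) rather than only `<name>.agilebank.demo`, which makes the positive case this constraint is meant to drive weaker than the message text suggests. If the intent is to mirror the existing all_ns_must_have_label_provided_vapbinding.yaml fixture byte-for-byte this can stay, but otherwise `allowedRegex: '^[a-zA-Z]+\.agilebank\.demo$'` (single quotes so YAML keeps the backslashes) is what the label policy actually describes. Worth a one-line comment above the `labels:` entry either way, stating which behaviour the test relies on.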
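Review bot: The new suite entry `foo-is-bar-with-scopedEA` asserts exactly the outcomes already pinned by the unscoped `foo-is-bar` case above it, so a regression in which gator ignored `scopedEnforcementActions` entirely and applied every action would still pass; constraint_with_scopedEA.yaml only ever grants `deny` to `gator.gatekeeper.sh`, which is the result an unscoped constraint yields anyway. A third case built on a constraint whose `deny` is scoped only to `validation.k8s.io`, asserting `violations: no` against deny.yaml, would pin the enforcement-point filtering this fixture is presumably meant to exercise — assuming gator treats actions scoped to other points as not applicable, which the hunk does not show. Also, suite.yaml now ends without a trailing newline (`\ No newline at end of file`), which the previous revision had.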