fix acount>account typo in department label/tag and add test cases (#6)

* fix acount>account typo in department label/tag and add test cases

* bump version

infra/checkov/require-known-department-label/pass2.tf

@@ -0,0 +1,20 @@
+resource "aws_s3_bucket" "b" {
+  bucket = "my-tf-test-bucket"
+  tags = {
+    mycompany.com.department = "accounts"
+  }
+}
+
+resource "aws_ami" "example" {
+  name                = "terraform-example"
+  virtualization_type = "hvm"
+  root_device_name    = "/dev/xvda"
+  tags = {
+    mycompany.com.department = "accounts"
+  }
+  ebs_block_device {
+    device_name = "/dev/xvda"
+    snapshot_id = "snap-xxxxxxxx"
+    volume_size = 8
+  }
+}

infra/checkov/require-known-department-label/policy.yaml

@@ -20,7 +20,7 @@ definition:
       resource_types: "all"
       attribute: 'tags.mycompany.com.department'
       operator: "equals"
-      value: acounts
+      value: accounts
     - cond_type: "attribute"
       resource_types: "all"
       attribute: 'tags.mycompany.com.department'

kubernetes/kyverno/kustomization.yaml

@@ -1,10 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-nameSuffix: "-2.0.0"
+nameSuffix: "-2.1.0"
 
 commonLabels:
-  mycompany.com/policy-version: "2.0.0"
+  mycompany.com/policy-version: "2.1.0"
 
 resources:
   - require-department-label/policy.yaml

kubernetes/kyverno/require-department-label/fail0.yaml

@@ -3,7 +3,7 @@ kind: Pod
 metadata:
   name: require-department-label-fail0
   labels:
-    mycompany.com/policy-version: "2.0.0"
+    mycompany.com/policy-version: "2.1.0"
 spec:
   containers:
   - name: nginx

kubernetes/kyverno/require-department-label/pass0.yaml

@@ -4,7 +4,7 @@ metadata:
   name: require-department-label-pass0
   labels:
     mycompany.com/department: finance
-    mycompany.com/policy-version: "2.0.0"
+    mycompany.com/policy-version: "2.1.0"
 spec:
   containers:
   - name: nginx

kubernetes/kyverno/require-department-label/policy.yaml

@@ -39,7 +39,7 @@ spec:
             - "*"
           selector:
             matchLabels:
-              mycompany.com/policy-version: "2.0.0"
+              mycompany.com/policy-version: "2.1.0"
     validate:
       message: "The label `mycompany.com/department` is required."
       pattern:

kubernetes/kyverno/require-department-label/skip0.yaml

@@ -4,7 +4,7 @@ metadata:
   name: require-department-label-skip0
   labels:
     mycompany.com/require-department-label: exempt
-    mycompany.com/policy-version: "2.0.0"
+    mycompany.com/policy-version: "2.1.0"
 spec:
   containers:
   - name: nginx

kubernetes/kyverno/require-department-label/skip1.yaml

@@ -4,7 +4,7 @@ metadata:
   name: require-department-label-skip1
   namespace: kube-system
   labels:
-    mycompany.com/policy-version: "2.0.0"
+    mycompany.com/policy-version: "2.1.0"
 spec:
   containers:
   - name: nginx

kubernetes/kyverno/require-known-department-label/fail0.yaml

@@ -4,7 +4,7 @@ metadata:
   name: require-known-department-label-fail0
   labels:
     mycompany.com/department: nothr
-    mycompany.com/policy-version: "2.0.0"
+    mycompany.com/policy-version: "2.1.0"
 spec:
   containers:
   - name: nginx

kubernetes/kyverno/require-known-department-label/pass0.yaml

@@ -4,7 +4,7 @@ metadata:
   name: require-known-department-label-pass0
   labels:
     mycompany.com/department: hr
-    mycompany.com/policy-version: "2.0.0"
+    mycompany.com/policy-version: "2.1.0"
 spec:
   containers:
   - name: nginx

kubernetes/kyverno/require-known-department-label/pass1.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: require-known-department-label-pass1
+  labels:
+    mycompany.com/department: accounts
+    mycompany.com/policy-version: "2.1.0"
+spec:
+  containers:
+  - name: nginx
+    image: nginx

kubernetes/kyverno/require-known-department-label/policy.yaml

@@ -39,10 +39,10 @@ spec:
             - "*"
           selector:
             matchLabels:
-              mycompany.com/policy-version: "2.0.0"
+              mycompany.com/policy-version: "2.1.0"
     validate:
-      message: "The label `mycompany.com/department` is required to be one of [tech|acounts|servicedesk|hr]"
+      message: "The label `mycompany.com/department` is required to be one of [tech|accounts|servicedesk|hr]"
       pattern:
         metadata:
           labels:
-            "mycompany.com/department": "tech|acounts|servicedesk|hr"
+            "mycompany.com/department": "tech|accounts|servicedesk|hr"

kubernetes/kyverno/require-known-department-label/skip0.yaml

@@ -4,7 +4,7 @@ metadata:
   name: require-known-department-label-skip0
   labels:
     mycompany.com/require-known-department-label: exempt
-    mycompany.com/policy-version: "2.0.0"
+    mycompany.com/policy-version: "2.1.0"
 spec:
   containers:
   - name: nginx

kubernetes/kyverno/require-known-department-label/skip1.yaml

@@ -4,7 +4,7 @@ metadata:
   name: require-known-department-label-skip1
   namespace: kube-system
   labels:
-    mycompany.com/policy-version: "2.0.0"
+    mycompany.com/policy-version: "2.1.0"
 spec:
   containers:
   - name: nginx

kubernetes/kyverno/require-known-department-label/test.yaml

@@ -6,6 +6,7 @@ policies:
 resources:
   - fail0.yaml
   - pass0.yaml
+  - pass1.yaml
   - skip0.yaml
   - skip1.yaml
 
@@ -20,6 +21,11 @@ results:
   resource: require-known-department-label-pass0
   kind: Pod
   result: pass
+- policy: require-known-department-label
+  rule: require-known-department-label
+  resource: require-known-department-label-pass1
+  kind: Pod
+  result: pass
 - policy: require-known-department-label
   rule: require-known-department-label
   resource: require-known-department-label-skip0