diff --git a/Makefile b/Makefile index 1ab1df59..1402dfe7 100644 --- a/Makefile +++ b/Makefile @@ -75,7 +75,7 @@ e2e.local: helm.install.local e2e.quick e2e.local.ics: helm.install.local e2e.quick.ics -e2e.quick: e2e.quick.trust.imagepolicy e2e.quick.trust.clusterimagepolicy e2e.quick.wildcards e2e.quick.generic e2e.quick.simple.imagepolicy e2e.quick.vulnerability +e2e.quick: e2e.quick.trust.imagepolicy e2e.quick.trust.clusterimagepolicy e2e.quick.wildcards e2e.quick.generic e2e.quick.simple.imagepolicy e2e.quick.simple.clusterimagepolicy e2e.quick.ics: e2e.quick.trust.imagepolicy e2e.quick.trust.clusterimagepolicy e2e.quick.armada e2e.quick.wildcards e2e.quick.generic e2e.quick.simple.imagepolicy -kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' ) @@ -99,16 +99,17 @@ e2e.quick.generic: go test -v ./test/e2e --no-install --generic -kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' ) +e2e.quick.simple.clusterimagepolicy: + go test -v ./test/e2e --no-install --simple-cluster-image-policy + -kubectl delete namespace secretnamespace + -kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' ) + e2e.quick.simple.imagepolicy: -kubectl delete namespace secretnamespace go test -v ./test/e2e --no-install --simple-image-policy -kubectl delete namespace secretnamespace -kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' ) -e2e.quick.vulnerability: - go test -v ./test/e2e --no-install --vulnerability - -kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' ) - e2e.clean: helm.clean .PHONY: code-generator regenerate 
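Review bot: The new `e2e.quick.simple.clusterimagepolicy` target in the second hunk only removes `secretnamespace` after `go test`, whereas the `e2e.quick.simple.imagepolicy` target directly below it also deletes that namespace beforehand; a `secretnamespace` left behind by an interrupted run would likely make the "secret namespace override" case fail at namespace creation instead of on the policy under test. Mirror the sibling by adding `-kubectl delete namespace secretnamespace` before the `go test -v ./test/e2e --no-install --simple-cluster-image-policy` line. In the first hunk `e2e.quick` gains the new target but the `e2e.quick.ics` list on the context line is left as is, so the IBM Cloud variant does not exercise cluster-scoped simple signing; that may be intended but is worth confirming.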
diff --git a/scripts/install-on-docker b/scripts/install-on-docker index 7da3eeac..247dd070 100755 --- a/scripts/install-on-docker +++ b/scripts/install-on-docker @@ -5,7 +5,7 @@ kubectl create secret docker-registry ${PULLSECRET} --docker-username iamapikey --docker-password "${PORTIERIS_PULL_APIKEY}" --docker-server ${REG} # make a secret that e2e tests can use to pull test images, do notary and get va results # e2e tests copy this to the test namespaces -kubectl create secret docker-registry all-icr-io --docker-username iamapikey --docker-password "${PORTIERIS_TESTIMAGE_APIKEY}" --docker-server de.icr.io +kubectl create secret docker-registry all-icr-io --docker-username iamapikey --docker-password "${PORTIERIS_TESTIMAGE_APIKEY}" --docker-server icr.io kubectl create ns portieris kubectl get secret ${PULLSECRET} -o yaml | sed 's/namespace: default/namespace: portieris/' | kubectl create -f - diff --git a/test/e2e/main_test.go b/test/e2e/main_test.go index 2d6cc42d..b7db7b27 100644 --- a/test/e2e/main_test.go +++ b/test/e2e/main_test.go @@ -1,4 +1,4 @@ -// Copyright 2018,2021 Portieris Authors. +// Copyright 2018,2023 Portieris Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -32,7 +32,7 @@ var ( noInstall bool - testTrustImagePolicy, testTrustClusterImagePolicy, testArmada, testVAImagePolicy, testVAClusterImagePolicy, testWildcardImagePolicy, testGeneric, testSimpleImagePolicy, testVulnerability bool + testTrustImagePolicy, testTrustClusterImagePolicy, testArmada, testVAImagePolicy, testWildcardImagePolicy, testGeneric, testSimpleImagePolicy, testSimpleClusterImagePolicy bool ) const ( 
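Review bot: The context comment kept above the changed line still says the `all-icr-io` secret is used to "do notary and get va results", while this commit removes the vulnerability (VA) tests from `main_test.go` and the Makefile; change it to `# make a secret that e2e tests can use to pull test images and do notary` so the script does not describe a capability the suite no longer exercises. Moving `--docker-server` from `de.icr.io` to `icr.io` also means the pull secret only matches the global registry host, so every test deployment manifest must reference `icr.io`; that cannot be confirmed from this diff.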
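Review bot: `testVAImagePolicy` survives in the rewritten `var (` line of `main_test.go` even though the later hunk at `@@ -47,12 +47,10 @@` deletes the `flag.BoolVar(&testVAImagePolicy, "va-image-policy", ...)` that set it, so it is now a package-level bool that is always false; any test still gated on `utils.CheckIfTesting(t, testVAImagePolicy)` would skip forever instead of failing loudly. Either drop `testVAImagePolicy` from the declaration together with `testVAClusterImagePolicy` and `testVulnerability`, or keep its flag. The `var (` block starts before the hunk.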
@@ -47,12 +47,10 @@ func TestMain(m *testing.M) {
 flag.BoolVar(&testTrustImagePolicy, "trust-image-policy", false, "runs trust tests for image policies")
 flag.BoolVar(&testTrustClusterImagePolicy, "trust-cluster-image-policy", false, "runs trust tests for cluster image policies")
 flag.BoolVar(&testArmada, "armada", false, "runs tests for Armada based installation")
- flag.BoolVar(&testVAImagePolicy, "va-image-policy", false, "runs va tests for image policies")
- flag.BoolVar(&testVAClusterImagePolicy, "va-cluster-image-policy", false, "runs va tests for cluster image policies")
 flag.BoolVar(&testWildcardImagePolicy, "wildcards-image-policy", false, "runs tests for wildcards in image policies")
 flag.BoolVar(&testGeneric, "generic", false, "runs generic enforment tests")
 flag.BoolVar(&testSimpleImagePolicy, "simple-image-policy", false, "runs tests for simple signing policies")
- flag.BoolVar(&testVulnerability, "vulnerability", false, "runs tests for vulnerability enforcement")
+ flag.BoolVar(&testSimpleClusterImagePolicy, "simple-cluster-image-policy", false, "runs tests for simple signing policies")
 flag.Parse()
diff --git a/test/e2e/notary.ibm.clusterimagepolicy_test.go b/test/e2e/notary.ibm.clusterimagepolicy_test.go
index 8d80dece..d6e42cd4 100644
--- a/test/e2e/notary.ibm.clusterimagepolicy_test.go
+++ b/test/e2e/notary.ibm.clusterimagepolicy_test.go
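Review bot: The usage string on the added `simple-cluster-image-policy` flag is a verbatim copy of the `simple-image-policy` one, so the flag help lists two switches with the identical text `"runs tests for simple signing policies"` and nothing tells the operator which scope each covers. Change the added line to `flag.BoolVar(&testSimpleClusterImagePolicy, "simple-cluster-image-policy", false, "runs tests for simple signing cluster image policies")`. `TestMain` starts and ends outside the hunk.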
@@ -20,93 +20,6 @@ import ( "github.com/IBM/portieris/test/e2e/utils" ) -func TestNotary_ClusterImagePolicyRepositories_AllowAllDenyAll(t *testing.T) { - utils.CheckIfTesting(t, testTrustClusterImagePolicy) - if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil { - defer framework.CreateClusterImagePolicy(defaultClusterPolicy) - } - - t.Run("Allow all images", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-all.yaml") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Deny all images when no cluster image policy is present", func(t *testing.T) { - namespace, err := framework.CreateNamespaceWithIPS("deny-all") - if err != nil { - t.Fatalf("error creating deny-all namespace: %v", err) - } - defer framework.DeleteNamespace(namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - }) -} - -func TestNotary_ClusterImagePolicyRepositories_BasicTrust(t *testing.T) { - utils.CheckIfTesting(t, testTrustClusterImagePolicy) - if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil { - defer framework.CreateClusterImagePolicy(defaultClusterPolicy) - } - - t.Run("Allow signed images when trust enabled", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Deny unsigned images when 
trust enabled", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml") - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) -} - -func TestNotary_ClusterImagePolicyRepositories_TrustPinning(t *testing.T) { - utils.CheckIfTesting(t, testTrustClusterImagePolicy) - if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil { - defer framework.CreateClusterImagePolicy(defaultClusterPolicy) - } - - t.Run("Allow images signed by the correct single signer when trust enabled", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-signer1.yaml") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Allow images signed the correct multiple signers and when trust enabled", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-multi.yaml") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-multisigned.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Deny images signed by the wrong signer when trust enabled", func(t 
*testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-signer2.yaml") - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Deny images signed by a single signer when multiple are required when trust enabled", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-multi.yaml") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) -} - -func TestNotary_ClusterImagePolicyRepositories_TrustPinningMultiContainers(t *testing.T) { - utils.CheckIfTesting(t, testTrustClusterImagePolicy) - t.Run("Allow when both containers fulfill the policy", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-signed.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) - t.Run("Deny when one container fails to fulfill the policy", func(t *testing.T) { - clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml") - utils.TestDeploymentNotRunnable(t, framework, 
"./testdata/deployment/global-nginx-signed-unsigned.yaml", namespace.Name) - utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name) - }) -} - // Temporary check until other registries are supported. func TestNotary_ClusterImagePolicyRepositories_ThirdPartyTrust(t *testing.T) { utils.CheckIfTesting(t, testTrustClusterImagePolicy) diff --git a/test/e2e/notary.ibm.imagepolicy_test.go b/test/e2e/notary.ibm.imagepolicy_test.go index 5a5cd274..706f841f 100644 --- a/test/e2e/notary.ibm.imagepolicy_test.go +++ b/test/e2e/notary.ibm.imagepolicy_test.go 
@@ -20,96 +20,6 @@ import ( "github.com/IBM/portieris/test/e2e/utils" ) -func TestNotary_ImagePolicyRepositories_AllowAllDenyAll(t *testing.T) { - utils.CheckIfTesting(t, testTrustImagePolicy) - if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil { - defer framework.CreateClusterImagePolicy(defaultClusterPolicy) - } - - t.Run("Allow all images", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-all.yaml", "") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Deny all images when no image policy is present", func(t *testing.T) { - t.Parallel() - namespace, err := framework.CreateNamespaceWithIPS("deny-all") - if err != nil { - t.Fatalf("error creating deny-all namespace: %v", err) - } - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - -} - -func TestNotary_ImagePolicyRepositories_BasicTrust(t *testing.T) { - utils.CheckIfTesting(t, testTrustImagePolicy) - t.Run("Allow signed images when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Deny unsigned images when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "") - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name) - 
utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) -} - -func TestNotary_ImagePolicyRepositories_TrustPinning(t *testing.T) { - utils.CheckIfTesting(t, testTrustImagePolicy) - t.Run("Allow images signed by the correct single signer when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/pinned-signer1.yaml", "") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Allow images signed the correct multiple signers and when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/pinned-multi.yaml", "") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-multisigned.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Deny images signed by the wrong signer when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/pinned-signer2.yaml", "") - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Deny images signed by a single signer when multiple are required when trust enabled", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, 
"./testdata/imagepolicy/pinned-multi.yaml", "") - utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name) - utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) -} - -func TestNotary_ImagePolicyRepositories_TrustPinningMultiContainers(t *testing.T) { - utils.CheckIfTesting(t, testTrustImagePolicy) - t.Run("Allow when both containers fulfill the policy", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-signed.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) - t.Run("Deny when one container fails to fulfill the policy", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "") - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed-unsigned.yaml", namespace.Name) - utils.CleanUpImagePolicyTest(t, framework, namespace.Name) - }) -} - // Temporary check until other registries are supported. func TestNotary_ImagePolicyRepositories_ThirdPartyTrust(t *testing.T) { utils.CheckIfTesting(t, testTrustImagePolicy) diff --git a/test/e2e/policy.generic_test.go b/test/e2e/policy.generic_test.go index fb292305..68c8f5bf 100644 --- a/test/e2e/policy.generic_test.go +++ b/test/e2e/policy.generic_test.go @@ -1,4 +1,4 @@ -// Copyright 2018, 2021 Portieris Authors. +// Copyright 2018, 2023 Portieris Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -26,12 +26,14 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on Deployment", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Policy enforced on DaemonSet", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestDaemonSetRunnable(t, framework, "./testdata/daemonset/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -39,6 +41,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on ReplicaSet", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestReplicaSetRunnable(t, framework, "./testdata/replicaset/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
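Review bot: The same `utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)` line is pasted into every subtest of this hunk and of the later hunks in the file (`@@ -39`, `@@ -46`, `@@ -53`, `@@ -60`, `@@ -67`, `@@ -74`, `@@ -254`, `@@ -283`, `@@ -295`); a small wrapper that creates the namespace and installs the key, or an option on `CreateImagePolicyInstalledNamespace`, would keep the fixture in one place the next time the key file or secret name changes. In the `@@ -254` hunk the secret is also added to the case that starts from `allow-all.yaml` with an unsigned image, where no signature is verified, so it looks like dead setup there unless the later switch to a deny policy depends on it. `Test_JobTypesSuccess` starts before the first hunk.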
@@ -46,6 +49,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on ReplicationController", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestReplicationControllerRunnable(t, framework, "./testdata/replicationcontroller/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -53,6 +57,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on Pod", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestPodRunnable(t, framework, "./testdata/pod/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -60,6 +65,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on StatefulSet", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestStatefulSetRunnable(t, framework, "./testdata/statefulset/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -67,6 +73,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on Job", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestJobRunnable(t, framework, "./testdata/job/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -74,6 +81,7 @@ func Test_JobTypesSuccess(t *testing.T) {
 t.Run("Policy enforced on CronJob", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 utils.TestCronJobRunnable(t, framework, "./testdata/cronjob/global-nginx-signed.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
@@ -254,6 +262,7 @@ func Test_OperationsSucces(t *testing.T) {
 t.Parallel()
 // Create a namespace and policy to allow all.
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-all.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 // Start the deployment.
 deploymentName := utils.TestStartDeployNoDelete(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
 // Change the policy to deny.
@@ -283,6 +292,7 @@ func Test_OperationsSucces(t *testing.T) {
 }`
 // Create a namespace and policy to allow all.
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 // Start the deployment.
 deploymentName := utils.TestStartDeployNoDelete(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
 // Change the policy to deny.
@@ -295,6 +305,7 @@ func Test_OperationsSucces(t *testing.T) {
 t.Parallel()
 // Create a namespace and policy to allow all.
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/sh.pubkey.yaml", namespace.Name)
 // Start the deployment.
 _ = utils.TestStartDeployNoDelete(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
 // Change the policy to deny.
diff --git a/test/e2e/simple.clusterimagepolicy_test.go b/test/e2e/simple.clusterimagepolicy_test.go
new file mode 100644
index 00000000..affa1df0
--- /dev/null
+++ b/test/e2e/simple.clusterimagepolicy_test.go
@@ -0,0 +1,120 @@
+// Copyright 2018, 2023 Portieris Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package e2e
+
+import (
+ "testing"
+
+ "github.com/IBM/portieris/test/e2e/utils"
+)
+
+func TestSimple_ClusterImagePolicyRepositories_AllowAllDenyAll(t *testing.T) {
+ utils.CheckIfTesting(t, testSimpleClusterImagePolicy)
+ if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil {
+ defer framework.CreateClusterImagePolicy(defaultClusterPolicy)
+ }
+
+ t.Run("Allow all images", func(t *testing.T) {
+ clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-all.yaml")
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
+ utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
+ })
+ t.Run("Deny all images when no cluster image policy is present", func(t *testing.T) {
+ namespace, err := framework.CreateNamespaceWithIPS("deny-all")
+ if err != nil {
+ t.Fatalf("error creating deny-all namespace: %v", err)
+ }
+ defer framework.DeleteNamespace(namespace.Name)
+ utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
+ })
+}
+
+func TestSimple_ClusterImagePolicyRepositories_Basic(t *testing.T) {
+ utils.CheckIfTesting(t, testSimpleClusterImagePolicy)
+ t.Run("Allow images signed by the correct single simple signer", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby1.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images signed the correct multiple simple signers", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby2.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images signed the correct multiple simple signers with no mutation", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby2-nomutate.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifyNoSha)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images signed the correct multiple simple signers with explicit mutation", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby2-mutate.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images signed by the correct single simple signer with a secret namespace override", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby1-keysecret-namespace-override.yaml", "secretnamespace")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Deny images signed by the wrong single simple signer", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby1.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-another.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Deny images signed by a single simple signer when multiple are required", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby2.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
+ utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-another.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images matched with remapIdentity policy", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/clusterimagepolicy/simple-remap.yaml", "")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-remapped.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images without a pullSecret", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespaceNoSecrets(t, framework, "./testdata/clusterimagepolicy/simple-accept-anything.yaml")
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-another.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/dockerhub-nginx-unsigned.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+ t.Run("Allow images which require a signature without a pullSecret", func(t *testing.T) {
+ t.Parallel()
+ namespace := utils.CreateImagePolicyInstalledNamespaceNoSecrets(t, framework, "./testdata/clusterimagepolicy/simple-signedby1.yaml")
+ utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name)
+ utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
+ })
+}
diff --git a/test/e2e/simple.imagePolicy_test.go b/test/e2e/simple.imagePolicy_test.go
index 119c25d0..ae96e1dd 100644
--- a/test/e2e/simple.imagePolicy_test.go
+++ b/test/e2e/simple.imagePolicy_test.go
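Review bot: `TestSimple_ClusterImagePolicyRepositories_Basic` installs each `./testdata/clusterimagepolicy/*.yaml` through `utils.CreateImagePolicyInstalledNamespace` / `CreateImagePolicyInstalledNamespaceNoSecrets` and tears down with `utils.CleanUpImagePolicyTest`, the namespaced ImagePolicy helpers, while `TestSimple_ClusterImagePolicyRepositories_AllowAllDenyAll` a few lines above uses `utils.CreateClusterImagePolicyAndNamespace` and `utils.CleanUpClusterImagePolicyTest` for the same kind of testdata. If the helper applies the manifest as a namespaced ImagePolicy, the cluster-scoped policy is never what gets enforced; if it creates a ClusterImagePolicy, the ten `t.Parallel()` subtests share a single cluster-wide policy set, cleanup deletes only the namespace, and the `default` ClusterImagePolicy is neither saved nor restored as it is in the first test (and a deferred restore would not help here, because parallel subtests run after the parent function returns). Switch to the cluster helpers, drop `t.Parallel()`, and add the `default` save/restore as below; the `secretnamespace` override and the two no-pull-secret cases need cluster-scoped equivalents of the helpers that take those extra arguments, which this diff does not show.

```go
func TestSimple_ClusterImagePolicyRepositories_Basic(t *testing.T) {
	utils.CheckIfTesting(t, testSimpleClusterImagePolicy)
	if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil {
		defer framework.CreateClusterImagePolicy(defaultClusterPolicy)
	}
	t.Run("Allow images signed by the correct single simple signer", func(t *testing.T) {
		// No t.Parallel(): a ClusterImagePolicy is not namespaced, so subtests must not overlap.
		clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/simple-signedby1.yaml")
		utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name)
		utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
	})
	// … unchanged in shape: the remaining subtests, converted the same way …
}
```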
@@ -1,4 +1,4 @@
-// Copyright 2020, 2021 Portieris Authors.
+// Copyright 2020, 2023 Portieris Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -49,7 +49,7 @@ func TestSimple_ImagePolicyRepositories_Basic(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/simple-signedby1.yaml", "")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Allow images signed the correct multiple simple signers", func(t *testing.T) {
@@ -57,7 +57,7 @@ func TestSimple_ImagePolicyRepositories_Basic(t *testing.T) {
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/simple-signedby2.yaml", "")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
 utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name, utils.VerifySha)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Allow images signed the correct multiple simple signers with no mutation", func(t *testing.T) {
@@ -65,7 +65,7 @@ func TestSimple_ImagePolicyRepositories_Basic(t *testing.T) {
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/simple-signedby2-nomutate.yaml", "")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
 utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name, utils.VerifyNoSha)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifyNoSha)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Allow images signed the correct multiple simple signers with explicit mutation", func(t *testing.T) {
@@ -73,14 +73,14 @@ func TestSimple_ImagePolicyRepositories_Basic(t *testing.T) {
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/simple-signedby2-mutate.yaml", "")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
 utils.CreateSecret(t, framework, "./testdata/secret/simple2pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name, utils.VerifySha)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Allow images signed by the correct single simple signer with a secret namespace override", func(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/simple-signedby1-keysecret-namespace-override.yaml", "secretnamespace")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name, utils.VerifySha)
+ utils.TestDeploymentRunnableCheck(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name, utils.VerifySha)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 t.Run("Deny images signed by the wrong single simple signer", func(t *testing.T) {
@@ -116,7 +116,7 @@ func TestSimple_ImagePolicyRepositories_Basic(t *testing.T) {
 t.Parallel()
 namespace := utils.CreateImagePolicyInstalledNamespaceNoSecrets(t, framework, "./testdata/imagepolicy/simple-signedby1.yaml")
 utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name)
- utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-simple.yaml", namespace.Name)
+ utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-free.yaml", namespace.Name)
 utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
 })
 }
diff --git a/test/e2e/testdata/clusterimagepolicy/allow-signed.yaml b/test/e2e/testdata/clusterimagepolicy/allow-signed.yaml
index a27087a2..ef20a938 100644
--- a/test/e2e/testdata/clusterimagepolicy/allow-signed.yaml
+++ b/test/e2e/testdata/clusterimagepolicy/allow-signed.yaml
@@ -6,6 +6,7 @@ spec:
 repositories:
 - name: "de.icr.io/testing-authn/nginx"
 policy:
- trust:
- trustServer: "https://notary.de.icr.io"
- enabled: true
+ simple:
+ requirements:
+ - type: "signedBy"
+ keySecret: simple1pubkey
diff --git a/test/e2e/testdata/clusterimagepolicy/pinned-multi.yaml b/test/e2e/testdata/clusterimagepolicy/pinned-multi.yaml
deleted file mode 100644
index 198fde07..00000000
--- a/test/e2e/testdata/clusterimagepolicy/pinned-multi.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: portieris.cloud.ibm.com/v1
-kind: ClusterImagePolicy
-metadata:
- name: pinned-multi
-spec:
- repositories:
- - name: "de.icr.io/testing-authn/nginx"
- policy:
- trust:
- enabled: true
- trustServer: "https://notary.de.icr.io"
- signerSecrets:
- - name: signer1pubkey
- - name: signer2pubkey
diff --git a/test/e2e/testdata/clusterimagepolicy/pinned-signer1.yaml b/test/e2e/testdata/clusterimagepolicy/pinned-signer1.yaml
deleted file mode 100644
index 7f589c27..00000000
--- a/test/e2e/testdata/clusterimagepolicy/pinned-signer1.yaml
+++ /dev/null
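Review bot: The repository pattern in `clusterimagepolicy/allow-signed.yaml` is still `de.icr.io/testing-authn/nginx`, while this same change moves every workload fixture to `icr.io/portieris-authn/nginx:signed`/`:unsigned` and updates the sibling `imagepolicy/allow-signed.yaml` to `icr.io/portieris-authn/nginx`. A cluster policy that matches none of the test images is never exercised, so the `signedBy` requirement added here cannot produce an allow or deny the suite would notice; change the line to `- name: "icr.io/portieris-authn/nginx"`. Because the policy now depends on `keySecret: simple1pubkey`, whichever test installs it must also create that Secret where the cluster policy resolves it; that test is not visible from this hunk.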
@@ -1,13 +0,0 @@
-apiVersion: portieris.cloud.ibm.com/v1
-kind: ClusterImagePolicy
-metadata:
- name: pinned-signer1
-spec:
- repositories:
- - name: "de.icr.io/testing-authn/nginx"
- policy:
- trust:
- enabled: true
- trustServer: "https://notary.de.icr.io"
- signerSecrets:
- - name: signer1pubkey
diff --git a/test/e2e/testdata/clusterimagepolicy/pinned-signer2.yaml b/test/e2e/testdata/clusterimagepolicy/pinned-signer2.yaml
deleted file mode 100644
index a19dcbe5..00000000
--- a/test/e2e/testdata/clusterimagepolicy/pinned-signer2.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: portieris.cloud.ibm.com/v1
-kind: ClusterImagePolicy
-metadata:
- name: pinned-signer2
-spec:
- repositories:
- - name: "de.icr.io/testing-authn/nginx"
- policy:
- trust:
- enabled: true
- trustServer: "https://notary.de.icr.io"
- signerSecrets:
- - name: signer2pubkey
diff --git a/test/e2e/testdata/clusterimagepolicy/simple-accept-anything.yaml b/test/e2e/testdata/clusterimagepolicy/simple-accept-anything.yaml
new file mode 100644
index 00000000..515aa520
--- /dev/null
+++ b/test/e2e/testdata/clusterimagepolicy/simple-accept-anything.yaml
@@ -0,0 +1,11 @@
+apiVersion: portieris.cloud.ibm.com/v1
+kind: ClusterImagePolicy
+metadata:
+ name: simple-accept-anything
+spec:
+ repositories:
+ - name: "*"
+ policy:
+ simple:
+ requirements:
+ - type: "insecureAcceptAnything"
diff --git a/test/e2e/testdata/clusterimagepolicy/simple-remap.yaml b/test/e2e/testdata/clusterimagepolicy/simple-remap.yaml
new file mode 100644
index 00000000..e6c1b81b
--- /dev/null
+++ b/test/e2e/testdata/clusterimagepolicy/simple-remap.yaml
@@ -0,0 +1,16 @@
+apiVersion: portieris.cloud.ibm.com/v1
+kind: ClusterImagePolicy
+metadata:
+ name: simple-remap
+spec:
+ repositories:
+ - name: "icr.io/cise/*"
+ policy:
+ simple:
+ requirements:
+ - type: "signedBy"
+ keySecret: simple1pubkey
+ signedIdentity:
+ type: "remapIdentity"
+ prefix: "icr.io/cise/remap"
+ signedPrefix: "icr.io/cise"
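Review bot: `simple-accept-anything.yaml` is a cluster-scoped policy with `name: "*"` and `insecureAcceptAnything`, so for as long as it is installed it admits every image in every namespace, not only the one the test creates. The test that loads it (visible earlier in this diff) runs under `t.Parallel()` alongside denial tests, so if both policies are live at once a denial could be masked; how `CreateImagePolicyInstalledNamespaceNoSecrets` scopes a ClusterImagePolicy is not visible here, so please confirm rather than assume. A header comment would also keep the file from being copied into a real cluster: `# TEST FIXTURE ONLY: admits any image from any registry; never apply outside the e2e suite.`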
diff --git a/test/e2e/testdata/clusterimagepolicy/simple-signedby1-keysecret-namespace-override.yaml b/test/e2e/testdata/clusterimagepolicy/simple-signedby1-keysecret-namespace-override.yaml
new file mode 100644
index 00000000..3b112916
--- /dev/null
+++ b/test/e2e/testdata/clusterimagepolicy/simple-signedby1-keysecret-namespace-override.yaml
@@ -0,0 +1,16 @@
+apiVersion: portieris.cloud.ibm.com/v1
+kind: ClusterImagePolicy
+metadata:
+ name: simple-signedby1
+spec:
+ repositories:
+ - name: "icr.io/cise/*"
+ policy:
+ simpleStore:
+ url: "https://foo.com/x"
+ auth: storesecret
+ simple:
+ requirements:
+ - type: "signedBy"
+ keySecret: simple1pubkey
+ keySecretNamespace: secretnamespace
diff --git a/test/e2e/testdata/clusterimagepolicy/simple-signedby1.yaml b/test/e2e/testdata/clusterimagepolicy/simple-signedby1.yaml
new file mode 100644
index 00000000..65f20689
--- /dev/null
+++ b/test/e2e/testdata/clusterimagepolicy/simple-signedby1.yaml
@@ -0,0 +1,15 @@
+apiVersion: portieris.cloud.ibm.com/v1
+kind: ClusterImagePolicy
+metadata:
+ name: simple-signedby1
+spec:
+ repositories:
+ - name: "icr.io/cise/*"
+ policy:
+ simpleStore:
+ url: "https://foo.com/x"
+ auth: storesecret
+ simple:
+ requirements:
+ - type: "signedBy"
+ keySecret: simple1pubkey
diff --git a/test/e2e/testdata/clusterimagepolicy/simple-signedby2-mutate.yaml b/test/e2e/testdata/clusterimagepolicy/simple-signedby2-mutate.yaml
new file mode 100644
index 00000000..102a4a71
--- /dev/null
+++ b/test/e2e/testdata/clusterimagepolicy/simple-signedby2-mutate.yaml
@@ -0,0 +1,15 @@
+apiVersion: portieris.cloud.ibm.com/v1
+kind: ClusterImagePolicy
+metadata:
+ name: simple-signedby2-mutate
+spec:
+ repositories:
+ - name: "icr.io/cise/*"
+ policy:
+ mutateImage: true
+ simple:
+ requirements:
+ - type: "signedBy"
+ keySecret: simple1pubkey
+ - type: "signedBy"
+ keySecret: simple2pubkey
\ No newline at end of file
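Review bot: `metadata.name` in `simple-signedby1-keysecret-namespace-override.yaml` is `simple-signedby1`, the same name as the `simple-signedby1.yaml` fixture added in the next hunk; ClusterImagePolicy is cluster-scoped, so two tests installing these concurrently (the new tests run under `t.Parallel()`) will either fail on create or silently run against the other test's policy. Give the fixture its own name, `name: simple-signedby1-keysecret-namespace-override`, as every other file here names the object after the file. Both files also set `simpleStore.url: "https://foo.com/x"` with `auth: storesecret`; if the signature store is actually consulted, the test depends on a third-party domain the project does not control, and if it is not, a comment should say why the placeholder is present.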
diff --git a/test/e2e/testdata/clusterimagepolicy/simple-signedby2-nomutate.yaml b/test/e2e/testdata/clusterimagepolicy/simple-signedby2-nomutate.yaml
new file mode 100644
index 00000000..0411c641
--- /dev/null
+++ b/test/e2e/testdata/clusterimagepolicy/simple-signedby2-nomutate.yaml
@@ -0,0 +1,15 @@
+apiVersion: portieris.cloud.ibm.com/v1
+kind: ClusterImagePolicy
+metadata:
+ name: simple-signedby2-nomutate
+spec:
+ repositories:
+ - name: "icr.io/cise/*"
+ policy:
+ mutateImage: false
+ simple:
+ requirements:
+ - type: "signedBy"
+ keySecret: simple1pubkey
+ - type: "signedBy"
+ keySecret: simple2pubkey
\ No newline at end of file
diff --git a/test/e2e/testdata/clusterimagepolicy/simple-signedby2.yaml b/test/e2e/testdata/clusterimagepolicy/simple-signedby2.yaml
new file mode 100644
index 00000000..682575e5
--- /dev/null
+++ b/test/e2e/testdata/clusterimagepolicy/simple-signedby2.yaml
@@ -0,0 +1,14 @@
+apiVersion: portieris.cloud.ibm.com/v1
+kind: ClusterImagePolicy
+metadata:
+ name: simple-signedby2
+spec:
+ repositories:
+ - name: "icr.io/cise/*"
+ policy:
+ simple:
+ requirements:
+ - type: "signedBy"
+ keySecret: simple1pubkey
+ - type: "signedBy"
+ keySecret: simple2pubkey
diff --git a/test/e2e/testdata/cronjob/global-nginx-signed.yaml b/test/e2e/testdata/cronjob/global-nginx-signed.yaml
index 093d39e1..9e3617a2 100644
--- a/test/e2e/testdata/cronjob/global-nginx-signed.yaml
+++ b/test/e2e/testdata/cronjob/global-nginx-signed.yaml
@@ -1,3 +1,4 @@
+# simple signed
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -13,7 +14,7 @@ spec:
 spec:
 containers:
 - name: nginx
- image: de.icr.io/testing-authn/nginx:signed
+ image: icr.io/portieris-authn/nginx:signed
 ports:
 - containerPort: 80
 restartPolicy: Never
diff --git a/test/e2e/testdata/cronjob/global-nginx-unsigned.yaml b/test/e2e/testdata/cronjob/global-nginx-unsigned.yaml
index e415ee3e..01379326 100644
--- a/test/e2e/testdata/cronjob/global-nginx-unsigned.yaml
+++ b/test/e2e/testdata/cronjob/global-nginx-unsigned.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: batch/v1 kind: Job metadata: @@ -13,7 +14,7 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 restartPolicy: Never diff --git a/test/e2e/testdata/daemonset/global-nginx-signed.yaml b/test/e2e/testdata/daemonset/global-nginx-signed.yaml index bfc6c00d..f583681c 100644 --- a/test/e2e/testdata/daemonset/global-nginx-signed.yaml +++ b/test/e2e/testdata/daemonset/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: apps/v1 kind: DaemonSet metadata: @@ -17,6 +18,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 diff --git a/test/e2e/testdata/daemonset/global-nginx-unsigned.yaml b/test/e2e/testdata/daemonset/global-nginx-unsigned.yaml index 0a78e0ed..8bb5266e 100644 --- a/test/e2e/testdata/daemonset/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/daemonset/global-nginx-unsigned.yaml @@ -17,6 +17,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 diff --git a/test/e2e/testdata/deployment/global-nginx-simple.yaml b/test/e2e/testdata/deployment/global-nginx-signed-free.yaml similarity index 100% rename from test/e2e/testdata/deployment/global-nginx-simple.yaml rename to test/e2e/testdata/deployment/global-nginx-signed-free.yaml diff --git a/test/e2e/testdata/deployment/global-nginx-signed.yaml b/test/e2e/testdata/deployment/global-nginx-signed.yaml index dde68115..074e1cc1 100644 --- a/test/e2e/testdata/deployment/global-nginx-signed.yaml +++ b/test/e2e/testdata/deployment/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: apps/v1 kind: Deployment metadata: 
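Review bot: The comment added at the top of `cronjob/global-nginx-unsigned.yaml` says `# simple signed`, but the fixture's image is `icr.io/portieris-authn/nginx:unsigned` and it exists to exercise denial, so the header describes the opposite of what the file contains. Change it to `# unsigned - expected to be rejected by any signedBy policy`, or drop it to match the daemonset and deployment unsigned fixtures in this change, which carry no header. The same `# simple signed` header is correct on the `:signed` fixtures.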
@@ -17,6 +18,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 diff --git a/test/e2e/testdata/deployment/global-nginx-unsigned.yaml b/test/e2e/testdata/deployment/global-nginx-unsigned.yaml index e5747056..a7d2114d 100644 --- a/test/e2e/testdata/deployment/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/deployment/global-nginx-unsigned.yaml @@ -17,6 +17,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 diff --git a/test/e2e/testdata/imagepolicy/allow-signed.yaml b/test/e2e/testdata/imagepolicy/allow-signed.yaml index 0a611743..b239122d 100644 --- a/test/e2e/testdata/imagepolicy/allow-signed.yaml +++ b/test/e2e/testdata/imagepolicy/allow-signed.yaml @@ -1,12 +1,13 @@ +# allow simple sign from icr.io/portieris-authn apiVersion: portieris.cloud.ibm.com/v1 kind: ImagePolicy metadata: name: allow-signed spec: repositories: - - name: "de.icr.io/testing-authn/nginx" + - name: "icr.io/portieris-authn/nginx" policy: - trust: - enabled: true - trustServer: "https://notary.de.icr.io" - + simple: + requirements: + - type: "signedBy" + keySecret: simple1pubkey \ No newline at end of file diff --git a/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-trailing-wildcard.yaml b/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-trailing-wildcard.yaml index 0f2c4456..9502cd84 100644 --- a/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-trailing-wildcard.yaml +++ b/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-trailing-wildcard.yaml @@ -4,7 +4,7 @@ metadata: name: allow-unsigned-embedded-trailing-wildcard spec: repositories: - - name: "de.icr.io/*/*" + - name: "icr.io/*/*" policy: trust: enabled: false 
diff --git a/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-wildcard.yaml b/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-wildcard.yaml index 6d6d79b1..edc2c927 100644 --- a/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-wildcard.yaml +++ b/test/e2e/testdata/imagepolicy/allow-unsigned-embedded-wildcard.yaml @@ -4,7 +4,7 @@ metadata: name: allow-unsigned-embedded-wildcard spec: repositories: - - name: "de.icr.io/*/nginx" + - name: "icr.io/*/nginx" policy: trust: enabled: false diff --git a/test/e2e/testdata/imagepolicy/allow-unsigned-trailing-wildcard.yaml b/test/e2e/testdata/imagepolicy/allow-unsigned-trailing-wildcard.yaml index c06adf9e..ac832926 100644 --- a/test/e2e/testdata/imagepolicy/allow-unsigned-trailing-wildcard.yaml +++ b/test/e2e/testdata/imagepolicy/allow-unsigned-trailing-wildcard.yaml @@ -4,7 +4,7 @@ metadata: name: allow-unsigned-trailing-wildcard spec: repositories: - - name: "de.icr.io/testing-authn/*" + - name: "icr.io/portieris-authn/*" policy: trust: enabled: false diff --git a/test/e2e/testdata/job/global-nginx-signed.yaml b/test/e2e/testdata/job/global-nginx-signed.yaml index c9d1a057..49928a9a 100644 --- a/test/e2e/testdata/job/global-nginx-signed.yaml +++ b/test/e2e/testdata/job/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: batch/v1 kind: Job metadata: @@ -10,7 +11,7 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 restartPolicy: Never diff --git a/test/e2e/testdata/job/global-nginx-unsigned.yaml b/test/e2e/testdata/job/global-nginx-unsigned.yaml index 94ccb6a3..f0f4d1f0 100644 --- a/test/e2e/testdata/job/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/job/global-nginx-unsigned.yaml @@ -10,7 +10,7 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 restartPolicy: Never 
diff --git a/test/e2e/testdata/pod/global-nginx-signed.yaml b/test/e2e/testdata/pod/global-nginx-signed.yaml index 3a95d45a..8182df7a 100644 --- a/test/e2e/testdata/pod/global-nginx-signed.yaml +++ b/test/e2e/testdata/pod/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: v1 kind: Pod metadata: @@ -8,6 +9,6 @@ metadata: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 diff --git a/test/e2e/testdata/pod/global-nginx-unsigned.yaml b/test/e2e/testdata/pod/global-nginx-unsigned.yaml index 36e823a0..7ad20f47 100644 --- a/test/e2e/testdata/pod/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/pod/global-nginx-unsigned.yaml @@ -8,6 +8,6 @@ metadata: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - - containerPort: 80 + - containerPort: 80 \ No newline at end of file diff --git a/test/e2e/testdata/replicaset/global-nginx-signed.yaml b/test/e2e/testdata/replicaset/global-nginx-signed.yaml index 875d311a..9f4a82f7 100644 --- a/test/e2e/testdata/replicaset/global-nginx-signed.yaml +++ b/test/e2e/testdata/replicaset/global-nginx-signed.yaml @@ -16,6 +16,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - - containerPort: 80 + - containerPort: 80 \ No newline at end of file diff --git a/test/e2e/testdata/replicaset/global-nginx-unsigned.yaml b/test/e2e/testdata/replicaset/global-nginx-unsigned.yaml index bbbd878c..a0c54b95 100644 --- a/test/e2e/testdata/replicaset/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/replicaset/global-nginx-unsigned.yaml @@ -16,6 +16,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 
diff --git a/test/e2e/testdata/replicationcontroller/global-nginx-signed.yaml b/test/e2e/testdata/replicationcontroller/global-nginx-signed.yaml index 3a62a1c2..798a5a80 100644 --- a/test/e2e/testdata/replicationcontroller/global-nginx-signed.yaml +++ b/test/e2e/testdata/replicationcontroller/global-nginx-signed.yaml @@ -1,3 +1,4 @@ +# simple signed apiVersion: v1 kind: ReplicationController metadata: @@ -13,6 +14,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 diff --git a/test/e2e/testdata/replicationcontroller/global-nginx-unsigned.yaml b/test/e2e/testdata/replicationcontroller/global-nginx-unsigned.yaml index 85f3fe8f..0fa9685f 100644 --- a/test/e2e/testdata/replicationcontroller/global-nginx-unsigned.yaml +++ b/test/e2e/testdata/replicationcontroller/global-nginx-unsigned.yaml @@ -13,6 +13,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:unsigned + image: icr.io/portieris-authn/nginx:unsigned ports: - containerPort: 80 diff --git a/test/e2e/testdata/secret/sh.pubkey.yaml b/test/e2e/testdata/secret/sh.pubkey.yaml new file mode 100644 index 00000000..3504dc27 --- /dev/null +++ b/test/e2e/testdata/secret/sh.pubkey.yaml 
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: simple1pubkey +stringData: + key: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + + mQINBGF4lUwBEAC7oi1yrsqgST7eHrY7MvPmSKxtfKhZ78Z98XBAOY7MW/adBbu4 + xDK9ggvxqP/zRvTC5WDiJEYmZemx7Y89wIbYRem9eKH+Uy7Mym2vP2bQKFDFBS6x + S9UvUgYr473iGnWBLNL5D7wqpXVwpDgrHPBJDxgK5wKpjmIpjVNz1I+57U5F3IG/ + Mdj2QexP4qI7rIoQKSMooO0YVmzWRUVSrcqxRI3doWtqm6CJpGrBJpEIffoDfPKb + 0x/ItzidkrgWpxCcXBsGn5DxfcH36W8Fnpxj52KbtyySO+QthmliPqfKg0m221bw + Xw7gDhnMwpw8d6uswSFJqRl5+0TeYaJiF3p0lr7vKKfpr5TrHbEyiYxuT4FU7/sy + lAr7TN13CR0rQOQVLT1OxvUbSxoRf5Tczk6XF7acpDbARUYL71NYeAlTTqmegL58 + F4tYEqBLHb08yL1z4xC6TkoZbXGWtfE63jACZlZIVyco6dlJZ3g3Nvz5cwK8j3/N + XclEWYxGXUdRDT2/gBP1ccyE5FSE4QF6Yu66PBeb4DD5cYaqlzSVyuMBEYXkRTIf + 0wfuXybqvzevExLHrQp/Bk3oaR5+tV8jKkdb3GojUu0nAWbGInu952mesKwSOa6Q + 5c6qRtuLFdPydKaoqPSLtZBFpBGzCVKtmwORmuIGdWnKwxqmgiWAAvsjGQARAQAB + tChTdHVhcnQgSGF5dG9uIDxzdHVhcnQuaGF5dG9uQHVrLmlibS5jb20+iQJSBBMB + CAA8FiEE7QyWSjk40HCcvJo8h8EE7uQywsMFAmF4lUwCGwMFCwkIBwIDIgIBBhUK + CQgLAgQWAgMBAh4HAheAAAoJEIfBBO7kMsLDWuIQAI1GBz6RUh+8CIiigwV6L03k + 7lPAEHam6YN4S/z4XskClMlHCOrZGvSsOg/SzdEYV0asWY64sW60alULg0O4C+Pt + TNfjBO46URcsDvW01HhJVQP05NT4rNPDWNeK6SXnl+0sS18LcKywwkB+AdnjytFK + 2h97H8zYu5XRZMohiMt7x80zaQdwVqf0dHk212AyYSKHqdMPjS1EP/9NtUfF5og6 + 8MEua6Fhe1QkWVRBRdLO3ojLSLbMYzXHrxUV9BDVAHMR9AWnw0SiSz0FRoxwb9gl + gaHzAYUj6o+1j4iF9yj+cLWmOEMEi/xA0czkJ60FiOw8WZ+7UVnwXI9n5P4ctoJj + yGHSPWxeRLFuP0ptsA9Np/Vo/xF6YkI+zlEJDeed2XmIJXn60rGIEi9X81syXMnJ + IA5NxZU3egzrScLOZyuVu6HE7NomTM5KalM3/TLFe/fvBMGsjR+WZpKMIycpJhYw + ARORxcoS/AFo2sM9GVKW0N4v9/nwbigTjEloxrz2hO7betbFRvOTisXrJDU+J6CO + MorvYLv3OD3pWPJdr708AIYn7q4HHrGG9cdALOc4kxeCd3Zw2W0hcuYJZ5JkVFOW + GywT5TQ/bpsqNsLm4Hmv868im+GrmO/cxY3xsRcPVEmMwREW+8HveEXlh2BkhaYq + 3fhU1PZOWQssMIpnlZ/tuQINBGF4lUwBEADTYQzAHjsjc+XMXwzeXxZEyMIgc6NP + wkLgcOFkBi3L/SmiDcO30SkPAPF/ebou6igo3sHMDX8swdFcnneTbKr+e5NkY+24 + 6st+0lrPJLgdQ+aIinQ5cn0voEbFXZSas/oqDAlJ32GxxOGCJvx9Gjhzete+Xiyq + 
LJ+v+gYQwkgUYsAyVzE2k+uju+2Aay+QI6F0ICxIx/9y62rb3ZCH8cKXE3FjpS4J + z5lJqpc276/hgvTVbpWyExzf/C6QTAOFrGuudVlvDdEkXlpUQ8CBqe/SetLpg6qd + x4MJAuvTF2FKrw8EC1it3N7eadJWo2tHAPvysUb9TeZyoavpLWNL99Zm3Da+YMzJ + VeCHI15NOTUAmayv5Owfs7Yqn9++Z/4wfWfJAsr99jDoCrr4keff21ER3ejhjyq+ + KGdg5sthAH15xnieBoyNf14Sn+Hwqf7dQ5l9sC37L85PgxY/UCzDFj+hx+shBTjq + mgjd1y+SSGGp8LHILXWJdrvu4iFTnX7toeejh7m75jgL1u4vpDntMJA4cyJf7k4y + EbllrrDx3s+8nZoW2Yd66SKwmDkri91aeDxnulwXB/68l+KKARET98JgAmPJKBFL + NhJQPST/YnrHs2qncXcXDpTcVk6jBXQS0/miavVg3zM6FhQDUz1Ycyg0xQEN3Rrw + F0VU2y4wJUp2IQARAQABiQI2BBgBCAAgFiEE7QyWSjk40HCcvJo8h8EE7uQywsMF + AmF4lUwCGwwACgkQh8EE7uQywsMfpxAAlR+a3Y4VKB/0IwZPjqFNDh37D95f8NDk + JtHBIAC60EBe1zht6kXVj7O/V+yWLbktXCl25l7fgeaFYBPJB6MpMPYm29APBlLL + 4geVB0x+Qe+8KTPUgrrQWP98S8O5+6UiI801RcKMqpfAoBUc+ezauSZdGoEcN1lT + I0rho3Ot6D1rspmcCmN4rVWLm3vm+Pz70xaMolRZWaoWsX39gVzF45JtwO/zfG8m + I52m8KXfIKYNYD2Eqyaw02NiQ9efsNa7hR8SzjIwyoC0Ng8Mmvozr6kz6lnu95UD + 5Sotip+bkI+l+oDfOAHT0nFMNJa2jAzZq8mcieYjBuz4U8s3TedMNY5XHtpSDWl7 + LQFACoZBsOX0V+SKtenG2MI+KkmxmTto36By0Uq/KBfhuyoxyHVdsm8ikzUT1D9i + lobeRs1UpR4JA8Q55JtQY41p5bpp8thJUKVaUV1KuxhnX9L/g5XcdKr7wSVFuGmN + 4g6OKnsmdK+2kSTZPBiiS6cOvtompUusilmPOaNxTuYn/cvhfZPZIzYFYiHcjTMO + GzMRLVU0wQbokkaD1NXsR8FC8a2YcmrdzaWXy2wWrkP161tHF6TIsw8MfO3f6jOb + EZ40knBTJeyjZOFVCBdf2Ayj2NIYIBLpOqdDBMwrDcad+KGjBDUv6z+4QgKBAq+6 + R4p2Rlar8h0= + =e2cj + -----END PGP PUBLIC KEY BLOCK----- diff --git a/test/e2e/testdata/statefulset/global-nginx-signed.yaml b/test/e2e/testdata/statefulset/global-nginx-signed.yaml index 5c86c585..fc54746c 100644 --- a/test/e2e/testdata/statefulset/global-nginx-signed.yaml +++ b/test/e2e/testdata/statefulset/global-nginx-signed.yaml @@ -16,6 +16,6 @@ spec: spec: containers: - name: nginx - image: de.icr.io/testing-authn/nginx:signed + image: icr.io/portieris-authn/nginx:signed ports: - containerPort: 80 
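Review bot: The new Secret in `secret/sh.pubkey.yaml` is named `simple1pubkey`, the same Secret name as the existing `testdata/secret/simple1pubkey.yaml` that every `CreateSecret` call in this change loads, and nothing visible in this diff references `sh.pubkey.yaml`. If it is a second copy of the same key it is dead data; if it is a different key under the same name, any test that loads both into one namespace will fail on create or verify against a key it did not intend to trust. Committing a PGP public key is fine (there is no private material here), but the file should carry a header comment stating which signing identity the key belongs to, which test images it verifies, and why it exists beside `simple1pubkey.yaml` — or be removed if it is unused.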
diff --git a/test/e2e/testdata/statefulset/global-nginx-unsigned.yaml b/test/e2e/testdata/statefulset/global-nginx-unsigned.yaml
index 8dce2118..b8894b70 100644
--- a/test/e2e/testdata/statefulset/global-nginx-unsigned.yaml
+++ b/test/e2e/testdata/statefulset/global-nginx-unsigned.yaml
@@ -16,6 +16,6 @@ spec:
 spec:
 containers:
 - name: nginx
- image: de.icr.io/testing-authn/nginx:unsigned
+ image: icr.io/portieris-authn/nginx:unsigned
 ports:
 - containerPort: 80
diff --git a/test/e2e/utils/imagepolicy.go b/test/e2e/utils/imagepolicy.go
index 1e9a2056..dce1861e 100644
--- a/test/e2e/utils/imagepolicy.go
+++ b/test/e2e/utils/imagepolicy.go
@@ -1,4 +1,4 @@
-// Copyright 2020, 2022 Portieris Authors.
+// Copyright 2020, 2023 Portieris Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -86,9 +86,9 @@ func UpdateImagePolicy(t *testing.T, fw *framework.Framework, manifestPath, name
 t.Fatalf("error loading %q ImagePolicy manifest: %v", imagePolicy.Name, err)
 }
 if err := fw.DeleteImagePolicy(oldPolicy, namespace); err != nil {
- t.Fatalf("error updating %q ImagePolicy: %v", imagePolicy.Name, err)
+ t.Fatalf("error deleting %q ImagePolicy: %v", imagePolicy.Name, err)
 }
 if err := fw.CreateImagePolicy(namespace, imagePolicy); err != nil {
- t.Fatalf("error updating %q ImagePolicy: %v", imagePolicy.Name, err)
+ t.Fatalf("error creating %q ImagePolicy: %v", imagePolicy.Name, err)
 }
 }
diff --git a/test/e2e/vulnerability.imagePolicy_test.go b/test/e2e/vulnerability.imagePolicy_test.go
deleted file mode 100644
index 344e39f9..00000000
--- a/test/e2e/vulnerability.imagePolicy_test.go
+++ /dev/null
@@ -1,59 +0,0 @@ -// Copyright 2020, 2021 Portieris Authors. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package e2e - -import ( - "testing" - - "github.com/IBM/portieris/test/e2e/utils" -) - -func Test_ICCRVA_ImagePolicy(t *testing.T) { - utils.CheckIfTesting(t, testVulnerability) - if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil { - defer framework.CreateClusterImagePolicy(defaultClusterPolicy) - } - - t.Run("Pods are admitted when ICCRVA is enabled when VA results are OK", func(t *testing.T) { - t.Parallel() - // this pod spec references an image with UNSUPPORTED status. 
- namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/vulnerability-enabled.yaml", "") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/vulnerability-allow.yaml", namespace.Name) - }) - t.Run("Pods are denied when ICCRVA is enabled when VA results are not OK", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/vulnerability-enabled.yaml", "") - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/vulnerability-deny.yaml", namespace.Name) - }) - t.Run("Pods that are admissable by simple signing, are denied when VA status is not OK", func(t *testing.T) { - t.Parallel() - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/vulnerability-enabled-with-simple.yaml", "") - utils.CreateSecret(t, framework, "./testdata/secret/simple1pubkey.yaml", namespace.Name) - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/vulnerability-deny-vulnerable-signed.yaml", namespace.Name) - }) - t.Run("Pods are not admitted when they have non-exempted config issues", func(t *testing.T) { - t.Parallel() - // this pod spec references an image with configuration issues. 
- namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/vulnerability-enabled.yaml", "") - utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/vulnerability-account-exemption.yaml", namespace.Name) - }) - t.Run("Pods are admitted when exemptions from a specified account make the image safe to deploy", func(t *testing.T) { - t.Parallel() - // this test requires you to export E2E_ACCOUNT_HEADER to an account which has exempted the configuration issue: - namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/vulnerability-with-account.yaml", "") - utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/vulnerability-account-exemption.yaml", namespace.Name) - }) - -}