-
Notifications
You must be signed in to change notification settings - Fork 248
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added test for copy-ns-labels policy #967
Conversation
Signed-off-by: siddhikhapare <[email protected]>
@chipzoller Could you help me in resolving this issue of test failures? |
Sure. Forget the failures for right now. I see you are missing some fundamental points of what this policy does. |
Thank you for your helpful response. As per my understanding ,in order to validate both conditions of policy simultaneously. I have to define both rules in single resource but I have created resources with separated methods of policy. I realize now that I was mistaken here. Could you please share your thoughts on this? |
Not sure what you're saying. Look at my hint, then look at the policy match block, then look at all the resources you're trying to create as part of the test. Something is off there. What is it? |
pod resource kind is not included in the match block which I have provided and rules will only apply to deployment resources which will create and manage the associated pods. |
@chipzoller I will update it. |
Yes, correct. Fix that first then let's look. |
Signed-off-by: siddhikhapare <[email protected]>
Should use a ClusterRole to grant permissions here for this policy? |
There should be no need to grant permissions here. |
Signed-off-by: siddhikhapare <[email protected]>
@chipzoller I've noticed that policy is taking more time to initialize. I tried increasing the sleep duration in |
I assert that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please look at the failed test log fro your error. You can and should also run this locally on your machine and you will see the same thing. You should always be running tests locally before pushing changes in a PR.
Signed-off-by: siddhikhapare <[email protected]>
I have attached passed test output here using chainsaw. |
@chipzoller I tested files locally which have got output as passed tests as expected but here test are failed. |
Look at the logged output in CI tests here and see why they fail. |
Signed-off-by: siddhikhapare <[email protected]>
for bad-deployment-with-ouside-ns resource have the |
Signed-off-by: siddhikhapare <[email protected]>
I think the tests were failing because of the |
Signed-off-by: siddhikhapare <[email protected]>
You still don't seem to understand what this policy is about and how to test it. This is a mutation policy with two rules. There is no "bad" resource and no failure should occur. The test is about asserting on what the resulting mutation should look like, for both rules, in different scenarios with applicable resources. |
I found internal error today that failed when calling the webhook "mutate-policy.kyverno.svc". However, according to this note mentioned in Kyverno's documentation https://kyverno.io/docs/writing-policies/mutate/ , Kubernetes disallows changes to certain fields in resources including I did not understand that error correctly so thanks for providing clarification. |
None of what you're saying matters in this case. A mutation during admission is not subject to these limitations since there is no "existing" resource. New resources being created are mutated before being persisted. All that's needed is to check the resource after it is created. |
Signed-off-by: siddhikhapare <[email protected]>
All test passed as you have explained @chipzoller. Thanks for your guidance. |
Signed-off-by: siddhikhapare <[email protected]>
I think this test might be showing there's a issue with resources timeout. Could you please provide your insights regarding this issue it would be helpful for me. should I use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please also use an error step to fail if the kubernetes.io/metadata.name
is found on at least one Deployment.
Signed-off-by: siddhikhapare <[email protected]>
@chipzoller Sorry for delay in resolving issue. I was out of station. I have checked test here that
|
So are you saying the previous comment is resolved? Ready for review again? Also, in the future, there's no need to take a screenshot of terminal output. Please just paste the text into a code block here so it's easy to follow the path of communication. |
yes I believe that all test passed for that change what you have suggested to add. |
I have added whole resource definition in test file if that kubernetes.io/metadata.name label found with value of the label is the namespace name then that resource should provide error before applying policy because after applying policy that label should exclude from that resource. |
@siddhikhapare - has this requested change been addressed? |
Signed-off-by: siddhikhapare <[email protected]>
664ea96
to
0fa0148
Compare
Signed-off-by: siddhikhapare <[email protected]>
@chipzoller I got policy lint error but my all test passed locally. |
Signed-off-by: siddhikhapare <[email protected]>
Signed-off-by: siddhikhapare <[email protected]>
@chipzoller Should I update the digest hash string in the |
I found this error Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces. while testing diff --git a/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml b/kasten/kasten-generate-policy-by-preset-label/artifacthub-pkg.yml |
Sent #1036 to fix. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work, thanks.
Related Issue(s)
Partially addresses #950
Description
added chainsaw test for copy-namespace-labels policy to test working of policy for outside and within ns with owner and multiple additional labels.
Checklist