fix: modify clusterpolicyreports in kuttl tests (#760) (#766)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

fix: modify clusterpolicyreports in kuttl tests (#760) (#766)
c4a72595 · gcp-cherry-pick-bot[bot] · GitHub · bf7a12f1 · bf7a12f1 · bf7a12f1
Unverified Commit c4a72595 authored 1 year ago by gcp-cherry-pick-bot[bot] Committed by GitHub 1 year ago
--- a/istio/require-authorizationpolicy/02-assert.yaml
+++ b/istio/require-authorizationpolicy/02-assert.yaml
-apiVersion: wgpolicyk8s.io/v1alpha2
-kind: ClusterPolicyReport
-metadata:
-  name: cpol-require-authorizationpolicies
\ No newline at end of file
--- a/istio/require-authorizationpolicy/03-cpolr.yaml
+++ b/istio/require-authorizationpolicy/03-cpolr.yaml
-apiVersion: kuttl.dev/v1beta1
-kind: TestStep
-commands:
- script: |
-    if [ "$(kubectl get cpolr cpol-require-authorizationpolicies -o jsonpath='{.results[?(@.resources[0].name=="istio-reqauthzpol-bad-ns")].result}')" = "fail" ] ; then
-            exit 0;
-    else
-            exit 1;
-    fi
- script: |
-    if [ "$(kubectl get cpolr cpol-require-authorizationpolicies -o jsonpath='{.results[?(@.resources[0].name=="istio-reqauthzpol-good-ns")].result}')" = "pass" ] ; then
-            exit 0;
-    else
-            exit 1;
-    fi
--- a/other/m-q/namespace-inventory-check/03-cpolr.yaml
+++ b/other/m-q/namespace-inventory-check/03-cpolr.yaml
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
-commands:
+assert:
- command: bash ./resource-check.sh
+- report-assert.yaml
\ No newline at end of file
--- a/istio/require-authorizationpolicy/report-assert.yaml
+++ b/istio/require-authorizationpolicy/report-assert.yaml
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+  ownerReferences:
+    - apiVersion: v1
+      kind: Namespace
+      name: istio-reqauthzpol-bad-ns
+summary:
+  error: 0
+  fail: 1
+  pass: 0
+  skip: 0
+  warn: 0
+---
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+  ownerReferences:
+    - apiVersion: v1
+      kind: Namespace
+      name: istio-reqauthzpol-good-ns
+summary:
+  error: 0
+  fail: 0
+  pass: 1
+  skip: 0
+  warn: 0
\ No newline at end of file
--- a/other/e-l/inspect-csr/03-assert.yaml
+++ b/other/e-l/inspect-csr/03-assert.yaml
 apiVersion: wgpolicyk8s.io/v1alpha2
 kind: ClusterPolicyReport
 metadata:
-  name: cpol-inspect-csr
+  ownerReferences:
+  - apiVersion: certificates.k8s.io/v1
+    kind: CertificateSigningRequest
+    name: inspect-csr-user
 results:
 - category: Other
  message: A CSR was created by {"groups":["testorg","system:authenticated"],"username":"inspect-csr-user"}
    holding ClusterRoles ["csr-manager","system:basic-user","system:discovery","system:public-info-viewer"]
    and Roles null. The subjects and groups requested in the CSR were "{"CommonName":"inspect-csr-user","Country":null,"ExtraNames":null,"Locality":null,"Names":[{"Type":[2,5,4,10],"Value":"testorg"},{"Type":[2,5,4,3],"Value":"inspect-csr-user"}],"Organization":["testorg"],"OrganizationalUnit":null,"PostalCode":null,"Province":null,"SerialNumber":"","StreetAddress":null}"
  policy: inspect-csr
-  resources:
-  - apiVersion: certificates.k8s.io/v1
-    kind: CertificateSigningRequest
-    name: inspect-csr-user
  result: fail
  rule: csr
  scored: true

--- a/other/m-q/namespace-inventory-check/02-assert.yaml
+++ b/other/m-q/namespace-inventory-check/02-assert.yaml
-apiVersion: wgpolicyk8s.io/v1alpha2
-kind: ClusterPolicyReport
-metadata:
-  name: cpol-namespace-inventory-check
\ No newline at end of file
--- a/other/m-q/namespace-inventory-check/03-report.yaml
+++ b/other/m-q/namespace-inventory-check/03-report.yaml
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- report-assert.yaml
--- a/other/m-q/namespace-inventory-check/report-assert.yaml
+++ b/other/m-q/namespace-inventory-check/report-assert.yaml
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Namespace
+    name: inventory-check-ns01
+results:
+- result: fail
+  rule: networkpolicies
+- result: pass
+  rule: resourcequotas
+summary:
+  error: 0
+  fail: 1
+  pass: 1
+  skip: 0
+  warn: 0
+---
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Namespace
+    name: inventory-check-ns02
+results:
+- result: pass
+  rule: networkpolicies
+- result: fail
+  rule: resourcequotas
+summary:
+  error: 0
+  fail: 1
+  pass: 1
+  skip: 0
+  warn: 0
+---
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Namespace
+    name: inventory-check-ns03
+results:
+- result: pass
+  rule: networkpolicies
+- result: pass
+  rule: resourcequotas
+summary:
+  error: 0
+  fail: 0
+  pass: 2
+  skip: 0
+  warn: 0
--- a/other/m-q/namespace-inventory-check/resource-check.sh
+++ b/other/m-q/namespace-inventory-check/resource-check.sh
-#!/bin/bash
-resources=("inventory-check-ns01" "inventory-check-ns01" "inventory-check-ns02" "inventory-check-ns02" "inventory-check-ns03" "inventory-check-ns03")
-rules=("resourcequotas" "networkpolicies" "resourcequotas" "networkpolicies" "resourcequotas" "networkpolicies")
-results=("pass" "fail" "fail" "pass" "pass" "pass")
-for i in "${!resources[@]}"; do
-    if [ "$(kubectl get clusterpolicyreport cpol-namespace-inventory-check -o json | kyverno jp query "results[?resources[0].name=='${resources[$i]}' && rule=='${rules[$i]}'].result[?@=='${results[$i]}'] | length(@) | to_string(@)=='1'" | tail -n 1)" = "true" ] ; then
-            echo "Success: resource ${resources[$i]} ${results[$i]}ed for rule ${rules[$i]}";
-    else
-            echo "Failed: resource ${resources[$i]} did not ${results[$i]} for rule ${rules[$i]}";
-            exit 1;
-    fi
-done
\ No newline at end of file