22apiVersion : chainsaw.kyverno.io/v1alpha1
33kind : Test
44metadata :
5- name : egressfirewall-created-in-all-ns-but-one
5+ name : egressfirewall-created-in-all-new- ns-but-one
66spec :
77 concurrent : false
88 description : |
99 Tests that the ClusterPolicy for generating EgressFirewall is
10- is creating the EgressFirewall in all namespace expect in internal-services.
10+ is creating the EgressFirewall in all new namespaces except in internal-services.
1111 steps :
1212 - name : setup-crd
1313 try :
4242 metadata :
4343 name : default
4444 namespace : test-ns
45+ spec :
46+ egress :
47+ - to :
48+ dnsName : signserver.devel.redhat.com
49+ type : Deny
4550 - name : create-internal-services-namespace
4651 try :
4752 - apply :
@@ -52,12 +57,228 @@ spec:
5257 name : internal-services
5358 - name : verify-no-egress-firewall-in-internal-services
5459 try :
55- - delete :
56- ref :
57- apiVersion : k8s.ovn.org/v1
58- kind : EgressFirewall
59- namespace : internal-services
60- name : default
61- expect :
62- - check :
63- ($error != null) : true
60+ - delete :
61+ ref :
62+ apiVersion : k8s.ovn.org/v1
63+ kind : EgressFirewall
64+ namespace : internal-services
65+ name : default
66+ expect :
67+ - check :
68+ ($error != null) : true
69+ ---
70+ apiVersion : chainsaw.kyverno.io/v1alpha1
71+ kind : Test
72+ metadata :
73+ name : egressfirewall-created-in-all-existing-ns-but-one
74+ spec :
75+ concurrent : false
76+ description : |
77+ Tests that the ClusterPolicy for generating EgressFirewall is
78+ is creating the EgressFirewall in all existing namespaces except in internal-services.
79+ steps :
80+ - name : setup-crd
81+ try :
82+ - apply :
83+ file : resources/mock-egressfirewall-crd.yaml
84+ - assert :
85+ file : resources/mock-egressfirewall-crd.yaml
86+ - name : setup-permissions
87+ try :
88+ - apply :
89+ file : ../kyverno_rbac.yaml
90+ - name : create-test-namespace
91+ try :
92+ - apply :
93+ resource :
94+ apiVersion : v1
95+ kind : Namespace
96+ metadata :
97+ name : test-ns
98+ - name : create-internal-services-namespace
99+ try :
100+ - apply :
101+ resource :
102+ apiVersion : v1
103+ kind : Namespace
104+ metadata :
105+ name : internal-services
106+ - name : Apply Kyverno ClusterPolicy and assert it exists
107+ try :
108+ - apply :
109+ file : ../block-signing-server-access.yaml
110+ - assert :
111+ file : chainsaw-assert-clusterpolicy.yaml
112+ - name : verify-egress-firewall-created
113+ try :
114+ - assert :
115+ resource :
116+ apiVersion : k8s.ovn.org/v1
117+ kind : EgressFirewall
118+ metadata :
119+ name : default
120+ namespace : test-ns
121+ spec :
122+ egress :
123+ - to :
124+ dnsName : signserver.devel.redhat.com
125+ type : Deny
126+ - name : verify-no-egress-firewall-in-internal-services
127+ try :
128+ - delete :
129+ ref :
130+ apiVersion : k8s.ovn.org/v1
131+ kind : EgressFirewall
132+ namespace : internal-services
133+ name : default
134+ expect :
135+ - check :
136+ ($error != null) : true
137+ ---
138+ apiVersion : chainsaw.kyverno.io/v1alpha1
139+ kind : Test
140+ metadata :
141+ name : egressfirewall-recreated-if-deleted
142+ spec :
143+ concurrent : false
144+ description : |
145+ Tests that the ClusterPolicy for generating EgressFirewall is
146+ is recreating the EgressFirewall if deleted
147+ steps :
148+ - name : setup-crd
149+ try :
150+ - apply :
151+ file : resources/mock-egressfirewall-crd.yaml
152+ - assert :
153+ file : resources/mock-egressfirewall-crd.yaml
154+ - name : setup-permissions
155+ try :
156+ - apply :
157+ file : ../kyverno_rbac.yaml
158+ - name : Apply Kyverno ClusterPolicy and assert it exists
159+ try :
160+ - apply :
161+ file : ../block-signing-server-access.yaml
162+ - assert :
163+ file : chainsaw-assert-clusterpolicy.yaml
164+ - name : create-test-namespace
165+ try :
166+ - apply :
167+ resource :
168+ apiVersion : v1
169+ kind : Namespace
170+ metadata :
171+ name : test-ns
172+ - name : verify-egress-firewall-created
173+ try :
174+ - assert :
175+ resource :
176+ apiVersion : k8s.ovn.org/v1
177+ kind : EgressFirewall
178+ metadata :
179+ name : default
180+ namespace : test-ns
181+ spec :
182+ egress :
183+ - to :
184+ dnsName : signserver.devel.redhat.com
185+ type : Deny
186+ - name : delete-egress-firewall
187+ try :
188+ - delete :
189+ ref :
190+ apiVersion : k8s.ovn.org/v1
191+ kind : EgressFirewall
192+ namespace : test-ns
193+ name : default
194+ - name : verify-egress-firewall-recreated
195+ try :
196+ - assert :
197+ resource :
198+ apiVersion : k8s.ovn.org/v1
199+ kind : EgressFirewall
200+ metadata :
201+ name : default
202+ namespace : test-ns
203+ spec :
204+ egress :
205+ - to :
206+ dnsName : signserver.devel.redhat.com
207+ type : Deny
208+ ---
209+ apiVersion : chainsaw.kyverno.io/v1alpha1
210+ kind : Test
211+ metadata :
212+ name : egressfirewall-restored-if-modified
213+ spec :
214+ concurrent : false
215+ description : |
216+ Tests that the ClusterPolicy for generating EgressFirewall
217+ restores the EgressFirewall if it is modified.
218+ steps :
219+ - name : setup-crd
220+ try :
221+ - apply :
222+ file : resources/mock-egressfirewall-crd.yaml
223+ - assert :
224+ file : resources/mock-egressfirewall-crd.yaml
225+ - name : setup-permissions
226+ try :
227+ - apply :
228+ file : ../kyverno_rbac.yaml
229+ - name : Apply Kyverno ClusterPolicy and assert it exists
230+ try :
231+ - apply :
232+ file : ../block-signing-server-access.yaml
233+ - assert :
234+ file : chainsaw-assert-clusterpolicy.yaml
235+ - name : create-test-namespace
236+ try :
237+ - apply :
238+ resource :
239+ apiVersion : v1
240+ kind : Namespace
241+ metadata :
242+ name : test-ns
243+ - name : verify-egress-firewall-created
244+ try :
245+ - assert :
246+ resource :
247+ apiVersion : k8s.ovn.org/v1
248+ kind : EgressFirewall
249+ metadata :
250+ name : default
251+ namespace : test-ns
252+ spec :
253+ egress :
254+ - to :
255+ dnsName : signserver.devel.redhat.com
256+ type : Deny
257+ - name : modify-egress-firewall
258+ try :
259+ - apply :
260+ resource :
261+ apiVersion : k8s.ovn.org/v1
262+ kind : EgressFirewall
263+ metadata :
264+ name : default
265+ namespace : test-ns
266+ spec :
267+ egress :
268+ - to :
269+ dnsName : malicious.example.com
270+ type : Allow
271+ - name : verify-egress-firewall-restored
272+ try :
273+ - assert :
274+ resource :
275+ apiVersion : k8s.ovn.org/v1
276+ kind : EgressFirewall
277+ metadata :
278+ name : default
279+ namespace : test-ns
280+ spec :
281+ egress :
282+ - to :
283+ dnsName : signserver.devel.redhat.com
284+ type : Deny
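Review bot: The negative check in `verify-no-egress-firewall-in-internal-services` (new lines 128-136 of this hunk, and the same pattern at 60-68) passes on any error, not just "not found": `($error != null): true` is also satisfied when the delete fails because of RBAC, a missing CRD or an unreachable API server, so an environment failure is indistinguishable from the exclusion actually working. Tightening the check to the condition the test means, e.g. `(contains($error, 'not found')): true`, or using Chainsaw's `error` operation on the EgressFirewall ref, would make the step fail for the right reason; note also that a one-shot delete only proves absence at one instant, so for the "existing namespaces" variant it presumably races with the policy's background generation — worth confirming against the policy's sync settings. In `egressfirewall-restored-if-modified`, the final assert (new lines 273-284) lists only the expected `Deny` entry; unless Chainsaw's array assertion enforces equal length, an extra `Allow` entry for `malicious.example.com` surviving alongside it would not be detected, so asserting the egress length as well (e.g. `(length(spec.egress)): 1`) would pin the restore. Lastly, the descriptions at new lines 77-78 and 145-146 read "is / is creating"; dropping the trailing `is` on the first line (as the fourth document already does) fixes the duplicated word, and the same typo is in the first hunk's description.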