[Chainsaw Tests] Add Chainsaw test for Bare Pods

cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,30 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: cleanup-bare-pods
+spec:
+  steps:
+    - name: apply clusterrole
+      try:
+        - apply:
+            file: ../clusterrole.yaml
+    - name: create a bare pod
+      try:
+        - apply:
+            file: pod.yaml
+        - assert:
+            file: pod.yaml
+    - name: apply cleanup policy
+      try:
+        - apply:
+            file: cleanup-bare-pods-test.yaml
+        - assert:
+            file: cleanup-bare-pods-test.yaml
+    - name: wait for scheduled deletion
+      try:
+        - sleep:
+            duration: 1m30s
+    - name: check for bare pod
+      try:
+        - error:
+            file: pod.yaml

cleanup/cleanup-bare-pods/.chainsaw-test/cleanup-bare-pods-test.yaml

@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterCleanupPolicy
+metadata:
+  name: clean-bare-pods
+  annotations:
+    policies.kyverno.io/title: Cleanup Bare Pods
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.11.1
+    policies.kyverno.io/minversion: 1.10.0
+    pod-policies.kyverno.io/autogen-controllers: none
+    kyverno.io/kubernetes-version: "1.27"
+    policies.kyverno.io/description: >-
+      A bare Pod is any Pod created directly and not owned by a controller such as a
+      Deployment or Job. Bare Pods are often create manually by users in an attempt to troubleshoot
+      an issue. If left in the cluster, they create clutter, increase cost, and can be a security
+      risk. Bare Pods can be cleaned up periodically through use of a policy. This policy finds
+      and removes all bare Pods across the cluster.
+spec:
+  match:
+    any:
+    - resources:
+        kinds:
+          - Pod
+  conditions:
+    all:
+    - key: "{{ target.metadata.ownerReferences[] || `[]` }}"
+      operator: Equals
+      value: []
+  schedule: "*/1 * * * *"

cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bare-pod
+spec:
+  containers:
+    - name: nginx
+      image: nginx:1.14.1

cleanup/cleanup-bare-pods/clusterrole.yaml

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  namespace: kyverno
+  labels:
+    app.kubernetes.io/component: cleanup-controller
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/part-of: kyverno
+  name: kyverno:cleanup-controller:temp
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+