feat: add other policies in CEL expressions - Part 1

.github/workflows/test.yml

@@ -53,6 +53,8 @@ jobs:
           - ^other$/^re[c-q]
           - ^other$/^res
           - ^other$/^[s-z]
+          - ^other-cel$/^a
+          - ^other-cel$/^[b-d]
           - ^pod-security$
           - ^pod-security-cel$
           - ^psa$

other-cel/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: allowed-annotations
+status:
+  ready: true

other-cel/allowed-annotations/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: allowed-annotations
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../allowed-annotations.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: allowed-annotations
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod-good.yaml
+    - apply:
+        file: podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-bad.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: podcontroller-bad.yaml

other-cel/allowed-annotations/.chainsaw-test/pod-bad.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    fluxcd.io/cat: meow
+  name: badpod01
+spec:
+  containers:
+    - name: pod01-01
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    foo: bar
+    fluxcd.io/foo: bar
+  name: badpod02
+spec:
+  containers:
+    - name: pod02-01
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    fluxcd.io/bar: foo
+    foo: bar
+  name: badpod03
+spec:
+  containers:
+    - name: pod-01
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    fluxcd.io/bar: foo
+    fluxcd.io/cow: moo
+  name: badpod04
+spec:
+  containers:
+    - name: pod-01
+      image: busybox:1.35

other-cel/allowed-annotations/.chainsaw-test/pod-good.yaml

@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+spec:
+  containers:
+    - name: pod01-01
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    foo: bar
+    fluxcd.io/cow: ox
+    fluxcd.io/dog: cat
+  name: goodpod02
+spec:
+  containers:
+    - name: pod02-01
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    foo: bar
+  name: goodpod03
+spec:
+  containers:
+    - name: pod-01
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    fluxcd.io/cow: moo
+    foo: bar
+  name: goodpod04
+spec:
+  containers:
+    - name: pod-01
+      image: busybox:1.35

other-cel/allowed-annotations/.chainsaw-test/podcontroller-bad.yaml

@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: baddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      annotations:
+        foo: bar
+        fluxcd.io/foo: bar
+      labels:
+        app: busybox
+    spec:
+      containers:
+        - name: bb-01
+          image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: baddeployment02
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      annotations:
+        fluxcd.io/cat: meow
+        fluxcd.io/cow: moo
+      labels:
+        app: busybox
+    spec:
+      containers:
+        - name: bb-01
+          image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:
+            foo: bar
+            fluxcd.io/foo: bar
+        spec:
+          containers:
+          - name: hello
+            image: busybox:1.35
+            imagePullPolicy: IfNotPresent
+            command:
+            - "sleep"
+            - "3600"
+          restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob02
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:
+            fluxcd.io/cat: meow
+            fluxcd.io/cow: moo
+        spec:
+          containers:
+          - name: hello
+            image: busybox:1.35
+            imagePullPolicy: IfNotPresent
+            command:
+            - "sleep"
+            - "3600"
+          restartPolicy: OnFailure

other-cel/allowed-annotations/.chainsaw-test/podcontroller-good.yaml

@@ -0,0 +1,131 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: gooddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      annotations:
+        foo: bar
+      labels:
+        app: busybox
+    spec:
+      containers:
+        - name: bb-01
+          image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: gooddeployment02
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      annotations:
+        fluxcd.io/cow: moo
+        fluxcd.io/dog: bark
+      labels:
+        app: busybox
+    spec:
+      containers:
+        - name: bb-01
+          image: busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: gooddeployment03
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+        - name: bb-01
+          image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:  
+            foo: bar
+        spec:
+          containers:
+          - name: hello
+            image: busybox:1.35
+            imagePullPolicy: IfNotPresent
+            command:
+            - "sleep"
+            - "3600"
+          restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob02
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:
+            fluxcd.io/cow: moo
+            fluxcd.io/dog: bark
+        spec:
+          containers:
+          - name: hello
+            image: busybox:1.35
+            imagePullPolicy: IfNotPresent
+            command:
+            - "sleep"
+            - "3600"
+          restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob03
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: hello
+            image: busybox:1.35
+            imagePullPolicy: IfNotPresent
+            command:
+            - "sleep"
+            - "3600"
+          restartPolicy: OnFailure

other-cel/allowed-annotations/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: allowed-annotations
+policies:
+- ../allowed-annotations.yaml
+resources:
+- resource.yaml
+results:
+- kind: Pod
+  policy: allowed-annotations
+  resources:
+  - badpod01
+  result: fail
+  rule: allowed-fluxcd-annotations
+- kind: Pod
+  policy: allowed-annotations
+  resources:
+  - goodpod01
+  result: pass
+  rule: allowed-fluxcd-annotations