Comments (6)
chipzoller
commented on August 14, 2024
How are you seeing this fails and on what version? I tested the policy myself manually and it works. We also test this regularly in CI. You're also missing the name field in your Pod above.
from policies.
Kellen275
commented on August 14, 2024
$ kyverno version
Version: 1.10.0
Time: 2023-05-30T10:01:31Z
Git commit ID: da6f5c18132f773af15d0e09cbf2e16a36725232
$ kyverno test .
Executing ...
applying 1 policy to 1 resource...
│───│────────────────────────│────────────────────────│──────────────────│────────│
│ # │ POLICY │ RULE │ RESOURCE │ RESULT │
│───│────────────────────────│────────────────────────│──────────────────│────────│
│ 1 │ imagepullpolicy-always │ imagepullpolicy-always │ default/Pod/test │ Fail │
│───│────────────────────────│────────────────────────│──────────────────│────────│
Test Summary: 0 tests passed and 1 tests failed
Aggregated Failed Test Cases :
│───│────────────────────────│────────────────────────│──────────────────│────────│
│ # │ POLICY │ RULE │ RESOURCE │ RESULT │
│───│────────────────────────│────────────────────────│──────────────────│────────│
│ 1 │ imagepullpolicy-always │ imagepullpolicy-always │ default/Pod/test │ Fail │
│───│────────────────────────│────────────────────────│──────────────────│────────│
$ cat .kyverno-test/resource.yaml
apiVersion: v1
kind: Pod
metadata:
name: test
spec:
containers:
- name: test
image: busybox:1.0.0
imagePullPolicy: IfNotPresent
$ cat .kyverno-test/kyverno-test.yaml
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: imagepullpolicy-always
policies:
- ../imagepullpolicy-always.yaml
resources:
- resource.yaml
results:
- kind: Pod
policy: imagepullpolicy-always
resources:
- test
result: pass
rule: imagepullpolicy-alwaysfrom policies.
chipzoller
commented on August 14, 2024
Ok, you didn't mention the Kyverno CLI until now. Please test this on the latest version of the CLI (1.11.4).
from policies.
Kellen275
commented on August 14, 2024
Apologies for assuming CLI usage! I've downloaded 1.11.4 via curl -LO https://github.com/kyverno/kyverno/releases/download/v1.11.4/kyverno-cli_v1.11.4_linux_x86_64.tar.gz
$ kyverno version
Version: 1.11.4
Time: ---
Git commit ID: ---
$ kyverno test .
Loading test ( .kyverno-test/kyverno-test.yaml ) ...
Loading values/variables ...
Loading policies ...
Loading resources ...
Applying 1 policy to 1 resource ...
Checking results ...
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
│ ID │ POLICY │ RULE │ RESOURCE │ RESULT │ REASON │
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
│ 1 │ imagepullpolicy-always │ imagepullpolicy-always │ Pod/test │ Fail │ Want pass, got skip │
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
Test Summary: 0 tests passed and 1 tests failed
Aggregated Failed Test Cases :
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
│ ID │ POLICY │ RULE │ RESOURCE │ RESULT │ REASON │
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
│ 1 │ imagepullpolicy-always │ imagepullpolicy-always │ Pod/test │ Fail │ Want pass, got skip │
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
Error: 1 tests failedDoes this imply I should change my kyverno-test.yaml to use result: skip for this test, since the image: spec doesn't match the policy check?
from policies.
chipzoller
commented on August 14, 2024
Does this imply I should change my
kyverno-test.yamlto useresult: skipfor this test, since theimage:spec doesn't match the policy check?
Yes, exactly.
from policies.
Kellen275
commented on August 14, 2024
Makes sense, thank you for quick responses!
from policies.
Related Issues (20)
- [Enhancement] Move PSS CEL test resources inside folders HOT 2
- [Sample] policy to check if the metrics server is configured or not HOT 1
- [Need help] prevent-bare-pod custom to bypass node-shell(nsenter) pod in use node-shell command HOT 3
- [Sample] policy to check if prometheus is configured or not HOT 3
- [Sample] policy to check if the resources of an object are within the upperbound and lowerbound as suggested by vpa recommender HOT 1
- [Enhancement] Improve description of scale deployment to zero policy
- [Chainsaw Tests] Add Chainsaw tests for the sample policies HOT 2
- [Bug] update sample policies to include all container types in a pod
- [Chainsaw tests] Write test for cleanup empty replica sets sample policy HOT 2
- Prepend Image Registry policy should not apply on `UPDATE` for `initContainers` HOT 3
- [Chainsaw Tests] Add Chainsaw tests for the sample policy disallow-proc-mount HOT 2
- Refactoring the chainsaw tests on cert-manager/limit-dnsnames HOT 4
- [Bug] Variable `image` is not accessible in `spec.rules.verifyImages.repository` field
- [Bug] Improve policy other/add-node-affinity/add-node-affinity.yaml
- [Sample] Best Practices for PDBs HOT 5
- Require Unique UID per Workload - Hlem Upgrade Issue HOT 1
- Error from server: error when creating "allowed_container.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: HOT 2
- Add RoleBinding not working for EKS(aws k8s cluster) HOT 7
- Block Stale Images
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from policies.