Comments (6)
How are you seeing this fails and on what version? I tested the policy myself manually and it works. We also test this regularly in CI. You're also missing the name field in your Pod above.
$ kyverno version
Version: 1.10.0
Time: 2023-05-30T10:01:31Z
Git commit ID: da6f5c18132f773af15d0e09cbf2e16a36725232
$ kyverno test .
Executing ...
applying 1 policy to 1 resource...
│───│────────────────────────│────────────────────────│──────────────────│────────│
│ # │ POLICY │ RULE │ RESOURCE │ RESULT │
│───│────────────────────────│────────────────────────│──────────────────│────────│
│ 1 │ imagepullpolicy-always │ imagepullpolicy-always │ default/Pod/test │ Fail │
│───│────────────────────────│────────────────────────│──────────────────│────────│
Test Summary: 0 tests passed and 1 tests failed
Aggregated Failed Test Cases :
│───│────────────────────────│────────────────────────│──────────────────│────────│
│ # │ POLICY │ RULE │ RESOURCE │ RESULT │
│───│────────────────────────│────────────────────────│──────────────────│────────│
│ 1 │ imagepullpolicy-always │ imagepullpolicy-always │ default/Pod/test │ Fail │
│───│────────────────────────│────────────────────────│──────────────────│────────│
$ cat .kyverno-test/resource.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test
spec:
  containers:
  - name: test
    image: busybox:1.0.0
    imagePullPolicy: IfNotPresent
$ cat .kyverno-test/kyverno-test.yaml
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: imagepullpolicy-always
policies:
- ../imagepullpolicy-always.yaml
resources:
- resource.yaml
results:
- kind: Pod
  policy: imagepullpolicy-always
  resources:
  - test
  result: pass
  rule: imagepullpolicy-always
Ok, you didn't mention the Kyverno CLI until now. Please test this on the latest version of the CLI (1.11.4).
Apologies for assuming CLI usage! I've downloaded 1.11.4 via curl -LO https://github.com/kyverno/kyverno/releases/download/v1.11.4/kyverno-cli_v1.11.4_linux_x86_64.tar.gz
$ kyverno version
Version: 1.11.4
Time: ---
Git commit ID: ---
$ kyverno test .
Loading test ( .kyverno-test/kyverno-test.yaml ) ...
Loading values/variables ...
Loading policies ...
Loading resources ...
Applying 1 policy to 1 resource ...
Checking results ...
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
│ ID │ POLICY │ RULE │ RESOURCE │ RESULT │ REASON │
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
│ 1 │ imagepullpolicy-always │ imagepullpolicy-always │ Pod/test │ Fail │ Want pass, got skip │
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
Test Summary: 0 tests passed and 1 tests failed
Aggregated Failed Test Cases :
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
│ ID │ POLICY │ RULE │ RESOURCE │ RESULT │ REASON │
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
│ 1 │ imagepullpolicy-always │ imagepullpolicy-always │ Pod/test │ Fail │ Want pass, got skip │
│────│────────────────────────│────────────────────────│──────────│────────│─────────────────────│
Error: 1 tests failed
Does this imply I should change my kyverno-test.yaml to use result: skip for this test, since the image: spec doesn't match the policy check?
> Does this imply I should change my kyverno-test.yaml to use result: skip for this test, since the image: spec doesn't match the policy check?
Yes, exactly.
Makes sense, thank you for quick responses!
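A test layout for the outcome reached in this thread, as an added example that is not from the original comments or the Kyverno project: the pinned-tag Pod is expected to be skipped, and a second Pod is added so the test also exercises the rule rather than only confirming it did not apply. The Pod names, and the expectation that a busybox:latest Pod with IfNotPresent fails, are assumptions, since the policy file itself is not shown here.

```yaml
# --- File 1: .kyverno-test/resource.yaml (constructed sample Pods) ---
apiVersion: v1
kind: Pod
metadata:
  name: pinned-tag            # hypothetical name; same spec as the Pod in the thread
spec:
  containers:
  - name: test
    image: busybox:1.0.0      # tag is not latest, so the rule is not evaluated
    imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Pod
metadata:
  name: latest-cached         # hypothetical name
spec:
  containers:
  - name: test
    image: busybox:latest     # assumption: this is the case the policy targets
    imagePullPolicy: IfNotPresent
---
# --- File 2: .kyverno-test/kyverno-test.yaml (save separately from File 1) ---
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
  name: imagepullpolicy-always
policies:
- ../imagepullpolicy-always.yaml
resources:
- resource.yaml
results:
- kind: Pod
  policy: imagepullpolicy-always
  rule: imagepullpolicy-always
  resources:
  - pinned-tag
  result: skip                # matches the "Want pass, got skip" outcome on CLI 1.11.4
- kind: Pod
  policy: imagepullpolicy-always
  rule: imagepullpolicy-always
  resources:
  - latest-cached
  result: fail                # assumed: the policy rejects latest without Always
```

A skip result only shows that the rule did not apply to that resource, so a test suite made up solely of skip expectations would not detect a policy that had stopped enforcing.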