git clone https://gist.github.com/aslafy-z/4be51cb23e7a40ee5e288ab2ad85f1a6
cd 4be51cb23e7a40ee5e288ab2ad85f1a6
sh run.sh
Repro for Kyverno random test results on v1.9-v1.10
# Test manifest for the `kyverno test .` run in the driver script: it names the
# policy and resource files and the result expected for each
# policy/rule/resource combination.
--- | |
name: require-run-as-nonroot | |
policies: | |
- ./policy.yaml | |
resources: | |
- ./resources.yaml | |
results: | |
# badpod has no kyverno.io/skip annotation in the resources listing, so the
# rule is expected to evaluate it and report a failure.
- policy: require-run-as-nonroot | |
rule: run-as-non-root | |
resources: | |
- badpod | |
result: fail | |
kind: Pod | |
# skippod carries kyverno.io/skip: "true", the annotation named in the rule's
# exclude block, so the expected outcome is skip rather than pass or fail.
- policy: require-run-as-nonroot | |
rule: run-as-non-root | |
resources: | |
- skippod | |
result: skip | |
kind: Pod |
# ClusterPolicy with one validate rule that matches Pods and requires
# runAsNonRoot: true, except for Pods carrying the skip annotation.
# NOTE(review): no validationFailureAction is visible in this listing; if the
# policy is reused in a cluster, confirm whether it is meant to block or only
# to report.
--- | |
apiVersion: kyverno.io/v1 | |
kind: ClusterPolicy | |
metadata: | |
name: require-run-as-nonroot | |
spec: | |
rules: | |
- name: run-as-non-root | |
match: | |
all: | |
- resources: | |
kinds: | |
- Pod | |
# NOTE(review): the exclusion is keyed on an annotation set on the Pod itself,
# so any identity allowed to create or edit Pods can opt a workload out of this
# rule. Outside a repro, restrict who may set kyverno.io/skip or scope the
# exclusion to specific namespaces or subjects instead.
exclude: | |
all: | |
- resources: | |
annotations: | |
kyverno.io/skip: "true" | |
validate: | |
message: "Containers must not run as root" | |
# NOTE(review): the single pattern shown appears to target the pod-level
# spec.securityContext (indentation is lost in this listing - confirm). A Pod
# that sets runAsNonRoot only on its containers would then not satisfy it, and
# container-level overrides are not checked.
anyPattern: | |
- spec: | |
securityContext: | |
runAsNonRoot: true |
# Two Pod fixtures for the test manifest. Both set runAsNonRoot: false; they
# differ in the namespace field and in the kyverno.io/skip annotation.
# NOTE(review): indentation is lost in this listing, so it is not visible
# whether securityContext sits on the busybox container or on the pod spec -
# confirm against the original file, since the policy pattern targets
# spec.securityContext.
--- | |
apiVersion: v1 | |
kind: Pod | |
metadata: | |
# badpod: placed in namespace a and carries no skip annotation.
name: badpod | |
namespace: a | |
spec: | |
containers: | |
- name: busybox | |
securityContext: | |
runAsNonRoot: false | |
--- | |
apiVersion: v1 | |
kind: Pod | |
metadata: | |
# skippod: namespace line is commented out (unlike badpod) and the skip
# annotation is set. NOTE(review): presumably the missing namespace is part of
# what the repro exercises - confirm.
name: skippod | |
# namespace: b | |
annotations: | |
kyverno.io/skip: "true" | |
spec: | |
containers: | |
- name: busybox | |
securityContext: | |
runAsNonRoot: false |
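#!/bin/sh
# Repro driver: fetch the pinned Kyverno CLI release, then run `kyverno test .`
# 101 times and print pass/fail per run so non-deterministic results show up.
#
# Optional environment:
#   KYVERNO_SHA256  expected SHA-256 of the release tarball
#                   (e.g. KYVERNO_SHA256=<expected-sha256> sh run.sh).
#                   When set, the download is verified before extraction.
#
# Exits non-zero if the download, verification or extraction fails, so a
# broken setup is not reported as 101 test failures.
set -eu

version=v1.10.5
archive="kyverno-cli_${version}_linux_x86_64.tar.gz"
url="https://github.com/kyverno/kyverno/releases/download/${version}/${archive}"

# Download to a private temp dir instead of piping straight into tar, so the
# tarball can be checked before anything from it is unpacked and executed.
workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT
tarball="$workdir/$archive"

curl -fsSL -o "$tarball" "$url"

if [ -n "${KYVERNO_SHA256:-}" ]; then
  # sha256sum -c fails (and set -e aborts) on any mismatch.
  printf '%s  %s\n' "$KYVERNO_SHA256" "$tarball" | sha256sum -c - >/dev/null
else
  printf '%s\n' 'warning: KYVERNO_SHA256 not set; tarball integrity not verified' >&2
fi

# Extract only the CLI binary into the current directory.
tar -xzf "$tarball" kyverno
if [ ! -x ./kyverno ]; then
  printf '%s\n' 'error: ./kyverno is missing or not executable after extraction' >&2
  exit 1
fi

# Same iteration count as `seq 0 100` (0..100 inclusive), without needing seq.
i=0
while [ "$i" -le 100 ]; do
  # Output is discarded on purpose; only the exit status of each run matters.
  if ./kyverno test . >/dev/null 2>&1; then
    echo 'pass'
  else
    echo 'fail'
  fi
  i=$((i + 1))
done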