@aslafy-z
Last active November 22, 2023 20:32
Repro for Kyverno random test results on v1.9-v1.10

Reproduction for Kyverno random test results on v1.9-v1.10

git clone https://gist.github.com/aslafy-z/4be51cb23e7a40ee5e288ab2ad85f1a6
cd 4be51cb23e7a40ee5e288ab2ad85f1a6
sh run.sh

---
name: require-run-as-nonroot
policies:
  - ./policy.yaml
resources:
  - ./resources.yaml
results:
  - policy: require-run-as-nonroot
    rule: run-as-non-root
    resources:
      - badpod
    result: fail
    kind: Pod
  - policy: require-run-as-nonroot
    rule: run-as-non-root
    resources:
      - skippod
    result: skip
    kind: Pod

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
spec:
  rules:
    - name: run-as-non-root
      match:
        all:
          - resources:
              kinds:
                - Pod
      exclude:
        all:
          - resources:
              annotations:
                kyverno.io/skip: "true"
      validate:
        message: "Containers must not run as root"
        anyPattern:
          - spec:
              securityContext:
                runAsNonRoot: true

---
apiVersion: v1
kind: Pod
metadata:
  name: badpod
  namespace: a
spec:
  containers:
    - name: busybox
  securityContext:
    runAsNonRoot: false
---
apiVersion: v1
kind: Pod
metadata:
  name: skippod
  # namespace: b
  annotations:
    kyverno.io/skip: "true"
spec:
  containers:
    - name: busybox
  securityContext:
    runAsNonRoot: false
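
#!/bin/sh
# Download the Kyverno CLI v1.10.5 and extract only the `kyverno` binary.
curl -fsSL https://github.com/kyverno/kyverno/releases/download/v1.10.5/kyverno-cli_v1.10.5_linux_x86_64.tar.gz | tar -xzf - kyverno
# Run the same test suite repeatedly; identical inputs should give identical
# results, so a mix of 'pass' and 'fail' lines shows the nondeterminism.
for i in $(seq 0 100); do
  ./kyverno test . >/dev/null 2>&1 && echo 'pass' || echo 'fail'
done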