benjaminjb/alertmanager-deployment-policy.yaml

## alertmanager-deployment-policy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: alertmanager
spec:
  validationFailureAction: Audit
  rules:
  - name: deployment
    match:
      any:
      - resources:
          kinds:
          - Deployment
          name: alertmanager
    validate:
      message: "Should have defined spec"
      pattern:
        spec:
          template:
            spec:
              containers:
              - args:
                - --config.file=/etc/alertmanager/alertmanager.yml
                - --storage.path=/alertmanager
                - --log.level=info
                - --cluster.advertise-address=0.0.0.0:9093
                image: prom/alertmanager:v0.22.2
                name: alertmanager
                ports:
                - containerPort: 9093
                ^(volumeMounts):
                - name: alertmanagerconf
                  mountPath: /etc/alertmanager
                - name: alertmanagerdata
                  mountPath: /alertmanager
              ^(volumes):
              - configMap:
                  defaultMode: 420
                  name: alertmanager-config
                name: alertmanagerconf
              - name: alertmanagerdata
                persistentVolumeClaim:
                  claimName: alertmanagerdata

## alertmanager-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: alertmanager
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: alertmanager
  template:
    metadata:
      labels:
        app.kubernetes.io/component: alertmanager
    spec:
      containers:
      - name: alertmanager
        image: prom/alertmanager:v0.22.2
        args:
        - --config.file=/etc/alertmanager/alertmanager.yml
        - --storage.path=/alertmanager
        - --log.level=info
        - --cluster.advertise-address=0.0.0.0:9093
        ports:
        - containerPort: 9093
        volumeMounts:
        - mountPath: /etc/alertmanager
          name: alertmanagerconf
        - mountPath: /alertmanager
          name: alertmanagerdata
      serviceAccountName: alertmanager
      volumes:
      - name: alertmanagerdata
        persistentVolumeClaim:
          claimName: alertmanagerdata
      - name: alertmanagerconf
        configMap:
          defaultMode: 420
          name: alertmanager-config

## kyverno-test.yaml
name: test
policies:
  - alertmanager-deployment-policy.yaml
resources:
  - alertmanager-deployment.yaml
results:
  - policy: alertmanager
    rule: deployment
    resource: alertmanager
    kind: Deployment
    result: pass

## stdout.txt
$> kyverno test testing/kyverno -v3

Executing test...
I0831 09:36:11.401553   15656 common.go:346]  "msg"="Defaulting request.operation to CREATE"
I0831 09:36:11.402529   15656 common.go:202]  "msg"="read policies" "errors"=0 "policies"=1
applying 1 policy to 1 resource...
I0831 09:36:11.406374   15656 common.go:425]  "msg"="applying policy on resource"
                                              "policy"="alertmanager"
                                              "resource"="default/Deployment/alertmanager"
...
I0831 09:36:11.408626   15656 validate_resource.go:274] engine.validate
                                                        "msg"="validation error"
                                                        "error"="resource value
                                                        '[--config.file=/etc/alertmanager/alertmanager.yml --storage.path=/alertmanager --log.level=info --cluster.advertise-address=0.0.0.0:9093]'
                                                        does not match
                                                        '--config.file=/etc/alertmanager/alertmanager.yml'
                                                        at path /spec/template/spec/containers/0/args/"
                                                        "new.kind"="Deployment"
                                                        "new.name"="alertmanager"
                                                        "new.namespace"="default"
                                                        "path"="/spec/template/spec/containers/0/args/"
                                                        "policy.apply"="All"
                                                        "policy.name"="alertmanager"
                                                        "policy.namespace"=""
                                                        "rule.name"="deployment"
I0831 09:36:11.409628   15656 test_command.go:1155]  "msg"="result mismatch"
                                                     "expected"="pass"
                                                     "key"="alertmanager-deployment-Deployment-alertmanager"
                                                     "received"="fail"

## If I remove the `args` field from the policy file, it passes.
	apiVersion: kyverno.io/v1
	kind: ClusterPolicy
	metadata:
	name: alertmanager
	spec:
	validationFailureAction: Audit
	rules:
	- name: deployment
	match:
	any:
	- resources:
	kinds:
	- Deployment
	name: alertmanager
	validate:
	message: "Should have defined spec"
	pattern:
	spec:
	template:
	spec:
	containers:
	- args:
	- --config.file=/etc/alertmanager/alertmanager.yml
	- --storage.path=/alertmanager
	- --log.level=info
	- --cluster.advertise-address=0.0.0.0:9093
	image: prom/alertmanager:v0.22.2
	name: alertmanager
	ports:
	- containerPort: 9093
	^(volumeMounts):
	- name: alertmanagerconf
	mountPath: /etc/alertmanager
	- name: alertmanagerdata
	mountPath: /alertmanager
	^(volumes):
	- configMap:
	defaultMode: 420
	name: alertmanager-config
	name: alertmanagerconf
	- name: alertmanagerdata
	persistentVolumeClaim:
	claimName: alertmanagerdata
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: alertmanager
	spec:
	selector:
	matchLabels:
	app.kubernetes.io/component: alertmanager
	template:
	metadata:
	labels:
	app.kubernetes.io/component: alertmanager
	spec:
	containers:
	- name: alertmanager
	image: prom/alertmanager:v0.22.2
	args:
	- --config.file=/etc/alertmanager/alertmanager.yml
	- --storage.path=/alertmanager
	- --log.level=info
	- --cluster.advertise-address=0.0.0.0:9093
	ports:
	- containerPort: 9093
	volumeMounts:
	- mountPath: /etc/alertmanager
	name: alertmanagerconf
	- mountPath: /alertmanager
	name: alertmanagerdata
	serviceAccountName: alertmanager
	volumes:
	- name: alertmanagerdata
	persistentVolumeClaim:
	claimName: alertmanagerdata
	- name: alertmanagerconf
	configMap:
	defaultMode: 420
	name: alertmanager-config
	name: test
	policies:
	- alertmanager-deployment-policy.yaml
	resources:
	- alertmanager-deployment.yaml
	results:
	- policy: alertmanager
	rule: deployment
	resource: alertmanager
	kind: Deployment
	result: pass
	$> kyverno test testing/kyverno -v3

	Executing test...
	I0831 09:36:11.401553 15656 common.go:346] "msg"="Defaulting request.operation to CREATE"
	I0831 09:36:11.402529 15656 common.go:202] "msg"="read policies" "errors"=0 "policies"=1
	applying 1 policy to 1 resource...
	I0831 09:36:11.406374 15656 common.go:425] "msg"="applying policy on resource"
	"policy"="alertmanager"
	"resource"="default/Deployment/alertmanager"
	...
	I0831 09:36:11.408626 15656 validate_resource.go:274] engine.validate
	"msg"="validation error"
	"error"="resource value
	'[--config.file=/etc/alertmanager/alertmanager.yml --storage.path=/alertmanager --log.level=info --cluster.advertise-address=0.0.0.0:9093]'
	does not match
	'--config.file=/etc/alertmanager/alertmanager.yml'
	at path /spec/template/spec/containers/0/args/"
	"new.kind"="Deployment"
	"new.name"="alertmanager"
	"new.namespace"="default"
	"path"="/spec/template/spec/containers/0/args/"
	"policy.apply"="All"
	"policy.name"="alertmanager"
	"policy.namespace"=""
	"rule.name"="deployment"
	I0831 09:36:11.409628 15656 test_command.go:1155] "msg"="result mismatch"
	"expected"="pass"
	"key"="alertmanager-deployment-Deployment-alertmanager"
	"received"="fail"

	## If I remove the `args` field from the policy file, it passes.