├── .chainsaw.yaml ├── .chainsaw └── crds │ ├── applications.yaml │ ├── applicationsets.yaml │ ├── appprojects.yaml │ ├── certificates.yaml │ ├── cluster.yaml │ ├── externalsecrets.yaml │ ├── flux-repositories.yaml │ ├── istio-resources.yaml │ ├── kasten-policy.yaml │ ├── kubevirt-vm.yaml │ ├── linkerd.yaml │ ├── machineset.yaml │ ├── mesh.yaml │ ├── openshift.yaml │ ├── pipelinerun.yaml │ ├── restore.yaml │ ├── schedule.yaml │ ├── taskrun.yaml │ ├── tlsoption.yaml │ └── vpa.yaml ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.yml │ └── sample_policy.yml ├── PULL_REQUEST_TEMPLATE.md ├── actions │ ├── run-tests │ │ └── action.yaml │ └── setup-env │ │ └── action.yaml ├── cherry-pick-bot.yml ├── config.yaml ├── dependabot.yml ├── kind.yml └── workflows │ ├── check-actions.yaml │ ├── ci.yml │ └── test.yml ├── .gitignore ├── .hack ├── update-artifacthub-pkg.sh └── verify-files-structure.sh ├── LICENSE ├── README.md ├── argo-cel ├── application-field-validation │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── bad-application.yaml │ │ ├── chainsaw-test.yaml │ │ ├── crd-assert.yaml │ │ ├── good-application.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── application-field-validation.yaml │ └── artifacthub-pkg.yml ├── application-prevent-default-project │ ├── .chainsaw-test │ │ ├── bad-application.yaml │ │ ├── chainsaw-test.yaml │ │ ├── crd-assert.yaml │ │ ├── good-application.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── application-prevent-default-project.yaml │ └── artifacthub-pkg.yml ├── application-prevent-updates-project │ ├── .chainsaw-test │ │ ├── application-bad-update.yaml │ │ ├── application-update.yaml │ │ ├── application.yaml │ │ ├── chainsaw-test.yaml │ │ ├── crd-assert.yaml │ │ └── policy-ready.yaml │ ├── application-prevent-updates-project.yaml │ └── artifacthub-pkg.yml ├── applicationset-name-matches-project │ ├── .chainsaw-test │ │ ├── bad-appset.yaml │ │ ├── chainsaw-test.yaml │ │ ├── 
crd-assert.yaml │ │ ├── good-appset.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── applicationset-name-matches-project.yaml │ └── artifacthub-pkg.yml └── appproject-clusterresourceblacklist │ ├── .chainsaw-test │ ├── bad-both-wildcard.yaml │ ├── bad-group-wildcard.yaml │ ├── bad-kind-wildcard.yaml │ ├── bad-no-blacklist.yaml │ ├── chainsaw-test.yaml │ ├── crd-assert.yaml │ ├── good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resources.yaml │ ├── appproject-clusterresourceblacklist.yaml │ └── artifacthub-pkg.yml ├── argo ├── application-field-validation │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── bad-application.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ └── good-application.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── application-field-validation.yaml │ └── artifacthub-pkg.yml ├── application-prevent-default-project │ ├── .chainsaw-test │ │ ├── bad-application.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ └── good-application.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── application-prevent-default-project.yaml │ └── artifacthub-pkg.yml ├── application-prevent-updates-project │ ├── .chainsaw-test │ │ ├── application-bad-update.yaml │ │ ├── application-update.yaml │ │ ├── application.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-assert-1.yaml │ │ └── chainsaw-test.yaml │ ├── application-prevent-updates-project.yaml │ └── artifacthub-pkg.yml ├── applicationset-name-matches-project │ ├── .chainsaw-test │ │ ├── bad-appset.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ └── good-appset.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── applicationset-name-matches-project.yaml │ └── artifacthub-pkg.yml ├── appproject-clusterresourceblacklist │ 
├── .chainsaw-test │ │ ├── bad-both-wildcard.yaml │ │ ├── bad-group-wildcard.yaml │ │ ├── bad-kind-wildcard.yaml │ │ ├── bad-no-blacklist.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ └── good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── appproject-clusterresourceblacklist.yaml │ └── artifacthub-pkg.yml └── argo-cluster-generation-from-rancher-capi │ ├── .chainsaw-test │ ├── chainsaw-step-00-assert-1.yaml │ ├── chainsaw-step-01-apply-1.yaml │ ├── chainsaw-step-01-apply-2.yaml │ ├── chainsaw-step-01-apply-3.yaml │ ├── chainsaw-step-01-apply-4.yaml │ ├── chainsaw-step-01-apply-5.yaml │ ├── chainsaw-test.yaml │ ├── cluster.yaml │ ├── permissions.yaml │ ├── policy-ready.yaml │ ├── secret-generated01.yaml │ └── secret-generated02.yaml │ ├── argo-cluster-generation-from-rancher-capi.yaml │ └── artifacthub-pkg.yml ├── artifacthub-repo.yml ├── aws-cel └── require-encryption-aws-loadbalancers │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── policy-ready.yaml │ ├── service-fail.yaml │ ├── service-pass.yaml │ └── service-skip.yaml │ ├── .kyverno-test │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-encryption-aws-loadbalancers.yaml ├── aws ├── require-aws-node-irsa │ ├── artifacthub-pkg.yml │ └── require-aws-node-irsa.yaml └── require-encryption-aws-loadbalancers │ ├── .chainsaw-test │ ├── chainsaw-step-01-assert-1.yaml │ ├── chainsaw-test.yaml │ ├── service-fail.yaml │ ├── service-pass.yaml │ └── service-skip.yaml │ ├── .kyverno-test │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-encryption-aws-loadbalancers.yaml ├── best-practices-cel ├── check-deprecated-apis │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── check-deprecated-apis.yaml ├── disallow-cri-sock-mount │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── good-pod.yaml │ │ ├── pod-containerd-sock.yaml │ │ ├── 
pod-cri-dockerd-sock.yaml │ │ ├── pod-crio-sock.yaml │ │ ├── pod-docker-sock.yaml │ │ ├── pod-emptydir-vol.yaml │ │ ├── pod-no-volumes.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-cri-sock-mount.yaml ├── disallow-default-namespace │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── deploy-default.yaml │ │ ├── ds-default.yaml │ │ ├── good-resources.yaml │ │ ├── job-default.yaml │ │ ├── ns.yaml │ │ ├── pod-default.yaml │ │ ├── policy-ready.yaml │ │ └── ss-default.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-default-namespace.yaml ├── disallow-empty-ingress-host │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── good-ingress.yaml │ │ ├── no-host-fail-first.yaml │ │ ├── no-host-ingress.yaml │ │ ├── no-host-success-first.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-empty-ingress-host.yaml ├── disallow-helm-tiller │ ├── .chainsaw-test │ │ ├── bad-deploy.yaml │ │ ├── bad-pod-fail-first.yaml │ │ ├── bad-pod-success-first.yaml │ │ ├── bad-pod.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-deploy.yaml │ │ ├── good-pod.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-helm-tiller.yaml ├── disallow-latest-tag │ ├── .chainsaw-test │ │ ├── bad-pod-latest-fail-first.yaml │ │ ├── bad-pod-latest-success-first.yaml │ │ ├── bad-pod-no-tag.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pod.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-latest-tag.yaml ├── require-drop-all │ ├── .chainsaw-test │ │ ├── bad-pod-containers.yaml │ │ ├── bad-pod-corner.yaml │ │ ├── bad-pod-initcontainers.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ 
│ ├── good-pod.yaml │ │ ├── good-podcontrollers.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-drop-all.yaml ├── require-drop-cap-net-raw │ ├── .chainsaw-test │ │ ├── bad-pod-containers.yaml │ │ ├── bad-pod-corner.yaml │ │ ├── bad-pod-initcontainers.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pod.yaml │ │ ├── good-podcontrollers.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-drop-cap-net-raw.yaml ├── require-labels │ ├── .chainsaw-test │ │ ├── bad-pod-nolabel.yaml │ │ ├── bad-pod-somelabel.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-podcontrollers.yaml │ │ ├── good-pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-labels.yaml ├── require-pod-requests-limits │ ├── .chainsaw-test │ │ ├── bad-pod-nolimit.yaml │ │ ├── bad-pod-nores.yaml │ │ ├── bad-pod-nothing.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-podcontrollers.yaml │ │ ├── good-pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-pod-requests-limits.yaml ├── require-probes │ ├── .chainsaw-test │ │ ├── bad-pod-notall.yaml │ │ ├── bad-pod-nothing.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-podcontrollers.yaml │ │ ├── good-pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-probes.yaml ├── require-ro-rootfs │ ├── .chainsaw-test │ │ ├── bad-pod-false.yaml │ │ ├── bad-pod-notall.yaml │ │ ├── bad-pod-nothing.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-podcontrollers.yaml │ │ ├── good-pods.yaml │ │ └── 
policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-ro-rootfs.yaml ├── restrict-image-registries │ ├── .chainsaw-test │ │ ├── bad-pod-false.yaml │ │ ├── bad-pod-noregistry.yaml │ │ ├── bad-pod-notall.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-podcontrollers.yaml │ │ ├── good-pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-image-registries.yaml ├── restrict-node-port │ ├── .chainsaw-test │ │ ├── bad-service-nodeport.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-services.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-node-port.yaml └── restrict-service-external-ips │ ├── .chainsaw-test │ ├── bad-service-oneip.yaml │ ├── bad-service-twoeip.yaml │ ├── chainsaw-test.yaml │ ├── good-services.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-service-external-ips.yaml ├── best-practices ├── add-network-policy │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── notGeneratedResource.yaml │ │ ├── old-resource.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── generatedResource.yaml │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── add-network-policy.yaml │ └── artifacthub-pkg.yml ├── add-networkpolicy-dns │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── generatedResource.yaml │ │ ├── notGeneratedResource.yaml │ │ ├── old-resource.yaml │ │ ├── policy-ready.yaml │ │ └── resource.yaml │ ├── add-networkpolicy-dns.yaml │ └── artifacthub-pkg.yml ├── add-ns-quota │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── notGeneratedResource.yaml │ │ ├── old-resource.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── generatedLimitRange.yaml │ │ ├── generatedResourceQuota.yaml │ │ 
├── kyverno-test.yaml │ │ └── resource.yaml │ ├── add-ns-quota.yaml │ └── artifacthub-pkg.yml ├── add-rolebinding │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-apply-1.yaml │ │ ├── chainsaw-step-03-apply-1.yaml │ │ ├── chainsaw-step-03-apply-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns-rb.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ ├── rb-gen.yaml │ │ └── rb-not-gen.yaml │ ├── add-rolebinding.yaml │ └── artifacthub-pkg.yml ├── add-safe-to-evict │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── notPatchedResources.yaml │ │ ├── patchedResources.yaml │ │ ├── policy-ready.yaml │ │ └── resource-others.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── myapp-pod03-patched.yaml │ │ ├── myapp-pod04-patched.yaml │ │ └── resource.yaml │ ├── add-safe-to-evict.yaml │ └── artifacthub-pkg.yml ├── check-deprecated-apis │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── check-deprecated-apis.yaml ├── disallow-cri-sock-mount │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── good-pod.yaml │ │ ├── pod-containerd-sock.yaml │ │ ├── pod-cri-dockerd-sock.yaml │ │ ├── pod-crio-sock.yaml │ │ ├── pod-docker-sock.yaml │ │ ├── pod-emptydir-vol.yaml │ │ ├── pod-no-volumes.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-cri-sock-mount.yaml ├── disallow-default-namespace │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── deploy-default.yaml │ │ ├── ds-default.yaml │ │ ├── good-resources.yaml │ │ ├── job-default.yaml │ │ ├── ns.yaml │ │ ├── pod-default.yaml │ │ ├── policy-ready.yaml │ │ └── ss-default.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-default-namespace.yaml ├── disallow-empty-ingress-host │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── good-ingress.yaml │ │ ├── no-host-fail-first.yaml │ │ ├── no-host-ingress.yaml │ │ ├── 
no-host-success-first.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-empty-ingress-host.yaml ├── disallow-helm-tiller │ ├── .chainsaw-test │ │ ├── bad-deploy.yaml │ │ ├── bad-pod-fail-first.yaml │ │ ├── bad-pod-success-first.yaml │ │ ├── bad-pod.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-deploy.yaml │ │ ├── good-pod.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-helm-tiller.yaml ├── disallow-latest-tag │ ├── .chainsaw-test │ │ ├── bad-pod-latest-fail-first.yaml │ │ ├── bad-pod-latest-success-first.yaml │ │ ├── bad-pod-no-tag.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pod.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-latest-tag.yaml ├── require-drop-all │ ├── .chainsaw-test │ │ ├── bad-pod-containers.yaml │ │ ├── bad-pod-corner.yaml │ │ ├── bad-pod-initcontainers.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pod.yaml │ │ ├── good-podcontrollers.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-drop-all.yaml ├── require-drop-cap-net-raw │ ├── .chainsaw-test │ │ ├── bad-pod-containers.yaml │ │ ├── bad-pod-corner.yaml │ │ ├── bad-pod-initcontainers.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pod.yaml │ │ ├── good-podcontrollers.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-drop-cap-net-raw.yaml ├── require-labels │ ├── .chainsaw-test │ │ ├── bad-pod-nolabel.yaml │ │ ├── bad-pod-somelabel.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-podcontrollers.yaml │ │ ├── good-pods.yaml │ │ └── policy-ready.yaml │ ├── 
.kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-labels.yaml ├── require-pod-requests-limits │ ├── .chainsaw-test │ │ ├── bad-pod-nolimit.yaml │ │ ├── bad-pod-nores.yaml │ │ ├── bad-pod-nothing.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-podcontrollers.yaml │ │ ├── good-pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-pod-requests-limits.yaml ├── require-probes │ ├── .chainsaw-test │ │ ├── bad-pod-notall.yaml │ │ ├── bad-pod-nothing.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-podcontrollers.yaml │ │ ├── good-pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-probes.yaml ├── require-ro-rootfs │ ├── .chainsaw-test │ │ ├── bad-pod-false.yaml │ │ ├── bad-pod-notall.yaml │ │ ├── bad-pod-nothing.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-podcontrollers.yaml │ │ ├── good-pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-ro-rootfs.yaml ├── restrict-image-registries │ ├── .chainsaw-test │ │ ├── bad-pod-false.yaml │ │ ├── bad-pod-noregistry.yaml │ │ ├── bad-pod-notall.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-podcontrollers.yaml │ │ ├── good-pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-image-registries.yaml ├── restrict-node-port │ ├── .chainsaw-test │ │ ├── bad-service-nodeport.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-services.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-node-port.yaml └── 
restrict-service-external-ips │ ├── .chainsaw-test │ ├── bad-service-oneip.yaml │ ├── bad-service-twoeip.yaml │ ├── chainsaw-test.yaml │ ├── good-services.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-service-external-ips.yaml ├── castai └── add-castai-removal-disabled │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ ├── patched01.yaml │ ├── patched02.yaml │ └── resources.yaml │ ├── add-castai-removal-disabled.yaml │ └── artifacthub-pkg.yml ├── cert-manager ├── limit-dnsnames │ ├── .chainsaw-test │ │ ├── cert-bad.yaml │ │ ├── cert-good.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-01-assert-2.yaml │ │ └── chainsaw-test.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── limit-dnsnames.yaml ├── limit-duration │ ├── .chainsaw-test │ │ ├── cert-bad.yaml │ │ ├── cert-good.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-01-assert-2.yaml │ │ └── chainsaw-test.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── limit-duration.yaml └── restrict-issuer │ ├── .chainsaw-test │ ├── cert-bad.yaml │ ├── cert-good.yaml │ ├── chainsaw-step-01-assert-1.yaml │ ├── chainsaw-step-01-assert-2.yaml │ └── chainsaw-test.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-issuer.yaml ├── cleanup ├── cleanup-bare-pods │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cluster-role.yaml │ │ └── pod.yaml │ ├── artifacthub-pkg.yml │ └── cleanup-bare-pods.yaml └── cleanup-empty-replicasets │ ├── .chainsaw-test │ ├── chainsaw-assert-1.yaml │ ├── chainsaw-test.yaml │ ├── cluster-role.yaml │ ├── config.yaml │ └── rs.yaml │ ├── artifacthub-pkg.yml │ └── cleanup-empty-replicasets.yaml ├── consul-cel └── 
enforce-min-tls-version │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── crd-assert.yaml │ ├── mesh-bad.yaml │ ├── mesh-good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── enforce-min-tls-version.yaml ├── consul └── enforce-min-tls-version │ ├── .chainsaw-test │ ├── chainsaw-step-00-assert-1.yaml │ ├── chainsaw-test.yaml │ ├── mesh-bad.yaml │ ├── mesh-good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── enforce-min-tls-version.yaml ├── external-secret-operator └── add-external-secret-prefix │ ├── .chainsaw-test │ ├── README.md │ ├── chainsaw-step-01-assert-1.yaml │ ├── chainsaw-test.yaml │ ├── ns.yaml │ ├── policy-ready.yaml │ ├── resource-mutated.yaml │ └── resource.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ ├── patched.yaml │ └── resource.yaml │ ├── add-external-secret-prefix.yaml │ └── artifacthub-pkg.yml ├── flux-cel ├── verify-flux-sources │ ├── .chainsaw-test │ │ ├── bucket-crd-assert.yaml │ │ ├── chainsaw-test.yaml │ │ ├── git-repository-crd-assert.yaml │ │ ├── helm-repository-crd-assert.yaml │ │ ├── image-repository-crd-assert.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ ├── repo-bad-bucket.yaml │ │ ├── repo-bad-git.yaml │ │ ├── repo-bad-helm.yaml │ │ ├── repo-bad-image.yaml │ │ ├── repo-good-bucket.yaml │ │ ├── repo-good-git.yaml │ │ ├── repo-good-helm.yaml │ │ └── repo-good-image.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── verify-flux-sources.yaml └── verify-git-repositories │ ├── .chainsaw-test-rename-after-issue-10313-fix │ ├── bad-gitrepositories.yaml │ ├── bad.yaml │ ├── chainsaw-test-rename-after-issue-10313-fix.yaml │ ├── good-gitrepositories.yaml │ ├── good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── verify-git-repositories.yaml ├── flux ├── generate-flux-multi-tenant-resources │ 
├── .chainsaw-test │ │ ├── chainsaw-step-03-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cluster-role.yaml │ │ ├── generatedResources.yaml │ │ ├── notGeneratedResource.yaml │ │ ├── ns.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── generate-flux-multi-tenant-resources.yaml ├── verify-flux-images │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-ghcr-helm-controller.yaml │ │ ├── pod-ghcr-image-automation-controller.yaml │ │ ├── pod-ghcr-image-reflector-controller.yaml │ │ ├── pod-ghcr-kustomize-controller.yaml │ │ ├── pod-ghcr-notification-controller.yaml │ │ ├── pod-ghcr-source-controller.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── verify-flux-images.yaml ├── verify-flux-sources │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-01-assert-2.yaml │ │ ├── chainsaw-step-01-assert-3.yaml │ │ ├── chainsaw-step-01-assert-4.yaml │ │ ├── chainsaw-step-01-assert-5.yaml │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── repo-bad-bucket.yaml │ │ ├── repo-bad-git.yaml │ │ ├── repo-bad-helm.yaml │ │ ├── repo-bad-image.yaml │ │ ├── repo-good-bucket.yaml │ │ ├── repo-good-git.yaml │ │ ├── repo-good-helm.yaml │ │ └── repo-good-image.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── verify-flux-sources.yaml └── verify-git-repositories │ ├── .chainsaw-test │ ├── bad-gitrepositories.yaml │ ├── bad.yaml │ ├── chainsaw-test.yaml │ ├── good-gitrepositories.yaml │ ├── good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── verify-git-repositories.yaml ├── istio-cel ├── enforce-sidecar-injection-namespace │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns-bad-disabled.yaml │ │ ├── ns-bad-nolabel.yaml │ │ ├── ns-bad-somelabel.yaml │ │ ├── ns-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── enforce-sidecar-injection-namespace.yaml ├── 
enforce-strict-mtls │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── crd-assert.yaml │ │ ├── pa-bad.yaml │ │ ├── pa-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── enforce-strict-mtls.yaml └── prevent-disabling-injection-pods │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── pod-bad.yaml │ ├── pod-good.yaml │ ├── podcontroller-bad.yaml │ ├── podcontroller-good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── prevent-disabling-injection-pods.yaml ├── istio ├── add-ambient-mode-namespace │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-test.yaml │ │ ├── patched-ns-alt.yaml │ │ ├── patched-ns-disabled.yaml │ │ ├── patched-ns-enabled.yaml │ │ ├── patched-ns-none.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── add-ambient-mode-namespace.yaml │ └── artifacthub-pkg.yml ├── add-sidecar-injection-namespace │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-test.yaml │ │ ├── patched-ns-alt.yaml │ │ ├── patched-ns-disabled.yaml │ │ ├── patched-ns-enabled.yaml │ │ ├── patched-ns-none.yaml │ │ └── policy-ready.yaml │ ├── add-sidecar-injection-namespace.yaml │ └── artifacthub-pkg.yml ├── create-authorizationpolicy │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-05-apply-1.yaml │ │ ├── chainsaw-step-06-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── permissions.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── create-authorizationpolicy.yaml ├── enforce-ambient-mode-namespace │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── 
chainsaw-test.yaml │ │ ├── ns-bad-disabled.yaml │ │ ├── ns-bad-nolabel.yaml │ │ ├── ns-bad-somelabel.yaml │ │ └── ns-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── enforce-ambient-mode-namespace.yaml ├── enforce-sidecar-injection-namespace │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns-bad-disabled.yaml │ │ ├── ns-bad-nolabel.yaml │ │ ├── ns-bad-somelabel.yaml │ │ └── ns-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── enforce-sidecar-injection-namespace.yaml ├── enforce-strict-mtls │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-01-assert-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pa-bad.yaml │ │ └── pa-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── enforce-strict-mtls.yaml ├── enforce-tls-hosts-host-subnets │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-01-assert-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── dr-bad.yaml │ │ └── dr-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── enforce-tls-hosts-host-subnets.yaml ├── prevent-disabling-injection-pods │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── prevent-disabling-injection-pods.yaml ├── require-authorizationpolicy │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-apply-1.yaml │ │ ├── chainsaw-step-01-apply-2.yaml │ │ ├── chainsaw-step-01-apply-3.yaml │ │ ├── chainsaw-test.yaml │ │ ├── permissions.yaml │ │ ├── policy-ready.yaml │ │ └── report-assert.yaml │ ├── artifacthub-pkg.yml │ └── require-authorizationpolicy.yaml ├── restrict-virtual-service-wildcard │ ├── .chainsaw-test │ │ ├── bad-vs.yaml │ │ ├── 
chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-01-assert-2.yaml │ │ ├── chainsaw-test.yaml │ │ └── good-vs.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── restrict-virtual-service-wildcard.yaml ├── service-mesh-disallow-capabilities │ ├── .chainsaw-test │ │ ├── bad.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── service-mesh-disallow-capabilities.yaml └── service-mesh-require-run-as-nonroot │ ├── .chainsaw-test │ ├── bad.yaml │ ├── chainsaw-test.yaml │ ├── good.yaml │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── service-mesh-require-run-as-nonroot.yaml ├── karpenter ├── add-karpenter-daemonset-priority-class │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── patched-resource.yaml │ │ ├── policy-ready.yaml │ │ └── resource.yaml │ ├── .kyverno-test │ │ ├── daemonset-patched.yaml │ │ ├── daemonset.yaml │ │ └── kyverno-test.yaml │ ├── add-karpenter-daemonset-priority-class.yaml │ └── artifacthub-pkg.yml ├── add-karpenter-donot-evict │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── patched03.yaml │ │ ├── patched04.yaml │ │ ├── policy-ready.yaml │ │ └── resource-others.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patched01.yaml │ │ ├── patched02.yaml │ │ └── resource.yaml │ ├── add-karpenter-donot-evict.yaml │ └── artifacthub-pkg.yml ├── add-karpenter-nodeselector │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── patch-lg-bad.yaml │ │ ├── patch-lg.yaml │ │ ├── patch-med-bad.yaml │ │ ├── patch-med.yaml │ │ ├── patch-sm-bad.yaml │ │ ├── policy-ready.yaml │ │ └── resource.yaml │ ├── add-karpenter-nodeselector.yaml │ └── artifacthub-pkg.yml └── set-karpenter-non-cpu-limits │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── ns.yaml │ ├── pod-others-patched.yaml │ ├── pod-others.yaml │ ├── podcontroller-patched.yaml │ ├── podcontroller-resources.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── 
kyverno-test.yaml │ ├── pod-ephemeral-storage-patched1.yaml │ ├── pod-ephemeral-storage-patched2.yaml │ ├── pod-ephemeral-storage-patched3.yaml │ ├── pod-ephemeral-storage-patched4.yaml │ ├── pod-memory-patched1.yaml │ ├── pod-memory-patched2.yaml │ ├── pod-memory-patched3.yaml │ ├── pod-memory-patched4.yaml │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── set-karpenter-non-cpu-limits.yaml ├── kasten-cel ├── k10-data-protection-by-label │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── crd-assert.yaml │ │ ├── deployment-bad-badlabel.yaml │ │ ├── deployment-bad-nolabel.yaml │ │ ├── deployment-good.yaml │ │ ├── nginx-deployment-invalid.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ ├── ss-bad-badlabel.yaml │ │ ├── ss-bad-nolabel.yaml │ │ └── ss-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── nginx-deployment.yaml │ ├── artifacthub-pkg.yml │ └── k10-data-protection-by-label.yaml ├── k10-hourly-rpo │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── crd-assert.yaml │ │ ├── k10-bad-policy.yaml │ │ ├── k10-good-policy.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── backup-export-policy.yaml │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── k10-hourly-rpo.yaml └── k10-validate-ns-by-preset-label │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── crd-assert.yaml │ ├── ns-bad.yaml │ ├── ns-good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── test-resource.yaml │ ├── artifacthub-pkg.yml │ └── k10-validate-ns-by-preset-label.yaml ├── kasten ├── README.md ├── kasten-3-2-1-backup │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-01-assert-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── k10-bad-policy.yaml │ │ └── k10-good-policy.yaml │ ├── .kyverno-test │ │ ├── kasten-backup-policy.yaml │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── kasten-3-2-1-backup.yaml ├── kasten-data-protection-by-label │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ 
├── chainsaw-step-01-assert-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── deployment-bad-badlabel.yaml │ │ ├── deployment-bad-nolabel.yaml │ │ ├── deployment-good.yaml │ │ ├── nginx-deployment-invalid.yaml │ │ ├── ns.yaml │ │ ├── ss-bad-badlabel.yaml │ │ ├── ss-bad-nolabel.yaml │ │ └── ss-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── nginx-deployment.yaml │ ├── artifacthub-pkg.yml │ └── kasten-data-protection-by-label.yaml ├── kasten-generate-example-backup-policy │ ├── .kyverno-test │ │ ├── generatedResource.yaml │ │ ├── kyverno-test.yaml │ │ ├── test-resource.yaml │ │ └── test-values.yaml │ ├── artifacthub-pkg.yml │ └── kasten-generate-example-backup-policy.yaml ├── kasten-generate-policy-by-preset-label │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-apply-1.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-03-apply-1.yaml │ │ ├── chainsaw-step-03-apply-2.yaml │ │ ├── chainsaw-step-03-apply-3.yaml │ │ ├── chainsaw-step-03-apply-4.yaml │ │ ├── chainsaw-step-03-apply-5.yaml │ │ ├── chainsaw-step-03-apply-6.yaml │ │ ├── chainsaw-test.yaml │ │ ├── generated-policy.yaml │ │ ├── not-generated-policy.yaml │ │ ├── permissions.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── generatedResource.yaml │ │ ├── kyverno-test.yaml │ │ ├── test-resource.yaml │ │ └── test-values.yaml │ ├── artifacthub-pkg.yml │ └── kasten-generate-policy-by-preset-label.yaml ├── kasten-hourly-rpo │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-01-assert-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── k10-bad-policy.yaml │ │ ├── k10-good-policy.yaml │ │ └── ns.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── test-policies.yaml │ │ └── test-values.yaml │ ├── artifacthub-pkg.yml │ └── kasten-hourly-rpo.yaml ├── kasten-immutable-location-profile │ ├── .kyverno-test │ │ ├── immutable-location-profile.yaml │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── kasten-immutable-location-profile.yaml ├── 
kasten-minimum-retention │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── kuttlresource.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ └── resource-mutated.yaml │ ├── .kyverno-test │ │ ├── kasten-hourly-policy.yaml │ │ ├── kasten-skipped-policies.yaml │ │ ├── kyverno-test.yaml │ │ └── patched.yaml │ ├── artifacthub-pkg.yml │ └── kasten-minimum-retention.yaml └── kasten-validate-ns-by-preset-label │ ├── .chainsaw-test │ ├── chainsaw-step-01-assert-1.yaml │ ├── chainsaw-step-01-assert-2.yaml │ ├── chainsaw-test.yaml │ ├── ns-bad.yaml │ └── ns-good.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── test-resource.yaml │ ├── artifacthub-pkg.yml │ └── kasten-validate-ns-by-preset-label.yaml ├── kubecost-cel └── require-kubecost-labels │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── pod-bad.yaml │ ├── pod-good.yaml │ ├── podcontroller-bad.yaml │ ├── podcontroller-good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-kubecost-labels.yaml ├── kubecost ├── enable-kubecost-continuous-rightsizing │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── not-patched-deploy.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── enable-kubecost-continuous-rightsizing.yaml ├── kubecost-proactive-cost-control │ ├── artifacthub-pkg.yml │ └── kubecost-proactive-cost-control.yaml └── require-kubecost-labels │ ├── .chainsaw-test │ ├── chainsaw-step-01-assert-1.yaml │ ├── chainsaw-test.yaml │ ├── pod-bad.yaml │ ├── pod-good.yaml │ ├── podcontroller-bad.yaml │ └── podcontroller-good.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-kubecost-labels.yaml ├── kubeops ├── README.md └── config-syncer-secret-generation-from-rancher-capi │ ├── .chainsaw-test │ ├── 
chainsaw-step-00-assert-1.yaml │ ├── chainsaw-step-01-apply-1.yaml │ ├── chainsaw-step-01-apply-2.yaml │ ├── chainsaw-step-01-apply-3.yaml │ ├── chainsaw-step-01-apply-4.yaml │ ├── chainsaw-step-01-apply-5.yaml │ ├── chainsaw-step-03-apply-1.yaml │ ├── chainsaw-test.yaml │ ├── cluster.yaml │ ├── ns.yaml │ ├── permissions.yaml │ ├── policy-ready.yaml │ ├── secret-generated01.yaml │ ├── secret-generated02.yaml │ └── setup.yaml │ ├── artifacthub-pkg.yml │ └── config-syncer-secret-generation-from-rancher-capi.yaml ├── kubevirt ├── README.md ├── add-services │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-assert-1.yaml │ │ ├── chainsaw-step-01-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── generated-svc.yaml │ │ ├── permissions.yaml │ │ ├── policy-ready.yaml │ │ └── vmi.yaml │ ├── .kyverno-test │ │ ├── generatedResource.yaml │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── add-services.yaml │ └── artifacthub-pkg.yml └── enforce-instancetype │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── policy-ready.yaml │ ├── vm-bad.yaml │ └── vm-good.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── enforce-instancetype.yaml ├── linkerd-cel ├── prevent-linkerd-pod-injection-override │ ├── .chainsaw-test │ │ ├── bad-pod.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pod.yaml │ │ ├── good-podcontrollers.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── prevent-linkerd-pod-injection-override.yaml ├── prevent-linkerd-port-skipping │ ├── .chainsaw-test │ │ ├── bad-pod.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pod.yaml │ │ ├── good-podcontrollers.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── prevent-linkerd-port-skipping.yaml └── require-linkerd-mesh-injection │ ├── .chainsaw-test │ ├── bad-ns.yaml │ ├── chainsaw-test.yaml │ ├── good-ns.yaml │ └── 
policy-ready.yaml │ ├── .kyverno-test │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-linkerd-mesh-injection.yaml ├── linkerd ├── add-linkerd-mesh-injection │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-step-02-apply-5.yaml │ │ ├── chainsaw-step-02-assert-1.yaml │ │ ├── chainsaw-step-02-assert-2.yaml │ │ ├── chainsaw-step-02-assert-3.yaml │ │ ├── chainsaw-step-02-assert-4.yaml │ │ ├── chainsaw-step-02-assert-5.yaml │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── add-linkerd-mesh-injection.yaml │ └── artifacthub-pkg.yml ├── add-linkerd-policy-annotation │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-assert-1.yaml │ │ ├── chainsaw-step-02-assert-2.yaml │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── add-linkerd-policy-annotation.yaml │ └── artifacthub-pkg.yml ├── check-linkerd-authorizationpolicy │ ├── .chainsaw-test │ │ ├── bad-authz.yaml │ │ ├── chainsaw-step-00-assert-1.yaml │ │ ├── chainsaw-step-00-assert-2.yaml │ │ ├── chainsaw-step-00-assert-3.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-authz.yaml │ │ ├── http-route.yaml │ │ ├── permissions.yaml │ │ └── server.yaml │ ├── artifacthub-pkg.yml │ └── check-linkerd-authorizationpolicy.yaml ├── prevent-linkerd-pod-injection-override │ ├── .chainsaw-test │ │ ├── bad-pod.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pod.yaml │ │ └── good-podcontrollers.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── prevent-linkerd-pod-injection-override.yaml ├── prevent-linkerd-port-skipping │ ├── .chainsaw-test │ │ ├── bad-pod.yaml │ │ ├── bad-podcontrollers.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── 
good-pod.yaml │ │ └── good-podcontrollers.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── prevent-linkerd-port-skipping.yaml ├── require-linkerd-mesh-injection │ ├── .chainsaw-test │ │ ├── bad-ns.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ └── good-ns.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-linkerd-mesh-injection.yaml └── require-linkerd-server │ ├── .chainsaw-test │ ├── bad-deploy.yaml │ ├── bad-svc.yaml │ ├── chainsaw-step-00-assert-1.yaml │ ├── chainsaw-step-01-assert-1.yaml │ ├── chainsaw-test.yaml │ ├── good-deploy.yaml │ ├── good-svc.yaml │ ├── permissions.yaml │ └── server.yaml │ ├── artifacthub-pkg.yml │ └── require-linkerd-server.yaml ├── nginx-ingress-cel ├── disallow-ingress-nginx-custom-snippets │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cm-bad.yaml │ │ ├── cm-good.yaml │ │ ├── ig-bad.yaml │ │ ├── ig-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── disallow-ingress-nginx-custom-snippets.yaml ├── restrict-annotations │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ig-bad.yaml │ │ ├── ig-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── restrict-annotations.yaml └── restrict-ingress-paths │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── ig-bad.yaml │ ├── ig-good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── restrict-ingress-paths.yaml ├── nginx-ingress ├── disallow-ingress-nginx-custom-snippets │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cm-bad.yaml │ │ ├── cm-good.yaml │ │ ├── ig-bad.yaml │ │ ├── ig-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── 
disallow-ingress-nginx-custom-snippets.yaml ├── restrict-annotations │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ig-bad.yaml │ │ ├── ig-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── restrict-annotations.yaml └── restrict-ingress-paths │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── ig-bad.yaml │ ├── ig-good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── restrict-ingress-paths.yaml ├── openshift-cel ├── check-routes │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ ├── route-bad.yaml │ │ └── route-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── check-routes.yaml ├── disallow-deprecated-apis │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── disallow-deprecated-apis.yaml ├── disallow-jenkins-pipeline-strategy │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── disallow-jenkins-pipeline-strategy.yaml ├── disallow-security-context-constraint-anyuid │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── clusterroles-bad.yaml │ │ ├── clusterroles-good.yaml │ │ ├── crb-bad.yaml │ │ ├── crb-good.yaml │ │ ├── policy-ready.yaml │ │ ├── rb-bad.yaml │ │ ├── rb-good.yaml │ │ ├── roles-bad.yaml │ │ └── roles-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── disallow-security-context-constraint-anyuid.yaml └── enforce-etcd-encryption │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── enforce-etcd-encryption.yaml ├── openshift ├── README.md ├── check-routes │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ ├── route-bad.yaml │ │ └── route-good.yaml │ ├── .kyverno-test │ │ ├── 
kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── check-routes.yaml ├── disallow-deprecated-apis │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── disallow-deprecated-apis.yaml ├── disallow-jenkins-pipeline-strategy │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── disallow-jenkins-pipeline-strategy.yaml ├── disallow-security-context-constraint-anyuid │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── clusterroles-bad.yaml │ │ ├── clusterroles-good.yaml │ │ ├── crb-bad.yaml │ │ ├── crb-good.yaml │ │ ├── policy-ready.yaml │ │ ├── rb-bad.yaml │ │ ├── rb-good.yaml │ │ ├── roles-bad.yaml │ │ └── roles-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── disallow-security-context-constraint-anyuid.yaml ├── disallow-self-provisioner-binding │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── crb-bad-roleref.yaml │ │ ├── crb-bad-sub-update.yaml │ │ ├── crb-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resources.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── disallow-self-provisioner-binding.yaml ├── enforce-etcd-encryption │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── enforce-etcd-encryption.yaml ├── inject-infrastructurename │ ├── artifacthub-pkg.yml │ └── inject-infrastructurename.yaml ├── team-validate-ns-name │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── team-validate-ns-name.yaml └── unique-routes │ ├── .kyverno-test │ ├── kyverno-test.yaml │ ├── mock.yaml │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── unique-routes.yaml ├── other-cel ├── advanced-restrict-image-registries │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cm.yaml │ │ ├── ns-01.yaml │ │ ├── ns-02.yaml │ 
│ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── advanced-restrict-image-registries.yaml │ └── artifacthub-pkg.yml ├── allowed-annotations │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── allowed-annotations.yaml │ └── artifacthub-pkg.yml ├── allowed-pod-priorities │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cm.yaml │ │ ├── ns.yaml │ │ ├── pc.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ ├── policy-ready.yaml │ │ └── priorityClass.yaml │ ├── allowed-pod-priorities.yaml │ └── artifacthub-pkg.yml ├── block-ephemeral-containers │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod.yaml │ │ ├── podcontrollers.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── block-ephemeral-containers.yaml ├── check-env-vars │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ ├── pods-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── check-env-vars.yaml ├── check-node-for-cve-2022-0185 │ ├── artifacthub-pkg.yml │ └── check-node-for-cve-2022-0185.yaml ├── check-serviceaccount-secrets │ ├── .chainsaw-test │ │ ├── bad-svc-account.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-svc-account.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yaml │ └── check-serviceaccount-secrets.yaml ├── deny-commands-in-exec-probe │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── 
podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ ├── pods-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── deny-commands-in-exec-probe.yaml ├── deny-secret-service-account-token-type │ ├── .chainsaw-test │ │ ├── bad-secret.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-secret.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yaml │ └── deny-secret-service-account-token-type.yaml ├── disallow-all-secrets │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ ├── pods-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-all-secrets.yaml ├── disallow-localhost-services │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ ├── svc-bad.yaml │ │ └── svc-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-localhost-services.yaml ├── disallow-secrets-from-env-vars │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ ├── pods-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-secrets-from-env-vars.yaml ├── docker-socket-requires-label │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ ├── pods-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── docker-socket-requires-label.yaml ├── enforce-pod-duration │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml 
│ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ ├── pods-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── enforce-pod-duration.yaml ├── enforce-readwriteonce-pod │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── enforce-readwriteonce-pod.yaml ├── ensure-probes-different │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── ensure-probes-different.yaml ├── ensure-readonly-hostpath │ ├── .chainsaw-test │ │ ├── bad-pod-02.yaml │ │ ├── bad-pod-03.yaml │ │ ├── bad-pod-04.yaml │ │ ├── bad-pod-05.yaml │ │ ├── bad-pods-all.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pods-all.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ ├── pods-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── bad-pod-01.yaml │ │ ├── good-pod-01.yaml │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── ensure-readonly-hostpath.yaml ├── exclude-namespaces-dynamically │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cm.yaml │ │ ├── cmap.yaml │ │ ├── ns.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── exclude-namespaces-dynamically.yaml ├── forbid-cpu-limits │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ ├── pods-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── forbid-cpu-limits.yaml ├── imagepullpolicy-always │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── 
pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── imagepullpolicy-always.yaml ├── ingress-host-match-tls │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ ├── ingress-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── ingress-host-match-tls.yaml ├── limit-containers-per-pod │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── limit-containers-per-pod.yaml ├── limit-hostpath-type-pv │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ ├── pv-bad.yaml │ │ └── pv-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── limit-hostpath-type-pv.yaml ├── limit-hostpath-vols │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── badpod.yaml │ │ ├── goodpod.yaml │ │ ├── kyverno-test.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── limit-hostpath-vols.yaml ├── memory-requests-equal-limits │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── memory-requests-equal-limits.yaml ├── metadata-match-regex │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── 
podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── metadata-match-regex.yaml ├── pdb-maxunavailable │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pdb-bad.yaml │ │ ├── pdb-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── pdb-maxunavailable.yaml ├── prevent-bare-pods │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── deployment.yaml │ │ ├── ns.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── prevent-bare-pods.yaml ├── prevent-cr8escape │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ ├── pods-bad.yaml │ │ ├── pods-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── prevent-cr8escape.yaml ├── require-annotations │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-annotations.yaml ├── require-container-port-names │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-container-port-names.yaml ├── require-deployments-have-multiple-replicas │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── deploy-bad.yaml │ │ ├── deploy-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-deployments-have-multiple-replicas.yaml ├── 
require-emptydir-requests-limits │ ├── .chainsaw-test │ │ ├── bad-pod.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource-fail.yaml │ │ ├── resource-pass.yaml │ │ └── resource-skip.yaml │ ├── artifacthub-pkg.yml │ └── require-emptydir-requests-limits.yaml ├── require-image-checksum │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-image-checksum.yaml ├── require-ingress-https │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ ├── ingress-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-ingress-https.yaml ├── require-non-root-groups │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-non-root-groups.yaml ├── require-pod-priorityclassname │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pc.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-pod-priorityclassname.yaml ├── require-qos-burstable │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ 
│ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-qos-burstable.yaml ├── require-qos-guaranteed │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-qos-guaranteed.yaml ├── require-storageclass │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ ├── pvc-bad.yaml │ │ ├── pvc-good.yaml │ │ ├── ss-bad.yaml │ │ └── ss-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-storageclass.yaml ├── restrict-annotations │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-annotations.yaml ├── restrict-binding-clusteradmin │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── crb-bad.yaml │ │ ├── crb-good.yaml │ │ ├── policy-ready.yaml │ │ ├── rb-bad.yaml │ │ └── rb-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── restrict-binding-clusteradmin.yaml ├── restrict-binding-system-groups │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── crb-bad.yaml │ │ ├── crb-good.yaml │ │ ├── policy-ready.yaml │ │ ├── rb-bad.yaml │ │ └── rb-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── restrict-binding-system-groups.yaml ├── restrict-clusterrole-nodesproxy │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cr-bad.yaml │ │ ├── cr-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-clusterrole-nodesproxy.yaml ├── restrict-controlplane-scheduling │ ├── 
.chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-controlplane-scheduling.yaml ├── restrict-deprecated-registry │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-deprecated-registry.yaml ├── restrict-edit-for-endpoints │ ├── artifacthub-pkg.yml │ └── restrict-edit-for-endpoints.yaml ├── restrict-escalation-verbs-roles │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cr-bad.yaml │ │ ├── cr-good.yaml │ │ ├── policy-ready.yaml │ │ ├── role-bad.yaml │ │ └── role-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-escalation-verbs-roles.yaml ├── restrict-ingress-classes │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ ├── ingress-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-ingress-classes.yaml ├── restrict-ingress-defaultbackend │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ ├── ingress-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-ingress-defaultbackend.yaml ├── restrict-ingress-wildcard │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ ├── ingress-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── restrict-ingress-wildcard.yaml ├── restrict-jobs │ ├── 
.chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cronjobs-good.yaml │ │ ├── jobs-bad.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-jobs.yaml ├── restrict-loadbalancer │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ ├── svc-bad.yaml │ │ └── svc-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-loadbalancer.yaml ├── restrict-networkpolicy-empty-podselector │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── netpol-bad.yaml │ │ ├── netpol-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-networkpolicy-empty-podselector.yaml ├── restrict-node-affinity │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-node-affinity.yaml ├── restrict-node-label-creation │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── restrict-node-label-creation.yaml ├── restrict-pod-controller-serviceaccount-updates │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cronjob-bad-update.yaml │ │ ├── cronjob-good-update.yaml │ │ ├── cronjob.yaml │ │ ├── deploy-bad-update.yaml │ │ ├── deploy-good-update.yaml │ │ ├── deployment.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ ├── sa-01.yaml │ │ └── sa-02.yaml │ ├── artifacthub-pkg.yml │ └── restrict-pod-controller-serviceaccount-updates.yaml ├── restrict-sa-automount-sa-token │ ├── .chainsaw-test │ │ ├── bad-sa.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-sa.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── 
artifacthub-pkg.yml │ └── restrict-sa-automount-sa-token.yaml ├── restrict-secret-role-verbs │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cr-bad.yaml │ │ ├── cr-good.yaml │ │ ├── policy-ready.yaml │ │ ├── role-bad.yaml │ │ └── role-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-secret-role-verbs.yaml ├── restrict-secrets-by-name │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-secrets-by-name.yaml ├── restrict-service-port-range │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ ├── svc-bad.yaml │ │ └── svc-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-service-port-range.yaml ├── restrict-storageclass │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ ├── sc-bad.yaml │ │ └── sc-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-storageclass.yaml ├── restrict-usergroup-fsgroup-id │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-usergroup-fsgroup-id.yaml ├── restrict-wildcard-resources │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cr-bad.yaml │ │ ├── cr-good.yaml │ │ ├── policy-ready.yaml │ │ ├── role-bad.yaml │ │ └── role-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-wildcard-resources.yaml ├── restrict-wildcard-verbs │ ├── .chainsaw-test │ 
│ ├── chainsaw-test.yaml │ │ ├── cr-bad.yaml │ │ ├── cr-good.yaml │ │ ├── policy-ready.yaml │ │ ├── role-bad.yaml │ │ └── role-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-wildcard-verbs.yaml └── topologyspreadconstraints-policy │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── podcontrollers-bad.yaml │ ├── podcontrollers-good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ ├── resource-fail1.yaml │ ├── resource-fail2.yaml │ ├── resource-fail3.yaml │ ├── resource-pass.yaml │ └── resource-skip.yaml │ ├── artifacthub-pkg.yml │ └── topologyspreadconstraints-policy.yaml ├── other ├── add-certificates-volume │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod-not-patched.yaml │ │ ├── pod-resources-patched.yaml │ │ ├── pod-resources.yaml │ │ ├── podcontroller-not-patched.yaml │ │ ├── podcontroller-patched.yaml │ │ ├── podcontroller-resources.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── add-certificates-volume.yaml │ └── artifacthub-pkg.yml ├── add-default-resources │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-resources-patched.yaml │ │ ├── pod-resources.yaml │ │ ├── podcontroller-patched.yaml │ │ ├── podcontroller-resources.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ ├── patchedResource2.yaml │ │ ├── patchedResource3.yaml │ │ └── resource.yaml │ ├── add-default-resources.yaml │ └── artifacthub-pkg.yml ├── add-default-securitycontext │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-resources-patched.yaml │ │ ├── pod-resources.yaml │ │ ├── podcontroller-patched.yaml │ │ ├── podcontroller-resources.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── add-default-securitycontext.yaml │ └── 
artifacthub-pkg.yml ├── add-emptydir-sizelimit │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ ├── resource-mutated.yaml │ │ └── resource.yaml │ ├── add-emptydir-sizelimit.yaml │ └── artifacthub-pkg.yml ├── add-env-vars-from-cm │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-resources-patched.yaml │ │ ├── pod-resources.yaml │ │ ├── podcontroller-patched.yaml │ │ ├── podcontroller-resources.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource01.yaml │ │ └── resource.yaml │ ├── add-env-vars-from-cm.yaml │ └── artifacthub-pkg.yml ├── add-image-as-env-var │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ ├── kuttlresource.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ └── resource-mutated.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patched-pod01.yaml │ │ ├── patched-pod02.yaml │ │ ├── patched-pod03.yaml │ │ └── resource.yaml │ ├── add-image-as-env-var.yaml │ └── artifacthub-pkg.yml ├── add-imagepullsecrets-for-containers-and-initcontainers │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-not-patched.yaml │ │ ├── pod-resources-patched.yaml │ │ ├── pod-resources.yaml │ │ ├── podcontroller-patched.yaml │ │ ├── podcontroller-resources.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ ├── patchedResource2.yaml │ │ ├── patchedResource3.yaml │ │ ├── patchedResource4.yaml │ │ └── resource.yaml │ ├── add-imagepullsecrets-for-containers-and-initcontainers.yaml │ └── artifacthub-pkg.yml ├── add-imagepullsecrets │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-not-patched.yaml │ │ ├── pod-resources-patched.yaml │ │ ├── pod-resources.yaml │ │ ├── podcontroller-patched.yaml │ │ ├── podcontroller-resources.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ ├── patchedResource2.yaml │ 
│ ├── patchedResource3.yaml │ │ └── resource.yaml │ ├── add-imagepullsecrets.yaml │ └── artifacthub-pkg.yml ├── add-labels │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cm-patched.yaml │ │ ├── cm.yaml │ │ ├── pod-resources-patched.yaml │ │ ├── pod-resources.yaml │ │ ├── policy-ready.yaml │ │ ├── secret-patched.yaml │ │ ├── secret.yaml │ │ ├── svc-patched.yaml │ │ └── svc.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ ├── patchedResource1.yaml │ │ └── resource.yaml │ ├── add-labels.yaml │ └── artifacthub-pkg.yml ├── add-ndots │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-resources-patched.yaml │ │ ├── pod-resources.yaml │ │ ├── podcontroller-patched.yaml │ │ ├── podcontroller-resources.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── add-ndots.yaml │ └── artifacthub-pkg.yml ├── add-node-affinity │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ ├── kuttlresource.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ └── resource-mutated.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── add-node-affinity.yaml │ └── artifacthub-pkg.yml ├── add-node-labels-pod │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── clusterroles.yaml │ │ ├── permissions.yaml │ │ ├── pod-patched01.yaml │ │ ├── pod-patched02.yaml │ │ ├── pod.yaml │ │ └── policy-ready.yaml │ ├── add-node-labels-pod.yaml │ └── artifacthub-pkg.yml ├── add-nodeSelector │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-resources-patched.yaml │ │ ├── pod-resources.yaml │ │ ├── podcontroller-patched.yaml │ │ ├── podcontroller-resources.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── add-nodeSelector.yaml │ └── 
artifacthub-pkg.yml ├── add-pod-priorityclassname │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ ├── cronjob-mutated.yaml │ │ ├── cronjob.yaml │ │ ├── deployment-mutated.yaml │ │ ├── deployment.yaml │ │ ├── ns.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── add-pod-priorityclassname.yaml │ └── artifacthub-pkg.yml ├── add-pod-proxies │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-resources-patched.yaml │ │ ├── pod-resources.yaml │ │ ├── podcontroller-patched.yaml │ │ ├── podcontroller-resources.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ ├── patchedResource2.yaml │ │ └── resource.yaml │ ├── add-pod-proxies.yaml │ └── artifacthub-pkg.yml ├── add-tolerations │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ ├── kuttlresource.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ └── resource-mutated.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patched01.yaml │ │ ├── patched02.yaml │ │ └── resource.yaml │ ├── add-tolerations.yaml │ └── artifacthub-pkg.yml ├── add-ttl-jobs │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── job-not-patched.yaml │ │ ├── job-patched.yaml │ │ ├── job.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patched01.yaml │ │ └── resource.yaml │ ├── add-ttl-jobs.yaml │ └── artifacthub-pkg.yml ├── add-volume-deployment │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ ├── kuttlresource.yaml │ │ ├── policy-ready.yaml │ │ └── resource-mutated.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── add-volume-deployment.yaml │ └── artifacthub-pkg.yml ├── advanced-restrict-image-registries │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── 
chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── advanced-restrict-image-registries.yaml │ └── artifacthub-pkg.yml ├── advertise-node-extended-resources │ ├── advertise-node-extended-resources.yaml │ └── artifacthub-pkg.yml ├── allowed-annotations │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── allowed-annotations.yaml │ └── artifacthub-pkg.yml ├── allowed-base-images │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── allowed-base-images.yaml │ └── artifacthub-pkg.yml ├── allowed-image-repos │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── allowed-image-repos.yaml │ └── artifacthub-pkg.yml ├── allowed-label-changes │ ├── .chainsaw-test │ │ ├── bad-update.yaml │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-step-02-apply-5.yaml │ │ ├── chainsaw-step-02-apply-6.yaml │ │ ├── chainsaw-step-02-apply-7.yaml │ │ ├── chainsaw-step-02-apply-8.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-update.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── 
resource.yaml │ │ └── values.yaml │ ├── allowed-label-changes.yaml │ └── artifacthub-pkg.yml ├── allowed-pod-priorities │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cm.yaml │ │ ├── ns.yaml │ │ ├── pc.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── priorityClass.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── allowed-pod-priorities.yaml │ └── artifacthub-pkg.yml ├── always-pull-images │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── patched-pod01.yaml │ │ ├── patched-pod02.yaml │ │ ├── patched-pod03.yaml │ │ ├── podcontrollers-patched.yaml │ │ ├── podcontrollers.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ ├── patchedResource2.yaml │ │ └── resource.yaml │ ├── always-pull-images.yaml │ └── artifacthub-pkg.yml ├── annotate-base-images │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ ├── kuttlresource.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ └── resource-mutated.yaml │ ├── annotate-base-images.yaml │ └── artifacthub-pkg.yml ├── apply-pss-restricted-profile │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-patched.yaml │ │ ├── podcontrollers.yaml │ │ ├── pods-patched.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── mutatedmypod.yaml │ │ └── resource.yaml │ ├── apply-pss-restricted-profile.yaml │ └── artifacthub-pkg.yml ├── audit-event-on-delete │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-apply-1.yaml │ │ ├── chainsaw-step-04-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ └── secret.yaml │ ├── artifacthub-pkg.yml │ └── audit-event-on-delete.yaml ├── audit-event-on-exec │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-apply-1.yaml │ │ ├── chainsaw-step-04-assert-1.yaml │ 
│ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── audit-event-on-exec.yaml ├── block-cluster-admin-from-ns │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── bad-cm-update.yaml │ │ ├── bad-pod.yaml │ │ ├── chainsaw-step-03-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-cm.yaml │ │ ├── good-pod-not-admin.yaml │ │ ├── good-pod.yaml │ │ ├── ns.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── block-cluster-admin-from-ns.yaml ├── block-ephemeral-containers │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod.yaml │ │ └── podcontrollers.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── block-ephemeral-containers.yaml ├── block-images-with-volumes │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── bad.yaml │ │ ├── good.yaml │ │ ├── kyverno-test.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── block-images-with-volumes.yaml ├── block-large-images │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── bad.yaml │ │ ├── good.yaml │ │ ├── kyverno-test.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── block-large-images.yaml ├── block-pod-exec-by-namespace-label │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── podcontrollers.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── block-pod-exec-by-namespace-label.yaml ├── block-pod-exec-by-namespace │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── podcontrollers.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml 
│ ├── artifacthub-pkg.yml │ └── block-pod-exec-by-namespace.yaml ├── block-pod-exec-by-pod-and-container │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── block-pod-exec-by-pod-and-container.yaml ├── block-pod-exec-by-pod-label │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── block-pod-exec-by-pod-label.yaml ├── block-pod-exec-by-pod-name │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── block-pod-exec-by-pod-name.yaml ├── block-stale-images │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── bad.yaml │ │ ├── good.yaml │ │ ├── kyverno-test.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── block-stale-images.yaml ├── block-updates-deletes │ ├── .chainsaw-test │ │ ├── chainsaw-step-03-apply-1.yaml │ │ ├── chainsaw-step-03-apply-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ ├── svc-bad-update.yaml │ │ ├── svc-good-update.yaml │ │ └── svc.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── block-updates-deletes.yaml ├── check-env-vars │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ 
│ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── check-env-vars.yaml ├── check-hpa-exists │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── deployment-with-hpa-good.yaml │ │ ├── deployment-without-hpa-bad.yaml │ │ └── hpa.yaml │ ├── artifacthub-pkg.yml │ └── check-hpa-exists.yaml ├── check-ingress-nginx-controller-version-and-annotation-policy │ ├── .chainsaw-test │ │ ├── bad-resource.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ └── good-resource.yaml │ ├── artifacthub-pkg.yml │ └── check-ingress-nginx-controller-version-and-annotation-policy.yaml ├── check-node-for-cve-2022-0185 │ ├── artifacthub-pkg.yml │ └── check-node-for-cve-2022-0185.yaml ├── check-nvidia-gpu │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── bad.yaml │ │ ├── good01.yaml │ │ ├── good02.yaml │ │ ├── good03.yaml │ │ ├── kyverno-test.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── check-nvidia-gpu.yaml ├── check-serviceaccount-secrets │ ├── .chainsaw-test │ │ ├── bad-svc-account.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ └── good-svc-account.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yaml │ └── check-serviceaccount-secrets.yaml ├── check-serviceaccount │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-step-02-apply-5.yaml │ │ ├── chainsaw-step-02-apply-6.yaml │ │ ├── chainsaw-test.yaml │ │ ├── foo-sa.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── 
resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── check-serviceaccount.yaml ├── check-subjectaccessreview │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-03-apply-1.yaml │ │ ├── chainsaw-step-03-apply-2.yaml │ │ ├── chainsaw-step-03-apply-3.yaml │ │ ├── chainsaw-step-03-apply-4.yaml │ │ ├── chainsaw-step-03-apply-5.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cm-one.yaml │ │ ├── cm-two.yaml │ │ └── ns.yaml │ ├── artifacthub-pkg.yml │ └── check-subjectaccessreview.yaml ├── check-vpa-configuration │ ├── .chainsaw-test │ │ ├── bad.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good.yaml │ │ ├── permissions.yaml │ │ └── prereq.yaml │ ├── artifact-hub.yaml │ └── check-vpa-configuration.yaml ├── concatenate-configmaps │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cm-patched.yaml │ │ ├── cm.yaml │ │ ├── ns.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── concatenate-configmaps.yaml ├── copy-namespace-labels │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── patchresource.yaml │ │ ├── policy-ready.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── copy-namespace-labels.yaml ├── cordon-and-drain-node │ ├── artifacthub-pkg.yml │ └── cordon-and-drain-node.yaml ├── create-default-pdb │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── deployment.yaml │ │ ├── ns.yaml │ │ ├── pdb-generated.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── generatedResource.yaml │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── create-default-pdb.yaml ├── create-pod-antiaffinity │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── deployments.yaml │ │ ├── not-patched-deploy02.yaml │ │ ├── not-patched-deploy03.yaml │ │ ├── patched-deploy01.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── 
artifacthub-pkg.yml │ └── create-pod-antiaffinity.yaml ├── deny-commands-in-exec-probe │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── deny-commands-in-exec-probe.yaml ├── deny-secret-service-account-token-type │ ├── .chainsaw-test │ │ ├── bad-secret.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ └── good-secret.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yaml │ └── deny-secret-service-account-token-type.yaml ├── deployment-replicas-higher-than-pdb │ ├── .chainsaw-test │ │ ├── bad-pdb.yaml │ │ ├── chainsaw-test.yaml │ │ ├── existing-deployments.yaml │ │ ├── good-pdb.yaml │ │ └── policy-ready.yaml │ ├── artifact-hub.yml │ └── deployment-replicas-higher-than-pdb.yaml ├── disable-automountserviceaccounttoken │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ ├── sa-not-patched.yaml │ │ ├── sa-patched.yaml │ │ └── sa.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disable-automountserviceaccounttoken.yaml ├── disable-service-discovery │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-patched.yaml │ │ ├── podcontrollers.yaml │ │ ├── pods-patched.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── disable-service-discovery.yaml ├── disallow-all-secrets │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-all-secrets.yaml ├── 
disallow-localhost-services │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── svc-bad.yaml │ │ └── svc-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-localhost-services.yaml ├── disallow-secrets-from-env-vars │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-secrets-from-env-vars.yaml ├── dns-policy-and-dns-config │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── kubeadm-config.yaml │ │ ├── ns.yaml │ │ ├── podcontrollers-patched.yaml │ │ ├── podcontrollers.yaml │ │ ├── pods-not-patched.yaml │ │ ├── pods-patched.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ ├── resource.yaml │ │ └── variables.yaml │ ├── artifacthub-pkg.yml │ └── dns-policy-and-dns-config.yaml ├── docker-socket-requires-label │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── docker-socket-requires-label.yaml ├── enforce-pod-duration │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── enforce-pod-duration.yaml ├── enforce-readwriteonce-pod │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── 
enforce-readwriteonce-pod.yaml ├── enforce-resources-as-ratio │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── enforce-resources-as-ratio.yaml ├── ensure-probes-different │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── podcontrollers-bad.yaml │ │ └── podcontrollers-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── ensure-probes-different.yaml ├── ensure-production-matches-staging │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── deploy-bad-image.yaml │ │ ├── deploy-bad-imversion.yaml │ │ ├── deploy-bad-name.yaml │ │ ├── deploy-good.yaml │ │ ├── deployments.yaml │ │ ├── ns.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── ensure-production-matches-staging.yaml ├── ensure-readonly-hostpath │ ├── .chainsaw-test │ │ ├── bad-pod-02.yaml │ │ ├── bad-pod-03.yaml │ │ ├── bad-pod-04.yaml │ │ ├── bad-pod-05.yaml │ │ ├── bad-pods-all.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pods-all.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── bad-pod-01.yaml │ │ ├── good-pod-01.yaml │ │ ├── kyverno-test.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── ensure-readonly-hostpath.yaml ├── exclude-namespaces-dynamically │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cm.yaml │ │ ├── cmap.yaml │ │ ├── ns.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ 
├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── exclude-namespaces-dynamically.yaml ├── expiration-for-policyexceptions │ ├── artifacthub-pkg.yml │ └── expiration-for-policyexceptions.yaml ├── forbid-cpu-limits │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ ├── podcontrollers-good.yaml │ │ ├── pods-bad.yaml │ │ └── pods-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── forbid-cpu-limits.yaml ├── generate-networkpolicy-existing │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── netpol.yaml │ │ ├── ns.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── generate-networkpolicy-existing.yaml ├── get-debug-information │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-apply-1.yaml │ │ ├── chainsaw-step-00-apply-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── depl-readonlyrootfs.yaml │ │ ├── ns.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── get-debug-information.yaml ├── imagepullpolicy-always │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── imagepullpolicy-always.yaml ├── ingress-host-match-tls │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ └── ingress-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── ingress-host-match-tls.yaml ├── inject-env-var-from-image-label │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ ├── kuttlresource.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ └── resource-mutated.yaml │ ├── artifacthub-pkg.yml │ └── 
inject-env-var-from-image-label.yaml ├── inject-sidecar-deployment │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── deploy-patched01.yaml │ │ ├── deploy-patched02.yaml │ │ ├── deploy.yaml │ │ ├── not-deploy-patched02.yaml │ │ ├── not-deploy-patched03.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ ├── patchedResource2.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── inject-sidecar-deployment.yaml ├── inspect-csr │ ├── .chainsaw-test │ │ ├── chainsaw-step-03-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── crolb-user.yaml │ │ ├── permissions.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── inspect-csr.yaml ├── kubernetes-version-check │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── kubernetes-version-check.yaml ├── label-existing-namespaces │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── crb.yaml │ │ ├── ns.yaml │ │ ├── patched-ns01.yaml │ │ ├── patched-ns02.yaml │ │ ├── patched-ns03.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── label-existing-namespaces.yaml ├── label-nodes-cri │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── label-check.sh │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── label-nodes-cri.yaml ├── limit-configmap-for-sa │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-step-02-apply-5.yaml │ │ ├── chainsaw-step-02-apply-6.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cm-bad.yaml │ │ └── cm-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── variables.yaml │ ├── artifacthub-pkg.yml │ └── limit-configmap-for-sa.yaml ├── limit-containers-per-pod │ 
├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── limit-containers-per-pod.yaml ├── limit-hostpath-type-pv │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pv-bad.yaml │ │ └── pv-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── limit-hostpath-type-pv.yaml ├── limit-hostpath-vols │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── badpod.yaml │ │ ├── goodpod.yaml │ │ ├── kyverno-test.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── limit-hostpath-vols.yaml ├── memory-requests-equal-limits │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── memory-requests-equal-limits.yaml ├── metadata-match-regex │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── metadata-match-regex.yaml ├── mitigate-log4shell │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cronjob-patched.yaml │ │ ├── deploy-patched.yaml │ │ ├── pod-patched01.yaml │ │ ├── pod-patched02.yaml │ │ ├── pod-patched03.yaml │ │ ├── pod.yaml │ │ ├── podcontroller.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── 
patchedResource.yaml │ │ ├── patchedResource1.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── mitigate-log4shell.yaml ├── mutate-large-termination-gps │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cronjob-patched.yaml │ │ ├── deploy-patched.yaml │ │ ├── pod-not-patched01.yaml │ │ ├── pod-not-patched02.yaml │ │ ├── pod-patched01.yaml │ │ ├── pod.yaml │ │ ├── podcontroller.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ ├── patchedResource2.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── mutate-large-termination-gps.yaml ├── mutate-pod-binding │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── crb.yaml │ │ ├── pod-patched01.yaml │ │ ├── pod-patched02.yaml │ │ ├── pod.yaml │ │ ├── policy-ready.yaml │ │ └── testpod.yaml │ ├── artifacthub-pkg.yml │ └── mutate-pod-binding.yaml ├── namespace-inventory-check │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-apply-1.yaml │ │ ├── chainsaw-step-01-apply-2.yaml │ │ ├── chainsaw-step-01-apply-3.yaml │ │ ├── chainsaw-step-01-apply-4.yaml │ │ ├── chainsaw-step-01-apply-5.yaml │ │ ├── chainsaw-step-01-apply-6.yaml │ │ ├── chainsaw-step-01-apply-7.yaml │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ └── report-assert.yaml │ ├── artifacthub-pkg.yml │ └── namespace-inventory-check.yaml ├── namespace-protection │ ├── artifacthub-pkg.yml │ └── namespace-protection.yaml ├── nfs-subdir-external-provisioner-storage-path │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pvc-bad.yaml │ │ └── pvc-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── nfs-subdir-external-provisioner-storage-path.yaml ├── only-trustworthy-registries-set-root │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod-bad.yaml │ │ 
├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── bad.yaml │ │ ├── good.yaml │ │ ├── kyverno-test.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── only-trustworthy-registries-set-root.yaml ├── pdb-maxunavailable-with-deployments │ ├── .chainsaw-test │ │ ├── bad-pdb.yaml │ │ ├── chainsaw-test.yaml │ │ ├── existing-deployments.yaml │ │ ├── good-pdb.yaml │ │ └── policy-ready.yaml │ ├── artifact-hub.yml │ └── pdb-maxunavailable-with-deployments.yaml ├── pdb-maxunavailable │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pdb-bad.yaml │ │ └── pdb-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── pdb-maxunavailable.yaml ├── pdb-minavailable │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pdb.yaml │ │ ├── ss-bad.yaml │ │ └── ss-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── pdb-minavailable.yaml ├── policy-for-exceptions │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── policy-bad.yaml │ │ └── policy-good.yaml │ ├── artifacthub-pkg.yml │ └── policy-for-exceptions.yaml ├── prepend-image-registry │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pods-patched.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── failpatchedResource.yaml │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ ├── patchedResourceWithoutInitContainer.yaml │ │ ├── resource.yaml │ │ ├── resourceFailed.yaml │ │ └── withoutinitcontainer.yaml │ ├── artifacthub-pkg.yml │ └── prepend-image-registry.yaml ├── prevent-bare-pods │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── deployment.yaml │ │ ├── ns.yaml │ │ ├── pod-bad.yaml │ │ └── pod-good.yaml │ ├── .kyverno-test │ 
│ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── prevent-bare-pods.yaml ├── prevent-cr8escape │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ ├── pods-bad.yaml │ │ ├── pods-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── prevent-cr8escape.yaml ├── prevent-duplicate-hpa │ ├── .chainsaw-test │ │ ├── bad.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good.yaml │ │ ├── policy-ready.yaml │ │ └── prereq.yaml │ ├── artifacthub-pkg.yml │ └── prevent-duplicate-hpa.yaml ├── prevent-duplicate-vpa │ ├── .chainsaw-test │ │ ├── bad.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good.yaml │ │ ├── permissions.yaml │ │ ├── policy-ready.yaml │ │ └── prereq.yaml │ ├── artifacthub-pkg.yml │ └── prevent-duplicate-vpa.yaml ├── protect-node-taints │ ├── .chainsaw-test │ │ ├── chainsaw-step-04-apply-1.yaml │ │ ├── chainsaw-step-04-apply-2.yaml │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── protect-node-taints.yaml ├── record-creation-details │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns-patched.yaml │ │ ├── ns.yaml │ │ ├── pod-patch01.yaml │ │ ├── pod-patch02.yaml │ │ ├── pod-patched.yaml │ │ ├── pod.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── record-creation-details.yaml ├── refresh-env-var-in-pod │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-apply-1.yaml │ │ ├── chainsaw-step-04-apply-1.yaml │ │ ├── chainsaw-step-04-apply-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── deployment.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ └── secret.yaml │ ├── artifacthub-pkg.yml │ └── refresh-env-var-in-pod.yaml ├── refresh-volumes-in-pods │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-apply-1.yaml │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-step-03-apply-1.yaml │ 
│ ├── chainsaw-step-03-apply-2.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cm.yaml │ │ ├── ns.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── refresh-volumes-in-pods.yaml ├── remove-hostpath-volumes │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── not-pod-patched04.yaml │ │ ├── not-pod-patched05.yaml │ │ ├── ns.yaml │ │ ├── pod-patched.yaml │ │ ├── pod-patched02.yaml │ │ ├── pod-patched03.yaml │ │ ├── pod-patched04.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── remove-hostpath-volumes.yaml ├── remove-serviceaccount-token │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod-not-patched01.yaml │ │ ├── pod-not-patched02.yaml │ │ ├── pod-patched.yaml │ │ ├── pod-patched02.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── remove-serviceaccount-token.yaml ├── replace-image-registry-with-harbor │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── README.md │ │ ├── disabled-test.yaml │ │ ├── patchedResource.yaml │ │ ├── patchedResource2.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── replace-image-registry-with-harbor.yaml ├── replace-image-registry │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod-patched.yaml │ │ ├── pod-patched02.yaml │ │ ├── pod-patched03.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ ├── patchedResource3.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── replace-image-registry.yaml ├── replace-ingress-hosts │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-test.yaml │ │ ├── kuttlresource.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ └── resource-mutated.yaml │ ├── 
artifacthub-pkg.yml │ └── replace-ingress-hosts.yaml ├── require-annotations │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-annotations.yaml ├── require-base-image │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── require-base-image.yaml ├── require-container-port-names │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-container-port-names.yaml ├── require-cpu-limits │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-cpu-limits.yaml ├── require-deployments-have-multiple-replicas │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── deploy-bad.yaml │ │ └── deploy-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-deployments-have-multiple-replicas.yaml ├── require-emptydir-requests-limits │ ├── .chainsaw-test │ │ ├── bad-pod.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── 
resource-fail.yaml │ │ ├── resource-pass.yaml │ │ ├── resource-skip.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── require-emptydir-requests-limits.yaml ├── require-image-checksum │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad-for-ephemeral.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good-for-ephemeral.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-image-checksum.yaml ├── require-image-source │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── bad.yaml │ │ ├── good.yaml │ │ ├── kyverno-test.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── require-image-source.yaml ├── require-imagepullsecrets │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-imagepullsecrets.yaml ├── require-ingress-https │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ └── ingress-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-ingress-https.yaml ├── require-netpol │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── deploy-bad.yaml │ │ ├── deploy-good.yaml │ │ └── netpol.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── require-netpol.yaml ├── require-non-root-groups │ ├── .chainsaw-test │ │ ├── 
chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-non-root-groups.yaml ├── require-pdb │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── deploy-bad.yaml │ │ ├── deploy-good.yaml │ │ ├── pdb.yaml │ │ ├── ss-bad.yaml │ │ └── ss-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource-pass.yaml │ │ ├── resource-skip.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── require-pdb.yaml ├── require-pod-priorityclassname │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pc.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-pod-priorityclassname.yaml ├── require-qos-burstable │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-qos-burstable.yaml ├── require-qos-guaranteed │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-qos-guaranteed.yaml ├── require-reasonable-pdbs │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── pdb-maxUnavailable-bad.yaml │ │ ├── pdb-maxUnavailable-good.yaml │ │ ├── pdb-minAvailable-bad.yaml │ │ ├── 
pdb-minAvailable-good.yaml │ │ └── values.yaml │ ├── artifact-hub.yml │ └── require-reasonable-pdbs.yaml ├── require-replicas-allow-disruption │ ├── .chainsaw-test │ │ ├── bad-deploy.yaml │ │ ├── chainsaw-test.yaml │ │ ├── existing-pdbs.yaml │ │ ├── good-deploy.yaml │ │ └── policy-ready.yaml │ ├── artifact-hub.yaml │ └── require-replicas-allow-disruption.yaml ├── require-storageclass │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pvc-bad.yaml │ │ ├── pvc-good.yaml │ │ ├── ss-bad.yaml │ │ └── ss-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-storageclass.yaml ├── require-unique-external-dns │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── svc-bad.yaml │ │ ├── svc-good.yaml │ │ └── svc.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── require-unique-external-dns.yaml ├── require-unique-service-selector │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── svc-bad.yaml │ │ ├── svc-good.yaml │ │ └── svc.yaml │ ├── artifacthub-pkg.yml │ └── require-unique-service-selector.yaml ├── require-unique-uid-per-workload │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ └── pods.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── variables.yaml │ ├── artifacthub-pkg.yml │ └── require-unique-uid-per-workload.yaml ├── require-vulnerability-scan │ ├── artifacthub-pkg.yml │ └── require-vulnerability-scan.yaml ├── resolve-image-to-digest │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── podcontroller-patched.yaml │ │ ├── podcontroller.yaml │ │ ├── pods-patched.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ ├── 
pod.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── resolve-image-to-digest.yaml ├── resource-creation-updating-denied │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── enforce-policy-assert.yaml │ │ ├── policy-assert.yaml │ │ ├── resource.yaml │ │ └── resource2.yaml │ ├── artifacthub-pkg.yml │ └── resource-creation-updating-denied.yaml ├── restart-deployment-on-secret-change │ ├── .chainsaw-test │ │ ├── chainsaw-step-03-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cluster-role.yaml │ │ ├── deploy.yaml │ │ ├── policy-ready.yaml │ │ └── secret.yaml │ ├── artifacthub-pkg.yml │ └── restart-deployment-on-secret-change.yaml ├── restrict-annotations │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-annotations.yaml ├── restrict-automount-sa-token │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-automount-sa-token.yaml ├── restrict-binding-clusteradmin │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── crb-bad.yaml │ │ ├── crb-good.yaml │ │ ├── rb-bad.yaml │ │ └── rb-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── restrict-binding-clusteradmin.yaml ├── restrict-binding-system-groups │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── crb-bad.yaml │ │ ├── crb-good.yaml │ │ ├── rb-bad.yaml │ │ └── rb-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── restrict-binding-system-groups.yaml ├── 
restrict-clusterrole-csr │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── non-violating-clusterrole.yaml │ │ └── violating-clusterrole.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yaml │ └── restrict-clusterrole-csr.yaml ├── restrict-clusterrole-mutating-validating-admission-webhooks │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── non-violating-clusterrole.yaml │ │ └── violating-clusterrole.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-clusterrole-mutating-validating-admission-webhooks.yaml ├── restrict-clusterrole-nodesproxy │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cr-bad.yaml │ │ └── cr-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── restrict-clusterrole-nodesproxy.yaml ├── restrict-controlplane-scheduling │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-controlplane-scheduling.yaml ├── restrict-deprecated-registry │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-deprecated-registry.yaml ├── restrict-edit-for-endpoints │ ├── artifacthub-pkg.yml │ └── restrict-edit-for-endpoints.yaml ├── restrict-escalation-verbs-roles │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cr-bad.yaml │ │ ├── cr-good.yaml │ │ ├── role-bad.yaml 
│ │ └── role-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-escalation-verbs-roles.yaml ├── restrict-ingress-classes │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ └── ingress-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-ingress-classes.yaml ├── restrict-ingress-defaultbackend │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ └── ingress-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-ingress-defaultbackend.yaml ├── restrict-ingress-host │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ ├── ingress-good.yaml │ │ ├── ingress-updates-bad.yaml │ │ ├── ingress-updates-good.yaml │ │ └── ingress.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── restrict-ingress-host.yaml ├── restrict-ingress-wildcard │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ └── ingress-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── restrict-ingress-wildcard.yaml ├── restrict-jobs │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cronjobs-good.yaml │ │ ├── jobs-bad.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-jobs.yaml ├── restrict-loadbalancer │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── svc-bad.yaml │ │ └── svc-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── 
restrict-loadbalancer.yaml ├── restrict-networkpolicy-empty-podselector │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── netpol-bad.yaml │ │ └── netpol-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-networkpolicy-empty-podselector.yaml ├── restrict-node-affinity │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-node-affinity.yaml ├── restrict-node-label-changes │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── restrict-node-label-changes.yaml ├── restrict-node-label-creation │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── restrict-node-label-creation.yaml ├── restrict-node-selection │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-node-selection.yaml ├── restrict-pod-controller-serviceaccount-updates │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-step-02-apply-3.yaml │ │ ├── chainsaw-step-02-apply-4.yaml │ │ ├── chainsaw-step-02-apply-5.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cronjob-bad-update.yaml │ │ ├── cronjob-good-update.yaml │ │ ├── deploy-bad-update.yaml │ │ └── deploy-good-update.yaml │ ├── artifacthub-pkg.yml │ └── restrict-pod-controller-serviceaccount-updates.yaml ├── restrict-pod-count-per-node │ ├── .kyverno-test │ │ ├── 
kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── restrict-pod-count-per-node.yaml ├── restrict-sa-automount-sa-token │ ├── .chainsaw-test │ │ ├── bad-sa.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ └── good-sa.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yaml │ └── restrict-sa-automount-sa-token.yaml ├── restrict-scale │ ├── artifacthub-pkg.yml │ └── restrict-scale.yaml ├── restrict-secret-role-verbs │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cr-bad.yaml │ │ ├── cr-good.yaml │ │ ├── role-bad.yaml │ │ └── role-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── restrict-secret-role-verbs.yaml ├── restrict-secrets-by-label │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── permissions.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── secret.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── restrict-secrets-by-label.yaml ├── restrict-secrets-by-name │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-secrets-by-name.yaml ├── restrict-service-account │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── restrict-service-account.yaml ├── restrict-service-port-range │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── svc-bad.yaml │ │ └── svc-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── 
artifacthub-pkg.yml │ └── restrict-service-port-range.yaml ├── restrict-storageclass │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── sc-bad.yaml │ │ └── sc-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-storageclass.yaml ├── restrict-usergroup-fsgroup-id │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-usergroup-fsgroup-id.yaml ├── restrict-wildcard-resources │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cr-bad.yaml │ │ ├── cr-good.yaml │ │ ├── role-bad.yaml │ │ └── role-good.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── restrict-wildcard-resources.yaml ├── restrict-wildcard-verbs │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cr-bad.yaml │ │ ├── cr-good.yaml │ │ ├── role-bad.yaml │ │ └── role-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-wildcard-verbs.yaml ├── scale-deployment-zero │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── deploy.yaml │ │ ├── deploy01-patched.yaml │ │ ├── deploy02-not-patched.yaml │ │ ├── deploy03-patched.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── scale-deployment-zero.yaml ├── spread-pods-across-topology │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── deploy.yaml │ │ ├── deploy01-patched.yaml │ │ ├── deploy02-not-patched.yaml │ │ ├── deploy03-not-patched.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ └── resource.yaml │ ├── 
artifacthub-pkg.yml │ └── spread-pods-across-topology.yaml ├── sync-secrets │ ├── .chainsaw-test │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-04-apply-1.yaml │ │ ├── chainsaw-step-04-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cloneSourceResource.yaml │ │ ├── generatedResource.yaml │ │ ├── ns.yaml │ │ ├── permissions.yaml │ │ ├── policy-ready.yaml │ │ ├── renamed.yaml │ │ ├── resource.yaml │ │ └── secret-generated.yaml │ ├── artifacthub-pkg.yml │ └── sync-secrets.yaml ├── time-bound-policy │ ├── artifacthub-pkg.yml │ └── time-bound-policy.yaml ├── topologyspreadconstraints-policy │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── podcontrollers-bad.yaml │ │ └── podcontrollers-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── resource-fail1.yaml │ │ ├── resource-fail2.yaml │ │ ├── resource-fail3.yaml │ │ ├── resource-pass.yaml │ │ └── resource-skip.yaml │ ├── artifacthub-pkg.yml │ └── topologyspreadconstraints-policy.yaml ├── unique-ingress-host-and-path │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ ├── ingress-good.yaml │ │ └── ingress.yaml │ ├── artifacthub-pkg.yml │ └── unique-ingress-host-and-path.yaml ├── unique-ingress-paths │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── ingress-bad.yaml │ │ ├── ingress-good.yaml │ │ └── ingress.yaml │ ├── artifacthub-pkg.yml │ └── unique-ingress-paths.yaml ├── update-image-tag │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── cluster-role.yaml │ │ ├── deploy.yaml │ │ ├── deploy00-patched-again.yaml │ │ ├── deploy00-patched.yaml │ │ ├── deploy01-patched-again.yaml │ │ ├── deploy01-patched.yaml │ │ ├── deploy02-patched-again.yaml │ │ ├── deploy02-patched.yaml │ │ ├── deploy03-not-patched.yaml │ │ ├── deploy04-not-patched.yaml │ │ ├── ns.yaml │ │ ├── policy-ready.yaml │ │ └── 
policy-update.yaml │ ├── artifacthub-pkg.yml │ └── update-image-tag.yaml ├── verify-image-cve-2022-42889 │ ├── artifacthub-pkg.yml │ └── verify-image-cve-2022-42889.yaml ├── verify-image-gcpkms │ ├── artifacthub-pkg.yml │ └── verify-image-gcpkms.yaml ├── verify-image-ivpol │ ├── .chainsaw-test │ │ ├── bad.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good.yaml │ │ └── policy-ready.yaml │ ├── artifacthub-pkg.yml │ └── verify-image-ivpol.yaml ├── verify-image-slsa │ ├── artifacthub-pkg.yml │ └── verify-image-slsa.yaml ├── verify-image-with-multi-keys │ ├── artifacthub-pkg.yml │ └── verify-image-with-multi-keys.yaml ├── verify-image │ ├── artifacthub-pkg.yml │ └── verify-image.yaml ├── verify-manifest-integrity │ ├── artifacthub-pkg.yml │ └── verify-manifest-integrity.yaml ├── verify-sbom-cyclonedx │ ├── artifacthub-pkg.yml │ └── verify-sbom-cyclonedx.yaml └── verify-vpa-target │ ├── .chainsaw-test │ ├── bad.yaml │ ├── chainsaw-test.yaml │ ├── good.yaml │ ├── policy-ready.yaml │ └── prereq.yaml │ ├── artifacthub-pkg.yml │ └── verify-vpa-target.yaml ├── pod-security-cel ├── baseline │ ├── disallow-capabilities │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-capabilities.yaml │ ├── disallow-host-namespaces │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-host-namespaces.yaml │ ├── disallow-host-path │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── 
podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-host-path.yaml │ ├── disallow-host-ports-range │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-host-ports-range.yaml │ ├── disallow-host-ports │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-host-ports.yaml │ ├── disallow-host-process │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-host-process.yaml │ ├── disallow-privileged-containers │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-privileged-containers.yaml │ ├── disallow-proc-mount │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-proc-mount.yaml 
│ ├── disallow-selinux │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-selinux.yaml │ ├── kustomization.yaml │ ├── restrict-seccomp │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── restrict-seccomp.yaml │ └── restrict-sysctls │ │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── restrict-sysctls.yaml └── restricted │ ├── disallow-capabilities-strict │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-capabilities-strict.yaml │ ├── disallow-privilege-escalation │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-privilege-escalation.yaml │ ├── kustomization.yaml │ ├── require-run-as-non-root-user │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── 
policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-run-as-non-root-user.yaml │ ├── require-run-as-nonroot │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── require-run-as-nonroot.yaml │ ├── restrict-seccomp-strict │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-seccomp-strict.yaml │ └── restrict-volume-types │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── pod-bad.yaml │ ├── pod-good.yaml │ ├── podcontroller-bad.yaml │ ├── podcontroller-good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-volume-types.yaml ├── pod-security ├── README.md ├── baseline │ ├── disallow-capabilities │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-capabilities.yaml │ ├── disallow-host-namespaces │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-host-namespaces.yaml │ ├── disallow-host-path │ │ ├── .chainsaw-test │ │ │ ├── 
chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-host-path.yaml │ ├── disallow-host-ports-range │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-host-ports-range.yaml │ ├── disallow-host-ports │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-host-ports.yaml │ ├── disallow-host-process │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-host-process.yaml │ ├── disallow-privileged-containers │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-privileged-containers.yaml │ ├── disallow-proc-mount │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ ├── 
podcontroller-good.yaml │ │ │ └── policy-ready.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-proc-mount.yaml │ ├── disallow-selinux │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-selinux.yaml │ ├── kustomization.yaml │ ├── restrict-apparmor-profiles │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── restrict-apparmor-profiles.yaml │ ├── restrict-seccomp │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── restrict-seccomp.yaml │ └── restrict-sysctls │ │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── restrict-sysctls.yaml ├── enforce │ └── kustomization.yaml ├── kustomization.yaml ├── restricted │ ├── disallow-capabilities-strict │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── 
.kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-capabilities-strict.yaml │ ├── disallow-privilege-escalation │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── disallow-privilege-escalation.yaml │ ├── kustomization.yaml │ ├── require-run-as-non-root-user │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── require-run-as-non-root-user.yaml │ ├── require-run-as-nonroot │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── require-run-as-nonroot.yaml │ ├── restrict-seccomp-strict │ │ ├── .chainsaw-test │ │ │ ├── chainsaw-step-01-assert-1.yaml │ │ │ ├── chainsaw-test.yaml │ │ │ ├── pod-bad.yaml │ │ │ ├── pod-good.yaml │ │ │ ├── podcontroller-bad.yaml │ │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ │ ├── kyverno-test.yaml │ │ │ └── resource.yaml │ │ ├── artifacthub-pkg.yml │ │ └── restrict-seccomp-strict.yaml │ └── restrict-volume-types │ │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ │ ├── 
artifacthub-pkg.yml │ │ └── restrict-volume-types.yaml └── subrule │ ├── podsecurity-subrule-baseline │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── podsecurity-subrule-baseline.yaml │ └── restricted │ ├── restricted-exclude-capabilities │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restricted-exclude-capabilities.yaml │ ├── restricted-exclude-seccomp │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restricted-exclude-seccomp.yaml │ └── restricted-latest │ ├── .chainsaw-test │ ├── chainsaw-step-01-assert-1.yaml │ ├── chainsaw-test.yaml │ ├── pod-bad.yaml │ ├── pod-good.yaml │ ├── podcontroller-bad.yaml │ └── podcontroller-good.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restricted-latest.yaml ├── psa-cel ├── add-psa-namespace-reporting │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── namespace-with-psa-labels.yaml │ │ ├── namespace-without-psa-labels.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── namespace-with-psa-labels.yaml │ │ └── namespace-without-psa-labels.yaml │ ├── add-psa-namespace-reporting.yaml │ └── artifacthub-pkg.yml └── deny-privileged-profile │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── cr.yaml │ ├── crb.yaml │ ├── ns-bad.yaml │ ├── ns-good.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── deny-privileged-profile.yaml ├── psa ├── add-privileged-existing-namespaces │ ├── 
.chainsaw-test │ │ ├── chainsaw-step-00-apply-1.yaml │ │ ├── chainsaw-step-01-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── not-patched-ns03.yaml │ │ ├── ns.yaml │ │ ├── patched-again-ns01.yaml │ │ ├── patched-again-ns02.yaml │ │ ├── patched-ns01.yaml │ │ ├── patched-ns02.yaml │ │ ├── policy-ready.yaml │ │ └── policy-update.yaml │ ├── add-privileged-existing-namespaces.yaml │ └── artifacthub-pkg.yml ├── add-psa-labels │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── ns.yaml │ │ ├── patched-ns01.yaml │ │ ├── patched-ns02.yaml │ │ ├── patched-ns03.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource.yaml │ │ ├── patchedResourcefail.yaml │ │ ├── resource.yaml │ │ └── resourcefail.yaml │ ├── add-psa-labels.yaml │ └── artifacthub-pkg.yml ├── add-psa-namespace-reporting │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── namespace-with-psa-labels.yaml │ │ ├── namespace-without-psa-labels.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── namespace-with-psa-labels.yaml │ │ └── namespace-without-psa-labels.yaml │ ├── add-psa-namespace-reporting.yaml │ └── artifacthub-pkg.yml └── deny-privileged-profile │ ├── .chainsaw-test │ ├── chainsaw-step-01-assert-1.yaml │ ├── chainsaw-step-03-apply-1.yaml │ ├── chainsaw-step-03-apply-2.yaml │ ├── chainsaw-test.yaml │ ├── ns-bad.yaml │ └── ns-good.yaml │ ├── .kyverno-test │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── deny-privileged-profile.yaml ├── psp-migration-cel ├── check-supplemental-groups │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── check-supplemental-groups.yaml ├── restrict-adding-capabilities │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── 
podcontroller-bad.yaml │ │ ├── podcontroller-good.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-adding-capabilities.yaml └── restrict-runtimeClassName │ ├── .chainsaw-test │ ├── bad-pods.yaml │ ├── chainsaw-test.yaml │ ├── good-pods.yaml │ ├── ns.yaml │ ├── policy-ready.yaml │ ├── runtimeclass-exp.yaml │ ├── runtimeclass-foo.yaml │ └── runtimeclass-prod.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-runtimeClassName.yaml ├── psp-migration ├── add-apparmor │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ └── resource-mutated.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ ├── patchedResource2.yaml │ │ └── resource.yaml │ ├── add-apparmor.yaml │ └── artifacthub-pkg.yml ├── add-capabilities │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── policy-ready.yaml │ │ └── resource-mutated.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ ├── patchedResource2.yaml │ │ └── resource.yaml │ ├── add-capabilities.yaml │ └── artifacthub-pkg.yml ├── add-runtimeClassName │ ├── .chainsaw-test │ │ ├── README.md │ │ ├── chainsaw-step-02-apply-1.yaml │ │ ├── chainsaw-step-02-apply-2.yaml │ │ ├── chainsaw-test.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource1.yaml │ │ └── resource.yaml │ ├── add-runtimeClassName.yaml │ └── artifacthub-pkg.yml ├── check-supplemental-groups │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── 
check-supplemental-groups.yaml ├── restrict-adding-capabilities │ ├── .chainsaw-test │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── pod-bad.yaml │ │ ├── pod-good.yaml │ │ ├── podcontroller-bad.yaml │ │ └── podcontroller-good.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-adding-capabilities.yaml └── restrict-runtimeClassName │ ├── .chainsaw-test │ ├── README.md │ ├── bad.yaml │ ├── chainsaw-step-02-apply-1.yaml │ ├── chainsaw-step-02-apply-2.yaml │ ├── chainsaw-step-02-apply-3.yaml │ ├── chainsaw-step-02-apply-4.yaml │ ├── chainsaw-test.yaml │ ├── good.yaml │ ├── policy-ready.yaml │ └── report.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── restrict-runtimeClassName.yaml ├── tekton-cel ├── block-tekton-task-runs │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── crd-assert.yaml │ │ ├── policy-ready.yaml │ │ └── taskrun.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── block-tekton-task-runs.yaml └── require-tekton-bundle │ ├── .chainsaw-test │ ├── bad-pipelinerun.yaml │ ├── bad-taskrun.yaml │ ├── chainsaw-test.yaml │ ├── crd-pipelinerun-assert.yaml │ ├── crd-taskrun-assert.yaml │ ├── good-pipelinerun.yaml │ ├── good-taskrun.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-tekton-bundle.yaml ├── tekton ├── block-tekton-task-runs │ ├── .chainsaw-test │ │ ├── chainsaw-step-00-assert-1.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── not-taskrun.yaml │ │ └── taskrun.yaml │ ├── artifacthub-pkg.yml │ └── block-tekton-task-runs.yaml ├── require-tekton-bundle │ ├── .chainsaw-test │ │ ├── bad-pipelinerun.yaml │ │ ├── bad-taskrun.yaml │ │ ├── chainsaw-step-00-assert-1.yaml │ │ ├── chainsaw-step-00-assert-2.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── 
good-pipelinerun.yaml │ │ └── good-taskrun.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-tekton-bundle.yaml ├── require-tekton-namespace-pipelinerun │ ├── .chainsaw-test │ │ ├── bad-pipelinerun.yaml │ │ ├── chainsaw-step-00-assert-1.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ ├── good-pipelinerun.yaml │ │ └── ns.yaml │ ├── .kyverno-test │ │ └── kyverno-test.yaml │ ├── artifacthub-pkg.yml │ └── require-tekton-namespace-pipelinerun.yaml ├── require-tekton-securitycontext │ ├── artifacthub-pkg.yml │ └── require-tekton-securitycontext.yaml ├── verify-tekton-pipeline-bundle-signatures │ ├── artifacthub-pkg.yml │ └── verify-tekton-pipeline-bundle-signatures.yaml ├── verify-tekton-taskrun-signatures │ ├── artifacthub-pkg.yml │ └── verify-tekton-taskrun-signatures.yaml └── verify-tekton-taskrun-vuln-scan │ ├── artifacthub-pkg.yml │ └── verify-tekton-taskrun-vuln-scan.yaml ├── traefik-cel └── disallow-default-tlsoptions │ ├── .chainsaw-test │ ├── chainsaw-test.yaml │ ├── cr.yaml │ ├── crb.yaml │ ├── crd-assert.yaml │ ├── policy-ready.yaml │ └── tlsoption.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-default-tlsoptions.yaml ├── traefik └── disallow-default-tlsoptions │ ├── .chainsaw-test │ ├── chainsaw-step-00-assert-1.yaml │ ├── chainsaw-step-01-assert-1.yaml │ ├── chainsaw-step-03-apply-1.yaml │ ├── chainsaw-step-03-apply-2.yaml │ ├── chainsaw-test.yaml │ └── tlsoption.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── disallow-default-tlsoptions.yaml ├── velero-cel ├── block-velero-restore │ ├── .chainsaw-test │ │ ├── bad-restore.yaml │ │ ├── chainsaw-test.yaml │ │ ├── crd-restore-assert.yaml │ │ ├── good-restore.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── block-velero-restore.yaml └── 
validate-cron-schedule │ ├── .chainsaw-test │ ├── bad-schedule.yaml │ ├── chainsaw-test.yaml │ ├── crd-schedule-assert.yaml │ ├── good-schedule.yaml │ └── policy-ready.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── validate-cron-schedule.yaml ├── velero ├── backup-all-volumes │ ├── .chainsaw-test │ │ ├── chainsaw-test.yaml │ │ ├── cronjob-patched.yaml │ │ ├── deploy-patched.yaml │ │ ├── ns.yaml │ │ ├── pod-not-patched02.yaml │ │ ├── pod-patched01.yaml │ │ ├── pod-patched03.yaml │ │ ├── pod-patched04.yaml │ │ ├── podcontroller.yaml │ │ ├── pods.yaml │ │ └── policy-ready.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ ├── patchedResource-fourth.yaml │ │ ├── patchedResource-third.yaml │ │ ├── patchedResource.yaml │ │ ├── resource.yaml │ │ └── values.yaml │ ├── artifacthub-pkg.yml │ └── backup-all-volumes.yaml ├── block-velero-restore │ ├── .chainsaw-test │ │ ├── bad-restore.yaml │ │ ├── chainsaw-step-00-assert-1.yaml │ │ ├── chainsaw-step-01-assert-1.yaml │ │ ├── chainsaw-test.yaml │ │ └── good-restore.yaml │ ├── .kyverno-test │ │ ├── kyverno-test.yaml │ │ └── resource.yaml │ ├── artifacthub-pkg.yml │ └── block-velero-restore.yaml └── validate-cron-schedule │ ├── .chainsaw-test │ ├── bad-schedule.yaml │ ├── chainsaw-step-00-assert-1.yaml │ ├── chainsaw-step-01-assert-1.yaml │ ├── chainsaw-test.yaml │ └── good-schedule.yaml │ ├── .kyverno-test │ ├── kyverno-test.yaml │ └── resources.yaml │ ├── artifacthub-pkg.yml │ └── validate-cron-schedule.yaml └── windows-security └── require-run-as-containeruser ├── .chainsaw-test ├── chainsaw-step-01-assert-1.yaml ├── chainsaw-test.yaml ├── pod-bad.yaml ├── pod-good.yaml ├── podcontroller-bad.yaml └── podcontroller-good.yaml ├── artifacthub-pkg.yml └── require-run-as-containeruser.yaml /.github/cherry-pick-bot.yml: -------------------------------------------------------------------------------- 1 | enabled: true 2 | preservePullRequestTitle: true 3 | 
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
# Dependabot version updates for the GitHub Actions this repository's CI uses.
# Update PRs still warrant review: an action runs with the permissions of the workflow that calls it.
1 | version: 2
2 | updates:
3 |   - package-ecosystem: github-actions
4 |     directories:
5 |       - /  # for this ecosystem "/" covers the workflow files under .github/workflows
6 |       - /.github/actions/*/  # glob for the local composite actions (run-tests, setup-env in the repository tree)
7 |     schedule:
8 |       interval: daily
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | settings.json
2 | .idea
3 | .DS_Store
4 | kubeconfig  # kubeconfig files commonly embed cluster credentials; this keeps a locally generated one out of commits. Matches only this exact name, not e.g. *.kubeconfig
5 | .hack/chainsaw-matrix/chainsaw-matrix  # presumably a locally built helper binary — confirm
6 | 
--------------------------------------------------------------------------------
/argo-cel/application-field-validation/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Partial ClusterPolicy object describing the expected state: a Ready condition that is "True".
# Presumably matched by a Chainsaw assert step so that fixtures are only applied once the policy
# is in effect — confirm in the sibling chainsaw-test.yaml.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: application-field-validation
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"  # condition status is a string in the Kubernetes API, hence the quotes
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-step-01-apply-1.yaml:
--------------------------------------------------------------------------------
# Namespace applied by a test step (per the file name); what is placed in it is not visible here.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: argo-rancher-cluster-ns
5 | 
--------------------------------------------------------------------------------
/argo/argo-cluster-generation-from-rancher-capi/.chainsaw-test/chainsaw-step-01-apply-2.yaml:
--------------------------------------------------------------------------------
# Second namespace applied by the same test step (per the file name).
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: argocd
5 | 
--------------------------------------------------------------------------------
/artifacthub-repo.yml:
--------------------------------------------------------------------------------
# Artifact Hub repository metadata file: repositoryID ties this Git repository to its
# Artifact Hub entry, and owners lists the people who may claim ownership of it there.
1 | ---
2 | repositoryID: 231d81b2-c91a-4a4b-907e-67c0a863e8fa
3 | owners:
4 |   - name: Chip Zoller
5 |     email: chipzoller@gmail.com
6 |   - name: Charles-Edouard Brétéché
7 |     email: charled.breteche@gmail.com
8 | 
--------------------------------------------------------------------------------
/aws-cel/require-encryption-aws-loadbalancers/.chainsaw-test/service-fail.yaml:
--------------------------------------------------------------------------------
# Negative fixture (per the file name): a LoadBalancer Service with no metadata.annotations.
# NOTE(review): the policy is outside this excerpt; presumably it expects an annotation that
# attaches a TLS certificate to the AWS load balancer — confirm against the policy file.
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: nginx-service
 5 | spec:
 6 |   selector:
 7 |     app: nginx
 8 |   ports:
 9 |     - port: 80
10 |       targetPort: 8080
11 |   type: LoadBalancer
--------------------------------------------------------------------------------
/aws/require-encryption-aws-loadbalancers/.chainsaw-test/service-fail.yaml:
--------------------------------------------------------------------------------
# Same negative fixture as the aws-cel variant: LoadBalancer Service without any annotations.
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: nginx-service
 5 | spec:
 6 |   selector:
 7 |     app: nginx
 8 |   ports:
 9 |     - port: 80
10 |       targetPort: 8080
11 |   type: LoadBalancer
--------------------------------------------------------------------------------
/best-practices-cel/disallow-default-namespace/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
# Namespace other than "default"; presumably where the compliant fixtures are created — confirm.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: not-default-ns
5 | 
6 | 
--------------------------------------------------------------------------------
/best-practices-cel/disallow-helm-tiller/.chainsaw-test/bad-pod.yaml:
--------------------------------------------------------------------------------
# Negative fixture (per the file name) for the disallow-helm-tiller policy.
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: badpod01-ht
 5 | spec:
 6 |   containers:
 7 |   - name: helm-tiller
 8 |     image: docker.io/tiller:latest  # image name contains "tiller" (the Helm v2 server component); presumably what the policy matches on — confirm
 9 | 
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation for ClusterPolicy disallow-helm-tiller (same shape as the first policy-ready.yaml).
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: disallow-helm-tiller
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/disallow-latest-tag/.chainsaw-test/good-pod.yaml:
--------------------------------------------------------------------------------
# Positive fixture (per the file name): the image carries an explicit, non-latest tag.
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: goodpod-ht
 5 | spec:
 6 |   containers:
 7 |   - name: busybox
 8 |     image: ghcr.io/kyverno/test-busybox:1.35  # a tag can still be re-pointed; pinning by digest is the stronger control and is not what this fixture exercises
 9 | 
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/disallow-latest-tag/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation for ClusterPolicy disallow-latest-tag.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: disallow-latest-tag
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/require-drop-all/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation; note the policy object is named drop-all-capabilities, not after its directory.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: drop-all-capabilities
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation for ClusterPolicy drop-cap-net-raw.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: drop-cap-net-raw
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/require-labels/.chainsaw-test/bad-pod-nolabel.yaml:
--------------------------------------------------------------------------------
# Negative fixture (per the file name): metadata carries a name only, no labels block at all.
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: badpod-nolabel
 5 | spec:
 6 |   containers:
 7 |   - name: busybox
 8 |     image: ghcr.io/kyverno/test-busybox:1.35
 9 | 
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/require-labels/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation for ClusterPolicy require-labels.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: require-labels
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation; the policy object is named require-requests-limits.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: require-requests-limits
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/require-probes/.chainsaw-test/bad-pod-nothing.yaml:
--------------------------------------------------------------------------------
# Negative fixture (per the file name): the container declares no liveness, readiness or startup probe.
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: badpod01
 5 |   labels:
 6 |     app: myapp
 7 | spec:
 8 |   containers:
 9 |   - name: busybox
10 |     image: ghcr.io/kyverno/test-busybox:1.35
11 | 
12 | 
--------------------------------------------------------------------------------
/best-practices-cel/require-probes/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation; the policy object is named require-pod-probes.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: require-pod-probes
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml:
--------------------------------------------------------------------------------
# Negative fixture (per the file name): the container has no securityContext, so
# readOnlyRootFilesystem is left unset and the root filesystem stays writable.
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: badpod02-roroot
 5 | spec:
 6 |   containers:
 7 |   - name: busybox
 8 |     image: ghcr.io/kyverno/test-busybox:1.35
 9 | 
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/require-ro-rootfs/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Partial ClusterPolicy object describing the expected state: a Ready condition that is "True".
# Presumably matched by a Chainsaw assert step so that fixtures are only applied once the policy
# is in effect — confirm in the sibling chainsaw-test.yaml.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: require-ro-rootfs
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"  # condition status is a string in the Kubernetes API, hence the quotes
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-false.yaml:
--------------------------------------------------------------------------------
# Negative fixture (per the file name): the image names an explicit registry host.
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: badpod01-registry
 5 | spec:
 6 |   containers:
 7 |   - name: k8s-nginx
 8 |     image: registry.k8s.io/nginx:1.7.9  # presumably a registry outside the policy's allow-list — the list itself is not visible here
 9 | 
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml:
--------------------------------------------------------------------------------
# Negative fixture (per the file name): the image reference has no registry host and no tag.
 1 | apiVersion: v1
 2 | kind: Pod
 3 | metadata:
 4 |   name: badpod04-registry
 5 | spec:
 6 |   containers:
 7 |   - name: k8s-nginx
 8 |     image: nginx  # a bare name is resolved by the container runtime against its default registry (typically Docker Hub), so an allow-list has to reject it explicitly
 9 | 
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/restrict-image-registries/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation for ClusterPolicy restrict-image-registries.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: restrict-image-registries
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/restrict-node-port/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation; the policy object is named restrict-nodeport.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: restrict-nodeport
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices-cel/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation; the policy object is named restrict-external-ips.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: restrict-external-ips
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices/add-network-policy/.chainsaw-test/old-resource.yaml:
--------------------------------------------------------------------------------
# Namespace fixture; "old" in the file name suggests it is created before the policy exists,
# to check that the generate rule does not act on it — confirm in chainsaw-test.yaml.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: bye-world-namespace
--------------------------------------------------------------------------------
/best-practices/add-network-policy/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation; the policy object is named add-networkpolicy.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: add-networkpolicy
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices/add-network-policy/.kyverno-test/resource.yaml:
--------------------------------------------------------------------------------
# Input Namespace for the Kyverno CLI test in this directory (per the .kyverno-test path).
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: hello-world-namespace
--------------------------------------------------------------------------------
/best-practices/add-networkpolicy-dns/.chainsaw-test/old-resource.yaml:
--------------------------------------------------------------------------------
# Namespace fixture; "old" in the file name suggests it is created before the policy exists,
# to check that the generate rule does not act on it — confirm in chainsaw-test.yaml.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: bye-world-namespace
--------------------------------------------------------------------------------
/best-practices/add-networkpolicy-dns/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Partial ClusterPolicy object describing the expected state: a Ready condition that is "True".
# Presumably matched by a Chainsaw assert step so that fixtures are only applied once the policy
# is in effect — confirm in the sibling chainsaw-test.yaml.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: add-networkpolicy-dns
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"  # condition status is a string in the Kubernetes API, hence the quotes
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices/add-networkpolicy-dns/.chainsaw-test/resource.yaml:
--------------------------------------------------------------------------------
# Namespace fixture; presumably the one created after the policy is ready — confirm.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: hello-world-namespace
--------------------------------------------------------------------------------
/best-practices/add-ns-quota/.chainsaw-test/notGeneratedResource.yaml:
--------------------------------------------------------------------------------
# Default-deny NetworkPolicy for bye-world-namespace: the empty podSelector selects every pod,
# and listing both policy types with no rules blocks all ingress and egress.
# NOTE(review): this is a NetworkPolicy inside the add-ns-quota test directory. If the test
# asserts that this object is absent, the check would pass regardless of what a quota policy
# generates — confirm against chainsaw-test.yaml that the intended resource kind is checked.
 1 | apiVersion: networking.k8s.io/v1
 2 | kind: NetworkPolicy
 3 | metadata:
 4 |   name: default-deny
 5 |   namespace: bye-world-namespace
 6 | spec:
 7 |   podSelector: {}
 8 |   policyTypes:
 9 |   - Ingress
10 |   - Egress
--------------------------------------------------------------------------------
/best-practices/add-ns-quota/.chainsaw-test/old-resource.yaml:
--------------------------------------------------------------------------------
# Namespace fixture matching the namespace named in notGeneratedResource.yaml.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: bye-world-namespace
--------------------------------------------------------------------------------
/best-practices/add-ns-quota/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation for ClusterPolicy add-ns-quota.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: add-ns-quota
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices/add-ns-quota/.kyverno-test/resource.yaml:
--------------------------------------------------------------------------------
# Input Namespace for the Kyverno CLI test in this directory (per the .kyverno-test path).
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: hello-world-namespace
--------------------------------------------------------------------------------
/best-practices/add-rolebinding/.chainsaw-test/ns-rb.yaml:
--------------------------------------------------------------------------------
# Namespace fixture; presumably the one in which a RoleBinding is expected to be generated — confirm.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: addrb-ns
--------------------------------------------------------------------------------
/best-practices/add-rolebinding/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
# Namespace fixture; the "bad-" prefix suggests the negative case — confirm in chainsaw-test.yaml.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: bad-addrb-ns
--------------------------------------------------------------------------------
/best-practices/add-rolebinding/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation for ClusterPolicy add-rolebinding.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: add-rolebinding
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices/add-safe-to-evict/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness expectation for ClusterPolicy add-safe-to-evict.
 1 | apiVersion: kyverno.io/v1
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: add-safe-to-evict
 5 | status:
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 | 
--------------------------------------------------------------------------------
/best-practices/disallow-cri-sock-mount/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # readiness fixtures and bad/good sample resources for best-practices, castai, cert-manager, cleanup and consul tests
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: disallow-container-sock-mounts  # policy name differs from the directory name (disallow-cri-sock-mount)
5 | status:  # matches only once the policy reports condition Ready="True"
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/disallow-default-namespace/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace  # a namespace other than "default", presumably for the passing resources
3 | metadata:
4 |   name: not-default-ns
5 |
--------------------------------------------------------------------------------
/best-practices/disallow-default-namespace/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: disallow-default-namespace
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: disallow-empty-ingress-host
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/disallow-helm-tiller/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: disallow-helm-tiller
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/disallow-latest-tag/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: disallow-latest-tag
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/require-drop-all/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: drop-all-capabilities  # policy name differs from the directory name (require-drop-all)
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/require-drop-cap-net-raw/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: drop-cap-net-raw
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/require-labels/.chainsaw-test/bad-pod-nolabel.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:  # no labels at all - presumably the case require-labels must reject
4 |   name: badpod-nolabel
5 | spec:
6 |   containers:
7 |   - name: busybox
8 |     image: ghcr.io/kyverno/test-busybox:1.35
--------------------------------------------------------------------------------
/best-practices/require-labels/.chainsaw-test/bad-pod-somelabel.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: badpod-somelabel
5 |   labels:
6 |     my.io/foo: bar  # a label is present, but presumably not the one the policy requires
7 | spec:
8 |   containers:
9 |   - name: busybox
10 |     image: ghcr.io/kyverno/test-busybox:1.35
--------------------------------------------------------------------------------
/best-practices/require-labels/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-labels
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/require-pod-requests-limits/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-requests-limits
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/require-probes/.chainsaw-test/bad-pod-nothing.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: badpod01
5 |   labels:
6 |     app: myapp
7 | spec:
8 |   containers:
9 |   - name: busybox  # container declares no liveness, readiness or startup probe
10 |     image: ghcr.io/kyverno/test-busybox:1.35
--------------------------------------------------------------------------------
/best-practices/require-probes/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-pod-probes
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/require-ro-rootfs/.chainsaw-test/bad-pod-nothing.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: badpod02-roroot
5 | spec:
6 |   containers:
7 |   - name: busybox  # no securityContext, so readOnlyRootFilesystem is left unset
8 |     image: ghcr.io/kyverno/test-busybox:1.35
--------------------------------------------------------------------------------
/best-practices/require-ro-rootfs/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-ro-rootfs
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/restrict-image-registries/.chainsaw-test/bad-pod-false.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: badpod01-registry
5 | spec:
6 |   containers:
7 |   - name: k8s-nginx
8 |     image: registry.k8s.io/nginx:1.7.9  # registry presumably outside the policy's allow-list - confirm against the policy
--------------------------------------------------------------------------------
/best-practices/restrict-image-registries/.chainsaw-test/bad-pod-noregistry.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: badpod04-registry
5 | spec:
6 |   containers:
7 |   - name: k8s-nginx
8 |     image: ghcr.io/kyverno/test-nginx  # NOTE(review): file is named "noregistry" but the image carries a ghcr.io prefix (and no tag) - confirm intent
--------------------------------------------------------------------------------
/best-practices/restrict-image-registries/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-image-registries
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/restrict-node-port/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-nodeport
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/best-practices/restrict-service-external-ips/.chainsaw-test/good-services.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: goodservice01-eip
5 | spec:  # no externalIPs field is set - presumably why restrict-external-ips admits it
6 |   selector:
7 |     app: MyApp
8 |   ports:
9 |   - protocol: TCP
10 |     port: 80
11 |     targetPort: 9376
--------------------------------------------------------------------------------
/best-practices/restrict-service-external-ips/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-external-ips
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/castai/add-castai-removal-disabled/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-castai-removal-disabled
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/cert-manager/limit-dnsnames/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: cert-manager-limit-dnsnames
5 | status:  # same readiness shape as the policy-ready files, under a step-numbered file name
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/cert-manager/limit-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: cert-manager-limit-duration
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/cert-manager/restrict-issuer/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: cert-manager-restrict-issuer
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/cleanup/cleanup-bare-pods/.chainsaw-test/chainsaw-step-02-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v2beta1
2 | kind: ClusterCleanupPolicy  # matched by kind and name only; no status conditions are checked in this fixture
3 | metadata:
4 |   name: clean-bare-pods
5 |
--------------------------------------------------------------------------------
/cleanup/cleanup-bare-pods/.chainsaw-test/pod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: bare-pod  # manifest sets no ownerReferences, i.e. the pod is not created through a controller
5 | spec:
6 |   containers:
7 |   - name: nginx
8 |     image: ghcr.io/kyverno/test-nginx:1.14.1
9 |
--------------------------------------------------------------------------------
/cleanup/cleanup-empty-replicasets/.chainsaw-test/chainsaw-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: ReplicaSet  # identifies one ReplicaSet by name and namespace; spec and status are not constrained
3 | metadata:
4 |   name: example-797bfc7b6f
5 |   namespace: default
6 |
--------------------------------------------------------------------------------
/consul-cel/enforce-min-tls-version/.chainsaw-test/mesh-bad.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: consul.hashicorp.com/v1alpha1
2 | kind: Mesh
3 | metadata:
4 |   name: badmesh01
5 | spec:
6 |   tls:
7 |     incoming:
8 |       tlsMinVersion: TLSv1_1  # TLS 1.1 floor for incoming traffic - the negative case for enforce-min-tls-version
--------------------------------------------------------------------------------
/consul-cel/enforce-min-tls-version/.chainsaw-test/mesh-good.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: consul.hashicorp.com/v1alpha1
2 | kind: Mesh
3 | metadata:
4 |   name: goodmesh01
5 | spec:
6 |   tls:
7 |     incoming:
8 |       tlsMinVersion: TLSv1_2  # TLS 1.2 floor - the positive case
--------------------------------------------------------------------------------
/consul-cel/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: enforce-min-tls-version
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/consul/enforce-min-tls-version/.chainsaw-test/mesh-bad.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: consul.hashicorp.com/v1alpha1
2 | kind: Mesh
3 | metadata:
4 |   name: badmesh01
5 | spec:
6 |   tls:
7 |     incoming:
8 |       tlsMinVersion: TLSv1_1  # same negative case as the consul-cel variant
--------------------------------------------------------------------------------
/consul/enforce-min-tls-version/.chainsaw-test/mesh-good.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: consul.hashicorp.com/v1alpha1
2 | kind: Mesh
3 | metadata:
4 |   name: goodmesh01
5 | spec:
6 |   tls:
7 |     incoming:
8 |       tlsMinVersion: TLSv1_2  # same positive case as the consul-cel variant
--------------------------------------------------------------------------------
/consul/enforce-min-tls-version/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # fixtures for the consul, external-secret-operator and flux source-verification tests follow
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: enforce-min-tls-version
5 | status:  # readiness fixture: matches only once the policy reports condition Ready="True"
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/external-secret-operator/add-external-secret-prefix/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace  # namespace named after the policy under test
3 | metadata:
4 |   name: add-external-secret-prefix
--------------------------------------------------------------------------------
/external-secret-operator/add-external-secret-prefix/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-external-secret-prefix
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/flux-cel/verify-flux-sources/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: flux-system
5 |
--------------------------------------------------------------------------------
/flux-cel/verify-flux-sources/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: verify-flux-sources
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-bucket.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1beta2
2 | kind: Bucket
3 | metadata:
4 |   name: bucket-bad
5 | spec:
6 |   interval: 5m0s
7 |   endpoint: minio.notmyorg.com  # endpoint host presumably outside the organisation the policy allows - confirm against the policy
8 |   bucketName: example
--------------------------------------------------------------------------------
/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-git.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: GitRepository
3 | metadata:
4 |   name: bad-gitrepo-01
5 | spec:
6 |   interval: 5m0s
7 |   url: https://github.com/notmyorg/podinfo  # repository under a GitHub org named "notmyorg": the untrusted-source case
--------------------------------------------------------------------------------
/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-helm.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1beta2
2 | kind: HelmRepository
3 | metadata:
4 |   name: bad-helmrepo-01
5 | spec:
6 |   interval: 5m0s
7 |   url: https://helmrepo.github.io/podinfo  # chart repository host presumably not on the policy's allow-list
--------------------------------------------------------------------------------
/flux-cel/verify-flux-sources/.chainsaw-test/repo-bad-image.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: image.toolkit.fluxcd.io/v1beta2
2 | kind: ImageRepository
3 | metadata:
4 |   name: imagerepo-bad
5 | spec:
6 |   image: nothing.io/notmyorg/  # image path under a foreign registry and org
7 |   interval: 1h
8 |   provider: generic
--------------------------------------------------------------------------------
/flux/generate-flux-multi-tenant-resources/.chainsaw-test/chainsaw-step-03-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     toolkit.fluxcd.io/tenant: ftenant  # tenant label; presumably what the generate policy matches on - confirm
6 |   name: flux-tenant-namespace
7 |
--------------------------------------------------------------------------------
/flux/generate-flux-multi-tenant-resources/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # fixtures for the flux image/source verification tests and the istio-cel namespace checks follow
2 | kind: Namespace
3 | metadata:
4 |   name: old-flux-tenant-namespace  # "old-" suggests a namespace that exists before the policy - confirm in chainsaw-test.yaml
5 |   labels:
6 |     toolkit.fluxcd.io/tenant: ftenant
--------------------------------------------------------------------------------
/flux/verify-flux-images/.chainsaw-test/pod-ghcr-helm-controller.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: pod-ghcr-helm-controller
5 | spec:
6 |   containers:
7 |   - name: pod-ghcr-helm-controller
8 |     image: ghcr.io/fluxcd/helm-controller:replacethistag  # placeholder tag - presumably substituted by the test before apply; confirm
--------------------------------------------------------------------------------
/flux/verify-flux-images/.chainsaw-test/pod-ghcr-source-controller.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: pod-ghcr-source-controller
5 | spec:
6 |   containers:
7 |   - name: pod-ghcr-source-controller
8 |     image: ghcr.io/fluxcd/source-controller:replacethistag  # same placeholder tag as the helm-controller fixture
--------------------------------------------------------------------------------
/flux/verify-flux-images/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: verify-flux-images
5 | status:  # readiness fixture: matches only once the policy reports condition Ready="True"
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/flux/verify-flux-sources/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: verify-flux-sources
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/flux/verify-flux-sources/.chainsaw-test/chainsaw-step-02-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: flux-system
5 |
--------------------------------------------------------------------------------
/flux/verify-flux-sources/.chainsaw-test/repo-bad-bucket.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1beta2
2 | kind: Bucket
3 | metadata:
4 |   name: bucket-bad
5 | spec:
6 |   interval: 5m0s
7 |   endpoint: minio.notmyorg.com  # endpoint host presumably outside the organisation the policy allows - confirm against the policy
8 |   bucketName: example
--------------------------------------------------------------------------------
/flux/verify-flux-sources/.chainsaw-test/repo-bad-git.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1
2 | kind: GitRepository
3 | metadata:
4 |   name: bad-gitrepo-01
5 | spec:
6 |   interval: 5m0s
7 |   url: https://github.com/notmyorg/podinfo  # repository under a GitHub org named "notmyorg": the untrusted-source case
--------------------------------------------------------------------------------
/flux/verify-flux-sources/.chainsaw-test/repo-bad-helm.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: source.toolkit.fluxcd.io/v1beta2
2 | kind: HelmRepository
3 | metadata:
4 |   name: bad-helmrepo-01
5 | spec:
6 |   interval: 5m0s
7 |   url: https://helmrepo.github.io/podinfo  # chart repository host presumably not on the policy's allow-list
--------------------------------------------------------------------------------
/flux/verify-flux-sources/.chainsaw-test/repo-bad-image.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: image.toolkit.fluxcd.io/v1beta2
2 | kind: ImageRepository
3 | metadata:
4 |   name: imagerepo-bad
5 | spec:
6 |   image: nothing.io/notmyorg/  # image path under a foreign registry and org
7 |   interval: 1h
8 |   provider: generic
--------------------------------------------------------------------------------
/flux/verify-git-repositories/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: verify-git-repositories
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio-injection: disabled  # explicit opt-out of sidecar injection
6 |   name: bad-istio-sinj01
--------------------------------------------------------------------------------
/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:  # no labels: the istio-injection label is absent
4 |   name: bad-istio-sinj03
--------------------------------------------------------------------------------
/istio-cel/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     foo: enabled  # value "enabled" under an unrelated key; the istio-injection label is still absent
6 |   name: bad-istio-sinj02
--------------------------------------------------------------------------------
/istio-cel/enforce-strict-mtls/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: enforce-strict-mtls
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # istio fixtures follow: namespaces applied in step 02, "patched-*" files (presumably the expected state after mutation), and bad-namespace cases
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio.io/dataplane-mode: ambient  # label already carries the value the patched-* files show
6 |   name: istio-test-en-ns
7 |
--------------------------------------------------------------------------------
/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio.io/dataplane-mode: other  # label present with a different value
6 |   name: istio-test-dis-ns
7 |
--------------------------------------------------------------------------------
/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:  # no labels at all
4 |   name: istio-test-none-ns
5 |
--------------------------------------------------------------------------------
/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     foo: bar  # unrelated label only
6 |   name: istio-test-alt-ns
7 |
--------------------------------------------------------------------------------
/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     foo: bar  # the label from step-02-apply-4 is still listed
6 |     istio.io/dataplane-mode: ambient
7 |   name: istio-test-alt-ns
--------------------------------------------------------------------------------
/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio.io/dataplane-mode: ambient  # step-02-apply-2 set "other" on this namespace; this state shows it overwritten
6 |   name: istio-test-dis-ns
--------------------------------------------------------------------------------
/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio.io/dataplane-mode: ambient
6 |   name: istio-test-en-ns
--------------------------------------------------------------------------------
/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio.io/dataplane-mode: ambient  # label added where step-02-apply-3 had none
6 |   name: istio-test-none-ns
--------------------------------------------------------------------------------
/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-ambient-mode-namespace
5 | status:  # readiness fixture: matches only once the policy reports condition Ready="True"
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/istio/add-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio-injection: enabled
6 |   name: istio-test-en-ns
7 |
--------------------------------------------------------------------------------
/istio/add-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio-injection: disabled  # explicit opt-out of sidecar injection
6 |   name: istio-test-dis-ns
7 |
--------------------------------------------------------------------------------
/istio/add-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: istio-test-none-ns
5 |
--------------------------------------------------------------------------------
/istio/add-sidecar-injection-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     foo: bar
6 |   name: istio-test-alt-ns
7 |
--------------------------------------------------------------------------------
/istio/add-sidecar-injection-namespace/.chainsaw-test/patched-ns-alt.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     foo: bar
6 |     istio-injection: enabled
7 |   name: istio-test-alt-ns
--------------------------------------------------------------------------------
/istio/add-sidecar-injection-namespace/.chainsaw-test/patched-ns-disabled.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio-injection: enabled  # step-02-apply-2 set "disabled" on this namespace; this state shows the opt-out overwritten
6 |   name: istio-test-dis-ns
--------------------------------------------------------------------------------
/istio/add-sidecar-injection-namespace/.chainsaw-test/patched-ns-enabled.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio-injection: enabled
6 |   name: istio-test-en-ns
--------------------------------------------------------------------------------
/istio/add-sidecar-injection-namespace/.chainsaw-test/patched-ns-none.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio-injection: enabled
6 |   name: istio-test-none-ns
--------------------------------------------------------------------------------
/istio/add-sidecar-injection-namespace/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-sidecar-injection-namespace
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/istio/create-authorizationpolicy/.chainsaw-test/chainsaw-step-05-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: istio-cr-authpol-ns
5 |
--------------------------------------------------------------------------------
/istio/create-authorizationpolicy/.chainsaw-test/chainsaw-step-06-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: security.istio.io/v1beta1
2 | kind: AuthorizationPolicy  # expected in the namespace created by step-05-apply-1
3 | metadata:
4 |   name: default-deny
5 |   namespace: istio-cr-authpol-ns
6 | spec: {}  # empty spec: an ALLOW policy with no rules, so no request to workloads in the namespace is allowed
7 |
--------------------------------------------------------------------------------
/istio/create-authorizationpolicy/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: create-authorizationpolicy
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio.io/dataplane-mode: other  # dataplane-mode label present but not "ambient"
6 |   name: bad-istio-amb01
--------------------------------------------------------------------------------
/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:  # no labels: the dataplane-mode label is absent
4 |   name: bad-istio-amb03
--------------------------------------------------------------------------------
/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     foo: enabled  # unrelated key; the dataplane-mode label is still absent
6 |   name: bad-istio-amb02
--------------------------------------------------------------------------------
/istio/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-disabled.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     istio-injection: disabled  # explicit opt-out of sidecar injection
6 |   name: bad-istio-sinj01
--------------------------------------------------------------------------------
/istio/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-nolabel.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:  # no labels: the istio-injection label is absent
4 |   name: bad-istio-sinj03
--------------------------------------------------------------------------------
/istio/enforce-sidecar-injection-namespace/.chainsaw-test/ns-bad-somelabel.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     foo: enabled  # value "enabled" under an unrelated key; the istio-injection label is still absent
6 |   name: bad-istio-sinj02
--------------------------------------------------------------------------------
/istio/enforce-strict-mtls/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: enforce-strict-mtls
5 | status:
6 |   conditions:
7 |   - reason: Succeeded  # Ready/Succeeded is the condition Kyverno reports once it has accepted the policy
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-step-01-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: istio-reqauthzpol-good-ns
5 |
--------------------------------------------------------------------------------
/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-step-01-apply-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: security.istio.io/v1beta1
2 | kind: AuthorizationPolicy
3 | metadata:
4 |   name: default-deny
5 |   namespace: istio-reqauthzpol-good-ns  # only the "good" namespace receives an AuthorizationPolicy
6 | spec: {}  # empty spec carries no allow rules, so Istio denies every request to workloads in this namespace
7 |
--------------------------------------------------------------------------------
/istio/require-authorizationpolicy/.chainsaw-test/chainsaw-step-01-apply-3.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: istio-reqauthzpol-bad-ns  # no AuthorizationPolicy is created for this namespace in the files shown here
5 |
--------------------------------------------------------------------------------
/istio/require-authorizationpolicy/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-authorizationpolicies
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-karpenter-donot-evict
5 | status:
6 |   conditions:
7 |   - reason: Succeeded  # Ready/Succeeded is the condition Kyverno reports once it has accepted the policy
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/karpenter/add-karpenter-nodeselector/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-karpenter-nodeselector
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: test
--------------------------------------------------------------------------------
/karpenter/set-karpenter-non-cpu-limits/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: set-karpenter-non-cpu-limits
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/karpenter/set-karpenter-non-cpu-limits/.kyverno-test/pod-memory-patched4.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: test4
5 |   namespace: test
6 | spec:
7 |   containers:
8 |   - name: test4
9 |     image: test/test:latest  # mutable tag; presumably never pulled, since this file sits under .kyverno-test
10 |     resources: {}  # no requests or limits; presumably the expected output for a pod the policy leaves unchanged - confirm against kyverno-test.yaml
11 |
--------------------------------------------------------------------------------
/kasten-cel/k10-data-protection-by-label/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: k10-dplabel-ns
--------------------------------------------------------------------------------
/kasten-cel/k10-data-protection-by-label/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: k10-data-protection-by-label
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/kasten-cel/k10-hourly-rpo/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: k10-policy-hourly-rpo  # policy name differs from its directory name (k10-hourly-rpo)
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/kasten/kasten-3-2-1-backup/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: kasten-3-2-1-backup-policy
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/kasten/kasten-data-protection-by-label/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: k10-dplabel-ns
--------------------------------------------------------------------------------
/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: kasten-io
5 |
--------------------------------------------------------------------------------
/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     dataprotection: gold  # presumably names the backup preset the generate rule keys on - confirm in the policy
6 |   name: k10-gp-label-ns01
7 |
--------------------------------------------------------------------------------
/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-3.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     dataprotection: silver
6 |   name: k10-gp-label-ns02
7 |
--------------------------------------------------------------------------------
/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-4.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     dataprotection: bronze
6 |   name: k10-gp-label-ns03
7 |
--------------------------------------------------------------------------------
/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-5.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   labels:
5 |     dataprotection: none  # label present with the value "none"; whether the policy treats it as an opt-out is not visible here
6 |   name: k10-gp-label-ns04
7 |
--------------------------------------------------------------------------------
/kasten/kasten-generate-policy-by-preset-label/.chainsaw-test/chainsaw-step-03-apply-6.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: k10-gp-label-ns05  # this namespace carries no labels at all
5 |
--------------------------------------------------------------------------------
/kasten/kasten-generate-policy-by-preset-label/.kyverno-test/test-resource.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: test-namespace
5 |   labels:
6 |     dataprotection: gold
--------------------------------------------------------------------------------
/kasten/kasten-hourly-rpo/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: kasten-hourly-rpo
5 | status:
6 |   conditions:
7 |   - reason: Succeeded  # Ready/Succeeded is the condition Kyverno reports once it has accepted the policy
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/kasten/kasten-hourly-rpo/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: test-namespace
5 |   labels:
6 |     appPriority: critical
7 | ---
8 | apiVersion: v1
9 | kind: Namespace
10 | metadata:
11 |   name: kasten-io
--------------------------------------------------------------------------------
/kasten/kasten-minimum-retention/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: kasten-minimum-retention
--------------------------------------------------------------------------------
/kasten/kasten-minimum-retention/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: kasten-minimum-retention
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/kubecost-cel/require-kubecost-labels/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-kubecost-labels
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/kubecost/require-kubecost-labels/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-kubecost-labels
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/chainsaw-step-01-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: kubeops-cluster-ns
5 |
--------------------------------------------------------------------------------
/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/chainsaw-step-01-apply-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: kubed
5 |
--------------------------------------------------------------------------------
/kubeops/config-syncer-secret-generation-from-rancher-capi/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: argo-rancher-cluster-ns
5 | ---
6 | apiVersion: v1
7 | kind: Namespace
8 | metadata:
9 |   name: argocd
--------------------------------------------------------------------------------
/kubevirt/add-services/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: k6t-add-services
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/kubevirt/enforce-instancetype/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: k6t-enforce-instancetype
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/linkerd-cel/prevent-linkerd-port-skipping/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: prevent-linkerd-port-skipping
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-02-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     foo: bar  # input: no Linkerd annotations yet
6 |   name: lmi-ns01
7 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-02-apply-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/proxy-await: enabled
6 |     linkerd.io/inject: enabled  # opts the namespace's pods into Linkerd proxy injection
7 |   name: lmi-ns02
8 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-02-apply-3.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/proxy-await: disabled
6 |     linkerd.io/inject: disabled  # input: both annotations explicitly disabled
7 |   name: lmi-ns03
8 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-02-apply-4.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/proxy-await: disabled  # input: only proxy-await set
6 |   name: lmi-ns04
7 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-02-apply-5.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     linkerd.io/inject: disabled  # input: only inject set
6 |   name: lmi-ns05
7 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-02-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/proxy-await: enabled  # expected: both Linkerd annotations added next to the existing foo: bar
6 |     foo: bar
7 |     linkerd.io/inject: enabled
8 |   name: lmi-ns01
9 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-02-assert-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/proxy-await: enabled
6 |     linkerd.io/inject: enabled
7 |   name: lmi-ns02
8 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-02-assert-3.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/proxy-await: disabled
6 |     linkerd.io/inject: disabled  # expected: identical to chainsaw-step-02-apply-3.yaml, explicit values are not overwritten
7 |   name: lmi-ns03
8 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-02-assert-4.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/proxy-await: disabled  # kept as supplied in chainsaw-step-02-apply-4.yaml
6 |     linkerd.io/inject: enabled  # expected: the missing annotation is filled in
7 |   name: lmi-ns04
8 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/chainsaw-step-02-assert-5.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/proxy-await: enabled  # expected: the missing annotation is filled in
6 |     linkerd.io/inject: disabled  # kept from chainsaw-step-02-apply-5.yaml: a pre-set "disabled" keeps the namespace out of the mesh
7 |   name: lmi-ns05
8 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-mesh-injection/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-linkerd-mesh-injection
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-policy-annotation/.chainsaw-test/chainsaw-step-02-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     foo: bar  # input: no default-inbound-policy annotation
6 |   name: lpa-ns01
7 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-policy-annotation/.chainsaw-test/chainsaw-step-02-apply-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/default-inbound-policy: allow  # input: annotation already set to a permissive value
6 |   name: lpa-ns02
7 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-policy-annotation/.chainsaw-test/chainsaw-step-02-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/default-inbound-policy: deny  # expected: "deny" is added because lpa-ns01 had no such annotation
6 |     foo: bar
7 |   name: lpa-ns01
8 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-policy-annotation/.chainsaw-test/chainsaw-step-02-assert-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     config.linkerd.io/default-inbound-policy: allow  # expected: the existing "allow" is kept; the policy only fills in a default and does not enforce deny
6 |   name: lpa-ns02
7 |
--------------------------------------------------------------------------------
/linkerd/add-linkerd-policy-annotation/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-linkerd-policy-annotation
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/linkerd/check-linkerd-authorizationpolicy/.chainsaw-test/server.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: policy.linkerd.io/v1beta1
2 | kind: Server
3 | metadata:
4 |   name: authors
5 | spec:
6 |   podSelector:
7 |     matchLabels:
8 |       app: emoji-svc
9 |   port: grpc  # a named port, not a number; must match a port name on the selected pods
10 |   proxyProtocol: gRPC
--------------------------------------------------------------------------------
/linkerd/require-linkerd-server/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-linkerd-server
5 | status:
6 |   conditions:
7 |   - reason: Succeeded  # Ready/Succeeded is the condition Kyverno reports once it has accepted the policy
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/linkerd/require-linkerd-server/.chainsaw-test/server.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: policy.linkerd.io/v1beta1
2 | kind: Server
3 | metadata:
4 |   name: reqserver
5 | spec:
6 |   podSelector:
7 |     matchLabels:
8 |       app: bbserver
9 |   port: grpc
10 |   proxyProtocol: gRPC
--------------------------------------------------------------------------------
/nginx-ingress-cel/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-bad.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 |   allow-snippet-annotations: "true"  # negative fixture: lets Ingress authors add raw NGINX configuration through *-snippet annotations
4 | kind: ConfigMap
5 | metadata:
6 |   name: config-map-true
7 |
--------------------------------------------------------------------------------
/nginx-ingress-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-annotations
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/nginx-ingress-cel/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-ingress-paths
5 | status:
6 |   conditions:
7 |   - reason: Succeeded  # Ready/Succeeded is the condition Kyverno reports once it has accepted the policy
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/nginx-ingress/disallow-ingress-nginx-custom-snippets/.chainsaw-test/cm-bad.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 |   allow-snippet-annotations: "true"  # negative fixture: lets Ingress authors add raw NGINX configuration through *-snippet annotations
4 | kind: ConfigMap
5 | metadata:
6 |   name: config-map-true
7 |
--------------------------------------------------------------------------------
/nginx-ingress/restrict-annotations/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-annotations
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/nginx-ingress/restrict-ingress-paths/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-ingress-paths
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/openshift-cel/check-routes/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: check-routes
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/openshift-cel/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-good.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: Role
3 | metadata:
4 |   name: good-role01
5 | rules:
6 | - apiGroups: [""]
7 |   resources: ["pods"]
8 |   verbs: ["get", "watch", "list"]  # read-only verbs on pods; the rule does not mention securitycontextconstraints
--------------------------------------------------------------------------------
/openshift/check-routes/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: check-routes
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/clusterroles-good.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: ClusterRole
3 | metadata:
4 |   name: crole-good01
5 | rules:
6 | - apiGroups: [""]
7 |   resources: ["secrets"]  # "good" only with respect to the anyuid policy; cluster-wide read on secrets is still broad access
8 |   verbs: ["get", "watch", "list"]
--------------------------------------------------------------------------------
/openshift/disallow-security-context-constraint-anyuid/.chainsaw-test/roles-good.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: rbac.authorization.k8s.io/v1
2 | kind: Role
3 | metadata:
4 |   name: good-role01
5 | rules:
6 | - apiGroups: [""]
7 |   resources: ["pods"]
8 |   verbs: ["get", "watch", "list"]
--------------------------------------------------------------------------------
/openshift/team-validate-ns-name/.kyverno-test/resource.yaml:
--------------------------------------------------------------------------------
1 | ### Namespace good
2 | ---
3 | apiVersion: v1
4 | kind: Namespace
5 | metadata:
6 |   name: team1-test
7 | ### Namespace bad
8 | ---
9 | apiVersion: v1
10 | kind: Namespace
11 | metadata:
12 |   name: test-namespace
13 |
--------------------------------------------------------------------------------
/openshift/unique-routes/.kyverno-test/mock.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: cli.kyverno.io/v1alpha1
2 | kind: Values
3 | policies:
4 | - name: unique-routes
5 |   rules:
6 |   - name: require-unique-routes
7 |     values:
8 |       hosts: '["hello-openshift-bad.mydomain"]'  # mocked value for the rule's hosts variable: a JSON list encoded as a string
9 |
--------------------------------------------------------------------------------
/other-cel/advanced-restrict-image-registries/.chainsaw-test/cm.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 |   registries: ghcr.io/  # trailing slash; presumably compared as an image-name prefix - confirm in the policy
4 | kind: ConfigMap
5 | metadata:
6 |   name: clusterregistries
7 |   namespace: default
8 |
--------------------------------------------------------------------------------
/other-cel/advanced-restrict-image-registries/.chainsaw-test/ns-01.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     corp.com/allowed-registries: img.corp.com/  # per-namespace registry value; anyone who can edit Namespace annotations can change it
6 |   name: imageregistries-ns01
7 |
--------------------------------------------------------------------------------
/other-cel/advanced-restrict-image-registries/.chainsaw-test/ns-02.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     corp.com/allowed-registries: docker.io/
6 |   name: imageregistries-ns02
7 |
--------------------------------------------------------------------------------
/other-cel/allowed-annotations/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: allowed-annotations
5 | status:
6 |   conditions:
7 |   - reason: Succeeded  # Ready/Succeeded is the condition Kyverno reports once it has accepted the policy
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/allowed-pod-priorities/.chainsaw-test/cm.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 |   pod-priority-ns: "high, medium, low"  # data keys are the namespace names created in ns.yaml; the value is a comma-separated list
4 |   no-priority-ns: foo
5 | kind: ConfigMap
6 | metadata:
7 |   name: allowed-pod-priorities
8 |   namespace: default
9 |
10 |
--------------------------------------------------------------------------------
/other-cel/allowed-pod-priorities/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: pod-priority-ns
5 | ---
6 | apiVersion: v1
7 | kind: Namespace
8 | metadata:
9 |   name: no-priority-ns
10 |
11 |
--------------------------------------------------------------------------------
/other-cel/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: allowed-podpriorities  # policy name is spelled without the hyphen used in the directory name
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/block-ephemeral-containers/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: block-ephemeral-ns
5 |
6 |
--------------------------------------------------------------------------------
/other-cel/check-env-vars/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: check-env-vars
5 | status:
6 |   conditions:
7 |   - reason: Succeeded  # Ready/Succeeded is the condition Kyverno reports once it has accepted the policy
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 |   name: bad-svc-account-02
5 |   namespace: default
6 | secrets:  # negative fixture: the ServiceAccount references a Secret, presumably a long-lived Secret-based token
7 |   - name: example-automated-thing-token-zyxwv
8 |
9 |
--------------------------------------------------------------------------------
/other-cel/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 |   name: good-svc-account  # positive fixture: no secrets field at all
5 |   namespace: default
6 |
7 |
--------------------------------------------------------------------------------
/other-cel/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: deny-commands-in-exec-probe
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
--------------------------------------------------------------------------------
/other-cel/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 |   name: bad-secret
5 |   annotations:
6 |     kubernetes.io/service-account.name: build-robot  # names the ServiceAccount the token is issued for
7 | type: kubernetes.io/service-account-token  # negative fixture: this Secret type makes the control plane populate a non-expiring token
8 |
9 |
--------------------------------------------------------------------------------
/other-cel/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # fixture named "good": presumably passes only because the type is not service-account-token
2 | kind: Secret
3 | metadata:
4 |   name: good-secret
5 | type: kubernetes.io/basic-auth
6 | stringData:
7 |   username: admin
8 |   password: t0p-Secret  # sample test value written in plaintext stringData; "good" here says nothing about how credentials should be stored
9 |
10 |
--------------------------------------------------------------------------------
/other-cel/disallow-all-secrets/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # expected state, presumably asserted by the chainsaw test: the policy reports Ready=True
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: no-secrets  # policy name differs from the directory name (disallow-all-secrets)
5 | status:  # only the Ready condition is listed; nothing about the policy's rules is pinned by this file
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/disallow-localhost-services/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: no-localhost-service  # policy name differs from the directory name
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/disallow-localhost-services/.chainsaw-test/svc-bad.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # fixture named "bad" for disallow-localhost-services
2 | kind: Service
3 | metadata:
4 |   name: badsvc01
5 | spec:
6 |   type: ExternalName
7 |   externalName: localhost  # ExternalName pointing at localhost; presumably the value no-localhost-service rejects
8 |
9 |
--------------------------------------------------------------------------------
/other-cel/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: docker-socket-check  # policy name differs from the directory name
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/enforce-pod-duration/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: pod-lifetime  # policy name differs from the directory name
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/ensure-probes-different/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Namespace for this test's resources (presumably; the test steps are not shown here)
2 | kind: Namespace
3 | metadata:
4 |   name: ensure-probes-different-ns
5 |
6 |
--------------------------------------------------------------------------------
/other-cel/ensure-probes-different/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: validate-probes  # policy name differs from the directory name
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy ensure-readonly-hostpath
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: ensure-readonly-hostpath
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/exclude-namespaces-dynamically/.chainsaw-test/cm.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # ConfigMap default/namespace-filters; cmap.yaml defines the same name and namespace with a different value format
2 | data:
3 |   exclude: "exclude-ns, exclude-ns-2"  # comma-separated string; which of the two formats the policy parses is not visible here
4 | kind: ConfigMap
5 | metadata:
6 |   name: namespace-filters
7 |   namespace: default
--------------------------------------------------------------------------------
/other-cel/exclude-namespaces-dynamically/.chainsaw-test/cmap.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # second definition of ConfigMap default/namespace-filters
2 | kind: ConfigMap
3 | metadata:
4 |   name: namespace-filters
5 |   namespace: default
6 | data:
7 |   exclude: "[\"default\", \"test\"]"  # JSON array encoded as a string
8 |
--------------------------------------------------------------------------------
/other-cel/exclude-namespaces-dynamically/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # two Namespaces whose names match the entries in cm.yaml's exclude value
2 | kind: Namespace
3 | metadata:
4 |   name: exclude-ns
5 | ---
6 | apiVersion: v1
7 | kind: Namespace
8 | metadata:
9 |   name: exclude-ns-2
--------------------------------------------------------------------------------
/other-cel/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy forbid-cpu-limits
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: forbid-cpu-limits
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy imagepullpolicy-always
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: imagepullpolicy-always
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy ingress-host-match-tls
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: ingress-host-match-tls
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy limit-containers-per-pod
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: limit-containers-per-pod
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy limit-hostpath-type-pv
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: limit-hostpath-type-pv
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy limit-hostpath-vols
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: limit-hostpath-vols
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
--------------------------------------------------------------------------------
/other-cel/limit-hostpath-vols/.kyverno-test/values.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: cli.kyverno.io/v1alpha1  # Kyverno CLI test values for policy limit-hostpath-vols
2 | kind: Values
3 | policies:
4 | - name: limit-hostpath-vols
5 |   resources:
6 |   - name: bad-pods-all
7 |     values:
8 |       request.operation: UPDATE  # resource bad-pods-all is evaluated with the operation set to UPDATE
9 |
--------------------------------------------------------------------------------
/other-cel/metadata-match-regex/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy metadata-match-regex
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: metadata-match-regex
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: policy/v1  # fixture named "bad" for pdb-maxunavailable
2 | kind: PodDisruptionBudget
3 | metadata:
4 |   name: badpdb01
5 | spec:
6 |   maxUnavailable: 0  # presumably the value the policy rejects
7 |
8 |
--------------------------------------------------------------------------------
/other-cel/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy pdb-maxunavailable
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: pdb-maxunavailable
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/prevent-bare-pods/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Namespace for this test; its name says "naked" where the policy directory says "bare"
2 | kind: Namespace
3 | metadata:
4 |   name: prevent-naked-pods-ns
5 |
6 |
--------------------------------------------------------------------------------
/other-cel/prevent-bare-pods/.chainsaw-test/pod-bad.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # fixture named "bad": a Pod written without metadata.ownerReferences
2 | kind: Pod
3 | metadata:
4 |   name: badpod01
5 | spec:
6 |   containers:
7 |   - name: busybox
8 |     image: ghcr.io/kyverno/test-busybox:1.35
9 |
10 |
--------------------------------------------------------------------------------
/other-cel/prevent-bare-pods/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy prevent-bare-pods
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: prevent-bare-pods
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/prevent-cr8escape/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy prevent-cr8escape
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: prevent-cr8escape
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
--------------------------------------------------------------------------------
/other-cel/require-annotations/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy require-annotations
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-annotations
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/require-image-checksum/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy require-image-checksum
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-image-checksum
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/require-ingress-https/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy require-ingress-https
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-ingress-https
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/require-non-root-groups/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # expected state, presumably asserted by the chainsaw test: the policy reports Ready=True
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-non-root-groups
5 | status:  # only the Ready condition is listed; nothing about the policy's rules is pinned by this file
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
--------------------------------------------------------------------------------
/other-cel/require-pod-priorityclassname/.chainsaw-test/pc.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: scheduling.k8s.io/v1  # PriorityClass "high", the class pod-good.yaml refers to
2 | kind: PriorityClass
3 | metadata:
4 |   name: high
5 | value: 1234
6 | globalDefault: false
7 | description: "This priority class should be used for XYZ service pods only."
8 |
9 |
--------------------------------------------------------------------------------
/other-cel/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # fixture named "good": a Pod that sets spec.priorityClassName
2 | kind: Pod
3 | metadata:
4 |   name: goodpod01
5 | spec:
6 |   containers:
7 |   - name: busybox
8 |     image: ghcr.io/kyverno/test-busybox:1.35
9 |   priorityClassName: high  # matches the PriorityClass name in pc.yaml
10 |
11 |
--------------------------------------------------------------------------------
/other-cel/require-qos-burstable/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy require-qos-burstable
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-qos-burstable
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy require-qos-guaranteed
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-qos-guaranteed
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
--------------------------------------------------------------------------------
/other-cel/require-storageclass/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy require-storageclass
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: require-storageclass
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/restrict-annotations/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy restrict-annotations
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-annotations
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/restrict-deprecated-registry/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Namespace for this test's resources (presumably; the test steps are not shown here)
2 | kind: Namespace
3 | metadata:
4 |   name: dep-registry-ns
5 |
6 |
--------------------------------------------------------------------------------
/other-cel/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy restrict-ingress-classes
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-ingress-classes
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/restrict-jobs/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy restrict-jobs
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-jobs
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/other-cel/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: no-loadbalancer-service  # policy name differs from the directory name (restrict-loadbalancer)
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/restrict-loadbalancer/.chainsaw-test/svc-bad.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # fixture named "bad" for restrict-loadbalancer
2 | kind: Service
3 | metadata:
4 |   name: badsvc01
5 | spec:
6 |   selector:
7 |     app: nginx
8 |   ports:
9 |   - port: 80
10 |     targetPort: 80
11 |   type: LoadBalancer  # presumably the value no-loadbalancer-service rejects
12 |
13 |
--------------------------------------------------------------------------------
/other-cel/restrict-node-affinity/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy restrict-node-affinity
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-node-affinity
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy restrict-node-label-creation
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-node-label-creation
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-good-update.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1  # partial Deployment (no selector, no containers); named as the update that should be accepted
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app: busybox
6 |   name: deployment01
7 | spec:
8 |   template:
9 |     spec:
10 |       restartPolicy: Always  # the only pod-template field set here; serviceAccountName is not touched
--------------------------------------------------------------------------------
/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Namespace that sa-01.yaml and sa-02.yaml place their ServiceAccounts in
2 | kind: Namespace
3 | metadata:
4 |   name: restrict-sa-ns
5 |
--------------------------------------------------------------------------------
/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/sa-01.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # first of two ServiceAccounts in restrict-sa-ns
2 | kind: ServiceAccount
3 | metadata:
4 |   name: serviceaccount01
5 |   namespace: restrict-sa-ns
6 |
--------------------------------------------------------------------------------
/other-cel/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/sa-02.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # second ServiceAccount; presumably the one a rejected update would switch to
2 | kind: ServiceAccount
3 | metadata:
4 |   name: serviceaccount02
5 |   namespace: restrict-sa-ns
6 |
--------------------------------------------------------------------------------
/other-cel/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy restrict-secrets-by-name
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-secrets-by-name
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/restrict-storageclass/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy restrict-storageclass
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-storageclass
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other-cel/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy restrict-wildcard-verbs
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: restrict-wildcard-verbs
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
12 |
--------------------------------------------------------------------------------
/other/add-certificates-volume/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Namespace for this test's resources (presumably; the test steps are not shown here)
2 | kind: Namespace
3 | metadata:
4 |   name: other-certvol-ns
--------------------------------------------------------------------------------
/other/add-certificates-volume/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-certificates-volume
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-certificates-volume
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/add-certificates-volume/.kyverno-test/resource.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Kyverno CLI test input Pod
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     app: myapp
6 |   annotations:
7 |     inject-certs: enabled  # presumably the opt-in annotation the mutate policy keys on
8 |   name: mypod
9 | spec:
10 |   containers:
11 |   - image: nginx:latest  # mutable tag; the image is only test input here
12 |     name: nginx
13 |
--------------------------------------------------------------------------------
/other/add-default-resources/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-default-resources
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-default-resources
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/add-default-securitycontext/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-default-securitycontext
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-default-securitycontext
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/add-default-securitycontext/.kyverno-test/resource.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Kyverno CLI test input Pod; it sets no securityContext at pod or container level
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod
5 |   labels:
6 |     foo: bar
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx:latest
11 |
--------------------------------------------------------------------------------
/other/add-emptydir-sizelimit/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Namespace named after the policy
2 | kind: Namespace
3 | metadata:
4 |   name: add-emptydir-sizelimit
--------------------------------------------------------------------------------
/other/add-emptydir-sizelimit/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-emptydir-sizelimit
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-emptydir-sizelimit
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/other/add-env-vars-from-cm/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-env-vars-from-cm
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-env-vars-from-cm
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/add-image-as-env-var/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Namespace named after the policy
2 | kind: Namespace
3 | metadata:
4 |   name: add-image-as-env-var
--------------------------------------------------------------------------------
/other/add-image-as-env-var/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-image-as-env-var
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-image-as-env-var
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/other/add-image-as-env-var/.kyverno-test/patched-pod02.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # presumably the expected result of the mutation for pod02
2 | kind: Pod
3 | metadata:
4 |   name: pod02
5 | spec:
6 |   containers:
7 |   - name: busybox
8 |     image: ghcr.io/busybox:1.35
9 |     env:
10 |     - name: K8S_IMAGE
11 |       value: ghcr.io/busybox:1.35  # equals the container's image string on line 8
--------------------------------------------------------------------------------
/other/add-imagepullsecrets-for-containers-and-initcontainers/.kyverno-test/patchedResource4.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # presumably an expected result; no imagePullSecrets appear on this Pod
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod-4
5 | spec:
6 |   containers:
7 |   - name: nginx
8 |     image: nginx:latest
--------------------------------------------------------------------------------
/other/add-imagepullsecrets/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-imagepullsecrets
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-imagepullsecrets
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/add-imagepullsecrets/.kyverno-test/patchedResource1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # presumably the expected result for myapp-pod-1
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod-1
5 | spec:
6 |   containers:
7 |   - name: nginx
8 |     image: corp.reg.com/nginx:latest
9 |   imagePullSecrets:  # present on the Pod whose image comes from corp.reg.com
10 |   - name: my-secret
--------------------------------------------------------------------------------
/other/add-imagepullsecrets/.kyverno-test/patchedResource2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # contrast case: image without the corp.reg.com prefix, and no imagePullSecrets
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod-2
5 | spec:
6 |   containers:
7 |   - name: nginx
8 |     image: nginx:latest
--------------------------------------------------------------------------------
/other/add-imagepullsecrets/.kyverno-test/patchedResource3.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # same shape as patchedResource1.yaml, for myapp-pod-3
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod-3
5 | spec:
6 |   containers:
7 |   - name: nginx
8 |     image: corp.reg.com/nginx:latest
9 |   imagePullSecrets:
10 |   - name: my-secret
--------------------------------------------------------------------------------
/other/add-labels/.chainsaw-test/cm-patched.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # cm.yaml plus one label; presumably the expected state after mutation
2 | data:
3 |   key: label
4 | kind: ConfigMap
5 | metadata:
6 |   name: cm01
7 |   labels:
8 |     bar: foo
9 |     foo: bar  # the label that cm.yaml does not have
--------------------------------------------------------------------------------
/other/add-labels/.chainsaw-test/cm.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # input ConfigMap cm01, carrying only the bar: foo label
2 | data:
3 |   key: label
4 | kind: ConfigMap
5 | metadata:
6 |   name: cm01
7 |   labels:
8 |     bar: foo
--------------------------------------------------------------------------------
/other/add-labels/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # expected state, presumably asserted by the chainsaw test: the policy reports Ready=True
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-labels
5 | status:  # only the Ready condition is listed; nothing about the policy's rules is pinned by this file
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/add-labels/.chainsaw-test/secret-patched.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # lists labels and name only; the data field of secret.yaml is not repeated here
2 | kind: Secret
3 | metadata:
4 |   labels:
5 |     bar: foo
6 |     foo: bar  # the label that secret.yaml does not have
7 |   name: secret01
--------------------------------------------------------------------------------
/other/add-labels/.chainsaw-test/secret.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # input Secret secret01, carrying only the bar: foo label
2 | data:
3 |   key: bGFiZWw=  # base64 of the string "label"; an encoding, not encryption
4 | kind: Secret
5 | metadata:
6 |   labels:
7 |     bar: foo
8 |   name: secret01
--------------------------------------------------------------------------------
/other/add-labels/.chainsaw-test/svc.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Service svc01 with label app: nginx; how the test uses it is not visible here
2 | kind: Service
3 | metadata:
4 |   labels:
5 |     app: nginx
6 |   name: svc01
7 | spec:
8 |   ports:
9 |   - port: 80
10 |     protocol: TCP
11 |     targetPort: 80
12 |   selector:
13 |     run: nginx
14 |   type: ClusterIP
--------------------------------------------------------------------------------
/other/add-labels/.kyverno-test/patchedResource.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # presumably the expected result for the CLI test: Pod carrying foo: bar
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod
5 |   labels:
6 |     foo: bar
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx:latest
11 |
--------------------------------------------------------------------------------
/other/add-ndots/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-ndots
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-ndots
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/add-ndots/.kyverno-test/resource.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Kyverno CLI test input Pod; it sets no dnsConfig
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod
5 |   labels:
6 |     foo: bar
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx:latest
--------------------------------------------------------------------------------
/other/add-node-affinity/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Namespace named after the policy
2 | kind: Namespace
3 | metadata:
4 |   name: add-node-affinity
--------------------------------------------------------------------------------
/other/add-node-affinity/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-node-affinity
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-node-affinity
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/other/add-node-labels-pod/.chainsaw-test/chainsaw-step-02-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # no metadata.name is given; presumably matched against any Node carrying this label
2 | kind: Node
3 | metadata:
4 |   labels:
5 |     foo: bar
6 |
--------------------------------------------------------------------------------
/other/add-node-labels-pod/.chainsaw-test/pod-patched01.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # presumably the expected Pod after mutation
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     app: busybox
6 |     foo: bar  # same key and value as the Node label in chainsaw-step-02-assert-1.yaml
7 |   name: pod01
8 | spec:
9 |   containers:
10 |   - name: busybox
11 |     image: ghcr.io/kyverno/test-busybox:1.35
--------------------------------------------------------------------------------
/other/add-node-labels-pod/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-node-labels-pod
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-node-labels-pod
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/other/add-nodeSelector/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-nodeselector  # all lower case, unlike the add-nodeSelector directory name
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/add-nodeSelector/.kyverno-test/patchedResource.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # resource.yaml plus a nodeSelector; presumably the expected result of the mutation
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod
5 | spec:
6 |   containers:
7 |   - image: nginx:latest
8 |     name: nginx
9 |   nodeSelector:  # the block that resource.yaml does not have
10 |     foo: bar
11 |     color: orange
12 |
--------------------------------------------------------------------------------
/other/add-nodeSelector/.kyverno-test/resource.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # input Pod without a nodeSelector
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod
5 | spec:
6 |   containers:
7 |   - name: nginx
8 |     image: nginx:latest
--------------------------------------------------------------------------------
/other/add-pod-priorityclassname/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-pod-priorityclassname
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-pod-priorityclassname
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/other/add-pod-priorityclassname/.kyverno-test/values.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: cli.kyverno.io/v1alpha1  # Kyverno CLI test values: labels assigned to two namespaces for the test run
2 | kind: Values
3 | namespaceSelector:
4 | - labels:
5 |     env: foo
6 |   name: foo
7 | - labels:
8 |     env: production
9 |   name: production
10 |
--------------------------------------------------------------------------------
/other/add-pod-proxies/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-pod-proxies
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-pod-proxies
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/add-tolerations/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # Namespace named after the policy
2 | kind: Namespace
3 | metadata:
4 |   name: add-tolerations
--------------------------------------------------------------------------------
/other/add-tolerations/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-tolerations
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-tolerations
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/other/add-ttl-jobs/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # same Ready=True expectation, policy add-ttl-jobs
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-ttl-jobs
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/add-volume-deployment/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # partial object: only the policy name and its Ready condition are listed
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: add-volume
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-02-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     corp.com/allowed-registries: img.corp.com/*  # per-namespace registry pattern; presumably read by the policy under test (policy file not shown here)
6 |   name: imageregistries-ns01
7 |
--------------------------------------------------------------------------------
/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-02-apply-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     corp.com/allowed-registries: docker.io/*  # NOTE(review): read as a glob this covers every repository on docker.io, far wider than ns01's img.corp.com/*
6 |   name: imageregistries-ns02
7 |
--------------------------------------------------------------------------------
/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-02-apply-3.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 |   registries: corp.img.io/*  # NOTE(review): host is corp.img.io, while the ns01 annotation says img.corp.com; confirm the difference is intended
4 | kind: ConfigMap
5 | metadata:
6 |   name: clusterregistries
7 |   namespace: imageregistries-ns01
8 |
--------------------------------------------------------------------------------
/other/advanced-restrict-image-registries/.chainsaw-test/chainsaw-step-02-apply-4.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 |   registries: ghcr.io/*
4 | kind: ConfigMap
5 | metadata:
6 |   name: clusterregistries  # same ConfigMap name as the one in imageregistries-ns01; which namespace the policy reads is not visible here
7 |   namespace: default
8 |
--------------------------------------------------------------------------------
/other/allowed-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: allowed-annotations
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: allowed-base-images
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/allowed-base-images/.chainsaw-test/chainsaw-step-02-apply-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: platform
5 |
--------------------------------------------------------------------------------
/other/allowed-base-images/.chainsaw-test/chainsaw-step-02-apply-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 |   allowedbaseimages: gcr.io/distroless/static:nonroot  # allow-list entry is a tag, not a digest; a tag can be re-pointed to different content
4 | kind: ConfigMap
5 | metadata:
6 |   name: baseimages
7 |   namespace: platform
8 |
--------------------------------------------------------------------------------
/other/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: allowed-image-repos
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 | -------------------------------------------------------------------------------- /other/allowed-image-repos/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: allowed-image-repos-ns -------------------------------------------------------------------------------- /other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: pod02 5 | spec: 6 | containers: 7 | - image: ghcr.io/kyverno/test-busybox:1.35 8 | name: busybox 9 | -------------------------------------------------------------------------------- /other/allowed-label-changes/.chainsaw-test/chainsaw-step-02-apply-3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | labels: 5 | foo: bar 6 | name: pod03 7 | spec: 8 | containers: 9 | - image: ghcr.io/kyverno/test-busybox:1.35 10 | name: busybox 11 | -------------------------------------------------------------------------------- /other/allowed-label-changes/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: allowed-label-changes 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/allowed-pod-priorities/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: allowed-podpriorities 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | 
-------------------------------------------------------------------------------- /other/allowed-pod-priorities/.chainsaw-test/cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | pod-priority-ns: "[\"high\",\"medium\",\"low\"]" 4 | no-priority-ns: foo 5 | kind: ConfigMap 6 | metadata: 7 | name: allowed-pod-priorities 8 | namespace: default -------------------------------------------------------------------------------- /other/allowed-pod-priorities/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: pod-priority-ns 5 | --- 6 | apiVersion: v1 7 | kind: Namespace 8 | metadata: 9 | name: no-priority-ns -------------------------------------------------------------------------------- /other/allowed-pod-priorities/.chainsaw-test/priorityClass.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: scheduling.k8s.io/v1 2 | kind: PriorityClass 3 | metadata: 4 | name: high-priority 5 | value: 1000000 6 | globalDefault: false 7 | description: "This priority class should be used for XYZ service pods only." 
--------------------------------------------------------------------------------
/other/always-pull-images/.chainsaw-test/patched-pod01.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: pod01
5 | spec:
6 |   containers:
7 |   - image: ghcr.io/kyverno/test-busybox:1.35
8 |     name: busybox
9 |     imagePullPolicy: Always  # expected state after mutation (file name: patched-*); with Always the kubelet checks the registry on every container start rather than trusting a node-cached image
--------------------------------------------------------------------------------
/other/always-pull-images/.chainsaw-test/patched-pod02.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: pod02
5 | spec:
6 |   containers:
7 |   - image: ghcr.io/kyverno/test-busybox:1.35
8 |     name: busybox
9 |     imagePullPolicy: Always  # same expectation as patched-pod01.yaml, for pod02
--------------------------------------------------------------------------------
/other/always-pull-images/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # partial object: only the policy name and its Ready condition are listed
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: always-pull-images
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/always-pull-images/.kyverno-test/patchedResource1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod-1
5 |   labels:
6 |     foo: bar
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx:latest  # `latest` is a mutable tag and the name carries no registry host; acceptable in a CLI fixture, not a pattern for real workloads
11 |     imagePullPolicy: Always
--------------------------------------------------------------------------------
/other/always-pull-images/.kyverno-test/patchedResource2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: myapp-pod-2
5 |   labels:
6 |     foo: bar
7 | spec:
8 |   containers:
9 |   - name: ""  # NOTE(review): empty container name, and no imagePullPolicy below, unlike patchedResource1.yaml
10 |     image: nginx:latest  # NOTE(review): presumably a case the rule leaves unmutated; confirm against kyverno-test.yaml (not shown here)
11 |
--------------------------------------------------------------------------------
/other/annotate-base-images/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: annotate-base-images
--------------------------------------------------------------------------------
/other/annotate-base-images/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: annotate-base-images
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
--------------------------------------------------------------------------------
/other/apply-pss-restricted-profile/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: apply-pss-restricted-profile
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/audit-event-on-delete/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: delete-event-ns
--------------------------------------------------------------------------------
/other/audit-event-on-delete/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: audit-event-on-delete
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/audit-event-on-delete/.chainsaw-test/secret.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | data:
3 |   key: bGFiZWw=  # base64 of the literal string "label"; Secret `data` is encoded, not encrypted
4 | kind: Secret
5 | metadata:
6 |   namespace: delete-event-ns
7 |   name: secret-tbd
--------------------------------------------------------------------------------
/other/audit-event-on-exec/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: exec-event-ns
--------------------------------------------------------------------------------
/other/audit-event-on-exec/.chainsaw-test/pod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: execevent-pod
5 |   namespace: exec-event-ns
6 | spec:
7 |   containers:
8 |   - image: busybox:1.35  # NOTE(review): no registry host, so the runtime's default registry is used (typically Docker Hub); the block-cluster-admin-from-ns pods below pull ghcr.io/kyverno/test-busybox:1.35
9 |     name: busybox
10 |     command: ["sleep","3600"]  # keeps the container running for an hour
--------------------------------------------------------------------------------
/other/audit-event-on-exec/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1  # partial object: only the policy name and its Ready condition are listed
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: audit-event-on-exec
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/block-cluster-admin-from-ns/.chainsaw-test/bad-cm-update.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 |   name: goodcm01  # same object as good-cm.yaml; only data.foo differs, so the "bad" case is the update itself
5 |   namespace: testnamespace
6 | data:
7 |   foo: foo
--------------------------------------------------------------------------------
/other/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: badpod01
5 |   namespace: testnamespace
6 | spec:
7 |   containers:
8 |   - name: busybox
9 |     image: ghcr.io/kyverno/test-busybox:1.35
--------------------------------------------------------------------------------
/other/block-cluster-admin-from-ns/.chainsaw-test/good-cm.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 |   name: goodcm01
5 |   namespace: testnamespace
6 | data:
7 |   foo: bar
--------------------------------------------------------------------------------
/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: goodpod02  # NOTE(review): differs from bad-pod.yaml only by name; presumably submitted under a different identity (see chainsaw-test.yaml, not shown here)
5 |   namespace: testnamespace
6 | spec:
7 |   containers:
8 |   - name: busybox
9 |     image: ghcr.io/kyverno/test-busybox:1.35
--------------------------------------------------------------------------------
/other/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: goodpod01  # no metadata.namespace here, unlike bad-pod.yaml, which targets testnamespace
5 | spec:
6 |   containers:
7 |   - name: busybox
8 |     image: ghcr.io/kyverno/test-busybox:1.35
--------------------------------------------------------------------------------
/other/block-cluster-admin-from-ns/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: testnamespace
--------------------------------------------------------------------------------
/other/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: block-cluster-admin-from-ns
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
--------------------------------------------------------------------------------
/other/block-ephemeral-containers/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   name: block-ephemeral-ns
--------------------------------------------------------------------------------
/other/block-images-with-volumes/.kyverno-test/bad.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: image-vol
5 | spec:
6 |   containers:
7 |   - name: image-vol
8 |     image: clover/volume:passbolt
--------------------------------------------------------------------------------
/other/block-images-with-volumes/.kyverno-test/good.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: busybox
5 | spec:
6 |   containers:
7 |   - name: busybox
8 |     image: busybox:1.28
--------------------------------------------------------------------------------
/other/block-images-with-volumes/.kyverno-test/values.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: cli.kyverno.io/v1alpha1
2 | kind: Values
3 | policies:
4 | - name: block-images-with-volumes
5 |   rules:
6 |   - name: block-images-with-vols
7 |     values:
8 |       imageData.configData.config.Volumes: "1"  # test-supplied value for the variable this rule reads; the rule itself is not shown here
9 |
--------------------------------------------------------------------------------
/other/block-large-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: kyverno.io/v1
2 | kind: ClusterPolicy
3 | metadata:
4 |   name: block-large-images
5 | status:
6 |   conditions:
7 |   - reason: Succeeded
8 |     status: "True"
9 |     type: Ready
10 |
11 |
-------------------------------------------------------------------------------- /other/block-large-images/.kyverno-test/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: large-image 5 | spec: 6 | containers: 7 | - name: large-image 8 | image: nvidia/cuda:12.2.0-devel-ubi8 -------------------------------------------------------------------------------- /other/block-large-images/.kyverno-test/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: small-image 5 | spec: 6 | containers: 7 | - name: small-image 8 | image: busybox:1.28 -------------------------------------------------------------------------------- /other/block-large-images/.kyverno-test/values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cli.kyverno.io/v1alpha1 2 | kind: Values 3 | policies: 4 | - name: block-large-images 5 | rules: 6 | - name: block-over-twogi 7 | values: 8 | imageSize: 3Gi 9 | -------------------------------------------------------------------------------- /other/block-pod-exec-by-namespace-label/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: deny-exec-by-namespace-label 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/block-pod-exec-by-namespace/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: block-pod-exec-ns 5 | --- 6 | apiVersion: v1 7 | kind: Namespace 8 | metadata: 9 | name: pci 
-------------------------------------------------------------------------------- /other/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: deny-exec-by-namespace-name 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/block-pod-exec-by-pod-and-container/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: bpe-podcontainer-ns 5 | -------------------------------------------------------------------------------- /other/block-pod-exec-by-pod-label/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: bpe-podlabel-ns -------------------------------------------------------------------------------- /other/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: deny-exec-by-pod-label 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/block-pod-exec-by-pod-name/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: bpe-podname-ns 5 | -------------------------------------------------------------------------------- /other/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: deny-exec-by-pod-name 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/block-stale-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: block-stale-images 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/block-stale-images/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: block-staleimg-ns -------------------------------------------------------------------------------- /other/block-stale-images/.kyverno-test/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: redis 5 | spec: 6 | containers: 7 | - name: redis 8 | image: docker.io/redis:6.0.0-buster 9 | 10 | -------------------------------------------------------------------------------- /other/block-stale-images/.kyverno-test/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: redis 5 | spec: 6 | containers: 7 | - name: redis 8 | image: docker.io/redis:latest 9 | 10 | -------------------------------------------------------------------------------- /other/block-stale-images/.kyverno-test/values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cli.kyverno.io/v1alpha1 2 | kind: Values 3 
| policies: 4 | - name: block-stale-images 5 | rules: 6 | - name: block-stale-images 7 | values: 8 | imageData.configData.created: "2020-05-01T03:15:12-07:00" 9 | -------------------------------------------------------------------------------- /other/block-updates-deletes/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: block-updates-deletes-ns -------------------------------------------------------------------------------- /other/block-updates-deletes/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: block-updates-deletes 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/check-env-vars/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: check-env-vars 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: check-hpa-exists 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/check-nvidia-gpu/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | 
kind: ClusterPolicy 3 | metadata: 4 | name: check-nvidia-gpus 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/check-nvidia-gpu/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: nvidia-gpu-ns -------------------------------------------------------------------------------- /other/check-nvidia-gpu/.kyverno-test/good02.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: goodpod02 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: busybox:1.28 9 | command: ["sleep","9999"] -------------------------------------------------------------------------------- /other/check-nvidia-gpu/.kyverno-test/good03.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: goodpod03 5 | spec: 6 | containers: 7 | - name: gpu-example-nolimits 8 | image: nvidia/cuda:12.2.0-devel-ubi8 9 | command: ["nvidia-smi"] -------------------------------------------------------------------------------- /other/check-serviceaccount-secrets/.chainsaw-test/bad-svc-account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: bad-svc-account-02 5 | namespace: default 6 | secrets: 7 | - name: example-automated-thing-token-zyxwv -------------------------------------------------------------------------------- /other/check-serviceaccount-secrets/.chainsaw-test/good-svc-account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: good-svc-account 5 | namespace: default 6 | 
-------------------------------------------------------------------------------- /other/check-serviceaccount/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: check-sa 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/check-serviceaccount/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: check-sa-ns 5 | -------------------------------------------------------------------------------- /other/check-serviceaccount/.chainsaw-test/chainsaw-step-02-apply-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: restricted 5 | namespace: check-sa-ns 6 | -------------------------------------------------------------------------------- /other/check-serviceaccount/.chainsaw-test/chainsaw-step-02-apply-3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: safe 5 | namespace: check-sa-ns 6 | -------------------------------------------------------------------------------- /other/check-serviceaccount/.chainsaw-test/chainsaw-step-02-apply-4.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | annotations: 5 | kubernetes.io/service-account.name: safe 6 | name: safe-secret 7 | namespace: check-sa-ns 8 | type: kubernetes.io/service-account-token 9 | -------------------------------------------------------------------------------- 
/other/check-serviceaccount/.chainsaw-test/foo-sa.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: restricted 5 | namespace: foo 6 | --- 7 | apiVersion: v1 8 | kind: ServiceAccount 9 | metadata: 10 | name: safe 11 | namespace: foo -------------------------------------------------------------------------------- /other/check-subjectaccessreview/.chainsaw-test/cm-one.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | foo: bar 4 | kind: ConfigMap 5 | metadata: 6 | name: cm01 7 | namespace: subreview-ns -------------------------------------------------------------------------------- /other/check-subjectaccessreview/.chainsaw-test/cm-two.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | foo: bar 4 | kind: ConfigMap 5 | metadata: 6 | name: cm02 7 | namespace: subreview-ns -------------------------------------------------------------------------------- /other/check-subjectaccessreview/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: subreview-ns -------------------------------------------------------------------------------- /other/check-vpa-configuration/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: check-vpa-configuration 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/concatenate-configmaps/.chainsaw-test/cm-patched.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | 
data: 3 | keytwo: foo plus bar 4 | kind: ConfigMap 5 | metadata: 6 | name: cmtwo 7 | namespace: bar -------------------------------------------------------------------------------- /other/concatenate-configmaps/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: foo 5 | --- 6 | apiVersion: v1 7 | kind: Namespace 8 | metadata: 9 | name: bar -------------------------------------------------------------------------------- /other/concatenate-configmaps/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: concatenate-configmaps 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/copy-namespace-labels/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: within-ns 5 | labels: 6 | owner: "any-corp" 7 | env: dev 8 | -------------------------------------------------------------------------------- /other/copy-namespace-labels/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: copy-namespace-labels 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/create-default-pdb/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: default-pdb-ns 
--------------------------------------------------------------------------------
/other/create-default-pdb/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Chainsaw assertion document: matches a ClusterPolicy named create-default-pdb
# whose status carries a Ready condition with status "True" and reason Succeeded.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: create-default-pdb
status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready

--------------------------------------------------------------------------------
/other/create-pod-antiaffinity/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness assertion for the policy under test. Note that the policy name
# asserted here (insert-pod-antiaffinity) differs from the directory name
# (create-pod-antiaffinity); the assertion matches on metadata.name only.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: insert-pod-antiaffinity
status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready

--------------------------------------------------------------------------------
/other/deny-secret-service-account-token-type/.chainsaw-test/bad-secret.yaml:
--------------------------------------------------------------------------------
# Negative fixture (per the file name): a Secret of type
# kubernetes.io/service-account-token annotated for ServiceAccount build-robot.
# Kubernetes populates a Secret of this type with a non-expiring token for the
# named ServiceAccount, so whoever can read the Secret holds that identity.
# NOTE(review): presumably the policy in this directory must reject this object;
# the chainsaw test that applies it is not shown here - confirm.
# No namespace is set, so the object lands in whatever namespace the test uses.
apiVersion: v1
kind: Secret
metadata:
  name: bad-secret
  annotations:
    kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
--------------------------------------------------------------------------------
/other/deny-secret-service-account-token-type/.chainsaw-test/good-secret.yaml:
--------------------------------------------------------------------------------
# Positive fixture (per the file name): same kind, but type
# kubernetes.io/basic-auth, so it is not a ServiceAccount token Secret.
# The username/password below look like placeholder test values. stringData is
# a write-only convenience field: the API server stores the values base64-encoded
# under data, which is encoding, not encryption (encryption at rest is a separate
# cluster setting).
apiVersion: v1
kind: Secret
metadata:
  name: good-secret
type: kubernetes.io/basic-auth
stringData:
  username: admin
  password: t0p-Secret
--------------------------------------------------------------------------------
/other/disable-automountserviceaccounttoken/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
# Namespace that the ServiceAccount fixtures of this test directory reference.
apiVersion: v1
kind: Namespace
metadata:
  name: disable-satokenmount-ns
--------------------------------------------------------------------------------
/other/disable-automountserviceaccounttoken/.chainsaw-test/sa-not-patched.yaml:
--------------------------------------------------------------------------------
# Describes ServiceAccount foo-sa WITH automountServiceAccountToken: false.
# NOTE(review): given the file name, this is presumably used in a negative
# (error) assertion, i.e. the test expects foo-sa NOT to look like this because
# only the "default" ServiceAccount is mutated - confirm in chainsaw-test.yaml.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
  name: foo-sa
  namespace: disable-satokenmount-ns
--------------------------------------------------------------------------------
/other/disable-automountserviceaccounttoken/.chainsaw-test/sa-patched.yaml:
--------------------------------------------------------------------------------
# Expected state of the namespace's "default" ServiceAccount.
# automountServiceAccountToken: false on a ServiceAccount means pods using it
# get no API token volume mounted unless the pod spec explicitly opts back in,
# which removes an ambient credential from workloads that never call the API.
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
  name: default
  namespace: disable-satokenmount-ns
--------------------------------------------------------------------------------
/other/disable-automountserviceaccounttoken/.chainsaw-test/sa.yaml:
--------------------------------------------------------------------------------
# Input fixture: a non-default ServiceAccount created without the
# automountServiceAccountToken field (so the Kubernetes default applies).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: foo-sa
  namespace: disable-satokenmount-ns
--------------------------------------------------------------------------------
/other/disable-automountserviceaccounttoken/.kyverno-test/patchedResource.yaml:
--------------------------------------------------------------------------------
# Kyverno CLI fixture: the "default" ServiceAccount with the field set to false.
# NOTE(review): presumably the expected mutation output for the "default" entry
# in resource.yaml - the kyverno-test.yaml that links the two is not shown.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
automountServiceAccountToken: false
--------------------------------------------------------------------------------
/other/disable-automountserviceaccounttoken/.kyverno-test/resource.yaml:
--------------------------------------------------------------------------------
# Kyverno CLI inputs: two ServiceAccounts, neither setting
# automountServiceAccountToken. Only "default" has a patchedResource counterpart
# in this directory; demo-sa has none.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-sa
--------------------------------------------------------------------------------
/other/disable-service-discovery/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Chainsaw assertion document: matches a ClusterPolicy named
# disable-service-discovery with a Ready condition of status "True".
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disable-service-discovery
status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready

--------------------------------------------------------------------------------
/other/disallow-all-secrets/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
# Readiness assertion. The policy name asserted (no-secrets) differs from the
# directory name (disallow-all-secrets); the match is on metadata.name only.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: no-secrets
status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready


--------------------------------------------------------------------------------
/other/disallow-localhost-services/.chainsaw-test/svc-bad.yaml:
--------------------------------------------------------------------------------
# Negative fixture (per the file name): an ExternalName Service whose target is
# "localhost". An ExternalName Service is answered with a DNS CNAME to
# externalName, so any client or proxy that forwards to badsvc01 is directed at
# its own loopback interface rather than at a backend workload. That can expose
# listeners bound to loopback on the forwarding component.
# NOTE(review): presumably the policy in this directory must reject this object
# - the policy and test definition are not shown here.
apiVersion: v1
kind: Service
metadata:
  name: badsvc01
spec:
  type: ExternalName
  externalName: localhost
--------------------------------------------------------------------------------
/other/dns-policy-and-dns-config/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
# Namespace fixture for the dns-policy-and-dns-config test.
apiVersion: v1
kind: Namespace
metadata:
  name: dns-polconfig-ns
--------------------------------------------------------------------------------
/other/dns-policy-and-dns-config/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
# Readiness assertion. The policy name asserted (change-dns-config-policy)
# differs from the directory name (dns-policy-and-dns-config).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: change-dns-config-policy
status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready

--------------------------------------------------------------------------------
/other/dns-policy-and-dns-config/.kyverno-test/resource.yaml:
--------------------------------------------------------------------------------
# Kyverno CLI input for the dns-policy-and-dns-config test: a Pod that sets
# dnsPolicy: ClusterFirst and carries the label foo=bar.
# The image reference is a floating tag with no registry host, so it is not
# pinned to specific content. NOTE(review): files under .kyverno-test are
# presumably evaluated offline by the CLI and never pulled - confirm.
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    foo: bar
spec:
  containers:
  - name: nginx
    image: nginx:latest
  dnsPolicy: ClusterFirst
--------------------------------------------------------------------------------
/other/enforce-pod-duration/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
# Readiness assertion. The policy name asserted (pod-lifetime) differs from the
# directory name (enforce-pod-duration).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pod-lifetime
status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready


--------------------------------------------------------------------------------
/other/enforce-resources-as-ratio/.kyverno-test/values.yaml:
--------------------------------------------------------------------------------
# Kyverno CLI Values document: when policy enforce-resources-as-ratio is
# evaluated against the resource named goodpod, the variable request.operation
# is supplied as UPDATE (offline evaluation has no admission request to read it
# from).
apiVersion: cli.kyverno.io/v1alpha1
kind: Values
policies:
- name: enforce-resources-as-ratio
  resources:
  - name: goodpod
    values:
      request.operation: UPDATE

--------------------------------------------------------------------------------
/other/ensure-probes-different/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
# Readiness assertion. The policy name asserted (validate-probes) differs from
# the directory name (ensure-probes-different).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-probes
status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready


--------------------------------------------------------------------------------
/other/ensure-probes-different/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
# Namespace fixture for the ensure-probes-different test.
apiVersion: v1
kind: Namespace
metadata:
  name: ensure-probes-different-ns
--------------------------------------------------------------------------------
/other/ensure-production-matches-staging/.chainsaw-test/ns.yaml:
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: production 5 | --- 6 | apiVersion: v1 7 | kind: Namespace 8 | metadata: 9 | name: staging -------------------------------------------------------------------------------- /other/ensure-readonly-hostpath/.kyverno-test/values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cli.kyverno.io/v1alpha1 2 | kind: Values 3 | policies: 4 | - name: ensure-readonly-hostpath 5 | resources: 6 | - name: good-pod-01 7 | values: 8 | request.operation: UPDATE 9 | -------------------------------------------------------------------------------- /other/exclude-namespaces-dynamically/.chainsaw-test/cm.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | exclude: "[\"exclude-ns\", \"not-exclude-ns\"]" 4 | kind: ConfigMap 5 | metadata: 6 | name: namespace-filters 7 | namespace: default -------------------------------------------------------------------------------- /other/exclude-namespaces-dynamically/.chainsaw-test/cmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: namespace-filters 5 | namespace: default 6 | data: 7 | exclude: "[\"default\", \"test\"]" 8 | -------------------------------------------------------------------------------- /other/exclude-namespaces-dynamically/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: exclude-ns 5 | --- 6 | apiVersion: v1 7 | kind: Namespace 8 | metadata: 9 | name: not-exclude-ns -------------------------------------------------------------------------------- /other/forbid-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: forbid-cpu-limits 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/generate-networkpolicy-existing/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: foo -------------------------------------------------------------------------------- /other/generate-networkpolicy-existing/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: generate-networkpolicy-existing 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/get-debug-information/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: abc -------------------------------------------------------------------------------- /other/get-debug-information/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: get-debug-data-policy 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | 
metadata: 4 | name: imagepullpolicy-always 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/ingress-host-match-tls/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: ingress-host-match-tls 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/inject-env-var-from-image-label/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: inject-env-var-from-image-label -------------------------------------------------------------------------------- /other/inject-env-var-from-image-label/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: inject-env-var-from-image-label 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/inject-sidecar-deployment/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: inject-sidecar 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/inspect-csr/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: 
ClusterPolicy 3 | metadata: 4 | name: inspect-csr 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/kubernetes-version-check/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: kubversion-ns 5 | -------------------------------------------------------------------------------- /other/kubernetes-version-check/.chainsaw-test/chainsaw-step-02-apply-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | key: bGFiZWw= 4 | kind: Secret 5 | metadata: 6 | name: kversion-secret 7 | namespace: kubversion-ns 8 | -------------------------------------------------------------------------------- /other/kubernetes-version-check/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: kubernetes-version-check 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/label-existing-namespaces/.chainsaw-test/patched-ns01.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | mykey: myvalue 6 | name: label-namespace01 -------------------------------------------------------------------------------- /other/label-existing-namespaces/.chainsaw-test/patched-ns02.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | mykey: myvalue 6 | name: label-namespace02 
-------------------------------------------------------------------------------- /other/label-existing-namespaces/.chainsaw-test/patched-ns03.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | foo: bar 6 | mykey: myvalue 7 | name: label-namespace03 -------------------------------------------------------------------------------- /other/label-existing-namespaces/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: label-existing-namespaces 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/label-nodes-cri/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: label-nodes-cri 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/limit-configmap-for-sa/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: limit-configmap-for-sa 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/limit-configmap-for-sa/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: another-namespace 5 | 
-------------------------------------------------------------------------------- /other/limit-configmap-for-sa/.chainsaw-test/chainsaw-step-02-apply-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: limit-cm-sa-namespace 5 | -------------------------------------------------------------------------------- /other/limit-configmap-for-sa/.chainsaw-test/chainsaw-step-02-apply-3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: another-developer 5 | namespace: another-namespace 6 | -------------------------------------------------------------------------------- /other/limit-hostpath-type-pv/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: limit-hostpath-type-pv 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/limit-hostpath-vols/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: limit-hostpath-vols 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/limit-hostpath-vols/.kyverno-test/values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cli.kyverno.io/v1alpha1 2 | kind: Values 3 | policies: 4 | - name: limit-hostpath-vols 5 | resources: 6 | - name: bad-pods-all 7 | values: 8 | request.operation: UPDATE 9 | 
-------------------------------------------------------------------------------- /other/metadata-match-regex/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: metadata-match-regex 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/mitigate-log4shell/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: log4shell-mitigation 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/mutate-large-termination-gps/.chainsaw-test/pod-not-patched01.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: pod02 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: ghcr.io/kyverno/test-busybox:1.35 9 | terminationGracePeriodSeconds: 50 -------------------------------------------------------------------------------- /other/mutate-large-termination-gps/.chainsaw-test/pod-not-patched02.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: pod03 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: ghcr.io/kyverno/test-busybox:1.35 9 | terminationGracePeriodSeconds: 50 -------------------------------------------------------------------------------- /other/mutate-large-termination-gps/.chainsaw-test/pod-patched01.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: pod01 5 | 
spec: 6 | containers: 7 | - name: busybox 8 | image: ghcr.io/kyverno/test-busybox:1.35 9 | terminationGracePeriodSeconds: 50 -------------------------------------------------------------------------------- /other/mutate-large-termination-gps/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: mutate-termination-grace-period-seconds 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/mutate-large-termination-gps/.kyverno-test/patchedResource1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: demo-pod01 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: busybox:1.28 9 | terminationGracePeriodSeconds: 50 -------------------------------------------------------------------------------- /other/mutate-large-termination-gps/.kyverno-test/patchedResource2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: demo-pod02 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: busybox:1.28 -------------------------------------------------------------------------------- /other/mutate-pod-binding/.chainsaw-test/chainsaw-step-02-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Node 3 | metadata: 4 | labels: 5 | foo: bar 6 | -------------------------------------------------------------------------------- /other/mutate-pod-binding/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: mutate-pod-binding 5 | status: 6 | 
conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/namespace-inventory-check/.chainsaw-test/chainsaw-step-01-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: inventory-check-ns01 5 | -------------------------------------------------------------------------------- /other/namespace-inventory-check/.chainsaw-test/chainsaw-step-01-apply-3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: inventory-check-ns02 5 | -------------------------------------------------------------------------------- /other/namespace-inventory-check/.chainsaw-test/chainsaw-step-01-apply-5.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: inventory-check-ns03 5 | -------------------------------------------------------------------------------- /other/namespace-inventory-check/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: namespace-inventory-check 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/only-trustworthy-registries-set-root/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: trust-registry-ns -------------------------------------------------------------------------------- /other/only-trustworthy-registries-set-root/.kyverno-test/bad.yaml: 
--------------------------------------------------------------------------------
# Negative fixture (bad.yaml of only-trustworthy-registries-set-root).
# Despite the Pod name, the manifest sets no securityContext at all: the
# effective user is whatever the image defaults to. The image reference has no
# registry host, so it resolves through the runtime's default registry.
# NOTE(review): presumably the policy only permits a root-capable container
# when the image comes from an allow-listed registry - the policy file is not
# shown here, confirm.
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-root-user
spec:
  containers:
  - name: busybox
    image: busybox:1.28
--------------------------------------------------------------------------------
/other/only-trustworthy-registries-set-root/.kyverno-test/good.yaml:
--------------------------------------------------------------------------------
# Positive fixture: same shape as the bad Pod (no securityContext), but the
# image names an explicit registry host (ghcr.io). The tag is floating
# (latest), so the registry check exercised here is about origin, not about
# pinning to specific content.
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-trusted-registry
spec:
  containers:
  - name: kyverno
    image: ghcr.io/kyverno/kyverno:latest
--------------------------------------------------------------------------------
/other/pdb-maxunavailable-with-deployments/.chainsaw-test/bad-pdb.yaml:
--------------------------------------------------------------------------------
# PodDisruptionBudget selecting app=busybox with maxUnavailable: 0, which
# forbids every voluntary eviction of matching pods (for example during a node
# drain).
# The spec is identical to good-pdb.yaml apart from the name, so the expected
# pass/fail outcome cannot come from the PDB alone.
# NOTE(review): presumably it depends on which Deployments exist when each is
# applied - confirm in chainsaw-test.yaml.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: bad-pdb01
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      app: busybox

--------------------------------------------------------------------------------
/other/pdb-maxunavailable-with-deployments/.chainsaw-test/good-pdb.yaml:
--------------------------------------------------------------------------------
# Same spec as bad-pdb.yaml (maxUnavailable: 0, selector app=busybox); only the
# name differs. See the note on bad-pdb.yaml about where the expected outcome
# must come from.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: good-pdb01
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      app: busybox

--------------------------------------------------------------------------------
/other/pdb-maxunavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml:
--------------------------------------------------------------------------------
# Chainsaw assertion document: matches a ClusterPolicy named pdb-maxunavailable
# with a Ready condition of status "True" and reason Succeeded.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pdb-maxunavailable
status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready


--------------------------------------------------------------------------------
/other/pdb-maxunavailable/.chainsaw-test/pdb-bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: policy/v1 2 | kind: PodDisruptionBudget 3 | metadata: 4 | name: badpdb01 5 | spec: 6 | maxUnavailable: 0 -------------------------------------------------------------------------------- /other/pdb-minavailable/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: pdb-minavailable-check 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/policy-for-exceptions/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: policy-for-exceptions 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/policy-for-exceptions/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: policy-exceptions-ns -------------------------------------------------------------------------------- /other/prepend-image-registry/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: prepend-registry 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/prevent-bare-pods/.chainsaw-test/chainsaw-step-01-assert-1.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: prevent-bare-pods 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/prevent-bare-pods/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: prevent-naked-pods-ns -------------------------------------------------------------------------------- /other/prevent-bare-pods/.chainsaw-test/pod-bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: badpod01 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: ghcr.io/kyverno/test-busybox:1.35 -------------------------------------------------------------------------------- /other/prevent-cr8escape/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: prevent-cr8escape 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: prevent-duplicate-hpa 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/prevent-duplicate-vpa/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | 
apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: prevent-duplicate-vpa 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/protect-node-taints/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: protect-node-taints 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/record-creation-details/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: record-create-ns -------------------------------------------------------------------------------- /other/record-creation-details/.chainsaw-test/pod-patch02.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | annotations: 5 | kyverno.io/created-by: "" 6 | name: pod01 7 | spec: 8 | containers: 9 | - name: busybox 10 | image: ghcr.io/kyverno/test-busybox:1.35 -------------------------------------------------------------------------------- /other/record-creation-details/.chainsaw-test/pod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: pod01 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: ghcr.io/kyverno/test-busybox:1.35 -------------------------------------------------------------------------------- /other/record-creation-details/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: 
record-creation-details 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/refresh-env-var-in-pod/.chainsaw-test/chainsaw-step-04-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | foo: YmFy 4 | kind: Secret 5 | metadata: 6 | name: env-secret 7 | namespace: refresh-env-var-ns 8 | labels: 9 | kyverno.io/watch: "true" 10 | -------------------------------------------------------------------------------- /other/refresh-env-var-in-pod/.chainsaw-test/chainsaw-step-04-apply-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | foo: YmFy 4 | kind: Secret 5 | metadata: 6 | name: not-env-secret 7 | namespace: refresh-env-var-ns 8 | -------------------------------------------------------------------------------- /other/refresh-env-var-in-pod/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: refresh-env-var-ns -------------------------------------------------------------------------------- /other/refresh-env-var-in-pod/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: refresh-env-var-in-pods 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-step-03-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | foo: bar 4 | kind: ConfigMap 5 | metadata: 6 | name: refresh-cm 7 | namespace: refresh-vols-ns 8 | 
-------------------------------------------------------------------------------- /other/refresh-volumes-in-pods/.chainsaw-test/chainsaw-step-03-apply-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | foo: bar 4 | kind: ConfigMap 5 | metadata: 6 | name: not-refresh-cm 7 | namespace: refresh-vols-ns 8 | -------------------------------------------------------------------------------- /other/refresh-volumes-in-pods/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: refresh-vols-ns -------------------------------------------------------------------------------- /other/refresh-volumes-in-pods/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: refresh-volumes-in-pods 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/remove-hostpath-volumes/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: remove-hostpathvols-ns -------------------------------------------------------------------------------- /other/remove-hostpath-volumes/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: remove-hostpath-volumes 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/remove-serviceaccount-token/.chainsaw-test/ns.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: remove-satoken-ns -------------------------------------------------------------------------------- /other/remove-serviceaccount-token/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: remove-serviceaccount-token 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/replace-image-registry-with-harbor/.kyverno-test/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | Temporarily disabling this test until we can find a way to provide per-container context variables in a Values file. -------------------------------------------------------------------------------- /other/replace-image-registry/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: replace-registry-ns -------------------------------------------------------------------------------- /other/replace-image-registry/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: replace-image-registry 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/replace-image-registry/.kyverno-test/patchedResource1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: myapp-pod1 5 | namespace: default 6 | spec: 7 | 
containers: 8 | - image: myregistry.corp.com/nginx:latest 9 | name: docker-with-registry -------------------------------------------------------------------------------- /other/replace-ingress-hosts/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: replace-ingress-hosts -------------------------------------------------------------------------------- /other/replace-ingress-hosts/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v2beta1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: replace-ingress-hosts 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/require-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-annotations 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/require-annotations/.chainsaw-test/pod-good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | annotations: 5 | corp.org/department: "foo" 6 | name: goodpod01 7 | spec: 8 | containers: 9 | - name: busybox 10 | image: ghcr.io/kyverno/test-busybox:1.35 -------------------------------------------------------------------------------- /other/require-base-image/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-base-image 5 | 
status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/require-base-image/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: require-base-image-ns -------------------------------------------------------------------------------- /other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-cpu-limits 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/require-emptydir-requests-limits/.kyverno-test/values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cli.kyverno.io/v1alpha1 2 | kind: Values 3 | policies: 4 | - name: require-emptydir-requests-and-limits 5 | resources: 6 | - name: bad-pod 7 | values: 8 | request.operation: UPDATE 9 | -------------------------------------------------------------------------------- /other/require-image-checksum/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-image-checksum 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/require-image-source/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | 
name: require-image-source 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/require-image-source/.kyverno-test/bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: badpod01 5 | spec: 6 | containers: 7 | - name: test 8 | image: busybox:1.28 -------------------------------------------------------------------------------- /other/require-image-source/.kyverno-test/good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: goodpod01 5 | spec: 6 | containers: 7 | - name: test 8 | image: ghcr.io/kyverno/kyverno-annotations-example:latest -------------------------------------------------------------------------------- /other/require-ingress-https/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-ingress-https 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/require-netpol/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-network-policy 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/require-netpol/.kyverno-test/values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cli.kyverno.io/v1alpha1 2 | kind: Values 3 | 
policies: 4 | - name: require-network-policy 5 | rules: 6 | - name: require-network-policy 7 | values: 8 | policies_count: "0" 9 | -------------------------------------------------------------------------------- /other/require-pdb/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-pdb 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/require-pdb/.kyverno-test/values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cli.kyverno.io/v1alpha1 2 | kind: Values 3 | policies: 4 | - name: require-pdb 5 | rules: 6 | - name: require-pdb 7 | values: 8 | pdb_count: "1" 9 | -------------------------------------------------------------------------------- /other/require-pod-priorityclassname/.chainsaw-test/pc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: scheduling.k8s.io/v1 2 | kind: PriorityClass 3 | metadata: 4 | name: high 5 | value: 1234 6 | globalDefault: false 7 | description: "This priority class should be used for XYZ service pods only." 
-------------------------------------------------------------------------------- /other/require-pod-priorityclassname/.chainsaw-test/pod-good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: goodpod01 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: ghcr.io/kyverno/test-busybox:1.35 9 | priorityClassName: high -------------------------------------------------------------------------------- /other/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-pod-priorityclassname 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/require-qos-burstable/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-qos-burstable 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/require-reasonable-pdbs/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-reasonable-pdbs 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/require-reasonable-pdbs/.kyverno-test/values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cli.kyverno.io/v1alpha1 2 | kind: Values 3 | policies: 4 | 
- name: require-pdb 5 | rules: 6 | - name: require-pdb 7 | values: 8 | pdb_count: "1" 9 | -------------------------------------------------------------------------------- /other/require-storageclass/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: require-storageclass 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/resolve-image-to-digest/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: resolve-image-to-digest 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/resolve-image-to-digest/.kyverno-test/patchedResource.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: busybox 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47 -------------------------------------------------------------------------------- /other/resolve-image-to-digest/.kyverno-test/pod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: busybox 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: busybox:1.28 -------------------------------------------------------------------------------- /other/restart-deployment-on-secret-change/.chainsaw-test/chainsaw-step-03-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | 
data: 3 | foo: Zm9v 4 | kind: Secret 5 | metadata: 6 | name: mysecret 7 | namespace: default 8 | -------------------------------------------------------------------------------- /other/restart-deployment-on-secret-change/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: restart-deployment-on-secret-change 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/restart-deployment-on-secret-change/.chainsaw-test/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: mysecret 5 | namespace: default 6 | data: 7 | foo: YmFy -------------------------------------------------------------------------------- /other/restrict-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: restrict-annotations 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/restrict-deprecated-registry/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: dep-registry-ns -------------------------------------------------------------------------------- /other/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: restrict-deprecated-registry 5 | status: 6 | conditions: 7 | - 
reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/restrict-ingress-host/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: unique-ingress-host 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/restrict-jobs/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: restrict-jobs 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/restrict-loadbalancer/.chainsaw-test/svc-bad.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: badsvc01 5 | spec: 6 | selector: 7 | app: nginx 8 | ports: 9 | - port: 80 10 | targetPort: 80 11 | type: LoadBalancer -------------------------------------------------------------------------------- /other/restrict-loadbalancer/.chainsaw-test/svc-good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: goodsvc01 5 | spec: 6 | selector: 7 | app: nginx 8 | ports: 9 | - port: 80 10 | targetPort: 80 11 | nodePort: 30007 12 | type: NodePort -------------------------------------------------------------------------------- /other/restrict-node-label-changes/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | 
metadata: 4 | name: protect-node-label-foo 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: restrict-node-label-creation 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /other/restrict-node-selection/.chainsaw-test/pod-good.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: goodpod01 5 | spec: 6 | containers: 7 | - name: busybox 8 | image: ghcr.io/kyverno/test-busybox:1.35 -------------------------------------------------------------------------------- /other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: restrict-sa-ns 5 | -------------------------------------------------------------------------------- /other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: serviceaccount01 5 | namespace: restrict-sa-ns 6 | -------------------------------------------------------------------------------- /other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/chainsaw-step-02-apply-3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: 
serviceaccount02 5 | namespace: restrict-sa-ns 6 | -------------------------------------------------------------------------------- /other/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/deploy-good-update.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | labels: 5 | app: busybox 6 | name: deployment01 7 | spec: 8 | template: 9 | spec: 10 | restartPolicy: Always -------------------------------------------------------------------------------- /other/restrict-pod-count-per-node/.kyverno-test/resource.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | labels: 5 | app: myapp 6 | name: myapp-pod 7 | spec: 8 | containers: 9 | - image: nginx 10 | name: myapp-pod 11 | 12 | -------------------------------------------------------------------------------- /other/restrict-pod-count-per-node/.kyverno-test/values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cli.kyverno.io/v1alpha1 2 | kind: Values 3 | policies: 4 | - name: restrict-pod-count 5 | rules: 6 | - name: restrict-pod-count 7 | values: 8 | podcounts: "40" 9 | -------------------------------------------------------------------------------- /other/scale-deployment-zero/.chainsaw-test/deploy01-patched.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | labels: 5 | app: busybox 6 | annotations: 7 | sre.corp.org/troubleshooting-needed: "true" 8 | name: deployment01 9 | spec: 10 | replicas: 0 -------------------------------------------------------------------------------- /other/scale-deployment-zero/.chainsaw-test/deploy03-patched.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 
4 | labels: 5 | app: busybox 6 | annotations: 7 | sre.corp.org/troubleshooting-needed: "true" 8 | name: deployment03 9 | spec: 10 | replicas: 0 -------------------------------------------------------------------------------- /other/scale-deployment-zero/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: scale-deployment-zero 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: spread-pods 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/sync-secrets/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | foo: YmFy 4 | kind: Secret 5 | metadata: 6 | name: regcred 7 | namespace: default 8 | -------------------------------------------------------------------------------- /other/sync-secrets/.chainsaw-test/chainsaw-step-04-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | bar: Zm9v 4 | kind: Secret 5 | metadata: 6 | name: regcred 7 | namespace: default 8 | -------------------------------------------------------------------------------- /other/sync-secrets/.chainsaw-test/chainsaw-step-04-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | bar: Zm9v 4 | kind: Secret 5 | metadata: 6 | name: regcred 7 | 
namespace: sync-secrets-ns01 8 | -------------------------------------------------------------------------------- /other/sync-secrets/.chainsaw-test/cloneSourceResource.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: regcred 5 | namespace: default 6 | type: Opaque 7 | data: 8 | password: MWYyZDFlMmU2N2Rm -------------------------------------------------------------------------------- /other/sync-secrets/.chainsaw-test/generatedResource.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: regcred 5 | namespace: hello-world-namespace 6 | type: Opaque 7 | data: 8 | password: MWYyZDFlMmU2N2Rm -------------------------------------------------------------------------------- /other/sync-secrets/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: sync-secrets-ns01 -------------------------------------------------------------------------------- /other/sync-secrets/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: sync-secrets 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/sync-secrets/.chainsaw-test/resource.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: hello-world-namespace 5 | -------------------------------------------------------------------------------- /other/sync-secrets/.chainsaw-test/secret-generated.yaml: -------------------------------------------------------------------------------- 1 | 
apiVersion: v1 2 | data: 3 | foo: YmFy 4 | kind: Secret 5 | metadata: 6 | name: regcred 7 | namespace: sync-secrets-ns01 -------------------------------------------------------------------------------- /other/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: unique-ingress-path 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /other/update-image-tag/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: update-image-tag-ns -------------------------------------------------------------------------------- /other/update-image-tag/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: update-image-tag 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /other/verify-vpa-target/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: verify-vpa-target 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | -------------------------------------------------------------------------------- /pod-security-cel/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: disallow-selinux 5
| status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /pod-security-cel/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: restrict-seccomp 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /pod-security-cel/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: restrict-sysctls 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /pod-security/enforce/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - ../restricted 3 | # NOTE(review): the patch below targets every ClusterPolicy pulled in from ../restricted and uses JSON-patch "replace", which only succeeds where /spec/validationFailureAction already exists; a policy that sets its failure action per rule would presumably not be switched to Enforce by this patch - confirm against the restricted policies. 4 | patches: 5 | - patch: |- 6 | - op: replace 7 | path: /spec/validationFailureAction 8 | value: Enforce 9 | target: 10 | kind: ClusterPolicy 11 | -------------------------------------------------------------------------------- /pod-security/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - restricted 3 | -------------------------------------------------------------------------------- /psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test 5 | labels: 6 | pod-security.kubernetes.io/enforce: "privileged"
--------------------------------------------------------------------------------
/psa-cel/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # fixture: a Namespace with no pod-security.kubernetes.io/* label at all
2 | kind: Namespace
3 | metadata:
4 |   name: test-fail  # presumably the case the reporting policy is expected to flag, going by the name — confirm in chainsaw-test.yaml
--------------------------------------------------------------------------------
/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # same labelled Namespace, here as input for the Kyverno CLI test directory
2 | kind: Namespace
3 | metadata:
4 |   name: test
5 |   labels:
6 |     pod-security.kubernetes.io/enforce: "privileged"  # "privileged" is the unrestricted Pod Security Standards level
--------------------------------------------------------------------------------
/psa-cel/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # unlabelled counterpart of the fixture above
2 | kind: Namespace
3 | metadata:
4 |   name: test-fail
--------------------------------------------------------------------------------
/psa-cel/deny-privileged-profile/.chainsaw-test/cr.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rbac.authorization.k8s.io/v1  # cluster-scoped role used by the deny-privileged-profile test
 2 | kind: ClusterRole
 3 | metadata:
 4 |   name: ns-deleter  # NOTE(review): the name says "deleter", but the only verb granted below is "create" — confirm which is intended
 5 | rules:
 6 | - apiGroups:
 7 |   - ""  # the empty string is the core API group
 8 |   resources:
 9 |   - namespaces
10 |   verbs:
11 |   - create  # no get/list/update/patch/delete; the binding that grants this role is not in this file
12 |
--------------------------------------------------------------------------------
/psa-cel/deny-privileged-profile/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: kyverno.io/v1  # partial ClusterPolicy: only the name and the expected status are given
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: deny-privileged-profile
 5 | status:  # presumably matched by a Chainsaw assert step — confirm in chainsaw-test.yaml
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 |
11 |
--------------------------------------------------------------------------------
/psa/add-privileged-existing-namespaces/.chainsaw-test/chainsaw-step-01-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: add-privileged-existing-ns01 5 | -------------------------------------------------------------------------------- /psa/add-privileged-existing-namespaces/.chainsaw-test/not-patched-ns03.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | pod-security.kubernetes.io/enforce: privileged 6 | name: kube-system -------------------------------------------------------------------------------- /psa/add-privileged-existing-namespaces/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: add-privileged-existing-ns02 -------------------------------------------------------------------------------- /psa/add-privileged-existing-namespaces/.chainsaw-test/patched-again-ns01.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | pod-security.kubernetes.io/enforce: baseline 6 | name: add-privileged-existing-ns01 -------------------------------------------------------------------------------- /psa/add-privileged-existing-namespaces/.chainsaw-test/patched-again-ns02.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | pod-security.kubernetes.io/enforce: baseline 6 | name: add-privileged-existing-ns02 -------------------------------------------------------------------------------- /psa/add-privileged-existing-namespaces/.chainsaw-test/patched-ns01.yaml: -------------------------------------------------------------------------------- 1 | 
apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | pod-security.kubernetes.io/enforce: privileged 6 | name: add-privileged-existing-ns01 -------------------------------------------------------------------------------- /psa/add-privileged-existing-namespaces/.chainsaw-test/patched-ns02.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | pod-security.kubernetes.io/enforce: privileged 6 | name: add-privileged-existing-ns02 -------------------------------------------------------------------------------- /psa/add-psa-labels/.chainsaw-test/patched-ns01.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | pod-security.kubernetes.io/enforce: baseline 6 | pod-security.kubernetes.io/warn: restricted 7 | foo: bar 8 | name: add-psa-labels-ns01 9 | -------------------------------------------------------------------------------- /psa/add-psa-labels/.chainsaw-test/patched-ns02.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | pod-security.kubernetes.io/enforce: privileged 6 | pod-security.kubernetes.io/warn: restricted 7 | name: add-psa-labels-ns02 8 | -------------------------------------------------------------------------------- /psa/add-psa-labels/.chainsaw-test/patched-ns03.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | pod-security.kubernetes.io/enforce: baseline 6 | pod-security.kubernetes.io/warn: baseline 7 | name: add-psa-labels-ns03 8 | -------------------------------------------------------------------------------- /psa/add-psa-labels/.chainsaw-test/policy-ready.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: add-psa-labels 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /psa/add-psa-labels/.kyverno-test/patchedResource.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test 5 | labels: 6 | pod-security.kubernetes.io/enforce: baseline 7 | pod-security.kubernetes.io/warn: restricted -------------------------------------------------------------------------------- /psa/add-psa-labels/.kyverno-test/patchedResourcefail.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test 5 | labels: 6 | pod-security.kubernetes.io/fail: baseline-fail 7 | -------------------------------------------------------------------------------- /psa/add-psa-labels/.kyverno-test/resource.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test 5 | -------------------------------------------------------------------------------- /psa/add-psa-labels/.kyverno-test/resourcefail.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test-fail 5 | -------------------------------------------------------------------------------- /psa/add-psa-namespace-reporting/.chainsaw-test/namespace-with-psa-labels.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test 5 | labels: 6 | pod-security.kubernetes.io/enforce: "privileged" 
-------------------------------------------------------------------------------- /psa/add-psa-namespace-reporting/.chainsaw-test/namespace-without-psa-labels.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test-fail -------------------------------------------------------------------------------- /psa/add-psa-namespace-reporting/.kyverno-test/namespace-with-psa-labels.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test 5 | labels: 6 | pod-security.kubernetes.io/enforce: "privileged" -------------------------------------------------------------------------------- /psa/add-psa-namespace-reporting/.kyverno-test/namespace-without-psa-labels.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: test-fail -------------------------------------------------------------------------------- /psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: restrict-runtimeclassname 5 | -------------------------------------------------------------------------------- /psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: restrict-runtimeclass 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-exp.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: node.k8s.io/v1 2 | handler: expconfig 3 | kind: RuntimeClass 4 | metadata: 5 | name: expclass 6 | -------------------------------------------------------------------------------- /psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-foo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: node.k8s.io/v1 2 | handler: fooconfig 3 | kind: RuntimeClass 4 | metadata: 5 | name: fooclass 6 | -------------------------------------------------------------------------------- /psp-migration-cel/restrict-runtimeClassName/.chainsaw-test/runtimeclass-prod.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: node.k8s.io/v1 2 | handler: prodconfig 3 | kind: RuntimeClass 4 | metadata: 5 | name: prodclass 6 | -------------------------------------------------------------------------------- /psp-migration/add-apparmor/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: foo 5 | -------------------------------------------------------------------------------- /psp-migration/add-apparmor/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: add-apparmor-annotations 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /psp-migration/add-capabilities/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: add-capabilities 5 | 
-------------------------------------------------------------------------------- /psp-migration/add-capabilities/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: add-capabilities 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: add-runtimeclassname 5 | -------------------------------------------------------------------------------- /psp-migration/add-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: node.k8s.io/v1 2 | handler: prodconfig 3 | kind: RuntimeClass 4 | metadata: 5 | name: prodclass 6 | -------------------------------------------------------------------------------- /psp-migration/add-runtimeClassName/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: add-runtimeclassname 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: restrict-runtimeclassname 5 | -------------------------------------------------------------------------------- 
/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: node.k8s.io/v1 2 | handler: prodconfig 3 | kind: RuntimeClass 4 | metadata: 5 | name: prodclass 6 | -------------------------------------------------------------------------------- /psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: node.k8s.io/v1 2 | handler: expconfig 3 | kind: RuntimeClass 4 | metadata: 5 | name: expclass 6 | -------------------------------------------------------------------------------- /psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-step-02-apply-4.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: node.k8s.io/v1 2 | handler: fooconfig 3 | kind: RuntimeClass 4 | metadata: 5 | name: fooclass 6 | -------------------------------------------------------------------------------- /psp-migration/restrict-runtimeClassName/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: restrict-runtimeclass 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready -------------------------------------------------------------------------------- /tekton-cel/block-tekton-task-runs/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: block-tekton-task-runs 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- 
/tekton-cel/block-tekton-task-runs/.chainsaw-test/taskrun.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: tekton.dev/v1  # fixture: a bare TaskRun for the block-tekton-task-runs test
2 | kind: TaskRun
3 | metadata:
4 |   name: taskrun01
5 | spec:
6 |   taskRef:
7 |     name: read-task
--------------------------------------------------------------------------------
/tekton-cel/require-tekton-bundle/.chainsaw-test/bad-taskrun.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: tekton.dev/v1  # "bad" case, going by the file name
2 | kind: TaskRun
3 | metadata:
4 |   name: badtaskrun01
5 | spec:
6 |   taskRef:  # no "bundle" key, unlike the good-* fixtures
7 |     name: read-task
--------------------------------------------------------------------------------
/tekton-cel/require-tekton-bundle/.chainsaw-test/good-pipelinerun.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: tekton.dev/v1  # "good" case: the pipeline reference names a bundle
2 | kind: PipelineRun
3 | metadata:
4 |   name: goodpipelinerun01
5 | spec:
6 |   pipelineRef:
7 |     name: mypipeline
8 |     bundle: docker.io/foo/bar  # placeholder with no tag or digest; outside test fixtures, pin bundle references by digest
--------------------------------------------------------------------------------
/tekton-cel/require-tekton-bundle/.chainsaw-test/good-taskrun.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: tekton.dev/v1  # "good" case: the task reference names a bundle
2 | kind: TaskRun
3 | metadata:
4 |   name: goodtaskrun01
5 | spec:
6 |   taskRef:
7 |     name: echo-task
8 |     bundle: docker.io/foo/bar  # NOTE(review): "bundle" under taskRef is the older Tekton bundle syntax — confirm the test CRD accepts it for tekton.dev/v1
--------------------------------------------------------------------------------
/tekton-cel/require-tekton-bundle/.chainsaw-test/policy-ready.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: kyverno.io/v1  # partial ClusterPolicy: only the name and the expected status are given
 2 | kind: ClusterPolicy
 3 | metadata:
 4 |   name: require-tekton-bundle
 5 | status:  # presumably matched by a Chainsaw assert step — confirm in chainsaw-test.yaml
 6 |   conditions:
 7 |   - reason: Succeeded
 8 |     status: "True"
 9 |     type: Ready
10 |
11 |
--------------------------------------------------------------------------------
/tekton/block-tekton-task-runs/.chainsaw-test/not-taskrun.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # fixture: a resource that is not a TaskRun (a plain Namespace)
2 | kind: Namespace
3 | metadata:
4 |   name: not-taskrun-ns
--------------------------------------------------------------------------------
/tekton/block-tekton-task-runs/.chainsaw-test/taskrun.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: tekton.dev/v1  # fixture: a bare TaskRun for the block-tekton-task-runs test
2 | kind: TaskRun
3 | metadata:
4 |   name: taskrun01
5 | spec:
6 |   taskRef:
7 |     name: read-task
--------------------------------------------------------------------------------
/tekton/require-tekton-bundle/.chainsaw-test/bad-taskrun.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: tekton.dev/v1  # "bad" case, going by the file name
2 | kind: TaskRun
3 | metadata:
4 |   name: badtaskrun01
5 | spec:
6 |   taskRef:  # no "bundle" key, unlike the good-* fixtures
7 |     name: read-task
--------------------------------------------------------------------------------
/tekton/require-tekton-bundle/.chainsaw-test/good-pipelinerun.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: tekton.dev/v1  # "good" case: the pipeline reference names a bundle
2 | kind: PipelineRun
3 | metadata:
4 |   name: goodpipelinerun01
5 | spec:
6 |   pipelineRef:
7 |     name: mypipeline
8 |     bundle: docker.io/foo/bar  # placeholder with no tag or digest; outside test fixtures, pin bundle references by digest
--------------------------------------------------------------------------------
/tekton/require-tekton-bundle/.chainsaw-test/good-taskrun.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: tekton.dev/v1  # "good" case: the task reference names a bundle
2 | kind: TaskRun
3 | metadata:
4 |   name: goodtaskrun01
5 | spec:
6 |   taskRef:
7 |     name: echo-task
8 |     bundle: docker.io/foo/bar  # NOTE(review): "bundle" under taskRef is the older Tekton bundle syntax — confirm the test CRD accepts it for tekton.dev/v1
--------------------------------------------------------------------------------
/tekton/require-tekton-namespace-pipelinerun/.chainsaw-test/ns.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1  # fixture: the Namespace the require-tekton-namespace-pipelinerun test works in
2 | kind: Namespace
3 | metadata:
4 |   name: req-tekton-ns
5 | spec: {}
6 |
-------------------------------------------------------------------------------- /velero-cel/block-velero-restore/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: block-velero-restore 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /velero-cel/validate-cron-schedule/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: validate-cron-schedule 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /velero/backup-all-volumes/.chainsaw-test/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: backup-velero-yes 5 | labels: 6 | velero-backup-pvc: "true" 7 | --- 8 | apiVersion: v1 9 | kind: Namespace 10 | metadata: 11 | name: backup-velero-no -------------------------------------------------------------------------------- /velero/backup-all-volumes/.chainsaw-test/policy-ready.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kyverno.io/v1 2 | kind: ClusterPolicy 3 | metadata: 4 | name: backup-all-volumes 5 | status: 6 | conditions: 7 | - reason: Succeeded 8 | status: "True" 9 | type: Ready 10 | 11 | -------------------------------------------------------------------------------- /velero/backup-all-volumes/.kyverno-test/values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cli.kyverno.io/v1alpha1 2 | kind: Values 3 | namespaceSelector: 4 | - 
labels: 5 | velero-backup-pvc: "true" 6 | name: foo 7 | - labels: 8 | env: production 9 | name: bar 10 | --------------------------------------------------------------------------------