Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add docs about assertion trees in cli
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
1 parent fc45f14, commit c8b6c83
Showing 3 changed files with 86 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
--- | ||
title: Working with Assertion Trees | ||
description: Advanced testing with the Kyverno CLI | ||
weight: 20 | ||
--- | ||
|
||
Kyverno 1.12 introduced assertion trees support in the `test` command. | ||
|
||
The purpose of assertion trees is to offer more flexibility than the traditional syntax in `results`. | ||
|
||
Assertion trees reside under the `checks` stanza as shown in the example below: | ||
|
||
```yaml | ||
checks: | ||
- match: | ||
resource: | ||
kind: Namespace | ||
metadata: | ||
name: hello-world-namespace | ||
policy: | ||
kind: ClusterPolicy | ||
metadata: | ||
name: sync-secret | ||
rule: | ||
name: sync-my-secret | ||
assert: | ||
status: pass | ||
error: | ||
(status != 'pass'): true | ||
``` | ||
|
||
## Composition of a check item | ||
|
||
A check is made of the following parts: | ||
|
||
- A `match` statement to select the elements considered by a check. This match can act on the resource, the policy and/or the rule. It is not limited to matching by kind or name but can match on anything in the payload (labels, annotations, etc...). | ||
- An `assert` statement defining the conditions to verify on the matched elements. | ||
- An `error` statement (the opposite of an `assert`) defining the conditions that must NOT evaluate to `true` on the matched elements. | ||
|
||
In the example above the `check` is matching Namespace elements named `hello-world-namespace` for the cluster policy named `sync-secret` and rule named `sync-my-secret`. For those elements the status is expected to be equal to `pass` and the expression `(status != 'pass')` is NOT expected to be true. | ||
|
||
## Examples | ||
|
||
Implementation is based on [Kyverno JSON - assertion trees](https://kyverno.github.io/kyverno-json/latest/policies/policies/). Please refer to the documentation for more details on the syntax. | ||
|
||
### Select all results | ||
|
||
To select all results, all you need to do is to provide an empty match statement: | ||
|
||
```yaml | ||
|
||
- match: {} # this will match everything | ||
assert: | ||
# ... | ||
error: | ||
# ... | ||
``` | ||
|
||
### Select based on labels | ||
|
||
To select results based on labels, specify those labels in the stanza where they apply: | ||
|
||
```yaml | ||
- match: | ||
resource: | ||
metadata: | ||
labels: | ||
foo: bar | ||
policy: | ||
metadata: | ||
labels: | ||
bar: baz | ||
assert: | ||
# ... | ||
error: | ||
# ... | ||
``` |
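
Review bot: In the first example and in "Composition of a check item", `assert` (`status: pass`) and `error` (`(status != 'pass'): true`) state the same condition, so a reader cannot tell when `error` is needed in addition to `assert`; an example where the two carry different conditions, plus a sentence on whether either stanza may be omitted, would make the distinction clear. The page also never says which file the `checks` stanza goes in or whether it can be used alongside `results`, which the intro mentions only as "the traditional syntax". Minor points: the prose writes `check` in code formatting while the key shown is `checks`; the "Select all results" snippet opens with an empty line inside the fence and drops the `checks:` parent that the first example shows; and the sentence pointing to Kyverno JSON is background on the syntax, so it would read better in the introduction than as the first line under "Examples".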