MCPcopy
hub / github.com/open-policy-agent/gatekeeper / TestExcludedNamespaces

Function TestExcludedNamespaces

pkg/webhook/policy_test.go:422–522  ·  view source on GitHub ↗
(t *testing.T)

Source from the content-addressed store, hash-verified

420}
421
422func TestExcludedNamespaces(t *testing.T) {
423 cfg := &v1alpha1.Config{
424 Spec: v1alpha1.ConfigSpec{
425 Match: []v1alpha1.MatchEntry{
426 {
427 ExcludedNamespaces: []wildcard.Wildcard{"kube-*"},
428 Processes: []string{"*"},
429 },
430 },
431 Validation: v1alpha1.Validation{
432 Traces: []v1alpha1.Trace{},
433 },
434 },
435 }
436 ctx := context.Background()
437 opa, err := makeOpaClient()
438 if err != nil {
439 t.Fatalf("Could not initialize OPA: %s", err)
440 }
441 if _, err := opa.AddTemplate(ctx, validRegoTemplate()); err != nil {
442 t.Fatalf("could not add template: %s", err)
443 }
444 if _, err := opa.AddConstraint(ctx, validRegoTemplateConstraint()); err != nil {
445 t.Fatalf("could not add constraint: %s", err)
446 }
447 pe := process.New()
448 pe.Add(cfg.Spec.Match)
449 expSystem := expansion.NewSystem(mutation.NewSystem(mutation.SystemOpts{}))
450 handler := validationHandler{
451 opa: opa,
452 expansionSystem: expSystem,
453 webhookHandler: webhookHandler{
454 injectedConfig: cfg,
455 client: &nsGetter{},
456 reader: &nsGetter{},
457 processExcluder: pe,
458 },
459 log: log,
460 }
461 tc := []struct {
462 Name string
463 Namespace string
464 Operation admissionv1.Operation
465 Raw []byte
466 OldRaw []byte
467 AllowedExpected bool
468 }{
469 {
470 Name: "ExcludedNamespace invalid create",
471 Namespace: "notkube-test",
472 Operation: admissionv1.Create,
473 Raw: []byte(`{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "acbd","namespace": ""}}`),
474 AllowedExpected: false,
475 },
476 {
477 Name: "ExcludedNamespace valid create",
478 Namespace: "kube-test",
479 Operation: admissionv1.Create,

Callers

nothing calls this directly

Calls 11

HandleMethod · 0.95
NewFunction · 0.92
NewSystemFunction · 0.92
NewSystemFunction · 0.92
makeOpaClientFunction · 0.85
validRegoTemplateFunction · 0.85
AddTemplateMethod · 0.65
AddConstraintMethod · 0.65
AddMethod · 0.65
RunMethod · 0.45

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…