1..8
ok 1 gatekeeper-controller-manager is running
ok 2 gatekeeper-audit is running
ok 3 namespace label webhook is serving
ok 4 constrainttemplates crd is established
ok 5 waiting for validating webhook
ok 6 applying sync config
ok 7 waiting for namespaces to be synced using metrics endpoint
not ok 8 testing constraint templates
# (from function `constraint_enforced' in file test/bats/helpers.bash, line 102,
# from function `wait_for_process' in file test/bats/helpers.bash, line 58,
# in test file test/bats/test.bats, line 80)
# `wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced $kind $name"' failed
# Context "kind-kind" modified.
# running integration test against policy group: general, constraint template: allowedrepos
# constrainttemplate.templates.gatekeeper.sh/k8sallowedrepos created
# testing sample constraint: repo-must-be-openpolicyagent
# k8sallowedrepos.constraints.gatekeeper.sh/repo-is-openpolicyagent created
# checking constraint {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "kind": "K8sAllowedRepos",
# "metadata": {
# "annotations": {
# "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"constraints.gatekeeper.sh/v1beta1\",\"kind\":\"K8sAllowedRepos\",\"metadata\":{\"annotations\":{},\"name\":\"repo-is-openpolicyagent\"},\"spec\":{\"match\":{\"kinds\":[{\"apiGroups\":[\"\"],\"kinds\":[\"Pod\"]}],\"namespaces\":[\"default\"]},\"parameters\":{\"repos\":[\"openpolicyagent/\"]}}}\n"
# },
# "creationTimestamp": "2021-06-02T08:27:35Z",
# "generation": 1,
# "managedFields": [
# {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "fieldsType": "FieldsV1",
# "fieldsV1": {
# "f:metadata": {
# "f:annotations": {
# ".": {},
# "f:kubectl.kubernetes.io/last-applied-configuration": {}
# }
# },
# "f:spec": {
# ".": {},
# "f:match": {
# ".": {},
# "f:kinds": {},
# "f:namespaces": {}
# },
# "f:parameters": {
# ".": {},
# "f:repos": {}
# }
# }
# },
# "manager": "kubectl-client-side-apply",
# "operation": "Update",
# "time": "2021-06-02T08:27:35Z"
# }
# ],
# "name": "repo-is-openpolicyagent",
# "resourceVersion": "8879",
# "uid": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e"
# },
# "spec": {
# "match": {
# "kinds": [
# {
# "apiGroups": [
# ""
# ],
# "kinds": [
# "Pod"
# ]
# }
# ],
# "namespaces": [
# "default"
# ]
# },
# "parameters": {
# "repos": [
# "openpolicyagent/"
# ]
# }
# }
# }
# jq: error (at <stdin>:65): Cannot iterate over null (null)
# ready: , expected: 3
# checking constraint {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "kind": "K8sAllowedRepos",
# "metadata": {
# "annotations": {
# "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"constraints.gatekeeper.sh/v1beta1\",\"kind\":\"K8sAllowedRepos\",\"metadata\":{\"annotations\":{},\"name\":\"repo-is-openpolicyagent\"},\"spec\":{\"match\":{\"kinds\":[{\"apiGroups\":[\"\"],\"kinds\":[\"Pod\"]}],\"namespaces\":[\"default\"]},\"parameters\":{\"repos\":[\"openpolicyagent/\"]}}}\n"
# },
# "creationTimestamp": "2021-06-02T08:27:35Z",
# "generation": 1,
# "managedFields": [
# {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "fieldsType": "FieldsV1",
# "fieldsV1": {
# "f:metadata": {
# "f:annotations": {
# ".": {},
# "f:kubectl.kubernetes.io/last-applied-configuration": {}
# }
# },
# "f:spec": {
# ".": {},
# "f:match": {
# ".": {},
# "f:kinds": {},
# "f:namespaces": {}
# },
# "f:parameters": {
# ".": {},
# "f:repos": {}
# }
# }
# },
# "manager": "kubectl-client-side-apply",
# "operation": "Update",
# "time": "2021-06-02T08:27:35Z"
# }
# ],
# "name": "repo-is-openpolicyagent",
# "resourceVersion": "8879",
# "uid": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e"
# },
# "spec": {
# "match": {
# "kinds": [
# {
# "apiGroups": [
# ""
# ],
# "kinds": [
# "Pod"
# ]
# }
# ],
# "namespaces": [
# "default"
# ]
# },
# "parameters": {
# "repos": [
# "openpolicyagent/"
# ]
# }
# }
# }
# jq: error (at <stdin>:65): Cannot iterate over null (null)
# ready: , expected: 3
# checking constraint {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "kind": "K8sAllowedRepos",
# "metadata": {
# "annotations": {
# "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"constraints.gatekeeper.sh/v1beta1\",\"kind\":\"K8sAllowedRepos\",\"metadata\":{\"annotations\":{},\"name\":\"repo-is-openpolicyagent\"},\"spec\":{\"match\":{\"kinds\":[{\"apiGroups\":[\"\"],\"kinds\":[\"Pod\"]}],\"namespaces\":[\"default\"]},\"parameters\":{\"repos\":[\"openpolicyagent/\"]}}}\n"
# },
# "creationTimestamp": "2021-06-02T08:27:35Z",
# "generation": 1,
# "managedFields": [
# {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "fieldsType": "FieldsV1",
# "fieldsV1": {
# "f:metadata": {
# "f:annotations": {
# ".": {},
# "f:kubectl.kubernetes.io/last-applied-configuration": {}
# }
# },
# "f:spec": {
# ".": {},
# "f:match": {
# ".": {},
# "f:kinds": {},
# "f:namespaces": {}
# },
# "f:parameters": {
# ".": {},
# "f:repos": {}
# }
# }
# },
# "manager": "kubectl-client-side-apply",
# "operation": "Update",
# "time": "2021-06-02T08:27:35Z"
# }
# ],
# "name": "repo-is-openpolicyagent",
# "resourceVersion": "8879",
# "uid": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e"
# },
# "spec": {
# "match": {
# "kinds": [
# {
# "apiGroups": [
# ""
# ],
# "kinds": [
# "Pod"
# ]
# }
# ],
# "namespaces": [
# "default"
# ]
# },
# "parameters": {
# "repos": [
# "openpolicyagent/"
# ]
# }
# }
# }
# jq: error (at <stdin>:65): Cannot iterate over null (null)
# ready: , expected: 3
# checking constraint {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "kind": "K8sAllowedRepos",
# "metadata": {
# "annotations": {
# "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"constraints.gatekeeper.sh/v1beta1\",\"kind\":\"K8sAllowedRepos\",\"metadata\":{\"annotations\":{},\"name\":\"repo-is-openpolicyagent\"},\"spec\":{\"match\":{\"kinds\":[{\"apiGroups\":[\"\"],\"kinds\":[\"Pod\"]}],\"namespaces\":[\"default\"]},\"parameters\":{\"repos\":[\"openpolicyagent/\"]}}}\n"
# },
# "creationTimestamp": "2021-06-02T08:27:35Z",
# "generation": 1,
# "managedFields": [
# {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "fieldsType": "FieldsV1",
# "fieldsV1": {
# "f:metadata": {
# "f:annotations": {
# ".": {},
# "f:kubectl.kubernetes.io/last-applied-configuration": {}
# }
# },
# "f:spec": {
# ".": {},
# "f:match": {
# ".": {},
# "f:kinds": {},
# "f:namespaces": {}
# },
# "f:parameters": {
# ".": {},
# "f:repos": {}
# }
# }
# },
# "manager": "kubectl-client-side-apply",
# "operation": "Update",
# "time": "2021-06-02T08:27:35Z"
# }
# ],
# "name": "repo-is-openpolicyagent",
# "resourceVersion": "8879",
# "uid": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e"
# },
# "spec": {
# "match": {
# "kinds": [
# {
# "apiGroups": [
# ""
# ],
# "kinds": [
# "Pod"
# ]
# }
# ],
# "namespaces": [
# "default"
# ]
# },
# "parameters": {
# "repos": [
# "openpolicyagent/"
# ]
# }
# }
# }
# jq: error (at <stdin>:65): Cannot iterate over null (null)
# ready: , expected: 3
# checking constraint {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "kind": "K8sAllowedRepos",
# "metadata": {
# "annotations": {
# "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"constraints.gatekeeper.sh/v1beta1\",\"kind\":\"K8sAllowedRepos\",\"metadata\":{\"annotations\":{},\"name\":\"repo-is-openpolicyagent\"},\"spec\":{\"match\":{\"kinds\":[{\"apiGroups\":[\"\"],\"kinds\":[\"Pod\"]}],\"namespaces\":[\"default\"]},\"parameters\":{\"repos\":[\"openpolicyagent/\"]}}}\n"
# },
# "creationTimestamp": "2021-06-02T08:27:35Z",
# "generation": 1,
# "managedFields": [
# {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "fieldsType": "FieldsV1",
# "fieldsV1": {
# "f:metadata": {
# "f:annotations": {
# ".": {},
# "f:kubectl.kubernetes.io/last-applied-configuration": {}
# }
# },
# "f:spec": {
# ".": {},
# "f:match": {
# ".": {},
# "f:kinds": {},
# "f:namespaces": {}
# },
# "f:parameters": {
# ".": {},
# "f:repos": {}
# }
# }
# },
# "manager": "kubectl-client-side-apply",
# "operation": "Update",
# "time": "2021-06-02T08:27:35Z"
# }
# ],
# "name": "repo-is-openpolicyagent",
# "resourceVersion": "8879",
# "uid": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e"
# },
# "spec": {
# "match": {
# "kinds": [
# {
# "apiGroups": [
# ""
# ],
# "kinds": [
# "Pod"
# ]
# }
# ],
# "namespaces": [
# "default"
# ]
# },
# "parameters": {
# "repos": [
# "openpolicyagent/"
# ]
# }
# }
# }
# jq: error (at <stdin>:65): Cannot iterate over null (null)
# ready: , expected: 3
# checking constraint {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "kind": "K8sAllowedRepos",
# "metadata": {
# "annotations": {
# "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"constraints.gatekeeper.sh/v1beta1\",\"kind\":\"K8sAllowedRepos\",\"metadata\":{\"annotations\":{},\"name\":\"repo-is-openpolicyagent\"},\"spec\":{\"match\":{\"kinds\":[{\"apiGroups\":[\"\"],\"kinds\":[\"Pod\"]}],\"namespaces\":[\"default\"]},\"parameters\":{\"repos\":[\"openpolicyagent/\"]}}}\n"
# },
# "creationTimestamp": "2021-06-02T08:27:35Z",
# "generation": 1,
# "managedFields": [
# {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "fieldsType": "FieldsV1",
# "fieldsV1": {
# "f:metadata": {
# "f:annotations": {
# ".": {},
# "f:kubectl.kubernetes.io/last-applied-configuration": {}
# }
# },
# "f:spec": {
# ".": {},
# "f:match": {
# ".": {},
# "f:kinds": {},
# "f:namespaces": {}
# },
# "f:parameters": {
# ".": {},
# "f:repos": {}
# }
# }
# },
# "manager": "kubectl-client-side-apply",
# "operation": "Update",
# "time": "2021-06-02T08:27:35Z"
# }
# ],
# "name": "repo-is-openpolicyagent",
# "resourceVersion": "8879",
# "uid": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e"
# },
# "spec": {
# "match": {
# "kinds": [
# {
# "apiGroups": [
# ""
# ],
# "kinds": [
# "Pod"
# ]
# }
# ],
# "namespaces": [
# "default"
# ]
# },
# "parameters": {
# "repos": [
# "openpolicyagent/"
# ]
# }
# }
# }
# jq: error (at <stdin>:65): Cannot iterate over null (null)
# ready: , expected: 3
# checking constraint {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "kind": "K8sAllowedRepos",
# "metadata": {
# "annotations": {
# "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"constraints.gatekeeper.sh/v1beta1\",\"kind\":\"K8sAllowedRepos\",\"metadata\":{\"annotations\":{},\"name\":\"repo-is-openpolicyagent\"},\"spec\":{\"match\":{\"kinds\":[{\"apiGroups\":[\"\"],\"kinds\":[\"Pod\"]}],\"namespaces\":[\"default\"]},\"parameters\":{\"repos\":[\"openpolicyagent/\"]}}}\n"
# },
# "creationTimestamp": "2021-06-02T08:27:35Z",
# "generation": 1,
# "managedFields": [
# {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "fieldsType": "FieldsV1",
# "fieldsV1": {
# "f:metadata": {
# "f:annotations": {
# ".": {},
# "f:kubectl.kubernetes.io/last-applied-configuration": {}
# }
# },
# "f:spec": {
# ".": {},
# "f:match": {
# ".": {},
# "f:kinds": {},
# "f:namespaces": {}
# },
# "f:parameters": {
# ".": {},
# "f:repos": {}
# }
# }
# },
# "manager": "kubectl-client-side-apply",
# "operation": "Update",
# "time": "2021-06-02T08:27:35Z"
# }
# ],
# "name": "repo-is-openpolicyagent",
# "resourceVersion": "8879",
# "uid": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e"
# },
# "spec": {
# "match": {
# "kinds": [
# {
# "apiGroups": [
# ""
# ],
# "kinds": [
# "Pod"
# ]
# }
# ],
# "namespaces": [
# "default"
# ]
# },
# "parameters": {
# "repos": [
# "openpolicyagent/"
# ]
# }
# }
# }
# jq: error (at <stdin>:65): Cannot iterate over null (null)
# ready: , expected: 3
# checking constraint {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "kind": "K8sAllowedRepos",
# "metadata": {
# "annotations": {
# "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"constraints.gatekeeper.sh/v1beta1\",\"kind\":\"K8sAllowedRepos\",\"metadata\":{\"annotations\":{},\"name\":\"repo-is-openpolicyagent\"},\"spec\":{\"match\":{\"kinds\":[{\"apiGroups\":[\"\"],\"kinds\":[\"Pod\"]}],\"namespaces\":[\"default\"]},\"parameters\":{\"repos\":[\"openpolicyagent/\"]}}}\n"
# },
# "creationTimestamp": "2021-06-02T08:27:35Z",
# "generation": 1,
# "managedFields": [
# {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "fieldsType": "FieldsV1",
# "fieldsV1": {
# "f:metadata": {
# "f:annotations": {
# ".": {},
# "f:kubectl.kubernetes.io/last-applied-configuration": {}
# }
# },
# "f:spec": {
# ".": {},
# "f:match": {
# ".": {},
# "f:kinds": {},
# "f:namespaces": {}
# },
# "f:parameters": {
# ".": {},
# "f:repos": {}
# }
# }
# },
# "manager": "kubectl-client-side-apply",
# "operation": "Update",
# "time": "2021-06-02T08:27:35Z"
# },
# {
# "apiVersion": "constraints.gatekeeper.sh/v1beta1",
# "fieldsType": "FieldsV1",
# "fieldsV1": {
# "f:status": {
# ".": {},
# "f:byPod": {}
# }
# },
# "manager": "gatekeeper",
# "operation": "Update",
# "time": "2021-06-02T08:28:12Z"
# }
# ],
# "name": "repo-is-openpolicyagent",
# "resourceVersion": "8950",
# "uid": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e"
# },
# "spec": {
# "match": {
# "kinds": [
# {
# "apiGroups": [
# ""
# ],
# "kinds": [
# "Pod"
# ]
# }
# ],
# "namespaces": [
# "default"
# ]
# },
# "parameters": {
# "repos": [
# "openpolicyagent/"
# ]
# }
# },
# "status": {
# "byPod": [
# {
# "constraintUID": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e",
# "enforced": true,
# "id": "gatekeeper-audit-5cc9fb45b9-5f9l7",
# "observedGeneration": 1,
# "operations": [
# "audit",
# "status"
# ]
# },
# {
# "constraintUID": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e",
# "enforced": true,
# "id": "gatekeeper-controller-manager-8d7b596c4-7gjxq",
# "observedGeneration": 1,
# "operations": [
# "webhook"
# ]
# },
# {
# "constraintUID": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e",
# "enforced": true,
# "id": "gatekeeper-controller-manager-8d7b596c4-f9jjz",
# "observedGeneration": 1,
# "operations": [
# "webhook"
# ]
# },
# {
# "constraintUID": "d628af69-41bd-4b6d-b3ff-0d1e6dcc422e",
# "enforced": true,
# "id": "gatekeeper-controller-manager-8d7b596c4-ksjfv",
# "observedGeneration": 1,
# "operations": [
# "webhook"
# ]
# }
# ]
# }
# }
# ready: 3, expected: 3
# pod "opa-allowed" deleted
# expected: denied the request
# actual: pod/nginx-disallowed unchanged
# cleaning...
# constrainttemplate.templates.gatekeeper.sh "k8sallowedrepos" deleted