kyverno · eddycharly · Jan 6, 2025 · Jan 6, 2025
@@ -0,0 +1,41 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: policy-ordering
+spec:
+  namespace: app
+  steps: 
+  - try:
+    - create:
+        file: ./istio-policy.yaml
+    - create:
+        file: ./policy-b.yaml
+    - create:
+        file: ./shell.yaml
+    - wait:
+        apiVersion: v1
+        kind: Pod
+        timeout: 1m
+        for:
+          condition:
+            name: Ready
+            value: 'true'
+    - script:
+        content: >
+          kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true"
+        check:
+          ($stdout): |-
+            Unauthorized Request from Policy B
+            http_code=403
+    - create:
+        file: ./policy-a.yaml
+    - script:
+        content: >
+          kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true"
+        check:
+          ($stdout): |-
+            Unauthorized Request from Policy A
+            http_code=403
+    finally:
+    - sleep:
+        duration: 10s
@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      ext-authz: enabled
+  action: CUSTOM
+  provider:
+    name: kyverno-authz-server
+  rules:
+  - {}
@@ -0,0 +1,13 @@
+# yaml-language-server: $schema=../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy-a
+spec:
+  deny:
+  - response: >
+      envoy
+        .Denied(403)
+        .WithBody("Unauthorized Request from Policy A")
+        .Response()
+
@@ -0,0 +1,13 @@
+# yaml-language-server: $schema=../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy-b
+spec:
+  deny:
+  - response: >
+      envoy
+        .Denied(403)
+        .WithBody("Unauthorized Request from Policy B")
+        .Response()
+
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: curl
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: curl
+  labels:
+    app: curl
+    service: curl
+spec:
+  ports:
+  - port: 80
+    name: http
+  selector:
+    app: curl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: curl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: curl
+  template:
+    metadata:
+      labels:
+        app: curl
+    spec:
+      terminationGracePeriodSeconds: 0
+      serviceAccountName: curl
+      containers:
+      - name: curl
+        image: curlimages/curl
+        command: ["/bin/sleep", "infinity"]
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - mountPath: /etc/curl/tls
+          name: secret-volume
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: curl-secret
+          optional: true