kubernetes/staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/admission_test.go

var clusterScopedParamsGVK

var paramsGVK

var denyPolicy

var fakeParams

var denyBinding

var denyBindingWithNoParamRef

var denyBindingWithAudit

var denyBindingWithWarn

var denyBindingWithAll

func newParam(name, namespace string, labels map[string]string) *unstructured.Unstructured {}

func newClusterScopedParam(name string, labels map[string]string) *unstructured.Unstructured {}

var _

type validateFunc

type fakeCompiler

func (f *fakeCompiler) getNumCompiles(p *validating.Policy) int {}

func (f *fakeCompiler) RegisterDefinition(definition *validating.Policy, vf validateFunc) {}

func (f *fakeCompiler) CompilePolicy(policy *validating.Policy) validating.Validator {}

func (f validateFunc) Validate(
	ctx context.Context,
	matchResource schema.GroupVersionResource,
	versionedAttr *admission.VersionedAttributes,
	versionedParams runtime.Object,
	namespace *v1.Namespace,
	runtimeCELCostBudget int64,
	authz authorizer.Authorizer,
) validating.ValidateResult {}

var _

func (f *fakeMatcher) ValidateInitialization() error {}

func (f *fakeMatcher) GetNamespace(name string) (*v1.Namespace, error) {}

type fakeMatcher

func (f *fakeMatcher) RegisterDefinition(definition *admissionregistrationv1.ValidatingAdmissionPolicy, matchFunc func(generic.PolicyAccessor, admission.Attributes) bool) {}

func (f *fakeMatcher) RegisterBinding(binding *admissionregistrationv1.ValidatingAdmissionPolicyBinding, matchFunc func(generic.BindingAccessor, admission.Attributes) bool) {}

// Matches says whether this policy definition matches the provided admission
// resource request
func (f *fakeMatcher) DefinitionMatches(a admission.Attributes, o admission.ObjectInterfaces, definition generic.PolicyAccessor) (bool, schema.GroupVersionResource, schema.GroupVersionKind, error) {}

// Matches says whether this policy definition matches the provided admission
// resource request
func (f *fakeMatcher) BindingMatches(a admission.Attributes, o admission.ObjectInterfaces, binding generic.BindingAccessor) (bool, error) {}

func setupFakeTest(t *testing.T, comp *fakeCompiler, match *fakeMatcher) *generic.PolicyTestContext[*validating.Policy, *validating.PolicyBinding, validating.Validator] {}

// Starts CEL admission controller and sets up a plugin configured with it as well
// as object trackers for manipulating the objects available to the system
//
// ParamTracker only knows the gvk `paramGVK`. If in the future we need to
// support multiple types of params this function needs to be augmented
//
// PolicyTracker expects FakePolicyDefinition and FakePolicyBinding types
// !TODO: refactor this test/framework to remove startInformers argument and
// clean up the return args, and in general make it more accessible.
func setupTestCommon(
	t *testing.T,
	compiler *fakeCompiler,
	matcher generic.PolicyMatcher,
	shouldStartInformers bool,
) *generic.PolicyTestContext[*validating.Policy, *validating.PolicyBinding, validating.Validator] {}

func attributeRecord(
	old, new runtime.Object,
	operation admission.Operation,
) *FakeAttributes {}

func ptrTo[T any](obj T) *T {}

func TestPluginNotReady(t *testing.T) {}

func TestBasicPolicyDefinitionFailure(t *testing.T) {}

// Shows that if a definition does not match the input, it will not be used.
// But with a different input it will be used.
func TestDefinitionDoesntMatch(t *testing.T) {}

func TestReconfigureBinding(t *testing.T) {}

// Shows that a policy which is in effect will stop being in effect when removed
func TestRemoveDefinition(t *testing.T) {}

// Shows that a binding which is in effect will stop being in effect when removed
func TestRemoveBinding(t *testing.T) {}

// Shows that an error is surfaced if a paramSource specified in a binding does
// not actually exist
func TestInvalidParamSourceGVK(t *testing.T) {}

// Shows that an error is surfaced if a param specified in a binding does not
// actually exist
func TestInvalidParamSourceInstanceName(t *testing.T) {}

// Show that policy still gets evaluated with `nil` param if paramRef & namespaceParamRef
// are both unset
func TestEmptyParamRef(t *testing.T) {}

// Shows that a definition with no param source works just fine, and has
// nil params passed to its evaluator.
//
// Also shows that if binding has specified params in this instance then they
// are silently ignored.
func TestEmptyParamSource(t *testing.T) {}

// Shows what happens when multiple policies share one param type, then
// one policy stops using the param. The expectation is the second policy
// keeps behaving normally
func TestMultiplePoliciesSharedParamType(t *testing.T) {}

// Shows that we can refer to native-typed params just fine
// (as opposed to CRD params)
func TestNativeTypeParam(t *testing.T) {}

func TestAuditValidationAction(t *testing.T) {}

func TestWarnValidationAction(t *testing.T) {}

func TestAllValidationActions(t *testing.T) {}

func TestNamespaceParamRefName(t *testing.T) {}

func TestParamRef(t *testing.T) {}

// testParamRefCase constructs a ParamRef and policy with appropriate ParamKind
// for the given parameters, then constructs a scenario with several matching/non-matching params
// of varying names, namespaces, labels.
//
// Test then selects subset of params that should match provided configuration
// and ensuers those params are the only ones used.
//
// Also ensures NotFound action is enforced correctly by deleting all found
// params and ensuring the Action is used.
//
// This test is not meant to test every possible scenario of matching/not matching:
// only that each ParamRef CAN be evaluated correctly for both cluster scoped
// and namespace-scoped request kinds, and that the failure action is correctly
// applied.
func testParamRefCase(t *testing.T, paramIsClusterScoped, nameIsSet, namespaceIsSet, selectorIsSet, denyNotFound bool) {}

// If the ParamKind is ClusterScoped, and namespace param is used.
// This is a Configuration Error of the policy
func TestNamespaceParamRefClusterScopedParamError(t *testing.T) {}

func TestAuditAnnotations(t *testing.T) {}

type FakeAttributes

// AddAnnotation adds an annotation key value pair to FakeAttributes
func (f *FakeAttributes) AddAnnotation(k, v string) error {}

// AddAnnotationWithLevel adds an annotation key value pair to FakeAttributes
func (f *FakeAttributes) AddAnnotationWithLevel(k, v string, _ auditinternal.Level) error {}

// GetAnnotations reads annotations from FakeAttributes
func (f *FakeAttributes) GetAnnotations(_ auditinternal.Level) map[string]string {}

type warningRecorder

func newWarningRecorder() *warningRecorder {}

func (r *warningRecorder) AddWarning(_, text string) {}

func (r *warningRecorder) hasWarning(text string) bool {}

func (r *warningRecorder) len() int {}