Working with Assertion Trees
Kyverno 1.12 introduced assertion trees support in the test command.
The purpose of assertion trees is to offer more flexibility than the traditional results syntax.
Assertion trees reside under the checks stanza as shown in the example below:
checks:
- match:
    resource:
      kind: Namespace
      metadata:
        name: hello-world-namespace
    policy:
      kind: ClusterPolicy
      metadata:
        name: sync-secret
    rule:
      name: sync-my-secret
  assert:
    status: pass
  error:
    (status != 'pass'): true
Composition of a check item
A check is made of the following parts:
- A match statement to select the elements considered by a check. This match can act on the resource, the policy and/or the rule. It is not limited to matching by kind or name but can match on anything in the payload (labels, annotations, etc.).
- An assert statement defining the conditions to verify on the matched elements.
- An error statement (the opposite of an assert) defining the conditions that must NOT evaluate to true on the matched elements.
In the example above, the check matches Namespace elements named hello-world-namespace for the ClusterPolicy named sync-secret and the rule named sync-my-secret. For those elements, the status is expected to equal pass and the expression (status != 'pass') is NOT expected to evaluate to true.
Examples
The implementation is based on Kyverno JSON assertion trees. Please refer to the Kyverno JSON documentation for more details on the syntax.
Select all results
To select all results, all you need to do is to provide an empty match statement:
- match: {} # this will match everything
  assert:
    # ...
  error:
    # ...
Select based on labels
To select results based on labels, specify those labels in the stanza where they apply:
- match:
    resource:
      metadata:
        labels:
          foo: bar
    policy:
      metadata:
        labels:
          bar: baz
  assert:
    # ...
  error:
    # ...