Working with Assertion Trees

Advanced testing with the Kyverno CLI

Kyverno 1.12 introduced assertion trees support in the test command.

The purpose of assertion trees is to offer more flexibility than the traditional syntax in results.

Assertion trees reside under the checks stanza as shown in the example below:

 1checks:
 2- match:
 3    resource:
 4      kind: Namespace
 5      metadata:
 6        name: hello-world-namespace
 7    policy:
 8      kind: ClusterPolicy
 9      metadata:
10        name: sync-secret
11    rule:
12      name: sync-my-secret
13  assert:
14    status: pass
15  error:
16    (status != 'pass'): true

Composition of a check item

A check is made of the following parts:

  • A match statement to select the elements considered by a check. This match can act on the resource, the policy and/or the rule. It is not limited to matching by kind or name but can match on anything in the payload (labels, annotations, etc…).
  • An assert statement defining the conditions to verify on the matched elements.
  • An error statement (the opposite of an assert) defining the conditions that must NOT evaluate to true on the matched elements.

In the example above the check is matching Namespace elements named hello-world-namespace for the cluster policy named sync-secret and rule named sync-my-secret. For those elements the status is expected to be equal to pass and the expression (status != 'pass') is NOT expected to be true.

Examples

Implementation is based on Kyverno JSON - assertion trees. Please refer to the documentation for more details on the syntax.

Select all results

To select all results, all you need to do is to provide an empty match statement:

1
2- match: {} # this will match everything
3  assert:
4    # ...
5  error:
6    # ...

Select based on labels

To select results based on labels, specify those labels in the stanza where they apply:

 1- match:
 2    resource:
 3      metadata:
 4        labels:
 5          foo: bar
 6    policy:
 7      metadata:
 8        labels:
 9          bar: baz
10  assert:
11    # ...
12  error:
13    # ...

Last modified April 29, 2024 at 11:02 AM PST: Cherry Pick PR 1223 (#1232) (c6f6b34)