(feat): added coco-workload e2e test

tests/e2e/coco-workload/create/chainsaw-test.yaml

@@ -0,0 +1,79 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: kyverno-adapter-policy-creation
+spec:
+  description: >
+   This test validates that creating a `coco-workload` SecurityIntent with SecurityIntentBinding generates the expected Kyverno Policy and its effect.
+  steps:
+    - name: "Create a sample deployment"
+      try:
+      - script:
+          content: kubectl create deployment -n $NAMESPACE nginx --image=nginx
+          check: 
+            (contains($stdout, 'deployment.apps/nginx created')): true
+
+    - name: "Verify deployment creation"
+      try:
+        - assert:
+            file: ../deploy-assert.yaml
+
+    - name: "Create a sample runtimeclass"
+      try:
+      - script:
+          content: kubectl apply -f ../runtime.yaml -n $NAMESPACE
+          check: 
+            (contains($stdout, 'runtimeclass.node.k8s.io/kata-clh created')): true  
+
+    - name: "Verify runtime creation"
+      try:
+        - assert:
+            file: ../runtime.yaml
+
+
+    - name: "Create a SecurityIntent"
+      try:
+        - apply:
+            file: ../../resources/namespaced/coco-workload-si.yaml
+
+    - name: "Create a SecurityIntentBinding"
+      try:
+        - apply:
+            file: ../../resources/namespaced/coco-workload-sib.yaml
+
+    - name: "Verify NimbusPolicy creation"
+      try:
+        - assert:
+            file: ../nimbus-policy-assert.yaml
+
+    - name: "Verify KyvernoPolicies creation"
+      try:
+        - assert:
+            file: ../kyverno-mutateexisting-policy.yaml
+        - assert:
+            file: ../kyverno-mutateoncreate-policy.yaml
+
+    - name: "Verify status of created SecurityIntentBinding"
+      description: >
+        Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, 
+        along with the generated NimbusPolicy name.
+      try:
+        - assert:
+            file: ../sib-status-assert.yaml
+
+    - name: "Verify status of created NimbusPolicy"
+      try:
+        - assert:
+            file: ../np-status-assert.yaml
+
+
+    - name: "Verify that the existing deployment is being mutated"
+      try:
+      - script:
+          content: kubectl get deploy -n $NAMESPACE nginx -o=jsonpath='{.spec.template.spec.runtimeClassName}'
+          check: 
+            (contains($stdout, 'kata-clh')): true
+

tests/e2e/coco-workload/deploy-assert.yaml

@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx
+  name: nginx
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app: nginx
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - image: nginx
+        imagePullPolicy: Always
+        name: nginx
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      terminationGracePeriodSeconds: 30

tests/e2e/coco-workload/kyverno-mutateexisting-policy.yaml

@@ -0,0 +1,45 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  annotations:
+    app.kubernetes.io/managed-by: nimbus-kyverno
+    policies.kyverno.io/description: Ensure workload is encryted by running the specified
+      workload in a Confidential VM
+  name: coco-workload-binding-mutateexisting
+  ownerReferences:
+  - apiVersion: intent.security.nimbus.com/v1alpha1
+    blockOwnerDeletion: true
+    controller: true
+    kind: NimbusPolicy
+    name: coco-workload-binding
+spec:
+  admission: true
+  background: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - exclude:
+      resources: {}
+    generate:
+      clone: {}
+      cloneList: {}
+    match:
+      any:
+      - resources:
+          kinds:
+          - v1/ConfigMap
+          name: coco-workload-binding-mutateexisting-trigger-configmap
+      resources: {}
+    mutate:
+      patchStrategicMerge:
+        spec:
+          template:
+            spec:
+              runtimeClassName: kata-clh
+      targets:
+      - apiVersion: apps/v1
+        kind: Deployment
+        name: nginx
+    name: add runtime
+    skipBackgroundRequests: true
+    validate: {}
+  validationFailureAction: Enforce

tests/e2e/coco-workload/kyverno-mutateoncreate-policy.yaml

@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  annotations:
+    app.kubernetes.io/managed-by: nimbus-kyverno
+    policies.kyverno.io/description: Ensure workload is encryted by running the specified
+      workload in a Confidential VM
+  name: coco-workload-binding-mutateoncreate
+  ownerReferences:
+  - apiVersion: intent.security.nimbus.com/v1alpha1
+    blockOwnerDeletion: true
+    controller: true
+    kind: NimbusPolicy
+    name: coco-workload-binding
+spec:
+  admission: true
+  background: true
+  rules:
+  - exclude:
+      resources: {}
+    generate:
+      clone: {}
+      cloneList: {}
+    match:
+      any:
+      - resources:
+          kinds:
+          - apps/v1/Deployment
+          selector:
+            matchLabels:
+              app: nginx
+      resources: {}
+    mutate:
+      patchStrategicMerge:
+        spec:
+          template:
+            spec:
+              runtimeClassName: kata-clh
+    name: add runtime
+    skipBackgroundRequests: true
+    validate: {}
+  validationFailureAction: Enforce
+

tests/e2e/coco-workload/nimbus-policy-assert.yaml

@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+  name: coco-workload-binding
+  ownerReferences:
+  - apiVersion: intent.security.nimbus.com/v1alpha1
+    blockOwnerDeletion: true
+    controller: true
+    kind: SecurityIntentBinding
+    name: coco-workload-binding
+spec:
+  rules:
+  - description: Ensure workload is encryted by running the specified workload in
+      a Confidential VM
+    id: cocoWorkload
+    rule:
+      action: Block
+  selector:
+    matchLabels:
+      app: nginx

tests/e2e/coco-workload/np-status-assert.yaml

@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+  name: coco-workload-binding
+  ownerReferences:
+    - apiVersion: intent.security.nimbus.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: SecurityIntentBinding
+      name: coco-workload-binding
+status:
+  numberOfAdapterPolicies: 2
+  status: Created

tests/e2e/coco-workload/runtime.yaml

@@ -0,0 +1,6 @@
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-clh
+handler: kata
+

tests/e2e/coco-workload/sib-status-assert.yaml

@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntentBinding
+metadata:
+  name: coco-workload-binding
+status:
+  boundIntents:
+    - coco-workload
+  nimbusPolicy: coco-workload-binding
+  numberOfBoundIntents: 1
+  status: Created

tests/e2e/resources/namespaced/coco-workload-si.yaml

@@ -0,0 +1,9 @@
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+  name: coco-workload
+spec:
+  intent:
+    id: cocoWorkload
+    description: "Ensure workload is encryted by running the specified workload in a Confidential VM"
+    action: Block

tests/e2e/resources/namespaced/coco-workload-sib.yaml

@@ -0,0 +1,11 @@
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntentBinding
+metadata:
+  name: coco-workload-binding
+spec:
+  intents:
+    - name: coco-workload
+  selector:
+    workloadSelector:
+      matchLabels:
+        app: nginx