Skip to content

Check Kubernetes version

The test below fetches the Kubernetes cluster version using the x_k8s_server_version function. It then uses the minor version retrieved to adapt an assertion based on the value in the $minorversion binding.

Tip

You can implement a ternary operator in JMESPath using an expression like this:

<condition> && <value-if-true> || <value-if-false>

apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
  name: example
spec:
  bindings:
  - name: version
    value: (x_k8s_server_version($config))
  - name: minorversion
    value: (to_number($version.minor))
  steps:
  - try:
    - apply:
        resource:
          apiVersion: v1
          kind: Pod
          metadata:
            name: pod01
          spec:
            containers:
            - name: busybox
              image: busybox:1.35
    # ...
    - assert:
        resource:
          apiVersion: v1
          kind: Pod
          metadata:
            annotations:
              # If the minor version of the Kubernetes cluster against
              # which this is tested is less than 29, the annotation is
              # expected to have the group 'system:masters' in it.
              # Otherwise, due to a change in kubeadm, the group should
              # be 'kubeadm:cluster-admins'.
              kyverno.io/created-by: (($minorversion < `29` && '{"groups":["system:masters","system:authenticated"],"username":"kubernetes-admin"}') || '{"groups":["kubeadm:cluster-admins","system:authenticated"],"username":"kubernetes-admin"}')
            name: pod01