Skip to main content
New to Testkube? Unleash the power of cloud native testing in Kubernetes with Testkube. Get Started >

Basic Chainsaw Example

Chainsaw is an open-source tool initially developed to define and run Kyverno end-to-end tests. It can test any Kubernetes objects.

Below is a simple workflow for executing a Chainsaw test available on GitHub. You can paste this directly into the YAML of an existing or new test, just make sure to update the name and namespace for your environment as needed.

  • The spec.content property defines the path to the Chainsaw test in a GitHub repository.
  • The spec.container property uses the official Chainsaw image to set up test environment.
  • The spec.steps property defines a single step that runs the chainsaw test <test path> test command which generates a JUnit-style XML Report which Testkube can visualise accordingly (Read More)
Chainsaw Workflow
kind: TestWorkflow
apiVersion: testworkflows.testkube.io/v1
metadata:
  name: simple-chainsaw-test
  namespace: testkube
spec:
  content:
    git:
      uri: https://github.com/cerebro1/chainsaw-testkube-demo.git
  container:
    image: ghcr.io/kyverno/chainsaw:latest
  pod:
    serviceAccountName: chainsaw-service-account  
  steps:
  - name: Run test
    shell: |
      chainsaw test --report-format XML --report-path /data/repo --report-name chainsaw-report /data/repo/chainsaw-test/basic-test
    artifacts:
      paths:
        - /data/repo/chainsaw-report.xml
status: {}

After execution, you can see the log output from the Chainsaw execution under the "Log Output" panel:

Chainsaw Log Output

If your test produced a JUnit report it is available under the JUnit Report tab accordingly.

Using a custom ServiceAccount

Chainsaw tests attempt to create a temporary namespace to which they deploy resources to be asserted. The default ServiceAccount used by Testkube to run Workflows does not have permissions to create/get/delete namespaces, requiring you to define a corresponding ServiceAccount and use that in your Chainsaw Workflow (as shown on lines 12-13 in the example above).

Use kubectl to apply the following configuration to the cluster where the Testkube Agent is running.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: chainsaw-service-account
  namespace: testkube
---
# Example Cluster Role for Chainsaw Tests
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: chainsaw-service-account-cr
rules:
  - verbs:
      - create
      - delete
      - get
    apiGroups:
      - ''
    resources:
      - namespaces
---
# Bind SA to the ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: chainsaw-service-account-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: chainsaw-service-account-cr
subjects:
  - kind: ServiceAccount
    name: chainsaw-service-account
    namespace: testkube