# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json name: Conformance tests permissions: {} on: pull_request: branches: - "main" - "release*" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: define-matrix: runs-on: ubuntu-latest outputs: tests: ${{ steps.tests.outputs.tests }} steps: - name: Checkout uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Set matrix data id: tests run: echo "tests=$(jq -c . < ./test/conformance/chainsaw/e2e-matrix.json)" >> $GITHUB_OUTPUT prepare-images: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Setup caches uses: ./.github/actions/setup-caches timeout-minutes: 5 continue-on-error: true with: build-cache-key: build-images - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 with: free-disk-space: false - name: ko build shell: bash run: | set -e VERSION=${{ github.ref_name }} make docker-save-image-all - name: upload images archive uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: kyverno.tar path: kyverno.tar retention-days: 1 if-no-files-found: error prepare-cli: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Setup caches uses: ./.github/actions/setup-caches timeout-minutes: 5 continue-on-error: true with: build-cache-key: build-cli - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 with: free-disk-space: false - name: Build CLI shell: bash run: | set -e VERSION=${{ github.ref_name }} make build-cli - name: upload images archive uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: kubectl-kyverno path: cmd/cli/kubectl-kyverno/kubectl-kyverno retention-days: 1 if-no-files-found: error assert: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).assert }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} autogen: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).autogen }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} background-only: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).background-only }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} cleanup: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).cleanup }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} deferred: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).deferred }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} events: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).events }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} exceptions: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).exceptions }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} filter: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).filter }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} force-failure-policy-ignore: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).force-failure-policy-ignore }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard,force-failure-policy-ignore token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} generate: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).generate }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} generate-validating-admission-policy: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).generate-validating-admission-policy }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kind-config: ./scripts/config/kind/vap-v1beta1.yaml kyverno-configs: standard,generate-validating-admission-policy token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} globalcontext: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).globalcontext }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} lease: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).lease }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} mutate: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).mutate }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} policy-validation: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).policy-validation }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} rangeoperators: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).rangeoperators }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} rbac: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: kyverno-configs: [ standard, default, 'standard,force-failure-policy-ignore' ] k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).rbac }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: ${{ matrix.kyverno-configs }} token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} reports: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).reports }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} ttl: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).ttl }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard,ttl token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} validate: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).validate }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} validating-admission-policy-reports: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).validating-admission-policy-reports }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kind-config: ./scripts/config/kind/vap-v1beta1.yaml kyverno-configs: standard,validating-admission-policy-reports token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} verify-manifests: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).verify-manifests }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} verifyImages: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).verifyImages }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} webhook-configurations: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).webhook-configurations }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kind-config: ./scripts/config/kind/vap-v1beta1.yaml kyverno-configs: standard,generate-validating-admission-policy token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} webhooks: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).webhooks }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kyverno-configs: standard token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} sigstore-custom-tuf: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] tests: ${{ fromJSON(needs.define-matrix.outputs.tests).sigstore-custom-tuf }} needs: [ prepare-images, define-matrix ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - uses: ./.github/actions/run-tests with: k8s-version: ${{ matrix.k8s-version }} kind-config: ./scripts/config/kind/vap-v1beta1.yaml kyverno-configs: standard,sigstore-custom-tuf token: ${{ secrets.GITHUB_TOKEN }} chainsaw-tests: ${{ matrix.tests }} custom-sigstore: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: - v1.28.x - v1.29.x - v1.30.x tests: - custom-sigstore needs: prepare-images steps: - name: Checkout uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 # install tools - name: Install helm id: helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - name: Install crane uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 - name: Install Cosign uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Install chainsaw uses: kyverno/action-install-chainsaw@d1a61148c0437a66760d11d8575332305c2234cb # v0.2.10 with: verify: true # create cluster - name: Create kind cluster and setup Sigstore Scaffolding uses: sigstore/scaffolding/actions/setup@3c79cb2714d1c724551ae859bcbde1a3204ff8ac # v0.7.11 with: version: main k8s-version: ${{ matrix.k8s-version }} knative-version: "1.10.0" - name: Create TUF values config map run: | set -e kubectl create namespace kyverno kubectl -n kyverno create configmap tufvalues --from-literal=TUF_MIRROR=$TUF_MIRROR --from-literal=FULCIO_URL=$FULCIO_URL --from-literal=REKOR_URL=$REKOR_URL --from-literal=CTLOG_URL=$CTLOG_URL --from-literal=ISSUER_URL=$ISSUER_URL kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: kyverno/' | kubectl create -f - # deploy kyverno - name: Download kyverno images archive uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e kind load image-archive kyverno.tar --name kind - name: Install kyverno shell: bash run: | set -e export HELM=${{ steps.helm.outputs.helm-path }} export USE_CONFIG=standard,custom-sigstore make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready # prepare test image - name: Create test image shell: bash run: | DIGEST=$(crane digest cgr.dev/chainguard/static) IMAGE_NAME=$(uuidgen | tr "[:upper:]" "[:lower:]") TEST_IMAGE_URL=ttl.sh/${IMAGE_NAME}:1h crane copy cgr.dev/chainguard/static@$DIGEST $TEST_IMAGE_URL cosign initialize --mirror $TUF_MIRROR --root $TUF_MIRROR/root.json COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token $OIDC_TOKEN -y echo "TEST_IMAGE_URL=$TEST_IMAGE_URL" >> $GITHUB_ENV # run tests - name: Test with Chainsaw shell: bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -e cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs policy-library: runs-on: ubuntu-latest strategy: fail-fast: false matrix: k8s-version: - v1.28.13 - v1.29.8 - v1.30.4 - v1.31.0 tests: - ^argo$ - ^aws$ - ^best-practices$ - ^castai$ - ^cert-manager$ - ^consul$ - ^external-secret-operator$ - ^flux$ - ^istio$ - ^karpenter$ - ^kasten$ - ^kubecost$ - ^kubeops$ - ^kubevirt$ - ^linkerd$ - ^nginx-ingress$ - ^openshift$ - ^other$/^a - ^other$/^[b-d] - ^other$/^[e-l] - ^other$/^[m-q] - ^other$/^re[c-q] - ^other$/^res - ^other$/^[s-z] - ^pod-security$ - ^pod-security-cel$ - ^psa$ - ^psp-migration$ # - ^tekton # - ^traefik # - ^velero needs: - prepare-images - prepare-cli steps: - name: Checkout kyverno/kyverno uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Checkout kyverno/policies uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: repository: kyverno/policies path: policies # install tools - name: Install helm id: helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - name: Install Cosign uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Install chainsaw uses: kyverno/action-install-chainsaw@d1a61148c0437a66760d11d8575332305c2234cb # v0.2.10 with: verify: true - name: Download kyverno CLI archive uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: kubectl-kyverno - name: Install Kyverno CLI shell: bash run: | set -e chmod +x kubectl-kyverno && mv kubectl-kyverno ./cmd/cli/kubectl-kyverno/kyverno echo "$PWD/cmd/cli/kubectl-kyverno" >> $GITHUB_PATH # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: node_image: kindest/node:${{ matrix.k8s-version }} cluster_name: kind config: ./scripts/config/kind/default.yaml # deploy kyverno - name: Download kyverno images archive uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e kind load image-archive kyverno.tar --name kind - name: Install kyverno shell: bash run: | set -e export HELM=${{ steps.helm.outputs.helm-path }} export USE_CONFIG=standard make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready # run tests - name: Install CRDs run: | set -e kubectl apply -f ./policies/.chainsaw/crds - name: Test with Chainsaw env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -e cd policies chainsaw test --include-test-regex '^chainsaw$/${{ matrix.tests }}' --no-color=false - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs monitor-helm-secret-size: runs-on: ubuntu-latest permissions: packages: read needs: prepare-images steps: - name: Checkout uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Setup caches uses: ./.github/actions/setup-caches timeout-minutes: 5 continue-on-error: true with: build-cache-key: run-conformance - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 - name: Create kind cluster shell: bash run: | set -e make kind-create-cluster - name: Download kyverno images archive uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e make kind-load-image-archive - name: Install kyverno shell: bash run: | make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Check secret size shell: bash run: | set -e set -u SIZE=$(kubectl get secrets -n kyverno sh.helm.release.v1.kyverno.v1 -o jsonpath='{.data.release}' | base64 -d | wc -c | awk '{print $1}') MAX_ALLOWED=1030000 if [ "$SIZE" -gt "$MAX_ALLOWED" ]; then echo "Helm secret size ($SIZE bytes) is above the max allowed ($MAX_ALLOWED bytes)" exit 1 else echo "Helm secret size ($SIZE bytes) is below the max allowed ($MAX_ALLOWED bytes)" fi check-tests: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: tests: - ^cli$ needs: - prepare-cli steps: - name: Checkout uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 # install tools - name: Download kyverno CLI archive uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: kubectl-kyverno - name: Install Cosign uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Install chainsaw uses: kyverno/action-install-chainsaw@d1a61148c0437a66760d11d8575332305c2234cb # v0.2.10 with: verify: true # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: node_image: kindest/node:v1.30.0 cluster_name: kind config: ./scripts/config/kind/default.yaml - name: Install Kyverno CLI shell: bash run: | set -e chmod +x kubectl-kyverno && mv kubectl-kyverno ./cmd/cli/kubectl-kyverno/kyverno echo "$PWD/cmd/cli/kubectl-kyverno" >> $GITHUB_PATH # run tests - name: Test with Chainsaw shell: bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -e cd ./test/conformance/chainsaw && chainsaw test --include-test-regex '^chainsaw$/${{ matrix.tests }}' --config ../../../.chainsaw.yaml - name: Fix test files shell: bash run: | set -e KYVERNO_EXPERIMENTAL=true kyverno fix test ./test/cli --save --compress make verify-cli-tests cleanup-test: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: - name: v1.31 version: v1.31.0 kyverno-config: - name: cleanup values: - kyverno-cleanup needs: - prepare-images name: ${{ matrix.k8s-version.name }} - kyverno uninstall steps: - name: Checkout kyverno/kyverno uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Install helm id: helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - name: Install Kubectl run: | set -e curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl" sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: node_image: kindest/node:${{ matrix.k8s-version.version }} cluster_name: kind config: ./scripts/config/kind/default.yaml - name: Download kyverno images archive uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e kind load image-archive kyverno.tar --name kind - name: Install kyverno shell: bash run: | set -e export HELM=${{ steps.helm.outputs.helm-path }} export USE_CONFIG=${{ join(matrix.kyverno-config.values, ',') }} make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Log finalizers from deployments shell: bash run: | set -e kubectl get deploy kyverno-admission-controller -n kyverno --template='{{.metadata.finalizers}}' kubectl get deploy kyverno-cleanup-controller -n kyverno --template='{{.metadata.finalizers}}' - name: Uninstall kyverno shell: bash run: | set -e helm uninstall kyverno -n kyverno --wait --no-hooks - name: Check validating webhook count shell: bash run: | set -e if [ `kubectl get validatingwebhookconfigurations -l webhook.kyverno.io/managed-by=kyverno --no-headers | wc -l` -gt 0 ] then exit 1 fi - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs helm-upgrade: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] kyverno-version: [ '3.2' ] needs: [ prepare-images ] steps: - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Install helm id: helm uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 with: node_image: kindest/node:${{ matrix.k8s-version }} cluster_name: kind config: ./scripts/config/kind/default.yaml # deploy kyverno - name: Download kyverno images archive uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e kind load image-archive kyverno.tar --name kind - name: Install kyverno shell: bash run: | set -e ${{ steps.helm.outputs.helm-path }} install kyverno --namespace kyverno --create-namespace --wait \ --repo https://kyverno.github.io/kyverno kyverno \ --version ${{ matrix.kyverno-version }} - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Upgrade kyverno shell: bash run: | set -e export HELM=${{ steps.helm.outputs.helm-path }} make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready # debug - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs conformance-required-success: name: conformance-required needs: - assert - autogen - background-only - cleanup - deferred - events - exceptions - filter - force-failure-policy-ignore - generate - generate-validating-admission-policy - globalcontext - lease - mutate - policy-validation - rangeoperators - rbac - reports - ttl - validate - validating-admission-policy-reports - verify-manifests - verifyImages - webhook-configurations - webhooks - custom-sigstore - monitor-helm-secret-size - check-tests - helm-upgrade runs-on: ubuntu-latest if: ${{ success() }} steps: - run: ${{ true }} conformance-required-failure: name: conformance-required needs: - assert - autogen - background-only - cleanup - deferred - events - exceptions - filter - force-failure-policy-ignore - generate - generate-validating-admission-policy - globalcontext - lease - mutate - policy-validation - rangeoperators - rbac - reports - ttl - validate - validating-admission-policy-reports - verify-manifests - verifyImages - webhook-configurations - webhooks - custom-sigstore - monitor-helm-secret-size - check-tests - helm-upgrade runs-on: ubuntu-latest if: ${{ failure() || cancelled() }} steps: - run: ${{ false }}