mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
Code Activity
kyverno/.github/workflows/conformance.yaml
Mariam Fahmy c583b64120
feat: generate validating admission policies and their bindings from Kyverno policies (#7840) 
* feat: generate validating admission policies and their bindings from Kyverno policies

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* feat: add generate VAPs feature flag

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: use container flags instead of feature flags

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: limit VAP generation to cluster policies

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* feat: add policy checks for generating VAPs

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* chore: rename package

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* feat: translate match/exclude resources in Kyverno policies to their alternatives in validating admission policies

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* feat: add vap info in kyverno policy status

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: delete the translation of

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* feat: add kuttl tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* feat: add generateValidatingAdmissionPolicy feature flag in the helm chart

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* chore: update codegen

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* feat: add validating admission policy kuttl tests in the workflow

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: check K8s server version

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix lint issue

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: remove the kind config of VAPs

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2023-08-31 10:25:21 +00:00

444 lines
14 KiB
YAML
Raw Blame History

name: Conformance tests
permissions: {}
on:
pull_request:
branches:
- 'main'
- 'release*'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
prepare-images:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Setup build env
uses: ./.github/actions/setup-build-env
timeout-minutes: 10
with:
build-cache-key: build-images
- name: ko build
run: VERSION=${{ github.ref_name }} make docker-save-image-all
- name: upload images archive
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: kyverno.tar
path: kyverno.tar
retention-days: 1
if-no-files-found: error
# runs conformance test suites with configuration:
standard:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
config:
- name: standard
values:
- standard
k8s-version:
- name: v1.25
version: v1.25.11
- name: v1.26
version: v1.26.6
- name: v1.27
version: v1.27.3
- name: v1.28
version: v1.28.0
tests:
- autogen
- background-only
- cleanup
- deferred
- events
- exceptions
- filter
- generate/clusterpolicy
- generate/policy
- generate/validation
- mutate
- policy-validation
- rangeoperators
- rbac
- reports
- validate
- verify-manifests
- verifyImages
- webhooks
needs: prepare-images
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Setup build env
uses: ./.github/actions/setup-build-env
timeout-minutes: 10
with:
build-cache-key: run-conformance
- name: Create kind cluster
run: |
export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
make kind-create-cluster
- name: Download kyverno images archive
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
run: make kind-load-image-archive
- name: Install kyverno
run: |
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Test with kuttl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
--config ./test/conformance/kuttl/_config/common.yaml
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
# runs conformance test suites with configuration:
ttl:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
config:
- name: ttl
values:
- standard
- ttl
k8s-version:
- name: v1.25
version: v1.25.11
- name: v1.26
version: v1.26.6
- name: v1.27
version: v1.27.3
- name: v1.28
version: v1.28.0
tests:
- ttl
needs: prepare-images
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Setup build env
uses: ./.github/actions/setup-build-env
timeout-minutes: 10
with:
build-cache-key: run-conformance
- name: Create kind cluster
run: |
export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
make kind-create-cluster
- name: Download kyverno images archive
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
run: make kind-load-image-archive
- name: Install kyverno
run: |
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Test with kuttl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
--config ./test/conformance/kuttl/_config/common.yaml
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
# runs conformance test suites with configuration:
force-failure-policy-ignore:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
config:
- name: force-failure-policy-ignore
values:
- standard
- force-failure-policy-ignore
k8s-version:
- name: v1.25
version: v1.25.11
- name: v1.26
version: v1.26.6
- name: v1.27
version: v1.27.3
- name: v1.28
version: v1.28.0
tests:
- force-failure-policy-ignore
- rbac
needs: prepare-images
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Setup build env
uses: ./.github/actions/setup-build-env
timeout-minutes: 10
with:
build-cache-key: run-conformance
- name: Create kind cluster
run: |
export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
make kind-create-cluster
- name: Download kyverno images archive
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
run: make kind-load-image-archive
- name: Install kyverno
run: |
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Test with kuttl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
--config ./test/conformance/kuttl/_config/common.yaml
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
# runs conformance test suites with configuration:
validating-admission-policies:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
config:
- name: validating-admission-policies
values:
- standard
- generate-validating-admission-policy
k8s-version:
- name: v1.26
version: v1.26.6
- name: v1.27
version: v1.27.3
tests:
- generate-validating-admission-policy
needs: prepare-images
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup build env
uses: ./.github/actions/setup-build-env
with:
build-cache-key: run-conformance
- name: Create kind cluster
run: |
export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
export KIND_CONFIG=vap-v1alpha1
make kind-create-cluster
- name: Download kyverno images archive
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
run: make kind-load-image-archive
- name: Install kyverno
run: |
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Test with kuttl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
--config ./test/conformance/kuttl/_config/common.yaml
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
# runs conformance test suites with configuration:
default:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
config:
- name: default
values:
- default
k8s-version:
- name: v1.25
version: v1.25.11
- name: v1.26
version: v1.26.6
- name: v1.27
version: v1.27.3
- name: v1.28
version: v1.28.0
tests:
- rbac
needs: prepare-images
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Setup build env
uses: ./.github/actions/setup-build-env
timeout-minutes: 10
with:
build-cache-key: run-conformance
- name: Create kind cluster
run: |
export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
make kind-create-cluster
- name: Download kyverno images archive
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
run: make kind-load-image-archive
- name: Install kyverno
run: |
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Test with kuttl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \
--config ./test/conformance/kuttl/_config/common.yaml
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
# runs conformance test suites with configuration:
policy-library:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
config:
- name: policy-library
values:
- standard
k8s-version:
- name: v1.25
version: v1.25.11
- name: v1.26
version: v1.26.6
- name: v1.27
version: v1.27.3
- name: v1.28
version: v1.28.0
tests:
- argo
- aws
- best-practices
- castai
- cert-manager
- consul
- external-secret-operator
- flux
- istio
- karpenter
- kasten
- kubecost
- kubeops
- kubevirt
- linkerd
- nginx-ingress
- openshift
# - other
- other/a
- other/b-d
- other/e-l
- other/m-q
- other/rec-req
- other/res
- other/s-z
# - pod-security
# - psa
- psp-migration
# - tekton
# - traefik
# - velero
needs: prepare-images
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
steps:
- name: Checkout kyverno/kyverno
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Checkout kyverno/policies
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
repository: kyverno/policies
path: policies
- name: Setup build env
uses: ./.github/actions/setup-build-env
timeout-minutes: 10
with:
build-cache-key: run-conformance
- name: Create kind cluster
run: |
export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
make kind-create-cluster
- name: Download kyverno images archive
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
run: make kind-load-image-archive
- name: Install kyverno
run: |
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
- name: Build Kyverno CLI
run: |
set -e
make build-cli
ln -s $PWD/cmd/cli/kubectl-kyverno/kubectl-kyverno ./cmd/cli/kubectl-kyverno/kyverno
echo "$PWD/cmd/cli/kubectl-kyverno" >> $GITHUB_PATH
- name: Test policy library with kuttl
run: |
cd policies
../.tools/kubectl-kuttl test ./${{ matrix.tests }} --config ./kuttl-test.yaml
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
View git blame Copy permalink