Merge pull request #41 from slashben/main

support for Kubernetes 1.27

Author: slashben

.github/workflows/main.yaml

@@ -21,14 +21,15 @@ jobs:
       with:
           feature-gates: 'ValidatingAdmissionPolicy=true'
           extra-config: 'apiserver.runtime-config=admissionregistration.k8s.io/v1alpha1'
-          kubernetes-version: 1.26.0
+          kubernetes-version: 1.27.0
           container-runtime: containerd
     - uses: actions/setup-python@v4
       with:
         python-version: '3.10' 
     - uses: azure/setup-kubectl@v3
     - name: Running all control policy tests
       run: |
+        pip install --upgrade pip
         pip install -r requirements.txt
         ./scripts/run-all-control-tests.sh
 

scripts/run-all-control-tests.sh

@@ -34,9 +34,10 @@ for control in $(ls controls); do
     echo "--------------------------------------------------"
     pushd controls/$control
     $PYTHON_EXECUTABLE ../../scripts/run-control-tests.py
+    TEST_RESULT=$?
     # Check if test failed
     echo "--------------------------------------------------"
-    if [ $? -ne 0 ]; then
+    if [ $TEST_RESULT -ne 0 ]; then
         echo "Test $control failed"
         result=1
     else

scripts/run-control-tests.py

@@ -2,6 +2,7 @@
 import subprocess
 import os
 import sys
+import time
 import tempfile
 from termcolor import colored
 
@@ -10,6 +11,11 @@
 TEST_RESOURCES_DIR = os.path.join('..', '..', 'test-resources')
 CONFIGURATION_DIR = os.path.join('..', '..', 'configuration')
 
+DONT_CLEANUP = False
+if len(sys.argv) > 1:
+    if '--dont-cleanup' in sys.argv or '-d' in sys.argv:
+        DONT_CLEANUP = True
+
 # Get the name of the python executable
 python_executable = 'python3'
 try:
@@ -32,103 +38,114 @@
 # Create a test namespace
 subprocess.check_call(['kubectl', 'create', 'namespace','test-namespace'])
 
-# Apply the configuraton CRD
-subprocess.check_call(['kubectl', 'apply', '-f', os.path.join(CONFIGURATION_DIR, 'policy-configuration-definition.yaml')])
-
-# Open policy yaml
-with open(os.path.join('policy.yaml'), 'r') as f:
-    policy = yaml.load(f, Loader=yaml.FullLoader)
-
-# Test result variable
-all_tests_passed = True
-
-# Loop through the tests
-for test in tests:
-    name = test['name']
-    template = test['template']
-    field_change_list = test['field_change_list'] if 'field_change_list' in test else []
-    expected = test['expected']
-
-    print('-'*120)
-    print('Running test: ' + name)
-
-    # Generate temporary file name for the output file with tempfile
-    with tempfile.NamedTemporaryFile() as temp_file:
-        test_object_yaml = temp_file.name
-
-    # Run the change yaml field script
-    if len(field_change_list) > 0:
-        print('Changing fields: ' + str(field_change_list))
-        subprocess.check_call([python_executable, os.path.join(SCRIPTS_DIR, 'change-yaml-field.py'), '-i', os.path.join(TEST_RESOURCES_DIR, template), '-o', test_object_yaml] + field_change_list)
-    else:
-        subprocess.check_call(['cp', os.path.join(TEST_RESOURCES_DIR, template), test_object_yaml])
-    print('Generated test object: ' + test_object_yaml)
-
-    # Generate temporary file name for the binding file with tempfile
-    with tempfile.NamedTemporaryFile() as temp_file:
-        policy_bind_temp_file_name = temp_file.name
-    # Create the policy binding file
-    policy_name = policy['metadata']['name']
-    policy_bind_change_list = ['spec.policyName=' + policy_name, 'metadata.name=' + policy_name + '-binding', 'spec.paramRef.name=' + policy_name + '-params']
-    subprocess.check_call([python_executable, os.path.join(SCRIPTS_DIR, 'change-yaml-field.py'), '-i', os.path.join(TEST_RESOURCES_DIR, 'policy-binding.yaml'), '-o', policy_bind_temp_file_name] + policy_bind_change_list)
-    print('Generated policy binding: ' + policy_bind_temp_file_name)
-
-    # Create parameter file
-    with tempfile.NamedTemporaryFile() as temp_file:
-        param_file_name = temp_file.name
-    param_file_change_list = ['metadata.name=' + policy_name + '-params']
-    subprocess.check_call([python_executable, os.path.join(SCRIPTS_DIR, 'change-yaml-field.py'), '-i', os.path.join(TEST_RESOURCES_DIR, 'default-control-configuration.yaml'), '-o', param_file_name] + param_file_change_list)
-    print('Generated parameter file: ' + param_file_name)
-
-
-    # Run kubectl apply on the policy and policy binding
-    subprocess.check_call(['kubectl', 'apply', '-f', param_file_name])
-    subprocess.check_call(['kubectl', 'apply', '-f', policy_bind_temp_file_name])
-    subprocess.check_call(['kubectl', 'apply', '-f', 'policy.yaml'])
-
-    # Run kubectl apply on the test object
-    result = None
-    try:
-        subprocess.check_call(['kubectl', '--dry-run=server', 'apply', '-f' ,test_object_yaml])
-        result = 0
-    except subprocess.CalledProcessError as e:
-        result = e.returncode
-
-    test_passed = False
-    # Check if the result is as expected
-    if expected == 'pass' and result != 0:
-        print(colored('Test failed: expected to pass but failed','red'))
-    elif expected == 'fail' and result == 0:
-        print(colored('Test failed: expected to fail but passed','red'))
-    else:
-        test_passed = True
-        print(colored('Test passed!','green'))
-   
-    print(colored('Cleaning up...', 'yellow'))
-    # Run kubectl delete on the policy and policy binding.
-    try:
-        subprocess.check_call(['kubectl', 'delete', '-f', 'policy.yaml'],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
-        subprocess.check_call(['kubectl', 'delete', '-f', policy_bind_temp_file_name],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
-        subprocess.check_call(['kubectl', 'delete', '-f', test_object_yaml],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
-        subprocess.check_call(['kubectl', 'delete', '-f', param_file_name],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
-    except:
-        pass
+try:
+    # Apply the configuraton CRD
+    subprocess.check_call(['kubectl', 'apply', '-f', os.path.join(CONFIGURATION_DIR, 'policy-configuration-definition.yaml')])
+
+    # Open policy yaml
+    with open(os.path.join('policy.yaml'), 'r') as f:
+        policy = yaml.load(f, Loader=yaml.FullLoader)
+
+    # Test result variable
+    all_tests_passed = True
+
+    # Loop through the tests
+    for test in tests:
+        name = test['name']
+        template = test['template']
+        field_change_list = test['field_change_list'] if 'field_change_list' in test else []
+        expected = test['expected']
+
+        print('-'*120)
+        print('Running test: ' + name)
+
+        # Generate temporary file name for the output file with tempfile
+        with tempfile.NamedTemporaryFile() as temp_file:
+            test_object_yaml = temp_file.name
+
+        # Run the change yaml field script
+        if len(field_change_list) > 0:
+            print('Changing fields: ' + str(field_change_list))
+            subprocess.check_call([python_executable, os.path.join(SCRIPTS_DIR, 'change-yaml-field.py'), '-i', os.path.join(TEST_RESOURCES_DIR, template), '-o', test_object_yaml] + field_change_list)
+        else:
+            subprocess.check_call(['cp', os.path.join(TEST_RESOURCES_DIR, template), test_object_yaml])
+        print('Generated test object: ' + test_object_yaml)
+
+        # Generate temporary file name for the binding file with tempfile
+        with tempfile.NamedTemporaryFile() as temp_file:
+            policy_bind_temp_file_name = temp_file.name
+        # Create the policy binding file
+        policy_name = policy['metadata']['name']
+        policy_bind_change_list = ['spec.policyName=' + policy_name, 'metadata.name=' + policy_name + '-binding', 'spec.paramRef.name=' + policy_name + '-params']
+        subprocess.check_call([python_executable, os.path.join(SCRIPTS_DIR, 'change-yaml-field.py'), '-i', os.path.join(TEST_RESOURCES_DIR, 'policy-binding.yaml'), '-o', policy_bind_temp_file_name] + policy_bind_change_list)
+        print('Generated policy binding: ' + policy_bind_temp_file_name)
+
+        # Create parameter file
+        with tempfile.NamedTemporaryFile() as temp_file:
+            param_file_name = temp_file.name
+        param_file_change_list = ['metadata.name=' + policy_name + '-params']
+        subprocess.check_call([python_executable, os.path.join(SCRIPTS_DIR, 'change-yaml-field.py'), '-i', os.path.join(TEST_RESOURCES_DIR, 'default-control-configuration.yaml'), '-o', param_file_name] + param_file_change_list)
+        print('Generated parameter file: ' + param_file_name)
+
+
+        # Run kubectl apply on the policy and policy binding
+        subprocess.check_call(['kubectl', 'apply', '-f', param_file_name])
+        subprocess.check_call(['kubectl', 'apply', '-f', policy_bind_temp_file_name])
+        subprocess.check_call(['kubectl', 'apply', '-f', 'policy.yaml'])
+
+        time.sleep(1)
+
+        # Run kubectl apply on the test object
+        result = None
+        try:
+            subprocess.check_call(['kubectl', '--dry-run=server', 'apply', '-f' ,test_object_yaml])
+            result = 0
+        except subprocess.CalledProcessError as e:
+            result = e.returncode
+
+        test_passed = False
+        # Check if the result is as expected
+        if expected == 'pass' and result != 0:
+            print(colored('Test failed: expected to pass but failed','red'))
+        elif expected == 'fail' and result == 0:
+            print(colored('Test failed: expected to fail but passed','red'))
+        else:
+            test_passed = True
+            print(colored('Test passed!','green'))
 
-    # Call kubectl wait --for=delete pod -l app=test-pod  --timeout=360s
-    subprocess.check_call(['kubectl', 'wait', '--for=delete', 'pod', '-l', 'app=test-pod', '--timeout=360s'])
-
-    if not test_passed:
-        os.remove(policy_bind_temp_file_name)
-        os.remove(test_object_yaml)
-        os.remove(param_file_name)
-        print(colored('Done (left generated object in place)', 'yellow'))
-    else:
-        print(colored('Done', 'yellow'))
+        print(colored('Cleaning up...', 'yellow'))
+        # Run kubectl delete on the policy and policy binding.
+        try:
+            subprocess.check_call(['kubectl', 'delete', '-f', 'policy.yaml'],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+            subprocess.check_call(['kubectl', 'delete', '-f', policy_bind_temp_file_name],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+            subprocess.check_call(['kubectl', 'delete', '-f', test_object_yaml],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+            subprocess.check_call(['kubectl', 'delete', '-f', param_file_name],stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+        except:
+            pass
+        
+        # Call kubectl wait --for=delete pod -l app=test-pod  --timeout=360s
+        subprocess.check_call(['kubectl', 'wait', '--for=delete', 'pod', '-l', 'app=test-pod', '--timeout=360s'])
+
+        if not test_passed:
+            if not DONT_CLEANUP:
+                os.remove(policy_bind_temp_file_name)
+                os.remove(test_object_yaml)
+                os.remove(param_file_name)
+                print(colored('Done (left generated object in place)', 'yellow'))
+            else:
+                print(colored('Done', 'yellow'))
+        else:
+            print(colored('Done', 'yellow'))
+
+        all_tests_passed = all_tests_passed and test_passed
+
+        print('-'*120)
+        print('')
+except Exception as e:
+    print(colored('Exception: ' + str(e),'red'))
+    all_tests_passed = False
 
-    all_tests_passed = all_tests_passed and test_passed
 
-    print('-'*120)
-    print('')
 
 
 # Delete the test namespace

scripts/setup-test-minikube-cluster.sh

@@ -21,5 +21,5 @@ if minikube status | grep -q "host: Running"; then
     exit
 fi
 
-minikube start --driver=docker --kubernetes-version=1.26.0 --extra-config=apiserver.runtime-config=admissionregistration.k8s.io/v1alpha1  --feature-gates='ValidatingAdmissionPolicy=true' --container-runtime=containerd || exit 1
+minikube start --driver=docker --kubernetes-version=1.27.0 --extra-config=apiserver.runtime-config=admissionregistration.k8s.io/v1alpha1  --feature-gates='ValidatingAdmissionPolicy=true' --container-runtime=containerd || exit 1
 

test-resources/deployment-for-list-items.yaml

@@ -27,5 +27,4 @@ spec:
           capabilities:
             add:
             - SYS_ADM
-            drop:
             - NET_RAW

test-resources/policy-binding.yaml

@@ -4,6 +4,7 @@ metadata:
   name: placeholder
 spec:
   policyName: placeholder
+  validationActions: [Deny]
   paramRef:
     name: placeholder
   matchResources: