
Commit 75f5365

add chainsaw tests for kyverno policies (#167)
* add chainsaw tests for kyverno policies Signed-off-by: Francesco Ilario <filario@redhat.com> * fix kube-linter complaints Signed-off-by: Francesco Ilario <filario@redhat.com> --------- Signed-off-by: Francesco Ilario <filario@redhat.com>
1 parent b82f9b0 commit 75f5365

8 files changed

Lines changed: 217 additions & 0 deletions


.chainsaw.yaml

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/configuration-chainsaw-v1alpha1.json
2+
apiVersion: chainsaw.kyverno.io/v1alpha1
3+
kind: Configuration
4+
metadata:
5+
name: configuration
6+
spec:
7+
# parallel: 1
8+
timeouts:
9+
apply: 1m30s
10+
assert: 1m30s
11+
cleanup: 1m30s
12+
delete: 1m30s
13+
error: 1m30s
14+
exec: 1m30s
15+
fullName: true
16+
forceTerminationGracePeriod: 5s
17+
delayBeforeCleanup: 3s
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
name: Run Chainsaw tests
2+
3+
on:
4+
pull_request:
5+
branches: [ main ]
6+
paths:
7+
- '.github/workflows/chainsaw-tests.yaml'
8+
- 'components/kyverno/**'
9+
- 'components/policies/**'
10+
11+
jobs:
12+
find-chainsaw-tests:
13+
name: Find chainsaw tests
14+
runs-on: ubuntu-latest
15+
outputs:
16+
directories: ${{ steps.list-tests.outputs.directories }}
17+
steps:
18+
- name: Checkout Git Repository
19+
uses: actions/checkout@v4
20+
21+
- id: list-tests
22+
run: |
23+
DIRS=$(find -name .chainsaw-test -type d | jq -R -s -c 'split("\n")[:-1]')
24+
echo "directories=${DIRS}" >> $GITHUB_OUTPUT
25+
26+
chainsaw-test:
27+
name: Run Chainsaw tests
28+
runs-on: ubuntu-latest
29+
needs: ["find-chainsaw-tests"]
30+
strategy:
31+
fail-fast: false
32+
matrix:
33+
directory: ${{ fromJSON(needs.find-chainsaw-tests.outputs.directories) }}
34+
35+
steps:
36+
- name: Create k8s Kind Cluster
37+
uses: helm/kind-action@v1
38+
39+
- uses: actions/checkout@v4
40+
41+
- name: Install Dependencies
42+
shell: bash
43+
run: |
44+
kustomize build --enable-helm components/kyverno/chainsaw | \
45+
kubectl apply -f - --server-side
46+
47+
- name: Install Cosign
48+
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
49+
50+
- name: Install Chainsaw
51+
uses: kyverno/action-install-chainsaw@f2b47b97dc889c12702113753d713f01ec268de5 # v0.2.12
52+
with:
53+
verify: true
54+
55+
- name: Wait for kyverno to be ready
56+
shell: bash
57+
run: |
58+
set -e
59+
kubectl rollout status deployment \
60+
--namespace konflux-kyverno \
61+
--selector '!job-name' \
62+
--timeout=300s
63+
64+
- name: Run chainsaw
65+
shell: bash
66+
run: |
67+
chainsaw test \
68+
--config .chainsaw.yaml \
69+
--no-color=false \
70+
"${{ matrix.directory }}"
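Review bot: The workflow declares no `permissions:` block, so the GITHUB_TOKEN gets the repository's default scope, and two of the four actions (`actions/checkout@v4`, `helm/kind-action@v1`) are pinned to mutable tags while `cosign-installer` and `action-install-chainsaw` are pinned to full commit SHAs. Since both jobs only read the checkout, add a top-level `permissions: contents: read`, and pin the remaining two actions to a commit SHA with a `# vX` comment the way the other two already are. The last step also interpolates `${{ matrix.directory }}` straight into the shell command; that value is built from `find` over directory names in the PR head, so pass it through an environment variable rather than template expansion so a crafted directory name cannot alter the command line. This is a `pull_request` workflow with no secrets in view, so the practical impact is limited, but the env-var form costs nothing.
```yaml
name: Run Chainsaw tests

permissions:
  contents: read

# … unchanged: on:, find-chainsaw-tests job, earlier steps of chainsaw-test …

      - name: Run chainsaw
        shell: bash
        env:
          TEST_DIR: ${{ matrix.directory }}
        run: |
          chainsaw test \
            --config .chainsaw.yaml \
            --no-color=false \
            "${TEST_DIR}"
```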
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
---
2+
- op: add
3+
path: /spec/template/spec/containers/0/resources
4+
value:
5+
requests:
6+
cpu: 100m
7+
memory: 64M
8+
limits:
9+
cpu: 400m
10+
memory: 256M
11+
- op: add
12+
path: /spec/ttlSecondsAfterFinished
13+
value: 3600
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
apiVersion: kustomize.config.k8s.io/v1beta1
2+
kind: Kustomization
3+
4+
namespace: konflux-kyverno
5+
6+
resources:
7+
- namespace.yaml
8+
9+
generators:
10+
- kyverno-helm-generator.yaml
11+
12+
# set resources to jobs
13+
patches:
14+
- path: job_patches.yaml
15+
target:
16+
group: batch
17+
kind: Job
18+
name: konflux-kyverno-migrate-resources
19+
version: v1
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
apiVersion: builtin
2+
kind: HelmChartInflationGenerator
3+
metadata:
4+
name: kyverno
5+
name: kyverno
6+
repo: https://kyverno.github.io/kyverno/
7+
version: 3.5.2
8+
namespace: konflux-kyverno
9+
valuesFile: kyverno-helm-values.yaml
10+
releaseName: kyverno
11+
skipTests: true
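Review bot: The chart is downloaded from `https://kyverno.github.io/kyverno/` on every `kustomize build --enable-helm`, with only `version: 3.5.2` pinning it; nothing verifies the fetched archive's digest, so the Kyverno that the tests run against is whatever the index serves for that version at build time. As far as I know the builtin `HelmChartInflationGenerator` has no digest or provenance field, so the options are to vendor the chart into the repository and point the generator at the local path, or to pull and verify the archive in the CI step before building. At minimum record the trade-off next to `version:`, e.g. `# fetched at build time; version pinned, archive not digest-verified`.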
Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
---
2+
fullnameOverride: konflux-kyverno
3+
namespaceOverride: konflux-kyverno
4+
config:
5+
updateRequestThreshold: 1000
6+
preserve: false
7+
admissionController:
8+
replicas: 1
9+
initContainer:
10+
securityContext:
11+
allowPrivilegeEscalation: false
12+
readOnlyRootFilesystem: true
13+
runAsNonRoot: true
14+
capabilities:
15+
drop:
16+
- "ALL"
17+
container:
18+
securityContext:
19+
allowPrivilegeEscalation: false
20+
readOnlyRootFilesystem: true
21+
runAsNonRoot: true
22+
capabilities:
23+
drop:
24+
- "ALL"
25+
backgroundController:
26+
replicas: 1
27+
securityContext:
28+
allowPrivilegeEscalation: false
29+
readOnlyRootFilesystem: true
30+
runAsNonRoot: true
31+
capabilities:
32+
drop:
33+
- "ALL"
34+
cleanupController:
35+
enabled: false
36+
reportsController:
37+
enabled: false
38+
policyReportsCleanup:
39+
enabled: false
40+
webhooksCleanup:
41+
enabled: false
42+
crds:
43+
migration:
44+
securityContext:
45+
allowPrivilegeEscalation: false
46+
readOnlyRootFilesystem: true
47+
runAsNonRoot: true
48+
runAsGroup: null
49+
runAsUser: null
50+
capabilities:
51+
drop:
52+
- "ALL"
53+
features:
54+
admissionReports:
55+
enabled: false
56+
aggregateReports:
57+
enabled: false
58+
policyReports:
59+
enabled: false
60+
validatingAdmissionPolicyReports:
61+
enabled: false
62+
reporting:
63+
validate: false
64+
mutate: false
65+
mutateExisting: false
66+
imageVerify: false
67+
generate: false
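Review bot: Each of the four `securityContext` blocks (admissionController initContainer and container, backgroundController, crds.migration) drops all capabilities and sets `runAsNonRoot` and `readOnlyRootFilesystem`, but none sets `seccompProfile`, which is the remaining field the `restricted` Pod Security Standard requires; add `seccompProfile:` / `  type: RuntimeDefault` to each. The migration block additionally sets `runAsUser: null` and `runAsGroup: null`, which unsets whatever UID the chart would otherwise pin, so `runAsNonRoot: true` is only satisfied if the migration job's image declares a non-root `USER` — worth confirming against the chart's image, and worth a comment such as `# UID left to the image; runAsNonRoot still enforced`. The file also switches off every report and controller except admission and background; a one-line header like `# test-only values: reports/cleanup disabled, not a production profile` would keep this from being copied elsewhere.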
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
apiVersion: v1
2+
kind: Namespace
3+
metadata:
4+
name: konflux-kyverno
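Review bot: The namespace carries no Pod Security Admission labels, so the hardened securityContexts in the Helm values are never actually enforced in the kind cluster — a regression in those values would pass the tests silently. Assuming the kind node image is recent enough to ship PSA, add under `metadata:` a `labels:` map with `pod-security.kubernetes.io/enforce: restricted` (start with `warn`/`audit` instead if the migration job or any test fixture is not yet restricted-clean). That turns the values file's intent into something the test run checks.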

hack/chainsaw/chainsaw-prepare.sh

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
#!/bin/bash
2+
3+
set -e
4+
5+
## Create the kind cluster
6+
kind create cluster --name infra-common-deployments-chainsaw
7+
8+
## Install kyverno
9+
kustomize build --enable-helm components/kyverno/chainsaw | \
10+
kubectl apply -f - --server-side
11+
12+
## wait for kyverno to rollout
13+
kubectl rollout status deployment \
14+
--namespace konflux-kyverno \
15+
--selector '!job-name' \
16+
--timeout=300s
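Review bot: `set -e` alone does not fail the script when `kustomize build` errors inside the `kustomize build ... | kubectl apply` pipeline — only kubectl's exit status counts — so a broken chart fetch or overlay is reported indirectly at best; use `set -euo pipefail`. The equivalent step in the workflow gets `pipefail` from the runner's default `bash` invocation, which this local script does not. `kind create cluster --name infra-common-deployments-chainsaw` also fails outright if the cluster already exists; if reruns are expected, guard it with `kind get clusters | grep -qx infra-common-deployments-chainsaw ||` before the create.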
