diff --git a/Makefile b/Makefile index 49c11ba..72c11fd 100644 --- a/Makefile +++ b/Makefile @@ -58,13 +58,13 @@ kind-deploy-kyverno: helm-add-repo helm-install-kyverno ## Deploy kyverno helm c VUS ?= 10 ITERATIONS ?= 1000 -SCRIPT ?= "kyverno-pss.js" +SCRIPT ?= kyverno-pss.js .PHONY: kyverno-pss-block kyverno-pss-block: - cd k6 \ + cd k6 && \ ./start.sh ./tests/${SCRIPT} ${VUS} ${ITERATIONS} .PHONY: check-error check-error: - @grep -q "level=error" "${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt" || (echo "Error found in the file."; exit 1) \ No newline at end of file + @grep -q "level=error" "${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt" || (echo "Unexpected behavior during load testing, please check results."; exit 1) \ No newline at end of file diff --git a/configs/kind/tracing.yaml b/configs/kind/tracing.yaml deleted file mode 100644 index 598a1af..0000000 --- a/configs/kind/tracing.yaml +++ /dev/null 
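Review bot: The `check-error` recipe is inverted on the new side: `grep -q "level=error" … || (…; exit 1)` succeeds when an error line is present in the log and prints "Unexpected behavior during load testing" only when none is found. The commit changes the message but keeps that logic. Flipping the test makes the target fail on errors: `@if grep -q "level=error" "${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt"; then echo "Unexpected behavior during load testing, please check results."; exit 1; fi`. A missing log file would still pass that form, because grep's status 2 is treated as "no match", so a `test -f` on the log path first is worth adding.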
@@ -1,56 +0,0 @@ -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -kubeadmConfigPatches: - - |- - kind: ClusterConfiguration - apiServer: - extraVolumes: - - name: tracing-configuration - hostPath: /opt/kube-apiserver/tracing-configuration.yaml - mountPath: /opt/kube-apiserver/tracing-configuration.yaml - readOnly: true - pathType: File - extraArgs: - tracing-config-file: /opt/kube-apiserver/tracing-configuration.yaml - controllerManager: - extraArgs: - bind-address: 0.0.0.0 - etcd: - local: - extraArgs: - listen-metrics-urls: http://0.0.0.0:2382 - scheduler: - extraArgs: - bind-address: 0.0.0.0 - - |- - kind: KubeProxyConfiguration - metricsBindAddress: 0.0.0.0 - - |- - kind: KubeletConfiguration - featureGates: - KubeletTracing: true - tracing: - endpoint: localhost:4317 - samplingRatePerMillion: 1000000 -nodes: - - role: control-plane - kubeadmConfigPatches: - - |- - kind: InitConfiguration - nodeRegistration: - kubeletExtraArgs: - node-labels: "ingress-ready=true" - extraMounts: - - hostPath: ./scripts/config/kube-apiserver/tracing-configuration.yaml - containerPath: /opt/kube-apiserver/tracing-configuration.yaml - readOnly: true - extraPortMappings: - - containerPort: 80 - hostPort: 80 - protocol: TCP - - containerPort: 443 - hostPort: 443 - protocol: TCP - - role: worker - - role: worker - - role: worker diff --git a/configs/kind/vap-v1alpha1.yaml b/configs/kind/vap-v1alpha1.yaml deleted file mode 100644 index b6d1c2a..0000000 --- a/configs/kind/vap-v1alpha1.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -featureGates: - ValidatingAdmissionPolicy: true -runtimeConfig: - admissionregistration.k8s.io/v1alpha1: true -kubeadmConfigPatches: - - |- - kind: ClusterConfiguration - controllerManager: - extraArgs: - bind-address: 0.0.0.0 - etcd: - local: - extraArgs: - listen-metrics-urls: http://0.0.0.0:2382 - scheduler: - extraArgs: - bind-address: 0.0.0.0 - - |- - kind: KubeProxyConfiguration - metricsBindAddress: 0.0.0.0 -nodes: - - role: control-plane - kubeadmConfigPatches: - - |- - kind: InitConfiguration - nodeRegistration: - kubeletExtraArgs: - node-labels: "ingress-ready=true" - extraPortMappings: - - containerPort: 80 - hostPort: 80 - protocol: TCP - - containerPort: 443 - hostPort: 443 - protocol: TCP - - role: worker - - role: worker - - role: worker diff --git a/configs/kind/vap-v1beta1.yaml b/configs/kind/vap-v1beta1.yaml deleted file mode 100644 index 8b9b433..0000000 --- a/configs/kind/vap-v1beta1.yaml +++ /dev/null @@ -1,41 +0,0 @@ -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -featureGates: - ValidatingAdmissionPolicy: true -runtimeConfig: - admissionregistration.k8s.io/v1beta1: true - admissionregistration.k8s.io/v1alpha1: true -kubeadmConfigPatches: - - |- - kind: ClusterConfiguration - controllerManager: - extraArgs: - bind-address: 0.0.0.0 - etcd: - local: - extraArgs: - listen-metrics-urls: http://0.0.0.0:2382 - scheduler: - extraArgs: - bind-address: 0.0.0.0 - - |- - kind: KubeProxyConfiguration - metricsBindAddress: 0.0.0.0 -nodes: - - role: control-plane - kubeadmConfigPatches: - - |- - kind: InitConfiguration - nodeRegistration: - kubeletExtraArgs: - node-labels: "ingress-ready=true" - extraPortMappings: - - containerPort: 80 - hostPort: 80 - protocol: TCP - - containerPort: 443 - hostPort: 443 - protocol: TCP - - role: worker - - role: worker - - role: worker diff --git a/k6/job.yaml b/k6/job.yaml index 23741b5..11c01aa 100644 --- a/k6/job.yaml +++ b/k6/job.yaml 
@@ -7,12 +7,11 @@ spec: spec: serviceAccountName: load-test containers: - - image: grafana/k6:0.45.0 + - image: grafana/k6:0.47.0 resources: {} name: k6 securityContext: allowPrivilegeEscalation: false - runAsNonRoot: true seccompProfile: type: RuntimeDefault capabilities: diff --git a/k6/pss-values.yml b/k6/pss-values.yml index 295e02e..0176880 100644 --- a/k6/pss-values.yml +++ b/k6/pss-values.yml 
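Review bot: Dropping `runAsNonRoot: true` from the k6 container's `securityContext` leaves nothing in this manifest that stops the container from running as UID 0; the effective user now depends entirely on what the `grafana/k6:0.47.0` image declares. If the field was removed because the kubelet could not verify a non-numeric image user (an assumption, the commit does not say), keeping it and pinning a numeric UID preserves the guarantee: `runAsNonRoot: true` together with `runAsUser: <non-zero UID of the image's user>`. Otherwise a one-line comment stating why the check was relaxed would help. The `securityContext` block continues outside the hunk.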
@@ -5,101 +5,101 @@ policyExclude: any: - resources: namespaces: - - load-tests + - load-test name: load-test* adding-capabilities-strict: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-host-namespaces: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-host-path: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-host-ports: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-host-process: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-privilege-escalation: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-privileged-containers: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-proc-mount: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-selinux: any: - resources: namespaces: - - load-tests + - load-test name: load-test* require-run-as-non-root-user: any: - resources: namespaces: - - load-tests + - load-test name: load-test* require-run-as-nonroot: any: - resources: namespaces: - - load-tests + - load-test name: load-test* restrict-apparmor-profiles: any: - resources: namespaces: - - load-tests + - load-test name: load-test* restrict-seccomp: any: - resources: namespaces: - - load-tests + - load-test name: load-test* restrict-seccomp-strict: any: - resources: namespaces: - - load-tests + - load-test name: load-test* restrict-sysctls: any: - resources: namespaces: - - load-tests + - load-test name: load-test* restrict-volume-types: any: - resources: namespaces: - - load-tests + - load-test name: load-test* \ No newline at end of file diff --git a/k6/report.sh b/k6/report.sh new file mode 100644 index 0000000..5cfbe91 --- /dev/null +++ b/k6/report.sh 
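Review bot: With the namespace corrected to `load-test`, every `policyExclude` entry in this hunk presumably starts matching the load-test workloads, so resources named `load-test*` in that namespace are exempt from all the listed Pod Security policies, including `disallow-privileged-containers`, `disallow-host-path` and `disallow-host-namespaces`. Judging by `k6/job.yaml`, the job already sets `allowPrivilegeEscalation: false` and a `RuntimeDefault` seccomp profile, so it likely needs only a few of these exemptions; keeping the exclusion on just the policies the job actually violates leaves the rest enforced. Since the identical exclusion is repeated for each policy, a comment at the top of `policyExclude` saying why the namespace is exempt would also make the intent reviewable. The first entry's policy name lies outside the hunk.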
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+grep "level=error" "$file_path"
+
+# Store the exit code of the grep command
+exit_code=$?
+
+# Check if the exit code is 0 (match found) or 1 (no match found)
+if [ $exit_code -eq 0 ]; then
+ echo "Error found in the file."
+ exit 1
+elif [ $exit_code -eq 1 ]; then
+ echo "No error found in the file."
+ exit 0
+else
+ echo "An error occurred while searching the file."
+ exit 1
+fi
\ No newline at end of file
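Review bot: `file_path` is never assigned in this script, so unless the caller exports it the `grep` line aborts under `set -u` with an unbound-variable error before anything is checked. Under `set -e` a non-zero grep status also ends the script on that line, so `exit_code=$?` only ever sees 0, the `elif`/`else` branches are unreachable, and a clean log makes the script exit 1 instead of 0. Taking the path from the first argument and capturing the status explicitly fixes both: `file_path="${1:?usage: report.sh LOG_FILE}"`, `exit_code=0`, `grep "level=error" "$file_path" || exit_code=$?`. Quoting `"$exit_code"` inside the `[ … ]` tests would be the more defensive style.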