chore: adding vap testing #618

wants to merge 9 commits into
base: master
43 changes: 41 additions & 2 deletions .github/workflows/workflow.yaml
Expand Up @@ -66,7 +66,7 @@ jobs:
strategy:
matrix:
gatekeeper: [ "3.17.1", "3.18.1" ]
engine: [ "cel", "rego" ]
engine: [ "cel", "rego"]
name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} for ${{ matrix.engine }} policies"
steps:
- name: Harden Runner
Expand All @@ -86,7 +86,7 @@ jobs:

- name: Run integration test
run: |
make test-integration
make test-integration POLICY_ENGINE=${{ matrix.engine }}

- name: Save logs
run: |
Expand All @@ -100,6 +100,45 @@ jobs:
name: logs-int-test-${{ matrix.gatekeeper }}-${{ matrix.engine }}
path: |
logs-*.json
build_test_VAP:
needs: generate
runs-on: ubuntu-latest
strategy:
matrix:
gatekeeper: [ "3.17.1", "3.18.1" ]
name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} with VAP"
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Bootstrap integration test
run: |
mkdir -p $GITHUB_WORKSPACE/bin
echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
make integration-bootstrap
make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }} ENABLE_VAP=true

- name: Run integration test
run: |
make test-integration ENABLE_VAP=true

- name: Save logs
run: |
kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json

- name: Upload artifacts
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: ${{ always() }}
with:
name: logs-int-test-${{ matrix.gatekeeper }}-with-vap
path: |
logs-*.json
require_suites:
runs-on: ubuntu-latest
name: "Require a suite.yaml file alongside every template.yaml"
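Review bot: The new `build_test_VAP` job passes `ENABLE_VAP=true` only as a make variable on the `make test-integration` line, but test/bats/test.bats in this same PR reads `"$ENABLE_VAP"` from the environment; whether the `test-integration` recipe exports or forwards it is not visible in this diff, so either confirm that or set it on the step explicitly with `env:` / `ENABLE_VAP: "true"`. The job is otherwise a near-verbatim copy of the engine-matrix job above it (same bootstrap, log-saving and artifact steps); an `include:` entry adding an `enable_vap` dimension to that matrix would keep a single set of steps to maintain. Separately, `engine: [ "cel", "rego"]` drops the space before `]` and no longer matches `gatekeeper: [ "3.17.1", "3.18.1" ]` directly above it; keep one flow-sequence spacing across the file.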
14 changes: 8 additions & 6 deletions Makefile
Expand Up @@ -3,11 +3,12 @@ KIND_VERSION ?= 0.23.0
# note: k8s version pinned since KIND image availability lags k8s releases
KUBERNETES_VERSION ?= 1.30.0
KUSTOMIZE_VERSION ?= 4.5.5
GATEKEEPER_VERSION ?= 3.16.3
GATEKEEPER_VERSION ?= 3.18.1
BATS_VERSION ?= 1.8.2
GATOR_VERSION ?= 3.17.0
GATOR_VERSION ?= 3.18.1
GOMPLATE_VERSION ?= 3.11.6
POLICY_ENGINE ?= rego
ENABLE_VAP ?= false

REPO_ROOT := $(shell git rev-parse --show-toplevel)
WEBSITE_SCRIPT_DIR := $(REPO_ROOT)/scripts/website
Expand All @@ -33,12 +34,13 @@ integration-bootstrap:

deploy:
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
ifeq ($(POLICY_ENGINE), rego)
helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=false
# If the policy engine is rego, enableK8sNativeValidation should be set to false because K8sNativeValidation engine holds more priority than Rego engine. Otherwise Rego engine will not get evaluated for CT containing K8sNativeValidation engine.
ifeq ($(ENABLE_VAP), true)
helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=true --set defaultCreateVAPForTemplates=true --set defaultCreateVAPBindingForConstraints=true
else ifeq ($(POLICY_ENGINE), cel)
ifneq ($(GATEKEEPER_VERSION), 3.15.1)
helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=true
endif
else ifeq ($(POLICY_ENGINE), rego)
helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=false
endif

uninstall:
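Review bot: The explanatory comment about the rego engine now sits directly above `ifeq ($(ENABLE_VAP), true)`, a branch it does not describe; move it so it immediately precedes `else ifeq ($(POLICY_ENGINE), rego)`. When ENABLE_VAP=true the POLICY_ENGINE value is silently ignored and the chart is installed with enableK8sNativeValidation=true even if the caller asked for rego; a one-line comment above the first ifeq such as `# ENABLE_VAP=true takes precedence over POLICY_ENGINE` would make that explicit. The VAP branch also carries none of the version guard the cel branch keeps (`ifneq ($(GATEKEEPER_VERSION), 3.15.1)`); whether the VAP chart values are accepted on older chart versions is not visible here, so confirm. If test.bats is meant to see ENABLE_VAP from the environment, an `export ENABLE_VAP` next to its definition would be needed unless the test-integration target (outside this hunk) already passes it through.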
16 changes: 13 additions & 3 deletions test/bats/test.bats
Expand Up @@ -85,17 +85,27 @@ setup() {
if [ -d "$policy" ]; then
local policy_group=$(basename "$(dirname "$policy")")
local template_name=$(basename "$policy")
deny_substr="denied the request"
echo "running integration test against policy group: $policy_group, constraint template: $template_name"
# apply template
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -k $policy"
local kind=$(yq e .metadata.name "$policy"/template.yaml)
local kind=$(cat "$policy"/template.yaml | yq e .metadata.name)
if [ "$ENABLE_VAP" == "true" ] && grep -q "engine: K8sNativeValidation" "$policy"/template.yaml; then
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicy gatekeeper-$kind"
sleep 30
deny_substr="ValidatingAdmissionPolicy"
fi
for sample in "$policy"/samples/*; do
echo "testing sample constraint: $(basename "$sample")"
# apply constraint
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${sample}/constraint.yaml"
local name=$(yq e .metadata.name "$sample"/constraint.yaml)
local name=$(cat "$sample"/constraint.yaml | yq e .metadata.name)
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced $kind $name"

if [ "$ENABLE_VAP" == "true" ] && grep -q "engine: K8sNativeValidation" "$policy"/template.yaml; then
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-$name"
fi

for inventory in "$sample"/example_inventory*.yaml; do
if [[ -e "$inventory" ]]; then
run kubectl apply -f "$inventory"
Expand Down Expand Up @@ -123,7 +133,7 @@ setup() {
echo "Applying ${disallowed} with contents:"
cat ${disallowed}
run kubectl apply -f "$disallowed"
assert_match_either 'denied the request' 'no matches for kind' "${output}"
assert_match_either "$deny_substr" 'no matches for kind' "${output}"
assert_failure
# delete resource
run kubectl delete --ignore-not-found -f "$disallowed"
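Review bot: The VAP detection `[ "$ENABLE_VAP" == "true" ] && grep -q "engine: K8sNativeValidation" "$policy"/template.yaml` is evaluated twice, once before the sample loop and again on every sample for the binding check; computing it once into a local and branching on that (sketched below) removes the duplicated grep and keeps the two checks from drifting. The fixed `sleep 30` after the policy is found is a hard delay per template; if it covers VAP propagation, a poll in the style of the existing `wait_for_process` calls would be both more robust and usually faster, though the reason for the delay is not stated in the hunk. `deny_substr="denied the request"` is assigned without `local`, unlike the neighbouring `policy_group`, `template_name` and `kind`; write `local deny_substr="denied the request"`. The switch to `cat "$policy"/template.yaml | yq e .metadata.name` reintroduces a needless pipeline over the previous `yq e .metadata.name "$policy"/template.yaml` form; unless a yq version requires stdin, keep the file-argument form. The enclosing test function starts before this hunk and continues after it, and the second hunk (the `assert_match_either "$deny_substr"` change) belongs to the same function.
```bash
local kind=$(yq e .metadata.name "$policy"/template.yaml)
# Decide once whether this template is served by a VAP; reused for the binding check below.
local uses_vap="false"
if [ "$ENABLE_VAP" == "true" ] && grep -q "engine: K8sNativeValidation" "$policy"/template.yaml; then
  uses_vap="true"
fi
if [ "$uses_vap" == "true" ]; then
  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicy gatekeeper-$kind"
  sleep 30
  deny_substr="ValidatingAdmissionPolicy"
fi
# … unchanged: sample loop, constraint apply, constraint_enforced wait …
if [ "$uses_vap" == "true" ]; then
  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-$name"
fi
```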