diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index b55dc49bb..fae866849 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -66,7 +66,7 @@ jobs:
 strategy:
 matrix:
 gatekeeper: [ "3.17.1", "3.18.1" ]
- engine: [ "cel", "rego" ]
+ engine: [ "cel", "rego"]
 name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} for ${{ matrix.engine }} policies"
 steps:
 - name: Harden Runner
@@ -86,7 +86,7 @@ jobs:
 - name: Run integration test
 run: |
- make test-integration
+ make test-integration POLICY_ENGINE=${{ matrix.engine }}
 - name: Save logs
 run: |
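Review bot: The new `run:` line interpolates `${{ matrix.engine }}` straight into the shell script; the value is a fixed matrix literal here, so there is no injection, but the usual hardening shape keeps expressions out of `run:` entirely: add `env:` with `POLICY_ENGINE: ${{ matrix.engine }}` to the step and call `make test-integration POLICY_ENGINE="$POLICY_ENGINE"`. That also shows the engine in the step environment when a run has to be debugged. The enclosing job starts before this hunk.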
@@ -100,6 +100,45 @@ jobs:
 name: logs-int-test-${{ matrix.gatekeeper }}-${{ matrix.engine }}
 path: |
 logs-*.json
+ build_test_VAP:
+ needs: generate
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ gatekeeper: [ "3.17.1", "3.18.1" ]
+ name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} with VAP"
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ with:
+ egress-policy: audit
+
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Bootstrap integration test
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/bin
+ echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+ make integration-bootstrap
+ make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }} ENABLE_VAP=true
+
+ - name: Run integration test
+ run: |
+ make test-integration ENABLE_VAP=true
+
+ - name: Save logs
+ run: |
+ kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
+ kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
+
+ - name: Upload artifacts
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+ if: ${{ always() }}
+ with:
+ name: logs-int-test-${{ matrix.gatekeeper }}-with-vap
+ path: |
+ logs-*.json
 require_suites:
 runs-on: ubuntu-latest
 name: "Require a suite.yaml file alongside every template.yaml"
diff --git a/Makefile b/Makefile
index 064e6ec94..a651d9ba0 100755
--- a/Makefile
+++ b/Makefile
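Review bot: The `Save logs` step of the new `build_test_VAP` job has no `if:` condition, so when `Run integration test` fails the job stops before `kubectl logs` runs and the `if: ${{ always() }}` on `Upload artifacts` then uploads nothing — precisely the case in which the controller and audit logs are wanted. Add `if: ${{ always() }}` to the `Save logs` step as well (or `if: ${{ failure() }}` if logs are only wanted on failure); with that condition a `kubectl` error in the step no longer matters for the upload either. Separately, `egress-policy: audit` only records outbound connections; that is presumably consistent with the other jobs' Harden Runner steps, whose policy is not visible in this hunk, but if they have moved to `block` with an allow-list this job should match.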
@@ -3,11 +3,12 @@ KIND_VERSION ?= 0.23.0
 # note: k8s version pinned since KIND image availability lags k8s releases
 KUBERNETES_VERSION ?= 1.30.0
 KUSTOMIZE_VERSION ?= 4.5.5
-GATEKEEPER_VERSION ?= 3.16.3
+GATEKEEPER_VERSION ?= 3.18.1
 BATS_VERSION ?= 1.8.2
-GATOR_VERSION ?= 3.17.0
+GATOR_VERSION ?= 3.18.1
 GOMPLATE_VERSION ?= 3.11.6
 POLICY_ENGINE ?= rego
+ENABLE_VAP ?= false
 REPO_ROOT := $(shell git rev-parse --show-toplevel)
 WEBSITE_SCRIPT_DIR := $(REPO_ROOT)/scripts/website
@@ -33,12 +34,13 @@ integration-bootstrap:
 deploy:
 helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
-ifeq ($(POLICY_ENGINE), rego)
- helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=false
+# If the policy engine is rego, enableK8sNativeValidation should be set to false because K8sNativeValidation engine holds more priority than Rego engine. Otherwise Rego engine will not get evaluated for CT containing K8sNativeValidation engine.
+ifeq ($(ENABLE_VAP), true)
+ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=true --set defaultCreateVAPForTemplates=true --set defaultCreateVAPBindingForConstraints=true
 else ifeq ($(POLICY_ENGINE), cel)
-ifneq ($(GATEKEEPER_VERSION), 3.15.1)
 helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=true
-endif
+else ifeq ($(POLICY_ENGINE), rego)
+ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=false
 endif
 uninstall:
diff --git a/test/bats/test.bats b/test/bats/test.bats
index f45441166..335742870 100755
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
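Review bot: The comment explaining why the Rego engine needs `enableK8sNativeValidation=false` now sits above `ifeq ($(ENABLE_VAP), true)`, the branch that sets it to `true`; it belongs above `else ifeq ($(POLICY_ENGINE), rego)`, where that helm invocation now lives, and a short line such as `# ENABLE_VAP=true takes precedence over POLICY_ENGINE` above the first `ifeq` would document the new ordering. The chain also installs nothing, and `deploy` still exits 0, when `ENABLE_VAP` is not `true` and `POLICY_ENGINE` is neither `cel` nor `rego` (a typo on the make command line), so the mistake only surfaces as confusing failures in the bats run. Close the chain with an `else` branch holding the tab-indented recipe line `@echo "unsupported POLICY_ENGINE=$(POLICY_ENGINE) (expected cel or rego)" >&2; exit 1` before `endif`; a make-level `$(error …)` would work too but fires at parse time for every target, not just `deploy`. The `deploy` recipe is complete inside the hunk; `uninstall:` continues past it.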
@@ -85,17 +85,27 @@ setup() {
 if [ -d "$policy" ]; then
 local policy_group=$(basename "$(dirname "$policy")")
 local template_name=$(basename "$policy")
+ deny_substr="denied the request"
 echo "running integration test against policy group: $policy_group, constraint template: $template_name"
 # apply template
 wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -k $policy"
- local kind=$(yq e .metadata.name "$policy"/template.yaml)
+ local kind=$(cat "$policy"/template.yaml | yq e .metadata.name)
+ if [ "$ENABLE_VAP" == "true" ] && grep -q "engine: K8sNativeValidation" "$policy"/template.yaml; then
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicy gatekeeper-$kind -o yaml"
+ sleep 30
+ deny_substr="ValidatingAdmissionPolicy"
+ fi
 for sample in "$policy"/samples/*; do
 echo "testing sample constraint: $(basename "$sample")"
 # apply constraint
 wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${sample}/constraint.yaml"
- local name=$(yq e .metadata.name "$sample"/constraint.yaml)
+ local name=$(cat "$sample"/constraint.yaml | yq e .metadata.name)
 wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced $kind $name"
+ if [ "$ENABLE_VAP" == "true" ] && grep -q "engine: K8sNativeValidation" "$policy"/template.yaml; then
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl get ValidatingAdmissionPolicyBinding gatekeeper-$name -o yaml"
+ fi
+
 for inventory in "$sample"/example_inventory*.yaml; do
 if [[ -e "$inventory" ]]; then
 run kubectl apply -f "$inventory"
@@ -123,7 +133,7 @@ setup() {
 echo "Applying ${disallowed} with contents:"
 cat ${disallowed}
 run kubectl apply -f "$disallowed"
- assert_match_either 'denied the request' 'no matches for kind' "${output}"
+ assert_match_either "$deny_substr" 'no matches for kind' "${output}"
 assert_failure
 # delete resource
 run kubectl delete --ignore-not-found -f "$disallowed"
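Review bot: Setting `deny_substr="ValidatingAdmissionPolicy"` for the VAP path makes the denial oracle far weaker than the Rego/CEL path's `denied the request`: the later `assert_match_either "$deny_substr" …` plus `assert_failure` will also pass when the apiserver rejects the request because the policy itself is broken (a CEL evaluation error, a missing `paramRef`, a binding that failed to resolve), since those error strings mention `ValidatingAdmissionPolicy` too, so a non-functional policy becomes indistinguishable from a working deny. Match the actual denial form instead, something like `deny_substr="ValidatingAdmissionPolicy 'gatekeeper-$kind' with binding 'gatekeeper-$name' denied request"`, assigned inside the per-sample loop where `$name` is known (confirm the exact wording against the apiserver version in the kind cluster). The fixed `sleep 30` after the VAP appears is an unexplained flakiness/runtime trade-off; if it gives the apiserver time to observe and compile the new VAP before bindings are applied, either poll for that with `wait_for_process` on a probe that exercises the policy, or at least add `# allow the apiserver to observe/compile the new VAP before bindings are created` so the number is not cargo-culted. Minor: `deny_substr` is not declared `local` like its neighbours and will leak out of the function, and `cat … | yq e .metadata.name` is a needless pipe where the original `yq e .metadata.name "$file"` was already correct. The enclosing function starts before this hunk and continues past it.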