Kubewarden fix (#212)

* Fix kubewarden tests

* tidy up

* Package updates

* kubewarden pod-privileged policy update

* kubewarden - disable telemetry

* Exclude kubewarden namespace from tests so policy-server starts successfully

* Wait for kubewarden policy server to be ready before running test

* package updates

* Fix kubewarden volume test

.github/workflows/ci.yml

@@ -259,7 +259,9 @@ jobs:
           helm install --create-namespace -n kubewarden kubewarden-crds kubewarden/kubewarden-crds
           helm install --wait -n \
             kubewarden kubewarden-controller kubewarden/kubewarden-controller \
-            --set policyServer.replicaCount=1
+            --set telemetry.enabled=False
+          helm install --wait -n kubewarden kubewarden-defaults kubewarden/kubewarden-defaults \
+            --set policyServer.telemetry.enabled=False
 
       - if: matrix.system == 'kyverno'
         name: Install kyverno
@@ -385,4 +387,4 @@ jobs:
         uses: lukaszraczylo/semver-generator@58151695a343d0e676138cbcc8836801c79b21be # tag=1.4.18
         with:
           config_file: .github/semver.yaml
-          repository_local: true
+          repository_local: true

tests/allowPrivilegeEscalation/kubewarden.yaml

@@ -15,4 +15,9 @@ spec:
   mutating: false
   settings:
     default_allow_privilege_escalation: false
-
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/allowedCapabilities/kubewarden.yaml

@@ -15,3 +15,9 @@ spec:
   settings:
     allowed_capabilities:
     - something
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/allowedFlexVolumes/kubewarden.yaml

@@ -16,3 +16,9 @@ spec:
     allowedFlexVolumes:
       - driver: "example/lvm"
       - driver: "example/cifs"
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/allowedHostPaths/kubewarden.yaml

@@ -17,3 +17,9 @@ spec:
     allowedHostPaths:
       - pathPrefix: "/foo"
         readOnly: true
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/allowedProcMountTypes/kubewarden.yaml

@@ -15,3 +15,9 @@ spec:
   mutating: false
   settings:
     allow_unmasked_proc_mount_type: false
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/allowedUnsafeSysctls/kubewarden.yaml

@@ -16,3 +16,9 @@ spec:
   settings:
     allowedUnsafeSysctls:
     - kernel.msgmax
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/apparmor/kubewarden.yaml

@@ -16,3 +16,9 @@ spec:
   settings:
     allowed_profiles:
       - runtime/default
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/defaultAddCapabilities/kubewarden.yaml

@@ -18,3 +18,9 @@ spec:
       - something
     allowed_capabilities:
       - something
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/defaultAllowPrivilegeEscalation/kubewarden.yaml

@@ -15,3 +15,9 @@ spec:
   mutating: true
   settings:
     default_allow_privilege_escalation: false
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/forbiddenSysctls/kubewarden.yaml

@@ -18,3 +18,9 @@ spec:
   settings:
     forbiddenSysctls:
       - kernel.m*
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/fsgroup/kubewarden.yaml

@@ -18,3 +18,9 @@ spec:
     ranges:
       - min: 100
         max: 200
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/hostIPC/kubewarden.yaml

@@ -14,3 +14,9 @@ spec:
   mutating: false
   settings:
     allow_host_ipc: false
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/hostNetwork/kubewarden.yaml

@@ -14,3 +14,9 @@ spec:
   mutating: false
   settings:
     allow_host_network: false
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/hostPID/kubewarden.yaml

@@ -14,3 +14,9 @@ spec:
   mutating: false
   settings:
     allow_host_pid: false
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/hostPorts/kubewarden.yaml

@@ -16,3 +16,9 @@ spec:
     allow_host_ports:
     - min: 80
       max: 9000
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/privileged/kubewarden.yaml

@@ -3,12 +3,18 @@ kind: ClusterAdmissionPolicy
 metadata:
   name: privileged
 spec:
-  module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.10
+  module: registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.11
   rules:
   - apiGroups: [""]
     apiVersions: ["v1"]
     resources: ["pods"]
     operations:
     - CREATE
     - UPDATE
-  mutating: false
+  mutating: false
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/readOnlyRootFilesystem/kubewarden.yaml

@@ -13,3 +13,9 @@ spec:
     - CREATE
     - UPDATE
   mutating: false
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/requiredDropCapabilities/kubewarden.yaml

@@ -16,3 +16,9 @@ spec:
   settings:
     required_drop_capabilities:
       - something
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/runAsGroup/kubewarden.yaml

@@ -23,3 +23,9 @@ spec:
       rule: "RunAsAny"
     supplemental_groups: 
       rule: "RunAsAny"
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/runAsUser/kubewarden.yaml

@@ -23,3 +23,9 @@ spec:
       rule: "RunAsAny"
     supplemental_groups: 
       rule: "RunAsAny"
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/seLinux/kubewarden.yaml

@@ -19,3 +19,9 @@ spec:
     role: object_r
     type: svirt_sandbox_file_t
     level: s0:c123,c456
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/seccomp/kubewarden.yaml

@@ -22,3 +22,9 @@ spec:
     profile_types:
       - RuntimeDefault
     localhost_profiles: []
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/supplementalGroups/kubewarden.yaml

@@ -18,4 +18,10 @@ spec:
       rule: "MustRunAs"
       ranges:
         - min: 100
-          max: 200
+          max: 200
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden

tests/tests.bats

@@ -17,6 +17,8 @@ setup() {
     fi
     if [ "${SYSTEM}" == "kubewarden" ]; then
       kubectl wait --for=condition=PolicyActive --timeout=60s -f tests/${testcase}/${SYSTEM}.yaml
+      kubectl -n kubewarden rollout status deployment policy-server-default
+      while [[ $(kubectl -n kubewarden get po -l app=kubewarden-policy-server-default | grep "Terminating") ]]; do sleep 1; done
     fi
     if [ "${SYSTEM}" == "pss" ]; then
       kubectl config set-context --current --namespace=test
@@ -26,8 +28,8 @@ setup() {
       kubectl -n k-rail rollout status deployment k-rail
     fi
   fi
-  kubectl apply -f tests/${testcase}/allowed.yaml 
-  ! kubectl apply -f tests/${testcase}/disallowed.yaml 
+  kubectl apply -f tests/${testcase}/allowed.yaml
+  ! kubectl apply -f tests/${testcase}/disallowed.yaml
 }
 
 teardown() {
@@ -39,6 +41,9 @@ teardown() {
     if [ -f tests/${testcase}/${SYSTEM}-helper.yaml ]; then
       kubectl delete -f tests/${testcase}/${SYSTEM}-helper.yaml
     fi
+    if [ "${SYSTEM}" == "kubewarden" ]; then
+      kubectl -n kubewarden rollout status deployment policy-server-default
+    fi
     if [ "${SYSTEM}" == "kyverno" ]; then
       while [[ $(kubectl get -f tests/${testcase}/${SYSTEM}.yaml -o 'jsonpath={..status.ready}') == "true" ]]; do sleep 1; done
     fi

tests/volumes/kubewarden.yaml

@@ -22,3 +22,9 @@ spec:
     - downwardAPI
     - persistentVolumeClaim
     - flexVolume 
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: NotIn
+      values:
+      - kubewarden