From e900274b4f5e5802e36e7af2401224970e409e22 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 2 Aug 2023 18:14:53 +0000
Subject: [PATCH 1/6] Update kindest/node Docker tag to v1.27.3
---
 tests/kind-config-gatekeeper.yaml | 2 +-
 tests/kind-config-krail.yaml | 2 +-
 tests/kind-config-kubewarden.yaml | 2 +-
 tests/kind-config-kyverno.yaml | 2 +-
 tests/kind-config-pss.yaml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/tests/kind-config-gatekeeper.yaml b/tests/kind-config-gatekeeper.yaml
index 556401f6..01506829 100644
--- a/tests/kind-config-gatekeeper.yaml
+++ b/tests/kind-config-gatekeeper.yaml
@@ -5,4 +5,4 @@ featureGates:
 ProcMountType: true
 nodes:
 - role: control-plane
- image: kindest/node:v1.24.2
\ No newline at end of file
+ image: kindest/node:v1.27.3
\ No newline at end of file
diff --git a/tests/kind-config-krail.yaml b/tests/kind-config-krail.yaml
index 20ca8d7e..2b0322e3 100644
--- a/tests/kind-config-krail.yaml
+++ b/tests/kind-config-krail.yaml
@@ -5,4 +5,4 @@ featureGates:
 SeccompDefault: true
 nodes:
 - role: control-plane
- image: kindest/node:v1.24.2
\ No newline at end of file
+ image: kindest/node:v1.27.3
\ No newline at end of file
diff --git a/tests/kind-config-kubewarden.yaml b/tests/kind-config-kubewarden.yaml
index 556401f6..01506829 100644
--- a/tests/kind-config-kubewarden.yaml
+++ b/tests/kind-config-kubewarden.yaml
@@ -5,4 +5,4 @@ featureGates:
 ProcMountType: true
 nodes:
 - role: control-plane
- image: kindest/node:v1.24.2
\ No newline at end of file
+ image: kindest/node:v1.27.3
\ No newline at end of file
diff --git a/tests/kind-config-kyverno.yaml b/tests/kind-config-kyverno.yaml
index 556401f6..01506829 100644
--- a/tests/kind-config-kyverno.yaml
+++ b/tests/kind-config-kyverno.yaml
@@ -5,4 +5,4 @@ featureGates:
 ProcMountType: true
 nodes:
 - role: control-plane
- image: kindest/node:v1.24.2
\ No newline at end of file
+ image: kindest/node:v1.27.3
\ No newline at end of file
diff --git a/tests/kind-config-pss.yaml b/tests/kind-config-pss.yaml
index 2530e717..3aa6b08f 100644
--- a/tests/kind-config-pss.yaml
+++ b/tests/kind-config-pss.yaml
@@ -6,4 +6,4 @@ featureGates:
 PodSecurity: true
 nodes:
 - role: control-plane
- image: kindest/node:v1.24.2
\ No newline at end of file
+ image: kindest/node:v1.27.3
\ No newline at end of file
From e8c6405cca56dff250242265b30553bcfca21088 Mon Sep 17 00:00:00 2001
From: Chris Nesbitt-Smith
Date: Thu, 3 Aug 2023 10:09:29 +0100
Subject: [PATCH 2/6] bump gatekeeper version
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c6ccd261..eaeed082 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -229,7 +229,7 @@ jobs:
 - if: matrix.system == 'gatekeeper'
 name: Install gatekeeper
 run: |
- kubectl apply --wait -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.7/deploy/gatekeeper.yaml
+ kubectl apply --wait -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.12/deploy/gatekeeper.yaml
 kubectl wait --for=condition=available --timeout=600s -n gatekeeper-system \
 deployment/gatekeeper-audit \
 deployment/gatekeeper-controller-manager
From 39a6b4da282819ec619c2246d8dd51535c89e99b Mon Sep 17 00:00:00 2001
From: Chris Nesbitt-Smith
Date: Thu, 3 Aug 2023 10:14:09 +0100
Subject: [PATCH 3/6] kyverno enforce>Enforce
---
 tests/seccomp/kyverno.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/seccomp/kyverno.yaml b/tests/seccomp/kyverno.yaml
index c5c0cf46..d879fd1d 100644
--- a/tests/seccomp/kyverno.yaml
+++ b/tests/seccomp/kyverno.yaml
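Review bot: The new `kubectl apply --wait -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.12/deploy/gatekeeper.yaml` line in the "Install gatekeeper" step still points at a branch name, so the admission controller this job installs can change under an unchanged commit of this repository whenever `release-3.12` moves. Pinning the path segment to a release tag or commit SHA (for example `.../gatekeeper/<pinned-tag-or-sha>/deploy/gatekeeper.yaml`) would make the gatekeeper matrix run reproducible and stop an upstream branch update from silently altering what the tests exercise. The `run:` block appears to continue past the end of the hunk, so the remaining lines of the step are not visible here.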
@@ -4,7 +4,7 @@ metadata:
 name: psp-seccomp
 spec:
 background: true
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: restrict-seccomp
 match:
From 3a3384894c28fd53b1cbe79a19628438e7fbef5e Mon Sep 17 00:00:00 2001
From: Chris Nesbitt-Smith
Date: Thu, 3 Aug 2023 10:17:00 +0100
Subject: [PATCH 4/6] roll k8s back to 1.24.3 for kyverno
---
 tests/kind-config-kyverno.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/kind-config-kyverno.yaml b/tests/kind-config-kyverno.yaml
index 01506829..d986c763 100644
--- a/tests/kind-config-kyverno.yaml
+++ b/tests/kind-config-kyverno.yaml
@@ -5,4 +5,4 @@ featureGates:
 ProcMountType: true
 nodes:
 - role: control-plane
- image: kindest/node:v1.27.3
\ No newline at end of file
+ image: kindest/node:v1.24.3
\ No newline at end of file
From 8fc146480fe95cc871f817dd6c195ee2bdf6c5c6 Mon Sep 17 00:00:00 2001
From: Chris Nesbitt-Smith
Date: Thu, 3 Aug 2023 10:23:32 +0100
Subject: [PATCH 5/6] enforce>Enforce
---
 tests/allowPrivilegeEscalation/kyverno.yaml | 2 +-
 tests/allowedCapabilities/kyverno.yaml | 2 +-
 tests/allowedFlexVolumes/kyverno.yaml | 2 +-
 tests/allowedHostPaths/kyverno.yaml | 2 +-
 tests/allowedProcMountTypes/kyverno.yaml | 2 +-
 tests/allowedUnsafeSysctls/kyverno.yaml | 2 +-
 tests/apparmor/kyverno.yaml | 2 +-
 tests/defaultAddCapabilities/kyverno-helper.yaml | 2 +-
 tests/defaultAllowPrivilegeEscalation/kyverno.yaml | 2 +-
 tests/forbiddenSysctls/kyverno.yaml | 2 +-
 tests/fsgroup/kyverno.yaml | 2 +-
 tests/hostIPC/kyverno.yaml | 2 +-
 tests/hostNetwork/kyverno.yaml | 2 +-
 tests/hostPID/kyverno.yaml | 2 +-
 tests/hostPorts/kyverno.yaml | 2 +-
 tests/privileged/kyverno.yaml | 2 +-
 tests/readOnlyRootFilesystem/kyverno.yaml | 2 +-
 tests/requiredDropCapabilities/kyverno.yaml | 2 +-
 tests/runAsGroup/kyverno.yaml | 2 +-
 tests/runAsUser/kyverno.yaml | 2 +-
 tests/seLinux/kyverno.yaml | 2 +-
 tests/supplementalGroups/kyverno.yaml | 2 +-
 tests/volumes/kyverno.yaml | 2 +-
 23 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/tests/allowPrivilegeEscalation/kyverno.yaml b/tests/allowPrivilegeEscalation/kyverno.yaml
index 2331ade9..c32a4007 100644
--- a/tests/allowPrivilegeEscalation/kyverno.yaml
+++ b/tests/allowPrivilegeEscalation/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-allowprivilegeescalation
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: psp-allowprivilegeescalation
 match:
diff --git a/tests/allowedCapabilities/kyverno.yaml b/tests/allowedCapabilities/kyverno.yaml
index 82de64b7..3beb2fac 100644
--- a/tests/allowedCapabilities/kyverno.yaml
+++ b/tests/allowedCapabilities/kyverno.yaml
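Review bot: Several of the ClusterPolicy files in this series share a `metadata.name` even though they live in different test directories: `psp-allowprivilegeescalation` is used both here in tests/allowPrivilegeEscalation/kyverno.yaml and in tests/defaultAllowPrivilegeEscalation/kyverno.yaml, and `psp-host-namespace` is used by tests/hostIPC, tests/hostNetwork and tests/hostPID. ClusterPolicy is cluster-scoped, so if two of those files are ever applied to the same cluster the second `kubectl apply` replaces the first policy's rules instead of adding a second policy, and the earlier testcase silently stops being enforced; if the harness only ever loads one testcase at a time this is harmless, but it is an easy trap for anyone running cases side by side. Giving each file a distinct name (constructed examples: `psp-hostipc`, `psp-hostpid`) would remove the ambiguity, and at minimum a comment above `metadata.name` such as `# NOTE: name is shared with tests/hostNetwork and tests/hostPID; apply only one at a time` would document the constraint. The `enforce` → `Enforce` change itself is the same one-line edit in all 23 files and needs no further comment.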
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-allowedcapabilities
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 # Checks initContainers to ensure they don't add anything other than what is permitted.
 - name: psp-allowedcapabilities-initcontainers
diff --git a/tests/allowedFlexVolumes/kyverno.yaml b/tests/allowedFlexVolumes/kyverno.yaml
index 7d2ca614..d1324e89 100644
--- a/tests/allowedFlexVolumes/kyverno.yaml
+++ b/tests/allowedFlexVolumes/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-allowedflexvolumes
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: psp-allowedflexvolumes
 match:
diff --git a/tests/allowedHostPaths/kyverno.yaml b/tests/allowedHostPaths/kyverno.yaml
index 07e903e7..4b33019f 100644
--- a/tests/allowedHostPaths/kyverno.yaml
+++ b/tests/allowedHostPaths/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-allowedhostpaths
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: host-path
 match:
diff --git a/tests/allowedProcMountTypes/kyverno.yaml b/tests/allowedProcMountTypes/kyverno.yaml
index c3e256df..24c8f81d 100644
--- a/tests/allowedProcMountTypes/kyverno.yaml
+++ b/tests/allowedProcMountTypes/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: pspallowedprocmounttypes
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: check-proc-mount
 match:
diff --git a/tests/allowedUnsafeSysctls/kyverno.yaml b/tests/allowedUnsafeSysctls/kyverno.yaml
index b2086966..670fd249 100644
--- a/tests/allowedUnsafeSysctls/kyverno.yaml
+++ b/tests/allowedUnsafeSysctls/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-allowedunsafesysctls
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 background: true
 rules:
 - name: sysctls
diff --git a/tests/apparmor/kyverno.yaml b/tests/apparmor/kyverno.yaml
index 855602d9..c90d27b3 100644
--- a/tests/apparmor/kyverno.yaml
+++ b/tests/apparmor/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-apparmor
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: app-armor
 match:
diff --git a/tests/defaultAddCapabilities/kyverno-helper.yaml b/tests/defaultAddCapabilities/kyverno-helper.yaml
index 309967bd..410b8672 100644
--- a/tests/defaultAddCapabilities/kyverno-helper.yaml
+++ b/tests/defaultAddCapabilities/kyverno-helper.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-defaultaddcapabilitiescheck
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: psp-defaultaddcapabilitiescheck
 match:
diff --git a/tests/defaultAllowPrivilegeEscalation/kyverno.yaml b/tests/defaultAllowPrivilegeEscalation/kyverno.yaml
index bd36a1cc..77a58781 100644
--- a/tests/defaultAllowPrivilegeEscalation/kyverno.yaml
+++ b/tests/defaultAllowPrivilegeEscalation/kyverno.yaml
@@ -21,7 +21,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-allowprivilegeescalation
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: psp-allowprivilegeescalation
 match:
diff --git a/tests/forbiddenSysctls/kyverno.yaml b/tests/forbiddenSysctls/kyverno.yaml
index b6d17031..b81d152d 100644
--- a/tests/forbiddenSysctls/kyverno.yaml
+++ b/tests/forbiddenSysctls/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-forbiddensysctls
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 background: true
 rules:
 - name: sysctls
diff --git a/tests/fsgroup/kyverno.yaml b/tests/fsgroup/kyverno.yaml
index ba73c614..01f55dbb 100644
--- a/tests/fsgroup/kyverno.yaml
+++ b/tests/fsgroup/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-fsgroup
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: psp-fsgroup
 match:
diff --git a/tests/hostIPC/kyverno.yaml b/tests/hostIPC/kyverno.yaml
index 8bd6a6c4..3dad1bd7 100644
--- a/tests/hostIPC/kyverno.yaml
+++ b/tests/hostIPC/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-host-namespace
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: host-namespaces
 match:
diff --git a/tests/hostNetwork/kyverno.yaml b/tests/hostNetwork/kyverno.yaml
index 51528806..3692363b 100644
--- a/tests/hostNetwork/kyverno.yaml
+++ b/tests/hostNetwork/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-host-namespace
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: host-namespaces
 match:
diff --git a/tests/hostPID/kyverno.yaml b/tests/hostPID/kyverno.yaml
index 61216293..dd53a5ef 100644
--- a/tests/hostPID/kyverno.yaml
+++ b/tests/hostPID/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-host-namespace
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: host-namespaces
 match:
diff --git a/tests/hostPorts/kyverno.yaml b/tests/hostPorts/kyverno.yaml
index 93fc9f40..b73f452f 100644
--- a/tests/hostPorts/kyverno.yaml
+++ b/tests/hostPorts/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-hostports
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: host-ports
 match:
diff --git a/tests/privileged/kyverno.yaml b/tests/privileged/kyverno.yaml
index b652bb7f..50652301 100644
--- a/tests/privileged/kyverno.yaml
+++ b/tests/privileged/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-privileged-container
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: privileged-containers
 match:
diff --git a/tests/readOnlyRootFilesystem/kyverno.yaml b/tests/readOnlyRootFilesystem/kyverno.yaml
index c7b7b5ef..d9777fa5 100644
--- a/tests/readOnlyRootFilesystem/kyverno.yaml
+++ b/tests/readOnlyRootFilesystem/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-readonlyrootfilesystem
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: psp-readonlyrootfilesystem
 match:
diff --git a/tests/requiredDropCapabilities/kyverno.yaml b/tests/requiredDropCapabilities/kyverno.yaml
index dfede8e3..1ad0fa16 100644
--- a/tests/requiredDropCapabilities/kyverno.yaml
+++ b/tests/requiredDropCapabilities/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-requireddropcapabilities
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: psp-requireddropcapabilities
 match:
diff --git a/tests/runAsGroup/kyverno.yaml b/tests/runAsGroup/kyverno.yaml
index dc3cfe0c..669f6c16 100644
--- a/tests/runAsGroup/kyverno.yaml
+++ b/tests/runAsGroup/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-runasgroup
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: psp-runasgroup
 match:
diff --git a/tests/runAsUser/kyverno.yaml b/tests/runAsUser/kyverno.yaml
index 39e8e2e4..4e9eda37 100644
--- a/tests/runAsUser/kyverno.yaml
+++ b/tests/runAsUser/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-runasuser
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: psp-runasuser
 match:
diff --git a/tests/seLinux/kyverno.yaml b/tests/seLinux/kyverno.yaml
index 02db1f9b..6e6894ed 100644
--- a/tests/seLinux/kyverno.yaml
+++ b/tests/seLinux/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-selinux
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: seLinux
 match:
diff --git a/tests/supplementalGroups/kyverno.yaml b/tests/supplementalGroups/kyverno.yaml
index 0e4cd2cc..26a44f72 100644
--- a/tests/supplementalGroups/kyverno.yaml
+++ b/tests/supplementalGroups/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-supplementalgroups
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 rules:
 - name: psp-supplementalgroup
 match:
diff --git a/tests/volumes/kyverno.yaml b/tests/volumes/kyverno.yaml
index 2f9fdc48..def155a5 100644
--- a/tests/volumes/kyverno.yaml
+++ b/tests/volumes/kyverno.yaml
@@ -3,7 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: psp-volumes
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
 background: false
 rules:
 - name: allowed-vols
From 4d4f8f408f7b9b3f0e92ba4f9a4d33237c3b4d13 Mon Sep 17 00:00:00 2001
From: Chris Nesbitt-Smith
Date: Thu, 3 Aug 2023 12:29:26 +0100
Subject: [PATCH 6/6] be more generious with kubewarden timeouts
---
 tests/tests.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/tests.bats b/tests/tests.bats
index 51a7a44f..eca24907 100644
--- a/tests/tests.bats
+++ b/tests/tests.bats
@@ -16,7 +16,7 @@ setup() {
 while [[ $(kubectl get -f tests/${testcase}/${SYSTEM}.yaml -o 'jsonpath={..status.ready}') != *"true"* ]]; do sleep 1; done
 fi
 if [ "${SYSTEM}" == "kubewarden" ]; then
- kubectl wait --for=condition=PolicyActive --timeout=60s -f tests/${testcase}/${SYSTEM}.yaml
+ kubectl wait --for=condition=PolicyActive --timeout=120s -f tests/${testcase}/${SYSTEM}.yaml
 kubectl -n kubewarden rollout status deployment policy-server-default
 while [[ $(kubectl -n kubewarden get po -l app=kubewarden-policy-server-default | grep "Terminating") ]]; do sleep 1; done
 fi
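Review bot: Raising `--timeout=120s` only bounds the `kubectl wait` line; the two `while [[ $(kubectl …) ]]; do sleep 1; done` polls in the same hunk (the `status.ready` loop above the `if` and the `Terminating` loop below the `rollout status`) still have no upper bound, so a policy that never becomes ready or a policy-server pod stuck in Terminating hangs the whole bats run instead of failing this testcase. The same budget should apply to those loops, for example a retry counter that gives up after 120 iterations and returns non-zero so bats reports the setup failure. Separately, `tests/${testcase}/${SYSTEM}.yaml` is unquoted on the changed line and on the `kubectl get -f` line; quoting it as `"tests/${testcase}/${SYSTEM}.yaml"` costs nothing and keeps a path with unusual characters from word-splitting. `setup()` begins before this hunk and continues after the closing `fi`.
```shell
# … unchanged: kubectl wait / rollout status …
local tries=0
while [[ $(kubectl -n kubewarden get po -l app=kubewarden-policy-server-default | grep "Terminating") ]]; do
  (( tries++ < 120 )) || { echo "policy-server pod still Terminating after 120s" >&2; return 1; }
  sleep 1
done
```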