diff --git a/webhosting-operator/Makefile b/webhosting-operator/Makefile index 8dd78cea..bd91e3b4 100644 --- a/webhosting-operator/Makefile +++ b/webhosting-operator/Makefile @@ -71,6 +71,10 @@ modules: ## Runs go mod to ensure modules are up to date. test: $(SETUP_ENVTEST) manifests generate fmt vet ## Run tests. KUBEBUILDER_ASSETS="$(shell $(SETUP_ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -race ./... +.PHONY: test-kyverno +test-kyverno: $(KYVERNO) + $(KYVERNO) test --remove-color -v 4 . + ##@ Verification .PHONY: verify-fmt @@ -92,7 +96,7 @@ verify-modules: modules ## Verify go module files are up to date. fi .PHONY: verify -verify: verify-fmt verify-generate verify-modules test ## Verify everything (all verify-* rules + test). +verify: verify-fmt verify-generate verify-modules test test-kyverno ## Verify everything (all verify-* + test* rules). ##@ Build diff --git a/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/kyverno-test.yaml b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/kyverno-test.yaml new file mode 100644 index 00000000..fbf1c55b --- /dev/null +++ b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/kyverno-test.yaml @@ -0,0 +1,15 @@ +name: kube-apiserver-scale +policies: +- ../../kube-apiserver-scale.yaml +resources: +# spec.replicas=1 -> expect spec.replicas=4 +- scale.yaml +variables: variables.yaml +results: +- policy: kube-apiserver-scale + rule: replicas + resource: kube-apiserver + namespace: shoot--fb28d21f90--sharding + kind: Scale + result: pass + patchedResource: scale_expected.yaml diff --git a/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/scale.yaml b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/scale.yaml new file mode 100644 index 00000000..8f219f9c --- /dev/null +++ b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/scale.yaml 
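Review bot: `test-kyverno` is added without the `## …` description that the neighbouring targets carry (`test: … ## Run tests.`), so it is undocumented wherever those descriptions are collected. Write the rule header as `test-kyverno: $(KYVERNO) ## Run kyverno policy tests.`. The recipe passes `.` as the test path. Since every test directory this commit adds sits under `config/policy`, passing that path instead would stop the policy gate in `verify` from depending on whatever else is in the working tree.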
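Review bot: The new `kube-apiserver-scale/kyverno-test.yaml` exercises only the `replicas: 1` input, while the Deployment suite added in the same commit also pins the hibernated case (`replicas: 0` with `result: skip`). The policy file is not part of this diff, so whether the Scale rule is meant to skip zero is an assumption. If it is, a second resource with `spec.replicas: 0` and a matching `result: skip` entry would stop a later policy edit from silently scaling a hibernated control plane back up. Otherwise, a comment next to `# spec.replicas=1 -> expect spec.replicas=4` stating that zero is deliberately not covered would make the gap explicit.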
@@ -0,0 +1,7 @@
+kind: Scale
+apiVersion: autoscaling/v1
+metadata:
+ name: kube-apiserver
+ namespace: shoot--fb28d21f90--sharding
+spec:
+ replicas: 1
diff --git a/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/scale_expected.yaml b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/scale_expected.yaml
new file mode 100644
index 00000000..586e23fa
--- /dev/null
+++ b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/scale_expected.yaml
@@ -0,0 +1,7 @@
+kind: Scale
+apiVersion: autoscaling/v1
+metadata:
+ name: kube-apiserver
+ namespace: shoot--fb28d21f90--sharding
+spec:
+ replicas: 4
diff --git a/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/variables.yaml b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/variables.yaml
new file mode 100644
index 00000000..7cb80f5e
--- /dev/null
+++ b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver-scale/variables.yaml
@@ -0,0 +1,11 @@
+subresources:
+- subresource:
+ name: "deployments/scale"
+ kind: "Scale"
+ group: "autoscaling"
+ version: "v1"
+ parentResource:
+ name: "deployments"
+ kind: "Deployment"
+ group: "apps"
+ version: "v1"
diff --git a/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-awake.yaml b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-awake.yaml
new file mode 100644
index 00000000..8dcd138e
--- /dev/null
+++ b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-awake.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: kubernetes
+ role: apiserver
+ name: kube-apiserver-awake
+ namespace: shoot--fb28d21f90--sharding
+spec:
+ replicas: 1
+ template:
+ spec:
+ containers:
+ - name: kube-apiserver
+ resources:
+ requests:
+ cpu: 800m
+ memory: 800Mi
diff --git a/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-awake_expected.yaml b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-awake_expected.yaml
new file mode 100644
index 00000000..a54e29d3
--- /dev/null
+++ b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-awake_expected.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: kubernetes
+ role: apiserver
+ name: kube-apiserver-awake
+ namespace: shoot--fb28d21f90--sharding
+spec:
+ replicas: 4
+ template:
+ spec:
+ containers:
+ - name: kube-apiserver
+ resources:
+ requests:
+ cpu: 800m
+ memory: 800Mi
diff --git a/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-hibernated.yaml b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-hibernated.yaml
new file mode 100644
index 00000000..04ea41fb
--- /dev/null
+++ b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-hibernated.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: kubernetes
+ role: apiserver
+ name: kube-apiserver-hibernated
+ namespace: shoot--fb28d21f90--sharding
+spec:
+ replicas: 0
+ template:
+ spec:
+ containers:
+ - name: kube-apiserver
+ resources:
+ requests:
+ cpu: 800m
+ memory: 800Mi
diff --git a/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-null.yaml b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-null.yaml
new file mode 100644
index 00000000..9cb60263
--- /dev/null
+++ b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-null.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: kubernetes
+ role: apiserver
+ name: kube-apiserver-null
+ namespace: shoot--fb28d21f90--sharding
+spec:
+ template:
+ spec:
+ containers:
+ - name: kube-apiserver
+ resources:
+ requests:
+ cpu: 800m
+ memory: 800Mi
diff --git a/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-null_expected.yaml b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-null_expected.yaml
new file mode 100644
index 00000000..1ec8aeab
--- /dev/null
+++ b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kube-apiserver-null_expected.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: kubernetes
+ role: apiserver
+ name: kube-apiserver-null
+ namespace: shoot--fb28d21f90--sharding
+spec:
+ replicas: 4
+ template:
+ spec:
+ containers:
+ - name: kube-apiserver
+ resources:
+ requests:
+ cpu: 800m
+ memory: 800Mi
diff --git a/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kyverno-test.yaml b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kyverno-test.yaml
new file mode 100644
index 00000000..e7de2d2b
--- /dev/null
+++ b/webhosting-operator/config/policy/controlplane/tests/kube-apiserver/kyverno-test.yaml
@@ -0,0 +1,31 @@ +name: kube-apiserver +policies: +- ../../kube-apiserver.yaml +resources: +# spec.replicas=1 -> expect spec.replicas=4 +- kube-apiserver-awake.yaml +# spec.replicas=null -> expect spec.replicas=4 +- kube-apiserver-null.yaml +# spec.replicas=0 -> expect spec.replicas=0 +- kube-apiserver-hibernated.yaml +results: +- policy: kube-apiserver + rule: replicas + resource: kube-apiserver-awake + namespace: shoot--fb28d21f90--sharding + kind: Deployment + result: pass + patchedResource: kube-apiserver-awake_expected.yaml +- policy: kube-apiserver + rule: replicas + resource: kube-apiserver-null + namespace: shoot--fb28d21f90--sharding + kind: Deployment + result: pass + patchedResource: kube-apiserver-null_expected.yaml +- policy: kube-apiserver + rule: replicas + resource: kube-apiserver-hibernated + namespace: shoot--fb28d21f90--sharding + kind: Deployment + result: skip diff --git a/webhosting-operator/tools.mk b/webhosting-operator/tools.mk index cad5361f..2c4a8a9a 100644 --- a/webhosting-operator/tools.mk +++ b/webhosting-operator/tools.mk @@ -25,7 +25,7 @@ $(CONTROLLER_GEN): $(call tool_version_file,$(CONTROLLER_GEN),$(CONTROLLER_GEN_V KIND := $(TOOLS_BIN_DIR)/kind KIND_VERSION ?= v0.20.0 $(KIND): $(call tool_version_file,$(KIND),$(KIND_VERSION)) - curl -L -o $(KIND) https://kind.sigs.k8s.io/dl/$(KIND_VERSION)/kind-$(shell uname -s | tr '[:upper:]' '[:lower:]')-$(shell uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') + curl -Lo $(KIND) https://kind.sigs.k8s.io/dl/$(KIND_VERSION)/kind-$(shell uname -s | tr '[:upper:]' '[:lower:]')-$(shell uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') chmod +x $(KIND) KO := $(TOOLS_BIN_DIR)/ko 
@@ -44,6 +44,12 @@ KUSTOMIZE_VERSION ?= v5.1.0 $(KUSTOMIZE): $(call tool_version_file,$(KUSTOMIZE),$(KUSTOMIZE_VERSION)) GOBIN=$(abspath $(TOOLS_BIN_DIR)) go install sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION) +KYVERNO := $(TOOLS_BIN_DIR)/kyverno +KYVERNO_VERSION ?= v1.10.3 +$(KYVERNO): $(call tool_version_file,$(KYVERNO),$(KYVERNO_VERSION)) + curl -Lo - https://github.com/kyverno/kyverno/releases/download/$(KYVERNO_VERSION)/kyverno-cli_$(KYVERNO_VERSION)_$(shell uname -s | tr '[:upper:]' '[:lower:]')_$(shell uname -m | sed 's/aarch64/arm64/').tar.gz | tar -xzmf - -C $(TOOLS_BIN_DIR) kyverno + chmod +x $(KYVERNO) + GINKGO := $(TOOLS_BIN_DIR)/ginkgo $(GINKGO): go.mod go build -o $(GINKGO) github.com/onsi/ginkgo/v2/ginkgo @@ -61,5 +67,5 @@ $(SKAFFOLD): $(call tool_version_file,$(SKAFFOLD),$(SKAFFOLD_VERSION)) YQ := $(TOOLS_BIN_DIR)/yq YQ_VERSION ?= v4.34.2 $(YQ): $(call tool_version_file,$(YQ),$(YQ_VERSION)) - curl -L -o $(YQ) https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$(shell uname -s | tr '[:upper:]' '[:lower:]')_$(shell uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') + curl -Lo $(YQ) https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$(shell uname -s | tr '[:upper:]' '[:lower:]')_$(shell uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/') chmod +x $(YQ)
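Review bot: The new `$(KYVERNO)` recipe streams a release tarball straight into `tar`, and `verify` then executes the extracted binary, with no check that the bytes match a known digest. Pinning `KYVERNO_VERSION` fixes the tag name, not the artifact content. Download to a file first, compare it against a SHA-256 kept in the repository per OS/arch (or against the release's published checksum file, if the project provides one), and only then extract. The download is the left side of a pipe and no `pipefail` shell setting is visible in this hunk, so curl's exit status is dropped; `curl -fLo - …` would at least keep an HTTP error body from being handed to tar. The `$(KIND)` and `$(YQ)` recipes touched in the neighbouring hunks fetch executables the same way and would benefit from the same verification step.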