feat: add best practices policies in CEL expressions #925
Signed-off-by: Chandan-DK <[email protected]>
best-practices-cel/restrict-node-port/.chainsaw-test/chainsaw-test.yaml
923a7bd to 2908df9
best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml
06231b4 to a448e2e
a448e2e to 13f8cb5
…quire-drop-all policy Signed-off-by: Chandan-DK <[email protected]>
Added some minor comments. Great job!
best-practices-cel/disallow-default-namespace/disallow-default-namespace.yaml
best-practices-cel/restrict-image-registries/restrict-image-registries.yaml
best-practices-cel/disallow-latest-tag/disallow-latest-tag.yaml
This PR looks good to me. We are waiting for this fix to be merged in the Kyverno repo and then we can merge this one.
Good Job @Chandan-DK!
Thanks Mariam!
Once the fix is merged, I will add the kyverno tests in this PR itself and move it out of draft mode.
There are some flaky tests:
It seems that the issue arises when we patch the policy. Could you please have a look?
CEL policies cause a lot of noise in the CI. If we check the past CI runs, we see that there's always a chainsaw test for a CEL policy failing due to the error you have mentioned. It is happening on versions I tried the following steps to reproduce it:
Logs from the admission controller:
It seems like the problem is client-side throttling. The troubleshooting guide suggests increasing I ran the same test on a kind
But there was no error saying: I'm not sure why this problem consistently occurs specifically on versions 1.25 and 1.26. Anything we can do about it? Edit: Not sure what has happened but flaky tests seem to have reduced on the latest CI runs
@Chandan-DK - Could you please check the failed tests?
Sure, I will send a fix. The tests fail due to chainsaw templating. @eddycharly recently bumped the chainsaw version and it causes this issue.
08b7e8c to d6ad7cd
Thank you!
Related Issue(s)
Partially addresses #891
Description
This PR includes the conversion of Kubernetes best practices policies to Kyverno CEL policies. Conversions of other validate policies will be addressed in separate pull requests.
Policies converted in this PR:
Checklist