Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update disallow-helm-tiller and disallow-latest-tag to include all container types in a pod #1111

Merged
merged 38 commits into from
Aug 14, 2024
Merged

Update disallow-helm-tiller and disallow-latest-tag to include all container types in a pod #1111

merged 38 commits into from
Aug 14, 2024

Conversation

dolisss
Copy link
Contributor

@dolisss dolisss commented Aug 5, 2024
edited
Loading

Related Issue(s)

Partially addresses #951

Description

Updating disallow-helm-tiller and disallow-latest-tag policies to handle all pod types and test cases to handle initContainers.

Checklist

  • I have read the policy contribution guidelines.
  • I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

@dolisss
Update disallow-helm-tiller.yaml
74863db 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update artifacthub-pkg.yml
6313df2 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss dolisss marked this pull request as draft August 5, 2024 20:43
@dolisss dolisss marked this pull request as ready for review August 5, 2024 20:45
@dolisss dolisss changed the title Update sample policies to include all container types in a pod. Issue reference: #951 Update sample policies to include all container types in a pod. Aug 5, 2024
chipzoller
chipzoller suggested changes Aug 6, 2024
View reviewed changes
Copy link
Contributor

@chipzoller chipzoller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tiller (Helm v2) is so old technology I don't think it's worth making this change. Would suggest focusing on more useful policies in the present.

@dolisss
Copy link
Contributor Author

dolisss commented Aug 6, 2024

I am updating all the best practice policies. Can you approve this one while I add the logic in other policies too?

@chipzoller
Copy link
Contributor

chipzoller commented Aug 6, 2024
edited
Loading

Go ahead and make those updates. Remove from draft mode when ready for review. Please remember to follow the contribution guide as linked in the PR template. And please also ensure to increase test coverage of the policies you update in this PR as well.

@chipzoller chipzoller marked this pull request as draft August 6, 2024 13:04
@dolisss
Merge branch 'kyverno:main' into main
ab78502
@dolisss
Update disallow-latest-tag.yaml
f7c7605 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update artifacthub-pkg.yml
ca010a2 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod-latest-fail-first.yaml
63c511e 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod-latest-success-first.yaml
0f4cf5b 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod-no-tag.yaml
5e6cb53 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update good-pod.yaml
3b18868 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Copy link
Contributor Author

dolisss commented Aug 6, 2024

@chipzoller Extended the logic to the "disallow latest tag" policy along with changes needed for the chainsaw test cases.

@dolisss dolisss requested a review from chipzoller August 6, 2024 19:33
@dolisss dolisss closed this Aug 6, 2024
@dolisss dolisss reopened this Aug 6, 2024
@dolisss dolisss marked this pull request as ready for review August 6, 2024 19:37
chipzoller
chipzoller suggested changes Aug 6, 2024
View reviewed changes
Copy link
Contributor

@chipzoller chipzoller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing extended tests for disallow-helm-tiller.

@dolisss
Update bad-deploy.yaml
a773ac7 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod-fail-first.yaml
4381b0e 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod.yaml
7f26eca 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod-success-first.yaml
7e95415 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update good-deploy.yaml
f535163 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update good-pod.yaml
7a425ba 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Copy link
Contributor Author

dolisss commented Aug 6, 2024

@chipzoller thought the Helm Tiller policy was outdated and that test cases might not be necessary. However, I’ve updated them now. Please review the changes

@dolisss dolisss requested a review from chipzoller August 6, 2024 19:45
@chipzoller chipzoller changed the title Update sample policies to include all container types in a pod. Update disallow-helm-tiller and disallow-latest-tag to include all container types in a pod Aug 6, 2024
chipzoller
chipzoller suggested changes Aug 6, 2024
View reviewed changes
Copy link
Contributor

@chipzoller chipzoller left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix failing tests. Also complete the PR template (checklist).

@dolisss
Merge branch 'kyverno:main' into main
34a48e7
@dolisss
Update artifacthub-pkg.yml
408fe22 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss dolisss requested a review from chipzoller August 7, 2024 14:34
@dolisss
Copy link
Contributor Author

dolisss commented Aug 7, 2024
edited
Loading

@chipzoller I tried updating the digest using my Mac, but the check failed. I reverted to the old digest and I think it got verified. How can I generate the digest? I am using the following command.
It's strange that it takes the digest for the other policy I generated in the same way.

 shasum -a 256 disallow-latest-tag.yaml 
2760272e57d9988ba447f62d23bba382092d00a5e14dbf00555e4170ea90593a

@dolisss
Update artifacthub-pkg.yml
3df3b44 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
chipzoller
chipzoller suggested changes Aug 9, 2024
View reviewed changes
Copy link
Contributor

@chipzoller chipzoller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Digests are expected to be generated in Linux; you can see the digest expected in the Policy Test step and use that if you're unable to generate one on your own system.

Tests still need to be fixed here.

@dolisss
Merge branch 'main' into main
c2b114c
@dolisss
Update artifacthub-pkg.yml
72e9cdc 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Copy link
Contributor Author

dolisss commented Aug 12, 2024

@chipzoller Thanks! it worked with Linux. What checks are you referring to? I don't see any on my page.

@chipzoller
Copy link
Contributor

Please see failing CI checks.

@dolisss
Merge branch 'main' into main
6eae741
@dolisss
Update artifacthub-pkg.yml
44f4af4 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update good-pod.yaml
f46de98 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-deploy.yaml
ccef2ff 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod-fail-first.yaml
4ef4d04 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod-success-first.yaml
74ebde2 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod.yaml
c5c11af 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update good-deploy.yaml
51446a1 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update resource.yaml
7ef7667 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod-latest-fail-first.yaml
95207a9 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod-latest-success-first.yaml
f235ddb 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update bad-pod-no-tag.yaml
82a713b 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update good-pod.yaml
649f864 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Update resource.yaml
051e3b9 
Signed-off-by: Dolis Sharma <71091713+dolisss@users.noreply.github.com>
@dolisss
Copy link
Contributor Author

dolisss commented Aug 14, 2024

@chipzoller Please review.

@chipzoller chipzoller merged commit 4ee239a into kyverno:main Aug 14, 2024
280 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chipzoller chipzoller chipzoller approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dolisss @chipzoller