Merge pull request #48 from slashben/main
Adding multiple API version support to the release process
slashben authored Sep 20, 2023
2 parents 1d76bd9 + 487b69e commit 6679e0c
Showing 17 changed files with 173 additions and 148 deletions.
69 changes: 23 additions & 46 deletions .github/workflows/release.yaml
Expand Up @@ -17,75 +17,52 @@ jobs:
uses: slashben/setup-minikube@master
with:
feature-gates: 'ValidatingAdmissionPolicy=true'
extra-config: 'apiserver.runtime-config=admissionregistration.k8s.io/v1alpha1'
kubernetes-version: 1.27.0
extra-config: 'apiserver.runtime-config=admissionregistration.k8s.io/v1beta1'
kubernetes-version: v1.28.0-rc.1
container-runtime: containerd
- uses: actions/setup-python@v4
with:
python-version: '3.10'
python-version: '3.10'
- uses: azure/setup-kubectl@v3
- name: Running all control policy tests
run: |
kubectl version
pip install --upgrade pip
pip install -r requirements.txt
./scripts/run-all-control-tests.sh
release:
needs: test-all-policies
runs-on: ubuntu-latest
outputs:
upload_url: ${{ steps.create_release.outputs.upload_url }}
steps:
- uses: actions/checkout@v3

- name: Verify release tagged commit is on main
run: |
git fetch origin main
git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!"
- uses: azure/setup-kubectl@v3

- name: Create release artifacts
run: |
mkdir release
./scripts/create-release-objects.sh release
kubectl kustomize apis/k8s-v1beta1/ > release/kubescape-validating-admission-policies-v1beta1.yaml
kubectl kustomize apis/x-k8s-v1alpha1/ > release/kubescape-validating-admission-policies-x-v1alpha1.yaml
kubectl kustomize apis/k8s-v1alpha1/ > release/kubescape-validating-admission-policies-v1alpha1.yaml
# Making a copy of the v1beta1 file to be used as the default policy release artifact
cp release/kubescape-validating-admission-policies-v1beta1.yaml release/kubescape-validating-admission-policies.yaml
- name: Create a GitHub release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: "${{ github.ref_name }}"
release_name: "Release ${{ github.ref_name }}"
draft: false
prerelease: false

- name: Publish policy object artifact
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: release/kubescape-validating-admission-policies.yaml
asset_name: kubescape-validating-admission-policies.yaml
asset_content_type: text/yaml

- name: Publish policy configuration CRD artifact
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: configuration/policy-configuration-definition.yaml
asset_name: policy-configuration-definition.yaml
asset_content_type: text/yaml

- name: Publish basic policy configuration
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: configuration/basic-control-configuration.yaml
asset_name: basic-control-configuration.yaml
asset_content_type: text/yaml
files: |
release/kubescape-validating-admission-policies.yaml
release/kubescape-validating-admission-policies-v1beta1.yaml
release/kubescape-validating-admission-policies-x-v1alpha1.yaml
release/kubescape-validating-admission-policies-v1alpha1.yaml
configuration/policy-configuration-definition.yaml
configuration/basic-control-configuration.yaml
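Review bot: `softprops/action-gh-release@v1` (line 95) is pinned to a mutable major tag while it runs with `secrets.GITHUB_TOKEN` in the job that publishes the release assets; pin it to a full commit SHA (`uses: softprops/action-gh-release@<commit-sha> # v1`) and, if the workflow declares a restrictive top-level `permissions:`, give this job `permissions: contents: write`, which the action needs to create the release. With `actions/create-release` gone, the job-level `outputs: upload_url: ${{ steps.create_release.outputs.upload_url }}` at lines 40-41 appears to reference a step id that no longer exists and would resolve to an empty string, so it looks dead unless another job still consumes it. The release now ships three API-version artifacts (lines 55-57) but the test job exercises only the v1beta1 API on `v1.28.0-rc.1`, so the v1alpha1 artifacts are never applied anywhere in CI and a schema difference between the versions would surface only for users. The `jobs:` mapping starts before this hunk.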
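--- a/apis/k8s-v1alpha1/kustomization.yaml
+++ b/apis/k8s-v1alpha1/kustomization.yaml
@@ -0,0 +1,10 @@
+bases:
+- ../../controls
+- ../../runtime-policies
+patches:
+- target:
+    group: admissionregistration.k8s.io
+    version: v1beta1
+    kind: ValidatingAdmissionPolicy
+    name: ""
+  path: patch.json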
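Review bot: `bases:` on line 112 is the deprecated kustomize field (`kubectl kustomize` warns on it) and the sibling `controls/kustomization.yaml` added in this commit already uses `resources:`, so change it to `resources:` here and in `apis/k8s-v1beta1/kustomization.yaml` and `apis/x-k8s-v1alpha1/kustomization.yaml` for consistency. The patch target selects only `kind: ValidatingAdmissionPolicy` at `version: v1beta1`; any `ValidatingAdmissionPolicyBinding` still present under `controls/` (not visible here) would keep its original apiVersion and the rendered artifact would mix API versions, so either add a second target entry for the binding kind or confirm the bases contain none. Since the three overlay directories differ only in `patch.json`, a comment above `patches:` such as `# Overlay: re-target every ValidatingAdmissionPolicy in the bases to admissionregistration.k8s.io/v1alpha1 (see patch.json)` would tell a reader which artifact this directory produces.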
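--- a/apis/k8s-v1alpha1/patch.json
+++ b/apis/k8s-v1alpha1/patch.json
@@ -0,0 +1,7 @@
+[
+  {
+    "op": "replace",
+    "path": "/apiVersion",
+    "value": "admissionregistration.k8s.io/v1alpha1"
+  }
+]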
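Review bot: Rewriting only `/apiVersion` assumes every `spec` field the v1beta1 policies use is also accepted by the `v1alpha1` schema; if any policy relies on a field present in only one version, the rendered v1alpha1 artifact is rejected at apply time, and nothing in the visible CI applies it. The same concern applies to `apis/x-k8s-v1alpha1/patch.json`, which additionally changes the API group to `admissionregistration.x-k8s.io`. A server-side dry-run of each rendered artifact against an API server that serves the matching version would catch this before release.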
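--- a/apis/k8s-v1beta1/kustomization.yaml
+++ b/apis/k8s-v1beta1/kustomization.yaml
@@ -0,0 +1,10 @@
+bases:
+- ../../controls
+- ../../runtime-policies
+patches:
+- target:
+    group: admissionregistration.k8s.io
+    version: v1beta1
+    kind: ValidatingAdmissionPolicy
+    name: ""
+  path: patch.json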
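--- a/apis/k8s-v1beta1/kustomization.yaml.old
+++ b/apis/k8s-v1beta1/kustomization.yaml.old
@@ -0,0 +1,41 @@
+resources:
+- ../../controls/C-0017/policy.yaml
+- ../../controls/C-0073/policy.yaml
+- ../../controls/C-0020/policy.yaml
+- ../../controls/C-0001/policy.yaml
+- ../../controls/C-0045/policy.yaml
+- ../../controls/C-0078/policy.yaml
+- ../../controls/C-0016/policy.yaml
+- ../../controls/C-0076/policy.yaml
+- ../../controls/C-0056/policy.yaml
+- ../../controls/C-0004/policy.yaml
+- ../../controls/C-0018/policy.yaml
+- ../../controls/C-0077/policy.yaml
+- ../../controls/C-0048/policy.yaml
+- ../../controls/C-0041/policy.yaml
+- ../../controls/C-0009/policy.yaml
+- ../../controls/C-0061/policy.yaml
+- ../../controls/C-0042/policy.yaml
+- ../../controls/C-0046/policy.yaml
+- ../../controls/C-0062/policy.yaml
+- ../../controls/C-0038/policy.yaml
+- ../../controls/C-0055/policy.yaml
+- ../../controls/C-0074/policy.yaml
+- ../../controls/C-0034/policy.yaml
+- ../../controls/C-0075/policy.yaml
+- ../../controls/C-0044/policy.yaml
+- ../../controls/C-0057/policy.yaml
+- ../../controls/C-0050/policy.yaml
+- ../../runtime-policies/hostmount/policy.yaml
+- ../../runtime-policies/exec/policy.yaml
+- ../../runtime-policies/portforward/policy.yaml
+- ../../runtime-policies/insecure-capabilities/policy.yaml
+- ../../runtime-policies/privileged/policy.yaml
+- ../../runtime-policies/attach/policy.yaml
+patches:
+- target:
+    group: admissionregistration.k8s.io
+    version: v1beta1
+    kind: ValidatingAdmissionPolicy
+    name: ""
+  path: patch.json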
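Review bot: Committing `kustomization.yaml.old` adds dead configuration: no overlay references it, it duplicates the resource list that now lives in `controls/kustomization.yaml` and `runtime-policies/kustomization.yaml`, and it will silently drift from them as controls are added. Git history already preserves the previous form of the overlay, so the file should be dropped from the commit rather than shipped in the repository.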
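--- a/apis/k8s-v1beta1/patch.json
+++ b/apis/k8s-v1beta1/patch.json
@@ -0,0 +1,7 @@
+[
+  {
+    "op": "replace",
+    "path": "/apiVersion",
+    "value": "admissionregistration.k8s.io/v1beta1"
+  }
+]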
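Review bot: This patch is a guaranteed no-op: the overlay's target selects only resources already at `group: admissionregistration.k8s.io`, `version: v1beta1`, and the patch then replaces `/apiVersion` with that same value, so a resource at any other version would not be selected and a selected one is unchanged. Either drop the `patches:` entry from `apis/k8s-v1beta1/kustomization.yaml` so the overlay is just the two bases, or keep it with a comment there explaining that the three overlays are deliberately kept structurally identical.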
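--- a/apis/x-k8s-v1alpha1/kustomization.yaml
+++ b/apis/x-k8s-v1alpha1/kustomization.yaml
@@ -0,0 +1,10 @@
+bases:
+- ../../controls
+- ../../runtime-policies
+patches:
+- target:
+    group: admissionregistration.k8s.io
+    version: v1beta1
+    kind: ValidatingAdmissionPolicy
+    name: ""
+  path: patch.json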
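--- a/apis/x-k8s-v1alpha1/patch.json
+++ b/apis/x-k8s-v1alpha1/patch.json
@@ -0,0 +1,7 @@
+[
+  {
+    "op": "replace",
+    "path": "/apiVersion",
+    "value": "admissionregistration.x-k8s.io/v1alpha1"
+  }
+]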
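--- a/controls/kustomization.yaml
+++ b/controls/kustomization.yaml
@@ -0,0 +1,28 @@
+resources:
+- C-0017/policy.yaml
+- C-0073/policy.yaml
+- C-0020/policy.yaml
+- C-0001/policy.yaml
+- C-0045/policy.yaml
+- C-0078/policy.yaml
+- C-0016/policy.yaml
+- C-0076/policy.yaml
+- C-0056/policy.yaml
+- C-0004/policy.yaml
+- C-0018/policy.yaml
+- C-0077/policy.yaml
+- C-0048/policy.yaml
+- C-0041/policy.yaml
+- C-0009/policy.yaml
+- C-0061/policy.yaml
+- C-0042/policy.yaml
+- C-0046/policy.yaml
+- C-0062/policy.yaml
+- C-0038/policy.yaml
+- C-0055/policy.yaml
+- C-0074/policy.yaml
+- C-0034/policy.yaml
+- C-0075/policy.yaml
+- C-0044/policy.yaml
+- C-0057/policy.yaml
+- C-0050/policy.yaml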
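Review bot: The 27 entries are in no discernible order (C-0017, C-0073, C-0020, …), which makes additions hard to review and duplicates or omissions easy to miss; sort them by control id. The list is also the single place a new control must be registered to reach any release artifact, so a comment at the top such as `# One entry per control directory; keep sorted and register new controls here` would make that maintenance contract explicit.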
12 changes: 1 addition & 11 deletions runtime-policies/attach/policy.yaml
@@ -1,4 +1,4 @@
apiVersion: admissionregistration.x-k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: cluster-policy-deny-attach
Expand All @@ -14,13 +14,3 @@ spec:
- expression: "false"
message: "attach is not allowed"
reason: "Medium"
---
apiVersion: admissionregistration.x-k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: cluster-policy-deny-attach-binding
spec:
policyName: cluster-policy-deny-attach
validationActions:
- Deny
- Audit
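Review bot: The `ValidatingAdmissionPolicyBinding` with `validationActions: Deny, Audit` is removed from this file and no replacement binding appears anywhere in the visible diff; the same removal happens in `runtime-policies/exec`, `hostmount`, `insecure-capabilities`, `portforward` and `privileged`. A `ValidatingAdmissionPolicy` with no binding is never evaluated, so unless the bindings moved to a file outside this view, the released artifacts now install policies that enforce nothing. For `insecure-capabilities` the removed binding also carried `paramRef: basic-policy-configuration`; the `PolicyConfiguration` object dropped from that file is presumably what `configuration/basic-control-configuration.yaml` now supplies, but the paramRef that links policy to parameters is lost with the binding. The retained `apiVersion` line appears to be `admissionregistration.k8s.io/v1beta1`, with the overlays rewriting it per API version; each policy's `spec:` continues outside the shown hunks.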
11 changes: 1 addition & 10 deletions runtime-policies/exec/policy.yaml
@@ -1,4 +1,4 @@
apiVersion: admissionregistration.x-k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: cluster-policy-deny-exec
Expand All @@ -14,12 +14,3 @@ spec:
- expression: "false"
message: "exec is not allowed"
reason: "High"
---
apiVersion: admissionregistration.x-k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: cluster-policy-deny-exec-binding
spec:
policyName: cluster-policy-deny-exec
validationActions:
- Audit
12 changes: 1 addition & 11 deletions runtime-policies/hostmount/policy.yaml
@@ -1,4 +1,4 @@
apiVersion: admissionregistration.x-k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: cluster-policy-deny-hostMount
Expand Down Expand Up @@ -28,13 +28,3 @@ spec:
- expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)))"
message: "There are one or more hostPath mounts in the CronJob! (see more at https://hub.armosec.io/docs/c-0048)"
reason: "Medium"
---
apiVersion: admissionregistration.x-k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: cluster-policy-deny-hostMount-binding
spec:
policyName: cluster-policy-deny-hostMount
validationActions:
- Deny
- Audit
34 changes: 1 addition & 33 deletions runtime-policies/insecure-capabilities/policy.yaml
@@ -1,24 +1,4 @@
apiVersion: kubescape.io/v1
kind: PolicyConfiguration
metadata:
name: basic-policy-configuration
settings:
insecureCapabilities:
- SETPCAP
- NET_ADMIN
- NET_RAW
- SYS_MODULE
- SYS_RAWIO
- SYS_PTRACE
- SYS_ADMIN
- SYS_BOOT
- MAC_OVERRIDE
- MAC_ADMIN
- PERFMON
- ALL
- BPF
---
apiVersion: admissionregistration.x-k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: cluster-policy-deny-insecure-capabilities
Expand Down Expand Up @@ -66,15 +46,3 @@ spec:
))
message: "CronJob has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)"
reason: "High"
---
apiVersion: admissionregistration.x-k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: cluster-policy-deny-insecure-capabilities-binding
spec:
policyName: cluster-policy-deny-insecure-capabilities
paramRef:
name: basic-policy-configuration
validationActions:
- Deny
- Audit
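--- a/runtime-policies/kustomization.yaml
+++ b/runtime-policies/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+- hostmount/policy.yaml
+- exec/policy.yaml
+- portforward/policy.yaml
+- insecure-capabilities/policy.yaml
+- privileged/policy.yaml
+- attach/policy.yaml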
12 changes: 1 addition & 11 deletions runtime-policies/portforward/policy.yaml
@@ -1,4 +1,4 @@
apiVersion: admissionregistration.x-k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: cluster-policy-deny-portforward
Expand All @@ -14,13 +14,3 @@ spec:
- expression: "false"
message: "portforward is not allowed"
reason: "High"
---
apiVersion: admissionregistration.x-k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: cluster-policy-deny-portforward-binding
spec:
policyName: cluster-policy-deny-portforward
validationActions:
- Deny
- Audit
12 changes: 1 addition & 11 deletions runtime-policies/privileged/policy.yaml
@@ -1,4 +1,4 @@
apiVersion: admissionregistration.x-k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: cluster-policy-deny-priviliged-flag
Expand Down Expand Up @@ -46,13 +46,3 @@ spec:
container.securityContext.capabilities.add.all(cap, cap != 'SYS_ADM')))
)
message: "CronJob has one or more privileged container.(see more at https://hub.armosec.io/docs/c-0057)"
---
apiVersion: admissionregistration.x-k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: cluster-policy-deny-privileged-flag-binding
spec:
policyName: cluster-policy-deny-priviliged-flag
validationActions:
- Deny
- Audit