chore: Upgrade kind to v0.23.0; use k8s 1.30.0 for integration tests (#…

…548) * chore: Upgrade kind to v0.23.0; use k8s 1.30.0 for integration tests Signed-off-by: Max Smythe <[email protected]> * Fix procmount examples Signed-off-by: Max Smythe <[email protected]> * Generate website and artifact hub artifacts Signed-off-by: Max Smythe <[email protected]> * More verbose test failures Signed-off-by: Max Smythe <[email protected]> * Enable UserNamespacesSupport feature flag in tests Signed-off-by: Max Smythe <[email protected]> --------- Signed-off-by: Max Smythe <[email protected]> Co-authored-by: Rita Zhang <[email protected]>
open-policy-agent · Jun 12, 2024 · 3a24c1a · 3a24c1a
1 parent ca7f616
commit 3a24c1a
Show file tree

Hide file tree

Showing 10 changed files with 19 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -1,7 +1,7 @@
 docker := docker #You can build with podman by doing: make docker=podman
-KIND_VERSION ?= 0.17.0
+KIND_VERSION ?= 0.23.0
 # note: k8s version pinned since KIND image availability lags k8s releases
-KUBERNETES_VERSION ?= 1.26.0
+KUBERNETES_VERSION ?= 1.30.0
 KUSTOMIZE_VERSION ?= 4.5.5
 GATEKEEPER_VERSION ?= 3.16.3
 BATS_VERSION ?= 1.8.2

diff --git a/...ary/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/disallowed_ephemeral.yaml b/...ary/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/disallowed_ephemeral.yaml
@@ -5,6 +5,7 @@ metadata:
   labels:
     app: nginx-proc-mount
 spec:
+  hostUsers: false
   ephemeralContainers:
   - name: nginx
     image: nginx

diff --git a/.../library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_allowed.yaml b/.../library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_allowed.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-proc-mount-disallowed
+  name: nginx-proc-mount-allowed
   labels:
     app: nginx-proc-mount
 spec:
+  hostUsers: false
   containers:
   - name: nginx
     image: nginx

diff --git a/...brary/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_disallowed.yaml b/...brary/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_disallowed.yaml
@@ -5,6 +5,7 @@ metadata:
   labels:
     app: nginx-proc-mount
 spec:
+  hostUsers: false
   containers:
   - name: nginx
     image: nginx

diff --git a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/disallowed_ephemeral.yaml b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/disallowed_ephemeral.yaml
@@ -5,6 +5,7 @@ metadata:
   labels:
     app: nginx-proc-mount
 spec:
+  hostUsers: false
   ephemeralContainers:
   - name: nginx
     image: nginx

diff --git a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_allowed.yaml b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_allowed.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-proc-mount-disallowed
+  name: nginx-proc-mount-allowed
   labels:
     app: nginx-proc-mount
 spec:
+  hostUsers: false
   containers:
   - name: nginx
     image: nginx

diff --git a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_disallowed.yaml b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_disallowed.yaml
@@ -5,6 +5,7 @@ metadata:
   labels:
     app: nginx-proc-mount
 spec:
+  hostUsers: false
   containers:
   - name: nginx
     image: nginx

diff --git a/test/bats/test.bats b/test/bats/test.bats
@@ -107,6 +107,8 @@ setup() {
         for allowed in "$sample"/example_allowed*.yaml; do
           if [[ -e "$allowed" ]]; then
             # apply resource
+            echo "Applying ${allowed} with contents:"
+            cat ${allowed}
             run kubectl apply -f "$allowed"
             assert_match 'created' "$output"
             assert_success
@@ -118,6 +120,8 @@ setup() {
         for disallowed in "$sample"/example_disallowed*.yaml; do
           if [[ -e "$disallowed" ]]; then
             # apply resource
+            echo "Applying ${disallowed} with contents:"
+            cat ${disallowed}
             run kubectl apply -f "$disallowed"
             assert_match_either 'denied the request' 'no matches for kind' "${output}"
             assert_failure

diff --git a/test/kind_config.yaml b/test/kind_config.yaml
@@ -2,3 +2,4 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 featureGates:
   "ProcMountType": true
+  "UserNamespacesSupport": true
diff --git a/website/docs/validation/proc-mount.md b/website/docs/validation/proc-mount.md
@@ -238,6 +238,7 @@ metadata:
   labels:
     app: nginx-proc-mount
 spec:
+  hostUsers: false
   containers:
   - name: nginx
     image: nginx
@@ -260,10 +261,11 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-proc-mount-disallowed
+  name: nginx-proc-mount-allowed
   labels:
     app: nginx-proc-mount
 spec:
+  hostUsers: false
   containers:
   - name: nginx
     image: nginx
@@ -290,6 +292,7 @@ metadata:
   labels:
     app: nginx-proc-mount
 spec:
+  hostUsers: false
   ephemeralContainers:
   - name: nginx
     image: nginx