ci: testing with cel policies #519
Conversation
Signed-off-by: Jaydip Gabani <[email protected]>
|
@maxsmythe I added CEL source from your draft PR #503 here as well, that leaves you with 3 other policies to write CEL source for. |
.github/workflows/workflow.yaml
Outdated
| @@ -65,7 +65,8 @@ jobs: | |||
| runs-on: ubuntu-latest | |||
| strategy: | |||
| matrix: | |||
| gatekeeper: [ "release-3.13", "release-3.14" ] | |||
| gatekeeper: [ "3.14.2", "3.15.1" ] | |||
There was a problem hiding this comment.
why do we prefer to use specific patch versions instead of the latest?
There was a problem hiding this comment.
AFAIK, we have always tested with past two release versions. I am fine with testing it with latest, unless others have any objections.
There was a problem hiding this comment.
using the branch instead of the tag ensures we are always testing against the latest patch version without having to push a PR to update it.
There was a problem hiding this comment.
AFAIK helm can only install specifi version, I am not sure if it can take a branch and install the latest patch on that branch. If we do not use helm, then we would need to use sed or something similar to modify the file and set the flag manually.
There was a problem hiding this comment.
+1 to @JaydipGabani i think this is a better approach now since we previously installed from yaml directly
There was a problem hiding this comment.
ah I see. I'm ok with merging this as is. but it would be better to not having to bump the tag all the time. @JaydipGabani you can create an issue to do it as a follow up.
There was a problem hiding this comment.
I don't think we need to bump the patch version. We'll need to bump the minor version, which is same as today. I am not sure if there's a way we can automate that, but this can be a part of post GK release checklist
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
| @@ -4,7 +4,7 @@ metadata: | |||
| name: k8srequiredlabels | |||
| annotations: | |||
| metadata.gatekeeper.sh/title: "Required Labels" | |||
| metadata.gatekeeper.sh/version: 1.0.1 | |||
| metadata.gatekeeper.sh/version: 1.0.2 | |||
There was a problem hiding this comment.
| metadata.gatekeeper.sh/version: 1.0.2 | |
| metadata.gatekeeper.sh/version: 1.1.0 |
do we want to at least bump the minor version? @maxsmythe @sozercan
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
|
Can you drop the CEL from my draft PR? I'd rather only have one SOT for that, and just rebase/merge once the build system is ready, otherwise feedback will get clobbered. |
Signed-off-by: Jaydip Gabani <[email protected]>
Per this #519 (comment) all updates for "Allow Privilege Escalation" policy have been removed |
| @@ -4,7 +4,7 @@ metadata: | |||
| name: k8srequiredlabels | |||
| annotations: | |||
| metadata.gatekeeper.sh/title: "Required Labels" | |||
| metadata.gatekeeper.sh/version: 1.0.1 | |||
| metadata.gatekeeper.sh/version: 1.0.2 | |||
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
|
@JaydipGabani ptal conflicts |
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
Signed-off-by: Jaydip Gabani <[email protected]>
What this PR does / why we need it:
gator verifywith cel and rego enginesrequiredLablesandallow-priviledge-escalationWhich issue(s) does this PR fix (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when the PR gets merged):Fixes #
Special notes for your reviewer: