Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Control the policy controller monitoring resources from chart, enhanc… #1687

Open
wants to merge 21 commits into
base: main
Choose a base branch
from

Conversation

senanz
Copy link

@senanz senanz commented Nov 3, 2024

…ment for the current implmentation to hadd all the resources by default, The new change add avail to pass resourcesNames through the chart with list of resources comma sperataed for which resources to be monitored by the policy controller, the default is all resources if the flag wasn't presented in the chart

This PR resolves #1388

Signed-off-by: Senan Zedan (EXT-Nokia) [email protected]

Summary

The new change add avail to pass resourcesNames through the chart with list of resources comma sperataed for which resources to be monitored by the policy controller, the default is all resources if the flag wasn't presented in the chart

codysoyland and others added 3 commits November 3, 2024 15:06
Signed-off-by: Cody Soyland <[email protected]>
Signed-off-by: Senan Zedan (EXT-Nokia) <[email protected]>
…store#1683)

Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.6 to 2.1.7.
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md)
- [Commits](google-github-actions/auth@8254fb7...6fc4af4)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Senan Zedan (EXT-Nokia) <[email protected]>
…ment for the current implmentation to hadd all the resources by default, The new change add avail to pass resourcesNames through the chart with list of resources comma sperataed for which resources to be monitored by the policy controller, the default is all resources if the flag wasn't presented in the chart

Signed-off-by: Senan Zedan (EXT-Nokia) <[email protected]>
@senanz
Copy link
Author

senanz commented Nov 11, 2024

@vaikas - Could you please look into this?

@vaikas
Copy link
Collaborator

vaikas commented Nov 11, 2024

Could you add some tests, maybe here: https://github.com/sigstore/policy-controller/tree/main/test

@senanz
Copy link
Author

senanz commented Nov 12, 2024

@vaikas - per your request, test added.

@vaikas
Copy link
Collaborator

vaikas commented Nov 12, 2024

@vaikas - per your request, test added.

That does not really test any of this new code. You'd have to add a test that launches policy controller with these new flags, here's one example where we change the policy-controller behaviour by the flags:

# Install policy-controller that does not have TUF embedded or installed.

So, create a new kustomize file that launches policy controller with say --resource-name=pods, and customize it like here:

kustomize build test/kustomize-no-tuf | kubectl apply -f -

And then after the policy-controller has been started with the flags under test, you'd run your new test:

./test/e2e_test_cluster_image_policy_with_tsa.sh

It should at the bare minimum have a negative test and a positive test. So, if you're using resource-name pods, then launching a deployment with a failing config should succeed if you instead launch a pod.

Copy link
Collaborator

@vaikas vaikas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking great! There's just some nits for naming, namespaces. One change that should be made it so make sure the tag->digest resolution does not actually happen. The webhook configuration is a good check, but it's easy enough to also make sure the actual resource (deployment) does not get modified.

.github/workflows/kind-cluster-custom-resources.yaml Outdated Show resolved Hide resolved
.github/workflows/kind-cluster-custom-resources.yaml Outdated Show resolved Hide resolved
test/e2e_test_policy_custom_resource.sh Show resolved Hide resolved
- args:
- resource-name="pods"
- name: demo-custom-resource
image: TEST_IMAGE
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem here is that the TEST_IMAGE as created has a full digest in it so it's harder to tell if it's been resolved to digest or not. I'd suggest that you have an image that has a tag, which would without this change be resolved to digest for a deployment, so creating a deployment with a tag here would be the simplest way to verify the functionality works. Then the resulting pods should have the digests resolved.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test was added.

Copy link

codecov bot commented Dec 9, 2024

Codecov Report

Attention: Patch coverage is 0% with 26 lines in your changes missing coverage. Please review.

Project coverage is 42.66%. Comparing base (50ef092) to head (ee188b3).
Report is 289 commits behind head on main.

Files with missing lines Patch % Lines
cmd/webhook/main.go 0.00% 26 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##             main    #1687       +/-   ##
===========================================
- Coverage   52.92%   42.66%   -10.27%     
===========================================
  Files          44      121       +77     
  Lines        3979     9010     +5031     
===========================================
+ Hits         2106     3844     +1738     
- Misses       1651     4811     +3160     
- Partials      222      355      +133     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@vaikas
Copy link
Collaborator

vaikas commented Dec 9, 2024

Looks like some of the changes I requested, and you marked as fixed have not made it in to this PR 🤔 ?

Also, looks like bunch of sed commands are failing, for example:
https://github.com/sigstore/policy-controller/actions/runs/12234409121/job/34140387122?pr=1687#step:14:132

@senanz
Copy link
Author

senanz commented Dec 9, 2024 via email

@senanz
Copy link
Author

senanz commented Dec 12, 2024

apolofize for the delay, updated.

@senanz senanz requested a review from vaikas December 12, 2024 12:58
cmd/webhook/main.go Outdated Show resolved Hide resolved
cmd/webhook/main.go Outdated Show resolved Hide resolved
fail-fast: false # Keep running if one leg fails.
matrix:
k8s-version:
- v1.27.x
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cpanato is updating the tested k8s versions, should proabably bump these once it merges.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cpanato - Could you please let me know when you merge your changes so i can make the right adjcments here?

@senanz senanz requested a review from vaikas December 22, 2024 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Verify only pods
3 participants