ci: add end to end test case for kyverno-envoy-plugin
Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>
1 parent
aba5367
commit 40b8524
Showing
4 changed files
with
230 additions
and
0 deletions.
@@ -0,0 +1,20 @@ | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
name: test-kyverno-envoy-plugin | ||
spec: | ||
steps: | ||
- try: | ||
- apply: | ||
file: ./deployment.yaml | ||
- script: | ||
content: kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --output-document - testapp.default.svc.cluster.local:8080/book | ||
check: | ||
# Checks if the standard error output contains the string '403'. | ||
# This is likely used to verify that the expected HTTP 403 Forbidden response was received from the test application. | ||
(contains($stdout, '403')): false | ||
- script: | ||
content: kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --post-data='{"bookname":"Harry Potter", "author":"J.K. Rowling"}' --output-document - testapp.default.svc.cluster.local:8080/book | ||
check: | ||
(contains($stderr, 'Error')): true | ||
(contains($stdout, '403')): true |
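Review bot: The comment above the first check (lines "Checks if the standard error output contains the string '403'" / "verify that the expected HTTP 403 Forbidden response was received") contradicts the assertion under it, which inspects `$stdout`, not stderr, and asserts that '403' is absent for the GET; replace it with `# The GET on /book is allowed by the policy: no 403 may appear in the output.` and drop the second sentence. A negative-only check also passes trivially when wget fails for an unrelated reason (pod not yet scheduled, DNS not resolving), so the GET step should additionally pin success, mirroring the POST step: `(contains($stderr, 'Error')): false`. Unless chainsaw's `apply` waits for the rollout (I do not believe it does), an `assert` step on the Deployment's readiness between `apply` and the first `script` would make the test deterministic instead of timing-dependent. Both scripts also reuse the pod name `test` with `--rm`; if the first pod is still terminating when the second `kubectl run` starts, the step may fail with an already-exists error, so distinct names (or `--pod-running-timeout`) would be safer.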
@@ -0,0 +1,182 @@ | ||
# Application Deployment with kyverno-envoy-plugin and Envoy sidecars. | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: testapp | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: testapp | ||
template: | ||
metadata: | ||
labels: | ||
app: testapp | ||
spec: | ||
initContainers: | ||
- name: proxy-init | ||
image: sanskardevops/proxyinit:latest | ||
# Configure the iptables bootstrap script to redirect traffic to the | ||
# Envoy proxy on port 8000, specify that Envoy will be running as user | ||
# 1111, These values must match up with the configuration | ||
# defined below for the "envoy" and "kyverno-envoy-plugin" containers. | ||
args: ["-p", "7000", "-u", "1111"] | ||
securityContext: | ||
capabilities: | ||
add: | ||
- NET_ADMIN | ||
runAsNonRoot: false | ||
runAsUser: 0 | ||
containers: | ||
- name: test-application | ||
image: sanskardevops/test-application:0.0.1 | ||
ports: | ||
- containerPort: 8080 | ||
- name: envoy | ||
image: envoyproxy/envoy:v1.30-latest | ||
securityContext: | ||
runAsUser: 1111 | ||
imagePullPolicy: IfNotPresent | ||
volumeMounts: | ||
- readOnly: true | ||
mountPath: /config | ||
name: proxy-config | ||
args: | ||
- "envoy" | ||
- "--config-path" | ||
- "/config/envoy.yaml" | ||
- name: kyverno-envoy-plugin | ||
image: ko.local/github.com/kyverno/kyverno-envoy-plugin:latest | ||
imagePullPolicy: IfNotPresent | ||
ports: | ||
- containerPort: 8000 | ||
- containerPort: 9000 | ||
volumeMounts: | ||
- readOnly: true | ||
mountPath: /policies | ||
name: policy-files | ||
args: | ||
- "serve" | ||
- "--policy=/policies/policy.yaml" | ||
volumes: | ||
- name: proxy-config | ||
configMap: | ||
name: proxy-config | ||
- name: policy-files | ||
configMap: | ||
name: policy-files | ||
--- | ||
# Envoy Config with External Authorization filter that will query kyverno-envoy-plugin. | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: proxy-config | ||
data: | ||
envoy.yaml: | | ||
static_resources: | ||
listeners: | ||
- address: | ||
socket_address: | ||
address: 0.0.0.0 | ||
port_value: 7000 | ||
filter_chains: | ||
- filters: | ||
- name: envoy.filters.network.http_connection_manager | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
codec_type: auto | ||
stat_prefix: ingress_http | ||
route_config: | ||
name: local_route | ||
virtual_hosts: | ||
- name: backend | ||
domains: | ||
- "*" | ||
routes: | ||
- match: | ||
prefix: "/" | ||
route: | ||
cluster: service | ||
http_filters: | ||
- name: envoy.ext_authz | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz | ||
transport_api_version: V3 | ||
with_request_body: | ||
max_request_bytes: 8192 | ||
allow_partial_message: true | ||
failure_mode_allow: false | ||
grpc_service: | ||
google_grpc: | ||
target_uri: 127.0.0.1:9000 | ||
stat_prefix: ext_authz | ||
timeout: 0.5s | ||
- name: envoy.filters.http.router | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router | ||
clusters: | ||
- name: service | ||
connect_timeout: 0.25s | ||
type: strict_dns | ||
lb_policy: round_robin | ||
load_assignment: | ||
cluster_name: service | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: 127.0.0.1 | ||
port_value: 8080 | ||
admin: | ||
access_log_path: "/dev/null" | ||
address: | ||
socket_address: | ||
address: 0.0.0.0 | ||
port_value: 8001 | ||
layered_runtime: | ||
layers: | ||
- name: static_layer_0 | ||
static_layer: | ||
envoy: | ||
resource_limits: | ||
listener: | ||
example_listener_name: | ||
connection_limit: 10000 | ||
overload: | ||
global_downstream_max_connections: 50000 | ||
--- | ||
# Example policy to enforce into kyverno-envoy-plugin sidecars. | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: policy-files | ||
data: | ||
policy.yaml: | | ||
apiVersion: json.kyverno.io/v1alpha1 | ||
kind: ValidatingPolicy | ||
metadata: | ||
name: checkrequest | ||
spec: | ||
rules: | ||
- name: deny-other-methods | ||
assert: | ||
any: | ||
- message: "only allow GET method calls at path /book " | ||
check: | ||
request: | ||
http: | ||
method: GET | ||
path: /book | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: testapp | ||
spec: | ||
type: ClusterIP | ||
selector: | ||
app: testapp | ||
ports: | ||
- port: 8080 | ||
targetPort: 8080 |
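Review bot: The Envoy admin listener in the `proxy-config` ConfigMap (`admin:` → `socket_address` → `address: 0.0.0.0`, `port_value: 8001`) is bound to all pod interfaces, which makes the unauthenticated admin API (config dumps, runtime/log-level changes, shutdown) reachable from any other pod on the cluster network; for a sidecar it should be loopback-only, `address: 127.0.0.1`, since nothing in this fixture needs it remotely. The `proxy-init` comment says traffic is redirected "to the Envoy proxy on port 8000", but `args: ["-p", "7000", "-u", "1111"]` and the Envoy listener `port_value: 7000` both use 7000 (8000 is the plugin's port), so the comment should read `# Envoy proxy on port 7000`. `sanskardevops/proxyinit:latest` and `envoyproxy/envoy:v1.30-latest` are floating tags, so this e2e fixture is not reproducible and a registry-side change can silently alter what CI exercises; pinning by digest (`image@sha256:<DIGEST-PLACEHOLDER>`) is the usual fix. Finally, `allow_partial_message: true` with `max_request_bytes: 8192` means bodies above 8 KiB reach the plugin truncated — harmless for this method/path policy, but worth a comment such as `# bodies >8 KiB are truncated before authz; do not add body-based rules without revisiting this` so a later rule is not written against partial input.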