Skip to content

fix: disallow-privilege-escalation (cel) #1587

fix: disallow-privilege-escalation (cel)

fix: disallow-privilege-escalation (cel) #1587

Workflow file for this run

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# to update the workflow jobs, run the script below from the repository root:
# `(cd .hack/chainsaw-matrix && go run . > ../../.github/workflows/test.yml)`
name: E2E Tests
permissions: {}
on:
pull_request:
branches:
- main
- release-*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
argo:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^argo$/^(application-field-validation|application-prevent-default-project|application-prevent-updates-project|applicationset-name-matches-project|appproject-clusterresourceblacklist|argo-cluster-generation-from-rancher-capi)$
aws:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^aws$/^(require-encryption-aws-loadbalancers)$
best-practices:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^best-practices$/^(add-network-policy|add-networkpolicy-dns|add-ns-quota|add-rolebinding|add-safe-to-evict|disallow-cri-sock-mount|disallow-default-namespace|disallow-empty-ingress-host|disallow-helm-tiller|disallow-latest-tag|require-drop-all|require-drop-cap-net-raw)$
best-practices-12:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^best-practices$/^(require-labels|require-pod-requests-limits|require-probes|require-ro-rootfs|restrict-image-registries|restrict-node-port|restrict-service-external-ips)$
castai:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^castai$/^(add-castai-removal-disabled)$
cert-manager:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^cert-manager$/^(limit-dnsnames|limit-duration|restrict-issuer)$
cleanup:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^cleanup$/^(cleanup-bare-pods|cleanup-empty-replicasets)$
consul:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^consul$/^(enforce-min-tls-version)$
external-secret-operator:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^external-secret-operator$/^(add-external-secret-prefix)$
flux:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^flux$/^(generate-flux-multi-tenant-resources|verify-flux-images|verify-flux-sources|verify-git-repositories)$
istio:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^istio$/^(add-ambient-mode-namespace|add-sidecar-injection-namespace|create-authorizationpolicy|enforce-ambient-mode-namespace|enforce-sidecar-injection-namespace|enforce-strict-mtls|enforce-tls-hosts-host-subnets|prevent-disabling-injection-pods|require-authorizationpolicy|restrict-virtual-service-wildcard|service-mesh-disallow-capabilities|service-mesh-require-run-as-nonroot)$
karpenter:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^karpenter$/^(add-karpenter-daemonset-priority-class|add-karpenter-donot-evict|add-karpenter-nodeselector|set-karpenter-non-cpu-limits)$
kasten:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^kasten$/^(kasten-3-2-1-backup|kasten-data-protection-by-label|kasten-generate-policy-by-preset-label|kasten-hourly-rpo|kasten-minimum-retention|kasten-validate-ns-by-preset-label)$
kubecost:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^kubecost$/^(enable-kubecost-continuous-rightsizing|require-kubecost-labels)$
kubeops:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^kubeops$/^(config-syncer-secret-generation-from-rancher-capi)$
kubevirt:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^kubevirt$/^(add-services|enforce-instancetype)$
linkerd:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^linkerd$/^(add-linkerd-mesh-injection|add-linkerd-policy-annotation|check-linkerd-authorizationpolicy|prevent-linkerd-pod-injection-override|prevent-linkerd-port-skipping|require-linkerd-mesh-injection|require-linkerd-server)$
nginx-ingress:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^nginx-ingress$/^(disallow-ingress-nginx-custom-snippets|restrict-annotations|restrict-ingress-paths)$
openshift:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^openshift$/^(check-routes|disallow-security-context-constraint-anyuid|disallow-self-provisioner-binding)$
other:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(add-certificates-volume|add-default-resources|add-default-securitycontext|add-emptydir-sizelimit|add-env-vars-from-cm|add-image-as-env-var|add-imagepullsecrets|add-imagepullsecrets-for-containers-and-initcontainers|add-labels|add-ndots|add-node-affinity|add-node-labels-pod)$
other-12:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(add-nodeSelector|add-pod-priorityclassname|add-pod-proxies|add-tolerations|add-ttl-jobs|add-volume-deployment|advanced-restrict-image-registries|allowed-annotations|allowed-base-images|allowed-image-repos|allowed-label-changes|allowed-pod-priorities)$
other-24:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(always-pull-images|annotate-base-images|apply-pss-restricted-profile|audit-event-on-delete|audit-event-on-exec|block-cluster-admin-from-ns|block-ephemeral-containers|block-images-with-volumes|block-large-images|block-pod-exec-by-namespace|block-pod-exec-by-namespace-label|block-pod-exec-by-pod-and-container)$
other-36:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(block-pod-exec-by-pod-label|block-pod-exec-by-pod-name|block-stale-images|block-updates-deletes|check-env-vars|check-hpa-exists|check-ingress-nginx-controller-version-and-annotation-policy|check-nvidia-gpu|check-serviceaccount|check-serviceaccount-secrets|check-subjectaccessreview|check-vpa-configuration)$
other-48:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(concatenate-configmaps|copy-namespace-labels|create-default-pdb|create-pod-antiaffinity|deny-commands-in-exec-probe|deny-secret-service-account-token-type|deployment-replicas-higher-than-pdb|disable-automountserviceaccounttoken|disable-service-discovery|disallow-all-secrets|disallow-localhost-services|disallow-secrets-from-env-vars)$
other-60:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(dns-policy-and-dns-config|docker-socket-requires-label|enforce-pod-duration|enforce-resources-as-ratio|ensure-probes-different|ensure-production-matches-staging|ensure-readonly-hostpath|exclude-namespaces-dynamically|forbid-cpu-limits|generate-networkpolicy-existing|get-debug-information|imagepullpolicy-always)$
other-72:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(ingress-host-match-tls|inject-env-var-from-image-label|inject-sidecar-deployment|inspect-csr|kubernetes-version-check|label-existing-namespaces|label-nodes-cri|limit-configmap-for-sa|limit-containers-per-pod|limit-hostpath-type-pv|limit-hostpath-vols|memory-requests-equal-limits)$
other-84:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(metadata-match-regex|mitigate-log4shell|mutate-large-termination-gps|mutate-pod-binding|namespace-inventory-check|nfs-subdir-external-provisioner-storage-path|only-trustworthy-registries-set-root|pdb-maxunavailable|pdb-maxunavailable-with-deployments|pdb-minavailable|policy-for-exceptions|prepend-image-registry)$
other-96:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(prevent-bare-pods|prevent-cr8escape|prevent-duplicate-hpa|prevent-duplicate-vpa|protect-node-taints|record-creation-details|refresh-env-var-in-pod|refresh-volumes-in-pods|remove-hostpath-volumes|remove-serviceaccount-token|replace-image-registry|replace-image-registry-with-harbor)$
other-108:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(replace-ingress-hosts|require-annotations|require-base-image|require-container-port-names|require-cpu-limits|require-deployments-have-multiple-replicas|require-emptydir-requests-limits|require-image-checksum|require-image-source|require-imagepullsecrets|require-ingress-https|require-netpol)$
other-120:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(require-non-root-groups|require-pdb|require-pod-priorityclassname|require-qos-burstable|require-qos-guaranteed|require-reasonable-pdbs|require-replicas-allow-disruption|require-storageclass|require-unique-external-dns|require-unique-service-selector|require-unique-uid-per-workload|resolve-image-to-digest)$
other-132:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(resource-creation-updating-denied|restart-deployment-on-secret-change|restrict-annotations|restrict-automount-sa-token|restrict-binding-clusteradmin|restrict-binding-system-groups|restrict-clusterrole-csr|restrict-clusterrole-mutating-validating-admission-webhooks|restrict-clusterrole-nodesproxy|restrict-controlplane-scheduling|restrict-deprecated-registry|restrict-escalation-verbs-roles)$
other-144:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(restrict-ingress-classes|restrict-ingress-defaultbackend|restrict-ingress-host|restrict-ingress-wildcard|restrict-jobs|restrict-loadbalancer|restrict-networkpolicy-empty-podselector|restrict-node-affinity|restrict-node-label-changes|restrict-node-label-creation|restrict-node-selection|restrict-pod-controller-serviceaccount-updates)$
other-156:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(restrict-sa-automount-sa-token|restrict-secret-role-verbs|restrict-secrets-by-label|restrict-secrets-by-name|restrict-service-port-range|restrict-storageclass|restrict-usergroup-fsgroup-id|restrict-wildcard-resources|restrict-wildcard-verbs|scale-deployment-zero|spread-pods-across-topology|sync-secrets)$
other-168:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^other$/^(topologyspreadconstraints-policy|unique-ingress-host-and-path|unique-ingress-paths|update-image-tag|verify-vpa-target)$
pod-security_baseline:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^pod-security$/^baseline$/^(disallow-capabilities|disallow-host-namespaces|disallow-host-path|disallow-host-ports|disallow-host-ports-range|disallow-host-process|disallow-privileged-containers|disallow-proc-mount|disallow-selinux|restrict-apparmor-profiles|restrict-seccomp|restrict-sysctls)$
pod-security_restricted:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^pod-security$/^restricted$/^(disallow-capabilities-strict|disallow-privilege-escalation|require-run-as-non-root-user|require-run-as-nonroot|restrict-seccomp-strict|restrict-volume-types)$
pod-security_subrule_restricted:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^pod-security$/^subrule$/^restricted$/^(restricted-exclude-capabilities|restricted-exclude-seccomp|restricted-latest)$
psa:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^psa$/^(add-privileged-existing-namespaces|add-psa-labels|add-psa-namespace-reporting|deny-privileged-profile)$
psp-migration:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^psp-migration$/^(add-apparmor|add-capabilities|add-runtimeClassName|check-supplemental-groups|restrict-adding-capabilities|restrict-runtimeClassName)$
tekton:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^tekton$/^(block-tekton-task-runs|require-tekton-bundle|require-tekton-namespace-pipelinerun)$
traefik:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^traefik$/^(disallow-default-tlsoptions)$
velero:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^velero$/^(backup-all-volumes|block-velero-restore|validate-cron-schedule)$
windows-security:
strategy:
fail-fast: false
matrix:
k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Environment
uses: ./.github/actions/setup-env
with:
k8s-version: ${{ matrix.k8s-version }}
- name: Run Tests
uses: ./.github/actions/run-tests
with:
tests: ^windows-security$/^(require-run-as-containeruser)$
e2e-required-success:
name: e2e-required
needs:
- argo
- aws
- best-practices
- best-practices-12
- castai
- cert-manager
- cleanup
- consul
- external-secret-operator
- flux
- istio
- karpenter
- kasten
- kubecost
- kubeops
- kubevirt
- linkerd
- nginx-ingress
- openshift
- other
- other-12
- other-24
- other-36
- other-48
- other-60
- other-72
- other-84
- other-96
- other-108
- other-120
- other-132
- other-144
- other-156
- other-168
- pod-security_baseline
- pod-security_restricted
- pod-security_subrule_restricted
- psa
- psp-migration
- tekton
- traefik
- velero
- windows-security
runs-on: ubuntu-latest
if: ${{ success() }}
steps:
- run: ${{ true }}
e2e-required-failure:
name: e2e-required
needs:
- argo
- aws
- best-practices
- best-practices-12
- castai
- cert-manager
- cleanup
- consul
- external-secret-operator
- flux
- istio
- karpenter
- kasten
- kubecost
- kubeops
- kubevirt
- linkerd
- nginx-ingress
- openshift
- other
- other-12
- other-24
- other-36
- other-48
- other-60
- other-72
- other-84
- other-96
- other-108
- other-120
- other-132
- other-144
- other-156
- other-168
- pod-security_baseline
- pod-security_restricted
- pod-security_subrule_restricted
- psa
- psp-migration
- tekton
- traefik
- velero
- windows-security
runs-on: ubuntu-latest
if: ${{ failure() || cancelled() }}
steps:
- run: ${{ false }}