From b84fd806085d1614d32b97dccabc02c1030bf46b Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Mon, 26 Aug 2024 21:56:32 +0200
Subject: [PATCH 1/6] add image-policy-test prefix to allowed softwail namespaces for image validator
---
 test/e2e/cluster_config.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/e2e/cluster_config.sh b/test/e2e/cluster_config.sh
index 9bcee96c8f..24678916d8 100755
--- a/test/e2e/cluster_config.sh
+++ b/test/e2e/cluster_config.sh
@@ -46,7 +46,7 @@ clusters:
 teapot_admission_controller_daemonset_reserved_cpu: "518m"
 karpenter_pools_enabled: "true"
 okta_auth_client_id: "kubernetes.cluster.teapot-e2e"
- teapot_admission_controller_validate_pod_images_soft_fail_namespaces: "^kube-system$"
+ teapot_admission_controller_validate_pod_images_soft_fail_namespaces: "^kube-system$,^image-policy-test"
 criticality_level: 1
 environment: e2e
 id: ${CLUSTER_ID}
From 73e863c43a1f2b93e8102c3d620ceb8fcff33542 Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 28 Aug 2024 09:40:56 +0200
Subject: [PATCH 2/6] update compliant and non-compliant images for apiserver e2e tests
---
 test/e2e/apiserver.go | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/test/e2e/apiserver.go b/test/e2e/apiserver.go
index b657b3b162..18606a967b 100644
--- a/test/e2e/apiserver.go
+++ b/test/e2e/apiserver.go
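Review bot: In PATCH 1/6 (test/e2e/cluster_config.sh) the added pattern `^image-policy-test` has no closing `$`, so it matches every namespace whose name merely starts with that string, unlike the fully anchored `^kube-system$` beside it. If soft-fail means the validator admits a pod whose image check fails (inferred from the setting name, not shown in the hunk), any e2e case that expects a non-compliant image to be rejected stops exercising enforcement once it runs in such a namespace. If the prefix match is intended, say so next to the setting, e.g. `# prefix match on purpose; soft-fail only for image-policy e2e namespaces`. PATCH 3/6 later in this series restores the original value.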
@@ -39,24 +39,26 @@ import (
 )
 const (
- compliantImage1 = "registry.opensource.zalan.do/teapot/skipper:v0.14.0" // these are several compliant images
- compliantImage2 = "registry.opensource.zalan.do/teapot/skipper:v0.14.1"
- compliantImage3 = "registry.opensource.zalan.do/teapot/skipper:v0.14.2"
- compliantImage4 = "registry.opensource.zalan.do/teapot/skipper:v0.14.3"
- compliantImage5 = "registry.opensource.zalan.do/teapot/skipper:v0.14.4"
- compliantImage6 = "registry.opensource.zalan.do/teapot/skipper:v0.14.5"
- compliantImage7 = "registry.opensource.zalan.do/teapot/skipper:v0.14.6"
- compliantImage8 = "registry.opensource.zalan.do/teapot/skipper:v0.14.7"
- nonCompliantImage1 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-2" // these are several non-compliant images
- nonCompliantImage2 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-3"
- nonCompliantImage3 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-5"
- nonCompliantImage4 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-6"
- nonCompliantImage5 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-7"
- nonCompliantImage6 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-8"
- nonCompliantImage7 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-10"
- nonCompliantImage8 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-11"
- nonCompliantImage9 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-12"
- nonCompliantImage10 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-13"
+ compliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.19.0" // these are several compliant images
+ compliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.19.1"
+ compliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.19.2"
+ compliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.19.3"
+ compliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.19.4"
+ compliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.19.5"
+ compliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.19.6"
+ compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.19.7"
+
+ // these are non-compliant because of expired base image
+ nonCompliantImage1 = "registry.opensource.zalan.do/teapot/skipper:v0.14.0"
+ nonCompliantImage2 = "registry.opensource.zalan.do/teapot/skipper:v0.14.1"
+ nonCompliantImage3 = "registry.opensource.zalan.do/teapot/skipper:v0.14.2"
+ nonCompliantImage4 = "registry.opensource.zalan.do/teapot/skipper:v0.14.3"
+ nonCompliantImage5 = "registry.opensource.zalan.do/teapot/skipper:v0.14.4"
+ nonCompliantImage6 = "registry.opensource.zalan.do/teapot/skipper:v0.14.5"
+ nonCompliantImage7 = "registry.opensource.zalan.do/teapot/skipper:v0.14.6"
+ nonCompliantImage8 = "registry.opensource.zalan.do/teapot/skipper:v0.14.7"
+ nonCompliantImage9 = "registry.opensource.zalan.do/teapot/skipper:v0.14.8"
+ nonCompliantImage10 = "registry.opensource.zalan.do/teapot/skipper:v0.14.9"
 waitForPodTimeout = 5 * time.Minute
 )
From d46a073feafbf6d6b4f390b84a0b6a03c9b42417 Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 28 Aug 2024 09:44:51 +0200
Subject: [PATCH 3/6] remove image-policy prefix from softfail namespaces
---
 test/e2e/cluster_config.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/e2e/cluster_config.sh b/test/e2e/cluster_config.sh
index 24678916d8..9bcee96c8f 100755
--- a/test/e2e/cluster_config.sh
+++ b/test/e2e/cluster_config.sh
@@ -46,7 +46,7 @@ clusters:
 teapot_admission_controller_daemonset_reserved_cpu: "518m"
 karpenter_pools_enabled: "true"
 okta_auth_client_id: "kubernetes.cluster.teapot-e2e"
- teapot_admission_controller_validate_pod_images_soft_fail_namespaces: "^kube-system$,^image-policy-test"
+ teapot_admission_controller_validate_pod_images_soft_fail_namespaces: "^kube-system$"
 criticality_level: 1
 environment: e2e
 id: ${CLUSTER_ID}
From 0a34ba730e5f942b0a68c67e4013d85aa081f1da Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 28 Aug 2024 09:48:47 +0200
Subject: [PATCH 4/6] use skipper v0.21.x as compliant images
---
 test/e2e/apiserver.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/test/e2e/apiserver.go b/test/e2e/apiserver.go
index 18606a967b..1ee347b652 100644
--- a/test/e2e/apiserver.go
+++ b/test/e2e/apiserver.go
@@ -39,14 +39,14 @@ import (
 )
 const (
- compliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.19.0" // these are several compliant images
- compliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.19.1"
- compliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.19.2"
- compliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.19.3"
- compliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.19.4"
- compliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.19.5"
- compliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.19.6"
- compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.19.7"
+ compliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.21.0" // these are several compliant images
+ compliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.21.1"
+ compliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.21.2"
+ compliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.21.3"
+ compliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.21.4"
+ compliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.21.5"
+ compliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.21.6"
+ compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.21.7"
 // these are non-compliant because of expired base image
 nonCompliantImage1 = "registry.opensource.zalan.do/teapot/skipper:v0.14.0"
From 68d2f9c105596a14a4b43100f97ae05f40ac1cb4 Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 28 Aug 2024 10:20:55 +0200
Subject: [PATCH 5/6] use same registry for compliant and non-compliant images
---
 test/e2e/apiserver.go | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/test/e2e/apiserver.go b/test/e2e/apiserver.go
index 1ee347b652..a49e954b34 100644
--- a/test/e2e/apiserver.go
+++ b/test/e2e/apiserver.go
@@ -39,7 +39,8 @@ import (
 )
 const (
- compliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.21.0" // these are several compliant images
+ // these are several compliant images
+ compliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.21.0"
 compliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.21.1"
 compliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.21.2"
 compliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.21.3"
@@ -49,16 +50,16 @@ const (
 compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.21.7"
 // these are non-compliant because of expired base image
- nonCompliantImage1 = "registry.opensource.zalan.do/teapot/skipper:v0.14.0"
- nonCompliantImage2 = "registry.opensource.zalan.do/teapot/skipper:v0.14.1"
- nonCompliantImage3 = "registry.opensource.zalan.do/teapot/skipper:v0.14.2"
- nonCompliantImage4 = "registry.opensource.zalan.do/teapot/skipper:v0.14.3"
- nonCompliantImage5 = "registry.opensource.zalan.do/teapot/skipper:v0.14.4"
- nonCompliantImage6 = "registry.opensource.zalan.do/teapot/skipper:v0.14.5"
- nonCompliantImage7 = "registry.opensource.zalan.do/teapot/skipper:v0.14.6"
- nonCompliantImage8 = "registry.opensource.zalan.do/teapot/skipper:v0.14.7"
- nonCompliantImage9 = "registry.opensource.zalan.do/teapot/skipper:v0.14.8"
- nonCompliantImage10 = "registry.opensource.zalan.do/teapot/skipper:v0.14.9"
+ nonCompliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.19.0"
+ nonCompliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.19.1"
+ nonCompliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.19.2"
+ nonCompliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.19.3"
+ nonCompliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.19.4"
+ nonCompliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.19.5"
+ nonCompliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.19.6"
+ nonCompliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.19.7"
+ nonCompliantImage9 = "container-registry.zalando.net/teapot/skipper:v0.19.8"
+ nonCompliantImage10 = "container-registry.zalando.net/teapot/skipper:v0.19.9"
 waitForPodTimeout = 5 * time.Minute
 )
From 461012dc8a47113be756a31090c5f3ef37240a0e Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 28 Aug 2024 12:00:02 +0200
Subject: [PATCH 6/6] use older images for non-compliant images
---
 test/e2e/apiserver.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/test/e2e/apiserver.go b/test/e2e/apiserver.go
index a49e954b34..69ab33d5b4 100644
--- a/test/e2e/apiserver.go
+++ b/test/e2e/apiserver.go
@@ -50,16 +50,16 @@ const (
 compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.21.7"
 // these are non-compliant because of expired base image
- nonCompliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.19.0"
- nonCompliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.19.1"
- nonCompliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.19.2"
- nonCompliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.19.3"
- nonCompliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.19.4"
- nonCompliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.19.5"
- nonCompliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.19.6"
- nonCompliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.19.7"
- nonCompliantImage9 = "container-registry.zalando.net/teapot/skipper:v0.19.8"
- nonCompliantImage10 = "container-registry.zalando.net/teapot/skipper:v0.19.9"
+ nonCompliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.16.0"
+ nonCompliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.16.1"
+ nonCompliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.16.2"
+ nonCompliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.16.3"
+ nonCompliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.16.4"
+ nonCompliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.16.5"
+ nonCompliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.16.6"
+ nonCompliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.16.7"
+ nonCompliantImage9 = "container-registry.zalando.net/teapot/skipper:v0.16.8"
+ nonCompliantImage10 = "container-registry.zalando.net/teapot/skipper:v0.16.9"
 waitForPodTimeout = 5 * time.Minute
 )
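Review bot: In PATCH 6/6 the ten `nonCompliantImage` constants are simply enumerated from `skipper:v0.16.0` to `skipper:v0.16.9`, and the diff gives no evidence that every one of these tags exists in `container-registry.zalando.net`. How the tests consume the constants is outside the hunk, but if a negative case only checks that the pod never becomes ready, a missing tag would fail at image pull and the case would pass without the admission controller having rejected anything. The assertions using these constants should require the admission denial at create time rather than a later pod failure. A comment on the group would record the precondition, e.g. `// every tag must exist in the registry; the expected failure is the admission denial, not an image pull error`.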