From 333df45c33e60055de5959849b62ce99215153b5 Mon Sep 17 00:00:00 2001 From: Allen Porter Date: Tue, 31 Dec 2024 15:50:04 +0000 Subject: [PATCH] Remove kyverno support --- .devcontainer/Dockerfile | 1 - .github/workflows/flux-local-test.yaml | 1 - .github/workflows/test.yaml | 5 - Dockerfile | 1 - README.md | 18 +-- action/test/action.yml | 14 --- flux_local/exceptions.py | 4 - flux_local/git_repo.py | 32 +----- flux_local/kustomize.py | 41 ------- flux_local/manifest.py | 41 ------- flux_local/tool/selector.py | 2 - flux_local/tool/test.py | 10 -- flux_local/tool/visitor.py | 3 +- script/DESIGN.md | 4 +- tests/__snapshots__/test_git_repo.ambr | 106 ++++-------------- tests/test_kustomize.py | 21 ---- tests/testdata/policies/fail.yaml | 25 ----- tests/testdata/policies/pass.yaml | 25 ----- .../tool/__snapshots__/test_get_cluster.ambr | 16 --- tests/tool/test_test.py | 4 +- 20 files changed, 27 insertions(+), 347 deletions(-) delete mode 100644 tests/testdata/policies/fail.yaml delete mode 100644 tests/testdata/policies/pass.yaml diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index bcfa0df1..d6ac95f4 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -14,7 +14,6 @@ RUN apt-get update --fix-missing && \ COPY --from=docker.io/bitnami/kubectl:1.32.0 /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/kubectl COPY --from=registry.k8s.io/kustomize/kustomize:v5.4.3 /app/kustomize /usr/local/bin/kustomize -COPY --from=ghcr.io/kyverno/kyverno-cli:v1.13.2 /ko-app/kubectl-kyverno /usr/local/bin/kyverno COPY --from=docker.io/alpine/helm:3.16.4 /usr/bin/helm /usr/local/bin/helm COPY --from=ghcr.io/fluxcd/flux-cli:v2.4.0 /usr/local/bin/flux /usr/local/bin/flux diff --git a/.github/workflows/flux-local-test.yaml b/.github/workflows/flux-local-test.yaml index 11c5e7f5..5c84413f 100644 --- a/.github/workflows/flux-local-test.yaml +++ b/.github/workflows/flux-local-test.yaml 
@@ -29,7 +29,6 @@ jobs: - uses: ./action/test with: enable-helm: true - enable-kyverno: false sources: cluster=tests/testdata/cluster3,flux-system,home-ops-kubernetes path: ${{ matrix.cluster_path }} api-versions: batch/v1/CronJob diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 4b5560a4..13acf442 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -22,11 +22,6 @@ jobs: - uses: actions/checkout@v4 - name: Setup Flux CLI uses: fluxcd/flux2/action@v2.4.0 - - uses: supplypike/setup-bin@v4 - with: - uri: https://github.com/kyverno/kyverno/releases/download/v1.11.3/kyverno-cli_v1.11.3_linux_x86_64.tar.gz - name: kyverno-cli - version: v1.11.3 - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 with: diff --git a/Dockerfile b/Dockerfile index 74fef74c..f05040cb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,6 @@ COPY --from=ghcr.io/fluxcd/flux-cli:v2.4.0 /usr/local/bin/flux COPY --from=docker.io/alpine/helm:3.16.4 /usr/bin/helm /usr/local/bin/helm COPY --from=docker.io/bitnami/kubectl:1.32.0 /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/kubectl COPY --from=registry.k8s.io/kustomize/kustomize:v5.4.3 /app/kustomize /usr/local/bin/kustomize -COPY --from=ghcr.io/kyverno/kyverno-cli:v1.13.2 /ko-app/kubectl-kyverno /usr/local/bin/kyverno USER 1001 ENTRYPOINT ["/usr/local/bin/flux-local"] diff --git a/README.md b/README.md index 70368175..8a1cdfe3 100644 --- a/README.md +++ b/README.md 
@@ -209,18 +209,7 @@ collected 18 items You may also validate `HelmRelease` objects can be templated properly with the `--enable-helm` flag. This will run `kustomize build` then run `helm template` on all the `HelmRelease` objects -found. Additionally the `--enable-kyverno` flag will apply any found `ClusterPolicy` objects to -all objects in the cluster and verify they pass: -``` -$ flux-local test --enable-helm --enable-kyverno -============================================= test session starts ============================================= -collected 81 items - -clusters/dev ..................................... [ 45%] -clusters/prod ............................................ [100%] - -======================================== 81 passed in 75.40s (0:01:15) ======================================== -``` +found. ## GitHub Action @@ -230,9 +219,7 @@ or PRs. The actions expect to find the `flux` and `kustomize` binaries installed ### test action The `test` action will validate the cluster will build, and can optionally -validate flux `HelmRelease` builds and also verify that all objects pass -kyverno policies (e.g. for determining there are no deprecated api resources -or that ingress objects are valid). +validate flux `HelmRelease` builds. This example will run `flux-local test` against the cluster in `clusters/prod` with helm release expansion enabled. @@ -244,7 +231,6 @@ helm release expansion enabled. with: path: clusters/prod enable-helm: true - enable-kyverno: false ``` ### diff action diff --git a/action/test/action.yml b/action/test/action.yml index a12339a6..8598eb8d 100644 --- a/action/test/action.yml +++ b/action/test/action.yml 
@@ -13,13 +13,6 @@ inputs:
 description: Kubernetes api versions used for helm Capabilities.APIVersions
 default: policy/v1/PodDisruptionBudget
 required: false
- enable-kyverno:
- description: Validate cluster resources against kyverno policies found in the cluster
- default: false
- required: false
- kyverno-version:
- description: Kyverno version to use when enabled
- default: v1.9.0
 python-version:
 description: Python version used for running flux-local
 default: "3.10"
@@ -57,19 +50,12 @@ runs:
 pip install -r ${{ steps.copy-requirements.outputs.directory }}/requirements.txt
 pip install -e ${{ github.action_path }}/../../
 shell: bash
- - uses: supplypike/setup-bin@v3
- with:
- uri: https://github.com/kyverno/kyverno/releases/download/${{ inputs.kyverno-version }}/kyverno-cli_${{ inputs.kyverno-version }}_linux_x86_64.tar.gz
- name: "kyverno-cli"
- version: ${{ inputs.kyverno-version }}
- if: ${{ inputs.enable-kyverno == 'true' }}
 - name: Test cluster (flux-local)
 run: |
 flux-local \
 --log-level ${{ inputs.debug != 'true' && 'INFO' || 'DEBUG' }} \
 test \
 --${{ inputs.enable-helm != 'true' && 'no-' || '' }}enable-helm \
- --${{ inputs.enable-kyverno != 'true' && 'no-' || '' }}enable-kyverno \
 --api-versions "${{ inputs.api-versions }}" \
 --kustomize-build-flags="${{ inputs.kustomize-build-flags }}" \
 --sources "${{ inputs.sources }}" \
diff --git a/flux_local/exceptions.py b/flux_local/exceptions.py
index 8d0fdc02..91951d4a 100644
--- a/flux_local/exceptions.py
+++ b/flux_local/exceptions.py
@@ -31,10 +31,6 @@ class HelmException(CommandException):
 """Raised when there is a failure running a helm command."""


-class KyvernoException(CommandException):
- """Raised when there is an error running kyverno policy command."""
-
-
 class InvalidValuesReference(FluxException):
 """Exception raised for an unsupported ValuesReference."""

diff --git a/flux_local/git_repo.py b/flux_local/git_repo.py
index 167b16c0..6a8fb81b 100644
--- a/flux_local/git_repo.py
+++ b/flux_local/git_repo.py
@@ -49,7 +49,6 @@
 FLUXTOMIZE_DOMAIN,
 KUSTOMIZE_DOMAIN,
 Cluster,
- ClusterPolicy,
 HelmRelease,
 HelmRepository,
 Kustomization,
@@ -77,7 +76,6 @@
 KUSTOMIZE_KIND = "Kustomization"
 HELM_REPO_KIND = "HelmRepository"
 HELM_RELEASE_KIND = "HelmRelease"
-CLUSTER_POLICY_KIND = "ClusterPolicy"
 GIT_REPO_KIND = "GitRepository"
 OCI_REPO_KIND = "OCIRepository"
 DEFAULT_NAMESPACE = "flux-system"
@@ -208,7 +206,6 @@ class ResourceVisitor:
 Kustomization
 | HelmRelease
 | HelmRepository
- | ClusterPolicy
 | OCIRepository,
 kustomize.Kustomize | None,
 ],
@@ -271,7 +268,7 @@ class MetadataSelector:
 def predicate(
 self,
 ) -> Callable[
- [Kustomization | HelmRelease | HelmRepository | ClusterPolicy | OCIRepository],
+ [Kustomization | HelmRelease | HelmRepository | OCIRepository],
 bool,
 ]:
 """A predicate that selects Kustomization objects."""
@@ -281,7 +278,6 @@ def predicate(
 Kustomization
 | HelmRelease
 | HelmRepository
- | ClusterPolicy
 | OCIRepository
 ),
 ) -> bool:
@@ -340,9 +336,6 @@ class ResourceSelector:
 oci_repo: MetadataSelector = field(default_factory=MetadataSelector)
 """OCIRepository objects to return."""

- cluster_policy: MetadataSelector = field(default_factory=MetadataSelector)
- """ClusterPolicy objects to return."""
-
 doc_visitor: DocumentVisitor | None = None
 """Raw objects to visit."""

@@ -587,13 +580,11 @@ async def build_kustomization(
 helm_repo_selector: MetadataSelector = selector.helm_repo
 oci_repo_selector: MetadataSelector = selector.oci_repo
 helm_release_selector: MetadataSelector = selector.helm_release
- cluster_policy_selector: MetadataSelector = selector.cluster_policy
 if (
 not kustomization_selector.enabled
 and not helm_repo_selector.enabled
 and not oci_repo_selector.visitor
 and not helm_release_selector.enabled
- and not cluster_policy_selector.enabled
 and not selector.doc_visitor
 ):
 return
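Review bot: The docstring kept under the changed signature of MetadataSelector.predicate, `"""A predicate that selects Kustomization objects."""`, no longer matches the callable it describes, whose new annotation admits Kustomization, HelmRelease, HelmRepository and OCIRepository; suggest `"""A predicate that selects resources matching this selector's criteria."""`, with the exact criteria confirmed against the body, which lies outside the hunk. The same four-member union is now written out three times — in this hunk, in the ResourceVisitor callable type in the hunk above, and as `ResourceType` in flux_local/tool/visitor.py — so the next kind added or removed will need three coordinated edits; a single alias defined next to the manifest types and imported by both modules would remove that drift risk, though whether visitor.py can host it without an import cycle is not visible here. The enclosing class MetadataSelector starts outside the hunk.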
@@ -633,8 +624,6 @@ async def build_kustomization( kinds.append(HELM_RELEASE_KIND) # Needed for expanding value references kinds.append(SECRET_KIND) - if cluster_policy_selector.enabled: - kinds.append(CLUSTER_POLICY_KIND) if selector.doc_visitor: kinds.extend(selector.doc_visitor.kinds) if not kinds: @@ -681,16 +670,6 @@ async def build_kustomization( ], ) ) - kustomization.cluster_policies = list( - filter( - cluster_policy_selector.predicate, - [ - ClusterPolicy.parse_doc(doc) - for doc in docs - if doc.get("kind") == CLUSTER_POLICY_KIND - ], - ) - ) kustomization.config_maps = [ ConfigMap.parse_doc(doc) for doc in docs @@ -842,15 +821,6 @@ async def update_kustomization(cluster: Cluster) -> None: None, ) - if selector.cluster_policy.visitor: - for kustomization in cluster.kustomizations: - for cluster_policy in kustomization.cluster_policies: - await selector.cluster_policy.visitor.func( - Path(kustomization.path), - cluster_policy, - None, - ) - return Manifest(clusters=clusters) diff --git a/flux_local/kustomize.py b/flux_local/kustomize.py index 496466bd..d21bea21 100644 --- a/flux_local/kustomize.py +++ b/flux_local/kustomize.py @@ -30,8 +30,6 @@ for object in objects: print(f"Found ConfigMap: {object['metadata']['name']}") ``` - -You can apply kyverno policies to the objects with the `validate` method. """ from aiofiles.ospath import isdir @@ -50,7 +48,6 @@ from .exceptions import ( InputException, KustomizeException, - KyvernoException, KustomizePathException, ) from .manifest import Kustomization @@ -64,7 +61,6 @@ ] KUSTOMIZE_BIN = "kustomize" -KYVERNO_BIN = "kyverno" FLUX_BIN = "flux" HELM_RELEASE_KIND = "HelmRelease" 
@@ -148,43 +144,6 @@ def filter_resources(self, kinds: list[str]) -> "Kustomize":
 skip_re = "|".join(kinds)
 return self.grep(f"kind=^({skip_re})$", invert=False)

- async def validate_policies(self, policies: list[manifest.ClusterPolicy]) -> None:
- """Apply kyverno policies to objects built so far."""
- if not policies:
- return
- _LOGGER.debug("Validating policies (len=%d)", len(policies))
- with tempfile.TemporaryDirectory() as tmpdir:
- policyfile = Path(tmpdir) / "policies.yaml"
- policyfile.write_text(
- yaml.dump_all(
- [policy.doc for policy in policies],
- sort_keys=False,
- explicit_start=True,
- )
- )
- await self.validate(policyfile)
-
- async def validate(self, policy_path: Path) -> None:
- """Apply kyverno policies from the directory to any objects built so far.
-
- The specified `policy_path` is a file or directory containing policy objects.
- All secrets will stripped since otherwise they fail the kyverno cli.
- """
- kustomize = self.skip_resources([manifest.SECRET_KIND])
- cmds = kustomize._cmds + [ # pylint: disable=protected-access
- Command(
- [
- KYVERNO_BIN,
- "apply",
- str(policy_path),
- "--resource",
- "-",
- ],
- exc=KyvernoException,
- ),
- ]
- await run_piped(cmds)
-
 async def stash(self) -> "Kustomize":
 """Memoize the contents built so far for efficient reuse.

diff --git a/flux_local/manifest.py b/flux_local/manifest.py
index 99915bee..d2e5a435 100644
--- a/flux_local/manifest.py
+++ b/flux_local/manifest.py
@@ -27,7 +27,6 @@
 "HelmRepository",
 "HelmRelease",
 "HelmChart",
- "ClusterPolicy",
 "ConfigMap",
 "Secret",
 ]
@@ -42,7 +41,6 @@
 HELM_REPO_DOMAIN = "source.toolkit.fluxcd.io"
 HELM_RELEASE_DOMAIN = "helm.toolkit.fluxcd.io"
 OCI_REPOSITORY_DOMAIN = "source.toolkit.fluxcd.io"
-CLUSTER_POLICY_DOMAIN = "kyverno.io"
 CRD_KIND = "CustomResourceDefinition"
 SECRET_KIND = "Secret"
 CONFIG_MAP_KIND = "ConfigMap"
@@ -336,33 +334,6 @@ def repo_name(self) -> str:
 return f"{self.namespace}-{self.name}"


-@dataclass
-class ClusterPolicy(BaseManifest):
- """A kyverno policy object."""
-
- name: str
- """The name of the kustomization."""
-
- namespace: str | None = None
- """The namespace of the kustomization."""
-
- doc: dict[str, Any] | None = field(metadata={"serialize": "omit"}, default=None)
- """The raw ClusterPolicy document."""
-
- @classmethod
- def parse_doc(cls, doc: dict[str, Any]) -> "ClusterPolicy":
- """Parse a cluster policy object from a kubernetes resource."""
- _check_version(doc, CLUSTER_POLICY_DOMAIN)
- if not (metadata := doc.get("metadata")):
- raise InputException(f"Invalid {cls} missing metadata: {doc}")
- if not (name := metadata.get("name")):
- raise InputException(f"Invalid {cls} missing metadata.name: {doc}")
- namespace = metadata.get("namespace")
- if not doc.get("spec"):
- raise InputException(f"Invalid {cls} missing spec: {doc}")
- return ClusterPolicy(name=name, namespace=namespace, doc=doc)
-
-
 @dataclass
 class ConfigMap(BaseManifest):
 """A ConfigMap is an API object used to store data in key-value pairs."""
@@ -481,9 +452,6 @@ class Kustomization(BaseManifest):
 helm_releases: list[HelmRelease] = field(default_factory=list)
 """The set of HelmRelease represented in this kustomization."""

- cluster_policies: list[ClusterPolicy] = field(default_factory=list)
- """The set of ClusterPolicies represented in this kustomization."""
-
 config_maps: list[ConfigMap] = field(default_factory=list)
 """The list of config maps referenced in the kustomization."""

@@ -648,15 +616,6 @@ def helm_releases(self) -> list[HelmRelease]:
 for release in kustomization.helm_releases
 ]

- @property
- def cluster_policies(self) -> list[ClusterPolicy]:
- """Return the list of ClusterPolicy objects from all Kustomizations."""
- return [
- policy
- for kustomization in self.kustomizations
- for policy in kustomization.cluster_policies
- ]
-

 @dataclass
 class Manifest(BaseManifest):
diff --git a/flux_local/tool/selector.py b/flux_local/tool/selector.py
index e0a50837..5a8f496d 100644
--- a/flux_local/tool/selector.py
+++ b/flux_local/tool/selector.py
@@ -137,7 +137,6 @@ def build_ks_selector( # type: ignore[no-untyped-def]
 selector.kustomization.namespace = None
 selector.kustomization.skip_crds = kwargs["skip_crds"]
 selector.kustomization.skip_secrets = kwargs["skip_secrets"]
- selector.cluster_policy.enabled = False
 return selector


@@ -170,7 +169,6 @@ def build_hr_selector( # type: ignore[no-untyped-def]
 selector.helm_release.skip_secrets = kwargs["skip_secrets"]
 selector.kustomization.name = None
 selector.kustomization.namespace = None
- selector.cluster_policy.enabled = False
 return selector


diff --git a/flux_local/tool/test.py b/flux_local/tool/test.py
index 7e39f78e..e25bf3a6 100644
--- a/flux_local/tool/test.py
+++ b/flux_local/tool/test.py
@@ -94,7 +94,6 @@ async def async_runtest(self) -> None:
 self.test_config.helm_options,
 )
 await cmd.objects()
- await cmd.validate_policies(self.cluster.cluster_policies)

 def active_repos(self) -> list[HelmRepository | OCIRepository]:
 """Return HelmRepositories referenced by a HelmRelease."""
@@ -148,7 +147,6 @@ async def async_runtest(self) -> None:
 self.kustomization, Path(self.kustomization.path)
 ).stash()
 await cmd.objects()
- await cmd.validate_policies(self.cluster.cluster_policies)


 class KustomizationCollector(pytest.Collector):
@@ -360,12 +358,6 @@ def register(
 action=BooleanOptionalAction,
 help="Enable use of HelmRelease inflation",
 )
- args.add_argument(
- "--enable-kyverno",
- type=bool,
- action=BooleanOptionalAction,
- help="Enable testing of resources against Kyverno policies",
- )
 # Flags consistent with pytest for pass through
 args.add_argument(
 "test_path",
@@ -398,7 +390,6 @@ def register(
 async def run( # type: ignore[no-untyped-def]
 self,
 enable_helm: bool,
- enable_kyverno: bool,
 test_path: str | None,
 verbosity: int,
 **kwargs, # pylint: disable=unused-argument
@@ -416,7 +407,6 @@ async def run( # type: ignore[no-untyped-def] query.kustomization.skip_crds = True query.helm_release.enabled = enable_helm query.helm_release.namespace = None - query.cluster_policy.enabled = enable_kyverno options = selector.options(**kwargs) helm_options = selector.build_helm_options(**kwargs) diff --git a/flux_local/tool/visitor.py b/flux_local/tool/visitor.py index 009f1e09..a194b867 100644 --- a/flux_local/tool/visitor.py +++ b/flux_local/tool/visitor.py @@ -16,7 +16,6 @@ HelmRelease, Kustomization, HelmRepository, - ClusterPolicy, Manifest, OCIRepository, ) @@ -34,7 +33,7 @@ ResourceType = ( - Kustomization | HelmRelease | HelmRepository | ClusterPolicy | OCIRepository + Kustomization | HelmRelease | HelmRepository | OCIRepository ) diff --git a/script/DESIGN.md b/script/DESIGN.md index e808c0e7..d72f3b3c 100644 --- a/script/DESIGN.md +++ b/script/DESIGN.md @@ -47,7 +47,7 @@ The second step is to then process the results of the cluster by rebuilding all the kustomizations again. Any CRDs and Secrets are filtered out if needed. The results from the previous steps are cached with a brittle very specific cache. Specifically, a few types of resources are collected: `HelmRepository`, -`HelmRelease`, and `ClusterPolicy`. Additional, generic objects are collected +`HelmRelease`, etc. Additional, generic objects are collected with an object listener that supports arbitrary doc kinds, which in practice is used for tracking images used. Each of the objects built are associated with the generated `Kustomization` object. @@ -77,4 +77,4 @@ for a sub-problem that is currently somewhat hairy. An attactive option may be to rewrite the entire thing on golang so that it can reuse the actual flux libraries. This is worth exploring in more detail, or -possibly prototyping. \ No newline at end of file +possibly prototyping. diff --git a/tests/__snapshots__/test_git_repo.ambr b/tests/__snapshots__/test_git_repo.ambr index c296adcc..809871fa 100644 
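Review bot: In the flux_local/tool/visitor.py hunk the rewritten `ResourceType` union now fits on a single line, so the wrapping parentheses the hunk keeps around it are no longer doing anything; suggest collapsing it to `ResourceType = Kustomization | HelmRelease | HelmRepository | OCIRepository`. The import-list hunk in the same file is a pure deletion and needs nothing further.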
--- a/tests/__snapshots__/test_git_repo.ambr +++ b/tests/__snapshots__/test_git_repo.ambr @@ -5,8 +5,6 @@ dict({ 'kustomizations': list([ dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'podinfo-config', @@ -36,8 +34,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'cluster-config', @@ -57,11 +53,6 @@ ]), }), dict({ - 'cluster_policies': list([ - dict({ - 'name': 'test-allow-policy', - }), - ]), 'config_maps': list([ ]), 'helm_releases': list([ @@ -95,8 +86,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ ]), 'helm_releases': list([ @@ -149,8 +138,6 @@ dict({ 'kustomizations': list([ dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'podinfo-config', @@ -170,8 +157,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'cluster-config', @@ -191,11 +176,6 @@ ]), }), dict({ - 'cluster_policies': list([ - dict({ - 'name': 'test-allow-policy', - }), - ]), 'config_maps': list([ ]), 'helm_releases': list([ @@ -229,8 +209,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ ]), 'helm_releases': list([ @@ -257,8 +235,6 @@ dict({ 'kustomizations': list([ dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'podinfo-config', @@ -288,8 +264,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'cluster-config', @@ -309,11 +283,6 @@ ]), }), dict({ - 'cluster_policies': list([ - dict({ - 'name': 'test-allow-policy', - }), - ]), 'config_maps': list([ ]), 'helm_releases': list([ @@ -347,8 +316,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ ]), 'helm_releases': list([ @@ -414,8 +381,6 @@ dict({ 'kustomizations': list([ dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'podinfo-config', 
@@ -445,8 +410,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'cluster-config', @@ -466,11 +429,6 @@ ]), }), dict({ - 'cluster_policies': list([ - dict({ - 'name': 'test-allow-policy', - }), - ]), 'config_maps': list([ ]), 'helm_releases': list([ @@ -486,8 +444,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ ]), 'helm_releases': list([ @@ -534,8 +490,6 @@ dict({ 'kustomizations': list([ dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'podinfo-config', @@ -565,8 +519,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'cluster-config', @@ -586,11 +538,6 @@ ]), }), dict({ - 'cluster_policies': list([ - dict({ - 'name': 'test-allow-policy', - }), - ]), 'config_maps': list([ ]), 'helm_releases': list([ @@ -624,8 +571,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ ]), 'helm_releases': list([ 
@@ -691,31 +636,31 @@ "Build 'flux-system/cluster'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/cluster-apps'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/cluster-apps-ingress-nginx'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/cluster-apps-ingress-nginx-certificates'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/cluster-apps-kubernetes-dashboard'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Kustomization 'flux-system/cluster'": dict({ 
@@ -774,13 +719,13 @@ "Build 'flux-system/namespaces'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/tenants'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Kustomization 'flux-system/namespaces'": dict({ @@ -815,19 +760,19 @@ "Build 'flux-system/cluster'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/cluster-apps'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/cluster-apps-kubernetes-dashboard'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Kustomization 'flux-system/cluster'": dict({ 
@@ -870,7 +815,7 @@ "Build 'flux-system/flux-system'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Kustomization 'flux-system/flux-system'": dict({ @@ -897,13 +842,13 @@ "Build 'flux-system/apps'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/flux-system'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Kustomization 'flux-system/apps'": dict({ 
@@ -938,19 +883,19 @@ "Build 'flux-system/apps'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/charts'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/flux-system'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Kustomization 'flux-system/apps'": dict({ 
@@ -994,25 +939,25 @@ 'cmds': list([ 'flux build tests/testdata/cluster/apps/prod (abs)', "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/flux-system'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/infra-configs'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Build 'flux-system/infra-controllers'": dict({ 'cmds': list([ "kustomize cfg grep 'kind=^(CustomResourceDefinition|Secret)$' --invert-match", - "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret|ClusterPolicy)$'", + "kustomize cfg grep 'kind=^(ConfigMap|HelmRepository|OCIRepository|HelmRelease|Secret)$'", ]), }), "Kustomization 'flux-system/apps'": dict({ @@ -1074,8 +1019,6 @@ dict({ 'kustomizations': list([ dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'podinfo-config', @@ -1105,8 +1048,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ dict({ 'name': 'cluster-config', @@ -1126,11 +1067,6 @@ ]), }), dict({ - 'cluster_policies': list([ - dict({ - 'name': 'test-allow-policy', - }), - ]), 'config_maps': list([ ]), 'helm_releases': list([ 
@@ -1164,8 +1100,6 @@ ]), }), dict({ - 'cluster_policies': list([ - ]), 'config_maps': list([ ]), 'helm_releases': list([ diff --git a/tests/test_kustomize.py b/tests/test_kustomize.py index 5e38323d..4c8873bf 100644 --- a/tests/test_kustomize.py +++ b/tests/test_kustomize.py @@ -85,27 +85,6 @@ async def test_stash(path: Path) -> None: assert len(result) == 0 -@pytest.mark.parametrize( - "path", - [TESTDATA_DIR / "repo", (TESTDATA_DIR / "repo").absolute()], -) -async def test_validate_pass(path: Path) -> None: - """Test applying policies to validate resources.""" - cmd = kustomize.grep("kind=ConfigMap", path) - await cmd.validate(TESTDATA_DIR / "policies/pass.yaml") - - -@pytest.mark.parametrize( - "path", - [TESTDATA_DIR / "repo", (TESTDATA_DIR / "repo").absolute()], -) -async def test_validate_fail(path: Path) -> None: - """Test applying policies to validate resources.""" - cmd = kustomize.grep("kind=ConfigMap", path) - with pytest.raises(exceptions.CommandException, match="fail: 1"): - await cmd.validate(TESTDATA_DIR / "policies/fail.yaml") - - async def test_target_namespace() -> None: """Test a kustomization with a target namespace.""" ks = kustomize.grep("kind=ConfigMap", TESTDATA_DIR / "repo") diff --git a/tests/testdata/policies/fail.yaml b/tests/testdata/policies/fail.yaml deleted file mode 100644 index f6b929f5..00000000 --- a/tests/testdata/policies/fail.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: test-deny-policy - annotations: - policies.kyverno.io/title: Test Allow Policy - policies.kyverno.io/description: >- - Policy that is expected to fail resources under test since no resources - should have the needed annotation. -spec: - validationFailureAction: audit - background: true - rules: - - name: require-test-annotation - match: - resources: - kinds: - - ConfigMap - validate: - message: "Missing test-annotation" - pattern: - metadata: - annotations: - flux-local/test-annotation: "null" 
diff --git a/tests/testdata/policies/pass.yaml b/tests/testdata/policies/pass.yaml deleted file mode 100644 index fe3bc47a..00000000 --- a/tests/testdata/policies/pass.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: test-allow-policy - annotations: - policies.kyverno.io/title: Test Allow Policy - policies.kyverno.io/description: >- - Policy that is expected to allow resources under test through since no - resources should have this annotation. -spec: - validationFailureAction: audit - background: true - rules: - - name: forbid-test-annotation - match: - resources: - kinds: - - ConfigMap - validate: - message: "Found test-annotation" - pattern: - metadata: - =(annotations): - X(flux-local/test-annotation): "null" diff --git a/tests/tool/__snapshots__/test_get_cluster.ambr b/tests/tool/__snapshots__/test_get_cluster.ambr index 4dbc3753..03e6f797 100644 --- a/tests/tool/__snapshots__/test_get_cluster.ambr +++ b/tests/tool/__snapshots__/test_get_cluster.ambr @@ -84,7 +84,6 @@ images: - ghcr.io/stefanprodan/podinfo:6.3.2 - public.ecr.aws/docker/library/redis:7.0.6 - cluster_policies: [] config_maps: - name: podinfo-config namespace: podinfo @@ -95,7 +94,6 @@ helm_repos: [] oci_repos: [] helm_releases: [] - cluster_policies: [] config_maps: - name: cluster-config namespace: flux-system @@ -118,8 +116,6 @@ repo_type: oci oci_repos: [] helm_releases: [] - cluster_policies: - - name: test-allow-policy config_maps: [] secrets: [] - name: infra-controllers @@ -147,7 +143,6 @@ repo_kind: HelmRepository images: - ghcr.io/weaveworks/wego-app:v0.24.0 - cluster_policies: [] config_maps: [] secrets: [] @@ -172,7 +167,6 @@ repo_name: podinfo repo_namespace: flux-system repo_kind: HelmRepository - cluster_policies: [] config_maps: - name: podinfo-config namespace: podinfo @@ -183,7 +177,6 @@ helm_repos: [] oci_repos: [] helm_releases: [] - cluster_policies: [] config_maps: - name: cluster-config namespace: flux-system 
@@ -206,8 +199,6 @@ repo_type: oci oci_repos: [] helm_releases: [] - cluster_policies: - - name: test-allow-policy config_maps: [] secrets: [] - name: infra-controllers @@ -230,7 +221,6 @@ repo_name: weave-charts repo_namespace: flux-system repo_kind: HelmRepository - cluster_policies: [] config_maps: [] secrets: [] @@ -275,7 +265,6 @@ repo_kind: HelmRepository images: - tailscale/k8s-operator:v1.68.1 - cluster_policies: [] config_maps: - name: podinfo-values namespace: podinfo @@ -290,7 +279,6 @@ helm_repos: [] oci_repos: [] helm_releases: [] - cluster_policies: [] config_maps: [] secrets: [] @@ -335,7 +323,6 @@ repo_kind: HelmRepository images: - tailscale/k8s-operator:v1.68.1 - cluster_policies: [] config_maps: - name: podinfo-values namespace: podinfo @@ -349,7 +336,6 @@ helm_repos: [] oci_repos: [] helm_releases: [] - cluster_policies: [] config_maps: [] secrets: [] @@ -389,7 +375,6 @@ repo_name: tailscale repo_namespace: flux-system repo_kind: HelmRepository - cluster_policies: [] config_maps: - name: podinfo-values namespace: podinfo @@ -400,7 +385,6 @@ helm_repos: [] oci_repos: [] helm_releases: [] - cluster_policies: [] config_maps: [] secrets: [] diff --git a/tests/tool/test_test.py b/tests/tool/test_test.py index d2d36b25..87d642c1 100644 --- a/tests/tool/test_test.py +++ b/tests/tool/test_test.py @@ -24,11 +24,9 @@ async def test_test_ks(args: list[str]) -> None: (["tests/testdata/cluster"]), (["tests/testdata/cluster2"]), (["--sources", "cluster=tests/testdata/cluster3", "tests/testdata/cluster3"]), - (["--enable-kyverno", "tests/testdata/cluster"]), - (["--enable-kyverno", "tests/testdata/cluster2"]), (["tests/testdata/cluster9/clusters/dev"]), ], - ids=["cluster", "cluster2", "cluster3", "policy", "policy-cluster2", "cluster9"], + ids=["cluster", "cluster2", "cluster3", "cluster9"], ) async def test_test_hr(args: list[str]) -> None: """Test test helmrelease commands."""