UNCLASSIFIED - NO CUI


Draft: Add Kyverno policy validation checks to Big Bang package, sandbox, and third-party pipelines

Lucas Rodriguez requested to merge kyverno_policies into master

Closes https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/717 and https://repo1.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/-/issues/68

Changes:

  • Replaced Gatekeeper rego policies with Kyverno YAML policies

  • Removed policy that validates whether pods have a status.qosClass of Guaranteed. See this doc for more information. The status.qosClass field is only present in pod YAML at runtime, so this check would never be satisfied because our pipelines perform policy checks against Kubernetes resources prior to being installed onto a cluster.

  • Removed unused tooling from bb-ci image

  • Updated tools in bb-ci Dockerfile that had them available

  • Added kyverno cli to bb-ci image

  • Refactored bb-ci Dockerfile to use multi-stage build approach

  • Updated image tag in templates.yaml

  • Replaced helm conftest commands with kyverno cli commands in templates.sh

  • Added two new variables, $GLOBAL_POLICY_EXIT_CODE && $PACKAGE_POLICY_EXIT_CODE.

  • Kyverno produces exit status code 1 when a policy check fails, so the pipelines are configured to have an allowed failure of exit code 1

  • Added a requirements.txt file for managing and installing Python packages instead of listing the packages directly in the Dockerfile

Tests:

The configuration validation job in these pipelines executes the kyverno apply command against a given Big Bang package and shows the failed policy checks in the output under Global Policy Tests in the pipeline output.

Since there was a pretty large refactor of the bb-ci Dockerfile, I verified that Big Bang pipelines using the updated image were still running fine.

There haven't been any issues observed with the latest 2.5.1 bb-ci image that was updated, pushed and used for testing the changes in this MR.

Edited by Lucas Rodriguez
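An added illustration of the qosClass point made in the MR description (this is example code written for this page, not code from the MR, the Big Bang project, or Kyverno): the rendered manifest a pipeline validates has no `status` block, so a runtime check on `status.qosClass` can never pass, whereas the static precondition for the Guaranteed class (every container sets cpu and memory requests equal to limits) can be checked pre-install. The manifest below is constructed, and the pipeline in the MR uses the Kyverno CLI rather than Python; the functions here only model the reasoning.

```python
# Added example, not from the Big Bang MR or project: why a policy on
# status.qosClass cannot pass against rendered manifests, and the static
# equivalent that can be evaluated before installation. Standard library only.
from typing import Any, Dict, List, Optional

# Constructed rendered manifest, as `helm template` would emit it: note the
# absence of any `status` block, which only exists once the pod is scheduled.
RENDERED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example", "namespace": "default"},
    "spec": {
        "initContainers": [
            {"name": "init",
             "resources": {"requests": {"cpu": "50m", "memory": "32Mi"},
                           "limits": {"cpu": "50m", "memory": "32Mi"}}},
        ],
        "containers": [
            {"name": "app",
             "resources": {"requests": {"cpu": "500m", "memory": "256Mi"},
                           "limits": {"cpu": "500m", "memory": "256Mi"}}},
            {"name": "sidecar",
             "resources": {"requests": {"cpu": "100m", "memory": "64Mi"},
                           "limits": {"cpu": "200m", "memory": "64Mi"}}},
        ],
    },
}


def qos_class_is_guaranteed(manifest: Dict[str, Any]) -> Optional[bool]:
    """Runtime-style check. Returns None when status.qosClass is absent,
    which is always the case for a manifest that has not been applied yet."""
    qos = manifest.get("status", {}).get("qosClass")
    return None if qos is None else qos == "Guaranteed"


def guaranteed_qos_violations(manifest: Dict[str, Any]) -> List[str]:
    """Static equivalent of the Guaranteed class: every container (init
    containers included, since Kubernetes counts them) must set cpu and
    memory requests and limits, and each request must equal its limit."""
    spec = manifest.get("spec", {})
    violations: List[str] = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        res = c.get("resources", {})
        req, lim = res.get("requests", {}), res.get("limits", {})
        for r in ("cpu", "memory"):
            if r not in req or r not in lim:
                violations.append(f"{c['name']}: {r} request/limit missing")
            elif req[r] != lim[r]:
                violations.append(
                    f"{c['name']}: {r} request {req[r]} != limit {lim[r]}")
    return violations
```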
