Draft: Add Kyverno policy validation checks to Big Bang package, sandbox, and third-party pipelines
Closes https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/717 and https://repo1.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/-/issues/68
Changes:
- Replaced Gatekeeper rego policies with Kyverno YAML policies
- Removed policy that validates whether pods have a `status.qosClass` of `Guaranteed`. See this doc for more information. The `status.qosClass` field is only present in pod YAML at runtime, so this check would never be satisfied because our pipelines perform policy checks against Kubernetes resources prior to being installed onto a cluster.
- Removed unused tooling from bb-ci image
- Updated tools in bb-ci Dockerfile that had them available
- Added kyverno cli to bb-ci image
- Refactored bb-ci Dockerfile to use multi-stage build approach
- Updated image tag in templates.yaml
- Replaced helm conftest commands with kyverno cli commands in templates.sh
- Added two new variables, `$GLOBAL_POLICY_EXIT_CODE` && `$PACKAGE_POLICY_EXIT_CODE`.
- Kyverno produces exit status code 1 when a policy check fails, so the pipelines are configured to have an allowed failure of exit code 1
- Added a `requirements.txt` file for managing and installing Python packages instead of listing the packages directly in the Dockerfile
Tests:
The `configuration validation` job in these pipelines executes the `kyverno apply` command against a given Big Bang package and shows the failed policy checks in the output under `Global Policy Tests` in the pipeline output.
- https://repo1.dso.mil/platform-one/big-bang/pipeline-templates/package-validation/-/pipelines/986316
- https://repo1.dso.mil/platform-one/big-bang/pipeline-templates/package-validation/-/pipelines/986315
- https://repo1.dso.mil/platform-one/big-bang/pipeline-templates/package-validation/-/pipelines/984890
- https://repo1.dso.mil/platform-one/big-bang/pipeline-templates/package-validation/-/pipelines/984825
- https://repo1.dso.mil/platform-one/big-bang/pipeline-templates/package-validation/-/pipelines/984782
- https://repo1.dso.mil/platform-one/big-bang/pipeline-templates/package-validation/-/pipelines/984774
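As an added illustration of the kind of policy the pipeline evaluates before install (example policy written for this description, not one of Big Bang's own policy files; the policy name and message text are assumptions), the following Kyverno `ClusterPolicy` checks a field that is present in rendered manifests, container resource limits, rather than a runtime-only field like `status.qosClass`:

```yaml
# Added example Kyverno policy (not from the Big Bang repository).
# It validates rendered Pod specs statically, so it works with
# `kyverno apply` in a pipeline before anything reaches a cluster.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-resource-limits   # assumed name
spec:
  # Enforce: kyverno apply reports the resource as failed (exit code 1
  # in the CLI) instead of only auditing it.
  validationFailureAction: Enforce
  background: true
  rules:
    - name: validate-container-limits
      match:
        any:
          - resources:
              kinds:
                - Pod   # Kyverno auto-generates rules for Deployments, StatefulSets, etc.
      validate:
        message: "Every container must set CPU and memory limits."   # assumed text
        pattern:
          spec:
            containers:
              # "?*" requires the key to exist with a non-empty value;
              # each container in the list must satisfy it.
              - resources:
                  limits:
                    cpu: "?*"
                    memory: "?*"
```

In a pipeline this would be evaluated with something like `helm template <release> <chart> | kyverno apply <policy-file> --resource -` (command shape assumed from the page's description, not quoted from `templates.sh`); a failing resource yields exit status 1, which is why the jobs treat that exit code as an allowed failure rather than an error.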
Since there was a pretty large refactor of the bb-ci Dockerfile, I verified that Big Bang pipelines using the updated image were still running fine. There haven't been any issues observed with the latest 2.5.1 bb-ci image that was updated, pushed and used for testing the changes in this MR.