Running with gitlab-runner 17.8.0 (e4f782b3)
  on gitlab-runner-8499b86c48-rh4tp t2__Ghhs, system ID: r_oNIBmvSDbUJm
Resolving secrets
section_start:1742331247:prepare_executor
Preparing the "kubernetes" executor
Using Kubernetes namespace: gitlab-runner
Using Kubernetes executor with image registry1.dso.mil/bigbang-ci/bb-ci:2.21.1 ...
Using attach strategy to execute scripts...
section_end:1742331247:prepare_executor
section_start:1742331247:prepare_script
Preparing environment
Using FF_USE_POD_ACTIVE_DEADLINE_SECONDS, the Pod activeDeadlineSeconds will be set to the job timeout: 1h0m0s...
Waiting for pod gitlab-runner/runner-t2ghhs-project-2489-concurrent-0-09501t0n to be running, status is Pending
Waiting for pod gitlab-runner/runner-t2ghhs-project-2489-concurrent-0-09501t0n to be running, status is Pending
	ContainersNotInitialized: "containers with incomplete status: [init-permissions]"
	ContainersNotReady: "containers with unready status: [build helper]"
	ContainersNotReady: "containers with unready status: [build helper]"
Running on runner-t2ghhs-project-2489-concurrent-0-09501t0n via gitlab-runner-8499b86c48-rh4tp...

section_end:1742331253:prepare_script
section_start:1742331254:get_sources
Getting source from Git repository
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/big-bang/product/packages/minio/.git/
Created fresh repository.
Checking out 581bcdbd as detached HEAD (ref is main)...

Skipping Git submodules setup

section_end:1742331255:get_sources
section_start:1742331255:step_script
Executing "step_script" stage of the job script
$ git clone -b ${PIPELINE_REPO_BRANCH} ${PIPELINE_REPO} ${PIPELINE_REPO_DESTINATION}
Cloning into '../pipeline-repo'...
$ source ${PIPELINE_REPO_DESTINATION}/library/templates.sh
$ source ${PIPELINE_REPO_DESTINATION}/library/bigbang-functions.sh
$ source ${PIPELINE_REPO_DESTINATION}/library/package-functions.sh
$ source ${PIPELINE_REPO_DESTINATION}/library/k8s-functions.sh
$ source ${PIPELINE_REPO_DESTINATION}/library/rds-functions.sh
$ source ${PIPELINE_REPO_DESTINATION}/library/alerting-functions.sh
$ package_auth_setup
$ package_lint
section_start:1742331256:package_lint[collapsed=true]
Package Linting
Linting with default values using ==> Linting chart

1 chart(s) linted, 0 chart(s) failed...
==> Linting chart

1 chart(s) linted, 0 chart(s) failed
Linting with test values using ...
section_end:1742331256:package_lint

$ bash ${PIPELINE_REPO_DESTINATION}/scripts/policies/kyverno_policy_tests.sh
section_start:1742331256:kyverno_policy_tests[collapsed=true]
Kyverno Policy Tests
Executing Kyverno policy tests using the tests/test-values.yaml file as override values for the minio chart...

Applying 68 policy rule(s) to 11 resource(s)...

policy add-default-capability-drop applied to default/Secret/minio-creds-secret:
apiVersion: v1
data:
  accesskey: bWluaW8=
  secretkey: bWluaW8xMjM=
kind: Secret
metadata:
  name: minio-creds-secret
  namespace: default
stringData:
  config.env: |-
    export MINIO_ROOT_USER="minio"
    export MINIO_ROOT_PASSWORD="minio123"
type: Opaque

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to default/Secret/minio-creds-secret:
apiVersion: v1
data:
  accesskey: bWluaW8=
  secretkey: bWluaW8xMjM=
kind: Secret
metadata:
  name: minio-creds-secret
  namespace: default
stringData:
  config.env: |-
    export MINIO_ROOT_USER="minio"
    export MINIO_ROOT_PASSWORD="minio123"
type: Opaque

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to default/Tenant/minio-minio-instance:
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  labels:
    app: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/version: v7.0.0
  name: minio-minio-instance
  namespace: default
spec:
  configuration:
    name: minio-creds-secret
  features:
    bucketDNS: false
    enableSFTP: false
  image: registry1.dso.mil/ironbank/opensource/minio/minio:RELEASE.2025-01-20T14-49-07Z
  imagePullPolicy: IfNotPresent
  imagePullSecret:
    name: private-registry
  mountPath: /export
  podManagementPolicy: Parallel
  pools:
  - name: pool-0
    securityContext:
      capabilities:
        drop:
        - ALL
      fsGroup: 1001
      fsGroupChangePolicy: OnRootMismatch
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
    servers: 2
    volumeClaimTemplate:
      metadata:
        name: data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
    volumesPerServer: 4
  prometheusOperator: false
  requestAutoCert: false
  subPath: /data

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to default/Tenant/minio-minio-instance:
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  labels:
    app: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/version: v7.0.0
  name: minio-minio-instance
  namespace: default
spec:
  configuration:
    name: minio-creds-secret
  features:
    bucketDNS: false
    enableSFTP: false
  image: registry1.dso.mil/ironbank/opensource/minio/minio:RELEASE.2025-01-20T14-49-07Z
  imagePullPolicy: IfNotPresent
  imagePullSecret:
    name: private-registry
  mountPath: /export
  podManagementPolicy: Parallel
  pools:
  - name: pool-0
    securityContext:
      capabilities:
        drop:
        - ALL
      fsGroup: 1001
      fsGroupChangePolicy: OnRootMismatch
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
    servers: 2
    volumeClaimTemplate:
      metadata:
        name: data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
    volumesPerServer: 4
  prometheusOperator: false
  requestAutoCert: false
  subPath: /data

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/ServiceAccount/minio-instance-wait-job-sa:
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-sa
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/ServiceAccount/minio-instance-wait-job-sa:
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-sa
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/ConfigMap/minio-instance-cypress-config:
apiVersion: v1
data:
  01-minio-login.spec.cy.js: "describe('Minio Login', function() {\n  it('Check Minio
    Login', function() {\n      cy.visit(Cypress.env('url'), { timeout: 15000 })\n
    \     // Fill the username\n      cy.get('input[id=\"accessKey\"]').type(Cypress.env('accesskey'),{delay:
    0})\n\n      // Fill the password\n      cy.get('input[id=\"secretKey\"]').type(Cypress.env('secretkey'),{delay:
    0})\n\n      // Locate and submit the form\n      cy.get('form').submit();\n      \n
    \     // Verify the page title is \"Home\"\n      cy.title().should('eq', 'MinIO
    Console');\n    \n  })\n})\n"
kind: ConfigMap
metadata:
  annotations:
    helm.sh/hook: test-success
    helm.sh/hook-weight: "-5"
    sidecar.istio.io/inject: "false"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm-test: enabled
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-cypress-config
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/ConfigMap/minio-instance-cypress-config:
apiVersion: v1
data:
  01-minio-login.spec.cy.js: "describe('Minio Login', function() {\n  it('Check Minio
    Login', function() {\n      cy.visit(Cypress.env('url'), { timeout: 15000 })\n
    \     // Fill the username\n      cy.get('input[id=\"accessKey\"]').type(Cypress.env('accesskey'),{delay:
    0})\n\n      // Fill the password\n      cy.get('input[id=\"secretKey\"]').type(Cypress.env('secretkey'),{delay:
    0})\n\n      // Locate and submit the form\n      cy.get('form').submit();\n      \n
    \     // Verify the page title is \"Home\"\n      cy.title().should('eq', 'MinIO
    Console');\n    \n  })\n})\n"
kind: ConfigMap
metadata:
  annotations:
    helm.sh/hook: test-success
    helm.sh/hook-weight: "-5"
    sidecar.istio.io/inject: "false"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm-test: enabled
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-cypress-config
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/ConfigMap/minio-instance-wait-script:
apiVersion: v1
data:
  wait.sh: |-
    #!/bin/bash
    timeElapsed=0
    while true; do
       resourceHealth=$(kubectl get tenant -n minio -o jsonpath='{.items[0].status.healthStatus}')
       if [[ $resourceHealth == "green" ]]; then                                             # Update with desired health/output of the jsonpath
          echo "minio custom resource creation finished"
          break
       fi
       sleep 5
       timeElapsed=$(($timeElapsed+5))
       if [[ $timeElapsed -ge 600 ]]; then
          echo "timeout waiting 600 seconds for minio resource creation, running describe..." 1>&2
          kubectl describe tenant -n minio 1>&2
          exit 1
       fi
    done
kind: ConfigMap
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-weight: "-5"
    sidecar.istio.io/inject: "false"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
    wait-job: enabled
  name: minio-instance-wait-script
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/ConfigMap/minio-instance-wait-script:
apiVersion: v1
data:
  wait.sh: |-
    #!/bin/bash
    timeElapsed=0
    while true; do
       resourceHealth=$(kubectl get tenant -n minio -o jsonpath='{.items[0].status.healthStatus}')
       if [[ $resourceHealth == "green" ]]; then                                             # Update with desired health/output of the jsonpath
          echo "minio custom resource creation finished"
          break
       fi
       sleep 5
       timeElapsed=$(($timeElapsed+5))
       if [[ $timeElapsed -ge 600 ]]; then
          echo "timeout waiting 600 seconds for minio resource creation, running describe..." 1>&2
          kubectl describe tenant -n minio 1>&2
          exit 1
       fi
    done
kind: ConfigMap
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-weight: "-5"
    sidecar.istio.io/inject: "false"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
    wait-job: enabled
  name: minio-instance-wait-script
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/ConfigMap/minio-instance-script-config:
apiVersion: v1
data:
  test-write.sh: |-
    #!/bin/bash
    set -ex

    attempt_counter=0
    max_attempts=25
    until [ $(mc --config-dir /test config host add bigbang ${MINIO_HOST}$(if [ -n "${MINIO_PORT}" ] ; then echo ":";fi)${MINIO_PORT} ${ACCESS_KEY} ${SECRET_KEY} >/dev/null; echo $?) -eq 0 ]; do
      if [ ${attempt_counter} -eq ${max_attempts} ];then
        echo "Max attempts reached"
        exit 1
      fi
      attempt_counter=$(($attempt_counter+1))
      sleep 10
    done
    # cleanup from pervious runs
    mc --config-dir /test rb bigbang/foobar --force || true
    mc --config-dir /test mb bigbang/foobar
    mc --config-dir /test ls bigbang/foobar
    base64 /dev/urandom | head -c 10000000 > /test/file.txt
    md5sum /test/file.txt > /test/filesig
    mc --config-dir /test cp /test/file.txt bigbang/foobar/file.txt
    mc --config-dir /test ls bigbang/foobar/file.txt
    mc --config-dir /test cp bigbang/foobar/file.txt /test/file.txt
    mc --config-dir /test rb bigbang/foobar --force
    md5sum -c /test/filesig
kind: ConfigMap
metadata:
  annotations:
    helm.sh/hook: test-success
    helm.sh/hook-weight: "-5"
    sidecar.istio.io/inject: "false"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm-test: enabled
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-script-config
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/ConfigMap/minio-instance-script-config:
apiVersion: v1
data:
  test-write.sh: |-
    #!/bin/bash
    set -ex

    attempt_counter=0
    max_attempts=25
    until [ $(mc --config-dir /test config host add bigbang ${MINIO_HOST}$(if [ -n "${MINIO_PORT}" ] ; then echo ":";fi)${MINIO_PORT} ${ACCESS_KEY} ${SECRET_KEY} >/dev/null; echo $?) -eq 0 ]; do
      if [ ${attempt_counter} -eq ${max_attempts} ];then
        echo "Max attempts reached"
        exit 1
      fi
      attempt_counter=$(($attempt_counter+1))
      sleep 10
    done
    # cleanup from pervious runs
    mc --config-dir /test rb bigbang/foobar --force || true
    mc --config-dir /test mb bigbang/foobar
    mc --config-dir /test ls bigbang/foobar
    base64 /dev/urandom | head -c 10000000 > /test/file.txt
    md5sum /test/file.txt > /test/filesig
    mc --config-dir /test cp /test/file.txt bigbang/foobar/file.txt
    mc --config-dir /test ls bigbang/foobar/file.txt
    mc --config-dir /test cp bigbang/foobar/file.txt /test/file.txt
    mc --config-dir /test rb bigbang/foobar --force
    md5sum -c /test/filesig
kind: ConfigMap
metadata:
  annotations:
    helm.sh/hook: test-success
    helm.sh/hook-weight: "-5"
    sidecar.istio.io/inject: "false"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm-test: enabled
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-script-config
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/Role/minio-instance-wait-job-role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-role
  namespace: minio
rules:
- apiGroups:
  - minio.min.io
  - minio.min.io/v2
  resources:
  - tenants
  - tenant
  - tenants.minio.min.io
  verbs:
  - get
  - list
  - watch

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/Role/minio-instance-wait-job-role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-role
  namespace: minio
rules:
- apiGroups:
  - minio.min.io
  - minio.min.io/v2
  resources:
  - tenants
  - tenant
  - tenants.minio.min.io
  verbs:
  - get
  - list
  - watch

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/RoleBinding/minio-instance-wait-job-rolebinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-rolebinding
  namespace: minio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: minio-instance-wait-job-role
subjects:
- kind: ServiceAccount
  name: minio-instance-wait-job-sa
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/RoleBinding/minio-instance-wait-job-rolebinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-rolebinding
  namespace: minio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: minio-instance-wait-job-role
subjects:
- kind: ServiceAccount
  name: minio-instance-wait-job-sa
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/Pod/minio-instance-cypress-test:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    helm.sh/hook: test-success
    helm.sh/hook-weight: "5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm-test: enabled
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-cypress-test
  namespace: minio
spec:
  containers:
  - command:
    - /bin/bash
    - -c
    - "trap 'curl -s -X POST http://localhost:15000/quitquitquit || true' ERR\nexport
      EXIT_CODE=0\nset -e\n  cp /src/*.cy.js /test/cypress/e2e\nif [[ -d /custom ]];
      then\n  cp /custom/*.cy.js /test/cypress/e2e \nfi\nif [[ -d /test/cypress/e2e
      && -n \"$(ls /test/cypress/e2e/*.cy.js 2>/dev/null)\" ]]; then\n  wget -P /test/cypress/common
      https://repo1.dso.mil/big-bang/product/packages/gluon/-/raw/master/common/commands.js\n
      \ (npx cypress run --browser chrome --headless && export EXIT_CODE=$?) || export
      EXIT_CODE=$?\n  if [[ -n \"$(ls /test/cypress/logs/* 2>/dev/null)\" ]]; then\n
      \   echo \"found cypress logs from the pod\"\n    mkdir -p /cypress/logs/minio\n
      \   mv /test/cypress/logs/* /cypress/logs/minio/\n  else\n    echo \"no cypress
      logs found from the pod\"\n  fi\n  if [[ -n \"$(ls /test/cypress/screenshots/*
      2>/dev/null)\" ]]; then\n    echo \"found cypress screenshots from the pod\"\n
      \   mkdir -p /cypress/screenshots/minio\n    mv /test/cypress/screenshots/*
      /cypress/screenshots/minio/\n  else\n    echo \"no cypress screenshots found
      from the pod\"\n  fi\n  if [[ -n \"$(ls /test/cypress/videos/* 2>/dev/null)\"
      ]]; then\n    echo \"found cypress videos from the pod\"\n    mkdir -p /cypress/videos/minio\n
      \   mv /test/cypress/videos/* /cypress/videos/minio/\n  else\n    echo \"no
      cypress videos found from the pod\"\n  fi\nfi\ncurl -s -X POST http://localhost:15000/quitquitquit
      || true\nexit ${EXIT_CODE}\n"
    env:
    - name: XDG_CONFIG_HOME
      value: /tmp
    - name: cypress_gluon_version
      value: 0.5.14
    - name: cypress_url
      value: http://minio-minio-instance-console:9090/login
    - name: cypress_secretkey
      valueFrom:
        secretKeyRef:
          key: secretkey
          name: minio-creds-secret
    - name: cypress_accesskey
      valueFrom:
        secretKeyRef:
          key: accesskey
          name: minio-creds-secret
    image: registry1.dso.mil/bigbang-ci/cypress:13.17.0
    imagePullPolicy: IfNotPresent
    name: minio-instance-cypress-test
    resources:
      limits:
        cpu: "2"
        memory: 4Gi
      requests:
        cpu: "2"
        memory: 4Gi
    securityContext:
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
    volumeMounts:
    - mountPath: /test/cypress/common
      name: commondir
    - mountPath: /test/cypress/e2e
      name: testdir
    - mountPath: /src
      name: cypress-tests
    - mountPath: /tmp
      name: tmpdir
    - mountPath: /test/cypress/logs
      name: cypress-logs
    - mountPath: /test/cypress/screenshots
      name: screenshots
    - mountPath: /test/cypress/videos
      name: videos
    - mountPath: /home/node/.npm
      name: logs
    - mountPath: /cypress
      name: cypress-artifacts
  imagePullSecrets:
  - name: private-registry
  restartPolicy: Never
  securityContext:
    fsGroup: 1000
    runAsGroup: 1000
    runAsUser: 1000
  volumes:
  - configMap:
      name: minio-instance-cypress-config
    name: cypress-tests
  - emptyDir: {}
    name: tmpdir
  - emptyDir: {}
    name: commondir
  - emptyDir: {}
    name: testdir
  - emptyDir: {}
    name: cypress-logs
  - emptyDir: {}
    name: screenshots
  - emptyDir: {}
    name: videos
  - emptyDir: {}
    name: logs
  - hostPath:
      path: /cypress
    name: cypress-artifacts

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/Pod/minio-instance-cypress-test:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    helm.sh/hook: test-success
    helm.sh/hook-weight: "5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm-test: enabled
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-cypress-test
  namespace: minio
spec:
  containers:
  - command:
    - /bin/bash
    - -c
    - "trap 'curl -s -X POST http://localhost:15000/quitquitquit || true' ERR\nexport
      EXIT_CODE=0\nset -e\n  cp /src/*.cy.js /test/cypress/e2e\nif [[ -d /custom ]];
      then\n  cp /custom/*.cy.js /test/cypress/e2e \nfi\nif [[ -d /test/cypress/e2e
      && -n \"$(ls /test/cypress/e2e/*.cy.js 2>/dev/null)\" ]]; then\n  wget -P /test/cypress/common
      https://repo1.dso.mil/big-bang/product/packages/gluon/-/raw/master/common/commands.js\n
      \ (npx cypress run --browser chrome --headless && export EXIT_CODE=$?) || export
      EXIT_CODE=$?\n  if [[ -n \"$(ls /test/cypress/logs/* 2>/dev/null)\" ]]; then\n
      \   echo \"found cypress logs from the pod\"\n    mkdir -p /cypress/logs/minio\n
      \   mv /test/cypress/logs/* /cypress/logs/minio/\n  else\n    echo \"no cypress
      logs found from the pod\"\n  fi\n  if [[ -n \"$(ls /test/cypress/screenshots/*
      2>/dev/null)\" ]]; then\n    echo \"found cypress screenshots from the pod\"\n
      \   mkdir -p /cypress/screenshots/minio\n    mv /test/cypress/screenshots/*
      /cypress/screenshots/minio/\n  else\n    echo \"no cypress screenshots found
      from the pod\"\n  fi\n  if [[ -n \"$(ls /test/cypress/videos/* 2>/dev/null)\"
      ]]; then\n    echo \"found cypress videos from the pod\"\n    mkdir -p /cypress/videos/minio\n
      \   mv /test/cypress/videos/* /cypress/videos/minio/\n  else\n    echo \"no
      cypress videos found from the pod\"\n  fi\nfi\ncurl -s -X POST http://localhost:15000/quitquitquit
      || true\nexit ${EXIT_CODE}\n"
    env:
    - name: XDG_CONFIG_HOME
      value: /tmp
    - name: cypress_gluon_version
      value: 0.5.14
    - name: cypress_url
      value: http://minio-minio-instance-console:9090/login
    - name: cypress_secretkey
      valueFrom:
        secretKeyRef:
          key: secretkey
          name: minio-creds-secret
    - name: cypress_accesskey
      valueFrom:
        secretKeyRef:
          key: accesskey
          name: minio-creds-secret
    image: registry1.dso.mil/bigbang-ci/cypress:13.17.0
    imagePullPolicy: IfNotPresent
    name: minio-instance-cypress-test
    resources:
      limits:
        cpu: "2"
        memory: 4Gi
      requests:
        cpu: "2"
        memory: 4Gi
    securityContext:
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
    volumeMounts:
    - mountPath: /test/cypress/common
      name: commondir
    - mountPath: /test/cypress/e2e
      name: testdir
    - mountPath: /src
      name: cypress-tests
    - mountPath: /tmp
      name: tmpdir
    - mountPath: /test/cypress/logs
      name: cypress-logs
    - mountPath: /test/cypress/screenshots
      name: screenshots
    - mountPath: /test/cypress/videos
      name: videos
    - mountPath: /home/node/.npm
      name: logs
    - mountPath: /cypress
      name: cypress-artifacts
  imagePullSecrets:
  - name: private-registry
  restartPolicy: Never
  securityContext:
    fsGroup: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
  volumes:
  - configMap:
      name: minio-instance-cypress-config
    name: cypress-tests
  - emptyDir: {}
    name: tmpdir
  - emptyDir: {}
    name: commondir
  - emptyDir: {}
    name: testdir
  - emptyDir: {}
    name: cypress-logs
  - emptyDir: {}
    name: screenshots
  - emptyDir: {}
    name: videos
  - emptyDir: {}
    name: logs
  - hostPath:
      path: /cypress
    name: cypress-artifacts

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/Pod/minio-instance-script-test:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    helm.sh/hook: test-success
    helm.sh/hook-weight: "10"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm-test: enabled
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-script-test
  namespace: minio
spec:
  containers:
  - command:
    - /bin/bash
    - -c
    - |
      trap 'curl -s -X POST http://localhost:15000/quitquitquit || true' ERR
      set -e
      if [[ -d /src && -n "$(ls /src/* 2>/dev/null)" ]]; then
        cp /src/* /test/
      fi
      if [[ -n "$(ls . 2>/dev/null)" ]]; then
        for script in *; do
          if [[ -d ${script} ]]; then
            continue;
          fi
          chmod +x ${script}
          echo "---"
          echo "Running ${script}..."
          echo "---"
          ./${script}
        done
      fi
      curl -s -X POST http://localhost:15000/quitquitquit || true
    env:
    - name: MINIO_HOST
      value: http://minio
    - name: MINIO_PORT
      value: "80"
    - name: SECRET_KEY
      valueFrom:
        secretKeyRef:
          key: secretkey
          name: minio-creds-secret
    - name: ACCESS_KEY
      valueFrom:
        secretKeyRef:
          key: accesskey
          name: minio-creds-secret
    image: registry1.dso.mil/ironbank/opensource/minio/mc:RELEASE.2025-01-17T23-25-50Z
    imagePullPolicy: IfNotPresent
    name: minio-instance-script-test
    resources:
      limits:
        cpu: "1"
        memory: 1Gi
      requests:
        cpu: "1"
        memory: 1Gi
    securityContext:
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
    volumeMounts:
    - mountPath: /src
      name: script-tests
    - mountPath: /test
      name: workdir
    workingDir: /test
  imagePullSecrets:
  - name: private-registry
  restartPolicy: Never
  securityContext:
    fsGroup: 1000
    runAsGroup: 1000
    runAsUser: 1000
  volumes:
  - configMap:
      name: minio-instance-script-config
    name: script-tests
  - emptyDir: {}
    name: workdir

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/Pod/minio-instance-script-test:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    helm.sh/hook: test-success
    helm.sh/hook-weight: "10"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm-test: enabled
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-script-test
  namespace: minio
spec:
  containers:
  - command:
    - /bin/bash
    - -c
    - |
      trap 'curl -s -X POST http://localhost:15000/quitquitquit || true' ERR
      set -e
      if [[ -d /src && -n "$(ls /src/* 2>/dev/null)" ]]; then
        cp /src/* /test/
      fi
      if [[ -n "$(ls . 2>/dev/null)" ]]; then
        for script in *; do
          if [[ -d ${script} ]]; then
            continue;
          fi
          chmod +x ${script}
          echo "---"
          echo "Running ${script}..."
          echo "---"
          ./${script}
        done
      fi
      curl -s -X POST http://localhost:15000/quitquitquit || true
    env:
    - name: MINIO_HOST
      value: http://minio
    - name: MINIO_PORT
      value: "80"
    - name: SECRET_KEY
      valueFrom:
        secretKeyRef:
          key: secretkey
          name: minio-creds-secret
    - name: ACCESS_KEY
      valueFrom:
        secretKeyRef:
          key: accesskey
          name: minio-creds-secret
    image: registry1.dso.mil/ironbank/opensource/minio/mc:RELEASE.2025-01-17T23-25-50Z
    imagePullPolicy: IfNotPresent
    name: minio-instance-script-test
    resources:
      limits:
        cpu: "1"
        memory: 1Gi
      requests:
        cpu: "1"
        memory: 1Gi
    securityContext:
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
    volumeMounts:
    - mountPath: /src
      name: script-tests
    - mountPath: /test
      name: workdir
    workingDir: /test
  imagePullSecrets:
  - name: private-registry
  restartPolicy: Never
  securityContext:
    fsGroup: 1000
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
  volumes:
  - configMap:
      name: minio-instance-script-config
    name: script-tests
  - emptyDir: {}
    name: workdir

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/Job/minio-instance-wait-job:
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "10000"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job
  namespace: minio
spec:
  template:
    metadata: null
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - |
          if [[ -d /src && -n "$(ls /src/* 2>/dev/null)" ]]; then
            cp /src/* /wait/
          fi
          if [[ -n "$(ls . 2>/dev/null)" ]]; then
            for script in *; do
              if [[ -d ${script} ]]; then
                continue;
              fi
              chmod +x ${script}
              echo "---"
              echo "Running ${script}..."
              echo "---"
              ./${script}
            done
          fi
        image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.6
        imagePullPolicy: IfNotPresent
        name: wait-job
        resources:
          limits:
            cpu: 0.5
            memory: 128Mi
          requests:
            cpu: 0.5
            memory: 128Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 1000
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /wait
          name: workdir
        - mountPath: /src
          name: wait-scripts
        workingDir: /wait
      imagePullSecrets:
      - name: private-registry
      restartPolicy: Never
      serviceAccountName: minio-instance-wait-job-sa
      volumes:
      - emptyDir: {}
        name: workdir
      - configMap:
          name: minio-instance-wait-script
        name: wait-scripts

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/Job/minio-instance-wait-job:
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "10000"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job
  namespace: minio
spec:
  template:
    metadata: null
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - |
          if [[ -d /src && -n "$(ls /src/* 2>/dev/null)" ]]; then
            cp /src/* /wait/
          fi
          if [[ -n "$(ls . 2>/dev/null)" ]]; then
            for script in *; do
              if [[ -d ${script} ]]; then
                continue;
              fi
              chmod +x ${script}
              echo "---"
              echo "Running ${script}..."
              echo "---"
              ./${script}
            done
          fi
        image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.6
        imagePullPolicy: IfNotPresent
        name: wait-job
        resources:
          limits:
            cpu: 0.5
            memory: 128Mi
          requests:
            cpu: 0.5
            memory: 128Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 1000
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /wait
          name: workdir
        - mountPath: /src
          name: wait-scripts
        workingDir: /wait
      imagePullSecrets:
      - name: private-registry
      restartPolicy: Never
      securityContext:
        fsGroup: 65534
        runAsGroup: 65534
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccountName: minio-instance-wait-job-sa
      volumes:
      - emptyDir: {}
        name: workdir
      - configMap:
          name: minio-instance-wait-script
        name: wait-scripts

---


Mutation:
Mutation has been applied successfully.
policy disallow-auto-mount-service-account-token -> resource minio/ServiceAccount/minio-instance-wait-job-sa failed:
1 - automount-service-accounts validation error: Automount Kubernetes API Credentials isn't turned off. The field automountServiceAccountToken  must be set to false. rule automount-service-accounts failed at path /automountServiceAccountToken/


skipped mutate policy add-default-capability-drop -> resource minio/Pod/minio-instance-cypress-test
policy restrict-host-path-mount -> resource minio/Pod/minio-instance-cypress-test failed:
1 - restrict-hostpath-dirs validation error: hostPath volume paths are restricted to the allowed list. rule restrict-hostpath-dirs failed at path /spec/volumes/8/hostPath/path/

policy restrict-host-path-write -> resource minio/Pod/minio-instance-cypress-test failed:
1 - require-readonly-hostpath validation failure: hostPath volumes must be mounted as readOnly.

policy restrict-volume-types -> resource minio/Pod/minio-instance-cypress-test failed:
1 - restrict-volume-types validation failure: validation error: One or more volume types used in the pod is not in the allowed list. rule restrict-volume-types[0] failed at path / rule restrict-volume-types[1] failed at path / rule restrict-volume-types[2] failed at path / rule restrict-volume-types[3] failed at path / rule restrict-volume-types[4] failed at path / rule restrict-volume-types[5] failed at path / rule restrict-volume-types[6] failed at path / rule restrict-volume-types[7] failed at path /


skipped mutate policy add-default-capability-drop -> resource minio/Pod/minio-instance-script-test

skipped mutate policy add-default-capability-drop -> resource minio/Job/minio-instance-wait-job

pass: 57, fail: 0, warn: 4, error: 0, skip: 3 
⬆️  See the policy test results above (tested using test values) ⬆️
Executing Kyverno policy tests using the default values for the minio chart...

Applying 68 policy rule(s) to 7 resource(s)...

policy add-default-capability-drop applied to default/Secret/minio-creds-secret:
apiVersion: v1
data:
  accesskey: bWluaW8=
  secretkey: bWluaW8xMjM=
kind: Secret
metadata:
  name: minio-creds-secret
  namespace: default
stringData:
  config.env: |-
    export MINIO_ROOT_USER="minio"
    export MINIO_ROOT_PASSWORD="minio123"
type: Opaque

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to default/Secret/minio-creds-secret:
apiVersion: v1
data:
  accesskey: bWluaW8=
  secretkey: bWluaW8xMjM=
kind: Secret
metadata:
  name: minio-creds-secret
  namespace: default
stringData:
  config.env: |-
    export MINIO_ROOT_USER="minio"
    export MINIO_ROOT_PASSWORD="minio123"
type: Opaque

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to default/Tenant/minio-minio-instance:
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  labels:
    app: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/version: v7.0.0
  name: minio-minio-instance
  namespace: default
spec:
  configuration:
    name: minio-creds-secret
  features:
    bucketDNS: false
    enableSFTP: false
  image: registry1.dso.mil/ironbank/opensource/minio/minio:RELEASE.2025-01-20T14-49-07Z
  imagePullPolicy: IfNotPresent
  imagePullSecret:
    name: private-registry
  mountPath: /export
  podManagementPolicy: Parallel
  pools:
  - containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
      seccompProfile:
        type: RuntimeDefault
    name: pool-0
    resources:
      limits:
        cpu: 1000m
        memory: 2Gi
      requests:
        cpu: 1000m
        memory: 2Gi
    securityContext:
      fsGroup: 1001
      fsGroupChangePolicy: OnRootMismatch
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
    servers: 4
    volumeClaimTemplate:
      metadata:
        name: data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
    volumesPerServer: 4
  prometheusOperator: false
  requestAutoCert: false
  subPath: /data

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to default/Tenant/minio-minio-instance:
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  labels:
    app: minio
    app.kubernetes.io/name: minio
    app.kubernetes.io/version: v7.0.0
  name: minio-minio-instance
  namespace: default
spec:
  configuration:
    name: minio-creds-secret
  features:
    bucketDNS: false
    enableSFTP: false
  image: registry1.dso.mil/ironbank/opensource/minio/minio:RELEASE.2025-01-20T14-49-07Z
  imagePullPolicy: IfNotPresent
  imagePullSecret:
    name: private-registry
  mountPath: /export
  podManagementPolicy: Parallel
  pools:
  - containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
      seccompProfile:
        type: RuntimeDefault
    name: pool-0
    resources:
      limits:
        cpu: 1000m
        memory: 2Gi
      requests:
        cpu: 1000m
        memory: 2Gi
    securityContext:
      fsGroup: 1001
      fsGroupChangePolicy: OnRootMismatch
      runAsGroup: 1001
      runAsNonRoot: true
      runAsUser: 1001
    servers: 4
    volumeClaimTemplate:
      metadata:
        name: data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
    volumesPerServer: 4
  prometheusOperator: false
  requestAutoCert: false
  subPath: /data

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/ServiceAccount/minio-instance-wait-job-sa:
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-sa
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/ServiceAccount/minio-instance-wait-job-sa:
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-sa
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/ConfigMap/minio-instance-wait-script:
apiVersion: v1
data:
  wait.sh: |-
    #!/bin/bash
    timeElapsed=0
    while true; do
       resourceHealth=$(kubectl get tenant -n minio -o jsonpath='{.items[0].status.healthStatus}')
       if [[ $resourceHealth == "green" ]]; then                                             # Update with desired health/output of the jsonpath
          echo "minio custom resource creation finished"
          break
       fi
       sleep 5
       timeElapsed=$(($timeElapsed+5))
       if [[ $timeElapsed -ge 600 ]]; then
          echo "timeout waiting 600 seconds for minio resource creation, running describe..." 1>&2
          kubectl describe tenant -n minio 1>&2
          exit 1
       fi
    done
kind: ConfigMap
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-weight: "-5"
    sidecar.istio.io/inject: "false"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
    wait-job: enabled
  name: minio-instance-wait-script
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/ConfigMap/minio-instance-wait-script:
apiVersion: v1
data:
  wait.sh: |-
    #!/bin/bash
    timeElapsed=0
    while true; do
       resourceHealth=$(kubectl get tenant -n minio -o jsonpath='{.items[0].status.healthStatus}')
       if [[ $resourceHealth == "green" ]]; then                                             # Update with desired health/output of the jsonpath
          echo "minio custom resource creation finished"
          break
       fi
       sleep 5
       timeElapsed=$(($timeElapsed+5))
       if [[ $timeElapsed -ge 600 ]]; then
          echo "timeout waiting 600 seconds for minio resource creation, running describe..." 1>&2
          kubectl describe tenant -n minio 1>&2
          exit 1
       fi
    done
kind: ConfigMap
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-weight: "-5"
    sidecar.istio.io/inject: "false"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
    wait-job: enabled
  name: minio-instance-wait-script
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/Role/minio-instance-wait-job-role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-role
  namespace: minio
rules:
- apiGroups:
  - minio.min.io
  - minio.min.io/v2
  resources:
  - tenants
  - tenant
  - tenants.minio.min.io
  verbs:
  - get
  - list
  - watch

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/Role/minio-instance-wait-job-role:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-role
  namespace: minio
rules:
- apiGroups:
  - minio.min.io
  - minio.min.io/v2
  resources:
  - tenants
  - tenant
  - tenants.minio.min.io
  verbs:
  - get
  - list
  - watch

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/RoleBinding/minio-instance-wait-job-rolebinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-rolebinding
  namespace: minio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: minio-instance-wait-job-role
subjects:
- kind: ServiceAccount
  name: minio-instance-wait-job-sa
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/RoleBinding/minio-instance-wait-job-rolebinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "-5"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job-rolebinding
  namespace: minio
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: minio-instance-wait-job-role
subjects:
- kind: ServiceAccount
  name: minio-instance-wait-job-sa
  namespace: minio

---


Mutation:
Mutation has been applied successfully.
policy add-default-capability-drop applied to minio/Job/minio-instance-wait-job:
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "10000"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job
  namespace: minio
spec:
  template:
    metadata: null
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - |
          if [[ -d /src && -n "$(ls /src/* 2>/dev/null)" ]]; then
            cp /src/* /wait/
          fi
          if [[ -n "$(ls . 2>/dev/null)" ]]; then
            for script in *; do
              if [[ -d ${script} ]]; then
                continue;
              fi
              chmod +x ${script}
              echo "---"
              echo "Running ${script}..."
              echo "---"
              ./${script}
            done
          fi
        image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.6
        imagePullPolicy: IfNotPresent
        name: wait-job
        resources:
          limits:
            cpu: 0.5
            memory: 128Mi
          requests:
            cpu: 0.5
            memory: 128Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 1000
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /wait
          name: workdir
        - mountPath: /src
          name: wait-scripts
        workingDir: /wait
      imagePullSecrets:
      - name: private-registry
      restartPolicy: Never
      serviceAccountName: minio-instance-wait-job-sa
      volumes:
      - emptyDir: {}
        name: workdir
      - configMap:
          name: minio-instance-wait-script
        name: wait-scripts

---


Mutation:
Mutation has been applied successfully.
policy add-default-securitycontext applied to minio/Job/minio-instance-wait-job:
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation, hook-failed
    helm.sh/hook-weight: "10000"
  labels:
    app.kubernetes.io/instance: minio
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: minio-instance
    app.kubernetes.io/version: v7.0.0
    helm.sh/chart: minio-instance-7.0.0-bb.3
  name: minio-instance-wait-job
  namespace: minio
spec:
  template:
    metadata: null
    spec:
      containers:
      - command:
        - /bin/bash
        - -c
        - |
          if [[ -d /src && -n "$(ls /src/* 2>/dev/null)" ]]; then
            cp /src/* /wait/
          fi
          if [[ -n "$(ls . 2>/dev/null)" ]]; then
            for script in *; do
              if [[ -d ${script} ]]; then
                continue;
              fi
              chmod +x ${script}
              echo "---"
              echo "Running ${script}..."
              echo "---"
              ./${script}
            done
          fi
        image: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.29.6
        imagePullPolicy: IfNotPresent
        name: wait-job
        resources:
          limits:
            cpu: 0.5
            memory: 128Mi
          requests:
            cpu: 0.5
            memory: 128Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 1000
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /wait
          name: workdir
        - mountPath: /src
          name: wait-scripts
        workingDir: /wait
      imagePullSecrets:
      - name: private-registry
      restartPolicy: Never
      securityContext:
        fsGroup: 65534
        runAsGroup: 65534
        runAsNonRoot: true
        runAsUser: 65534
      serviceAccountName: minio-instance-wait-job-sa
      volumes:
      - emptyDir: {}
        name: workdir
      - configMap:
          name: minio-instance-wait-script
        name: wait-scripts

---


Mutation:
Mutation has been applied successfully.
policy disallow-auto-mount-service-account-token -> resource minio/ServiceAccount/minio-instance-wait-job-sa failed:
1 - automount-service-accounts validation error: Automount Kubernetes API Credentials isn't turned off. The field automountServiceAccountToken  must be set to false. rule automount-service-accounts failed at path /automountServiceAccountToken/


skipped mutate policy add-default-capability-drop -> resource minio/Job/minio-instance-wait-job

pass: 1, fail: 0, warn: 1, error: 0, skip: 1 
⬆️  See the policy test results above (tested using default values) ⬆️
section_end:1742331268:kyverno_policy_tests

$ oscal_validate
$ package_deprecation_check
section_start:1742331268:package_deprecation_check[collapsed=true]
Package API Deprecation Check
There were no resources found with known deprecated apiVersions.


section_end:1742331268:package_deprecation_check

$ if [[ $API_EXIT_CODE -eq 2 ]]; then # collapsed multi-line command

section_end:1742331268:step_script
section_start:1742331268:cleanup_file_variables
Cleaning up project directory and file based variables

section_end:1742331269:cleanup_file_variables
Job succeeded