Identify test to ensure all constraints were successfully deployed
If a constraint does not get deployed due to misconfiguration, it will not be flagged or tested in the pipeline. We need a way to identify that a constraint failed to deploy. First thought is to compare the number of constraints to the number deployed. Or, we may need to parse deployment logs for failures.
Currently, the chart/tests/script to check constraints uses `kubectl get constraints` to get the list of all installed constraints in the cluster. Then it verifies if each of these has a violation on the bad manifest. The problem with this approach is if you have a Constraint that has an issue with it, it will not be deployed by OPA Gatekeeper. This means that constraint would not be shown in the `kubectl get constraints` command and therefore not actually tested in the pipeline and there is no failure.
The testing needs to be able to know if all of the intended constraints in the package were deployed successfully.
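One way to implement the comparison, going one step past a count by diffing constraint names: this is an added example, not the chart's existing test script. It assumes the chart is rendered with the same values used for the deployment; the function names, file names, release name, and sample constraints are hypothetical.

```shell
# Added example: list constraints the chart renders that never appeared in the cluster.

# stdin: rendered manifests. stdout: "Kind/name" per Gatekeeper constraint.
expected_constraints() {
  awk '
    function emit() {
      if (api ~ /^constraints\.gatekeeper\.sh\// && kind != "" && name != "") print kind "/" name
      api = ""; kind = ""; name = ""; meta = 0
    }
    /^---/             { emit(); next }
    /^apiVersion:/     { api = $2; next }
    /^kind:/           { kind = $2; next }
    /^metadata:/       { meta = 1; next }
    /^[^ #]/           { meta = 0 }
    meta && /^  name:/ { name = $2; gsub(/"/, "", name) }
    END                { emit() }
  ' | LC_ALL=C sort -u
}

# stdin: "KIND NAME" rows from kubectl. stdout: "Kind/name".
deployed_constraints() {
  awk 'NF >= 2 { print $1 "/" $2 }' | LC_ALL=C sort -u
}

# $1 = rendered manifests file, $2 = kubectl listing file; prints what is missing.
missing_constraints() {
  exp=$(mktemp) && dep=$(mktemp) || return 2
  expected_constraints < "$1" > "$exp"
  deployed_constraints < "$2" > "$dep"
  LC_ALL=C comm -23 "$exp" "$dep"
  rm -f "$exp" "$dep"
}

# Constructed sample: two constraints rendered, only one reported by the cluster.
demo() {
  r=$(mktemp); d=$(mktemp)
  printf '%s\n' '---' 'apiVersion: constraints.gatekeeper.sh/v1beta1' \
    'kind: K8sRequiredLabels' 'metadata:' '  name: require-owner' \
    '---' 'apiVersion: constraints.gatekeeper.sh/v1beta1' \
    'kind: K8sAllowedRepos' 'metadata:' '  name: "allowed-repos"' > "$r"
  printf '%s\n' 'K8sRequiredLabels   require-owner' > "$d"
  missing_constraints "$r" "$d"
  rm -f "$r" "$d"
}

# Pipeline use (chart path and release name are assumptions):
#   helm template policies ./chart > rendered.yaml
#   kubectl get constraints --no-headers -o custom-columns=KIND:.kind,NAME:.metadata.name > deployed.txt
#   [ -z "$(missing_constraints rendered.yaml deployed.txt)" ] || exit 1
```

A non-empty result names each constraint that was packaged but not created, so the pipeline can fail on it instead of silently skipping the violation test for that constraint.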