From 9e145b2ef14fa7a467b1e6805a089866896bf142 Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Mon, 26 Aug 2024 21:56:32 +0200
Subject: [PATCH 1/7] add image-policy-test prefix to allowed softwail namespaces for image validator
---
 test/e2e/cluster_config.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/e2e/cluster_config.sh b/test/e2e/cluster_config.sh
index 36869500cb..f209eeea31 100755
--- a/test/e2e/cluster_config.sh
+++ b/test/e2e/cluster_config.sh
@@ -46,7 +46,7 @@ clusters:
 teapot_admission_controller_daemonset_reserved_cpu: "518m"
 karpenter_pools_enabled: "true"
 okta_auth_client_id: "kubernetes.cluster.teapot-e2e"
- teapot_admission_controller_validate_pod_images_soft_fail_namespaces: "^kube-system$"
+ teapot_admission_controller_validate_pod_images_soft_fail_namespaces: "^kube-system$,^image-policy-test"
 criticality_level: 1
 environment: e2e
 id: ${CLUSTER_ID}
From f30acafbd429e595eaae2dbbf99bd3e4091b3667 Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 28 Aug 2024 09:40:56 +0200
Subject: [PATCH 2/7] update compliant and non-compliant images for apiserver e2e tests
---
 test/e2e/apiserver.go | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/test/e2e/apiserver.go b/test/e2e/apiserver.go
index b657b3b162..18606a967b 100644
--- a/test/e2e/apiserver.go
+++ b/test/e2e/apiserver.go
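Review bot: In the cluster_config.sh hunk of patch 1/7, the added pattern `^image-policy-test` has no closing `$`, unlike `^kube-system$`, so every namespace whose name merely starts with that prefix is put into soft-fail mode for pod image validation. If the e2e framework appends a generated suffix to the namespace name, an explicit form such as `^image-policy-test-[a-z0-9]+$` (constructed example; match it to the real suffix format) would keep the exemption as narrow as the test needs. Soft-failing the namespace the image-policy tests run in would presumably also stop the non-compliant-image cases from being denied, which may be why patch 3/7 removes the entry again. A `#` comment above the key stating which namespaces are allowed to appear in this list would help keep it from growing back.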
@@ -39,24 +39,26 @@ import (
 )
 const (
- compliantImage1 = "registry.opensource.zalan.do/teapot/skipper:v0.14.0" // these are several compliant images
- compliantImage2 = "registry.opensource.zalan.do/teapot/skipper:v0.14.1"
- compliantImage3 = "registry.opensource.zalan.do/teapot/skipper:v0.14.2"
- compliantImage4 = "registry.opensource.zalan.do/teapot/skipper:v0.14.3"
- compliantImage5 = "registry.opensource.zalan.do/teapot/skipper:v0.14.4"
- compliantImage6 = "registry.opensource.zalan.do/teapot/skipper:v0.14.5"
- compliantImage7 = "registry.opensource.zalan.do/teapot/skipper:v0.14.6"
- compliantImage8 = "registry.opensource.zalan.do/teapot/skipper:v0.14.7"
- nonCompliantImage1 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-2" // these are several non-compliant images
- nonCompliantImage2 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-3"
- nonCompliantImage3 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-5"
- nonCompliantImage4 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-6"
- nonCompliantImage5 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-7"
- nonCompliantImage6 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-8"
- nonCompliantImage7 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-10"
- nonCompliantImage8 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-11"
- nonCompliantImage9 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-12"
- nonCompliantImage10 = "registry.opensource.zalan.do/teapot/skipper-test:pr-2080-13"
+ compliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.19.0" // these are several compliant images
+ compliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.19.1"
+ compliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.19.2"
+ compliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.19.3"
+ compliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.19.4"
+ compliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.19.5"
+ compliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.19.6"
+ compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.19.7"
+
+ // these are non-compliant because of expired base image
+ nonCompliantImage1 = "registry.opensource.zalan.do/teapot/skipper:v0.14.0"
+ nonCompliantImage2 = "registry.opensource.zalan.do/teapot/skipper:v0.14.1"
+ nonCompliantImage3 = "registry.opensource.zalan.do/teapot/skipper:v0.14.2"
+ nonCompliantImage4 = "registry.opensource.zalan.do/teapot/skipper:v0.14.3"
+ nonCompliantImage5 = "registry.opensource.zalan.do/teapot/skipper:v0.14.4"
+ nonCompliantImage6 = "registry.opensource.zalan.do/teapot/skipper:v0.14.5"
+ nonCompliantImage7 = "registry.opensource.zalan.do/teapot/skipper:v0.14.6"
+ nonCompliantImage8 = "registry.opensource.zalan.do/teapot/skipper:v0.14.7"
+ nonCompliantImage9 = "registry.opensource.zalan.do/teapot/skipper:v0.14.8"
+ nonCompliantImage10 = "registry.opensource.zalan.do/teapot/skipper:v0.14.9"
 waitForPodTimeout = 5 * time.Minute
 )
From b769895c28afe7950c00650a5f32beb05b3ef0a6 Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 28 Aug 2024 09:44:51 +0200
Subject: [PATCH 3/7] remove image-policy prefix from softfail namespaces
---
 test/e2e/cluster_config.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/e2e/cluster_config.sh b/test/e2e/cluster_config.sh
index f209eeea31..36869500cb 100755
--- a/test/e2e/cluster_config.sh
+++ b/test/e2e/cluster_config.sh
@@ -46,7 +46,7 @@ clusters:
 teapot_admission_controller_daemonset_reserved_cpu: "518m"
 karpenter_pools_enabled: "true"
 okta_auth_client_id: "kubernetes.cluster.teapot-e2e"
- teapot_admission_controller_validate_pod_images_soft_fail_namespaces: "^kube-system$,^image-policy-test"
+ teapot_admission_controller_validate_pod_images_soft_fail_namespaces: "^kube-system$"
 criticality_level: 1
 environment: e2e
 id: ${CLUSTER_ID}
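Review bot: In the apiserver.go const block of patch 2/7, the new comment `// these are non-compliant because of expired base image` names a property that changes with time, yet nothing documents what keeps `compliantImage1` to `compliantImage8` compliant or when they stop being so. The same constants are re-pointed in patches 4/7, 5/7 and 6/7 (v0.19.x is listed as compliant here and as non-compliant in 5/7), which suggests the fixtures age out and the positive cases can start failing on an unchanged tree. I would extend the comment on the compliant group to something like `// compliant at time of writing: production registry, base image not yet expired; bump these tags when the base image expires`. If the validator accepts digest references, pinning the fixtures by digest would also ensure a re-pushed tag cannot change what the policy test evaluates.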
From 8af73242676a1f895926537f5578df5f12c8d571 Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 28 Aug 2024 09:48:47 +0200
Subject: [PATCH 4/7] use skipper v0.21.x as compliant images
---
 test/e2e/apiserver.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/test/e2e/apiserver.go b/test/e2e/apiserver.go
index 18606a967b..1ee347b652 100644
--- a/test/e2e/apiserver.go
+++ b/test/e2e/apiserver.go
@@ -39,14 +39,14 @@ import (
 )
 const (
- compliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.19.0" // these are several compliant images
- compliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.19.1"
- compliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.19.2"
- compliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.19.3"
- compliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.19.4"
- compliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.19.5"
- compliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.19.6"
- compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.19.7"
+ compliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.21.0" // these are several compliant images
+ compliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.21.1"
+ compliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.21.2"
+ compliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.21.3"
+ compliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.21.4"
+ compliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.21.5"
+ compliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.21.6"
+ compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.21.7"
 // these are non-compliant because of expired base image
 nonCompliantImage1 = "registry.opensource.zalan.do/teapot/skipper:v0.14.0"
From d71c16e1448a277f8263a9006bd0b44e638e0334 Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 28 Aug 2024 10:20:55 +0200
Subject: [PATCH 5/7] use same registry for compliant and non-compliant images
---
 test/e2e/apiserver.go | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/test/e2e/apiserver.go b/test/e2e/apiserver.go
index 1ee347b652..a49e954b34 100644
--- a/test/e2e/apiserver.go
+++ b/test/e2e/apiserver.go
@@ -39,7 +39,8 @@ import (
 )
 const (
- compliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.21.0" // these are several compliant images
+ // these are several compliant images
+ compliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.21.0"
 compliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.21.1"
 compliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.21.2"
 compliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.21.3"
@@ -49,16 +50,16 @@ const (
 compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.21.7"
 // these are non-compliant because of expired base image
- nonCompliantImage1 = "registry.opensource.zalan.do/teapot/skipper:v0.14.0"
- nonCompliantImage2 = "registry.opensource.zalan.do/teapot/skipper:v0.14.1"
- nonCompliantImage3 = "registry.opensource.zalan.do/teapot/skipper:v0.14.2"
- nonCompliantImage4 = "registry.opensource.zalan.do/teapot/skipper:v0.14.3"
- nonCompliantImage5 = "registry.opensource.zalan.do/teapot/skipper:v0.14.4"
- nonCompliantImage6 = "registry.opensource.zalan.do/teapot/skipper:v0.14.5"
- nonCompliantImage7 = "registry.opensource.zalan.do/teapot/skipper:v0.14.6"
- nonCompliantImage8 = "registry.opensource.zalan.do/teapot/skipper:v0.14.7"
- nonCompliantImage9 = "registry.opensource.zalan.do/teapot/skipper:v0.14.8"
- nonCompliantImage10 = "registry.opensource.zalan.do/teapot/skipper:v0.14.9"
+ nonCompliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.19.0"
+ nonCompliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.19.1"
+ nonCompliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.19.2"
+ nonCompliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.19.3"
+ nonCompliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.19.4"
+ nonCompliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.19.5"
+ nonCompliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.19.6"
+ nonCompliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.19.7"
+ nonCompliantImage9 = "container-registry.zalando.net/teapot/skipper:v0.19.8"
+ nonCompliantImage10 = "container-registry.zalando.net/teapot/skipper:v0.19.9"
 waitForPodTimeout = 5 * time.Minute
 )
From 8d2165bd5418184b62310266a46a323aeb954f3c Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 28 Aug 2024 12:00:02 +0200
Subject: [PATCH 6/7] use older images for non-compliant images
---
 test/e2e/apiserver.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/test/e2e/apiserver.go b/test/e2e/apiserver.go
index a49e954b34..69ab33d5b4 100644
--- a/test/e2e/apiserver.go
+++ b/test/e2e/apiserver.go
@@ -50,16 +50,16 @@ const (
 compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.21.7"
 // these are non-compliant because of expired base image
- nonCompliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.19.0"
- nonCompliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.19.1"
- nonCompliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.19.2"
- nonCompliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.19.3"
- nonCompliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.19.4"
- nonCompliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.19.5"
- nonCompliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.19.6"
- nonCompliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.19.7"
- nonCompliantImage9 = "container-registry.zalando.net/teapot/skipper:v0.19.8"
- nonCompliantImage10 = "container-registry.zalando.net/teapot/skipper:v0.19.9"
+ nonCompliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.16.0"
+ nonCompliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.16.1"
+ nonCompliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.16.2"
+ nonCompliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.16.3"
+ nonCompliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.16.4"
+ nonCompliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.16.5"
+ nonCompliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.16.6"
+ nonCompliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.16.7"
+ nonCompliantImage9 = "container-registry.zalando.net/teapot/skipper:v0.16.8"
+ nonCompliantImage10 = "container-registry.zalando.net/teapot/skipper:v0.16.9"
 waitForPodTimeout = 5 * time.Minute
 )
From 9210a0c695529f94b32f06da5044a934b0bc4506 Mon Sep 17 00:00:00 2001
From: Noor Malik
Date: Wed, 22 Jan 2025 16:39:31 +0100
Subject: [PATCH 7/7] update non-compliant images to be test images
---
 test/e2e/apiserver.go | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/test/e2e/apiserver.go b/test/e2e/apiserver.go
index 69ab33d5b4..23d6181f21 100644
--- a/test/e2e/apiserver.go
+++ b/test/e2e/apiserver.go
@@ -49,17 +49,17 @@ const (
 compliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.21.6"
 compliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.21.7"
- // these are non-compliant because of expired base image
- nonCompliantImage1 = "container-registry.zalando.net/teapot/skipper:v0.16.0"
- nonCompliantImage2 = "container-registry.zalando.net/teapot/skipper:v0.16.1"
- nonCompliantImage3 = "container-registry.zalando.net/teapot/skipper:v0.16.2"
- nonCompliantImage4 = "container-registry.zalando.net/teapot/skipper:v0.16.3"
- nonCompliantImage5 = "container-registry.zalando.net/teapot/skipper:v0.16.4"
- nonCompliantImage6 = "container-registry.zalando.net/teapot/skipper:v0.16.5"
- nonCompliantImage7 = "container-registry.zalando.net/teapot/skipper:v0.16.6"
- nonCompliantImage8 = "container-registry.zalando.net/teapot/skipper:v0.16.7"
- nonCompliantImage9 = "container-registry.zalando.net/teapot/skipper:v0.16.8"
- nonCompliantImage10 = "container-registry.zalando.net/teapot/skipper:v0.16.9"
+ // these are non-compliant because of being test images
+ nonCompliantImage1 = "container-registry-test.zalando.net/teapot/skipper-test:pr-3380-1"
+ nonCompliantImage2 = "container-registry-test.zalando.net/teapot/skipper-test:pr-3379-1"
+ nonCompliantImage3 = "container-registry-test.zalando.net/teapot/skipper-test:pr-3378-1"
+ nonCompliantImage4 = "container-registry-test.zalando.net/teapot/skipper-test:pr-3377-1"
+ nonCompliantImage5 = "container-registry-test.zalando.net/teapot/skipper-test:pr-3376-1"
+ nonCompliantImage6 = "container-registry-test.zalando.net/teapot/skipper-test:pr-3373-1"
+ nonCompliantImage7 = "container-registry-test.zalando.net/teapot/skipper-test:pr-3372-1"
+ nonCompliantImage8 = "container-registry-test.zalando.net/teapot/skipper-test:pr-3371-1"
+ nonCompliantImage9 = "container-registry-test.zalando.net/teapot/skipper-test:pr-3375-9"
+ nonCompliantImage10 = "container-registry-test.zalando.net/teapot/skipper-test:pr-3374-8"
 waitForPodTimeout = 5 * time.Minute
 )
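Review bot: In the patch 7/7 hunk, `nonCompliantImage1` to `nonCompliantImage10` now point at pull-request build tags (`skipper-test:pr-3380-1` and so on) in `container-registry-test.zalando.net`, and the hunk does not say whether those tags are retained. The tests that consume these constants are outside the hunk; if they only assert that pod creation is denied, a denial caused by a tag that no longer resolves would pass just like a denial for being a test image, so the check could silently stop exercising the policy. I would have the negative cases assert on the denial reason and expand the comment to `// non-compliant: built from pull requests and pushed to the test registry; the tags must still exist for the policy check to be meaningful`.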