* Revert "temporarily remove policies other than the machine one as the example and test policy to create a base code pr"
This reverts commit 08d377d4b8.
* extracted shared rego resources to a separate lib
* improvement: rego unit test and gator test polishing (#2767)
* rego unit test and gator test polishing
* lint fix
* rego lint fix
* adjusted user id related judgement plus match kinds for resources other than pod
* added test cases for priv'd ns to cover pull-secret deletion
* add new policy for machine config modification (#2879)
* add new policy for machine config modification
* reformat yaml
* revise api group logic
* added pod host path policy
* don't run guardrails if a standard gatekeeper instance is already started
* comment out corresponding gator tests as r/w PV check is temporarily removed
* satisfy mega linter
* temporarily backoff the standard gatekeeper check
* enable standard gatekeeper check with proper test case modifications
* comment out non-namespaced resources
* add k8s specific namespaces to the priv'd list
* update README plus add two SA to allowed list
* update Guardrails README
* a typo in README
* allow policies to enforce on openshift-azure-guardrails namespace
* added group support for user validation
* update: Guardrail policy scripts and doc updates (#2941)
* update generate.sh to support single dir gen
* update scripts to support params
* update README
* added usage print for scripts
* change to flexible mode for username, group and SA name validation
* update get func to print more debug info
* rely solely on userInfo for user authentication
* extend audit-interval to slow down the audit run, plus display more violations
* roll back a temp change for local test
* don't allow updates for machine and machineset
* removed MachineSet
* unified the constraint filename and resource name to make the config easier
* adjust constraint and template name and kind as per convention
* update gatekeeper params, affinity and tolerations
* log violations
* white list more user and group
* extend priv'd ns protection to ns itself
* add guardrails policy generate entry in makefile
* make gator in README lower cased to keep consistent with official doc
---------
Co-authored-by: Arris Li <huili@redhat.com>
Runs local development and PR E2E in podman containers, rather than using the inbuilt installer.
---------
Co-authored-by: Jeremy Facchetti <facchettos@gmail.com>
* sync with upstream
* remove network sdk from _validators.py
* ignore licensing in python/az/aro/azext_aro/aaz
* display command flag for get_subnet error message
* move import to top of file
* Update autorest core to 3.6.3. Update nodejs to new secure LTS version for client generation. Fix permissions error in autorest Dockerfile for client generation.
* Added closing console line after api version generation
* Fixed admin portal v2 navigation and e2e admin portal flakes
Check for docker before running e2e tests
* Assuming docker has failed until proven succeeded
* Made changes based on review feedback
Proxy needs to include all its dependencies instead of
linking them.
With links and ubi-minimal it can lead to missing libraries issue.
Signed-off-by: Petr Kotas <pkotas@redhat.com>
* refactor: apply Guard clauses in _validators.py to simplify code
* fix _validators.py trailing whitespace
* improve python test structure, include execution of unit tests in make test-python
* create make directive to run python unit tests, add unit tests for azext_aro._validators.validate_cidr
* add tests for test_validate_client_id and include test cases description
* add unit tests for validate_client_secret from azext_aro._validators
* add explicit fields to named tuple in test cases in test_validators.py
* add two test scenarios for validate_cluster_resource_group
* simplify mocks
* add test case for test_validate_cluster_resource_group
* improve test descriptions
* add test_validate_disk_encryption_set test to test validate_disk_encryption_set
* add test cases to test_validate_disk_encryption_set()
* refactor test_validator.py to use classes instead of namedtuples. Use mocks instead of specific defined classes
* refactor (simplify code): remove explicit assignment to None when it is the default value
* create test_validate_domain() with 1st test case
* add test case, domain with '_'
* explicit import of unittest.TestCase
* fix test message in test_validate_domain
* finish test_validate_domain()
* finish test_validate_sdn() and test_validate_pull_secret()
* create test_validate_subnet() with first test case
* finish test_validate_subnet() and minor refactor in _validators.py
* create test_validate_subnets() and add first test case
* finish validate_vnet_resource_group_name()
* finish test_validate_worker_count() of test_validators.py and simple refactor in _validators.py
* finish test_validate_worker_vm_disk_size_gb()
* refactor _validators.py
* add test_validate_refresh_cluster_credentials() and minor refactor of test_validators()
* refactor _test_validators.py to use pytest, create script and invoke it from Makefile
* simplify test_validate_cidr() using pytest.mark.parametrize
* simplify some tests using pytest.mark.parametrize
* finish applying pytest.mark.parametrize
* clean up Makefile test-python
* add blank line to hack/unit-test-python.sh
* fix typo in test case
* fix mega-linter error, blank space
* fix test case to fail due to invalid range
* fix typo in beeing to be being
* remove redundant test case
* reformat code for better readability
* add missing license to __init__.py files
Add in sre portal v2, still default to v1
Co-authored-by: Amber Brown <ambrown@redhat.com>
Co-authored-by: Brett Embery <bembery@redhat.com>
Co-authored-by: Ben Vesel <10840174+bennerv@users.noreply.github.com>
The ARO-RP returns special characters in color encoding special character, which is not decoded as of now. This change removes the color encoding characters by default in e2e tests
ARO uses both tags and commits as its version.
The commits are used for the development scenario,
tags are used when building and deploying to
production.
Add annotated tag build and push into makefile.
Without annotation, the TAG is empty and
action is not performed.
Signed-off-by: Petr Kotas <pkotas@redhat.com>
Existing code for running localrp does not read version.gitCommit, resulting in ARO operator version as `unknown` for dev clusters.
With this PR, we pass the ${COMMIT} to the go run aro command.
split test-go to allow separate phases to be run in CI
each phase will be able to fail separately increasing
readability
Signed-off-by: Petr Kotas <pkotas@redhat.com>