
Commit 0f0027d

pedjak and claude committed
Migrate E2e NetworkPolicy tests to static analysis with kube-score and conftest
Replace the e2e NetworkPolicy tests with static analysis tools that validate NetworkPolicy configurations at build time rather than runtime.

Tools:
- kube-score: https://github.com/zegl/kube-score
- conftest: https://www.conftest.dev/
- OPA (Open Policy Agent): https://www.openpolicyagent.org/docs/latest/policy-language/

Changes:
- Add kube-score via bingo for validating deployed NetworkPolicy resources
- Add conftest via bingo for OPA-based policy validation of Helm charts
- Add OPA policies to enforce NetworkPolicy requirements:
  - Deny-all default policy must exist
  - catalogd-controller-manager must allow ingress on ports 7443, 8443, 9443
  - operator-controller-controller-manager must allow ingress on port 8443
  - Both controllers must have general egress enabled
  - Prometheus NetworkPolicy must allow ingress/egress (when deployed)
- Add lint-helm target integration with conftest policy checks
- Add lint-deployed-resources target for runtime validation with kube-score
- Add conftest validation to manifest generation
- Add CI workflow to detect NetworkPolicy changes in PRs and post a comment
- Remove network_policy_test.go as tests are now covered by static analysis

This approach provides faster feedback by catching NetworkPolicy issues during helm linting and manifest generation rather than requiring a full e2e test run.

Co-Authored-By: Claude <noreply@anthropic.com>
1 parent cc8ed2b commit 0f0027d

File tree

15 files changed

+2497
-416
lines changed


.bingo/Variables.mk

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,12 @@ $(BINGO): $(BINGO_DIR)/bingo.mod
2323
@echo "(re)installing $(GOBIN)/bingo-v0.9.0"
2424
@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=bingo.mod -o=$(GOBIN)/bingo-v0.9.0 "github.com/bwplotka/bingo"
2525

26+
CONFTEST := $(GOBIN)/conftest-v0.62.0
27+
$(CONFTEST): $(BINGO_DIR)/conftest.mod
28+
@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
29+
@echo "(re)installing $(GOBIN)/conftest-v0.62.0"
30+
@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=conftest.mod -o=$(GOBIN)/conftest-v0.62.0 "github.com/open-policy-agent/conftest"
31+
2632
CONTROLLER_GEN := $(GOBIN)/controller-gen-v0.19.0
2733
$(CONTROLLER_GEN): $(BINGO_DIR)/controller-gen.mod
2834
@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
@@ -71,6 +77,12 @@ $(KIND): $(BINGO_DIR)/kind.mod
7177
@echo "(re)installing $(GOBIN)/kind-v0.30.0"
7278
@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=kind.mod -o=$(GOBIN)/kind-v0.30.0 "sigs.k8s.io/kind"
7379

80+
KUBE_SCORE := $(GOBIN)/kube-score-v1.20.0
81+
$(KUBE_SCORE): $(BINGO_DIR)/kube-score.mod
82+
@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
83+
@echo "(re)installing $(GOBIN)/kube-score-v1.20.0"
84+
@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=kube-score.mod -o=$(GOBIN)/kube-score-v1.20.0 "github.com/zegl/kube-score/cmd/kube-score"
85+
7486
KUSTOMIZE := $(GOBIN)/kustomize-v5.7.1
7587
$(KUSTOMIZE): $(BINGO_DIR)/kustomize.mod
7688
@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.

.bingo/conftest.mod

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
2+
3+
go 1.24.6
4+
5+
require github.com/open-policy-agent/conftest v0.62.0

.bingo/conftest.sum

Lines changed: 2041 additions & 0 deletions
Large diffs are not rendered by default.

.bingo/kube-score.mod

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
2+
3+
go 1.24.6
4+
5+
require github.com/zegl/kube-score v1.20.0 // cmd/kube-score

.bingo/kube-score.sum

Lines changed: 98 additions & 0 deletions
@@ -0,0 +1,98 @@
1+
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
2+
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
3+
github.com/eidolon/wordwrap v0.0.0-20161011182207-e0f54129b8bb h1:ioQwBmKdOCpMVS/bDaESqNWXIE/aw4+gsVtysCGMWZ4=
4+
github.com/eidolon/wordwrap v0.0.0-20161011182207-e0f54129b8bb/go.mod h1:ZAPs+OyRzeVJFGvXVDVffgCzQfjg3qU9Ig8G/MU3zZ4=
5+
github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
6+
github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
7+
github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
8+
github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
9+
github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
10+
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
11+
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
12+
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
13+
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
14+
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
15+
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
16+
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
17+
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
18+
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
19+
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
20+
github.com/jstemmer/go-junit-report/v2 v2.1.0 h1:X3+hPYlSczH9IMIpSC9CQSZA0L+BipYafciZUWHEmsc=
21+
github.com/jstemmer/go-junit-report/v2 v2.1.0/go.mod h1:mgHVr7VUo5Tn8OLVr1cKnLuEy0M92wdRntM99h7RkgQ=
22+
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
23+
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
24+
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
25+
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
26+
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
27+
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
28+
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
29+
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
30+
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
31+
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
32+
github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
33+
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
34+
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
35+
github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
36+
github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
37+
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
38+
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
39+
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
40+
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
41+
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
42+
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
43+
github.com/zegl/kube-score v1.20.0 h1:J1VqK86SunV4Gg8emPTmwUVxe0rmXnAs5K9ZUbGMKR8=
44+
github.com/zegl/kube-score v1.20.0/go.mod h1:mBOw3S3g7TBG/GziT8xNG15dCFn54/jUeEHndxLinE8=
45+
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
46+
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
47+
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
48+
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
49+
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
50+
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
51+
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
52+
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
53+
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
54+
golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
55+
golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
56+
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
57+
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
58+
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
59+
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
60+
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
61+
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
62+
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
63+
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
64+
golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
65+
golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
66+
golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
67+
golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
68+
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
69+
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
70+
golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
71+
golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
72+
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
73+
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
74+
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
75+
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
76+
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
77+
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
78+
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
79+
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
80+
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
81+
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
82+
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
83+
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
84+
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
85+
k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=
86+
k8s.io/api v0.32.3/go.mod h1:2wEDTXADtm/HA7CCMD8D8bK4yuBUptzaRhYcYEEYA3k=
87+
k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
88+
k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
89+
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
90+
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
91+
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
92+
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
93+
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
94+
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
95+
sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
96+
sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
97+
sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
98+
sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

.bingo/variables.env

Lines changed: 6 additions & 0 deletions
@@ -10,6 +10,8 @@ fi
1010

1111
BINGO="${GOBIN}/bingo-v0.9.0"
1212

13+
CONFTEST="${GOBIN}/conftest-v0.62.0"
14+
1315
CONTROLLER_GEN="${GOBIN}/controller-gen-v0.19.0"
1416

1517
CRD_DIFF="${GOBIN}/crd-diff-v0.5.0"
@@ -26,6 +28,10 @@ HELM="${GOBIN}/helm-v3.18.4"
2628

2729
KIND="${GOBIN}/kind-v0.30.0"
2830

31+
KUBE_LINTER="${GOBIN}/kube-linter-v0.7.1"
32+
33+
KUBE_SCORE="${GOBIN}/kube-score-v1.20.0"
34+
2935
KUSTOMIZE="${GOBIN}/kustomize-v5.7.1"
3036

3137
OPERATOR_SDK="${GOBIN}/operator-sdk-v1.41.1"
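Review bot: KUBE_LINTER="${GOBIN}/kube-linter-v0.7.1" appears in this regenerated variables.env, but the Variables.mk hunk in the same commit adds no KUBE_LINTER target between $(KIND) and $(KUBE_SCORE), and no .bingo/kube-linter.mod is part of this change. Both files are bingo-generated, so one of them is stale relative to the .bingo directory; regenerate them together (bingo get) so variables.env and Variables.mk declare the same pinned tool set, or drop the kube-linter line if that tool is not meant to be pinned here.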

.github/workflows/files-diff.yaml

Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
name: file-diff
2+
3+
on:
4+
pull_request:
5+
6+
permissions:
7+
pull-requests: write
8+
9+
jobs:
10+
check-networkpolicy-changes:
11+
runs-on: ubuntu-latest
12+
steps:
13+
- uses: actions/checkout@v6
14+
15+
- uses: dorny/paths-filter@v3
16+
id: filter
17+
with:
18+
filters: |
19+
networkpolicy:
20+
- 'helm/olmv1/templates/networkpolicy/**'
21+
22+
- name: Comment on PR if NetworkPolicy files changed
23+
if: steps.filter.outputs.networkpolicy == 'true'
24+
uses: marocchino/sticky-pull-request-comment@v2
25+
with:
26+
header: networkpolicy-changes
27+
message: |
28+
## ⚠️ NetworkPolicy Changes Detected
29+
30+
This PR modifies NetworkPolicy files which affect cluster security.
31+
32+
**Changed files:**
33+
```
34+
${{ steps.filter.outputs.networkpolicy_files }}
35+
```
36+
37+
**Please ensure:**
38+
- These changes are intentional and reviewed carefully
39+
- The OPA policies in `hack/conftest/policy/` are updated accordingly
40+
- The changes have been validated with `make lint-helm`
41+
42+
NetworkPolicy changes require careful review as they affect cluster security.
43+
44+
- name: Fail if NetworkPolicy files changed
45+
if: steps.filter.outputs.networkpolicy == 'true'
46+
run: |
47+
echo "::error::NetworkPolicy files have been modified. See PR comment for details."
48+
exit 1
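Review bot: the last step (lines 44-48) makes the job exit 1 whenever anything under helm/olmv1/templates/networkpolicy/ changes, so every NetworkPolicy PR, including the ones the new conftest policies exist to validate, fails this workflow unconditionally; if the intent is only to flag such changes for review, drop the failing step or gate it on a label or an approval rather than on the path filter alone. Two smaller points: `${{ steps.filter.outputs.networkpolicy_files }}` (line 34) is only populated when dorny/paths-filter is given a `list-files` input (for example `list-files: shell`), so as written the code block in the comment will be empty; and on a `pull_request` event from a fork the GITHUB_TOKEN is read-only, so the sticky-comment step cannot post despite `pull-requests: write` and will fail for fork PRs (mark that step `continue-on-error: true` or restrict it to same-repo PRs). Since the workflow runs with write permission on pull requests, consider pinning `actions/checkout@v6`, `dorny/paths-filter@v3` and `marocchino/sticky-pull-request-comment@v2` to commit SHAs rather than floating tags.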

Makefile

Lines changed: 18 additions & 3 deletions
@@ -121,9 +121,23 @@ help-extended: #HELP Display extended help.
121121
lint: lint-custom $(GOLANGCI_LINT) #HELP Run golangci linter.
122122
$(GOLANGCI_LINT) run --build-tags $(GO_BUILD_TAGS) $(GOLANGCI_LINT_ARGS)
123123

124-
lint-helm: $(HELM) #HELP Run helm linter
124+
lint-helm: $(HELM) $(CONFTEST) #HELP Run helm linter
125125
helm lint helm/olmv1
126126
helm lint helm/prometheus
127+
(helm template olmv1 helm/olmv1; helm template prometheus helm/prometheus) | $(CONFTEST) test --policy hack/conftest/policy/ --combine -n main -n prometheus -
128+
129+
.PHONY: lint-deployed-resources
130+
lint-deployed-resources: $(KUBE_SCORE) #HELP Lint NetworkPolicy resources in olmv1-system namespace using kube-score.
131+
(for ns in $$(echo -e "olmv1-system\n$(CATD_NAMESPACE)" | uniq); do \
132+
for resource in $$(kubectl api-resources --verbs=list --namespaced -o name); do \
133+
kubectl get $$resource -n $$ns -o yaml ; \
134+
echo "---" ; \
135+
done \
136+
done) | $(KUBE_SCORE) score - \
137+
--ignore-test container-resources \
138+
--ignore-test container-image-pull-policy \
139+
--ignore-test container-ephemeral-storage-request-and-limit \
140+
--ignore-test container-security-context-user-group-id
127141

128142
.PHONY: custom-linter-build
129143
custom-linter-build: #EXHELP Build custom linter
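Review bot: `echo -e` in the lint-deployed-resources recipe (line 131) is not portable: make runs recipes with /bin/sh, which on Debian/Ubuntu is dash, where `echo -e` prints a literal `-e` instead of interpreting `\n`, so the namespace list becomes one garbled line and the second namespace is never scanned; use `printf '%s\n' olmv1-system $(CATD_NAMESPACE) | uniq` instead. Also, the new conftest line in lint-helm (line 127) invokes `helm template` from PATH while the `$(MANIFESTS)` target uses the pinned `$(HELM)`, so the lint can run against a different Helm version than the one that renders the shipped manifests; use `$(HELM)` here and on the two existing `helm lint` lines. Minor: the target's help text says it lints NetworkPolicy resources, but the loop feeds every namespaced resource type, Secrets included, through kube-score; either scope the resource list (networkpolicies, deployments, pods) or update the description to say it scores everything in the namespace.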
@@ -164,9 +178,10 @@ $(EXPERIMENTAL_MANIFEST) ?= helm/cert-manager.yaml helm/experimental.yaml
164178
$(EXPERIMENTAL_E2E_MANIFEST) ?= helm/cert-manager.yaml helm/experimental.yaml helm/e2e.yaml
165179
HELM_SETTINGS ?=
166180
.PHONY: $(MANIFESTS)
167-
$(MANIFESTS): $(HELM)
181+
$(MANIFESTS): $(HELM) $(CONFTEST)
168182
@mkdir -p $(MANIFEST_HOME)
169183
$(HELM) template olmv1 helm/olmv1 $(addprefix --values ,$($@)) $(addprefix --set ,$(HELM_SETTINGS)) > $@
184+
$(CONFTEST) test --policy hack/conftest/policy/ -n main --combine $@
170185

171186
# Generate manifests stored in source-control
172187
.PHONY: manifests
@@ -474,7 +489,7 @@ go-build-linux: export GOARCH=amd64
474489
go-build-linux: $(BINARIES)
475490

476491
.PHONY: run-internal
477-
run-internal: docker-build kind-cluster kind-load kind-deploy wait
492+
run-internal: docker-build kind-cluster kind-load kind-deploy lint-deployed-resources wait
478493

479494
.PHONY: run
480495
run: SOURCE_MANIFEST := $(STANDARD_MANIFEST)
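Review bot: lint-deployed-resources is ordered before `wait` in run-internal, so kube-score scores the namespaces while the objects applied by kind-deploy may still be settling (Pods not yet created, Deployments not yet rolled out); placing it after `wait` makes the scored state deterministic and lets a failure point at the final deployed resources rather than at a transient intermediate state.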

hack/conftest/policy/README.md

Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
# OPA Policies for NetworkPolicy Validation
2+
3+
This directory contains [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) Rego policies used by [conftest](https://www.conftest.dev/) to validate generated Kubernetes manifests.
4+
5+
## Policy Files
6+
7+
### olm-networkpolicies.rego
8+
9+
Package: `main`
10+
11+
Validates core OLM NetworkPolicy requirements:
12+
13+
- **Deny-all policy**: Ensures a default deny-all NetworkPolicy exists with empty podSelector and both Ingress/Egress policy types
14+
- **catalogd-controller-manager policy**: Validates the NetworkPolicy for catalogd:
15+
- Ingress on port 7443 (Prometheus metrics scraping)
16+
- Ingress on port 8443 (catalog metadata queries from operator-controller)
17+
- Ingress on port 9443 (Kubernetes API server webhook access)
18+
- General egress enabled
19+
- **operator-controller-controller-manager policy**: Validates the NetworkPolicy for operator-controller:
20+
- Ingress on port 8443 (Prometheus metrics scraping)
21+
- General egress enabled (for pulling bundle images, connecting to catalogd, and Kubernetes API)
22+
23+
### prometheus-networkpolicies.rego
24+
25+
Package: `prometheus`
26+
27+
Validates Prometheus NetworkPolicy requirements:
28+
29+
- Ensures a NetworkPolicy exists that allows both ingress and egress traffic for prometheus pods
30+
31+
## Usage
32+
33+
These policies are automatically run as part of:
34+
35+
- `make lint-helm` - Validates both helm/olmv1 and helm/prometheus charts
36+
- `make manifests` - Validates generated manifests (main namespace only)
37+
38+
### Running manually
39+
40+
```bash
41+
# Run all policies (main + prometheus namespaces)
42+
helm template olmv1 helm/olmv1 | conftest test --policy hack/conftest/policy/ --combine -n main -n prometheus -
43+
44+
# Run only OLM policies
45+
helm template olmv1 helm/olmv1 | conftest test --policy hack/conftest/policy/ --combine -n main -
46+
47+
# Run only prometheus policies
48+
helm template prometheus helm/prometheus | conftest test --policy hack/conftest/policy/ --combine -n prometheus -
49+
```
50+
51+
### Excluding policies
52+
53+
Use the `-n` (namespace) flag to selectively run policies:
54+
55+
```bash
56+
# Skip prometheus policies
57+
conftest test --policy hack/conftest/policy/ --combine -n main <input>
58+
59+
# Skip OLM policies
60+
conftest test --policy hack/conftest/policy/ --combine -n prometheus <input>
61+
```
62+
63+
## Adding New Policies
64+
65+
1. Add new rules to an existing `.rego` file or create a new one
66+
2. Use `package main` for policies that should run by default on all manifests
67+
3. Use a custom package name (e.g., `package prometheus`) for optional policies
68+
4. Update the Makefile targets if new namespaces need to be included
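Review bot: the "Run all policies" command under "Running manually" (line 42) templates only helm/olmv1 yet passes `-n main -n prometheus`, so the prometheus package's "a NetworkPolicy exists for prometheus pods" rule has no Prometheus objects in its input; unless that rule is guarded on Prometheus resources being present, the command fails out of the box. The Makefile's lint-helm target concatenates both charts (`helm template olmv1 helm/olmv1; helm template prometheus helm/prometheus`) before piping to conftest, and the README example should do the same. The "Excluding policies" section (lines 51-61) repeats the two single-namespace commands from the section above it and could be folded into it. The per-port rationale for catalogd (7443 metrics, 8443 catalog metadata, 9443 webhook) is the most useful part of this file; consider pointing at where those ports are set in the chart so the README and the templates do not drift apart.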
