Skip to content

Pr/tammach/k8s policytest#5135

Draft
sayboras wants to merge 13 commits into
mainfrom
pr/tammach/k8s-policytest
Draft

Pr/tammach/k8s policytest#5135
sayboras wants to merge 13 commits into
mainfrom
pr/tammach/k8s-policytest

Conversation

@sayboras

Copy link
Copy Markdown
Member

Fixes

Description

Changelog

sayboras added 13 commits June 16, 2026 18:05
Add the pieces that let the runner scope a policy to a single pod for
the Kubernetes case:

- Conf gains Namespace and PodSelectorLabels plus a PodScoped()
  predicate to distinguish the Kubernetes case from the local one.
- ScopePolicy rewrites a generated cluster-scoped TracingPolicy into a
  namespaced TracingPolicyNamespaced constrained to a pod via
  spec.podSelector; policy templates need no changes.
- preparePolicy applies the scoping and parses out the policy name and
  namespace so namespaced policies are loaded and later deleted
  correctly.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add the kube package with a serializable result schema (TestResult,
ScenarioResult) plus Encode/Decode and a Failed() helper. This is the
contract exchanged between the in-pod runner and the client-side
orchestrator over pod logs.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add a hidden run-inpod command that runs policy tests from inside a test
pod: it connects to the node-local agent over gRPC, scopes the policy to
the pod, runs the existing local runner, and emits machine-readable
results for the orchestrator to collect.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add NewClient (ambient kubeconfig) and DiscoverAgent, which finds a
ready Tetragon agent pod and its node, with an optional node override.
The test pod is later co-located on that node to reach the agent
locally.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add TestPodSpec.Build, which constructs the Pod that runs the in-pod
entrypoint: pinned to the target node, restartPolicy Never, labeled with
a unique run label, and invoked with the namespace, agent address, and
podSelector label so the policy scopes to this pod. ImagePullPolicy is
IfNotPresent so a locally built or loaded image is used.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add Orchestrator.Run, which creates the test pod, waits for it to
finish, collects and decodes the results from its logs, and deletes the
pod on every exit path. The log reader is injectable for unit testing.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add a --kube flag on `tetra policytest run` that runs policy tests on a
Kubernetes cluster: it discovers a node-local agent, deploys a test pod
that triggers the policy from within the cluster, collects the results,
and exits non-zero on failure.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add Dockerfile.policytest and a `make image-policytest` target that
build an image bundling the tetra CLI and the contrib/tester-progs
trigger binaries, so a test pod can run policy tests in-cluster.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
A default install serves the gRPC API over mutual TLS. The orchestrator
copies the agent's TLS secret into the test namespace and mounts it so
the in-pod client can authenticate; run --kube gains --tls-secret and
--tls-server-name flags.

Pod logs interleave the runner's stderr with its result output, so the
results are prefixed with a marker that the orchestrator extracts.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add examples/policytest/rbac.yaml with the minimum permissions the
cluster runner needs: manage the test pod and copied TLS secret in the
test namespace, and discover the agent and read its TLS secret in the
agent namespace.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add a contribution-guide page covering how run --kube works, its
prerequisites (the policytest image and RBAC), an example run, and the
gRPC mTLS flags.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Build the policytest image in the e2e workflow, guarded to the
policytest test package and to amd64 (its 32-bit tester program needs a
cross-compiler before the image can build on arm64).

Signed-off-by: Tam Mach <tam.mach@cilium.io>
Run a benign policy test from a test pod via the cluster orchestration
and assert it passes. An existing-Tetragon mode skips install so a
running cluster is left untouched.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
@netlify

netlify Bot commented Jun 16, 2026

Copy link
Copy Markdown

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit bc690f1
🔍 Latest deploy log https://app.netlify.com/projects/tetragon/deploys/6a3103f984800f000839a08d
😎 Deploy Preview https://deploy-preview-5135--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant