Pr/tammach/k8s policytest#5135
Draft
sayboras wants to merge 13 commits into
Draft
Conversation
Add the pieces that let the runner scope a policy to a single pod for the Kubernetes case: - Conf gains Namespace and PodSelectorLabels plus a PodScoped() predicate to distinguish the Kubernetes case from the local one. - ScopePolicy rewrites a generated cluster-scoped TracingPolicy into a namespaced TracingPolicyNamespaced constrained to a pod via spec.podSelector; policy templates need no changes. - preparePolicy applies the scoping and parses out the policy name and namespace so namespaced policies are loaded and later deleted correctly. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add the kube package with a serializable result schema (TestResult, ScenarioResult) plus Encode/Decode and a Failed() helper. This is the contract exchanged between the in-pod runner and the client-side orchestrator over pod logs. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add a hidden run-inpod command that runs policy tests from inside a test pod: it connects to the node-local agent over gRPC, scopes the policy to the pod, runs the existing local runner, and emits machine-readable results for the orchestrator to collect. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add NewClient (ambient kubeconfig) and DiscoverAgent, which finds a ready Tetragon agent pod and its node, with an optional node override. The test pod is later co-located on that node to reach the agent locally. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add TestPodSpec.Build, which constructs the Pod that runs the in-pod entrypoint: pinned to the target node, restartPolicy Never, labeled with a unique run label, and invoked with the namespace, agent address, and podSelector label so the policy scopes to this pod. ImagePullPolicy is IfNotPresent so a locally built or loaded image is used. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add Orchestrator.Run, which creates the test pod, waits for it to finish, collects and decodes the results from its logs, and deletes the pod on every exit path. The log reader is injectable for unit testing. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add a --kube flag on `tetra policytest run` that runs policy tests on a Kubernetes cluster: it discovers a node-local agent, deploys a test pod that triggers the policy from within the cluster, collects the results, and exits non-zero on failure. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add Dockerfile.policytest and a `make image-policytest` target that build an image bundling the tetra CLI and the contrib/tester-progs trigger binaries, so a test pod can run policy tests in-cluster. Signed-off-by: Tam Mach <tam.mach@cilium.io>
A default install serves the gRPC API over mutual TLS. The orchestrator copies the agent's TLS secret into the test namespace and mounts it so the in-pod client can authenticate; run --kube gains --tls-secret and --tls-server-name flags. Pod logs interleave the runner's stderr with its result output, so the results are prefixed with a marker that the orchestrator extracts. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add examples/policytest/rbac.yaml with the minimum permissions the cluster runner needs: manage the test pod and copied TLS secret in the test namespace, and discover the agent and read its TLS secret in the agent namespace. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Add a contribution-guide page covering how run --kube works, its prerequisites (the policytest image and RBAC), an example run, and the gRPC mTLS flags. Signed-off-by: Tam Mach <tam.mach@cilium.io>
Build the policytest image in the e2e workflow, guarded to the policytest test package and to amd64 (its 32-bit tester program needs a cross-compiler before the image can build on arm64). Signed-off-by: Tam Mach <tam.mach@cilium.io>
Run a benign policy test from a test pod via the cluster orchestration and assert it passes. An existing-Tetragon mode skips install so a running cluster is left untouched. Signed-off-by: Tam Mach <tam.mach@cilium.io>
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes
Description
Changelog