init

2026-04-08 20:22:14 +07:00
commit 34fbdd1412
96 changed files with 5321 additions and 0 deletions
--- a/07-advanced/01-cicd/.github/workflows/policy-ci.yaml
+++ b/07-advanced/01-cicd/.github/workflows/policy-ci.yaml
@@ -0,0 +1,154 @@
+name: Kyverno Policy CI
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'policies/**'
+      - 'k8s/**'
+      - 'helm/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'policies/**'
+
+jobs:
+  # -------------------------------------------------------
+  # JOB 1: Линтинг и тестирование политик
+  # -------------------------------------------------------
+  test-policies:
+    name: Test Kyverno Policies
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Kyverno CLI
+        uses: kyverno/action-install-cli@v0.2.0
+        with:
+          release: 'v1.11.4'
+
+      - name: Verify Kyverno CLI
+        run: kyverno version
+
+      - name: Lint policies (validate YAML structure)
+        run: |
+          find policies/ -name '*.yaml' -exec kubectl apply \
+            --dry-run=client -f {} \; 2>&1 | \
+            grep -v "^$" | \
+            tee lint-results.txt
+          # Завершиться с ошибкой если есть failures
+          grep -q "error\|Error" lint-results.txt && exit 1 || exit 0
+
+      - name: Run Kyverno tests
+        run: |
+          kyverno test policies/ \
+            --detailed-results \
+            2>&1 | tee test-results.txt
+          # Проверить что все тесты прошли
+          grep -q "Tests Summary" test-results.txt || exit 1
+          grep "Passed" test-results.txt
+          # Завершиться с ошибкой если есть Failed тесты
+          grep -q "^Failed: [^0]" test-results.txt && exit 1 || exit 0
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: kyverno-test-results
+          path: test-results.txt
+
+  # -------------------------------------------------------
+  # JOB 2: Проверка Kubernetes манифестов против политик
+  # -------------------------------------------------------
+  validate-manifests:
+    name: Validate K8s Manifests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: 'v3.14.0'
+
+      - name: Install Kyverno CLI
+        uses: kyverno/action-install-cli@v0.2.0
+        with:
+          release: 'v1.11.4'
+
+      - name: Generate manifests from Helm
+        run: |
+          helm template my-app ./helm/my-app \
+            -f helm/my-app/values-production.yaml \
+            --namespace production \
+            > /tmp/rendered-manifests.yaml
+
+      - name: Validate manifests against policies
+        run: |
+          kyverno apply policies/ \
+            --resource /tmp/rendered-manifests.yaml \
+            --detailed-results \
+            --table \
+            2>&1 | tee kyverno-apply-results.txt
+
+          # Завершиться с ошибкой если есть FAIL
+          grep -q "^| FAIL" kyverno-apply-results.txt && exit 1 || exit 0
+
+      - name: Comment PR with violations
+        if: failure() && github.event_name == 'pull_request'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const results = fs.readFileSync('kyverno-apply-results.txt', 'utf8');
+            const body = `## ❌ Kyverno Policy Violations\n\n` +
+              `Следующие манифесты нарушают политики безопасности:\n\n` +
+              `\`\`\`\n${results}\`\`\`\n\n` +
+              `Исправьте нарушения перед merge.`;
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: body
+            });
+
+  # -------------------------------------------------------
+  # JOB 3: Деплой политик в staging (только main ветка)
+  # -------------------------------------------------------
+  deploy-staging:
+    name: Deploy Policies to Staging
+    runs-on: ubuntu-latest
+    needs: [test-policies, validate-manifests]
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    environment: staging
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Configure kubectl
+        run: |
+          echo "${{ secrets.STAGING_KUBECONFIG }}" | \
+            base64 -d > /tmp/kubeconfig
+          echo "KUBECONFIG=/tmp/kubeconfig" >> $GITHUB_ENV
+
+      - name: Deploy policies via Helm
+        run: |
+          helm upgrade --install kyverno-policies \
+            ./05-variables/03-templates/kyverno-policies \
+            --namespace kyverno \
+            -f ./05-variables/03-templates/kyverno-policies/values-staging.yaml \
+            --wait \
+            --timeout 5m
+
+      - name: Verify deployment
+        run: |
+          kubectl get clusterpolicies \
+            -l helm.sh/chart=kyverno-policies-1.0.0 \
+            -o wide