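name: Kyverno Policy CI

# NOTE(review): third-party actions below are referenced by tag (@v4, @v0.2.0).
# For supply-chain integrity pin each to a full commit SHA and let a bot
# (e.g. Dependabot/Renovate) bump them; tags are mutable.

on:
  pull_request:
    branches:
      - main
    paths:
      - 'policies/**'
      - 'k8s/**'
      - 'helm/**'
  push:
    branches:
      - main
    paths:
      - 'policies/**'
      # NOTE(review): the deploy job installs the chart from
      # ./05-variables/03-templates/kyverno-policies, which no path filter
      # covers — a change to the chart alone will not trigger a deploy.
      # Add that path here if that is not intended.

# Least privilege for GITHUB_TOKEN: nothing in this workflow pushes to the
# repository. Jobs that need more (PR commenting) raise it locally.
permissions:
  contents: read

# Single source of truth for tool versions so every job uses the same CLI.
env:
  KYVERNO_CLI_VERSION: 'v1.11.4'
  HELM_VERSION: 'v3.14.0'

jobs:
  # -------------------------------------------------------
  # JOB 1: Lint and test the policies
  # -------------------------------------------------------
  test-policies:
    name: Test Kyverno Policies
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # This job never pushes; do not leave the token in .git/config.
          persist-credentials: false

      - name: Install Kyverno CLI
        uses: kyverno/action-install-cli@v0.2.0
        with:
          release: ${{ env.KYVERNO_CLI_VERSION }}

      - name: Verify Kyverno CLI
        run: kyverno version

      - name: Lint policies (validate YAML structure)
        # kubectl comes from the ubuntu-latest runner image. --dry-run=client
        # only checks that each file parses as a Kubernetes object.
        # NOTE(review): a client-side dry run may still need API discovery;
        # if this step fails without a cluster, switch to a schema-only
        # validator. The original grep on "error" would have masked that.
        run: |
          set -o pipefail
          : > lint-results.txt
          status=0
          # Evaluate every file individually and keep going, so one broken
          # policy does not hide the others; `find -exec` swallowed the exit code.
          while IFS= read -r -d '' file; do
            echo "==> $file" | tee -a lint-results.txt
            if ! kubectl apply --dry-run=client -f "$file" 2>&1 | tee -a lint-results.txt; then
              status=1
            fi
          done < <(find policies/ -name '*.yaml' -print0)
          # Belt and braces: also fail on error text, as before.
          if grep -q "error\|Error" lint-results.txt; then
            status=1
          fi
          exit "$status"

      - name: Run Kyverno tests
        run: |
          # pipefail makes the CLI's own exit status the primary gate; without
          # it the pipeline's status was that of `tee`, i.e. always 0.
          set -o pipefail
          kyverno test policies/ \
            --detailed-results \
            2>&1 | tee test-results.txt
          # NOTE(review): the checks below assume a specific summary-line format
          # of the pinned CLI version; verify them against its actual output.
          grep -q "Tests Summary" test-results.txt || exit 1
          grep "Passed" test-results.txt
          # Fail if there are any failed tests
          if grep -q "^Failed: [^0]" test-results.txt; then
            exit 1
          fi

      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: kyverno-test-results
          path: test-results.txt

  # -------------------------------------------------------
  # JOB 2: Validate Kubernetes manifests against the policies
  # -------------------------------------------------------
  validate-manifests:
    name: Validate K8s Manifests
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      # Needed only by the "Comment PR with violations" step.
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
          version: ${{ env.HELM_VERSION }}

      - name: Install Kyverno CLI
        uses: kyverno/action-install-cli@v0.2.0
        with:
          release: ${{ env.KYVERNO_CLI_VERSION }}

      - name: Generate manifests from Helm
        # NOTE(review): only the rendered Helm chart is evaluated; plain
        # manifests under k8s/** (a trigger path) are not checked here.
        run: |
          helm template my-app ./helm/my-app \
            -f helm/my-app/values-production.yaml \
            --namespace production \
            > /tmp/rendered-manifests.yaml

      - name: Validate manifests against policies
        run: |
          # Propagate the CLI's exit status through `tee` (see job 1).
          set -o pipefail
          kyverno apply policies/ \
            --resource /tmp/rendered-manifests.yaml \
            --detailed-results \
            --table \
            2>&1 | tee kyverno-apply-results.txt
          # Secondary gate on the table output; format-dependent, keep in sync
          # with the pinned CLI version.
          if grep -q "^| FAIL" kyverno-apply-results.txt; then
            exit 1
          fi

      - name: Comment PR with violations
        if: failure() && github.event_name == 'pull_request'
        # Best-effort reporting: the job is already failing. For PRs from forks
        # the token is read-only and this call is expected to be rejected.
        continue-on-error: true
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const file = 'kyverno-apply-results.txt';
            // `failure()` also fires when helm template or the CLI install
            // failed, i.e. before the results file exists.
            if (!fs.existsSync(file)) {
              core.warning(`${file} not found; an earlier step failed before policy evaluation`);
              return;
            }
            let results = fs.readFileSync(file, 'utf8');
            // Comment bodies are size-capped by the API; keep the tail, which
            // holds the summary.
            const limit = 60000;
            if (results.length > limit) {
              results = '... (truncated) ...\n' + results.slice(results.length - limit);
            }
            const body = `## ❌ Kyverno Policy Violations\n\n` +
              `Следующие манифесты нарушают политики безопасности:\n\n` +
              `\`\`\`\n${results}\`\`\`\n\n` +
              `Исправьте нарушения перед merge.`;
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });

  # -------------------------------------------------------
  # JOB 3: Deploy the policies to staging (main branch only)
  # -------------------------------------------------------
  deploy-staging:
    name: Deploy Policies to Staging
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: [test-policies, validate-manifests]
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    environment: staging
    # Serialize staging deploys; never cancel one that is mid-rollout.
    concurrency:
      group: deploy-staging
      cancel-in-progress: false
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
          # Same Helm as the validation job, instead of "whatever is latest".
          version: ${{ env.HELM_VERSION }}

      - name: Configure kubectl
        env:
          # Pass the secret via the environment instead of interpolating the
          # expression into the script body.
          STAGING_KUBECONFIG_B64: ${{ secrets.STAGING_KUBECONFIG }}
        run: |
          # Keep the decoded credential private to the runner user and out of
          # the world-readable /tmp.
          umask 077
          KUBECONFIG_PATH="$RUNNER_TEMP/kubeconfig"
          printf '%s' "$STAGING_KUBECONFIG_B64" | base64 -d > "$KUBECONFIG_PATH"
          echo "KUBECONFIG=$KUBECONFIG_PATH" >> "$GITHUB_ENV"

      - name: Deploy policies via Helm
        run: |
          helm upgrade --install kyverno-policies \
            ./05-variables/03-templates/kyverno-policies \
            --namespace kyverno \
            -f ./05-variables/03-templates/kyverno-policies/values-staging.yaml \
            --wait \
            --timeout 5m

      - name: Verify deployment
        # NOTE(review): the selector hard-codes the chart version label
        # (kyverno-policies-1.0.0); it will silently match nothing after a chart
        # bump. A release-instance label would be more stable if the chart sets one.
        run: |
          kubectl get clusterpolicies \
            -l helm.sh/chart=kyverno-policies-1.0.0 \
            -o wide

      - name: Remove kubeconfig
        # Do not leave cluster credentials on the runner after the job.
        if: always()
        run: rm -f "$RUNNER_TEMP/kubeconfig"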