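name: Kyverno Policy CI

# Least privilege for the default GITHUB_TOKEN; a job that needs more
# (the PR-comment step in validate-manifests) requests it explicitly.
permissions:
  contents: read

on:
  pull_request:
    branches:
      - main
    paths:
      - 'policies/**'
      - 'k8s/**'
      - 'helm/**'
  push:
    branches:
      - main
    paths:
      - 'policies/**'
      # deploy-staging installs the chart from this path, so chart changes
      # pushed to main must also trigger the workflow
      - '05-variables/03-templates/kyverno-policies/**'

jobs:
  # -------------------------------------------------------
  # JOB 1: Lint and test the policies
  # -------------------------------------------------------
  test-policies:
    name: Test Kyverno Policies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # NOTE(review): every `uses:` in this file is pinned by tag; tags are
      # mutable, so pin to a full commit SHA for supply-chain safety.
      - name: Install Kyverno CLI
        uses: kyverno/action-install-cli@v0.2.0
        with:
          release: 'v1.11.4'

      - name: Verify Kyverno CLI
        run: kyverno version

      # NOTE(review): `kubectl apply --dry-run=client` still performs API
      # discovery on most kubectl versions; confirm this step passes on a
      # runner with no KUBECONFIG. `find -exec ... \;` ignores the exec'd
      # command's exit status, so the grep below is the actual pass/fail check.
      - name: Lint policies (validate YAML structure)
        run: |
          find policies/ -name '*.yaml' -exec kubectl apply \
            --dry-run=client -f {} \; 2>&1 | \
            grep -v "^$" | \
            tee lint-results.txt
          # Fail if any error lines were produced
          grep -q "error\|Error" lint-results.txt && exit 1 || exit 0

      # bash is set explicitly so the step runs with `-o pipefail`; the
      # implicit `bash -e` shell would let `tee` mask a failing `kyverno test`.
      - name: Run Kyverno tests
        shell: bash
        run: |
          kyverno test policies/ \
            --detailed-results \
            2>&1 | tee test-results.txt
          # Check that the test run completed
          grep -q "Tests Summary" test-results.txt || exit 1
          grep "Passed" test-results.txt
          # Fail if there are any Failed tests
          grep -q "^Failed: [^0]" test-results.txt && exit 1 || exit 0

      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: kyverno-test-results
          # both result files are kept for inspection even when a step fails
          path: |
            test-results.txt
            lint-results.txt

  # -------------------------------------------------------
  # JOB 2: Validate the Kubernetes manifests against the policies
  # -------------------------------------------------------
  validate-manifests:
    name: Validate K8s Manifests
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # required by the PR-comment step below
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
          version: 'v3.14.0'

      - name: Install Kyverno CLI
        uses: kyverno/action-install-cli@v0.2.0
        with:
          release: 'v1.11.4'

      - name: Generate manifests from Helm
        run: |
          helm template my-app ./helm/my-app \
            -f helm/my-app/values-production.yaml \
            --namespace production \
            > /tmp/rendered-manifests.yaml

      # `-o pipefail` (via shell: bash) makes a non-zero exit from
      # `kyverno apply` fail the step instead of being hidden by `tee`.
      - name: Validate manifests against policies
        shell: bash
        run: |
          kyverno apply policies/ \
            --resource /tmp/rendered-manifests.yaml \
            --detailed-results \
            --table \
            2>&1 | tee kyverno-apply-results.txt
          # Fail if any FAIL rows are present
          # NOTE(review): confirm FAIL is the first cell of the --table rows
          # in v1.11.4; if the status sits in a later column this never matches.
          grep -q "^| FAIL" kyverno-apply-results.txt && exit 1 || exit 0

      # Posts the captured kyverno output to the PR on failure only.
      - name: Comment PR with violations
        if: failure() && github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const results = fs.readFileSync('kyverno-apply-results.txt', 'utf8');
            const body = `## ❌ Kyverno Policy Violations\n\n` +
              `Следующие манифесты нарушают политики безопасности:\n\n` +
              `\`\`\`\n${results}\`\`\`\n\n` +
              `Исправьте нарушения перед merge.`;
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });

  # -------------------------------------------------------
  # JOB 3: Deploy the policies to staging (main branch only)
  # -------------------------------------------------------
  deploy-staging:
    name: Deploy Policies to Staging
    runs-on: ubuntu-latest
    needs: [test-policies, validate-manifests]
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    environment: staging
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Helm
        uses: azure/setup-helm@v4
        with:
          version: 'v3.14.0'  # same pin as validate-manifests

      # The secret is passed through the environment instead of being expanded
      # into the script text, so quotes or newlines in it cannot alter the
      # shell; pipefail makes a corrupt/empty secret fail here rather than at
      # the first kubectl call.
      - name: Configure kubectl
        shell: bash
        env:
          STAGING_KUBECONFIG_B64: ${{ secrets.STAGING_KUBECONFIG }}
        run: |
          umask 077  # the kubeconfig must not be readable by other users
          printf '%s' "$STAGING_KUBECONFIG_B64" | base64 -d > /tmp/kubeconfig
          echo "KUBECONFIG=/tmp/kubeconfig" >> "$GITHUB_ENV"

      - name: Deploy policies via Helm
        run: |
          helm upgrade --install kyverno-policies \
            ./05-variables/03-templates/kyverno-policies \
            --namespace kyverno \
            -f ./05-variables/03-templates/kyverno-policies/values-staging.yaml \
            --wait \
            --timeout 5m

      # NOTE(review): the label selector hard-codes the chart version
      # (kyverno-policies-1.0.0); it stops matching after a chart bump.
      - name: Verify deployment
        run: |
          kubectl get clusterpolicies \
            -l helm.sh/chart=kyverno-policies-1.0.0 \
            -o wide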