ci(gitlab): Check also for optional lint issues

.gitlab-ci.yml

@@ -4,7 +4,7 @@
 ---
 include:
   - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.3.4"
+    ref: "v2.4.2"
     file:
       - "ci/common/automr.yml"
       - "ci/common/lint.yml"

.gitlab/lint/lint-kyverno.yml

@@ -27,7 +27,19 @@ lint-kyverno:
     - >
       node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
       -d ${CI_PROJECT_DIR}/helmfile/environments
-    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
+    - "helmfile template -e test --include-needs --skip-tests > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
+    - "cd ${CI_PROJECT_DIR}/.kyverno"
+    # Test optional
+    - >
+      node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
+      -d ${CI_PROJECT_DIR}/.kyverno
+      -t optional
+      -s manifest
+      -f opendesk.yaml
+      --skip-tests true
+      ${APP}
+    - "kyverno test . || true"
+    # Test required
     - >
       node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
       -d ${CI_PROJECT_DIR}/.kyverno
@@ -36,8 +48,5 @@ lint-kyverno:
       -f opendesk.yaml
       --skip-tests true
       ${APP}
-    - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
-    - "cd ${CI_PROJECT_DIR}/.kyverno"
     - "kyverno test ."
-
 ...

.kyverno/policies/_policies.yaml

@@ -13,7 +13,7 @@ pod:
       - "DaemonSet"
   - name: "disallow-default-serviceaccount"
     rule: "disallow-default-serviceAccountName"
-    type: "required"
+    type: "optional"
     kinds:
       - "StatefulSet"
       - "Deployment"
@@ -58,7 +58,7 @@ pod:
       - "DaemonSet"
   - name: "require-health-and-liveness-check"
     rule: "require-health-and-liveness-check"
-    type: "required"
+    type: "optional"
     kinds:
       - "StatefulSet"
       - "Deployment"
@@ -158,7 +158,7 @@ pod:
       - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-seccomp-profile"
-    type: "required"
+    type: "optional"
     kinds:
       - "StatefulSet"
       - "Deployment"
@@ -176,7 +176,7 @@ pod:
       - "DaemonSet"
   - name: "require-containersecuritycontext"
     rule: "require-empty-seLinuxOptions"
-    type: "required"
+    type: "optional"
     kinds:
       - "StatefulSet"
       - "Deployment"
@@ -285,7 +285,7 @@ pod:
       - "Ingress"
   - name: "template-replicas"
     rule: "template-replicas"
-    type: "required"
+    type: "optional"
     kinds:
       - "StatefulSet"
       - "Deployment"

.kyverno/policies/require-requests-limits.yaml

@@ -27,6 +27,20 @@ spec:
         message: "CPU and memory resource requests and limits are required."
         pattern:
           spec:
+            =(ephemeralContainers):
+              - resources:
+                  limits:
+                    memory: "?*"
+                  requests:
+                    cpu: "?*"
+                    memory: "?*"
+            =(initContainers):
+              - resources:
+                  limits:
+                    memory: "?*"
+                  requests:
+                    cpu: "?*"
+                    memory: "?*"
             containers:
               - resources:
                   limits: