ci(gitlab): Check also for optional lint issues

2025-12-06 07:21:36 +01:00 · 2024-10-03 20:02:38 +02:00
parent b7faa24d76
commit 3a9468f04d
4 changed files with 33 additions and 10 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,7 @@
 ---
 include:
  - project: "${PROJECT_PATH_GITLAB_CONFIG_TOOLING}"
-    ref: "v2.3.4"
+    ref: "v2.4.2"
    file:
      - "ci/common/automr.yml"
      - "ci/common/lint.yml"
--- a/.gitlab/lint/lint-kyverno.yml
+++ b/.gitlab/lint/lint-kyverno.yml
@@ -27,7 +27,19 @@ lint-kyverno:
    - >
      node /app/opendesk-ci-cli/src/index.js generate-kyverno-env
      -d ${CI_PROJECT_DIR}/helmfile/environments
-    - "helmfile template -e test --include-needs > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
+    - "helmfile template -e test --include-needs --skip-tests > ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
+    - "cd ${CI_PROJECT_DIR}/.kyverno"
+    # Test optional
+    - >
+      node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
+      -d ${CI_PROJECT_DIR}/.kyverno
+      -t optional
+      -s manifest
+      -f opendesk.yaml
+      --skip-tests true
+      ${APP}
+    - "kyverno test . || true"
+    # Test required
    - >
      node /app/opendesk-ci-cli/src/index.js generate-kyverno-tests
      -d ${CI_PROJECT_DIR}/.kyverno
@@ -36,8 +48,5 @@ lint-kyverno:
      -f opendesk.yaml
      --skip-tests true
      ${APP}
-    - "node /app/opendesk-ci-cli/src/index.js filter-for-kinds -f ${CI_PROJECT_DIR}/.kyverno/opendesk.yaml"
-    - "cd ${CI_PROJECT_DIR}/.kyverno"
    - "kyverno test ."
-
 ...
--- a/.kyverno/policies/_policies.yaml
+++ b/.kyverno/policies/_policies.yaml
@@ -13,7 +13,7 @@ pod:
      - "DaemonSet"
  - name: "disallow-default-serviceaccount"
    rule: "disallow-default-serviceAccountName"
-    type: "required"
+    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
@@ -58,7 +58,7 @@ pod:
      - "DaemonSet"
  - name: "require-health-and-liveness-check"
    rule: "require-health-and-liveness-check"
-    type: "required"
+    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
@@ -158,7 +158,7 @@ pod:
      - "DaemonSet"
  - name: "require-containersecuritycontext"
    rule: "require-seccomp-profile"
-    type: "required"
+    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
@@ -176,7 +176,7 @@ pod:
      - "DaemonSet"
  - name: "require-containersecuritycontext"
    rule: "require-empty-seLinuxOptions"
-    type: "required"
+    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
@@ -285,7 +285,7 @@ pod:
      - "Ingress"
  - name: "template-replicas"
    rule: "template-replicas"
-    type: "required"
+    type: "optional"
    kinds:
      - "StatefulSet"
      - "Deployment"
--- a/.kyverno/policies/require-requests-limits.yaml
+++ b/.kyverno/policies/require-requests-limits.yaml
@@ -27,6 +27,20 @@ spec:
        message: "CPU and memory resource requests and limits are required."
        pattern:
          spec:
+            =(ephemeralContainers):
+              - resources:
+                  limits:
+                    memory: "?*"
+                  requests:
+                    cpu: "?*"
+                    memory: "?*"
+            =(initContainers):
+              - resources:
+                  limits:
+                    memory: "?*"
+                  requests:
+                    cpu: "?*"
+                    memory: "?*"
            containers:
              - resources:
                  limits: