minor: move deny-cabundle-changes Validating Admission Policy

What does this MR do and why?

This MR is a follow-up from the merge of !3779 (merged) and the discussion from !3802 (merged):

I would propose to:

  • for now put your VAP under kyverno-policies, for this MR (despite the naming mismatch)
  • once !3779 (merged) merges, move your VAP there

It simply aims at moving the Validating Admission Policy deny-cabundle-changes from the Kyverno directory to the validating-admission-policies components directory.

Test coverage

This was tested in a CAPO environment and the VAP / VAP binding is getting correctly deployed:

kubectl get validatingadmissionpolicies.admissionregistration.k8s.io
NAME                           VALIDATIONS   PARAMKIND   AGE
deny-cabundle-changes          1             <unset>     105s
disallow-default-namespace     1             <unset>     105s
disallow-latest-and-main-tag   1             <unset>     105s
ensure-force-cluster-policy    1             <unset>     105s
kubectl get validatingadmissionpolicybindings.admissionregistration.k8s.io
NAME                            POLICYNAME                     PARAMREF   AGE
deny-cabundle-changes-binding   deny-cabundle-changes          <unset>    112s
disallow-default-namespace      disallow-default-namespace     <unset>    112s
disallow-latest-and-main-tag    disallow-latest-and-main-tag   <unset>    112s
ensure-force-cluster-policy     ensure-force-cluster-policy    <unset>    112s

CI configuration

Below you can choose test deployment variants to run in this MR's CI.


Legend:

Icon | Meaning | Available values
☁️ | Infra Provider | capd, capo, capm3
🚀 | Bootstrap Provider | kubeadm (alias kadm), rke2
🐧 | Node OS | ubuntu, suse
🛠️ | Deployment Options | light-deploy, dev-sources, ha, misc, maxsurge-0
🎬 | Pipeline Scenarios | Available scenario list and description

  • 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu

  • 🎬 preview ☁️ capo 🚀 rke2 🐧 suse

  • 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu

  • ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu

  • ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse

  • ☁️ capo 🚀 rke2 🐧 suse

  • ☁️ capo 🚀 kadm 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capo 🚀 kadm 🎬 wkld-k8s-upgrade 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 suse

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🐧 suse

  • ☁️ capm3 🚀 kadm 🐧 ubuntu

  • ☁️ capm3 🚀 kadm 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 wkld-k8s-upgrade 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ misc,ha 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse

Global config for deployment pipelines

  • autorun pipelines
  • allow failure on pipelines
  • record sylvactl events

Notes:

  • Enabling autorun will make deployment pipelines run automatically without human interaction.
  • Disabling allow failure will make deployment pipelines mandatory for pipeline success.
  • If both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will block the pipeline.

Be aware: after a configuration change, the pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in the Pipelines tab) or push new code.

Edited by Marc Bailly
