Validate configuration changes #1734

Closed
ameukam opened this issue Feb 27, 2021 · 15 comments
Labels
  • area/access: Define who has access to what via IAM bindings, role bindings, policy, etc.
  • area/infra: Infrastructure management, infrastructure design, code in infra/
  • area/prow: Setting up or working with prow in general, prow.k8s.io, prow build clusters
  • lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
  • priority/important-longterm: Important over the long term, but may not be staffed and/or may need multiple releases to complete.
  • sig/k8s-infra: Categorizes an issue or PR as relevant to SIG K8s Infra.
  • sig/testing: Categorizes an issue or PR as relevant to SIG Testing.

Comments

@ameukam
Member

ameukam commented Feb 27, 2021

If possible, any configuration change introduced should be validated with presubmit prowjobs.

There are different tools we can explore:

  • Globally, define policies with rego language and enforce them with Open Policy Agent
  • Kubernetes resources validation with conftest (also based on rego)

/priority backlog

@k8s-ci-robot k8s-ci-robot added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Feb 27, 2021
@ameukam
Member Author

ameukam commented Feb 27, 2021

cc @spiffxp

@spiffxp
Member

spiffxp commented Feb 27, 2021

Was literally just about to file this issue, thank you!

/remove-priority backlog
/priority important-longterm
/sig testing
/area access
/area cluster-mgmt
/area cluster-infra

@k8s-ci-robot k8s-ci-robot added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/testing Categorizes an issue or PR as relevant to SIG Testing. area/access Define who has access to what via IAM bindings, role bindings, policy, etc. area/cluster-mgmt area/infra Infrastructure management, infrastructure design, code in infra/ and removed priority/backlog Higher priority than priority/awaiting-more-evidence. labels Feb 27, 2021
@spiffxp
Member

spiffxp commented Feb 27, 2021

/area prow

@k8s-ci-robot k8s-ci-robot added the area/prow Setting up or working with prow in general, prow.k8s.io, prow build clusters label Feb 27, 2021
@spiffxp
Member

spiffxp commented Feb 27, 2021

Presubmits we have thus far:

  • sig-release:
    • if /k8s.gcr.io/**/{images,promoter-manifest}.yaml changes
      • pull-k8sio-cip: dry-run container image promoter
      • pull-k8sio-cip-vuln: (for vuln-check-test branch) dry-run container image promoter with vuln-severity-threshold=1
    • if /infra/gcp/backup_tools changes
      • run infra/gcp/backup_tools/backup_test
  • sig-contribex:
    • if /groups changes
      • pull-k8sio-groups-test: run cd groups && go test (some policy enforcement)
  • sig-testing:
    • pull-k8sio-yamllint: verifies all yaml in this repo is valid yaml (could enforce style conventions)

@spiffxp
Member

spiffxp commented Feb 27, 2021

  • Globally, define policies with rego language and enforce them with Open Policy Agent
  • Kubernetes resources validation with conftest (also based on rego)

Really, really good idea. Way more interested in conftest as a starting point, seems like basically any YAML is fair game.

I am pretty interested in how much this could allow us to share enforcement logic at different phases in our deployment lifecycle, eg: presubmit, admission, etc.

@ameukam
Member Author

ameukam commented Feb 27, 2021

Also, since 0.13, Terraform has an embedded mechanism for variable validation: https://www.hashicorp.com/blog/custom-variable-validation-in-terraform-0-13.

ameukam added a commit to ameukam/k8s.io that referenced this issue Mar 4, 2021
Add policies written in [rego](https://www.openpolicyagent.org/docs/latest/policy-language/)
that validate the Kubernetes resource configuration of the community
infrastructure. Only the Ingress resources are covered.
This is heavily inspired by https://github.com/deliveryhero/helm-charts/tree/master/ci/helm-conftest-policies.
[conftest](https://github.com/open-policy-agent/conftest) will be run
against those policies.

Ref: kubernetes#1734

Signed-off-by: Arnaud Meukam <[email protected]>
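
The kind of conftest policy this commit describes, written here as an added example that is neither the k8s.io repository's policy nor ameukam's commit: it denies an Ingress that serves a host without a matching spec.tls entry, that uses a wildcard or missing host, or that is not pinned to an ingress class. The package name, the constructed `demo` ingress, the `nginx` class and the class-pinning convention itself are assumptions for the example; the two `test_` rules embed constructed input so `conftest verify` exercises the policy offline.

```rego
package main

import rego.v1

# Added example policy (not the k8s.io repository's own). conftest evaluates
# each YAML document of the files it is given as `input` and reports every
# message collected in `deny`. `import rego.v1` needs OPA >= 0.59 (or a
# conftest release built on it); older conftest expects the pre-1.0 syntax.

# Only networking.k8s.io Ingresses; the extensions/v1beta1 form was removed
# in Kubernetes 1.22.
is_ingress if {
	input.kind == "Ingress"
	startswith(input.apiVersion, "networking.k8s.io/")
}

# True when some spec.tls entry lists the host.
tls_covers(host) if {
	some tls in input.spec.tls
	host in tls.hosts
}

# Every host must be served over TLS: a rule whose host is absent from
# spec.tls is reachable over plain HTTP.
deny contains msg if {
	is_ingress
	some rule in input.spec.rules
	not tls_covers(rule.host)
	msg := sprintf("Ingress %q: host %q has no spec.tls entry", [input.metadata.name, rule.host])
}

# Wildcard hosts match every subdomain, including ones nobody intended to
# expose through this ingress.
deny contains msg if {
	is_ingress
	some rule in input.spec.rules
	startswith(rule.host, "*")
	msg := sprintf("Ingress %q: wildcard host %q is not allowed", [input.metadata.name, rule.host])
}

# A rule without a host matches any Host header the controller sees.
deny contains msg if {
	is_ingress
	some rule in input.spec.rules
	not rule.host
	msg := sprintf("Ingress %q: a rule has no explicit host", [input.metadata.name])
}

# Assumed convention: pin every Ingress to a class so the cluster-default
# controller cannot silently pick it up.
deny contains msg if {
	is_ingress
	not input.spec.ingressClassName
	not input.metadata.annotations["kubernetes.io/ingress.class"]
	msg := sprintf("Ingress %q: neither spec.ingressClassName nor the kubernetes.io/ingress.class annotation is set", [input.metadata.name])
}

# Constructed sample documents for `conftest verify`: the first Ingress has
# no TLS, a wildcard host and no class, so three deny messages are expected;
# the second satisfies every rule.
test_plain_http_wildcard_ingress_denied if {
	count(deny) == 3 with input as {
		"apiVersion": "networking.k8s.io/v1",
		"kind": "Ingress",
		"metadata": {"name": "demo"},
		"spec": {"rules": [{"host": "*.example.org"}]},
	}
}

test_tls_pinned_ingress_allowed if {
	count(deny) == 0 with input as {
		"apiVersion": "networking.k8s.io/v1",
		"kind": "Ingress",
		"metadata": {"name": "demo"},
		"spec": {
			"ingressClassName": "nginx",
			"tls": [{"hosts": ["k8s.example.org"], "secretName": "demo-tls"}],
			"rules": [{"host": "k8s.example.org"}],
		},
	}
}
```

With the file saved as, say, `policy/ingress.rego`, `conftest verify -p policy/` runs the two embedded tests and `conftest test -p policy/ path/to/manifests.yaml` checks real manifests; both exit non-zero on a failure, which is what makes them usable as a presubmit.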
ameukam added a commit to ameukam/k8s.io that referenced this issue Mar 4, 2021
Add policies written in [rego](https://www.openpolicyagent.org/docs/latest/policy-language/) that validate Kubernetes resources. Only the Ingresses are covered.
This is heavily inspired by https://github.com/deliveryhero/helm-charts/tree/master/ci/helm-conftest-policies.
[conftest](https://github.com/open-policy-agent/conftest) will be run against those policies.

Ref: kubernetes#1734

Signed-off-by: Arnaud Meukam <[email protected]>
ameukam added a commit to ameukam/k8s.io that referenced this issue Mar 8, 2021
ameukam added a commit to ameukam/k8s.io that referenced this issue Mar 26, 2021
ameukam added a commit to ameukam/test-infra that referenced this issue Apr 5, 2021
ameukam added a commit to ameukam/test-infra that referenced this issue Apr 5, 2021
ameukam added a commit to ameukam/test-infra that referenced this issue Apr 5, 2021
@ameukam
Member Author

ameukam commented Apr 16, 2021

/milestone v1.22

@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone Apr 16, 2021
@spiffxp
Member

spiffxp commented Jun 11, 2021

An update on where we're at.

We now have a container gcr.io/k8s-staging-infra-tools/k8s-infra:latest which is used by all of our CI jobs (ref: #2134 and kubernetes/test-infra#22463). This image is capable of running tools like conftest, opa and terraform.

We use this image to run a few sets of tests:

We've taken tentative steps toward extracting our configuration data into YAML (ref: #2188). We should spend some time deciding what we want this to look like.

Some ideas:

  • continue down the path of a custom home-grown schema
    • continue extracting hardcoded data out of infra/gcp/*.sh (lists of services, lists of buckets, shared constants, etc.)
    • shard infra.yaml into multiple yaml files
    • write non-bash code (e.g. go or python) to encode our schema
    • validate our schema (using aforementioned code, or conftest/opa)
  • example off-the-shelf tooling for configuration-as-code, e.g.

@ameukam
Member Author

ameukam commented Jun 11, 2021

example off-the-shelf tooling for configuration-as-code, e.g.

Also investigate https://cloud.google.com/config-connector/docs/overview

@spiffxp
Member

spiffxp commented Aug 4, 2021

/milestone v1.23

@k8s-ci-robot k8s-ci-robot modified the milestones: v1.22, v1.23 Aug 4, 2021
@k8s-ci-robot k8s-ci-robot added sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. and removed wg/k8s-infra labels Sep 29, 2021
@ameukam
Member Author

ameukam commented Dec 6, 2021

/milestone v1.24
/help wanted

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 6, 2022
@ameukam
Member Author

ameukam commented Mar 7, 2022

/remove-lifecycle stale
/lifecycle frozen
/milestone clear

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 7, 2022
@k8s-ci-robot k8s-ci-robot removed this from the v1.24 milestone Mar 7, 2022
@ameukam
Member Author

ameukam commented Dec 6, 2024

We are currently using ArgoCD for some deployments. We should probably revisit this in a new issue.
/close

@k8s-ci-robot
Contributor

@ameukam: Closing this issue.

In response to this:

We are currently using ArgoCD for some deployments. We should probably revisit this in a new issue.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Projects
Status: Done
Development

No branches or pull requests

4 participants