Skip to content

Commit

Permalink
gen matrix
Browse files Browse the repository at this point in the history
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
  • Loading branch information
eddycharly committed Aug 28, 2024
1 parent 08f1477 commit 1b012ee
Showing 1 changed file with 42 additions and 34 deletions.
76 changes: 42 additions & 34 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,40 +29,48 @@ jobs:
- name: v1.29
version: v1.29.2
tests:
- ^argo$
- ^aws$
- ^best-practices$
- ^castai$
- ^cert-manager$
- ^cleanup$
- ^consul$
- ^external-secret-operator$
- ^flux$
- ^istio$
- ^karpenter$
- ^kasten$
- ^kubecost$
- ^kubeops$
- ^kubevirt$
- ^linkerd$
- ^nginx-ingress$
- ^openshift$
- ^other$/^a
- ^other$/^[b-d]
- ^other$/^[e-l]
- ^other$/^[m-q]
- ^other$/^re[c-q]
- ^other$/^res
- ^other$/^[s-z]
- ^pod-security$
- ^psa$
- ^psp-migration$
- ^psp-migration-cel$
- ^tekton$
- ^tekton-cel$
- ^traefik$
- ^velero$
- ^velero-cel$
- ^argo$/^(application-field-validation|application-prevent-default-project|application-prevent-updates-project|applicationset-name-matches-project|appproject-clusterresourceblacklist|argo-cluster-generation-from-rancher-capi)$
- ^aws$/^(require-encryption-aws-loadbalancers)$
- ^best-practices$/^(add-network-policy|add-networkpolicy-dns|add-ns-quota|add-rolebinding|add-safe-to-evict|disallow-cri-sock-mount|disallow-default-namespace|disallow-empty-ingress-host|disallow-helm-tiller|disallow-latest-tag|require-drop-all|require-drop-cap-net-raw|require-labels)$
- ^best-practices$/^(require-pod-requests-limits|require-probes|require-ro-rootfs|restrict-image-registries|restrict-node-port|restrict-service-external-ips)$
- ^castai$/^(add-castai-removal-disabled)$
- ^cert-manager$/^(limit-dnsnames|limit-duration|restrict-issuer)$
- ^cleanup$/^(cleanup-bare-pods|cleanup-empty-replicasets)$
- ^consul$/^(enforce-min-tls-version)$
- ^external-secret-operator$/^(add-external-secret-prefix)$
- ^flux$/^(generate-flux-multi-tenant-resources|verify-flux-images|verify-flux-sources|verify-git-repositories)$
- ^istio$/^(add-ambient-mode-namespace|add-sidecar-injection-namespace|create-authorizationpolicy|enforce-ambient-mode-namespace|enforce-sidecar-injection-namespace|enforce-strict-mtls|enforce-tls-hosts-host-subnets|prevent-disabling-injection-pods|require-authorizationpolicy|restrict-virtual-service-wildcard|service-mesh-disallow-capabilities|service-mesh-require-run-as-nonroot)$
- ^karpenter$/^(add-karpenter-daemonset-priority-class|add-karpenter-donot-evict|add-karpenter-nodeselector|set-karpenter-non-cpu-limits)$
- ^kasten$/^(kasten-3-2-1-backup|kasten-data-protection-by-label|kasten-generate-policy-by-preset-label|kasten-hourly-rpo|kasten-minimum-retention|kasten-validate-ns-by-preset-label)$
- ^kubecost$/^(enable-kubecost-continuous-rightsizing|require-kubecost-labels)$
- ^kubeops$/^(config-syncer-secret-generation-from-rancher-capi)$
- ^kubevirt$/^(add-services|enforce-instancetype)$
- ^linkerd$/^(add-linkerd-mesh-injection|add-linkerd-policy-annotation|check-linkerd-authorizationpolicy|prevent-linkerd-pod-injection-override|prevent-linkerd-port-skipping|require-linkerd-mesh-injection|require-linkerd-server)$
- ^nginx-ingress$/^(disallow-ingress-nginx-custom-snippets|restrict-annotations|restrict-ingress-paths)$
- ^openshift$/^(check-routes|disallow-security-context-constraint-anyuid|disallow-self-provisioner-binding)$
- ^other$/^(add-certificates-volume|add-default-resources|add-default-securitycontext|add-emptydir-sizelimit|add-env-vars-from-cm|add-image-as-env-var|add-imagepullsecrets|add-imagepullsecrets-for-containers-and-initcontainers|add-labels|add-ndots|add-node-affinity|add-node-labels-pod|add-nodeSelector)$
- ^other$/^(add-pod-priorityclassname|add-pod-proxies|add-tolerations|add-ttl-jobs|add-volume-deployment|advanced-restrict-image-registries|allowed-annotations|allowed-base-images|allowed-image-repos|allowed-label-changes|allowed-pod-priorities|always-pull-images|annotate-base-images)$
- ^other$/^(apply-pss-restricted-profile|audit-event-on-delete|audit-event-on-exec|block-cluster-admin-from-ns|block-ephemeral-containers|block-images-with-volumes|block-large-images|block-pod-exec-by-namespace|block-pod-exec-by-namespace-label|block-pod-exec-by-pod-and-container|block-pod-exec-by-pod-label|block-pod-exec-by-pod-name|block-stale-images)$
- ^other$/^(block-updates-deletes|check-env-vars|check-hpa-exists|check-nvidia-gpu|check-serviceaccount|check-serviceaccount-secrets|check-subjectaccessreview|check-vpa-configuration|concatenate-configmaps|copy-namespace-labels|create-default-pdb|create-pod-antiaffinity|deny-commands-in-exec-probe)$
- ^other$/^(deny-secret-service-account-token-type|deployment-replicas-higher-than-pdb|disable-automountserviceaccounttoken|disable-service-discovery|disallow-all-secrets|disallow-localhost-services|disallow-secrets-from-env-vars|dns-policy-and-dns-config|docker-socket-requires-label|enforce-pod-duration|enforce-resources-as-ratio|ensure-probes-different|ensure-production-matches-staging)$
- ^other$/^(ensure-readonly-hostpath|exclude-namespaces-dynamically|forbid-cpu-limits|generate-networkpolicy-existing|get-debug-information|imagepullpolicy-always|ingress-host-match-tls|inject-env-var-from-image-label|inject-sidecar-deployment|inspect-csr|kubernetes-version-check|label-existing-namespaces|label-nodes-cri)$
- ^other$/^(limit-configmap-for-sa|limit-containers-per-pod|limit-hostpath-type-pv|limit-hostpath-vols|memory-requests-equal-limits|metadata-match-regex|mitigate-log4shell|mutate-large-termination-gps|mutate-pod-binding|namespace-inventory-check|nfs-subdir-external-provisioner-storage-path|only-trustworthy-registries-set-root|pdb-maxunavailable)$
- ^other$/^(pdb-maxunavailable-with-deployments|pdb-minavailable|policy-for-exceptions|prepend-image-registry|prevent-bare-pods|prevent-cr8escape|prevent-duplicate-hpa|prevent-duplicate-vpa|protect-node-taints|record-creation-details|refresh-env-var-in-pod|refresh-volumes-in-pods|remove-hostpath-volumes)$
- ^other$/^(remove-serviceaccount-token|replace-image-registry|replace-image-registry-with-harbor|replace-ingress-hosts|require-annotations|require-base-image|require-container-port-names|require-cpu-limits|require-deployments-have-multiple-replicas|require-emptydir-requests-limits|require-image-checksum|require-image-source|require-imagepullsecrets)$
- ^other$/^(require-ingress-https|require-netpol|require-non-root-groups|require-pdb|require-pod-priorityclassname|require-qos-burstable|require-qos-guaranteed|require-reasonable-pdbs|require-replicas-allow-disruption|require-storageclass|require-unique-external-dns|require-unique-service-selector|require-unique-uid-per-workload)$
- ^other$/^(resolve-image-to-digest|resource-creation-updating-denied|restart-deployment-on-secret-change|restrict-annotations|restrict-automount-sa-token|restrict-binding-clusteradmin|restrict-binding-system-groups|restrict-clusterrole-csr|restrict-clusterrole-mutating-validating-admission-webhooks|restrict-clusterrole-nodesproxy|restrict-controlplane-scheduling|restrict-deprecated-registry|restrict-escalation-verbs-roles)$
- ^other$/^(restrict-ingress-classes|restrict-ingress-defaultbackend|restrict-ingress-host|restrict-ingress-wildcard|restrict-jobs|restrict-loadbalancer|restrict-networkpolicy-empty-podselector|restrict-node-affinity|restrict-node-label-changes|restrict-node-label-creation|restrict-node-selection|restrict-pod-controller-serviceaccount-updates|restrict-sa-automount-sa-token)$
- ^other$/^(restrict-secret-role-verbs|restrict-secrets-by-label|restrict-secrets-by-name|restrict-service-port-range|restrict-storageclass|restrict-usergroup-fsgroup-id|restrict-wildcard-resources|restrict-wildcard-verbs|scale-deployment-zero|spread-pods-across-topology|sync-secrets|topologyspreadconstraints-policy|unique-ingress-host-and-path)$
- ^other$/^(unique-ingress-paths|update-image-tag|verify-vpa-target)$
- ^pod-security$/^baseline$/^(disallow-capabilities|disallow-host-namespaces|disallow-host-path|disallow-host-ports|disallow-host-ports-range|disallow-host-process|disallow-privileged-containers|disallow-proc-mount|disallow-selinux|restrict-apparmor-profiles|restrict-seccomp|restrict-sysctls)$
- ^pod-security$/^restricted$/^(disallow-capabilities-strict|disallow-privilege-escalation|require-run-as-non-root-user|require-run-as-nonroot|restrict-seccomp-strict|restrict-volume-types)$
- ^pod-security$/^subrule$/^restricted$/^(restricted-exclude-capabilities|restricted-exclude-seccomp|restricted-latest)$
- ^psa$/^(add-privileged-existing-namespaces|add-psa-labels|add-psa-namespace-reporting|deny-privileged-profile)$
- ^psp-migration$/^(add-apparmor|add-capabilities|add-runtimeClassName|check-supplemental-groups|restrict-adding-capabilities|restrict-runtimeClassName)$
- ^tekton$/^(block-tekton-task-runs|require-tekton-bundle|require-tekton-namespace-pipelinerun)$
- ^traefik$/^(disallow-default-tlsoptions)$
- ^velero$/^(backup-all-volumes|block-velero-restore|validate-cron-schedule)$
- ^windows-security$/^(require-run-as-containeruser)$
runs-on: ubuntu-latest
name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
steps:
Expand Down

0 comments on commit 1b012ee

Please sign in to comment.