fix

.github/workflows/.reusable-integration-test.yml

@@ -96,7 +96,7 @@ jobs:
       matrix:
         integration-test-arg:
           [
-            "basic",
+            "rules",
           ]
     steps:
       - name: Checkout code
@@ -116,7 +116,7 @@ jobs:
           k8s-version: v1.25
       - name: Run test
         run: |
-          bash tests/integration/integration-test.sh "${{ matrix.integration-test-arg }}"
+          bash tests/integration/main.sh "${{ matrix.integration-test-arg }}"
       - name: Display semgr8s configuration
         if: always()
         run: |
@@ -169,7 +169,7 @@ jobs:
           k8s-version: ${{ matrix.k8s-version }}
       - name: Run pre-config and workload integration tests
         run: |
-          bash tests/integration/integration-test.sh "pre-and-workload"
+          bash tests/integration/main.sh "basic"
       - name: Display k8s state and logs if integration test failed
         if: failure()
         run: |
@@ -222,7 +222,7 @@ jobs:
           k8s-version: ${{ matrix.k8s-version }}
       - name: Run pre-config and workload integration tests
         run: |
-          bash tests/integration/integration-test.sh "pre-and-workload"
+          bash tests/integration/main.sh "basic"
       - name: Display k8s state and logs if integration test failed
         if: failure()
         run: |

README.md

@@ -99,30 +99,30 @@ Once all resources are in `READY` state, you have successfully installed semgr8s
 
 ### Testing
 
-Several test resources are provided under `tests/`.
-Semgr8s denies creating pods with insecure configuration according to the rules in `charts/semgr8s/rules`:
+Several test resources are provided under `tests/demo/`.
+For namespaces with label `semgr8s/validation=enabled`, Semgr8s denies creating pods with insecure configuration according to the rules in `charts/semgr8s/rules`:
 
 ```bash
-kubectl create -f tests/failing_deployment.yaml
+kubectl create -f tests/demo/failing_deployment.yaml
 ```
 <details>
   <summary>output</summary>
 
   ```bash
   namespace/test-semgr8s-failing created
-  Error from server: error when creating "tests/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: 
+  Error from server: error when creating "tests/demo/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: 
   * rules.allow-privilege-escalation-no-securitycontext
-  Error from server: error when creating "tests/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: 
+  Error from server: error when creating "tests/demo/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: 
   * rules.privileged-container
-  Error from server: error when creating "tests/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: 
+  Error from server: error when creating "tests/demo/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: 
   * rules.hostnetwork-pod
   ```
 </details>
 
 Securely configured resources on the other hand are permitted to the cluster:
 
 ```bash
-kubectl create -f tests/passing_deployment.yaml
+kubectl create -f tests/demo/passing_deployment.yaml
 ```
 <details>
   <summary>output</summary>
@@ -153,7 +153,7 @@ kubectl delete ns semgr8ns
 Test resources are deleted via:
 
 ```bash
-kubectl delete -f tests/
+kubectl delete -f tests/demo/
 ```
 <details>
   <summary>output</summary>
@@ -162,9 +162,9 @@ kubectl delete -f tests/
   namespace "test-semgr8s-failing" deleted
   namespace "test-semgr8s-passing" deleted
   pod "passing-testpod-1" deleted
-  Error from server (NotFound): error when deleting "tests/failing_deployment.yaml": pods "failing-testpod-1" not found
-  Error from server (NotFound): error when deleting "tests/failing_deployment.yaml": pods "failing-testpod-2" not found
-  Error from server (NotFound): error when deleting "tests/failing_deployment.yaml": pods "failing-testpod-3" not found
+  Error from server (NotFound): error when deleting "tests/demo/failing_deployment.yaml": pods "failing-testpod-1" not found
+  Error from server (NotFound): error when deleting "tests/demo/failing_deployment.yaml": pods "failing-testpod-2" not found
+  Error from server (NotFound): error when deleting "tests/demo/failing_deployment.yaml": pods "failing-testpod-3" not found
 
   ```
 </details>

charts/semgr8s/values.yaml

@@ -1,18 +1,16 @@
 deployment:
   replicaCount: 1
   image:
-    repository: ghcr.io/sse-secure-systems/semgr8s
+    repository: "{IMAGE}"
     pullPolicy: IfNotPresent
-    tag: ""
+    tag: "{TAG}"
   containerPort: 5000
   imagePullSecrets: []
   podAnnotations: {}
   podSecurityContext: {}
   securityContext: {}
-
 service:
   type: ClusterIP
   port: 443
-
 application:
   remoteRules: []

tests/integration/README.md

@@ -0,0 +1,14 @@
+# Run integration tests
+
+Use the cluster of your choice, e.g. [kind](https://kind.sigs.k8s.io/).
+Specify which semgr8s image is to be used as environment variable, e.g.:
+
+```bash
+export IMAGE=ghcr.io/sse-secure-systems/semgr8s
+export TAG=v0.1.0
+```
+
+Run the desired integration test via:
+```bash
+tests/integration/main.sh "basic"
+```

tests/integration/main.sh

@@ -22,9 +22,13 @@ cp charts/semgr8s/values.yaml charts/semgr8s/values.yaml.bak
 
 case $1 in
 "basic")
-	# testing basic functionality of all validators
+	# testing basic functionality
 	basic_integration_test
 	;;
+"basic")
+	# testing multiple pre-built rules
+	rules_integration_test
+	;;
 "restore")
 	restore
 	;;

tests/integration/scripts/rules.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+rules_integration_test() {
+	create_namespaces
+	update_with_file "basic"
+	install "make"
+	multi_test "rules"
+	uninstall "make"
+}

tests/integration/test_cases/basic.yaml

@@ -11,17 +11,9 @@ testCases:
   ref: 40_nosc_pod
   namespace: validatedns
   expected_msg: rules.allow-privilege-escalation-no-securitycontext
-- id: b-03
-  txt: Testing non-compliant privileged pod...
-  type: k8s-yaml
-  ref: 41_privileged_pod
-  namespace: validatedns
-  expected_msg: rules.privileged-container
-- id: b-04
-  txt: Testing non-compliant pod w/ access to host network...
-  type: k8s-yaml
-  ref: 42_hostnetwork_pod
-  namespace: validatedns
-  expected_msg: rules.hostnetwork-pod
 
-values: {}
+values:
+  deployment:
+    image:
+      repository: "${IMAGE}"
+      tag: "${TAG}"

tests/integration/test_cases/rules.yaml

@@ -0,0 +1,31 @@
+testCases:
+- id: r-01
+  txt: Testing compliant pod...
+  type: k8s-yaml
+  ref: 20_compliant_pod
+  namespace: validatedns
+  expected_msg: pod/compliant-pod created
+- id: r-02
+  txt: Testing non-compliant pod w/o securityContext...
+  type: k8s-yaml
+  ref: 40_nosc_pod
+  namespace: validatedns
+  expected_msg: rules.allow-privilege-escalation-no-securitycontext
+- id: r-03
+  txt: Testing non-compliant privileged pod...
+  type: k8s-yaml
+  ref: 41_privileged_pod
+  namespace: validatedns
+  expected_msg: rules.privileged-container
+- id: r-04
+  txt: Testing non-compliant pod w/ access to host network...
+  type: k8s-yaml
+  ref: 42_hostnetwork_pod
+  namespace: validatedns
+  expected_msg: rules.hostnetwork-pod
+
+values:
+  deployment:
+    image:
+      repository: "${IMAGE}"
+      tag: "${TAG}"