fix: handle pod deletion in kubearmor controller #2033
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci-test-controllers | |
| on: | |
| pull_request: | |
| branches: | |
| - "main" | |
| paths: | |
| - "pkg/**" | |
| - ".github/workflows/ci-test-controllers.yml" | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| jobs: | |
| kubearmor-controller-test: | |
| name: Build and Test KubeArmorController Using Ginkgo | |
| runs-on: ubuntu-20.04 | |
| timeout-minutes: 30 | |
| env: | |
| RUNTIME: "containerd" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| submodules: true | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'KubeArmor/go.mod' | |
| - name: Check what paths were updated | |
| uses: dorny/paths-filter@v2 | |
| id: filter | |
| with: | |
| filters: | | |
| kubearmor: | |
| - "KubeArmor/**" | |
| - "protobuf/**" | |
| controller: | |
| - 'pkg/KubeArmorController/**' | |
| - name: Setup a Kubernetes environment | |
| run: ./.github/workflows/install-k3s.sh | |
| - name: Install the latest LLVM toolchain | |
| if: steps.filter.outputs.kubearmor == 'true' | |
| run: ./.github/workflows/install-llvm.sh | |
| - name: Compile libbpf | |
| if: steps.filter.outputs.kubearmor == 'true' | |
| run: ./.github/workflows/install-libbpf.sh | |
| - name: Generate KubeArmor artifacts | |
| if: steps.filter.outputs.kubearmor == 'true' | |
| run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh | |
| - name: Build KubeArmorController | |
| run: make -C pkg/KubeArmorController/ docker-build TAG=latest | |
| - name: Build Kubearmor-Operator | |
| working-directory: pkg/KubeArmorOperator | |
| run: | | |
| make docker-build | |
| - name: Install KubeArmor Latest and KubeArmorController using Helm | |
| timeout-minutes: 7 | |
| run: | | |
| # save images | |
| docker save kubearmor/kubearmor-controller:latest | sudo k3s ctr images import - | |
| docker save kubearmor/kubearmor-operator:latest | sudo k3s ctr images import - | |
| docker save kubearmor/kubearmor-snitch:latest | sudo k3s ctr images import - | |
| helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=latest | |
| kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator | |
| kubectl get pods -A | |
| # create kubearmorconfig | |
| if [[ ${{ steps.filter.outputs.kubearmor }} == 'true' ]]; then | |
| docker save kubearmor/kubearmor:latest | sudo k3s ctr images import - | |
| docker save kubearmor/kubearmor-init:latest | sudo k3s ctr images import - | |
| kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml --dry-run=client -o json | \ | |
| jq '.spec.kubearmorControllerImage.imagePullPolicy = "Never"' | \ | |
| kubectl apply -f - | |
| else | |
| # use latest kubearmor if no changes in kubearmor or protobuf dir | |
| kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml --dry-run=client -o json | \ | |
| jq '.spec.kubearmorControllerImage.imagePullPolicy = "Never" | .spec.kubearmorImage.imagePullPolicy = "Always" | .spec.kubearmorInitImage.imagePullPolicy = "Always"' | \ | |
| kubectl apply -f - | |
| fi | |
| kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test | |
| while [ ! "$(kubectl wait --timeout=5s --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor >/dev/null 2>&1; echo $?)" -eq 0 ]; do | |
| kubectl rollout status --timeout=5m deployment -n kubearmor -l kubearmor-app,kubearmor-app!=kubearmor-controller -n kubearmor | |
| kubectl rollout status --timeout=5m daemonset -l kubearmor-app=kubearmor -n kubearmor | |
| kubectl rollout status --timeout=5m deployment -n kubearmor -l kubearmor-app=kubearmor-controller -n kubearmor | |
| kubectl get pods -A | |
| done | |
| - name: Get KubeArmor POD info | |
| run: | | |
| DAEMONSET_NAME=$(kubectl get daemonset -n kubearmor -o jsonpath='{.items[0].metadata.name}') | |
| LABEL_SELECTOR=$(kubectl get daemonset $DAEMONSET_NAME -n kubearmor -o jsonpath='{.spec.selector.matchLabels}' | jq -r 'to_entries[] | "\(.key)=\(.value)"' | paste -sd, -) | |
| POD_NAME=$(kubectl get pods -n kubearmor -l "$LABEL_SELECTOR" -o jsonpath='{.items[*].metadata.name}') | |
| echo "Pod: $POD_NAME" | |
| echo "POD_NAME=$POD_NAME" >> $GITHUB_ENV | |
| sleep 15 | |
| kubectl get pods -A | |
| kubectl logs -n kubearmor "$POD_NAME" | |
| - name: Test KubeArmor using Ginkgo | |
| run: | | |
| go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo | |
| ginkgo --vv --flake-attempts=3 --timeout=10m blockposture/ | |
| working-directory: ./tests/k8s_env | |
| timeout-minutes: 30 | |
| - name: Controller logs | |
| if: ${{ failure() }} | |
| run: | | |
| kubectl logs -n kubearmor deployments/kubearmor-controller | |
| - name: Get karmor sysdump | |
| if: ${{ failure() }} | |
| run: | | |
| kubectl describe pod -n kubearmor -l kubearmor-app=kubearmor | |
| curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin | |
| mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump | |
| - name: Archive log artifacts | |
| if: ${{ failure() }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: kubearmor.logs | |
| path: | | |
| /tmp/kubearmor/ | |
| /tmp/kubearmor.* |