How to update Kyverno Policies📜
Update dependencies📜
-
Create a development branch and merge request from the Gitlab issue or use the existing
renovate/ironbank
branch and existing MR created by Renovate. -
Kyervno Policies only uses a Gluon dependency. Validate it is on the latest version in
chart/Chart.yaml
then runhelm dependency update chart
. -
Append
-bb.x
to theversion
inchart/Chart.yaml
. -
Update
CHANGELOG.md
adding an entry for the new version and noting all changes (Example:Updated kubectl from x.x.x to x.x.x
). -
Generate the
README.md
updates by following the guide in gluon. -
Open an MR in “Draft” status ( or the Renovate created MR ) and validate that CI passes. This will perform a number of smoke tests against the package, but it is good to manually deploy to test some things that CI doesn’t. Follow the steps below for manual testing.
-
Test the package in a Big Bang pipeline using the instructions detailed here: test-package-against-bb and modify test-values with the settings from the Helm chart below:
Deploy Kyverno Policies using the Helm chart ( pointing to your branch )
istioOperator:
enabled: true
istio:
enabled: true
monitoring:
enabled: true
kyverno:
enabled: true
kyvernoPolicies:
git:
tag: null
branch: "renovate/ironbank" # Or your branch
enabled: true
You will want to install with: - Kyverno, Kyverno-Policies, and Kyverno-Reporter enabled - Istio enabled - Monitoring enabled
Manual Testing with Big Bang📜
NOTE: For these testing steps it is good to do them on both a clean install and an upgrade. For clean install, point kyvernoPolicies to your branch. For an upgrade do an install with kyvernoPolicies pointing to the latest tag, then perform a helm upgrade with kyverno pointing to your branch. Use the settings listed in above.
Checking Prometheus for Kyverno dashboards
- Login to Prometheus, validate under Status
-> Targets
that all kyverno targets are showing as up
- Login to Grafana, then navigate to the Kyverno daskboard ( Dashboards > Browse > Kyverno ) and validate that the dashboard displays policy data
📌 NOTE: if using MacOS make sure that you have gnu sed installed and add it to your PATH variable GNU SED Instructions - [ ] Test secret sync in new namespace
- [ ] Delete the test resources# create secret in kyverno NS kubectl create secret generic \ -n kyverno kyverno-bbtest-secret \ --from-literal=username='username' \ --from-literal=password='password' # Create Kyverno Policy kubectl apply -f https://repo1.dso.mil/big-bang/product/packages/kyverno/-/raw/main/chart/tests/manifests/sync-secrets.yaml # Wait until the policy shows as ready before proceeding kubectl get clusterpolicy sync-secrets # Create a namespace with the correct label (essentially we are dry-running a namespace creation to get the yaml, adding the label, then applying) kubectl create namespace kyverno-bbtest --dry-run=client -o yaml | sed '/^metadata:/a\ \ labels: {"kubernetes.io/metadata.name": "kyverno-bbtest"}' | kubectl apply -f - # Check for the secret that should be synced - if it exists this test is successful kubectl get secrets kyverno-bbtest-secret -n kyverno-bbtest
# If above is successful, delete test resources kubectl delete -f https://repo1.dso.mil/big-bang/product/packages/kyverno/-/raw/main/chart/tests/manifests/sync-secrets.yaml kubectl delete secret kyverno-bbtest-secret -n kyverno kubectl delete ns kyverno-bbtest
- Once all testing is complete take your MR out of “Draft” status and add the review label on both the Issue and MR. When in doubt with any testing or upgrade steps, reach out to the CODEOWNERS for assistance.