From 8a5d13805a9ed8e13d6c0ba7c410d8bed8e536da Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Thu, 12 Oct 2023 20:35:23 +0800 Subject: [PATCH 01/27] add thresholds Signed-off-by: ShutingZhao --- k6/tests/kyverno-pss.js | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/k6/tests/kyverno-pss.js b/k6/tests/kyverno-pss.js index ed2ad48..8911dc2 100644 --- a/k6/tests/kyverno-pss.js +++ b/k6/tests/kyverno-pss.js @@ -17,6 +17,13 @@ import { buildKubernetesBaseUrl, generatePod, getParamsWithAuth, getTestNamespac const baseUrl = buildKubernetesBaseUrl(); const namespace = getTestNamespace(); +export const options = { + thresholds: { + http_req_failed: ['rate<0.01'], // http errors should be less than 1% + http_req_duration: ['p(95)<200'], // 95% of requests should be below 200ms + }, +}; + export default function() { const podName = `test-${randomString(8)}`; const pod = generatePod(podName); From 7fdda2384af64a66964537f2a39546d70d7d2c60 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 17 Oct 2023 17:37:50 +0800 Subject: [PATCH 02/27] add GH actions Signed-off-by: ShutingZhao --- .../actions/kyverno-wait-ready/action.yaml | 10 ++++ .github/actions/setup-test-env/action.yaml | 29 +++++++++++ .github/workflows/load-test.yaml | 29 +++++++++++ Makefile | 49 +++++++++++++++++++ configs/standard/values.yaml | 40 +++++++++++++++ 5 files changed, 157 insertions(+) create mode 100644 .github/actions/kyverno-wait-ready/action.yaml create mode 100644 .github/actions/setup-test-env/action.yaml create mode 100644 .github/workflows/load-test.yaml create mode 100644 Makefile create mode 100644 configs/standard/values.yaml diff --git a/.github/actions/kyverno-wait-ready/action.yaml b/.github/actions/kyverno-wait-ready/action.yaml new file mode 100644 index 0000000..edf36e3 --- /dev/null +++ b/.github/actions/kyverno-wait-ready/action.yaml 
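Review bot: The `http_req_failed: ['rate<0.01']` threshold relies on k6's default failure definition, under which any response outside 2xx/3xx counts as failed. If this test expects Kyverno to deny some of the generated pods, those denials will trip the threshold even though the policy behaved correctly; this is only a guess from the file name, because the default function's body continues outside the hunk. In that case declare the expected status codes with `http.setResponseCallback(http.expectedStatuses(...))`, or state in the comment that every request is expected to be admitted.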
@@ -0,0 +1,10 @@
+name: Kyverno pods ready
+
+description: Wait kyverno pods are ready
+
+runs:
+ using: composite
+ steps:
+ - shell: bash
+ run: |
+ kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
diff --git a/.github/actions/setup-test-env/action.yaml b/.github/actions/setup-test-env/action.yaml
new file mode 100644
index 0000000..c75800e
--- /dev/null
+++ b/.github/actions/setup-test-env/action.yaml
@@ -0,0 +1,29 @@
+name: Setup test env
+
+description: Create kind cluster, deploy kyverno, and wait pods are ready.
+
+inputs:
+ version:
+ description: kubernetes version
+ default: v1.27.3
+ free-disk-space:
+ description: free disk space
+ default: 'false'
+
+runs:
+ using: composite
+ steps:
+ - uses: jlumbroso/free-disk-space@76866dbe54312617f00798d1762df7f43def6e5c # v1.2.0
+ if: ${{ inputs.free-disk-space == 'true' }}
+ with:
+ tool-cache: true
+ android: true
+ dotnet: true
+ haskell: true
+ large-packages: false
+ swap-storage: false
+ - shell: bash
+ run: |
+ export KIND_IMAGE=kindest/node:${{ inputs.version }}
+ make kind-create-cluster kind-install-kyverno
+ - uses: ./.github/actions/kyverno-wait-ready
diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml
new file mode 100644
index 0000000..6bb2f02
--- /dev/null
+++ b/.github/workflows/load-test.yaml
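Review bot: In the setup-test-env action, `${{ inputs.version }}` is expanded into the `run:` script text before bash sees it, so whatever a calling workflow passes as `version` becomes part of the shell command rather than data. Pass it through the step environment instead: add `env:` with `KIND_IMAGE: kindest/node:${{ inputs.version }}` to the step and drop the `export` line, since the Makefile's `KIND_IMAGE ?=` already takes the value from the environment. The default `v1.27.3` is harmless; the concern is a later caller that forwards a value it does not control.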
@@ -0,0 +1,29 @@
+name: load-test
+
+permissions: {}
+
+on:
+ pull_request:
+ branches:
+ - 'main'
+ - 'add_threshold'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ run-load-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - name: Setup build env
+ uses: ./.github/actions/setup-test-env
+ timeout-minutes: 10
+ - name: Wait for kyverno ready
+ uses: ./.github/actions/kyverno-wait-ready
+ - name: Run local k6 test
+ uses: grafana/k6-action@v0.3.0
+ with:
+ filename: k6/tests/kyverno-pss.js 10 100
\ No newline at end of file
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..c5ce561
--- /dev/null
+++ b/Makefile
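Review bot: `grafana/k6-action@v0.3.0` is referenced by a mutable tag, while `actions/checkout` in this workflow and `jlumbroso/free-disk-space` in the composite action are pinned to full commit SHAs. Pin it the same way, `uses: grafana/k6-action@<full-commit-sha> # v0.3.0`, so that a re-tagged release cannot change what runs in CI. Separately, `filename: k6/tests/kyverno-pss.js 10 100` appears to carry two extra arguments inside the file name; if they are meant as VUs and iterations they should be passed separately rather than as part of `filename`.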
@@ -0,0 +1,49 @@
+############
+# DEFAULTS #
+############
+
+KIND_IMAGE ?= kindest/node:v1.27.3
+KIND_NAME ?= kind
+KIND_CONFIG ?= default
+
+#########
+# TOOLS #
+#########
+
+TOOLS_DIR := $(PWD)/.tools
+KIND := $(TOOLS_DIR)/kind
+KIND_VERSION := v0.20.0
+HELM := $(TOOLS_DIR)/helm
+HELM_VERSION := v3.12.3
+HELM_DOCS := $(TOOLS_DIR)/helm-docs
+HELM_DOCS_VERSION := v1.11.0
+
+$(KIND):
+ @echo Install kind... >&2
+ @GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kind@$(KIND_VERSION)
+
+$(HELM):
+ @echo Install helm... >&2
+ @GOBIN=$(TOOLS_DIR) go install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION)
+
+########
+# HELM #
+########
+
+.PHONY: helm-update-repo # Update Kyverno chart repository
+ @echo Install kyverno chart... >&2
+ @$(HELM) repo update
+
+########
+# KIND #
+########
+
+.PHONY: kind-create-cluster
+kind-create-cluster: $(KIND) ## Create kind cluster
+ @echo Create kind cluster... >&2
+ @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./scripts/config/kind/$(KIND_CONFIG).yaml
+
+.PHONY: kind-install-kyverno
+kind-install-kyverno: $(HELM) helm-update-repo ## Install kyverno helm chart
+ @echo Install kyverno chart... >&2
+ @$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait kyverno/kyverno --devel --values ./configs/standard/kyverno.yaml
\ No newline at end of file
diff --git a/configs/standard/values.yaml b/configs/standard/values.yaml
new file mode 100644
index 0000000..cd9d7a1
--- /dev/null
+++ b/configs/standard/values.yaml
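Review bot: The `kind-install-kyverno` recipe installs `kyverno/kyverno` with `--devel` and no `--version`, so each run takes whatever chart, pre-releases included, the repository serves that day, while kind and helm themselves are pinned through `KIND_VERSION` and `HELM_VERSION`. For a load test whose thresholds are meant to be compared between runs, add a chart pin such as `--version $(KYVERNO_CHART_VERSION)` with that new variable declared in the DEFAULTS block, and drop `--devel` unless pre-release charts are the intended target. The `tag: release-1.11` image tags in `configs/standard/values.yaml` (and in the later `configs/kyverno/values.yaml`) float in the same way; a release tag or digest would make what is being measured reproducible.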
@@ -0,0 +1,40 @@ +features: + admissionReports: + enabled: false + omitEvents: + eventTypes: + - PolicyViolation + - PolicyApplied + - PolicyError + - PolicySkipped + +admissionController: + + serviceMonitor: + enabled: true + + container: + image: + tag: release-1.11 + + resources: + limits: + memory: 2Gi + requests: + cpu: 1 + memory: 1Gi + +reportsController: + serviceMonitor: + enabled: true + + container: + image: + tag: release-1.11 + + resources: + limits: + memory: 10Gi + requests: + cpu: 1 + memory: 1Gi \ No newline at end of file From 801a1ec410080dac8638434c2cc720c060665c5e Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 17 Oct 2023 17:51:50 +0800 Subject: [PATCH 03/27] add KIND config files Signed-off-by: ShutingZhao --- Makefile | 4 +-- configs/kind/default.yaml | 36 ++++++++++++++++++++++ configs/kind/tracing.yaml | 56 ++++++++++++++++++++++++++++++++++ configs/kind/vap-v1alpha1.yaml | 40 ++++++++++++++++++++++++ configs/kind/vap-v1beta1.yaml | 41 +++++++++++++++++++++++++ configs/standard/values.yaml | 40 ------------------------ 6 files changed, 175 insertions(+), 42 deletions(-) create mode 100644 configs/kind/default.yaml create mode 100644 configs/kind/tracing.yaml create mode 100644 configs/kind/vap-v1alpha1.yaml create mode 100644 configs/kind/vap-v1beta1.yaml delete mode 100644 configs/standard/values.yaml diff --git a/Makefile b/Makefile index c5ce561..3a1ae7f 100644 --- a/Makefile +++ b/Makefile 
@@ -41,9 +41,9 @@ $(HELM): .PHONY: kind-create-cluster kind-create-cluster: $(KIND) ## Create kind cluster @echo Create kind cluster... >&2 - @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./scripts/config/kind/$(KIND_CONFIG).yaml + @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./config/kind/default.yaml .PHONY: kind-install-kyverno kind-install-kyverno: $(HELM) helm-update-repo ## Install kyverno helm chart @echo Install kyverno chart... >&2 - @$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait kyverno/kyverno --devel --values ./configs/standard/kyverno.yaml \ No newline at end of file + @$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait kyverno/kyverno --devel --values ./configs/kyverno/kyverno.yaml \ No newline at end of file diff --git a/configs/kind/default.yaml b/configs/kind/default.yaml new file mode 100644 index 0000000..9438061 --- /dev/null +++ b/configs/kind/default.yaml @@ -0,0 +1,36 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +kubeadmConfigPatches: + - |- + kind: ClusterConfiguration + controllerManager: + extraArgs: + bind-address: 0.0.0.0 + etcd: + local: + extraArgs: + listen-metrics-urls: http://0.0.0.0:2382 + scheduler: + extraArgs: + bind-address: 0.0.0.0 + - |- + kind: KubeProxyConfiguration + metricsBindAddress: 0.0.0.0 +nodes: + - role: control-plane + kubeadmConfigPatches: + - |- + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + hostPort: 80 + protocol: TCP + - containerPort: 443 + hostPort: 443 + protocol: TCP + - role: worker + - role: worker + - role: worker diff --git a/configs/kind/tracing.yaml b/configs/kind/tracing.yaml new file mode 100644 index 0000000..598a1af --- /dev/null +++ b/configs/kind/tracing.yaml 
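Review bot: The new `--config ./config/kind/default.yaml` drops `$(KIND_CONFIG)` from the `kind-create-cluster` recipe, so the `tracing.yaml`, `vap-v1alpha1.yaml` and `vap-v1beta1.yaml` files added by this same commit cannot be selected and the `KIND_CONFIG ?= default` setting no longer has any effect. The directory is also written `config/` while the files are created under `configs/kind/`. Keeping the variable covers both: `--config ./configs/kind/$(KIND_CONFIG).yaml`.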
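Review bot: `configs/kind/default.yaml` binds the controller-manager and scheduler to `0.0.0.0`, serves etcd metrics over plain HTTP on `0.0.0.0:2382`, and maps container ports 80 and 443 to the host without a `listenAddress`, which kind publishes on all host interfaces by default. That is tolerable on a throwaway CI runner but not on a developer workstation attached to a shared network, and nothing else in this series appears to use ingress. Either remove the `extraPortMappings` block or add `listenAddress: "127.0.0.1"` to each mapping, and add a comment saying why the wide metrics binds are needed, presumably for in-cluster scraping. The same blocks are repeated in `tracing.yaml`, `vap-v1alpha1.yaml` and `vap-v1beta1.yaml`.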
@@ -0,0 +1,56 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +kubeadmConfigPatches: + - |- + kind: ClusterConfiguration + apiServer: + extraVolumes: + - name: tracing-configuration + hostPath: /opt/kube-apiserver/tracing-configuration.yaml + mountPath: /opt/kube-apiserver/tracing-configuration.yaml + readOnly: true + pathType: File + extraArgs: + tracing-config-file: /opt/kube-apiserver/tracing-configuration.yaml + controllerManager: + extraArgs: + bind-address: 0.0.0.0 + etcd: + local: + extraArgs: + listen-metrics-urls: http://0.0.0.0:2382 + scheduler: + extraArgs: + bind-address: 0.0.0.0 + - |- + kind: KubeProxyConfiguration + metricsBindAddress: 0.0.0.0 + - |- + kind: KubeletConfiguration + featureGates: + KubeletTracing: true + tracing: + endpoint: localhost:4317 + samplingRatePerMillion: 1000000 +nodes: + - role: control-plane + kubeadmConfigPatches: + - |- + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraMounts: + - hostPath: ./scripts/config/kube-apiserver/tracing-configuration.yaml + containerPath: /opt/kube-apiserver/tracing-configuration.yaml + readOnly: true + extraPortMappings: + - containerPort: 80 + hostPort: 80 + protocol: TCP + - containerPort: 443 + hostPort: 443 + protocol: TCP + - role: worker + - role: worker + - role: worker diff --git a/configs/kind/vap-v1alpha1.yaml b/configs/kind/vap-v1alpha1.yaml new file mode 100644 index 0000000..b6d1c2a --- /dev/null +++ b/configs/kind/vap-v1alpha1.yaml 
@@ -0,0 +1,40 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +featureGates: + ValidatingAdmissionPolicy: true +runtimeConfig: + admissionregistration.k8s.io/v1alpha1: true +kubeadmConfigPatches: + - |- + kind: ClusterConfiguration + controllerManager: + extraArgs: + bind-address: 0.0.0.0 + etcd: + local: + extraArgs: + listen-metrics-urls: http://0.0.0.0:2382 + scheduler: + extraArgs: + bind-address: 0.0.0.0 + - |- + kind: KubeProxyConfiguration + metricsBindAddress: 0.0.0.0 +nodes: + - role: control-plane + kubeadmConfigPatches: + - |- + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + hostPort: 80 + protocol: TCP + - containerPort: 443 + hostPort: 443 + protocol: TCP + - role: worker + - role: worker + - role: worker diff --git a/configs/kind/vap-v1beta1.yaml b/configs/kind/vap-v1beta1.yaml new file mode 100644 index 0000000..8b9b433 --- /dev/null +++ b/configs/kind/vap-v1beta1.yaml @@ -0,0 +1,41 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +featureGates: + ValidatingAdmissionPolicy: true +runtimeConfig: + admissionregistration.k8s.io/v1beta1: true + admissionregistration.k8s.io/v1alpha1: true +kubeadmConfigPatches: + - |- + kind: ClusterConfiguration + controllerManager: + extraArgs: + bind-address: 0.0.0.0 + etcd: + local: + extraArgs: + listen-metrics-urls: http://0.0.0.0:2382 + scheduler: + extraArgs: + bind-address: 0.0.0.0 + - |- + kind: KubeProxyConfiguration + metricsBindAddress: 0.0.0.0 +nodes: + - role: control-plane + kubeadmConfigPatches: + - |- + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + hostPort: 80 + protocol: TCP + - containerPort: 443 + hostPort: 443 + protocol: TCP + - role: worker + - role: worker + - role: worker diff --git a/configs/standard/values.yaml b/configs/standard/values.yaml deleted file mode 100644 index cd9d7a1..0000000 
--- a/configs/standard/values.yaml +++ /dev/null @@ -1,40 +0,0 @@ -features: - admissionReports: - enabled: false - omitEvents: - eventTypes: - - PolicyViolation - - PolicyApplied - - PolicyError - - PolicySkipped - -admissionController: - - serviceMonitor: - enabled: true - - container: - image: - tag: release-1.11 - - resources: - limits: - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - -reportsController: - serviceMonitor: - enabled: true - - container: - image: - tag: release-1.11 - - resources: - limits: - memory: 10Gi - requests: - cpu: 1 - memory: 1Gi \ No newline at end of file From c267037a76f02536eb17a6f1a985e38f9a2f0988 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 17 Oct 2023 17:55:22 +0800 Subject: [PATCH 04/27] fix path Signed-off-by: ShutingZhao --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 3a1ae7f..1920319 100644 --- a/Makefile +++ b/Makefile @@ -41,7 +41,7 @@ $(HELM): .PHONY: kind-create-cluster kind-create-cluster: $(KIND) ## Create kind cluster @echo Create kind cluster... >&2 - @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./config/kind/default.yaml + @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./configs/kind/default.yaml .PHONY: kind-install-kyverno kind-install-kyverno: $(HELM) helm-update-repo ## Install kyverno helm chart From 281017df0b9e590f428301d8ec130a0cd3d5b9bd Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 17 Oct 2023 21:06:53 +0800 Subject: [PATCH 05/27] add kyverno chart Signed-off-by: ShutingZhao --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 1920319..7064236 100644 --- a/Makefile +++ b/Makefile 
@@ -30,9 +30,9 @@ $(HELM): # HELM # ######## -.PHONY: helm-update-repo # Update Kyverno chart repository +.PHONY: helm-add-repo # Update Kyverno chart repository @echo Install kyverno chart... >&2 - @$(HELM) repo update + @$(HELM) repo add kyverno https://kyverno.github.io/kyverno/ ######## # KIND # @@ -44,6 +44,6 @@ kind-create-cluster: $(KIND) ## Create kind cluster @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./configs/kind/default.yaml .PHONY: kind-install-kyverno -kind-install-kyverno: $(HELM) helm-update-repo ## Install kyverno helm chart +kind-install-kyverno: $(HELM) helm-add-repo ## Install kyverno helm chart @echo Install kyverno chart... >&2 @$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait kyverno/kyverno --devel --values ./configs/kyverno/kyverno.yaml \ No newline at end of file From 09072fab4eb75576b7332b15f4bc3487bc10258d Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 24 Oct 2023 16:39:03 +0800 Subject: [PATCH 06/27] add helm repo Signed-off-by: ShutingZhao --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 7064236..ec16397 100644 --- a/Makefile +++ b/Makefile @@ -30,8 +30,8 @@ $(HELM): # HELM # ######## -.PHONY: helm-add-repo # Update Kyverno chart repository - @echo Install kyverno chart... >&2 +.PHONY: helm-add-repo # Add Kyverno chart repository + @echo Add kyverno chart... >&2 @$(HELM) repo add kyverno https://kyverno.github.io/kyverno/ ######## From 83c3efd81a4d1566c91ffe8239c07cbb4e97a2be Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 24 Oct 2023 17:14:12 +0800 Subject: [PATCH 07/27] refactor Signed-off-by: ShutingZhao --- Makefile | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index ec16397..4fa9921 100644 --- a/Makefile +++ b/Makefile 
@@ -31,9 +31,15 @@ $(HELM): ######## .PHONY: helm-add-repo # Add Kyverno chart repository +helm-add-repo: $(HELM) @echo Add kyverno chart... >&2 @$(HELM) repo add kyverno https://kyverno.github.io/kyverno/ +.PHONY: helm-install-kyverno +helm-install-kyverno: helm-add-repo ## Install kyverno helm chart + @echo Install kyverno chart... >&2 + @$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait kyverno/kyverno --devel --values ./configs/kyverno/kyverno.yaml + ######## # KIND # ######## @@ -43,7 +49,5 @@ kind-create-cluster: $(KIND) ## Create kind cluster @echo Create kind cluster... >&2 @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./configs/kind/default.yaml -.PHONY: kind-install-kyverno -kind-install-kyverno: $(HELM) helm-add-repo ## Install kyverno helm chart - @echo Install kyverno chart... >&2 - @$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait kyverno/kyverno --devel --values ./configs/kyverno/kyverno.yaml \ No newline at end of file +.PHONY: kind-deploy-kyverno +kind-deploy-kyverno: helm-add-repo helm-install-kyverno ## Deploy kyverno helm chart \ No newline at end of file From 75f251831244a3288b7b128848bb4d75f8132d39 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 24 Oct 2023 17:17:20 +0800 Subject: [PATCH 08/27] update cmd Signed-off-by: ShutingZhao --- .github/actions/setup-test-env/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/setup-test-env/action.yaml b/.github/actions/setup-test-env/action.yaml index c75800e..8c74f4c 100644 --- a/.github/actions/setup-test-env/action.yaml +++ b/.github/actions/setup-test-env/action.yaml @@ -25,5 +25,5 @@ runs: - shell: bash run: | export KIND_IMAGE=kindest/node:${{ inputs.version }} - make kind-create-cluster kind-install-kyverno + make kind-create-cluster kind-deploy-kyverno - uses: ./.github/actions/kyverno-wait-ready 
From 1260c6f1657c35ac0365f6642c2850f8bb16ca7a Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 24 Oct 2023 17:24:04 +0800 Subject: [PATCH 09/27] add values.yaml Signed-off-by: ShutingZhao --- configs/kyverno/values.yaml | 40 +++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 configs/kyverno/values.yaml diff --git a/configs/kyverno/values.yaml b/configs/kyverno/values.yaml new file mode 100644 index 0000000..cd9d7a1 --- /dev/null +++ b/configs/kyverno/values.yaml @@ -0,0 +1,40 @@ +features: + admissionReports: + enabled: false + omitEvents: + eventTypes: + - PolicyViolation + - PolicyApplied + - PolicyError + - PolicySkipped + +admissionController: + + serviceMonitor: + enabled: true + + container: + image: + tag: release-1.11 + + resources: + limits: + memory: 2Gi + requests: + cpu: 1 + memory: 1Gi + +reportsController: + serviceMonitor: + enabled: true + + container: + image: + tag: release-1.11 + + resources: + limits: + memory: 10Gi + requests: + cpu: 1 + memory: 1Gi \ No newline at end of file From 5c9286bb48b452cc62579a045f0a78ffa2efea2f Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 24 Oct 2023 17:30:25 +0800 Subject: [PATCH 10/27] add values.yaml Signed-off-by: ShutingZhao --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 4fa9921..934e5ca 100644 --- a/Makefile +++ b/Makefile @@ -38,7 +38,7 @@ helm-add-repo: $(HELM) .PHONY: helm-install-kyverno helm-install-kyverno: helm-add-repo ## Install kyverno helm chart @echo Install kyverno chart... >&2 - @$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait kyverno/kyverno --devel --values ./configs/kyverno/kyverno.yaml + @$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait kyverno/kyverno --devel --values ./configs/kyverno/values.yaml ######## # KIND # From abe380afbef9bddd3dc60aa96dcef9be5aa0fe37 Mon Sep 17 00:00:00 2001 
From: ShutingZhao Date: Tue, 24 Oct 2023 18:37:54 +0800 Subject: [PATCH 11/27] update workflow cmd Signed-off-by: ShutingZhao --- .github/workflows/load-test.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml index 6bb2f02..f102786 100644 --- a/.github/workflows/load-test.yaml +++ b/.github/workflows/load-test.yaml @@ -24,6 +24,10 @@ jobs: - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Run local k6 test - uses: grafana/k6-action@v0.3.0 - with: - filename: k6/tests/kyverno-pss.js 10 100 \ No newline at end of file + shell: bash + run: | + cd k6 + ./start.sh tests/kyverno-pss.js 10 1000 + # uses: grafana/k6-action@v0.3.0 + # with: + # filename: k6/tests/kyverno-pss.js 10 100 \ No newline at end of file From cb4ed6ca7556052fb74cafd70118e63dfb9f9d4d Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Tue, 24 Oct 2023 18:46:17 +0800 Subject: [PATCH 12/27] addcat output Signed-off-by: ShutingZhao --- .github/workflows/load-test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml index f102786..183e67e 100644 --- a/.github/workflows/load-test.yaml +++ b/.github/workflows/load-test.yaml @@ -28,6 +28,7 @@ jobs: run: | cd k6 ./start.sh tests/kyverno-pss.js 10 1000 + cat kyverno-pss.js-10vu-1000it-logs.txt # uses: grafana/k6-action@v0.3.0 # with: # filename: k6/tests/kyverno-pss.js 10 100 \ No newline at end of file From 1cc0db2b41be1516d4e082a3273cd8105f7c498b Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Wed, 25 Oct 2023 17:15:10 +0800 Subject: [PATCH 13/27] add tests/kyverno-pss.js Signed-off-by: ShutingZhao --- k6/tests/kyverno-pss.js | 1 + 1 file changed, 1 insertion(+) diff --git a/k6/tests/kyverno-pss.js b/k6/tests/kyverno-pss.js index 8911dc2..73fb994 100644 --- a/k6/tests/kyverno-pss.js +++ b/k6/tests/kyverno-pss.js 
@@ -21,6 +21,7 @@ export const options = { thresholds: { http_req_failed: ['rate<0.01'], // http errors should be less than 1% http_req_duration: ['p(95)<200'], // 95% of requests should be below 200ms + abortOnFail: true, }, }; From 6a33d5f076edb534fc46860b0517bd5aca299cc3 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Wed, 25 Oct 2023 17:36:38 +0800 Subject: [PATCH 14/27] update failure threshold Signed-off-by: ShutingZhao --- k6/tests/kyverno-pss.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/k6/tests/kyverno-pss.js b/k6/tests/kyverno-pss.js index 73fb994..ed6663d 100644 --- a/k6/tests/kyverno-pss.js +++ b/k6/tests/kyverno-pss.js @@ -20,8 +20,7 @@ const namespace = getTestNamespace(); export const options = { thresholds: { http_req_failed: ['rate<0.01'], // http errors should be less than 1% - http_req_duration: ['p(95)<200'], // 95% of requests should be below 200ms - abortOnFail: true, + http_req_duration: [{ threshold: 'p(95)<200' , abortOnFail: true} ], // 95% of requests should be below 200ms }, }; From a28a913e5f7247f2d6dfb288e10ce46045226de4 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Wed, 25 Oct 2023 19:03:35 +0800 Subject: [PATCH 15/27] fail on error Signed-off-by: ShutingZhao --- .github/workflows/load-test.yaml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml index 183e67e..a6af336 100644 --- a/.github/workflows/load-test.yaml +++ b/.github/workflows/load-test.yaml 
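Review bot: With `abortOnFail: true` and no `delayAbortEval` on the `http_req_duration` threshold, k6 can abort the run as soon as an early evaluation sees a handful of slow requests, for example while the admission webhook is still warming up. Give the threshold a settling period, e.g. `{ threshold: 'p(95)<200', abortOnFail: true, delayAbortEval: '10s' }`, where the delay value is illustrative and should be tuned. The trailing comment would also be more useful if it said that crossing the limit stops the test immediately.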
@@ -27,7 +27,26 @@ jobs: shell: bash run: | cd k6 - ./start.sh tests/kyverno-pss.js 10 1000 + export VUS=10 + export ITERATIONS=1000 + export SCRIPT=kyverno-pss.js + ./start.sh tests/$SCRIPT $VUS $ITERATIONS + + grep "level=error" "$SCRIPT-$VUSvu-$ITERATIONSit-logs.txt" + # Store the exit code of the grep command + exit_code=$? + + # Check if the exit code is 0 (match found) or 1 (no match found) + if [ $exit_code -eq 0 ]; then + echo "Error found in the file." + exit 1 + elif [ $exit_code -eq 1 ]; then + echo "No error found in the file." + exit 0 + else + echo "An error occurred while searching the file." + exit 1 + fi cat kyverno-pss.js-10vu-1000it-logs.txt # uses: grafana/k6-action@v0.3.0 # with: From 1d2d75ad156357edf3b111e5905ecf9a64a5f1fa Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Wed, 25 Oct 2023 19:20:45 +0800 Subject: [PATCH 16/27] fix typo Signed-off-by: ShutingZhao --- .github/workflows/load-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml index a6af336..634a056 100644 --- a/.github/workflows/load-test.yaml +++ b/.github/workflows/load-test.yaml @@ -32,7 +32,7 @@ jobs: export SCRIPT=kyverno-pss.js ./start.sh tests/$SCRIPT $VUS $ITERATIONS - grep "level=error" "$SCRIPT-$VUSvu-$ITERATIONSit-logs.txt" + grep "level=error" "$SCRIPT-${VUS}vu-${ITERATIONS}it-logs.txt" # Store the exit code of the grep command exit_code=$? From 5174113eafae8e54ea8ce09db08e0a3606f5c75b Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Wed, 25 Oct 2023 19:45:45 +0800 Subject: [PATCH 17/27] remove unused files 
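Review bot: This step declares `shell: bash`, which GitHub Actions runs with `-eo pipefail`, so when `grep "level=error"` finds nothing and returns 1 the step fails on that line and the `exit_code=$?` handling never runs; a clean log therefore fails the job just like a log with errors. Test the command directly instead: `if grep -q "level=error" "$LOG"; then echo "Error found in the file."; exit 1; fi`, with `LOG` assigned the log path once. The trailing `cat kyverno-pss.js-10vu-1000it-logs.txt` is also unreachable because every branch above it exits; move it before the check if the log is meant to appear in the job output.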
Signed-off-by: ShutingZhao --- configs/kind/tracing.yaml | 56 ---------------------------------- configs/kind/vap-v1alpha1.yaml | 40 ------------------------ configs/kind/vap-v1beta1.yaml | 41 ------------------------- 3 files changed, 137 deletions(-) delete mode 100644 configs/kind/tracing.yaml delete mode 100644 configs/kind/vap-v1alpha1.yaml delete mode 100644 configs/kind/vap-v1beta1.yaml diff --git a/configs/kind/tracing.yaml b/configs/kind/tracing.yaml deleted file mode 100644 index 598a1af..0000000 --- a/configs/kind/tracing.yaml +++ /dev/null @@ -1,56 +0,0 @@ -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -kubeadmConfigPatches: - - |- - kind: ClusterConfiguration - apiServer: - extraVolumes: - - name: tracing-configuration - hostPath: /opt/kube-apiserver/tracing-configuration.yaml - mountPath: /opt/kube-apiserver/tracing-configuration.yaml - readOnly: true - pathType: File - extraArgs: - tracing-config-file: /opt/kube-apiserver/tracing-configuration.yaml - controllerManager: - extraArgs: - bind-address: 0.0.0.0 - etcd: - local: - extraArgs: - listen-metrics-urls: http://0.0.0.0:2382 - scheduler: - extraArgs: - bind-address: 0.0.0.0 - - |- - kind: KubeProxyConfiguration - metricsBindAddress: 0.0.0.0 - - |- - kind: KubeletConfiguration - featureGates: - KubeletTracing: true - tracing: - endpoint: localhost:4317 - samplingRatePerMillion: 1000000 -nodes: - - role: control-plane - kubeadmConfigPatches: - - |- - kind: InitConfiguration - nodeRegistration: - kubeletExtraArgs: - node-labels: "ingress-ready=true" - extraMounts: - - hostPath: ./scripts/config/kube-apiserver/tracing-configuration.yaml - containerPath: /opt/kube-apiserver/tracing-configuration.yaml - readOnly: true - extraPortMappings: - - containerPort: 80 - hostPort: 80 - protocol: TCP - - containerPort: 443 - hostPort: 443 - protocol: TCP - - role: worker - - role: worker - - role: worker 
diff --git a/configs/kind/vap-v1alpha1.yaml b/configs/kind/vap-v1alpha1.yaml deleted file mode 100644 index b6d1c2a..0000000 --- a/configs/kind/vap-v1alpha1.yaml +++ /dev/null @@ -1,40 +0,0 @@ -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -featureGates: - ValidatingAdmissionPolicy: true -runtimeConfig: - admissionregistration.k8s.io/v1alpha1: true -kubeadmConfigPatches: - - |- - kind: ClusterConfiguration - controllerManager: - extraArgs: - bind-address: 0.0.0.0 - etcd: - local: - extraArgs: - listen-metrics-urls: http://0.0.0.0:2382 - scheduler: - extraArgs: - bind-address: 0.0.0.0 - - |- - kind: KubeProxyConfiguration - metricsBindAddress: 0.0.0.0 -nodes: - - role: control-plane - kubeadmConfigPatches: - - |- - kind: InitConfiguration - nodeRegistration: - kubeletExtraArgs: - node-labels: "ingress-ready=true" - extraPortMappings: - - containerPort: 80 - hostPort: 80 - protocol: TCP - - containerPort: 443 - hostPort: 443 - protocol: TCP - - role: worker - - role: worker - - role: worker diff --git a/configs/kind/vap-v1beta1.yaml b/configs/kind/vap-v1beta1.yaml deleted file mode 100644 index 8b9b433..0000000 --- a/configs/kind/vap-v1beta1.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -featureGates: - ValidatingAdmissionPolicy: true -runtimeConfig: - admissionregistration.k8s.io/v1beta1: true - admissionregistration.k8s.io/v1alpha1: true -kubeadmConfigPatches: - - |- - kind: ClusterConfiguration - controllerManager: - extraArgs: - bind-address: 0.0.0.0 - etcd: - local: - extraArgs: - listen-metrics-urls: http://0.0.0.0:2382 - scheduler: - extraArgs: - bind-address: 0.0.0.0 - - |- - kind: KubeProxyConfiguration - metricsBindAddress: 0.0.0.0 -nodes: - - role: control-plane - kubeadmConfigPatches: - - |- - kind: InitConfiguration - nodeRegistration: - kubeletExtraArgs: - node-labels: "ingress-ready=true" - extraPortMappings: - - containerPort: 80 - hostPort: 80 - protocol: TCP - - containerPort: 443 - hostPort: 443 - protocol: TCP - - role: worker - - role: worker - - role: worker From 334dfeafb324d6a4d559449222699ffcf16dfb26 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Fri, 27 Oct 2023 18:26:34 +0800 Subject: [PATCH 18/27] update makefile Signed-off-by: ShutingZhao --- .github/workflows/load-test.yaml | 49 ++++++++++++++++++-------------- Makefile | 19 ++++++++++++- 2 files changed, 46 insertions(+), 22 deletions(-) diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml index 634a056..eca1194 100644 --- a/.github/workflows/load-test.yaml +++ b/.github/workflows/load-test.yaml @@ -15,6 +15,21 @@ concurrency: jobs: run-load-test: runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + vus: + - name: vu + values: + - 1000 + iterations: + - name: iteration + values: + - 1000 + scripts: + - name: script + values: + - kyverno-pss.js steps: - name: Checkout uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 
@@ -26,28 +41,20 @@ jobs: - name: Run local k6 test shell: bash run: | - cd k6 - export VUS=10 - export ITERATIONS=1000 - export SCRIPT=kyverno-pss.js - ./start.sh tests/$SCRIPT $VUS $ITERATIONS - - grep "level=error" "$SCRIPT-${VUS}vu-${ITERATIONS}it-logs.txt" - # Store the exit code of the grep command - exit_code=$? + export VUS=${{ join(matrix.vus.values, ',') }} + export ITERATIONS=${{ join(matrix.iterations.values, ',') }} + export SCRIPT=${{ join(matrix.scripts.values, ',') }} + make kyverno-pss-block + cat ${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt + - name: Check errors: + shell: bash + run: | + make check-error + # - name: Debug + # if: failure() + # run: | + # cat kyverno-pss.js-10vu-1000it-logs.txt - # Check if the exit code is 0 (match found) or 1 (no match found) - if [ $exit_code -eq 0 ]; then - echo "Error found in the file." - exit 1 - elif [ $exit_code -eq 1 ]; then - echo "No error found in the file." - exit 0 - else - echo "An error occurred while searching the file." - exit 1 - fi - cat kyverno-pss.js-10vu-1000it-logs.txt # uses: grafana/k6-action@v0.3.0 # with: # filename: k6/tests/kyverno-pss.js 10 100 \ No newline at end of file diff --git a/Makefile b/Makefile index 934e5ca..49c11ba 100644 --- a/Makefile +++ b/Makefile 
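Review bot: `- name: Check errors:` ends in a colon, which a YAML parser will most likely read as the start of a nested mapping and reject, so the workflow may not load at all; write `- name: Check errors` or quote the value. The `cat ${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt` line now runs from the repository root, whereas the previous version ran it after `cd k6`. If `start.sh` (not shown here) writes the log relative to its working directory, this path and the one used by `make check-error` need a `k6/` prefix, otherwise the check reads a file that does not exist.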
@@ -50,4 +50,21 @@ kind-create-cluster: $(KIND) ## Create kind cluster @$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./configs/kind/default.yaml .PHONY: kind-deploy-kyverno -kind-deploy-kyverno: helm-add-repo helm-install-kyverno ## Deploy kyverno helm chart \ No newline at end of file +kind-deploy-kyverno: helm-add-repo helm-install-kyverno ## Deploy kyverno helm chart + +###### +# K6 # +###### + +VUS ?= 10 +ITERATIONS ?= 1000 +SCRIPT ?= "kyverno-pss.js" + +.PHONY: kyverno-pss-block +kyverno-pss-block: + cd k6 \ + ./start.sh ./tests/${SCRIPT} ${VUS} ${ITERATIONS} + +.PHONY: check-error +check-error: + @grep -q "level=error" "${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt" || (echo "Error found in the file."; exit 1) \ No newline at end of file From 47c90b943c4a45324a08feb56075ccbea65ab189 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Fri, 27 Oct 2023 18:32:25 +0800 Subject: [PATCH 19/27] fix typo Signed-off-by: ShutingZhao --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 49c11ba..4ae0ad0 100644 --- a/Makefile +++ b/Makefile @@ -62,7 +62,7 @@ SCRIPT ?= "kyverno-pss.js" .PHONY: kyverno-pss-block kyverno-pss-block: - cd k6 \ + cd k6 && \ ./start.sh ./tests/${SCRIPT} ${VUS} ${ITERATIONS} .PHONY: check-error From 6ca54fda5d48431a2b9eb5a7eb271509784a917d Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Fri, 27 Oct 2023 18:34:18 +0800 Subject: [PATCH 20/27] fix indent Signed-off-by: ShutingZhao --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 4ae0ad0..0f747cf 100644 --- a/Makefile +++ b/Makefile 
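Review bot: The `check-error` recipe is inverted: `grep -q ... || (echo "Error found in the file."; exit 1)` takes the failure branch when grep finds no `level=error` line (or cannot open the file) and succeeds when error lines are present, so a run that logged errors passes the gate. Use `@if grep -q "level=error" "${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt"; then echo "Error found in the file."; exit 1; fi`, and fail explicitly when the log file is missing so an absent log is not read as a clean run. The later re-indent of this line in PATCH 20 keeps the same logic.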
@@ -67,4 +67,4 @@ kyverno-pss-block: .PHONY: check-error check-error: - @grep -q "level=error" "${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt" || (echo "Error found in the file."; exit 1) \ No newline at end of file + @grep -q "level=error" "${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt" || (echo "Error found in the file."; exit 1) \ No newline at end of file From 8038764c555c1f9c31d7cff5276647161e99ca5c Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Fri, 27 Oct 2023 18:37:26 +0800 Subject: [PATCH 21/27] fix format Signed-off-by: ShutingZhao --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 0f747cf..fb5d41e 100644 --- a/Makefile +++ b/Makefile @@ -58,7 +58,7 @@ kind-deploy-kyverno: helm-add-repo helm-install-kyverno ## Deploy kyverno helm c VUS ?= 10 ITERATIONS ?= 1000 -SCRIPT ?= "kyverno-pss.js" +SCRIPT ?= kyverno-pss.js .PHONY: kyverno-pss-block kyverno-pss-block: From 0f4860d76ebfac479cb13b5d983fd5b167ba5b11 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Fri, 27 Oct 2023 18:51:05 +0800 Subject: [PATCH 22/27] fix excluded namespace Signed-off-by: ShutingZhao --- k6/pss-values.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/k6/pss-values.yml b/k6/pss-values.yml index 295e02e..0176880 100644 --- a/k6/pss-values.yml +++ b/k6/pss-values.yml 
@@ -5,101 +5,101 @@ policyExclude: any: - resources: namespaces: - - load-tests + - load-test name: load-test* adding-capabilities-strict: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-host-namespaces: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-host-path: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-host-ports: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-host-process: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-privilege-escalation: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-privileged-containers: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-proc-mount: any: - resources: namespaces: - - load-tests + - load-test name: load-test* disallow-selinux: any: - resources: namespaces: - - load-tests + - load-test name: load-test* require-run-as-non-root-user: any: - resources: namespaces: - - load-tests + - load-test name: load-test* require-run-as-nonroot: any: - resources: namespaces: - - load-tests + - load-test name: load-test* restrict-apparmor-profiles: any: - resources: namespaces: - - load-tests + - load-test name: load-test* restrict-seccomp: any: - resources: namespaces: - - load-tests + - load-test name: load-test* restrict-seccomp-strict: any: - resources: namespaces: - - load-tests + - load-test name: load-test* restrict-sysctls: any: - resources: namespaces: - - load-tests + - load-test name: load-test* restrict-volume-types: any: - resources: namespaces: - - load-tests + - load-test name: load-test* \ No newline at end of file From 4acee8b9b8f5a875214589da243d1e69721bd57a Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Fri, 27 Oct 2023 18:53:39 +0800 Subject: [PATCH 23/27] bump k6 Signed-off-by: ShutingZhao --- k6/job.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
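Review bot: The `policyExclude` map in k6/pss-values.yml has no comment saying why resources named `load-test*` in namespace `load-test` are exempt from every policy listed, and the namespace literal is repeated once per policy, so a misspelling like the `load-tests` value fixed here has to be corrected in every entry. I would add a comment above `policyExclude:` such as `# Exempts the load-test runner (name load-test*, namespace load-test) from all PSS policies; must match the namespace the k6 job is deployed to.` That the exempted resource is the k6 job is inferred from k6/job.yaml on this page, so confirm it before wording the comment that way. The start of the `policyExclude` map is above the hunk.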
diff --git a/k6/job.yaml b/k6/job.yaml index 23741b5..11c01aa 100644 --- a/k6/job.yaml +++ b/k6/job.yaml @@ -7,12 +7,11 @@ spec: spec: serviceAccountName: load-test containers: - - image: grafana/k6:0.45.0 + - image: grafana/k6:0.47.0 resources: {} name: k6 securityContext: allowPrivilegeEscalation: false - runAsNonRoot: true seccompProfile: type: RuntimeDefault capabilities: From b10511f6e8fa2134ed9ba5d29b3e485fb9f5bdb8 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Fri, 27 Oct 2023 19:01:33 +0800 Subject: [PATCH 24/27] typo Signed-off-by: ShutingZhao --- .github/workflows/load-test.yaml | 2 +- Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml index eca1194..755b22a 100644 --- a/.github/workflows/load-test.yaml +++ b/.github/workflows/load-test.yaml @@ -46,7 +46,7 @@ jobs: export SCRIPT=${{ join(matrix.scripts.values, ',') }} make kyverno-pss-block cat ${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt - - name: Check errors: + - name: Check errors shell: bash run: | make check-error diff --git a/Makefile b/Makefile index fb5d41e..72c11fd 100644 --- a/Makefile +++ b/Makefile @@ -67,4 +67,4 @@ kyverno-pss-block: .PHONY: check-error check-error: - @grep -q "level=error" "${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt" || (echo "Error found in the file."; exit 1) \ No newline at end of file + @grep -q "level=error" "${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt" || (echo "Unexpected behavior during load testing, please check results."; exit 1) \ No newline at end of file From e16d558cd9f767ce6c69dd02bfc02ce5b9a1c835 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Fri, 27 Oct 2023 19:16:11 +0800 Subject: [PATCH 25/27] fix paths Signed-off-by: ShutingZhao --- .github/workflows/load-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml index eca1194..1cd3e8d 100644 
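Review bot: The k6/job.yaml hunk drops `runAsNonRoot: true` from the container's `securityContext` under a commit titled "bump k6", with nothing recording why. If the 0.47.0 image failed the kubelet's non-root check (for instance because its user is not a numeric UID, which is not visible here), the guarantee can be kept by pinning the UID instead: `runAsNonRoot: true` plus `runAsUser: <k6-image-uid>`. The `policyExclude` entries in k6/pss-values.yml on this page appear to exempt `load-test*` resources from `require-run-as-nonroot`, so no policy would flag this pod if it ran as root. The container spec continues below the hunk.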
--- a/.github/workflows/load-test.yaml +++ b/.github/workflows/load-test.yaml @@ -45,7 +45,7 @@ jobs: export ITERATIONS=${{ join(matrix.iterations.values, ',') }} export SCRIPT=${{ join(matrix.scripts.values, ',') }} make kyverno-pss-block - cat ${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt + cat k6/${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt - name: Check errors: shell: bash run: | From 813d7401ef98654067c095c590cb15b265dc995d Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Fri, 27 Oct 2023 19:18:42 +0800 Subject: [PATCH 26/27] fix path Signed-off-by: ShutingZhao --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 72c11fd..23be07c 100644 --- a/Makefile +++ b/Makefile @@ -67,4 +67,4 @@ kyverno-pss-block: .PHONY: check-error check-error: - @grep -q "level=error" "${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt" || (echo "Unexpected behavior during load testing, please check results."; exit 1) \ No newline at end of file + @grep -q "level=error" "k6/${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt" || (echo "Unexpected behavior during load testing, please check results."; exit 1) \ No newline at end of file From 742094db2e3ff563332c3e1b03bc1bdc04829e62 Mon Sep 17 00:00:00 2001 From: ShutingZhao Date: Fri, 27 Oct 2023 19:19:32 +0800 Subject: [PATCH 27/27] fix typo Signed-off-by: ShutingZhao --- .github/workflows/load-test.yaml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml index 1cd3e8d..337cef4 100644 --- a/.github/workflows/load-test.yaml +++ b/.github/workflows/load-test.yaml 
@@ -46,15 +46,7 @@ jobs: export SCRIPT=${{ join(matrix.scripts.values, ',') }} make kyverno-pss-block cat k6/${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt - - name: Check errors: + - name: Check errors shell: bash run: | make check-error - # - name: Debug - # if: failure() - # run: | - # cat kyverno-pss.js-10vu-1000it-logs.txt - - # uses: grafana/k6-action@v0.3.0 - # with: - # filename: k6/tests/kyverno-pss.js 10 100 \ No newline at end of file