kyverno · realshuting · Oct 12, 2023 · Oct 17, 2023 · Oct 17, 2023 · Oct 17, 2023
diff --git a/.github/actions/kyverno-wait-ready/action.yaml b/.github/actions/kyverno-wait-ready/action.yaml
@@ -0,0 +1,10 @@
+name: Kyverno pods ready
+
+description: Wait kyverno pods are ready
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      run: |
+        kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
diff --git a/.github/actions/setup-test-env/action.yaml b/.github/actions/setup-test-env/action.yaml
@@ -0,0 +1,29 @@
+name: Setup test env
+
+description: Create kind cluster, deploy kyverno, and wait pods are ready.
+
+inputs:
+  version:
+    description: kubernetes version
+    default: v1.27.3
+  free-disk-space:
+    description: free disk space
+    default: 'false'
+
+runs:
+  using: composite
+  steps:
+    - uses: jlumbroso/free-disk-space@76866dbe54312617f00798d1762df7f43def6e5c # v1.2.0
+      if: ${{ inputs.free-disk-space == 'true' }}
+      with:
+        tool-cache: true
+        android: true
+        dotnet: true
+        haskell: true
+        large-packages: false
+        swap-storage: false
+    - shell: bash
+      run: |
+        export KIND_IMAGE=kindest/node:${{ inputs.version }}
+        make kind-create-cluster kind-deploy-kyverno
+    - uses: ./.github/actions/kyverno-wait-ready
diff --git a/.github/workflows/load-test.yaml b/.github/workflows/load-test.yaml
@@ -0,0 +1,52 @@
+name: load-test
+
+permissions: {}
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+      - 'add_threshold'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  run-load-test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        vus:
+          - name: vu
+            values:
+              - 1000
+        iterations:
+          - name: iteration
+            values:
+              - 1000
+        scripts:
+          - name: script
+            values:
+              - kyverno-pss.js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Setup build env
+        uses: ./.github/actions/setup-test-env
+        timeout-minutes: 10
+      - name: Wait for kyverno ready
+        uses: ./.github/actions/kyverno-wait-ready
+      - name: Run local k6 test
+        shell: bash
+        run: |
+          export VUS=${{ join(matrix.vus.values, ',') }}
+          export ITERATIONS=${{ join(matrix.iterations.values, ',') }}
+          export SCRIPT=${{ join(matrix.scripts.values, ',') }}
+          make kyverno-pss-block
+          cat k6/${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt
+      - name: Check errors
+        shell: bash
+        run: |
+          make check-error
diff --git a/Makefile b/Makefile
@@ -0,0 +1,70 @@
+############
+# DEFAULTS #
+############
+
+KIND_IMAGE           ?= kindest/node:v1.27.3
+KIND_NAME            ?= kind
+KIND_CONFIG          ?= default
+
+#########
+# TOOLS #
+#########
+
+TOOLS_DIR                          := $(PWD)/.tools
+KIND                               := $(TOOLS_DIR)/kind
+KIND_VERSION                       := v0.20.0
+HELM                               := $(TOOLS_DIR)/helm
+HELM_VERSION                       := v3.12.3
+HELM_DOCS                          := $(TOOLS_DIR)/helm-docs
+HELM_DOCS_VERSION                  := v1.11.0
+
+$(KIND):
+	@echo Install kind... >&2
+	@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kind@$(KIND_VERSION)
+
+$(HELM):
+	@echo Install helm... >&2
+	@GOBIN=$(TOOLS_DIR) go install helm.sh/helm/v3/cmd/helm@$(HELM_VERSION)
+
+########
+# HELM #
+########
+
+.PHONY: helm-add-repo # Add Kyverno chart repository
+helm-add-repo: $(HELM)
+	@echo Add kyverno chart... >&2
+	@$(HELM) repo add kyverno https://kyverno.github.io/kyverno/
+
+.PHONY: helm-install-kyverno
+helm-install-kyverno: helm-add-repo ## Install kyverno helm chart
+	@echo Install kyverno chart... >&2
+	@$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait kyverno/kyverno --devel --values ./configs/kyverno/values.yaml
+
+########
+# KIND #
+########
+
+.PHONY: kind-create-cluster
+kind-create-cluster: $(KIND) ## Create kind cluster
+	@echo Create kind cluster... >&2
+	@$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./configs/kind/default.yaml
+
+.PHONY: kind-deploy-kyverno
+kind-deploy-kyverno: helm-add-repo helm-install-kyverno ## Deploy kyverno helm chart
+
+######
+# K6 #
+######
+
+VUS          ?= 10 
+ITERATIONS   ?= 1000
+SCRIPT       ?= kyverno-pss.js
+
+.PHONY: kyverno-pss-block
+kyverno-pss-block:
+	cd k6 && \
+	./start.sh ./tests/${SCRIPT} ${VUS} ${ITERATIONS}
+
+.PHONY: check-error
+check-error:
+	@grep -q "level=error" "k6/${SCRIPT}-${VUS}vu-${ITERATIONS}it-logs.txt" || (echo "Unexpected behavior during load testing, please check results."; exit 1)
diff --git a/configs/kind/default.yaml b/configs/kind/default.yaml
@@ -0,0 +1,36 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+kubeadmConfigPatches:
+  - |-
+    kind: ClusterConfiguration
+    controllerManager:
+      extraArgs:
+        bind-address: 0.0.0.0
+    etcd:
+      local:
+        extraArgs:
+          listen-metrics-urls: http://0.0.0.0:2382
+    scheduler:
+      extraArgs:
+        bind-address: 0.0.0.0
+  - |-
+    kind: KubeProxyConfiguration
+    metricsBindAddress: 0.0.0.0
+nodes:
+  - role: control-plane
+    kubeadmConfigPatches:
+      - |-
+        kind: InitConfiguration
+        nodeRegistration:
+          kubeletExtraArgs:
+            node-labels: "ingress-ready=true"
+    extraPortMappings:
+      - containerPort: 80
+        hostPort: 80
+        protocol: TCP
+      - containerPort: 443
+        hostPort: 443
+        protocol: TCP
+  - role: worker
+  - role: worker
+  - role: worker
diff --git a/configs/kyverno/values.yaml b/configs/kyverno/values.yaml
@@ -0,0 +1,40 @@
+features:
+  admissionReports:
+    enabled: false
+  omitEvents:
+    eventTypes:
+    - PolicyViolation
+    - PolicyApplied
+    - PolicyError
+    - PolicySkipped
+
+admissionController:
+
+  serviceMonitor:
+    enabled: true
+
+  container:
+    image:
+      tag: release-1.11
+
+    resources:
+      limits:
+        memory: 2Gi
+      requests:
+        cpu: 1
+        memory: 1Gi
+
+reportsController:
+  serviceMonitor:
+    enabled: true
+
+  container:
+    image:
+      tag: release-1.11
+
+    resources:
+      limits:
+        memory: 10Gi
+      requests:
+        cpu: 1
+        memory: 1Gi
diff --git a/k6/job.yaml b/k6/job.yaml
@@ -7,12 +7,11 @@ spec:
     spec:
       serviceAccountName: load-test
       containers:
-        - image: grafana/k6:0.45.0
+        - image: grafana/k6:0.47.0
           resources: {}
           name: k6
           securityContext:
             allowPrivilegeEscalation: false
-            runAsNonRoot: true
             seccompProfile:
               type: RuntimeDefault
             capabilities:

diff --git a/k6/pss-values.yml b/k6/pss-values.yml
@@ -5,101 +5,101 @@ policyExclude:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   adding-capabilities-strict:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   disallow-host-namespaces:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   disallow-host-path:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   disallow-host-ports:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   disallow-host-process:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   disallow-privilege-escalation:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   disallow-privileged-containers:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   disallow-proc-mount:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   disallow-selinux:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   require-run-as-non-root-user:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   require-run-as-nonroot:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   restrict-apparmor-profiles:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   restrict-seccomp:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   restrict-seccomp-strict:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   restrict-sysctls:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*
   restrict-volume-types:
     any:
     - resources:
         namespaces:
-        - load-tests
+        - load-test
         name: load-test*