gha: get ready to install genpolicy #8857

Merged
merged 1 commit into from Jan 22, 2024

danmihai1
Contributor

The changes to install and test genpolicy must come later, after CI picks up these gha changes.

Fixes: #8856

@danmihai1
Contributor Author

/test

@wainersm
Contributor

Hi @danmihai1 !

Allow me to check if I understood. Although kata-deploy installs the genpolicy tool on the cluster, for testing's sake the binary is needed on the runner machine. So it gets the same tarball used to create the kata-deploy payload image, then extracts it on the runner machine.

One side question: would it make sense for the user to run genpolicy as a pod on the cluster? Likely not, because as a user I wouldn't trust (in confidential terms) any binaries outside of the TCB. Anyway, I'd like to start that brainstorm.

@danmihai1
Contributor Author

danmihai1 commented Jan 19, 2024

> Hi @danmihai1 !
>
> Allow me to check if I understood. Although kata-deploy installs the genpolicy tool on the cluster, for testing's sake the binary is needed on the runner machine. So it gets the same tarball used to create the kata-deploy payload image, then extracts it on the runner machine.
>
> One side question: would it make sense for the user to run genpolicy as a pod on the cluster? Likely not, because as a user I wouldn't trust (in confidential terms) any binaries outside of the TCB. Anyway, I'd like to start that brainstorm.

Indeed, a customer would run genpolicy even before they created a cluster - and you described all the reasons why correctly.

@fidencio
Member

@danmihai1, right now I see why we can have it as you proposed. However, in the future, I'd like us to create a second tarball that can be downloaded without getting the whole kata-containers bundle.

Would it be possible to create an issue for this?

Member

@fidencio fidencio left a comment

I've left one comment in the code, which will make our lives slightly easier in the future.

tests/integration/kubernetes/gha-run.sh (outdated)
tests/integration/kubernetes/gha-run.sh (outdated)
.github/workflows/run-k8s-tests-on-aks.yaml (outdated)

@danmihai1
Contributor Author

> @danmihai1, right now I see why we can have it as you proposed. However, in the future, I'd like us to create a second tarball that can be downloaded without getting the whole kata-containers bundle.
>
> Would it be possible to create an issue for this?

Done: #8864

The changes to install and test genpolicy must come later, after CI
picks up these gha changes.

Fixes: kata-containers#8856

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
@danmihai1
Contributor Author

/test

Contributor

@wainersm wainersm left a comment

With @fidencio 's suggestions it looks better now. Thanks @danmihai1 !

@danmihai1 danmihai1 merged commit 3d2ec5c into kata-containers:main Jan 22, 2024
281 of 290 checks passed
@danmihai1 danmihai1 deleted the danmihai1/k8s-gha branch April 26, 2024 22:02
Labels
ok-to-test size/small Small and simple task
Development

Successfully merging this pull request may close these issues.

gha: get ready to install genpolicy before running the kubernetes integration tests
5 participants