Add permissions for Azure CIS 9.1 rule #4282
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: K8s-CI | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| - "[0-9]+.[0-9]+" | |
| types: [ opened, synchronize, reopened ] | |
| push: | |
| branches: | |
| - main | |
| - "[0-9]+.[0-9]+" | |
| env: | |
| CONTAINER_SUFFIX: ${{ github.run_id }} | |
| CI_ELASTIC_AGENT_DOCKER_TAG: "8.13.0-SNAPSHOT" | |
| CI_ELASTIC_AGENT_DOCKER_IMAGE: "704479110758.dkr.ecr.eu-west-2.amazonaws.com/elastic-agent" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| Build: | |
| name: Build | |
| runs-on: ubuntu-20.04 | |
| timeout-minutes: 40 | |
| steps: | |
| # Disk cleanup | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| tool-cache: false | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| large-packages: false | |
| docker-images: true | |
| swap-storage: true | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Setup GO (with caching) | |
| uses: magnetikonline/action-golang-cache@v5 | |
| with: | |
| go-version-file: .go-version | |
| - name: build cloudbeat binary | |
| uses: magefile/mage-action@v3 | |
| with: | |
| version: latest | |
| args: build | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Cache Build dependencies | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ github.workflow }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| - name: Build cloudbeat-docker | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./deploy/Dockerfile | |
| push: false | |
| tags: cloudbeat:latest | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache-new | |
| outputs: type=docker,dest=/tmp/cloudbeat-${{ env.CONTAINER_SUFFIX }}.tar | |
| - name: Build elastic-agent | |
| env: | |
| BASE_IMAGE: docker.elastic.co/beats/elastic-agent:${{ env.CI_ELASTIC_AGENT_DOCKER_TAG }} | |
| GOOS: linux | |
| GOARCH: amd64 | |
| run: ./scripts/packaging/docker/elastic-agent/build.sh -t ${{ env.CI_ELASTIC_AGENT_DOCKER_IMAGE }}:${{ env.CI_ELASTIC_AGENT_DOCKER_TAG }} | |
| shell: bash | |
| - name: Build pytest-docker | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ./tests/. | |
| push: false | |
| tags: cloudbeat-test:latest | |
| cache-from: type=local,mode=max,src=/tmp/.buildx-cache | |
| cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new | |
| outputs: type=docker,dest=/tmp/pytest-${{ env.CONTAINER_SUFFIX }}.tar | |
| - name: Cache docker images | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/*.tar | |
| key: ${{ runner.os }}-dockers-cache-${{ env.CONTAINER_SUFFIX }} | |
| - name: Move cache | |
| run: | | |
| ./.ci/scripts/gh-cache.sh | |
| shell: bash | |
| k8s_functional_tests: | |
| # Run only selected tests on PRs | |
| if: github.event_name == 'pull_request' | |
| name: ${{ matrix.test-target }}-${{ matrix.kind-config }} | |
| needs: [ Build ] | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 55 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - test-target: pre_merge | |
| range: "" | |
| kind-config: kind-multi | |
| - test-target: pre_merge_agent | |
| range: '' | |
| values_file: tests/test_environments/values/ci-sa-agent.yml | |
| kind-config: kind-multi | |
| - test-target: k8s_file_system_rules | |
| range: '' | |
| values_file: tests/test_environments/values/ci-test-k8s-files.yml | |
| kind-config: kind-test-files | |
| - test-target: k8s_object_psp_rules | |
| range: '' | |
| values_file: tests/test_environments/values/ci-test-k8s-objects.yml | |
| kind-config: kind-multi | |
| - test-target: k8s_process_rules | |
| range: '' | |
| values_file: tests/test_environments/values/ci-test-k8s-proc-conf1.yml | |
| kind-config: kind-test-proc-conf1 | |
| - test-target: k8s_process_rules | |
| range: '' | |
| values_file: tests/test_environments/values/ci-test-k8s-proc-conf2.yml | |
| kind-config: kind-test-proc-conf2 | |
| steps: | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| tool-cache: false | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| large-packages: false | |
| docker-images: true | |
| swap-storage: true | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Init Hermit | |
| run: ./bin/hermit env -r >> $GITHUB_ENV | |
| - name: Prepare Kind Cluster for Process Tests | |
| if: contains(matrix.kind-config, 'conf2') | |
| run: | | |
| # Workaround: Direct creation of a Kind cluster for config2 fails to start control-plane (kubelet fails) | |
| # Creating and deleting a kind-mono cluster as a preparation for configuring Kind for process tests | |
| just create-kind-cluster kind-mono | |
| just delete-kind-cluster kind-mono | |
| - name: Create k8s Kind Cluster | |
| run: | | |
| just create-kind-cluster ${{ matrix.kind-config }} | |
| - name: Cache docker images | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/*.tar | |
| key: ${{ runner.os }}-dockers-cache-${{ env.CONTAINER_SUFFIX }} | |
| - name: Load images to kind | |
| run: | | |
| ./.ci/scripts/kind-images.sh ${{ env.CONTAINER_SUFFIX }} ${{ matrix.kind-config }} | |
| shell: bash | |
| - name: Deploy tests Helm chart | |
| id: deploy_helm | |
| run: | | |
| just deploy-tests-helm ${{ matrix.test-target }} ${{ matrix.values_file }} ${{ matrix.range }} | |
| - name: Deploy K8s Objects | |
| if: contains(matrix.test-target, 'object_psp') | |
| run: | | |
| just apply-k8s-test-objects | |
| - name: Run Tests | |
| id: run_tests | |
| run: | | |
| just run-tests ${{ matrix.test-target }} kind-${{ matrix.kind-config }} | |
| - name: Upload Test Results | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: allure_results-${{ matrix.test-target}} | |
| path: tests/allure/results/ | |
| - name: clear cache | |
| id: clear_cache | |
| if: always() | |
| run: rm -rf /tmp/*-${{ env.CONTAINER_SUFFIX }}.tar | |
| k8s_functional_tests_full: | |
| # Run full test suit on post-merge | |
| name: ${{ matrix.test-target }}-${{ matrix.range }}-tests | |
| if: github.event_name == 'push' | |
| needs: [ Build ] | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 55 | |
| env: | |
| KIND_CONFIG: kind-multi | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - test-target: pre_merge_agent | |
| range: '' | |
| values_file: tests/test_environments/values/ci-sa-agent.yml | |
| - test-target: pre_merge | |
| range: "" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "0..5" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "5..10" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "10..15" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "15..20" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "20..25" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "25..30" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "30..35" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "35..40" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "40..45" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "45..50" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "50..55" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "55..60" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "60..65" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "65..70" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: file_system_rules | |
| range: "70.." | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: k8s_object_rules | |
| range: "0..6" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: k8s_object_rules | |
| range: "6..12" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: k8s_object_rules | |
| range: "12..18" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: k8s_object_rules | |
| range: "18.." | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_scheduler_rules | |
| range: "0..3" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_scheduler_rules | |
| range: "3.." | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "0..5" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "5..10" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "10..15" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "15..20" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "20..24" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "24..28" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "28..32" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "32..36" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "36..40" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "40..44" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "44..48" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "48..52" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "52..56" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_api_server_rules | |
| range: "56.." | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_controller_manager_rules | |
| range: "0..4" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_controller_manager_rules | |
| range: "4..8" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_controller_manager_rules | |
| range: "8..12" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_controller_manager_rules | |
| range: "12.." | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_etcd_rules | |
| range: "0..4" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_etcd_rules | |
| range: "4..8" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_etcd_rules | |
| range: "8.." | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_kubelet_rules | |
| range: "0..4" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_kubelet_rules | |
| range: "4..8" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_kubelet_rules | |
| range: "8..12" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_kubelet_rules | |
| range: "12..16" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_kubelet_rules | |
| range: "16..20" | |
| values_file: tests/test_environments/values/ci.yml | |
| - test-target: process_kubelet_rules | |
| range: "20.." | |
| values_file: tests/test_environments/values/ci.yml | |
| steps: | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| tool-cache: false | |
| android: true | |
| dotnet: true | |
| haskell: true | |
| large-packages: false | |
| docker-images: true | |
| swap-storage: true | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: Init Hermit | |
| run: ./bin/hermit env -r >> $GITHUB_ENV | |
| - name: Create k8s Kind Cluster | |
| run: | | |
| just create-kind-cluster ${{ env.KIND_CONFIG }} | |
| - name: Cache docker images | |
| uses: actions/cache@v4 | |
| with: | |
| path: /tmp/*.tar | |
| key: ${{ runner.os }}-dockers-cache-${{ env.CONTAINER_SUFFIX }} | |
| - name: Load images to kind | |
| run: | | |
| ./.ci/scripts/kind-images.sh ${{ env.CONTAINER_SUFFIX }} ${{ env.KIND_CONFIG }} | |
| shell: bash | |
| - name: Deploy tests Helm chart | |
| id: deploy_helm | |
| run: | | |
| just deploy-tests-helm '${{ matrix.test-target }}' ${{ matrix.values_file }} ${{ matrix.range }} | |
| - name: Run Tests | |
| id: run_tests | |
| run: | | |
| just run-tests '${{ matrix.test-target }}' kind-${{ env.KIND_CONFIG }} | |
| - name: Upload Test Results | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: allure_results-${{ matrix.test-target}} | |
| path: tests/allure/results/ | |
| - name: clear cache | |
| id: clear_cache | |
| if: always() | |
| run: rm -rf /tmp/*-${{ env.CONTAINER_SUFFIX }}.tar |