restrict permitted e2e images to known images list
Allows tag bumps, but prevents adding new images to e2e without test/images approval. Adds a pointer to agnhost as the preferred option before adding new images.
		
							
								
								
									
										53
									
								
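--- a/hack/verify-e2e-images.sh
+++ b/hack/verify-e2e-images.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+cd "${KUBE_ROOT}"
+
+source hack/lib/init.sh
+
+# NOTE: Please do NOT add any to this list!!
+#
+# We are aiming to consolidate on: registry.k8s.io/e2e-test-images/agnhost
+# The sources for which are in test/images/agnhost.
+# If agnhost is missing functionality for your tests, please reach out to SIG Testing.
+kube::util::read-array PERMITTED_IMAGES < <(sed '/^#/d' ./test/images/.permitted-images)
+
+# get current list of images, ignoring tags
+echo "Getting e2e image list ..."
+make WHAT=test/e2e/e2e.test
+e2e_test="$(kube::util::find-binary e2e.test)"
+kube::util::read-array IMAGES < <("${e2e_test}" --list-images | sed -E 's/^(.+):[^:]+$/\1/' | LC_ALL=C sort -u)
+
+# diff versus known permitted images
+ret=0
+>&2 echo "Diffing e2e image list ..."
+diff -Naupr <(printf '%s\n' "${IMAGES[@]}") <(printf '%s\n' "${PERMITTED_IMAGES[@]}") || ret=$?
+if [[ $ret -eq 0 ]]; then
+  >&2 echo "PASS: e2e images used are OK."
+else
+  >&2 echo "FAIL: e2e images do not match the approved list!"
+  >&2 echo ""
+  >&2 echo "Please use registry.k8s.io/e2e-test-images/agnhost wherever possible, we are consolidating test images."
+  >&2 echo "See: test/images/agnhost/README.md"
+  >&2 echo ""
+  >&2 echo "You can reach out to https://git.k8s.io/community/sig-testing for help."
+  exit 1
+fi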
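Review bot: The two inputs to `diff -Naupr` are not normalised the same way: `IMAGES` goes through `LC_ALL=C sort -u`, while `PERMITTED_IMAGES` is read with only `sed '/^#/d'`, so the check passes only if `.permitted-images` is hand-kept in C-locale byte order with no duplicates, blank lines or trailing whitespace. That fails closed, but an ordering slip yields the same "do not match the approved list" failure as a genuinely unapproved image, which makes the gate noisier and easier to wave through. Consider reading the list as `sed -e '/^#/d' -e '/^[[:space:]]*$/d' ./test/images/.permitted-images | LC_ALL=C sort -u`. Because the comparison is exact in both directions, a short comment above the `diff` would also help, stating that `-` lines are images e2e.test uses but the list lacks and `+` lines are stale list entries.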
							
								
								
									
										49
									
								
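--- a/test/images/.permitted-images
+++ b/test/images/.permitted-images
@@ -0,0 +1,49 @@
+# NOTE: Please do NOT add any to this list!!
+#
+# We are aiming to consolidate on: registry.k8s.io/e2e-test-images/agnhost
+# The sources for which are in test/images/agnhost.
+# If agnhost is missing functionality for your tests, please reach out to SIG Testing.
+gcr.io/authenticated-image-pulling/alpine
+gcr.io/authenticated-image-pulling/windows-nanoserver
+gcr.io/k8s-authenticated-test/agnhost
+invalid.registry.k8s.io/invalid/alpine
+registry.k8s.io/build-image/distroless-iptables
+registry.k8s.io/cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver
+registry.k8s.io/e2e-test-images/agnhost
+registry.k8s.io/e2e-test-images/apparmor-loader
+registry.k8s.io/e2e-test-images/busybox
+registry.k8s.io/e2e-test-images/cuda-vector-add
+registry.k8s.io/e2e-test-images/httpd
+registry.k8s.io/e2e-test-images/ipc-utils
+registry.k8s.io/e2e-test-images/jessie-dnsutils
+registry.k8s.io/e2e-test-images/kitten
+registry.k8s.io/e2e-test-images/nautilus
+registry.k8s.io/e2e-test-images/nginx
+registry.k8s.io/e2e-test-images/node-perf/npb-ep
+registry.k8s.io/e2e-test-images/node-perf/npb-is
+registry.k8s.io/e2e-test-images/node-perf/tf-wide-deep
+registry.k8s.io/e2e-test-images/nonewprivs
+registry.k8s.io/e2e-test-images/nonroot
+registry.k8s.io/e2e-test-images/perl
+registry.k8s.io/e2e-test-images/redis
+registry.k8s.io/e2e-test-images/regression-issue-74839
+registry.k8s.io/e2e-test-images/resource-consumer
+registry.k8s.io/e2e-test-images/sample-apiserver
+registry.k8s.io/e2e-test-images/volume/iscsi
+registry.k8s.io/e2e-test-images/volume/nfs
+registry.k8s.io/etcd
+registry.k8s.io/pause
+registry.k8s.io/prometheus-dummy-exporter
+registry.k8s.io/prometheus-to-sd
+registry.k8s.io/sd-dummy-exporter
+registry.k8s.io/sig-storage/csi-attacher
+registry.k8s.io/sig-storage/csi-external-health-monitor-controller
+registry.k8s.io/sig-storage/csi-node-driver-registrar
+registry.k8s.io/sig-storage/csi-provisioner
+registry.k8s.io/sig-storage/csi-resizer
+registry.k8s.io/sig-storage/csi-snapshotter
+registry.k8s.io/sig-storage/hello-populator
+registry.k8s.io/sig-storage/hostpathplugin
+registry.k8s.io/sig-storage/livenessprobe
+registry.k8s.io/sig-storage/nfs-provisioner
+registry.k8s.io/sig-storage/volume-data-source-validator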
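Review bot: The entries outside `registry.k8s.io` carry no rationale: `gcr.io/authenticated-image-pulling/alpine`, `gcr.io/authenticated-image-pulling/windows-nanoserver`, `gcr.io/k8s-authenticated-test/agnhost` and `invalid.registry.k8s.io/invalid/alpine`. These are the ones a reviewer of an allowlist will want explained. The verify script drops every line starting with `#`, so a comment can sit directly above each group, e.g. `# deliberately unresolvable registry, presumably for image-pull failure tests (confirm)`. Entries are repository names with the tag stripped, so the list constrains which repositories e2e may reference, not which image content is pulled. Saying so in the header, for instance `# Names only: tags and digests are not checked here.`, would keep the file from being read as a stronger guarantee than it gives.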