feat(security): guard sealed secrets rollout
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled

This commit is contained in:
ogt
2026-07-15 09:43:23 +08:00
parent 3bf84fdc58
commit 26996a288a
2 changed files with 50 additions and 2 deletions

View File

@@ -278,6 +278,29 @@
"max_surge": 1
}
}
},
{
"asset_id": "runtime-image:sealed-secrets-controller",
"source_index_digest": "sha256:74cd190f424b591dd82a234685c8c81d50b33af807e03470bc12b23d202e0106",
"platform_digest": "sha256:1827b36853e124ac0dd2554f7cd55c04952ecb7c38ff19a4a8d93d633811ed68",
"target_registry_digest": "sha256:2692460ed95f213760550cb508c881e1490a2f0ce4affbed31a0bf900ebba363",
"push_ref": "registry.wooo.work/awoooi/runtime-mirror/sealed-secrets-controller:0.26.0-linux-amd64",
"runtime_ref": "192.168.0.110:5000/awoooi/runtime-mirror/sealed-secrets-controller@sha256:2692460ed95f213760550cb508c881e1490a2f0ce4affbed31a0bf900ebba363",
"workload": {
"kind": "deployment",
"namespace": "kube-system",
"name": "sealed-secrets-controller",
"container": "sealed-secrets-controller"
},
"availability_guard": {
"minimum_ready_replicas": 1,
"maximum_effective_unavailable": 0,
"minimum_effective_surge": 1,
"enforced_strategy": {
"max_unavailable": 0,
"max_surge": 1
}
}
}
]
}

View File

@@ -81,7 +81,7 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
self.assertEqual(policy.work_item_id, "AIA-P0-006-02A")
self.assertEqual(policy.risk_level, "high")
self.assertEqual(len(policy.images), 17)
self.assertEqual(len(policy.images), 18)
self.assertNotIn("github.com", raw)
self.assertNotIn("ghcr.io", raw)
self.assertIn('"external_pull_allowed": false', raw)
@@ -106,7 +106,7 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
)
)
container_kinds = [image.workload.container_kind for image in policy.images]
self.assertEqual(container_kinds.count("container"), 14)
self.assertEqual(container_kinds.count("container"), 15)
self.assertEqual(container_kinds.count("init_container"), 3)
vpa = next(
@@ -176,6 +176,31 @@ class RuntimeImageMirrorControllerTest(unittest.TestCase):
),
)
sealed_secrets = next(
image
for image in policy.images
if image.asset_id == "runtime-image:sealed-secrets-controller"
)
self.assertEqual(
sealed_secrets.target_registry_digest,
"sha256:2692460ed95f213760550cb508c881e1490a2f0ce4affbed31a0bf900ebba363",
)
self.assertEqual(sealed_secrets.workload.namespace, "kube-system")
self.assertEqual(sealed_secrets.workload.name, "sealed-secrets-controller")
self.assertEqual(
sealed_secrets.workload.container, "sealed-secrets-controller"
)
self.assertEqual(
sealed_secrets.availability_guard,
controller.AvailabilityGuard(
minimum_ready_replicas=1,
maximum_effective_unavailable=0,
minimum_effective_surge=1,
enforced_max_unavailable=0,
enforced_max_surge=1,
),
)
def test_policy_loads_and_validates_init_container_kind(self) -> None:
image = self._image_with_container_kind("init_container")