-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yaml
79 lines (75 loc) · 3.26 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
name: K8s NetworkPolicy Verification
description: An action to verify connectivity compliance requirements, based on preset policies
author: NP-Guard project
branding:
icon: shield
color: green
inputs:
corporate-policies:
description: A space-separated list of corporate policy files to verify (either as GitHub URLs or paths under GitHub workspace)
required: true
deployment-path:
description: The path in the GitHub workspace where deployment yamls are
required: false
default: .
netpol-path:
description: The path in the GitHub workspace where the NetworkPolicy yamls are stored
required: false
default: .
output-format:
description: The format in which to output verifitaion results (either "md" or "txt")
required: false
default: md
outputs:
num-violated-policies:
description: The number of corporate policies which the cluster's connectivity graph violates
value: ${{ steps.output-results.outputs.num-violated-policies }}
policy-results-artifact:
description: The name of the artifact containing verification results for all policies
value: ${{ steps.output-results.outputs.policy-results-artifact }}
policy-results-file:
description: The name of the actual file in the artifact, which contains verification results for all policies
value: ${{ steps.output-results.outputs.policy-results-file-name }}
runs:
using: composite
steps:
- name: Prepare directory and command-line arguments
id: add-b-flag
shell: bash
run: |
mkdir -p ${{ github.workspace }}/netpol-verify-gh-action-output
chmod a+rw ${{ github.workspace }}/netpol-verify-gh-action-output
for policy in ${{ inputs.corporate-policies }}
do
export POLICIES_WITH_B="-b $policy $POLICIES_WITH_B"
done
echo "::set-output name=policies-with-b::$(echo $POLICIES_WITH_B)"
- name: Baseline requirements validation
uses: docker://ghcr.io/np-guard/baseline-rules-verifier:1.3.2
with:
args: >
${{ steps.add-b-flag.outputs.policies-with-b }}
-r /github/workspace/${{ inputs.deployment-path }}
/github/workspace/${{ inputs.netpol-path }}
--tmp_dir /tmp
--nca_path /nca
--format ${{ inputs.output-format }}
-o /github/workspace/netpol-verify-gh-action-output/netpol-verify-output.${{ inputs.output-format }}
--return_0
- name: Upload artifact
uses: actions/upload-artifact@v2
with:
name: connectivity-policy-results
path: ${{ github.workspace }}/netpol-verify-gh-action-output/netpol-verify-output.${{ inputs.output-format }}
- name: Set outputs and clean
id: output-results
shell: bash
run: |
violated=$( tail -n1 ${{ github.workspace }}/netpol-verify-gh-action-output/netpol-verify-output.${{ inputs.output-format }} | cut -d' ' -f1 )
if [[ "$violated" == "All" ]]; then
violated=0
fi
echo "::set-output name=num-violated-policies::$violated"
echo "::set-output name=policy-results-artifact::connectivity-policy-results"
echo "::set-output name=policy-results-file-name::netpol-verify-output.${{ inputs.output-format }}"
rm -r ${{ github.workspace }}/netpol-verify-gh-action-output