
update policy yaml

This commit is contained in:
shivkumar dudhani 2019-07-25 14:57:44 -04:00
parent 7b942ec235
commit 073acbaa40
46 changed files with 406 additions and 341 deletions


@ -5,12 +5,13 @@ metadata :
spec :
rules:
- name: add-label
resource:
kinds :
- Deployment
selector :
matchLabels :
cli: test
match:
resources:
kinds :
- Deployment
selector :
matchLabels :
cli: test
mutate:
patches:
- path: /metadata/labels/isMutated
@ -20,12 +21,13 @@ spec :
op: replace
value: "nginx_is_mutated"
- name: check-image
resource:
kinds :
- Deployment
selector :
matchLabels :
cli: test
match:
resources:
kinds :
- Deployment
selector :
matchLabels :
cli: test
validate:
message: "The imagePullPolicy must be Always when using image nginx"
pattern:
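Review bot: The added `match:` and `resources:` keys are written without a space before the colon, while the lines moved under them keep the old `spec :`, `kinds :`, `selector :` and `matchLabels :` spacing, so each new block mixes two key styles. A trailing space is stripped from a plain-scalar key, so both forms parse to the same key, but a uniform `kinds:` reads better and matches the files in this commit that already omit the space; the same mixed spacing recurs in most of the sections below. The rule list continues outside the hunk.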


@ -5,15 +5,17 @@ metadata:
spec:
rules:
- name: image-pull-policy
resource:
kinds:
- Deployment
# - StatefulSet
# name: "my-deployment"
# selector :
# matchLabels:
# app.type: prod
# namespace: "my-namespace"
match:
resources:
kinds:
- Deployment
exclude:
resources:
name: nginx-deployment1
selector :
matchLabels:
app: nginx1
namespace: "default"
mutate:
overlay:
spec:
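Review bot: The `exclude:` block under `image-pull-policy` lists a name, a label selector and a namespace together, and nothing in the file says whether a Deployment has to meet all three to be skipped or any one of them. Because an exclusion widens what the mutation leaves untouched, a one-line comment above `exclude:` stating the intended combination, e.g. `# skip only the deployment that matches all of: name, labels and namespace — confirm against the match semantics`, would let a reader check the intent. The `mutate:` overlay body continues past the end of the hunk.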


@ -5,11 +5,12 @@ metadata:
spec:
rules:
- name: check-registries
resource:
kinds:
- Deployment
- StatefulSet
namespace: default
match:
resources:
kinds:
- Deployment
- StatefulSet
namespace: default
validate:
message: "Registry is not allowed"
pattern:


@ -5,22 +5,19 @@ metadata:
spec:
rules:
- name: "deny-ingress-traffic"
resource:
kinds:
- Namespace
name: "devtest"
match:
resources:
kinds:
- Namespace
name: "devtest"
generate:
kind: NetworkPolicy
name: deny-ingress-traffic
data:
spec:
podSelector:
matchLabels: {}
matchExpressions: []
policyTypes:
- Ingress
policyTypes:
- Ingress
metadata:
annotations: {}
labels:
policyname: "default"
# kind: ConfigMap
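Review bot: The NetworkPolicy generated by `deny-ingress-traffic` has an empty `podSelector` and `policyTypes: - Ingress` with no `ingress` rules, which in Kubernetes means every pod in the matched namespace loses all inbound traffic; that looks intended for `devtest`, but it deserves a comment above `data:` such as `# empty podSelector plus an Ingress policyType with no rules: denies all ingress to every pod in the namespace`. The `policyTypes` stanza is printed twice in the rendered hunk and the rendering does not mark which copy is the new side; only one should remain, since a duplicate key is a silent last-wins in most YAML parsers. The trailing `# kind: ConfigMap` is dead commented-out text and can be dropped.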


@ -5,12 +5,13 @@ metadata:
spec:
rules:
- name: validate-runAsNonRoot
resource:
kinds:
- Deployment
selector :
matchLabels:
app.type: prod
match:
resources:
kinds:
- Deployment
selector :
matchLabels:
app.type: prod
validate:
message: "security context 'runAsNonRoot' shoud be set to true"
pattern:
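Review bot: The validation message of `validate-runAsNonRoot` carries a typo that will surface in every admission response it produces: `message: "security context 'runAsNonRoot' shoud be set to true"` should read `message: "security context 'runAsNonRoot' should be set to true"`. The `pattern:` body continues outside the hunk.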


@ -5,9 +5,10 @@ metadata :
spec:
rules:
- name: check-readinessProbe-exists
resource:
kinds :
- Pod
match:
resources:
kinds :
- Pod
validate:
message: "readinessProbe is required"
pattern:
@ -17,9 +18,10 @@ spec:
readinessProbe:
successThreshold: ">1"
- name: check-livenessProbe-exists
resource:
kinds :
- Pod
match:
resources:
kinds :
- Pod
validate:
message: "livenessProbe is required"
pattern:


@ -3,12 +3,13 @@ kind: Policy
metadata:
name: policy-qos
spec:
validationFailureAction: "audit"
# validationFailureAction: "audit"
rules:
- name: add-memory-limit
resource:
kinds:
- Deployment
match:
resources:
kinds:
- Deployment
mutate:
overlay:
spec:
@ -21,10 +22,12 @@ spec:
limits:
# add memory limit if it is not exist
"+(memory)": "300Mi"
"+(cpu)": "100"
- name: check-cpu-memory-limits
resource:
kinds:
- Deployment
match:
resources:
kinds:
- Deployment
validate:
message: "Resource limits are required for CPU and memory"
pattern:
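Review bot: `validationFailureAction: "audit"` appears both plain and commented out in this hunk; print order suggests the commented form is the new side, though the rendering does not mark sides. If so, the enforcement mode of `policy-qos` falls back to whatever default the controller applies, which is not visible here and decides whether a Deployment without CPU and memory limits is admitted or rejected. Either delete the line or keep it active with the intended value, and if the default is relied on, say so with `# validationFailureAction left unset: relies on the controller default — confirm it is the intended mode`. The `check-cpu-memory-limits` pattern continues outside the hunk.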


@ -5,12 +5,13 @@ metadata:
spec:
rules:
- name: validate-user-privilege
resource:
kinds:
- Deployment
selector :
matchLabels:
app.type: prod
match:
resources:
kinds:
- Deployment
selector :
matchLabels:
app.type: prod
validate:
message: "validate container security contexts"
pattern:


@ -5,12 +5,13 @@ metadata :
spec :
rules:
- name: "Basic clone config generator for all namespaces"
resource:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate:
kind: ConfigMap
name: default-config
@ -18,12 +19,13 @@ spec :
namespace: default
name: config-template
- name: "Basic config generator for all namespaces"
resource:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate:
kind: Secret
name: mongo-creds


@ -5,12 +5,13 @@ metadata:
spec:
rules:
- name: "copy-comfigmap"
resource :
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
name : copied-cm
@ -18,12 +19,13 @@ spec:
namespace : default
name : game-config
- name: "zk-kafka-address"
resource:
kinds:
- Namespace
selector:
matchExpressions:
- {key: LabelForSelector, operator: In, values: [namespace2]}
match:
resources:
kinds:
- Namespace
selector:
matchExpressions:
- {key: LabelForSelector, operator: In, values: [namespace2]}
generate:
kind: ConfigMap
name: zk-kafka-address


@ -5,10 +5,11 @@ metadata:
spec:
rules:
- name: "deny-all-traffic"
resource:
kinds:
- Namespace
name: "*"
match:
resources:
kinds:
- Namespace
name: "*"
generate:
kind: NetworkPolicy
name: deny-all-traffic


@ -5,9 +5,10 @@ metadata:
spec:
rules:
- name: set-image-pull-policy
resource:
kinds:
- Deployment
match:
resources:
kinds:
- Deployment
mutate:
overlay:
spec:


@ -5,12 +5,13 @@ metadata :
spec :
rules:
- name: pEP
resource:
kinds :
- Endpoints
selector:
matchLabels:
label : test
match:
resources:
kinds :
- Endpoints
selector:
matchLabels:
label : test
mutate:
patches:
- path : "/subsets/0/ports/0/port"


@ -5,9 +5,10 @@ metadata:
spec:
rules:
- name: check-defined
resource:
kinds:
- Deployment
match:
resources:
kinds:
- Deployment
validate:
message: "Resource limits are required for CPU and memory"
pattern:
@ -22,9 +23,10 @@ spec:
cpu: "?*"
- name: check-cpu
resource:
kinds:
- Deployment
match:
resources:
kinds:
- Deployment
validate:
message: "CPU request should be less than 4"
pattern:


@ -5,9 +5,10 @@ metadata:
spec:
rules:
- name: check-host-path
resource:
kinds:
- Pod
match:
resources:
kinds:
- Pod
validate:
message: "Host path is not allowed"
pattern:


@ -5,9 +5,10 @@ metadata:
spec:
rules:
- name: image-pull-policy
resource:
kinds:
- Deployment
match:
resources:
kinds:
- Deployment
validate:
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
pattern:


@ -5,14 +5,15 @@ metadata :
spec :
rules:
- name: check-memory_requests_link_in_yaml
resource:
# Kind specifies one or more resource types to match
kinds:
- Deployment
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
match:
resources:
# Kind specifies one or more resource types to match
kinds:
- Deployment
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
validate:
pattern:
spec:
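Review bot: In `check-memory_requests_link_in_yaml` the `selector:` key under the new `resources:` has no value, which YAML reads as `null` rather than as an empty selector, even though the comment above it says the selector is optional. How the controller treats a null selector is not visible here; dropping the key, or writing an explicit `selector: {}`, removes the ambiguity. The same empty `selector:` is in the sibling `check-memory_requests_link_in_yaml_relative` file below. The `validate:` pattern continues outside the hunk.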


@ -5,14 +5,15 @@ metadata :
spec :
rules:
- name: check-memory_requests_link_in_yaml_relative
resource:
# Kind specifies one or more resource types to match
kinds:
- Deployment
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
match:
resources:
# Kind specifies one or more resource types to match
kinds:
- Deployment
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
validate:
pattern:
spec:


@ -5,9 +5,10 @@ metadata:
spec:
rules:
- name: check-node-port
resource:
kinds:
- Service
match:
resources:
kinds:
- Service
validate:
message: "NodePort type is not allowed"
pattern:


@ -5,11 +5,12 @@ metadata :
spec :
rules:
- name: check-non-root
resource:
kinds:
- Deployment
- StatefuleSet
- DaemonSet
match:
resources:
kinds:
- Deployment
- StatefuleSet
- DaemonSet
validate:
message: "Root user is not allowed"
pattern:
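Review bot: `check-non-root` lists `- StatefuleSet` under `kinds`, which is not a Kubernetes kind; the typo is pre-existing and the commit carries it into the new `match.resources` block, so the rule never evaluates StatefulSets and a StatefulSet whose containers run as root is not caught by this validation. Change it to `- StatefulSet`, the spelling used in the `check-registries` files elsewhere in this commit. The `pattern:` body continues outside the hunk.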


@ -5,9 +5,10 @@ metadata :
spec:
rules:
- name: check-liveness-probe-exists
resource:
kinds :
- StatefulSet
match:
resources:
kinds :
- StatefulSet
validate:
message: "a livenessProbe is required"
pattern:
@ -19,9 +20,10 @@ spec:
livenessProbe:
periodSeconds: ">0"
- name: check-readiness-probe-exists
resource:
kinds :
- StatefulSet
match:
resources:
kinds :
- StatefulSet
validate:
message: "a readinessProbe is required"
pattern:


@ -5,9 +5,10 @@ metadata :
spec:
rules:
- name: check-probe-intervals
resource:
kinds :
- Deployment
match:
resources:
kinds :
- Deployment
validate:
message: "livenessProbe must be > 10s"
pattern:
@ -19,9 +20,10 @@ spec:
livenessProbe:
periodSeconds: ">10"
- name: check-probe-intervals
resource:
kinds :
- Deployment
match:
resources:
kinds :
- Deployment
validate:
message: "readinessProbe must be > 10s"
pattern:
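Review bot: Both rules in this file are named `check-probe-intervals`, so anything keyed by rule name cannot tell the liveness check from the readiness check, and if the controller requires unique rule names the policy may be rejected outright. Give the two rules distinct names along the lines of `- name: check-liveness-probe-interval` and `- name: check-readiness-probe-interval`, matching their messages. The second rule's `pattern:` continues outside the hunk.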


@ -5,10 +5,11 @@ metadata:
spec:
rules:
- name: check-registries
resource:
kinds:
- Deployment
- StatefulSet
match:
resources:
kinds:
- Deployment
- StatefulSet
validate:
message: "Registry is not allowed"
pattern:


@ -5,10 +5,11 @@ metadata :
spec :
rules:
- name: pCM1
resource:
kinds :
- ConfigMap
name: "game-config"
match:
resources:
kinds :
- ConfigMap
name: "game-config"
mutate:
overlay:
data:
@ -25,10 +26,11 @@ spec :
op : add
value : newValue
- name: pCM2
resource:
kinds :
- ConfigMap
name: "game-config"
match:
resources:
kinds :
- ConfigMap
name: "game-config"
mutate:
patches:
- path : "/data/secretData"
@ -37,10 +39,11 @@ spec :
op : replace
value : "data is replaced"
- name: pCM3
resource:
kinds :
- ConfigMap
name: "game-config"
match:
resources:
kinds :
- ConfigMap
name: "game-config"
mutate:
patches:
- path : "/data/secretData"
@ -52,10 +55,11 @@ spec :
data:
game.properties: "*enemies=aliens*"
- name: pCM4
resource:
kinds :
- ConfigMap
name: "game-config"
match:
resources:
kinds :
- ConfigMap
name: "game-config"
validate:
message: "This CM data is broken because it does not have ui.properties"
pattern:


@ -5,12 +5,13 @@ metadata :
spec:
rules:
- name: "copyCM"
resource :
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
name : copied-cm


@ -10,12 +10,13 @@ metadata :
spec :
rules:
- name: "patchNamespace2"
resource :
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
mutate:
patches:
- path: "/metadata/labels/isMutatedByPolicy"
@ -23,12 +24,13 @@ spec :
value: "true"
- name: "copyCM"
resource :
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
name : copied-cm
@ -37,12 +39,13 @@ spec :
name : game-config
- name: "generateCM"
resource :
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
name : generated-cm
@ -56,10 +59,11 @@ spec :
rsa.public.key=42
- name: "generateSecret"
resource :
kinds :
- Namespace
name: ns2
match:
resources:
kinds :
- Namespace
name: ns2
generate :
kind: Secret
name : generated-secrets
@ -73,10 +77,11 @@ spec :
foo2=bar2
- name: "copySecret"
resource :
kinds :
- Namespace
name: ns2
match:
resources:
kinds :
- Namespace
name: ns2
generate :
kind: Secret
name : copied-secrets


@ -5,10 +5,11 @@ metadata:
spec:
rules:
- name: pCJ
resource:
kinds :
- CronJob
name: "?ell*"
match:
resources:
kinds :
- CronJob
name: "?ell*"
mutate:
patches:
- path: "/metadata/labels/isMutated"


@ -5,10 +5,11 @@ metadata:
spec:
rules:
- name: "Patch and Volume validation"
resource:
kinds:
- DaemonSet
name: fluentd-elasticsearch
match:
resources:
kinds:
- DaemonSet
name: fluentd-elasticsearch
mutate:
patches:
- path: "/metadata/labels/isMutated"


@ -5,9 +5,10 @@ metadata :
spec :
rules:
- name: "First policy v2"
resource:
kinds :
- Deployment
match:
resources:
kinds :
- Deployment
mutate:
patches:
- path: /metadata/labels/isMutated
@ -16,7 +17,6 @@ spec :
- path: /metadata/labels/app
op: replace
value: "nginx_is_mutated"
validate:
message: "Because I like only mutated resources"
pattern:


@ -5,12 +5,13 @@ metadata :
spec :
rules:
- name: pEP
resource:
kinds :
- Endpoints
selector:
matchLabels:
label : test
match:
resources:
kinds :
- Endpoints
selector:
matchLabels:
label : test
mutate:
patches:
- path : "/subsets/0/ports/0/port"


@ -5,12 +5,13 @@ metadata:
spec :
rules:
- name: hpa1
resource:
kinds :
- HorizontalPodAutoscaler
selector:
matchLabels:
originalLabel: isHere
match:
resources:
kinds :
- HorizontalPodAutoscaler
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/isMutated"


@ -5,12 +5,13 @@ metadata :
spec :
rules:
- name: ingress1
resource:
kinds :
- Ingress
selector:
matchLabels:
originalLabel: isHere
match:
resources:
kinds :
- Ingress
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/isMutated"


@ -5,10 +5,11 @@ metadata:
spec :
rules:
- name: job2
resource:
kinds:
- Job
name: pi
match:
resources:
kinds:
- Job
name: pi
mutate:
overlay:
spec:
@ -20,10 +21,11 @@ spec :
- containerPort: 80
protocol: TCP
- name: job1
resource:
kinds:
- Job
name: pi
match:
resources:
kinds:
- Job
name: pi
mutate:
overlay:
metadata:


@ -5,12 +5,13 @@ metadata :
spec :
rules:
- name: "rule"
resource:
kinds :
- LimitRange
selector:
matchLabels:
containerSize: minimal
match:
resources:
kinds :
- LimitRange
selector:
matchLabels:
containerSize: minimal
mutate:
patches:
- path : "/spec/limits/0/default/memory"


@ -6,12 +6,13 @@ metadata :
spec :
rules:
- name: ns1
resource:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace"
mutate:
patches:
- path: "/metadata/labels/replaced"


@ -5,12 +5,13 @@ metadata:
spec:
rules:
- name: np1
resource:
kinds :
- NetworkPolicy
selector:
matchLabels:
originalLabel: isHere
match:
resources:
kinds :
- NetworkPolicy
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/isMutated"


@ -5,11 +5,12 @@ metadata:
spec:
rules:
- name: pvc1
resource:
kinds :
- PersistentVolumeClaim
matchLabels:
originalLabel: isHere
match:
resources:
kinds :
- PersistentVolumeClaim
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/originalLabel"
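Review bot: In `pvc1` the new `resources:` block places `matchLabels:` directly under `resources`, whereas every other policy in this commit nests it as `selector:` then `matchLabels:`. If the schema only recognises `selector.matchLabels`, the label constraint is silently ignored and the mutation applies to every PersistentVolumeClaim rather than only those labelled `originalLabel: isHere`. Nest it as in the sibling files: `selector:` / `matchLabels:` / `originalLabel: isHere`. The `patches:` body continues outside the hunk.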


@ -5,10 +5,11 @@ metadata:
spec:
rules:
- name: pdb1
resource:
kinds :
- PodDisruptionBudget
name: "game-pdb"
match:
resources:
kinds :
- PodDisruptionBudget
name: "game-pdb"
mutate:
patches:
- path: "/metadata/labels/isMutated"


@ -5,12 +5,13 @@ metadata:
spec:
rules:
- name: podtemplate1
resource:
kinds :
- PodTemplate
selector:
matchLabels:
originalLabel: isHere
match:
resources:
kinds :
- PodTemplate
selector:
matchLabels:
originalLabel: isHere
mutate:
overlay:
template:


@ -5,12 +5,13 @@ metadata :
spec :
rules:
- name: "rule1"
resource:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
match:
resources:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
validate:
message: "This RQ requests too many RAM"
pattern:
@ -18,12 +19,13 @@ spec :
hard:
memory: "8Gi|12Gi"
- name: "rule2"
resource:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
match:
resources:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
validate:
message: "This RQ requests too many CPUs"
pattern:
@ -31,12 +33,13 @@ spec :
hard:
cpu: <3
- name: "rule3"
resource:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
match:
resources:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
validate:
message: "This RQ requests too many PODs"
pattern:


@ -5,12 +5,13 @@ metadata :
spec :
rules:
- name: "rule"
resource:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
match:
resources:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
mutate:
patches:
- path : "/spec/scopeSelector/matchExpressions/1"


@ -5,10 +5,11 @@ metadata:
spec:
rules:
- name: secret1
resource:
kinds :
- Secret
name: "mysecret"
match:
resources:
kinds :
- Secret
name: "mysecret"
mutate:
patches:
- path: "/metadata/labels/isMutated"


@ -5,12 +5,13 @@ metadata:
spec:
rules:
- name: set-userID
resource:
kinds:
- Deployment
selector :
matchLabels:
app.type: prod
match:
resources:
kinds:
- Deployment
selector :
matchLabels:
app.type: prod
mutate:
overlay:
spec:


@ -5,10 +5,11 @@ metadata :
spec :
rules:
- name: ps1
resource:
kinds:
- Service
name: "game-service*"
match:
resources:
kinds:
- Service
name: "game-service*"
mutate:
patches:
- path: "/metadata/labels/isMutated"


@ -5,12 +5,13 @@ metadata:
spec:
rules:
- name: statefulset1
resource:
kinds :
- StatefulSet
selector:
matchLabels:
originalLabel: isHere
match:
resources:
kinds :
- StatefulSet
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/spec/template/metadata/labels/isMutated"


@ -5,12 +5,13 @@ metadata :
spec :
rules:
- name: add-label
resource:
kinds :
- Deployment
selector :
matchLabels :
cli: test
match:
resources:
kinds :
- Deployment
selector :
matchLabels :
cli: test
mutate:
patches:
- path: /metadata/labels/isMutated
@ -25,36 +26,39 @@ spec :
- (image): "*nginx*"
imagePullPolicy: "Always"
- name: add-label2
resource:
kinds :
- Deployment
selector :
matchLabels :
cli: test
match:
resources:
kinds :
- Deployment
selector :
matchLabels :
cli: test
mutate:
patches:
- path: /metadata/labels/app1
op: replace
value: "nginx_is_mutated"
- name: add-label3
resource:
kinds :
- Deployment
selector :
matchLabels :
cli: test
match:
resources:
kinds :
- Deployment
selector :
matchLabels :
cli: test
mutate:
patches:
- path: /metadata/labels/app2
op: add
value: "nginx_is_mutated2"
- name: check-image
resource:
kinds :
- Deployment
selector :
matchLabels :
cli: test
match:
resources:
kinds :
- Deployment
selector :
matchLabels :
cli: test
validate:
message: "The imagePullPolicy must be Always when using image nginx"
pattern:
@ -65,10 +69,11 @@ spec :
- (image): "*nginx*"
imagePullPolicy: "Always"
- name: check-registries
resource:
kinds:
- Deployment
- StatefulSet
match:
resources:
kinds:
- Deployment
- StatefulSet
validate:
message: "Registry is not allowed"
pattern: