From 073acbaa40c24f241def19272278f937860d8b4a Mon Sep 17 00:00:00 2001 
From: shivkumar dudhani Date: Thu, 25 Jul 2019 14:57:44 -0400 Subject: [PATCH] update policy yaml --- examples/cli/policy_deployment.yaml | 26 ++++---- examples/demo/1_image_pull_policy/policy.yaml | 20 +++--- examples/demo/2_allowed_registry/policy.yaml | 11 ++-- examples/demo/3_network_policy/policy.yaml | 17 +++--- examples/demo/4_non_root/policy.yaml | 13 ++-- examples/demo/5_health_check/policy.yaml | 14 +++-- examples/demo/6_qos/policy_qos.yaml | 17 +++--- .../7_container_security_context/policy.yaml | 13 ++-- examples/generate/policy_basic.yaml | 26 ++++---- examples/generate/policy_generate.yaml | 26 ++++---- examples/generate/policy_networkPolicy.yaml | 9 +-- .../overlay/policy_imagePullPolicy.yaml | 7 ++- examples/mutate/patches/policy_endpoints.yaml | 13 ++-- examples/validate/check_cpu_memory.yaml | 14 +++-- examples/validate/check_hostpath.yaml | 7 ++- examples/validate/check_image_version.yaml | 7 ++- .../check_memory_requests_same_yaml.yaml | 17 +++--- ...ck_memory_requests_same_yaml_relative.yaml | 17 +++--- examples/validate/check_nodeport.yaml | 7 ++- examples/validate/check_not_root.yaml | 11 ++-- examples/validate/check_probe_exists.yaml | 14 +++-- examples/validate/check_probe_intervals.yaml | 14 +++-- examples/validate/check_registries.yaml | 9 +-- test/ConfigMap/policy-CM.yaml | 36 ++++++----- .../policy-cm-test.yaml | 13 ++-- .../policy-namespace-patch-cmgCG-sgCG.yaml | 57 +++++++++-------- test/CronJob/policy-cronjob-wldcrd.yaml | 9 +-- test/DaemonSet/policy-daemonset.yaml | 9 +-- test/Deployment/policy-deployment-any.yaml | 8 +-- test/Endpoint/policy-endpoints.yaml | 13 ++-- test/HorizontalPodAutoscaler/policy-hpa.yaml | 13 ++-- test/Ingress/policy-ingress.yaml | 13 ++-- test/Job/policy-job.yaml | 18 +++--- test/LimitRange/policy-limitrange.yaml | 13 ++-- test/Namespace/policy-namespace.yaml | 13 ++-- test/NetworkPolicy/policy-network-policy.yaml | 13 ++-- test/PersistentVolumeClaim/policy-PVC.yaml | 11 ++-- 
test/PodDisruptionBudget/policy-pdb.yaml | 9 +-- test/PodTemplate/policy-PodTemplate.yaml | 13 ++-- .../policy-quota-validation.yaml | 39 ++++++------ test/ResourceQuota/policy-quota.yaml | 13 ++-- test/Secret/policy-secret.yaml | 9 +-- test/SecurityContext/policy.yaml | 13 ++-- test/Service/policy-service.yaml | 9 +-- test/StatefulSet/policy-StatefulSet.yaml | 13 ++-- test/mix/policy.yaml | 61 ++++++++++--------- 46 files changed, 406 insertions(+), 341 deletions(-) diff --git a/examples/cli/policy_deployment.yaml b/examples/cli/policy_deployment.yaml index 064b68bb4d..c974ffb8af 100644 --- a/examples/cli/policy_deployment.yaml +++ b/examples/cli/policy_deployment.yaml @@ -5,12 +5,13 @@ metadata : spec : rules: - name: add-label - resource: - kinds : - - Deployment - selector : - matchLabels : - cli: test + match: + resources: + kinds : + - Deployment + selector : + matchLabels : + cli: test mutate: patches: - path: /metadata/labels/isMutated @@ -20,12 +21,13 @@ spec : op: replace value: "nginx_is_mutated" - name: check-image - resource: - kinds : - - Deployment - selector : - matchLabels : - cli: test + match: + resources: + kinds : + - Deployment + selector : + matchLabels : + cli: test validate: message: "The imagePullPolicy must be Always when using image nginx" pattern: diff --git a/examples/demo/1_image_pull_policy/policy.yaml b/examples/demo/1_image_pull_policy/policy.yaml index 6da37a961e..617ff192dd 100644 --- a/examples/demo/1_image_pull_policy/policy.yaml +++ b/examples/demo/1_image_pull_policy/policy.yaml @@ -5,15 +5,17 @@ metadata: spec: rules: - name: image-pull-policy - resource: - kinds: - - Deployment - # - StatefulSet - # name: "my-deployment" - # selector : - # matchLabels: - # app.type: prod - # namespace: "my-namespace" + match: + resources: + kinds: + - Deployment + exclude: + resources: + name: nginx-deployment1 + selector : + matchLabels: + app: nginx1 + namespace: "default" mutate: overlay: spec: 
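Review bot: The new `exclude` block combines `name: nginx-deployment1`, a label selector and `namespace: "default"`, and nothing in the example says whether a Deployment is excluded only when all three conditions hold or when any one of them does; the commented-out field reference that previously documented the optional matchers was removed in the same hunk. Add a comment above `exclude:` stating the intended semantics, e.g. `# excludes the Deployment matching name, labels and namespace — confirm against the controller's match logic`, so readers do not assume a wider exclusion than the controller applies. `selector :` also keeps a space before the colon while `match:` and `exclude:` do not; `selector:` would be consistent with the rest of the block.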
diff --git a/examples/demo/2_allowed_registry/policy.yaml b/examples/demo/2_allowed_registry/policy.yaml index 4964e434d9..6992edbb58 100644 --- a/examples/demo/2_allowed_registry/policy.yaml +++ b/examples/demo/2_allowed_registry/policy.yaml @@ -5,11 +5,12 @@ metadata: spec: rules: - name: check-registries - resource: - kinds: - - Deployment - - StatefulSet - namespace: default + match: + resources: + kinds: + - Deployment + - StatefulSet + namespace: default validate: message: "Registry is not allowed" pattern: diff --git a/examples/demo/3_network_policy/policy.yaml b/examples/demo/3_network_policy/policy.yaml index c68090abf6..374e3a71ad 100644 --- a/examples/demo/3_network_policy/policy.yaml +++ b/examples/demo/3_network_policy/policy.yaml @@ -5,22 +5,19 @@ metadata: spec: rules: - name: "deny-ingress-traffic" - resource: - kinds: - - Namespace - name: "devtest" + match: + resources: + kinds: + - Namespace + name: "devtest" generate: kind: NetworkPolicy name: deny-ingress-traffic data: spec: - podSelector: - matchLabels: {} - matchExpressions: [] - policyTypes: - - Ingress + policyTypes: + - Ingress metadata: - annotations: {} labels: policyname: "default" # kind: ConfigMap diff --git a/examples/demo/4_non_root/policy.yaml b/examples/demo/4_non_root/policy.yaml index 3ea11b319e..904c1fecd3 100644 --- a/examples/demo/4_non_root/policy.yaml +++ b/examples/demo/4_non_root/policy.yaml @@ -5,12 +5,13 @@ metadata: spec: rules: - name: validate-runAsNonRoot - resource: - kinds: - - Deployment - selector : - matchLabels: - app.type: prod + match: + resources: + kinds: + - Deployment + selector : + matchLabels: + app.type: prod validate: message: "security context 'runAsNonRoot' shoud be set to true" pattern: diff --git a/examples/demo/5_health_check/policy.yaml b/examples/demo/5_health_check/policy.yaml index e2c199d12e..4f91c8fc24 100644 --- a/examples/demo/5_health_check/policy.yaml +++ b/examples/demo/5_health_check/policy.yaml 
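Review bot: Removing `podSelector` from the generated NetworkPolicy in examples/demo/3_network_policy/policy.yaml leaves the deny-ingress policy's scope implicit: the Kubernetes API reference documents `spec.podSelector` as not optional, and an empty selector is exactly what makes the policy apply to every pod in the namespace. Keep it explicit with `podSelector: {}` directly under `spec:` so the generated object states that it covers all pods rather than relying on the consumer to fill in the default; whether the API server accepts the omitted field is not visible from this diff.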
@@ -5,9 +5,10 @@ metadata : spec: rules: - name: check-readinessProbe-exists - resource: - kinds : - - Pod + match: + resources: + kinds : + - Pod validate: message: "readinessProbe is required" pattern: @@ -17,9 +18,10 @@ spec: readinessProbe: successThreshold: ">1" - name: check-livenessProbe-exists - resource: - kinds : - - Pod + match: + resources: + kinds : + - Pod validate: message: "livenessProbe is required" pattern: diff --git a/examples/demo/6_qos/policy_qos.yaml b/examples/demo/6_qos/policy_qos.yaml index 03d7bd9444..352772a8ea 100644 --- a/examples/demo/6_qos/policy_qos.yaml +++ b/examples/demo/6_qos/policy_qos.yaml @@ -3,12 +3,13 @@ kind: Policy metadata: name: policy-qos spec: - validationFailureAction: "audit" +# validationFailureAction: "audit" rules: - name: add-memory-limit - resource: - kinds: - - Deployment + match: + resources: + kinds: + - Deployment mutate: overlay: spec: @@ -21,10 +22,12 @@ spec: limits: # add memory limit if it is not exist "+(memory)": "300Mi" + "+(cpu)": "100" - name: check-cpu-memory-limits - resource: - kinds: - - Deployment + match: + resources: + kinds: + - Deployment validate: message: "Resource limits are required for CPU and memory" pattern: diff --git a/examples/demo/7_container_security_context/policy.yaml b/examples/demo/7_container_security_context/policy.yaml index fc434ec0dc..df56be4d2d 100755 --- a/examples/demo/7_container_security_context/policy.yaml +++ b/examples/demo/7_container_security_context/policy.yaml @@ -5,12 +5,13 @@ metadata: spec: rules: - name: validate-user-privilege - resource: - kinds: - - Deployment - selector : - matchLabels: - app.type: prod + match: + resources: + kinds: + - Deployment + selector : + matchLabels: + app.type: prod validate: message: "validate container security contexts" pattern: diff --git a/examples/generate/policy_basic.yaml b/examples/generate/policy_basic.yaml index 8e8c7e2286..21014b7099 100644 --- a/examples/generate/policy_basic.yaml 
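Review bot: Commenting out `validationFailureAction: "audit"` in examples/demo/6_qos/policy_qos.yaml leaves the check-cpu-memory-limits rule under whatever failure action the controller defaults to, which the diff does not show; if that default rejects admission, the demo now blocks Deployments without limits instead of reporting them. If audit mode is no longer wanted, delete the line rather than leaving dead configuration, or replace it with a comment such as `# failure action intentionally left at the controller default` so the intent is recorded.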
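Review bot: The added default `"+(cpu)": "100"` in examples/demo/6_qos/policy_qos.yaml is a Kubernetes quantity of 100 CPU cores, not 100 millicores; the mutate rule would inject a limit far larger than the accompanying memory default `"300Mi"` suggests and larger than most nodes can satisfy. The intended value is almost certainly `"+(cpu)": "100m"`; if 100 cores really is meant, say so in the `# add memory limit if it is not exist` comment, which should also mention cpu now that both limits are defaulted.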
+++ b/examples/generate/policy_basic.yaml @@ -5,12 +5,13 @@ metadata : spec : rules: - name: "Basic clone config generator for all namespaces" - resource: - kinds: - - Namespace - selector: - matchLabels: - LabelForSelector : "namespace2" + match: + resources: + kinds: + - Namespace + selector: + matchLabels: + LabelForSelector : "namespace2" generate: kind: ConfigMap name: default-config @@ -18,12 +19,13 @@ spec : namespace: default name: config-template - name: "Basic config generator for all namespaces" - resource: - kinds: - - Namespace - selector: - matchLabels: - LabelForSelector : "namespace2" + match: + resources: + kinds: + - Namespace + selector: + matchLabels: + LabelForSelector : "namespace2" generate: kind: Secret name: mongo-creds diff --git a/examples/generate/policy_generate.yaml b/examples/generate/policy_generate.yaml index 964d79eee7..a0d2837896 100644 --- a/examples/generate/policy_generate.yaml +++ b/examples/generate/policy_generate.yaml @@ -5,12 +5,13 @@ metadata: spec: rules: - name: "copy-comfigmap" - resource : - kinds : - - Namespace - selector: - matchLabels: - LabelForSelector : "namespace2" + match: + resources: + kinds : + - Namespace + selector: + matchLabels: + LabelForSelector : "namespace2" generate : kind: ConfigMap name : copied-cm @@ -18,12 +19,13 @@ spec: namespace : default name : game-config - name: "zk-kafka-address" - resource: - kinds: - - Namespace - selector: - matchExpressions: - - {key: LabelForSelector, operator: In, values: [namespace2]} + match: + resources: + kinds: + - Namespace + selector: + matchExpressions: + - {key: LabelForSelector, operator: In, values: [namespace2]} generate: kind: ConfigMap name: zk-kafka-address diff --git a/examples/generate/policy_networkPolicy.yaml b/examples/generate/policy_networkPolicy.yaml index b62d0273f3..d75f762ce1 100644 --- a/examples/generate/policy_networkPolicy.yaml +++ b/examples/generate/policy_networkPolicy.yaml 
@@ -5,10 +5,11 @@ metadata: spec: rules: - name: "deny-all-traffic" - resource: - kinds: - - Namespace - name: "*" + match: + resources: + kinds: + - Namespace + name: "*" generate: kind: NetworkPolicy name: deny-all-traffic diff --git a/examples/mutate/overlay/policy_imagePullPolicy.yaml b/examples/mutate/overlay/policy_imagePullPolicy.yaml index 46537f9cd7..0040e5c390 100644 --- a/examples/mutate/overlay/policy_imagePullPolicy.yaml +++ b/examples/mutate/overlay/policy_imagePullPolicy.yaml @@ -5,9 +5,10 @@ metadata: spec: rules: - name: set-image-pull-policy - resource: - kinds: - - Deployment + match: + resources: + kinds: + - Deployment mutate: overlay: spec: diff --git a/examples/mutate/patches/policy_endpoints.yaml b/examples/mutate/patches/policy_endpoints.yaml index 4e36eda51d..0ddfa6bb06 100644 --- a/examples/mutate/patches/policy_endpoints.yaml +++ b/examples/mutate/patches/policy_endpoints.yaml @@ -5,12 +5,13 @@ metadata : spec : rules: - name: pEP - resource: - kinds : - - Endpoints - selector: - matchLabels: - label : test + match: + resources: + kinds : + - Endpoints + selector: + matchLabels: + label : test mutate: patches: - path : "/subsets/0/ports/0/port" diff --git a/examples/validate/check_cpu_memory.yaml b/examples/validate/check_cpu_memory.yaml index 19db8adf1c..d3da8679ed 100644 --- a/examples/validate/check_cpu_memory.yaml +++ b/examples/validate/check_cpu_memory.yaml @@ -5,9 +5,10 @@ metadata: spec: rules: - name: check-defined - resource: - kinds: - - Deployment + match: + resources: + kinds: + - Deployment validate: message: "Resource limits are required for CPU and memory" pattern: @@ -22,9 +23,10 @@ spec: cpu: "?*" - name: check-cpu - resource: - kinds: - - Deployment + match: + resources: + kinds: + - Deployment validate: message: "CPU request should be less than 4" pattern: diff --git a/examples/validate/check_hostpath.yaml b/examples/validate/check_hostpath.yaml index 04f6874a29..dae7419647 100644 
--- a/examples/validate/check_hostpath.yaml +++ b/examples/validate/check_hostpath.yaml @@ -5,9 +5,10 @@ metadata: spec: rules: - name: check-host-path - resource: - kinds: - - Pod + match: + resources: + kinds: + - Pod validate: message: "Host path is not allowed" pattern: diff --git a/examples/validate/check_image_version.yaml b/examples/validate/check_image_version.yaml index 1988389e67..9d70a2af6d 100644 --- a/examples/validate/check_image_version.yaml +++ b/examples/validate/check_image_version.yaml @@ -5,9 +5,10 @@ metadata: spec: rules: - name: image-pull-policy - resource: - kinds: - - Deployment + match: + resources: + kinds: + - Deployment validate: message: "Image tag ':latest' requires imagePullPolicy 'Always'" pattern: diff --git a/examples/validate/check_memory_requests_same_yaml.yaml b/examples/validate/check_memory_requests_same_yaml.yaml index 1630888c4f..c3306bdb55 100644 --- a/examples/validate/check_memory_requests_same_yaml.yaml +++ b/examples/validate/check_memory_requests_same_yaml.yaml @@ -5,14 +5,15 @@ metadata : spec : rules: - name: check-memory_requests_link_in_yaml - resource: - # Kind specifies one or more resource types to match - kinds: - - Deployment - # Name is optional and can use wildcards - name: "*" - # Selector is optional - selector: + match: + resources: + # Kind specifies one or more resource types to match + kinds: + - Deployment + # Name is optional and can use wildcards + name: "*" + # Selector is optional + selector: validate: pattern: spec: diff --git a/examples/validate/check_memory_requests_same_yaml_relative.yaml b/examples/validate/check_memory_requests_same_yaml_relative.yaml index cfd11a9a14..4ed45481ad 100644 --- a/examples/validate/check_memory_requests_same_yaml_relative.yaml +++ b/examples/validate/check_memory_requests_same_yaml_relative.yaml 
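Review bot: The new `selector:` line under `resources:` in examples/validate/check_memory_requests_same_yaml.yaml has no value, so it parses as YAML null rather than an empty selector; the comment above it says the selector is optional, and a null value relies on the controller treating null the same as an absent field. Either drop the line or write `selector: {}` so the example shows an explicit empty selector. The same pattern appears in the hunk for examples/validate/check_memory_requests_same_yaml_relative.yaml.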
@@ -5,14 +5,15 @@ metadata : spec : rules: - name: check-memory_requests_link_in_yaml_relative - resource: - # Kind specifies one or more resource types to match - kinds: - - Deployment - # Name is optional and can use wildcards - name: "*" - # Selector is optional - selector: + match: + resources: + # Kind specifies one or more resource types to match + kinds: + - Deployment + # Name is optional and can use wildcards + name: "*" + # Selector is optional + selector: validate: pattern: spec: diff --git a/examples/validate/check_nodeport.yaml b/examples/validate/check_nodeport.yaml index 771fc4b6a6..0238bf1717 100644 --- a/examples/validate/check_nodeport.yaml +++ b/examples/validate/check_nodeport.yaml @@ -5,9 +5,10 @@ metadata: spec: rules: - name: check-node-port - resource: - kinds: - - Service + match: + resources: + kinds: + - Service validate: message: "NodePort type is not allowed" pattern: diff --git a/examples/validate/check_not_root.yaml b/examples/validate/check_not_root.yaml index 93234636e6..38fc522434 100644 --- a/examples/validate/check_not_root.yaml +++ b/examples/validate/check_not_root.yaml @@ -5,11 +5,12 @@ metadata : spec : rules: - name: check-non-root - resource: - kinds: - - Deployment - - StatefuleSet - - DaemonSet + match: + resources: + kinds: + - Deployment + - StatefuleSet + - DaemonSet validate: message: "Root user is not allowed" pattern: diff --git a/examples/validate/check_probe_exists.yaml b/examples/validate/check_probe_exists.yaml index b877ee4c9c..ca22098dd6 100644 --- a/examples/validate/check_probe_exists.yaml +++ b/examples/validate/check_probe_exists.yaml @@ -5,9 +5,10 @@ metadata : spec: rules: - name: check-liveness-probe-exists - resource: - kinds : - - StatefulSet + match: + resources: + kinds : + - StatefulSet validate: message: "a livenessProbe is required" pattern: 
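Review bot: `StatefuleSet` in the `kinds` list of examples/validate/check_not_root.yaml is carried into the new `match.resources` block unchanged; it is not a Kubernetes kind, so the check-non-root rule never evaluates StatefulSets and the root-user check is silently skipped for that workload type without any error. Change the entry to `- StatefulSet`, the spelling used in examples/validate/check_registries.yaml in this same patch.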
@@ -19,9 +20,10 @@ spec: livenessProbe: periodSeconds: ">0" - name: check-readiness-probe-exists - resource: - kinds : - - StatefulSet + match: + resources: + kinds : + - StatefulSet validate: message: "a readinessProbe is required" pattern: diff --git a/examples/validate/check_probe_intervals.yaml b/examples/validate/check_probe_intervals.yaml index aae19e016a..5e201e455c 100644 --- a/examples/validate/check_probe_intervals.yaml +++ b/examples/validate/check_probe_intervals.yaml @@ -5,9 +5,10 @@ metadata : spec: rules: - name: check-probe-intervals - resource: - kinds : - - Deployment + match: + resources: + kinds : + - Deployment validate: message: "livenessProbe must be > 10s" pattern: @@ -19,9 +20,10 @@ spec: livenessProbe: periodSeconds: ">10" - name: check-probe-intervals - resource: - kinds : - - Deployment + match: + resources: + kinds : + - Deployment validate: message: "readinessProbe must be > 10s" pattern: diff --git a/examples/validate/check_registries.yaml b/examples/validate/check_registries.yaml index 84fc7b379a..0d6d835b33 100644 --- a/examples/validate/check_registries.yaml +++ b/examples/validate/check_registries.yaml @@ -5,10 +5,11 @@ metadata: spec: rules: - name: check-registries - resource: - kinds: - - Deployment - - StatefulSet + match: + resources: + kinds: + - Deployment + - StatefulSet validate: message: "Registry is not allowed" pattern: diff --git a/test/ConfigMap/policy-CM.yaml b/test/ConfigMap/policy-CM.yaml index cb2ca05534..9d544ce595 100644 --- a/test/ConfigMap/policy-CM.yaml +++ b/test/ConfigMap/policy-CM.yaml @@ -5,10 +5,11 @@ metadata : spec : rules: - name: pCM1 - resource: - kinds : - - ConfigMap - name: "game-config" + match: + resources: + kinds : + - ConfigMap + name: "game-config" mutate: overlay: data: 
@@ -25,10 +26,11 @@ spec : op : add value : newValue - name: pCM2 - resource: - kinds : - - ConfigMap - name: "game-config" + match: + resources: + kinds : + - ConfigMap + name: "game-config" mutate: patches: - path : "/data/secretData" @@ -37,10 +39,11 @@ spec : op : replace value : "data is replaced" - name: pCM3 - resource: - kinds : - - ConfigMap - name: "game-config" + match: + resources: + kinds : + - ConfigMap + name: "game-config" mutate: patches: - path : "/data/secretData" @@ -52,10 +55,11 @@ spec : data: game.properties: "*enemies=aliens*" - name: pCM4 - resource: - kinds : - - ConfigMap - name: "game-config" + match: + resources: + kinds : + - ConfigMap + name: "game-config" validate: message: "This CM data is broken because it does not have ui.properties" pattern: diff --git a/test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml b/test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml index fa4f831fff..5181a8ac59 100644 --- a/test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml +++ b/test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml @@ -5,12 +5,13 @@ metadata : spec: rules: - name: "copyCM" - resource : - kinds : - - Namespace - selector: - matchLabels: - LabelForSelector : "namespace2" + match: + resources: + kinds : + - Namespace + selector: + matchLabels: + LabelForSelector : "namespace2" generate : kind: ConfigMap name : copied-cm diff --git a/test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml b/test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml index dd19f398af..028211174a 100644 --- a/test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml +++ b/test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml 
@@ -10,12 +10,13 @@ metadata : spec : rules: - name: "patchNamespace2" - resource : - kinds : - - Namespace - selector: - matchLabels: - LabelForSelector : "namespace2" + match: + resources: + kinds : + - Namespace + selector: + matchLabels: + LabelForSelector : "namespace2" mutate: patches: - path: "/metadata/labels/isMutatedByPolicy" @@ -23,12 +24,13 @@ spec : value: "true" - name: "copyCM" - resource : - kinds : - - Namespace - selector: - matchLabels: - LabelForSelector : "namespace2" + match: + resources: + kinds : + - Namespace + selector: + matchLabels: + LabelForSelector : "namespace2" generate : kind: ConfigMap name : copied-cm @@ -37,12 +39,13 @@ spec : name : game-config - name: "generateCM" - resource : - kinds : - - Namespace - selector: - matchLabels: - LabelForSelector : "namespace2" + match: + resources: + kinds : + - Namespace + selector: + matchLabels: + LabelForSelector : "namespace2" generate : kind: ConfigMap name : generated-cm @@ -56,10 +59,11 @@ spec : rsa.public.key=42 - name: "generateSecret" - resource : - kinds : - - Namespace - name: ns2 + match: + resources: + kinds : + - Namespace + name: ns2 generate : kind: Secret name : generated-secrets @@ -73,10 +77,11 @@ spec : foo2=bar2 - name: "copySecret" - resource : - kinds : - - Namespace - name: ns2 + match: + resources: + kinds : + - Namespace + name: ns2 generate : kind: Secret name : copied-secrets diff --git a/test/CronJob/policy-cronjob-wldcrd.yaml b/test/CronJob/policy-cronjob-wldcrd.yaml index c19f7f2f07..88c2fab58a 100644 --- a/test/CronJob/policy-cronjob-wldcrd.yaml +++ b/test/CronJob/policy-cronjob-wldcrd.yaml @@ -5,10 +5,11 @@ metadata: spec: rules: - name: pCJ - resource: - kinds : - - CronJob - name: "?ell*" + match: + resources: + kinds : + - CronJob + name: "?ell*" mutate: patches: - path: "/metadata/labels/isMutated" diff --git a/test/DaemonSet/policy-daemonset.yaml b/test/DaemonSet/policy-daemonset.yaml index 63e41ef074..06006be9f8 100644 
--- a/test/DaemonSet/policy-daemonset.yaml +++ b/test/DaemonSet/policy-daemonset.yaml @@ -5,10 +5,11 @@ metadata: spec: rules: - name: "Patch and Volume validation" - resource: - kinds: - - DaemonSet - name: fluentd-elasticsearch + match: + resources: + kinds: + - DaemonSet + name: fluentd-elasticsearch mutate: patches: - path: "/metadata/labels/isMutated" diff --git a/test/Deployment/policy-deployment-any.yaml b/test/Deployment/policy-deployment-any.yaml index bca752014a..cd4af82adc 100644 --- a/test/Deployment/policy-deployment-any.yaml +++ b/test/Deployment/policy-deployment-any.yaml @@ -5,9 +5,10 @@ metadata : spec : rules: - name: "First policy v2" - resource: - kinds : - - Deployment + match: + resources: + kinds : + - Deployment mutate: patches: - path: /metadata/labels/isMutated @@ -16,7 +17,6 @@ spec : - path: /metadata/labels/app op: replace value: "nginx_is_mutated" - validate: message: "Because I like only mutated resources" pattern: diff --git a/test/Endpoint/policy-endpoints.yaml b/test/Endpoint/policy-endpoints.yaml index 93a0592442..7d60751712 100644 --- a/test/Endpoint/policy-endpoints.yaml +++ b/test/Endpoint/policy-endpoints.yaml @@ -5,12 +5,13 @@ metadata : spec : rules: - name: pEP - resource: - kinds : - - Endpoints - selector: - matchLabels: - label : test + match: + resources: + kinds : + - Endpoints + selector: + matchLabels: + label : test mutate: patches: - path : "/subsets/0/ports/0/port" diff --git a/test/HorizontalPodAutoscaler/policy-hpa.yaml b/test/HorizontalPodAutoscaler/policy-hpa.yaml index fbdad6b56f..6d68986e66 100644 --- a/test/HorizontalPodAutoscaler/policy-hpa.yaml +++ b/test/HorizontalPodAutoscaler/policy-hpa.yaml 
@@ -5,12 +5,13 @@ metadata: spec : rules: - name: hpa1 - resource: - kinds : - - HorizontalPodAutoscaler - selector: - matchLabels: - originalLabel: isHere + match: + resources: + kinds : + - HorizontalPodAutoscaler + selector: + matchLabels: + originalLabel: isHere mutate: patches: - path: "/metadata/labels/isMutated" diff --git a/test/Ingress/policy-ingress.yaml b/test/Ingress/policy-ingress.yaml index 99d757f82b..f5bf7a3e5d 100644 --- a/test/Ingress/policy-ingress.yaml +++ b/test/Ingress/policy-ingress.yaml @@ -5,12 +5,13 @@ metadata : spec : rules: - name: ingress1 - resource: - kinds : - - Ingress - selector: - matchLabels: - originalLabel: isHere + match: + resources: + kinds : + - Ingress + selector: + matchLabels: + originalLabel: isHere mutate: patches: - path: "/metadata/labels/isMutated" diff --git a/test/Job/policy-job.yaml b/test/Job/policy-job.yaml index ff9e9d5732..bc02c48cb7 100644 --- a/test/Job/policy-job.yaml +++ b/test/Job/policy-job.yaml @@ -5,10 +5,11 @@ metadata: spec : rules: - name: job2 - resource: - kinds: - - Job - name: pi + match: + resources: + kinds: + - Job + name: pi mutate: overlay: spec: @@ -20,10 +21,11 @@ spec : - containerPort: 80 protocol: TCP - name: job1 - resource: - kinds: - - Job - name: pi + match: + resources: + kinds: + - Job + name: pi mutate: overlay: metadata: diff --git a/test/LimitRange/policy-limitrange.yaml b/test/LimitRange/policy-limitrange.yaml index 7c56c47ca2..03d0a43084 100644 --- a/test/LimitRange/policy-limitrange.yaml +++ b/test/LimitRange/policy-limitrange.yaml @@ -5,12 +5,13 @@ metadata : spec : rules: - name: "rule" - resource: - kinds : - - LimitRange - selector: - matchLabels: - containerSize: minimal + match: + resources: + kinds : + - LimitRange + selector: + matchLabels: + containerSize: minimal mutate: patches: - path : "/spec/limits/0/default/memory" diff --git a/test/Namespace/policy-namespace.yaml b/test/Namespace/policy-namespace.yaml index 72e27c0e80..2d863ec5fb 100644 
--- a/test/Namespace/policy-namespace.yaml +++ b/test/Namespace/policy-namespace.yaml @@ -6,12 +6,13 @@ metadata : spec : rules: - name: ns1 - resource: - kinds : - - Namespace - selector: - matchLabels: - LabelForSelector : "namespace" + match: + resources: + kinds : + - Namespace + selector: + matchLabels: + LabelForSelector : "namespace" mutate: patches: - path: "/metadata/labels/replaced" diff --git a/test/NetworkPolicy/policy-network-policy.yaml b/test/NetworkPolicy/policy-network-policy.yaml index 3029a17a76..f1fc67381b 100644 --- a/test/NetworkPolicy/policy-network-policy.yaml +++ b/test/NetworkPolicy/policy-network-policy.yaml @@ -5,12 +5,13 @@ metadata: spec: rules: - name: np1 - resource: - kinds : - - NetworkPolicy - selector: - matchLabels: - originalLabel: isHere + match: + resources: + kinds : + - NetworkPolicy + selector: + matchLabels: + originalLabel: isHere mutate: patches: - path: "/metadata/labels/isMutated" diff --git a/test/PersistentVolumeClaim/policy-PVC.yaml b/test/PersistentVolumeClaim/policy-PVC.yaml index b8247b0b01..7020f1e504 100644 --- a/test/PersistentVolumeClaim/policy-PVC.yaml +++ b/test/PersistentVolumeClaim/policy-PVC.yaml @@ -5,11 +5,12 @@ metadata: spec: rules: - name: pvc1 - resource: - kinds : - - PersistentVolumeClaim - matchLabels: - originalLabel: isHere + match: + resources: + kinds : + - PersistentVolumeClaim + matchLabels: + originalLabel: isHere mutate: patches: - path: "/metadata/labels/originalLabel" diff --git a/test/PodDisruptionBudget/policy-pdb.yaml b/test/PodDisruptionBudget/policy-pdb.yaml index 74c48fcfe3..aeb9c7670c 100644 --- a/test/PodDisruptionBudget/policy-pdb.yaml +++ b/test/PodDisruptionBudget/policy-pdb.yaml @@ -5,10 +5,11 @@ metadata: spec: rules: - name: pdb1 - resource: - kinds : - - PodDisruptionBudget - name: "game-pdb" + match: + resources: + kinds : + - PodDisruptionBudget + name: "game-pdb" mutate: patches: - path: "/metadata/labels/isMutated" 
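Review bot: In the new `match.resources` block of test/PersistentVolumeClaim/policy-PVC.yaml, `matchLabels:` sits directly under `resources:` with no `selector:` parent, unlike every other policy in this patch, which nests it as `selector: matchLabels:`; if the schema only recognises `selector.matchLabels`, the `originalLabel: isHere` filter is dropped on decode and the mutate rule applies to every PersistentVolumeClaim. Insert `selector:` above `matchLabels:` and indent `matchLabels:` and `originalLabel: isHere` one level under it, matching test/StatefulSet/policy-StatefulSet.yaml.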
diff --git a/test/PodTemplate/policy-PodTemplate.yaml b/test/PodTemplate/policy-PodTemplate.yaml index 232be6c499..8dbaa12530 100644 --- a/test/PodTemplate/policy-PodTemplate.yaml +++ b/test/PodTemplate/policy-PodTemplate.yaml @@ -5,12 +5,13 @@ metadata: spec: rules: - name: podtemplate1 - resource: - kinds : - - PodTemplate - selector: - matchLabels: - originalLabel: isHere + match: + resources: + kinds : + - PodTemplate + selector: + matchLabels: + originalLabel: isHere mutate: overlay: template: diff --git a/test/ResourceQuota/policy-quota-validation.yaml b/test/ResourceQuota/policy-quota-validation.yaml index 2431f31a50..1b1ae0cdfe 100644 --- a/test/ResourceQuota/policy-quota-validation.yaml +++ b/test/ResourceQuota/policy-quota-validation.yaml @@ -5,12 +5,13 @@ metadata : spec : rules: - name: "rule1" - resource: - kinds : - - ResourceQuota - selector: - matchLabels: - quota: low + match: + resources: + kinds : + - ResourceQuota + selector: + matchLabels: + quota: low validate: message: "This RQ requests too many RAM" pattern: @@ -18,12 +19,13 @@ spec : hard: memory: "8Gi|12Gi" - name: "rule2" - resource: - kinds : - - ResourceQuota - selector: - matchLabels: - quota: low + match: + resources: + kinds : + - ResourceQuota + selector: + matchLabels: + quota: low validate: message: "This RQ requests too many CPUs" pattern: @@ -31,12 +33,13 @@ spec : hard: cpu: <3 - name: "rule3" - resource: - kinds : - - ResourceQuota - selector: - matchLabels: - quota: low + match: + resources: + kinds : + - ResourceQuota + selector: + matchLabels: + quota: low validate: message: "This RQ requests too many PODs" pattern: diff --git a/test/ResourceQuota/policy-quota.yaml b/test/ResourceQuota/policy-quota.yaml index 19f9730811..a26cddde57 100644 --- a/test/ResourceQuota/policy-quota.yaml +++ b/test/ResourceQuota/policy-quota.yaml 
@@ -5,12 +5,13 @@ metadata : spec : rules: - name: "rule" - resource: - kinds : - - ResourceQuota - selector: - matchLabels: - quota: low + match: + resources: + kinds : + - ResourceQuota + selector: + matchLabels: + quota: low mutate: patches: - path : "/spec/scopeSelector/matchExpressions/1" diff --git a/test/Secret/policy-secret.yaml b/test/Secret/policy-secret.yaml index f09b152e64..cdcf66d52a 100644 --- a/test/Secret/policy-secret.yaml +++ b/test/Secret/policy-secret.yaml @@ -5,10 +5,11 @@ metadata: spec: rules: - name: secret1 - resource: - kinds : - - Secret - name: "mysecret" + match: + resources: + kinds : + - Secret + name: "mysecret" mutate: patches: - path: "/metadata/labels/isMutated" diff --git a/test/SecurityContext/policy.yaml b/test/SecurityContext/policy.yaml index a86742886a..845edcef2c 100644 --- a/test/SecurityContext/policy.yaml +++ b/test/SecurityContext/policy.yaml @@ -5,12 +5,13 @@ metadata: spec: rules: - name: set-userID - resource: - kinds: - - Deployment - selector : - matchLabels: - app.type: prod + match: + resources: + kinds: + - Deployment + selector : + matchLabels: + app.type: prod mutate: overlay: spec: diff --git a/test/Service/policy-service.yaml b/test/Service/policy-service.yaml index 4cb99a1509..2e7e3fb51b 100644 --- a/test/Service/policy-service.yaml +++ b/test/Service/policy-service.yaml @@ -5,10 +5,11 @@ metadata : spec : rules: - name: ps1 - resource: - kinds: - - Service - name: "game-service*" + match: + resources: + kinds: + - Service + name: "game-service*" mutate: patches: - path: "/metadata/labels/isMutated" diff --git a/test/StatefulSet/policy-StatefulSet.yaml b/test/StatefulSet/policy-StatefulSet.yaml index 00b31b3225..30cba5fa18 100644 --- a/test/StatefulSet/policy-StatefulSet.yaml +++ b/test/StatefulSet/policy-StatefulSet.yaml 
@@ -5,12 +5,13 @@ metadata: spec: rules: - name: statefulset1 - resource: - kinds : - - StatefulSet - selector: - matchLabels: - originalLabel: isHere + match: + resources: + kinds : + - StatefulSet + selector: + matchLabels: + originalLabel: isHere mutate: patches: - path: "/spec/template/metadata/labels/isMutated" diff --git a/test/mix/policy.yaml b/test/mix/policy.yaml index 11266825c0..7ae2268081 100644 --- a/test/mix/policy.yaml +++ b/test/mix/policy.yaml @@ -5,12 +5,13 @@ metadata : spec : rules: - name: add-label - resource: - kinds : - - Deployment - selector : - matchLabels : - cli: test + match: + resources: + kinds : + - Deployment + selector : + matchLabels : + cli: test mutate: patches: - path: /metadata/labels/isMutated @@ -25,36 +26,39 @@ spec : - (image): "*nginx*" imagePullPolicy: "Always" - name: add-label2 - resource: - kinds : - - Deployment - selector : - matchLabels : - cli: test + match: + resources: + kinds : + - Deployment + selector : + matchLabels : + cli: test mutate: patches: - path: /metadata/labels/app1 op: replace value: "nginx_is_mutated" - name: add-label3 - resource: - kinds : - - Deployment - selector : - matchLabels : - cli: test + match: + resources: + kinds : + - Deployment + selector : + matchLabels : + cli: test mutate: patches: - path: /metadata/labels/app2 op: add value: "nginx_is_mutated2" - name: check-image - resource: - kinds : - - Deployment - selector : - matchLabels : - cli: test + match: + resources: + kinds : + - Deployment + selector : + matchLabels : + cli: test validate: message: "The imagePullPolicy must be Always when using image nginx" pattern: @@ -65,10 +69,11 @@ spec : - (image): "*nginx*" imagePullPolicy: "Always" - name: check-registries - resource: - kinds: - - Deployment - - StatefulSet + match: + resources: + kinds: + - Deployment + - StatefulSet validate: message: "Registry is not allowed" pattern: