
update policy yaml

This commit is contained in:
shivkumar dudhani 2019-07-25 14:57:44 -04:00
parent 7b942ec235
commit 073acbaa40
46 changed files with 406 additions and 341 deletions


@ -5,12 +5,13 @@ metadata :
spec : spec :
rules: rules:
- name: add-label - name: add-label
resource: match:
kinds : resources:
- Deployment kinds :
selector : - Deployment
matchLabels : selector :
cli: test matchLabels :
cli: test
mutate: mutate:
patches: patches:
- path: /metadata/labels/isMutated - path: /metadata/labels/isMutated
@ -20,12 +21,13 @@ spec :
op: replace op: replace
value: "nginx_is_mutated" value: "nginx_is_mutated"
- name: check-image - name: check-image
resource: match:
kinds : resources:
- Deployment kinds :
selector : - Deployment
matchLabels : selector :
cli: test matchLabels :
cli: test
validate: validate:
message: "The imagePullPolicy must be Always when using image nginx" message: "The imagePullPolicy must be Always when using image nginx"
pattern: pattern:


@ -5,15 +5,17 @@ metadata:
spec: spec:
rules: rules:
- name: image-pull-policy - name: image-pull-policy
resource: match:
kinds: resources:
- Deployment kinds:
# - StatefulSet - Deployment
# name: "my-deployment" exclude:
# selector : resources:
# matchLabels: name: nginx-deployment1
# app.type: prod selector :
# namespace: "my-namespace" matchLabels:
app: nginx1
namespace: "default"
mutate: mutate:
overlay: overlay:
spec: spec:
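Review bot: The new `exclude` block in image-pull-policy lists a `name`, a `selector` and a `namespace` together, and nothing in the hunk says whether a Deployment must satisfy all three or any one of them to be skipped, so the breadth of the exclusion — and therefore which Deployments still receive the imagePullPolicy overlay — depends on a rule the reader cannot see. The rendering also leaves it unclear whether `namespace: "default"` belongs under `exclude.resources` or beside `selector`. The commented-out lines that used to document the old `resource` fields are dropped here, so the new filter has no explanation at all; a one-line comment above the block such as `# exclude: name, selector and namespace are combined with AND (confirm against the match/exclude semantics)` would make the intent checkable, or the exclusion could be split into separate narrow entries.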


@ -5,11 +5,12 @@ metadata:
spec: spec:
rules: rules:
- name: check-registries - name: check-registries
resource: match:
kinds: resources:
- Deployment kinds:
- StatefulSet - Deployment
namespace: default - StatefulSet
namespace: default
validate: validate:
message: "Registry is not allowed" message: "Registry is not allowed"
pattern: pattern:


@ -5,22 +5,19 @@ metadata:
spec: spec:
rules: rules:
- name: "deny-ingress-traffic" - name: "deny-ingress-traffic"
resource: match:
kinds: resources:
- Namespace kinds:
name: "devtest" - Namespace
name: "devtest"
generate: generate:
kind: NetworkPolicy kind: NetworkPolicy
name: deny-ingress-traffic name: deny-ingress-traffic
data: data:
spec: spec:
podSelector: policyTypes:
matchLabels: {} - Ingress
matchExpressions: []
policyTypes:
- Ingress
metadata: metadata:
annotations: {}
labels: labels:
policyname: "default" policyname: "default"
# kind: ConfigMap # kind: ConfigMap
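Review bot: The generated NetworkPolicy in deny-ingress-traffic no longer carries a `podSelector`, only `policyTypes` with `Ingress`, yet `spec.podSelector` is the field that says which pods the deny applies to; the removed `podSelector: {}` was the explicit "every pod in the namespace" form, and `spec.podSelector` is a required field of the Kubernetes NetworkPolicySpec, so the generated object may be rejected by the API server unless something fills it in — confirm against the target cluster version. Keep `podSelector: {}` under `spec:` so the intent "deny ingress to all pods" stays explicit rather than relying on a default. Dropping `annotations: {}` is harmless.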


@ -5,12 +5,13 @@ metadata:
spec: spec:
rules: rules:
- name: validate-runAsNonRoot - name: validate-runAsNonRoot
resource: match:
kinds: resources:
- Deployment kinds:
selector : - Deployment
matchLabels: selector :
app.type: prod matchLabels:
app.type: prod
validate: validate:
message: "security context 'runAsNonRoot' shoud be set to true" message: "security context 'runAsNonRoot' shoud be set to true"
pattern: pattern:


@ -5,9 +5,10 @@ metadata :
spec: spec:
rules: rules:
- name: check-readinessProbe-exists - name: check-readinessProbe-exists
resource: match:
kinds : resources:
- Pod kinds :
- Pod
validate: validate:
message: "readinessProbe is required" message: "readinessProbe is required"
pattern: pattern:
@ -17,9 +18,10 @@ spec:
readinessProbe: readinessProbe:
successThreshold: ">1" successThreshold: ">1"
- name: check-livenessProbe-exists - name: check-livenessProbe-exists
resource: match:
kinds : resources:
- Pod kinds :
- Pod
validate: validate:
message: "livenessProbe is required" message: "livenessProbe is required"
pattern: pattern:


@ -3,12 +3,13 @@ kind: Policy
metadata: metadata:
name: policy-qos name: policy-qos
spec: spec:
validationFailureAction: "audit" # validationFailureAction: "audit"
rules: rules:
- name: add-memory-limit - name: add-memory-limit
resource: match:
kinds: resources:
- Deployment kinds:
- Deployment
mutate: mutate:
overlay: overlay:
spec: spec:
@ -21,10 +22,12 @@ spec:
limits: limits:
# add memory limit if it is not exist # add memory limit if it is not exist
"+(memory)": "300Mi" "+(memory)": "300Mi"
"+(cpu)": "100"
- name: check-cpu-memory-limits - name: check-cpu-memory-limits
resource: match:
kinds: resources:
- Deployment kinds:
- Deployment
validate: validate:
message: "Resource limits are required for CPU and memory" message: "Resource limits are required for CPU and memory"
pattern: pattern:
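Review bot: The new `"+(cpu)": "100"` under `limits` inserts a CPU limit of 100 whole cores whenever no limit exists, which on a typical node is unschedulable and reads as a typo for a millicore value such as `"100m"`; the memory entry beside it carries a unit (`"300Mi"`), so the CPU line stands out. In the same file `validationFailureAction: "audit"` is commented out rather than changed, so whichever default the controller applies now governs the check-cpu-memory-limits rule; if the aim is to enforce, set the value explicitly instead of leaving the old one as a dead comment. The rules list continues past the end of this section.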


@ -5,12 +5,13 @@ metadata:
spec: spec:
rules: rules:
- name: validate-user-privilege - name: validate-user-privilege
resource: match:
kinds: resources:
- Deployment kinds:
selector : - Deployment
matchLabels: selector :
app.type: prod matchLabels:
app.type: prod
validate: validate:
message: "validate container security contexts" message: "validate container security contexts"
pattern: pattern:


@ -5,12 +5,13 @@ metadata :
spec : spec :
rules: rules:
- name: "Basic clone config generator for all namespaces" - name: "Basic clone config generator for all namespaces"
resource: match:
kinds: resources:
- Namespace kinds:
selector: - Namespace
matchLabels: selector:
LabelForSelector : "namespace2" matchLabels:
LabelForSelector : "namespace2"
generate: generate:
kind: ConfigMap kind: ConfigMap
name: default-config name: default-config
@ -18,12 +19,13 @@ spec :
namespace: default namespace: default
name: config-template name: config-template
- name: "Basic config generator for all namespaces" - name: "Basic config generator for all namespaces"
resource: match:
kinds: resources:
- Namespace kinds:
selector: - Namespace
matchLabels: selector:
LabelForSelector : "namespace2" matchLabels:
LabelForSelector : "namespace2"
generate: generate:
kind: Secret kind: Secret
name: mongo-creds name: mongo-creds


@ -5,12 +5,13 @@ metadata:
spec: spec:
rules: rules:
- name: "copy-comfigmap" - name: "copy-comfigmap"
resource : match:
kinds : resources:
- Namespace kinds :
selector: - Namespace
matchLabels: selector:
LabelForSelector : "namespace2" matchLabels:
LabelForSelector : "namespace2"
generate : generate :
kind: ConfigMap kind: ConfigMap
name : copied-cm name : copied-cm
@ -18,12 +19,13 @@ spec:
namespace : default namespace : default
name : game-config name : game-config
- name: "zk-kafka-address" - name: "zk-kafka-address"
resource: match:
kinds: resources:
- Namespace kinds:
selector: - Namespace
matchExpressions: selector:
- {key: LabelForSelector, operator: In, values: [namespace2]} matchExpressions:
- {key: LabelForSelector, operator: In, values: [namespace2]}
generate: generate:
kind: ConfigMap kind: ConfigMap
name: zk-kafka-address name: zk-kafka-address


@ -5,10 +5,11 @@ metadata:
spec: spec:
rules: rules:
- name: "deny-all-traffic" - name: "deny-all-traffic"
resource: match:
kinds: resources:
- Namespace kinds:
name: "*" - Namespace
name: "*"
generate: generate:
kind: NetworkPolicy kind: NetworkPolicy
name: deny-all-traffic name: deny-all-traffic


@ -5,9 +5,10 @@ metadata:
spec: spec:
rules: rules:
- name: set-image-pull-policy - name: set-image-pull-policy
resource: match:
kinds: resources:
- Deployment kinds:
- Deployment
mutate: mutate:
overlay: overlay:
spec: spec:


@ -5,12 +5,13 @@ metadata :
spec : spec :
rules: rules:
- name: pEP - name: pEP
resource: match:
kinds : resources:
- Endpoints kinds :
selector: - Endpoints
matchLabels: selector:
label : test matchLabels:
label : test
mutate: mutate:
patches: patches:
- path : "/subsets/0/ports/0/port" - path : "/subsets/0/ports/0/port"


@ -5,9 +5,10 @@ metadata:
spec: spec:
rules: rules:
- name: check-defined - name: check-defined
resource: match:
kinds: resources:
- Deployment kinds:
- Deployment
validate: validate:
message: "Resource limits are required for CPU and memory" message: "Resource limits are required for CPU and memory"
pattern: pattern:
@ -22,9 +23,10 @@ spec:
cpu: "?*" cpu: "?*"
- name: check-cpu - name: check-cpu
resource: match:
kinds: resources:
- Deployment kinds:
- Deployment
validate: validate:
message: "CPU request should be less than 4" message: "CPU request should be less than 4"
pattern: pattern:


@ -5,9 +5,10 @@ metadata:
spec: spec:
rules: rules:
- name: check-host-path - name: check-host-path
resource: match:
kinds: resources:
- Pod kinds:
- Pod
validate: validate:
message: "Host path is not allowed" message: "Host path is not allowed"
pattern: pattern:


@ -5,9 +5,10 @@ metadata:
spec: spec:
rules: rules:
- name: image-pull-policy - name: image-pull-policy
resource: match:
kinds: resources:
- Deployment kinds:
- Deployment
validate: validate:
message: "Image tag ':latest' requires imagePullPolicy 'Always'" message: "Image tag ':latest' requires imagePullPolicy 'Always'"
pattern: pattern:


@ -5,14 +5,15 @@ metadata :
spec : spec :
rules: rules:
- name: check-memory_requests_link_in_yaml - name: check-memory_requests_link_in_yaml
resource: match:
# Kind specifies one or more resource types to match resources:
kinds: # Kind specifies one or more resource types to match
- Deployment kinds:
# Name is optional and can use wildcards - Deployment
name: "*" # Name is optional and can use wildcards
# Selector is optional name: "*"
selector: # Selector is optional
selector:
validate: validate:
pattern: pattern:
spec: spec:
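Review bot: The `selector:` key under `match.resources` in check-memory_requests_link_in_yaml has no value, which YAML parses as null rather than an empty selector, and the moved comment `# Selector is optional` invites the reader to assume the rule matches every Deployment; whether the controller treats a null selector as "no selector" or as a match failure is not visible here. Either drop the key or give it an explicit `matchLabels: {}` so the meaning does not depend on null handling. The same bare `selector:` appears in the next file (check-memory_requests_link_in_yaml_relative).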


@ -5,14 +5,15 @@ metadata :
spec : spec :
rules: rules:
- name: check-memory_requests_link_in_yaml_relative - name: check-memory_requests_link_in_yaml_relative
resource: match:
# Kind specifies one or more resource types to match resources:
kinds: # Kind specifies one or more resource types to match
- Deployment kinds:
# Name is optional and can use wildcards - Deployment
name: "*" # Name is optional and can use wildcards
# Selector is optional name: "*"
selector: # Selector is optional
selector:
validate: validate:
pattern: pattern:
spec: spec:


@ -5,9 +5,10 @@ metadata:
spec: spec:
rules: rules:
- name: check-node-port - name: check-node-port
resource: match:
kinds: resources:
- Service kinds:
- Service
validate: validate:
message: "NodePort type is not allowed" message: "NodePort type is not allowed"
pattern: pattern:


@ -5,11 +5,12 @@ metadata :
spec : spec :
rules: rules:
- name: check-non-root - name: check-non-root
resource: match:
kinds: resources:
- Deployment kinds:
- StatefuleSet - Deployment
- DaemonSet - StatefuleSet
- DaemonSet
validate: validate:
message: "Root user is not allowed" message: "Root user is not allowed"
pattern: pattern:
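Review bot: `StatefuleSet` in the kinds list of check-non-root is misspelled, so the root-user check never applies to StatefulSets while appearing to cover them; the commit moves the line under `match.resources` but keeps the typo. Change it to `- StatefulSet`. A kind that matches nothing raises no error, so this gap only surfaces when a StatefulSet running as root is admitted, which is why it is worth fixing in the same change that touches the line.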


@ -5,9 +5,10 @@ metadata :
spec: spec:
rules: rules:
- name: check-liveness-probe-exists - name: check-liveness-probe-exists
resource: match:
kinds : resources:
- StatefulSet kinds :
- StatefulSet
validate: validate:
message: "a livenessProbe is required" message: "a livenessProbe is required"
pattern: pattern:
@ -19,9 +20,10 @@ spec:
livenessProbe: livenessProbe:
periodSeconds: ">0" periodSeconds: ">0"
- name: check-readiness-probe-exists - name: check-readiness-probe-exists
resource: match:
kinds : resources:
- StatefulSet kinds :
- StatefulSet
validate: validate:
message: "a readinessProbe is required" message: "a readinessProbe is required"
pattern: pattern:


@ -5,9 +5,10 @@ metadata :
spec: spec:
rules: rules:
- name: check-probe-intervals - name: check-probe-intervals
resource: match:
kinds : resources:
- Deployment kinds :
- Deployment
validate: validate:
message: "livenessProbe must be > 10s" message: "livenessProbe must be > 10s"
pattern: pattern:
@ -19,9 +20,10 @@ spec:
livenessProbe: livenessProbe:
periodSeconds: ">10" periodSeconds: ">10"
- name: check-probe-intervals - name: check-probe-intervals
resource: match:
kinds : resources:
- Deployment kinds :
- Deployment
validate: validate:
message: "readinessProbe must be > 10s" message: "readinessProbe must be > 10s"
pattern: pattern:
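Review bot: Both rules in this file are named `check-probe-intervals`, and the commit restructures each without distinguishing them; with identical names the two validate rules cannot be told apart in reports or error messages, and tooling that keys on the rule name may treat one as shadowing the other. Rename them to match their messages, e.g. `- name: check-livenessProbe-intervals` for the first and `- name: check-readinessProbe-intervals` for the second. Whether the policy controller rejects duplicate rule names is not visible here.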


@ -5,10 +5,11 @@ metadata:
spec: spec:
rules: rules:
- name: check-registries - name: check-registries
resource: match:
kinds: resources:
- Deployment kinds:
- StatefulSet - Deployment
- StatefulSet
validate: validate:
message: "Registry is not allowed" message: "Registry is not allowed"
pattern: pattern:


@ -5,10 +5,11 @@ metadata :
spec : spec :
rules: rules:
- name: pCM1 - name: pCM1
resource: match:
kinds : resources:
- ConfigMap kinds :
name: "game-config" - ConfigMap
name: "game-config"
mutate: mutate:
overlay: overlay:
data: data:
@ -25,10 +26,11 @@ spec :
op : add op : add
value : newValue value : newValue
- name: pCM2 - name: pCM2
resource: match:
kinds : resources:
- ConfigMap kinds :
name: "game-config" - ConfigMap
name: "game-config"
mutate: mutate:
patches: patches:
- path : "/data/secretData" - path : "/data/secretData"
@ -37,10 +39,11 @@ spec :
op : replace op : replace
value : "data is replaced" value : "data is replaced"
- name: pCM3 - name: pCM3
resource: match:
kinds : resources:
- ConfigMap kinds :
name: "game-config" - ConfigMap
name: "game-config"
mutate: mutate:
patches: patches:
- path : "/data/secretData" - path : "/data/secretData"
@ -52,10 +55,11 @@ spec :
data: data:
game.properties: "*enemies=aliens*" game.properties: "*enemies=aliens*"
- name: pCM4 - name: pCM4
resource: match:
kinds : resources:
- ConfigMap kinds :
name: "game-config" - ConfigMap
name: "game-config"
validate: validate:
message: "This CM data is broken because it does not have ui.properties" message: "This CM data is broken because it does not have ui.properties"
pattern: pattern:


@ -5,12 +5,13 @@ metadata :
spec: spec:
rules: rules:
- name: "copyCM" - name: "copyCM"
resource : match:
kinds : resources:
- Namespace kinds :
selector: - Namespace
matchLabels: selector:
LabelForSelector : "namespace2" matchLabels:
LabelForSelector : "namespace2"
generate : generate :
kind: ConfigMap kind: ConfigMap
name : copied-cm name : copied-cm


@ -10,12 +10,13 @@ metadata :
spec : spec :
rules: rules:
- name: "patchNamespace2" - name: "patchNamespace2"
resource : match:
kinds : resources:
- Namespace kinds :
selector: - Namespace
matchLabels: selector:
LabelForSelector : "namespace2" matchLabels:
LabelForSelector : "namespace2"
mutate: mutate:
patches: patches:
- path: "/metadata/labels/isMutatedByPolicy" - path: "/metadata/labels/isMutatedByPolicy"
@ -23,12 +24,13 @@ spec :
value: "true" value: "true"
- name: "copyCM" - name: "copyCM"
resource : match:
kinds : resources:
- Namespace kinds :
selector: - Namespace
matchLabels: selector:
LabelForSelector : "namespace2" matchLabels:
LabelForSelector : "namespace2"
generate : generate :
kind: ConfigMap kind: ConfigMap
name : copied-cm name : copied-cm
@ -37,12 +39,13 @@ spec :
name : game-config name : game-config
- name: "generateCM" - name: "generateCM"
resource : match:
kinds : resources:
- Namespace kinds :
selector: - Namespace
matchLabels: selector:
LabelForSelector : "namespace2" matchLabels:
LabelForSelector : "namespace2"
generate : generate :
kind: ConfigMap kind: ConfigMap
name : generated-cm name : generated-cm
@ -56,10 +59,11 @@ spec :
rsa.public.key=42 rsa.public.key=42
- name: "generateSecret" - name: "generateSecret"
resource : match:
kinds : resources:
- Namespace kinds :
name: ns2 - Namespace
name: ns2
generate : generate :
kind: Secret kind: Secret
name : generated-secrets name : generated-secrets
@ -73,10 +77,11 @@ spec :
foo2=bar2 foo2=bar2
- name: "copySecret" - name: "copySecret"
resource : match:
kinds : resources:
- Namespace kinds :
name: ns2 - Namespace
name: ns2
generate : generate :
kind: Secret kind: Secret
name : copied-secrets name : copied-secrets


@ -5,10 +5,11 @@ metadata:
spec: spec:
rules: rules:
- name: pCJ - name: pCJ
resource: match:
kinds : resources:
- CronJob kinds :
name: "?ell*" - CronJob
name: "?ell*"
mutate: mutate:
patches: patches:
- path: "/metadata/labels/isMutated" - path: "/metadata/labels/isMutated"


@ -5,10 +5,11 @@ metadata:
spec: spec:
rules: rules:
- name: "Patch and Volume validation" - name: "Patch and Volume validation"
resource: match:
kinds: resources:
- DaemonSet kinds:
name: fluentd-elasticsearch - DaemonSet
name: fluentd-elasticsearch
mutate: mutate:
patches: patches:
- path: "/metadata/labels/isMutated" - path: "/metadata/labels/isMutated"


@ -5,9 +5,10 @@ metadata :
spec : spec :
rules: rules:
- name: "First policy v2" - name: "First policy v2"
resource: match:
kinds : resources:
- Deployment kinds :
- Deployment
mutate: mutate:
patches: patches:
- path: /metadata/labels/isMutated - path: /metadata/labels/isMutated
@ -16,7 +17,6 @@ spec :
- path: /metadata/labels/app - path: /metadata/labels/app
op: replace op: replace
value: "nginx_is_mutated" value: "nginx_is_mutated"
validate: validate:
message: "Because I like only mutated resources" message: "Because I like only mutated resources"
pattern: pattern:


@ -5,12 +5,13 @@ metadata :
spec : spec :
rules: rules:
- name: pEP - name: pEP
resource: match:
kinds : resources:
- Endpoints kinds :
selector: - Endpoints
matchLabels: selector:
label : test matchLabels:
label : test
mutate: mutate:
patches: patches:
- path : "/subsets/0/ports/0/port" - path : "/subsets/0/ports/0/port"


@ -5,12 +5,13 @@ metadata:
spec : spec :
rules: rules:
- name: hpa1 - name: hpa1
resource: match:
kinds : resources:
- HorizontalPodAutoscaler kinds :
selector: - HorizontalPodAutoscaler
matchLabels: selector:
originalLabel: isHere matchLabels:
originalLabel: isHere
mutate: mutate:
patches: patches:
- path: "/metadata/labels/isMutated" - path: "/metadata/labels/isMutated"


@ -5,12 +5,13 @@ metadata :
spec : spec :
rules: rules:
- name: ingress1 - name: ingress1
resource: match:
kinds : resources:
- Ingress kinds :
selector: - Ingress
matchLabels: selector:
originalLabel: isHere matchLabels:
originalLabel: isHere
mutate: mutate:
patches: patches:
- path: "/metadata/labels/isMutated" - path: "/metadata/labels/isMutated"


@ -5,10 +5,11 @@ metadata:
spec : spec :
rules: rules:
- name: job2 - name: job2
resource: match:
kinds: resources:
- Job kinds:
name: pi - Job
name: pi
mutate: mutate:
overlay: overlay:
spec: spec:
@ -20,10 +21,11 @@ spec :
- containerPort: 80 - containerPort: 80
protocol: TCP protocol: TCP
- name: job1 - name: job1
resource: match:
kinds: resources:
- Job kinds:
name: pi - Job
name: pi
mutate: mutate:
overlay: overlay:
metadata: metadata:


@ -5,12 +5,13 @@ metadata :
spec : spec :
rules: rules:
- name: "rule" - name: "rule"
resource: match:
kinds : resources:
- LimitRange kinds :
selector: - LimitRange
matchLabels: selector:
containerSize: minimal matchLabels:
containerSize: minimal
mutate: mutate:
patches: patches:
- path : "/spec/limits/0/default/memory" - path : "/spec/limits/0/default/memory"


@ -6,12 +6,13 @@ metadata :
spec : spec :
rules: rules:
- name: ns1 - name: ns1
resource: match:
kinds : resources:
- Namespace kinds :
selector: - Namespace
matchLabels: selector:
LabelForSelector : "namespace" matchLabels:
LabelForSelector : "namespace"
mutate: mutate:
patches: patches:
- path: "/metadata/labels/replaced" - path: "/metadata/labels/replaced"


@ -5,12 +5,13 @@ metadata:
spec: spec:
rules: rules:
- name: np1 - name: np1
resource: match:
kinds : resources:
- NetworkPolicy kinds :
selector: - NetworkPolicy
matchLabels: selector:
originalLabel: isHere matchLabels:
originalLabel: isHere
mutate: mutate:
patches: patches:
- path: "/metadata/labels/isMutated" - path: "/metadata/labels/isMutated"


@ -5,11 +5,12 @@ metadata:
spec: spec:
rules: rules:
- name: pvc1 - name: pvc1
resource: match:
kinds : resources:
- PersistentVolumeClaim kinds :
matchLabels: - PersistentVolumeClaim
originalLabel: isHere matchLabels:
originalLabel: isHere
mutate: mutate:
patches: patches:
- path: "/metadata/labels/originalLabel" - path: "/metadata/labels/originalLabel"
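Review bot: In pvc1 the `matchLabels:` block sits directly under `match.resources` with no enclosing `selector:`, unlike every other file in this commit where `matchLabels` is nested under `selector`; if the schema only reads `selector.matchLabels`, the label filter is ignored and the mutation is applied to every PersistentVolumeClaim. Add the missing level: `selector:` at the same indent as `kinds`, with `matchLabels:` and `originalLabel: isHere` indented one step each beneath it. The patches list continues past the end of this section.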


@ -5,10 +5,11 @@ metadata:
spec: spec:
rules: rules:
- name: pdb1 - name: pdb1
resource: match:
kinds : resources:
- PodDisruptionBudget kinds :
name: "game-pdb" - PodDisruptionBudget
name: "game-pdb"
mutate: mutate:
patches: patches:
- path: "/metadata/labels/isMutated" - path: "/metadata/labels/isMutated"


@ -5,12 +5,13 @@ metadata:
spec: spec:
rules: rules:
- name: podtemplate1 - name: podtemplate1
resource: match:
kinds : resources:
- PodTemplate kinds :
selector: - PodTemplate
matchLabels: selector:
originalLabel: isHere matchLabels:
originalLabel: isHere
mutate: mutate:
overlay: overlay:
template: template:


@ -5,12 +5,13 @@ metadata :
spec : spec :
rules: rules:
- name: "rule1" - name: "rule1"
resource: match:
kinds : resources:
- ResourceQuota kinds :
selector: - ResourceQuota
matchLabels: selector:
quota: low matchLabels:
quota: low
validate: validate:
message: "This RQ requests too many RAM" message: "This RQ requests too many RAM"
pattern: pattern:
@ -18,12 +19,13 @@ spec :
hard: hard:
memory: "8Gi|12Gi" memory: "8Gi|12Gi"
- name: "rule2" - name: "rule2"
resource: match:
kinds : resources:
- ResourceQuota kinds :
selector: - ResourceQuota
matchLabels: selector:
quota: low matchLabels:
quota: low
validate: validate:
message: "This RQ requests too many CPUs" message: "This RQ requests too many CPUs"
pattern: pattern:
@ -31,12 +33,13 @@ spec :
hard: hard:
cpu: <3 cpu: <3
- name: "rule3" - name: "rule3"
resource: match:
kinds : resources:
- ResourceQuota kinds :
selector: - ResourceQuota
matchLabels: selector:
quota: low matchLabels:
quota: low
validate: validate:
message: "This RQ requests too many PODs" message: "This RQ requests too many PODs"
pattern: pattern:


@ -5,12 +5,13 @@ metadata :
spec : spec :
rules: rules:
- name: "rule" - name: "rule"
resource: match:
kinds : resources:
- ResourceQuota kinds :
selector: - ResourceQuota
matchLabels: selector:
quota: low matchLabels:
quota: low
mutate: mutate:
patches: patches:
- path : "/spec/scopeSelector/matchExpressions/1" - path : "/spec/scopeSelector/matchExpressions/1"


@ -5,10 +5,11 @@ metadata:
spec: spec:
rules: rules:
- name: secret1 - name: secret1
resource: match:
kinds : resources:
- Secret kinds :
name: "mysecret" - Secret
name: "mysecret"
mutate: mutate:
patches: patches:
- path: "/metadata/labels/isMutated" - path: "/metadata/labels/isMutated"


@ -5,12 +5,13 @@ metadata:
spec: spec:
rules: rules:
- name: set-userID - name: set-userID
resource: match:
kinds: resources:
- Deployment kinds:
selector : - Deployment
matchLabels: selector :
app.type: prod matchLabels:
app.type: prod
mutate: mutate:
overlay: overlay:
spec: spec:


@ -5,10 +5,11 @@ metadata :
spec : spec :
rules: rules:
- name: ps1 - name: ps1
resource: match:
kinds: resources:
- Service kinds:
name: "game-service*" - Service
name: "game-service*"
mutate: mutate:
patches: patches:
- path: "/metadata/labels/isMutated" - path: "/metadata/labels/isMutated"


@ -5,12 +5,13 @@ metadata:
spec: spec:
rules: rules:
- name: statefulset1 - name: statefulset1
resource: match:
kinds : resources:
- StatefulSet kinds :
selector: - StatefulSet
matchLabels: selector:
originalLabel: isHere matchLabels:
originalLabel: isHere
mutate: mutate:
patches: patches:
- path: "/spec/template/metadata/labels/isMutated" - path: "/spec/template/metadata/labels/isMutated"


@ -5,12 +5,13 @@ metadata :
spec : spec :
rules: rules:
- name: add-label - name: add-label
resource: match:
kinds : resources:
- Deployment kinds :
selector : - Deployment
matchLabels : selector :
cli: test matchLabels :
cli: test
mutate: mutate:
patches: patches:
- path: /metadata/labels/isMutated - path: /metadata/labels/isMutated
@ -25,36 +26,39 @@ spec :
- (image): "*nginx*" - (image): "*nginx*"
imagePullPolicy: "Always" imagePullPolicy: "Always"
- name: add-label2 - name: add-label2
resource: match:
kinds : resources:
- Deployment kinds :
selector : - Deployment
matchLabels : selector :
cli: test matchLabels :
cli: test
mutate: mutate:
patches: patches:
- path: /metadata/labels/app1 - path: /metadata/labels/app1
op: replace op: replace
value: "nginx_is_mutated" value: "nginx_is_mutated"
- name: add-label3 - name: add-label3
resource: match:
kinds : resources:
- Deployment kinds :
selector : - Deployment
matchLabels : selector :
cli: test matchLabels :
cli: test
mutate: mutate:
patches: patches:
- path: /metadata/labels/app2 - path: /metadata/labels/app2
op: add op: add
value: "nginx_is_mutated2" value: "nginx_is_mutated2"
- name: check-image - name: check-image
resource: match:
kinds : resources:
- Deployment kinds :
selector : - Deployment
matchLabels : selector :
cli: test matchLabels :
cli: test
validate: validate:
message: "The imagePullPolicy must be Always when using image nginx" message: "The imagePullPolicy must be Always when using image nginx"
pattern: pattern:
@ -65,10 +69,11 @@ spec :
- (image): "*nginx*" - (image): "*nginx*"
imagePullPolicy: "Always" imagePullPolicy: "Always"
- name: check-registries - name: check-registries
resource: match:
kinds: resources:
- Deployment kinds:
- StatefulSet - Deployment
- StatefulSet
validate: validate:
message: "Registry is not allowed" message: "Registry is not allowed"
pattern: pattern: