- move prior examples to 'test' and add new validation examples

examples/Validate/check_cpu_memory.yaml

@@ -0,0 +1,36 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-cpu-memory
+spec:
+  rules:
+  - name: check-defined
+    resource:
+      kind: Deployment
+    validate:
+      message: "Resource requests and limits are required for CPU and memory"
+      pattern:
+      spec:
+        containers:
+        - name: "*"
+          resources:
+            limits:
+              memory: "?"
+              cpu: "?"
+            requests:
+              memory: "?"
+              cpu: "?"
+  - name: check-memory-in-range
+    resource:
+      kind: Deployment
+    validate:
+      message: "Memory request cannot be greater than 10Gi"
+      pattern:
+        spec:
+          containers:
+          - name: "*"
+            resources:
+              requests:
+                # If the value contains logical operator, the integer after it will be checked. No numeric characters will be a part of pattern.
+                # The OR operator can combine the patterns with logical expressions and text patterns.
+                memory: "<10Gi|<1024Mi"

examples/Validate/check_hostpath.yaml

@@ -0,0 +1,15 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-host-path
+spec:
+  rules:
+  - name: check-host-path
+    resource:
+      kind: Pod
+    validate:
+      message: "Host path volumes are not allowed"
+      pattern:
+        volumes:
+        - name: "*"
+          hostPath: null

examples/Validate/check_image_version.yaml

@@ -0,0 +1,17 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: whitelist-registries
+spec:
+  rules:
+  - name: check-whitelist-registries
+    message: "Registry is not allowed"
+    resource:
+      kind: Deployment
+    validate:
+      pattern:
+        template:
+          spec:
+            containers:              
+              - image: "(*:latest)"       # select images which end with :latest            
+                imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always"

examples/Validate/check_nodeport.yaml

@@ -0,0 +1,14 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-host-path
+spec:
+  rules:
+  - name: check-host-path
+    resource:
+      kind: Service
+    validate:
+      message: "Node port services are not allowed"
+      pattern:
+        spec:
+          type: "!NodePort"

examples/Validate/check_probe_exists.yaml

@@ -0,0 +1,28 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-probe-exists
+spec:
+  rules:
+  - name: check-liveness-probe-exists
+    resource:
+      kind: StatefulSet
+    validate:
+      message: "a livenessProbe is required"
+      pattern:
+        containers:
+          # In this case every object in containers list will be checked for pattern
+          - name: "*"
+            livenessProbe:
+              periodSeconds: ?
+  - resource:
+      kind: Deployment
+    name: check-readiness-probe-exists
+    validate:
+      message: "a readinessProbe is required"
+      pattern:
+        containers:
+          # In this case every object in containers list will be checked for pattern
+          - name: "*"
+            readinessProbe:
+              periodSeconds: ?

examples/Validate/check_probe_intervals.yaml

@@ -0,0 +1,27 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-probe-intervals
+spec:
+  rules:
+  - name: check-probe-intervals
+    resource:
+      kind: Deployment
+    validate:
+      message: "livenessProbe must be > 10s"
+      pattern:
+        containers:
+          # In this case every object in containers list will be checked for pattern
+          - name: "*"
+            livenessProbe:
+              periodSeconds: ">10"
+  - resource:
+      kind: Deployment
+    validate:
+      pattern:
+        message: "readinessProbe must be > 10s"    
+        containers:
+          # In this case every object in containers list will be checked for pattern
+          - name: "*"
+            readinessProbe:
+              periodSeconds: ">10"

examples/Validate/check_whitelist_registries.yaml

@@ -0,0 +1,18 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-whitelist-registries
+spec:
+  rules:
+  - name: check-whitelist-registries
+    message: "Registry is not allowed"
+    resource:
+      kind: Deployment
+    validate:
+      pattern:
+        template:
+          spec:
+            containers:
+              # Checks if the image path starts with "https://private.registry.io" OR "https://hub.docker.io/nirmata/*"
+              # If some property contains operator | as a normal part of its value, it should be escaped by backslash: "\|".
+              image: https://private.registry.io* | https://hub.docker.io/nirmata/*