
update axamples according to spec

This commit is contained in:
Anton Kostenko 2019-05-22 15:31:22 +03:00
parent cdffb89c38
commit 0e80e5110c
7 changed files with 82 additions and 61 deletions


@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-cpu-memory
@ -10,16 +10,18 @@ spec:
validate:
message: "Resource requests and limits are required for CPU and memory"
pattern:
spec:
containers:
- name: "*"
resources:
limits:
memory: "?"
cpu: "?"
requests:
memory: "?"
cpu: "?"
spec:
template:
spec:
containers:
- name: "*"
resources:
limits:
memory: "*"
cpu: "*"
requests:
memory: "*"
cpu: "*"
- name: check-memory-in-range
resource:
kind: Deployment
@ -27,10 +29,12 @@ spec:
message: "Memory request cannot be greater than 10Gi"
pattern:
spec:
containers:
- name: "*"
resources:
requests:
template:
spec:
containers:
- name: "*"
resources:
requests:
# If the value contains logical operator, the integer after it will be checked. No numeric characters will be a part of pattern.
# The OR operator can combine the patterns with logical expressions and text patterns.
memory: "<10Gi|<1024Mi"
memory: "<10Gi|<10240Mi"
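Review bot: Both rules walk only `spec.template.spec.containers`, so an init container with no `resources` block, or with an oversized memory request, passes untouched even though it can consume the same node resources as an app container. If absent pattern keys fail validation (the usual behaviour for this style of matcher, though the hunk does not show it), `initContainers` cannot just be appended to this pattern without rejecting every Deployment that has none; it needs its own rule, or a conditional anchor if the engine supports one, and the example should say so. The new `"*"` leaves are also satisfied by an empty value if `*` follows glob semantics, whereas the removed `"?"` at least demanded one character; `memory: "?*"` is the conventional way to require a non-empty value. Finally the bound `<10Gi|<10240Mi` enumerates only the Gi and Mi suffixes, and the comment above it leaves unclear whether `11G`, `1Ti` or a bare byte count is compared by unit or rejected outright, which a one-line comment such as `# only Gi/Mi spellings are accepted; other units are rejected by the textual match` would settle.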


@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-host-path


@ -1,16 +1,18 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: image-pull-policy
spec:
rules:
- name: image-pull-policy
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
resource:
kind: Deployment
overlay:
template:
validate: #overlay?
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
pattern:
spec:
containers:
- image: "(*:latest)" # select images which end with :latest
imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always"
template:
spec:
containers:
- (image): "*latest" # select images which end with :latest
imagePullPolicy: Always # ensure that the imagePullPolicy is "Always"
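Review bot: The anchor `(image): "*latest"` on the new side selects any image string that ends in `latest` (a repository named `foo-latest`, a tag `v2-latest`) while the most common `:latest` case, an untagged reference such as `nginx` that the runtime resolves to `:latest`, is never selected and so is never forced to `imagePullPolicy: Always`. Restoring the colon, `- (image): "*:latest"`, removes the over-match; the untagged case cannot be expressed as a suffix pattern and should at least be called out, e.g. `# images with no tag default to :latest at pull time but are not caught by this pattern`. The stray `validate: #overlay?` reads as an open question left in a published example and should be resolved or removed. As with the other examples, `initContainers` are not covered by this pattern.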


@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-host-path
@ -11,4 +11,4 @@ spec:
message: "Node port services are not allowed"
pattern:
spec:
type: "!NodePort"
type: "!=NodePort"
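Review bot: The context line `name: check-host-path` gives this NodePort policy the same `metadata.name` as the hostPath policy in the previous file; the Policy objects here carry no namespace and so look cluster-scoped, meaning applying both examples leaves only whichever was applied last and silently drops the other check. Renaming it to match the rule, e.g. `name: check-node-port`, avoids the collision. The `"!=NodePort"` operator change itself is fine; if the engine treats an absent `type` as a mismatch, a Service that omits `type` (defaulted to ClusterIP) would be rejected with a misleading message, which is worth a comment only if the API server's defaulting is not guaranteed to run before this policy.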


@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-probe-exists
@ -10,19 +10,25 @@ spec:
validate:
message: "a livenessProbe is required"
pattern:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: ?
- resource:
kind: Deployment
name: check-readiness-probe-exists
spec:
template:
spec:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: ">0"
- name: check-readiness-probe-exists
resource:
kind: StatefulSet
validate:
message: "a readinessProbe is required"
pattern:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ?
spec:
template:
spec:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ">0"
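Review bot: The `periodSeconds: ">0"` leaf in both rules turns "a probe is required" into "a probe with an explicit `periodSeconds` is required": Kubernetes accepts a probe without `periodSeconds` and defaults it to 10, so whether such a manifest passes depends on the API server having already defaulted the field when this policy evaluates it, which the example does not state. A comment such as `# periodSeconds is defaulted by the API server, so ">0" acts as a presence check for the probe itself` makes that reliance explicit; if the intent is genuinely to require the field in the manifest, the message should say so instead of "a livenessProbe is required". The messages and rule names otherwise read consistently with the readiness rule in the same file.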


@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-probe-intervals
@ -10,18 +10,25 @@ spec:
validate:
message: "livenessProbe must be > 10s"
pattern:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: ">10"
- resource:
spec:
template:
spec:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: ">10"
- name: check-probe-intervals
resource:
kind: Deployment
validate:
message: "readinessProbe must be > 10s"
pattern:
message: "readinessProbe must be > 10s"
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ">10"
spec:
template:
spec:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ">10"
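Review bot: The new rule name on `- name: check-probe-intervals` reuses the Policy's own name rather than describing the rule, while the sibling example names its second rule `check-readiness-probe-exists`; `- name: check-readiness-probe-interval` keeps the two files consistent and makes violation output attributable to the right rule. The first rule's name lies outside this hunk, so if it also uses the policy name the two rules become indistinguishable in reports. The message "readinessProbe must be > 10s" and the pattern `">10"` agree (10 is rejected, 11 passes), so nothing else in the hunk needs to change.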


@ -1,18 +1,20 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-whitelist-registries
spec:
rules:
- name: check-whitelist-registries
message: "Registry is not allowed"
resource:
kind: Deployment
validate:
message: "Registry is not allowed"
pattern:
template:
spec:
containers:
# Checks if the image path starts with "https://private.registry.io" OR "https://hub.docker.io/nirmata/*"
# If some property contains operator | as a normal part of its value, it should be escaped by backslash: "\|".
image: https://private.registry.io* | https://hub.docker.io/nirmata/*
spec:
template:
spec:
containers:
# Checks if the image path starts with "https://private.registry.io" OR "https://hub.docker.io/nirmata/*"
# If some property contains operator | as a normal part of its value, it should be escaped by backslash: "\|".
- name: "*"
image: "https://private.registry.io*|https://hub.docker.io/nirmata/*"
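Review bot: The allow-list pattern on the last line is not anchored at a path separator: `https://private.registry.io*` also admits `private.registry.io.attacker.net/img` and `private.registry.iox/img`, which defeats the purpose of a registry whitelist. Image references also never carry a URL scheme, and Docker Hub's registry host is `docker.io` (images arrive as `docker.io/nirmata/x` or the unqualified `nirmata/x`), so as written no real image matches either alternative; `image: "private.registry.io/*|docker.io/nirmata/*|nirmata/*"` expresses the intent, with the comment two lines up updated to match. Because the pattern only walks `containers`, an init container may still pull from any registry; that gap needs a separate rule or an explicit caveat in the example.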