From 0f7de18476265a37829d00f87e28a38c77a02035 Mon Sep 17 00:00:00 2001 
From: shivkumar dudhani Date: Wed, 9 Oct 2019 21:06:49 -0700 Subject: [PATCH] examples cleanup: move policies --- .../policy_validate_selinux_context.yaml | 3 +- examples/test/p1.yaml | 28 ------------------- {examples => test/cli}/cli/ghost.yaml | 0 {examples => test/cli}/cli/nginx.yaml | 0 {examples => test/cli}/cli/p1.yaml | 0 .../cli}/cli/policy_deployment.yaml | 0 {examples => test/cli}/cli/pv1.yaml | 0 .../policy_generate_networkPolicy.yaml | 0 .../scenarios}/policy_mutate_endpoint.yaml | 0 .../policy_mutate_imagePullPolicy.yaml | 0 .../policy_mutate_validate_qos.yaml | 0 ...icy_validate_containerSecurityContext.yaml | 0 .../policy_validate_healthChecks.yaml | 0 .../policy_validate_imageRegistries.yaml | 0 .../policy_validate_nonRootUser.yaml | 0 .../query/policy_validate_loadblancer.yaml | 16 +++++++++++ .../query/policy_validate_no_loadblancer.yaml | 16 +++++++++++ test/scenarios/query/resource_lb1.yaml | 12 ++++++++ test/scenarios/query/resource_lb2.yaml | 12 ++++++++ test/scenarios/query/resource_ns_test.yaml | 4 +++ .../resource_generate_networkPolicy.yaml | 0 .../resources/resource_mutate_endpoint.yaml | 0 .../resource_mutate_imagePullPolicy.yaml | 0 .../resource_mutate_validate_qos.yaml | 0 ...rce_validate_containerSecurityContext.yaml | 0 .../resource_validate_healthChecks.yaml | 0 .../resource_validate_imageRegistries.yaml | 0 .../resource_validate_nonRootUser.yaml | 0 .../test/scenario_mutate_endPpoint.yaml | 4 +-- .../test/scenario_mutate_imagePullPolicy.yaml | 4 +-- .../test/scenario_mutate_validate_qos.yaml | 4 +-- .../test/scenario_query_lb_count.yaml | 20 +++++++++++++ test/scenarios/test/scenario_query_no_lb.yaml | 20 +++++++++++++ ...rio_validate_containerSecurityContext.yaml | 4 +-- .../test/scenario_validate_healthChecks.yaml | 4 +-- .../scenario_validate_imageRegistries.yaml | 4 +-- .../validate/check_cpu_memory.yaml | 0 .../validate/check_hostpath.yaml | 0 .../validate/check_image_version.yaml | 0 .../check_memory_requests_same_yaml.yaml 
| 0 ...ck_memory_requests_same_yaml_relative.yaml | 0 .../validate/check_nodeport.yaml | 0 .../validate/check_not_root.yaml | 0 .../validate/check_probe_exists.yaml | 0 .../validate/check_probe_intervals.yaml | 0 .../validate/check_registries.yaml | 0 46 files changed, 114 insertions(+), 41 deletions(-) delete mode 100644 examples/test/p1.yaml rename {examples => test/cli}/cli/ghost.yaml (100%) rename {examples => test/cli}/cli/nginx.yaml (100%) rename {examples => test/cli}/cli/p1.yaml (100%) rename {examples => test/cli}/cli/policy_deployment.yaml (100%) rename {examples => test/cli}/cli/pv1.yaml (100%) rename {examples => test/scenarios}/policy_generate_networkPolicy.yaml (100%) rename {examples => test/scenarios}/policy_mutate_endpoint.yaml (100%) rename {examples => test/scenarios}/policy_mutate_imagePullPolicy.yaml (100%) rename {examples => test/scenarios}/policy_mutate_validate_qos.yaml (100%) rename {examples => test/scenarios}/policy_validate_containerSecurityContext.yaml (100%) rename {examples => test/scenarios}/policy_validate_healthChecks.yaml (100%) rename {examples => test/scenarios}/policy_validate_imageRegistries.yaml (100%) rename {examples => test/scenarios}/policy_validate_nonRootUser.yaml (100%) create mode 100644 test/scenarios/query/policy_validate_loadblancer.yaml create mode 100644 test/scenarios/query/policy_validate_no_loadblancer.yaml create mode 100644 test/scenarios/query/resource_lb1.yaml create mode 100644 test/scenarios/query/resource_lb2.yaml create mode 100644 test/scenarios/query/resource_ns_test.yaml rename {examples => test/scenarios}/resources/resource_generate_networkPolicy.yaml (100%) rename {examples => test/scenarios}/resources/resource_mutate_endpoint.yaml (100%) rename {examples => test/scenarios}/resources/resource_mutate_imagePullPolicy.yaml (100%) rename {examples => test/scenarios}/resources/resource_mutate_validate_qos.yaml (100%) rename {examples => 
test/scenarios}/resources/resource_validate_containerSecurityContext.yaml (100%) rename {examples => test/scenarios}/resources/resource_validate_healthChecks.yaml (100%) rename {examples => test/scenarios}/resources/resource_validate_imageRegistries.yaml (100%) rename {examples => test/scenarios}/resources/resource_validate_nonRootUser.yaml (100%) create mode 100644 test/scenarios/test/scenario_query_lb_count.yaml create mode 100644 test/scenarios/test/scenario_query_no_lb.yaml rename {examples => test}/validate/check_cpu_memory.yaml (100%) rename {examples => test}/validate/check_hostpath.yaml (100%) rename {examples => test}/validate/check_image_version.yaml (100%) rename {examples => test}/validate/check_memory_requests_same_yaml.yaml (100%) rename {examples => test}/validate/check_memory_requests_same_yaml_relative.yaml (100%) rename {examples => test}/validate/check_nodeport.yaml (100%) rename {examples => test}/validate/check_not_root.yaml (100%) rename {examples => test}/validate/check_probe_exists.yaml (100%) rename {examples => test}/validate/check_probe_intervals.yaml (100%) rename {examples => test}/validate/check_registries.yaml (100%) diff --git a/examples/best_practices/policy_validate_selinux_context.yaml b/examples/best_practices/policy_validate_selinux_context.yaml index 19aba13193..f135a5007a 100644 --- a/examples/best_practices/policy_validate_selinux_context.yaml +++ b/examples/best_practices/policy_validate_selinux_context.yaml @@ -17,6 +17,7 @@ spec: containers: - securityContext: seLinuxOptions: - level: "s0:c25,c968" + level: "*" +# level: "s0:c25,c968" # If SELinux security module is loaded on the host operating system, # we can make sure pods only have access to specified configured level \ No newline at end of file diff --git a/examples/test/p1.yaml b/examples/test/p1.yaml deleted file mode 100644 index 76c0b73197..0000000000 --- a/examples/test/p1.yaml +++ /dev/null 
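Review bot: The new `level: "*"` in the selinux hunk accepts any value for `seLinuxOptions.level` as far as the pattern syntax shows, yet the two context lines below it still claim the policy makes sure pods "only have access to specified configured level"; the comment no longer describes what the pattern enforces. Either keep the explicit level as the enforced example or reword the comment, e.g. `# '*' only requires that a level is set; use an explicit level such as "s0:c25,c968" to pin pods to one configured level`. The bare commented-out `# level: "s0:c25,c968"` with no explanation reads as leftover rather than guidance, so folding it into that comment would be clearer.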
@@ -1,28 +0,0 @@ -apiVersion: kyverno.io/v1alpha1 -kind: Policy -metadata: - name: check-resources -spec: - validationFailureAction: "audit" - rules: - - name: check-pod-resources - match: - resources: - kinds: - - Pod - validate: - message: "CPU and memory resource requests and limits are required" - pattern: - spec: - containers: - # 'name: *' selects all containers in the pod - - name: "*" - resources: - requests: - # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters. - # Using them together e.g. '?*' requires at least one character. - memory: "?*" - cpu: "?*" - limits: - memory: "?*" - cpu: "?*" \ No newline at end of file diff --git a/examples/cli/ghost.yaml b/test/cli/cli/ghost.yaml similarity index 100% rename from examples/cli/ghost.yaml rename to test/cli/cli/ghost.yaml diff --git a/examples/cli/nginx.yaml b/test/cli/cli/nginx.yaml similarity index 100% rename from examples/cli/nginx.yaml rename to test/cli/cli/nginx.yaml diff --git a/examples/cli/p1.yaml b/test/cli/cli/p1.yaml similarity index 100% rename from examples/cli/p1.yaml rename to test/cli/cli/p1.yaml diff --git a/examples/cli/policy_deployment.yaml b/test/cli/cli/policy_deployment.yaml similarity index 100% rename from examples/cli/policy_deployment.yaml rename to test/cli/cli/policy_deployment.yaml diff --git a/examples/cli/pv1.yaml b/test/cli/cli/pv1.yaml similarity index 100% rename from examples/cli/pv1.yaml rename to test/cli/cli/pv1.yaml diff --git a/examples/policy_generate_networkPolicy.yaml b/test/scenarios/policy_generate_networkPolicy.yaml similarity index 100% rename from examples/policy_generate_networkPolicy.yaml rename to test/scenarios/policy_generate_networkPolicy.yaml diff --git a/examples/policy_mutate_endpoint.yaml b/test/scenarios/policy_mutate_endpoint.yaml similarity index 100% rename from examples/policy_mutate_endpoint.yaml rename to test/scenarios/policy_mutate_endpoint.yaml 
diff --git a/examples/policy_mutate_imagePullPolicy.yaml b/test/scenarios/policy_mutate_imagePullPolicy.yaml
similarity index 100%
rename from examples/policy_mutate_imagePullPolicy.yaml
rename to test/scenarios/policy_mutate_imagePullPolicy.yaml
diff --git a/examples/policy_mutate_validate_qos.yaml b/test/scenarios/policy_mutate_validate_qos.yaml
similarity index 100%
rename from examples/policy_mutate_validate_qos.yaml
rename to test/scenarios/policy_mutate_validate_qos.yaml
diff --git a/examples/policy_validate_containerSecurityContext.yaml b/test/scenarios/policy_validate_containerSecurityContext.yaml
similarity index 100%
rename from examples/policy_validate_containerSecurityContext.yaml
rename to test/scenarios/policy_validate_containerSecurityContext.yaml
diff --git a/examples/policy_validate_healthChecks.yaml b/test/scenarios/policy_validate_healthChecks.yaml
similarity index 100%
rename from examples/policy_validate_healthChecks.yaml
rename to test/scenarios/policy_validate_healthChecks.yaml
diff --git a/examples/policy_validate_imageRegistries.yaml b/test/scenarios/policy_validate_imageRegistries.yaml
similarity index 100%
rename from examples/policy_validate_imageRegistries.yaml
rename to test/scenarios/policy_validate_imageRegistries.yaml
diff --git a/examples/policy_validate_nonRootUser.yaml b/test/scenarios/policy_validate_nonRootUser.yaml
similarity index 100%
rename from examples/policy_validate_nonRootUser.yaml
rename to test/scenarios/policy_validate_nonRootUser.yaml
diff --git a/test/scenarios/query/policy_validate_loadblancer.yaml b/test/scenarios/query/policy_validate_loadblancer.yaml
new file mode 100644
index 0000000000..ec768316e5
--- /dev/null
+++ b/test/scenarios/query/policy_validate_loadblancer.yaml
@@ -0,0 +1,16 @@ +apiVersion : kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: query1 +spec: + rules: + - name: Max one service of type LoadBalancer in namespace test + match: + resources: + kinds: + - Service + namespaces: + - test + query: + query: "length([?spec.type=='LoadBalancer'])" + expectedResult: "<=1" \ No newline at end of file diff --git a/test/scenarios/query/policy_validate_no_loadblancer.yaml b/test/scenarios/query/policy_validate_no_loadblancer.yaml new file mode 100644 index 0000000000..76d6892032 --- /dev/null +++ b/test/scenarios/query/policy_validate_no_loadblancer.yaml @@ -0,0 +1,16 @@ +apiVersion : kyverno.io/v1alpha1 +kind: ClusterPolicy +metadata: + name: query1 +spec: + rules: + - name: No service of type LoadBalancer in namespace test + match: + resources: + kinds: + - Service + namespaces: + - test + query: + query: "length([?spec.type=='LoadBalancer'])" + expectedResult: 0 \ No newline at end of file diff --git a/test/scenarios/query/resource_lb1.yaml b/test/scenarios/query/resource_lb1.yaml new file mode 100644 index 0000000000..479d6be8c5 --- /dev/null +++ b/test/scenarios/query/resource_lb1.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: lb1 + namespace: test +spec: + selector: + app: app + ports: + - port: 8765 # random + targetPort: 9376 # random + type: LoadBalancer \ No newline at end of file diff --git a/test/scenarios/query/resource_lb2.yaml b/test/scenarios/query/resource_lb2.yaml new file mode 100644 index 0000000000..2a11fa7f6e --- /dev/null +++ b/test/scenarios/query/resource_lb2.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: lb2 + namespace: test +spec: + selector: + app: app + ports: + - port: 8765 # random + targetPort: 9376 # random + type: LoadBalancer \ No newline at end of file diff --git a/test/scenarios/query/resource_ns_test.yaml b/test/scenarios/query/resource_ns_test.yaml new file mode 100644 index 0000000000..2c9b266c72 --- /dev/null 
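Review bot: Both new ClusterPolicies in this hunk and the next (`policy_validate_loadblancer.yaml` and `policy_validate_no_loadblancer.yaml`) carry `metadata.name: query1`, so they cannot coexist in one cluster and the scenarios' `policy: query1` expectation cannot tell them apart; distinct names such as `name: max-one-loadbalancer` and `name: no-loadbalancer` would make the fixtures self-describing. `apiVersion : kyverno.io/v1alpha1` has a space before the colon, unlike every other manifest in the patch, and `expectedResult` is a quoted string (`"<=1"`) in one policy but a bare integer (`0`) in the other — if the query code compares these as strings the integer form may need quoting, which is worth confirming. The new filenames spell "loadblancer" (the typo is repeated in the scenario paths), and `resource_lb2.yaml` is created here but referenced by neither scenario in this patch.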
+++ b/test/scenarios/query/resource_ns_test.yaml
@@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: "test"
\ No newline at end of file
diff --git a/examples/resources/resource_generate_networkPolicy.yaml b/test/scenarios/resources/resource_generate_networkPolicy.yaml
similarity index 100%
rename from examples/resources/resource_generate_networkPolicy.yaml
rename to test/scenarios/resources/resource_generate_networkPolicy.yaml
diff --git a/examples/resources/resource_mutate_endpoint.yaml b/test/scenarios/resources/resource_mutate_endpoint.yaml
similarity index 100%
rename from examples/resources/resource_mutate_endpoint.yaml
rename to test/scenarios/resources/resource_mutate_endpoint.yaml
diff --git a/examples/resources/resource_mutate_imagePullPolicy.yaml b/test/scenarios/resources/resource_mutate_imagePullPolicy.yaml
similarity index 100%
rename from examples/resources/resource_mutate_imagePullPolicy.yaml
rename to test/scenarios/resources/resource_mutate_imagePullPolicy.yaml
diff --git a/examples/resources/resource_mutate_validate_qos.yaml b/test/scenarios/resources/resource_mutate_validate_qos.yaml
similarity index 100%
rename from examples/resources/resource_mutate_validate_qos.yaml
rename to test/scenarios/resources/resource_mutate_validate_qos.yaml
diff --git a/examples/resources/resource_validate_containerSecurityContext.yaml b/test/scenarios/resources/resource_validate_containerSecurityContext.yaml
similarity index 100%
rename from examples/resources/resource_validate_containerSecurityContext.yaml
rename to test/scenarios/resources/resource_validate_containerSecurityContext.yaml
diff --git a/examples/resources/resource_validate_healthChecks.yaml b/test/scenarios/resources/resource_validate_healthChecks.yaml
similarity index 100%
rename from examples/resources/resource_validate_healthChecks.yaml
rename to test/scenarios/resources/resource_validate_healthChecks.yaml
diff --git a/examples/resources/resource_validate_imageRegistries.yaml b/test/scenarios/resources/resource_validate_imageRegistries.yaml similarity index 100% rename from examples/resources/resource_validate_imageRegistries.yaml rename to test/scenarios/resources/resource_validate_imageRegistries.yaml diff --git a/examples/resources/resource_validate_nonRootUser.yaml b/test/scenarios/resources/resource_validate_nonRootUser.yaml similarity index 100% rename from examples/resources/resource_validate_nonRootUser.yaml rename to test/scenarios/resources/resource_validate_nonRootUser.yaml diff --git a/test/scenarios/test/scenario_mutate_endPpoint.yaml b/test/scenarios/test/scenario_mutate_endPpoint.yaml index b0a890f276..44a01fb35a 100644 --- a/test/scenarios/test/scenario_mutate_endPpoint.yaml +++ b/test/scenarios/test/scenario_mutate_endPpoint.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: - policy: examples/policy_mutate_endpoint.yaml - resource: examples/resources/resource_mutate_endpoint.yaml + policy: test/scenarios/policy_mutate_endpoint.yaml + resource: test/scenarios/resources/resource_mutate_endpoint.yaml expected: mutation: patchedresource: test/output/output_mutate_endpoint.yaml diff --git a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml b/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml index b20806091a..9f0ba40b80 100644 --- a/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml +++ b/test/scenarios/test/scenario_mutate_imagePullPolicy.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: - policy: examples/policy_mutate_imagePullPolicy.yaml - resource: examples/resources/resource_mutate_imagePullPolicy.yaml + policy: test/scenarios/policy_mutate_imagePullPolicy.yaml + resource: test/scenarios/resources/resource_mutate_imagePullPolicy.yaml expected: mutation: patchedresource: test/output/output_mutate_imagePullPolicy.yaml 
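Review bot: The scenario path updates in this patch cover the mutate_endpoint, mutate_imagePullPolicy, mutate_validate_qos, validate_containerSecurityContext, validate_healthChecks and validate_imageRegistries pairs, but `policy_validate_nonRootUser.yaml`/`resource_validate_nonRootUser.yaml` and the `generate_networkPolicy` pair are also moved out of `examples/` with no scenario change visible here; if scenario files for those exist they will still reference `examples/...` and fail to load, which is worth checking before merge. While the `scenario_mutate_endPpoint.yaml` hunk is being rewritten anyway, the doubled "P" in that filename could be corrected in the same move.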
diff --git a/test/scenarios/test/scenario_mutate_validate_qos.yaml b/test/scenarios/test/scenario_mutate_validate_qos.yaml index 383d001750..e47cc9555e 100644 --- a/test/scenarios/test/scenario_mutate_validate_qos.yaml +++ b/test/scenarios/test/scenario_mutate_validate_qos.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: - policy: examples/policy_mutate_validate_qos.yaml - resource: examples/resources/resource_mutate_validate_qos.yaml + policy: test/scenarios/policy_mutate_validate_qos.yaml + resource: test/scenarios/resources/resource_mutate_validate_qos.yaml expected: mutation: patchedresource: test/output/output_mutate_validate_qos.yaml diff --git a/test/scenarios/test/scenario_query_lb_count.yaml b/test/scenarios/test/scenario_query_lb_count.yaml new file mode 100644 index 0000000000..d1dd596718 --- /dev/null +++ b/test/scenarios/test/scenario_query_lb_count.yaml @@ -0,0 +1,20 @@ +# file path relative to project root +input: + policy: test/scenarios/policy_validate_loadblancer.yaml + resource: test/scenarios/resource_lb1.yaml + loadresources: + - examples/query/resource_ns_test.yaml +expected: + query: + policyresponse: + policy: query1 + resource: + kind: Service + apiVersion: v1 + namespace: test + name: lb1 + rules: + - name: Max one service of type LoadBalancer in namespace test + type: Query + success: true + message: "Query rule Max one service of type LoadBalancer in namespace test success. (recieved) 1 == (expected) <=1" \ No newline at end of file diff --git a/test/scenarios/test/scenario_query_no_lb.yaml b/test/scenarios/test/scenario_query_no_lb.yaml new file mode 100644 index 0000000000..639b284402 --- /dev/null +++ b/test/scenarios/test/scenario_query_no_lb.yaml 
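Review bot: The paths in the new `scenario_query_lb_count.yaml` do not match where this patch creates the files: `policy: test/scenarios/policy_validate_loadblancer.yaml` and `resource: test/scenarios/resource_lb1.yaml` omit the `query/` directory the files are created under, and `loadresources: - examples/query/resource_ns_test.yaml` still points into `examples/`, which this commit is emptying. `scenario_query_no_lb.yaml` in the next hunk has the same `policy`/`resource` mismatch. Unless the scenario loader resolves these differently from the `# file path relative to project root` comment, the lines should read `policy: test/scenarios/query/policy_validate_loadblancer.yaml`, `resource: test/scenarios/query/resource_lb1.yaml` and `- test/scenarios/query/resource_ns_test.yaml`. The expected messages also carry the misspelling "recieved"; if that mirrors the string the engine emits, correcting it needs a coordinated change in the code that formats it.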
@@ -0,0 +1,20 @@ +# file path relative to project root +input: + policy: test/scenarios/policy_validate_no_loadblancer.yaml + resource: test/scenarios/resource_lb1.yaml + loadresources: + - test/scenarios/resource_ns_test.yaml +expected: + query: + policyresponse: + policy: query1 + resource: + kind: Service + apiVersion: v1 + namespace: test + name: lb1 + rules: + - name: No service of type LoadBalancer in namespace test + type: Query + success: false + message: "Query rule No service of type LoadBalancer in namespace test failed, (recieved) 1!=(expected) 0" \ No newline at end of file diff --git a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml b/test/scenarios/test/scenario_validate_containerSecurityContext.yaml index e5dd3df274..c327206ad6 100644 --- a/test/scenarios/test/scenario_validate_containerSecurityContext.yaml +++ b/test/scenarios/test/scenario_validate_containerSecurityContext.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: - policy: examples/policy_validate_containerSecurityContext.yaml - resource: examples/resources/resource_validate_containerSecurityContext.yaml + policy: test/scenarios/policy_validate_containerSecurityContext.yaml + resource: test/scenarios/resources/resource_validate_containerSecurityContext.yaml expected: validation: policyresponse: diff --git a/test/scenarios/test/scenario_validate_healthChecks.yaml b/test/scenarios/test/scenario_validate_healthChecks.yaml index ce5ab021e7..2bb0cfb4e7 100644 --- a/test/scenarios/test/scenario_validate_healthChecks.yaml +++ b/test/scenarios/test/scenario_validate_healthChecks.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: - policy: examples/policy_validate_healthChecks.yaml - resource: examples/resources/resource_validate_healthChecks.yaml + policy: test/scenarios/policy_validate_healthChecks.yaml + resource: test/scenarios/resources/resource_validate_healthChecks.yaml expected: validation: policyresponse: 
diff --git a/test/scenarios/test/scenario_validate_imageRegistries.yaml b/test/scenarios/test/scenario_validate_imageRegistries.yaml index ec774a6698..90792130e6 100644 --- a/test/scenarios/test/scenario_validate_imageRegistries.yaml +++ b/test/scenarios/test/scenario_validate_imageRegistries.yaml @@ -1,7 +1,7 @@ # file path relative to project root input: - policy: examples/policy_validate_imageRegistries.yaml - resource: examples/resources/resource_validate_imageRegistries.yaml + policy: test/scenarios/policy_validate_imageRegistries.yaml + resource: test/scenarios/resources/resource_validate_imageRegistries.yaml expected: validation: policyresponse: diff --git a/examples/validate/check_cpu_memory.yaml b/test/validate/check_cpu_memory.yaml similarity index 100% rename from examples/validate/check_cpu_memory.yaml rename to test/validate/check_cpu_memory.yaml diff --git a/examples/validate/check_hostpath.yaml b/test/validate/check_hostpath.yaml similarity index 100% rename from examples/validate/check_hostpath.yaml rename to test/validate/check_hostpath.yaml diff --git a/examples/validate/check_image_version.yaml b/test/validate/check_image_version.yaml similarity index 100% rename from examples/validate/check_image_version.yaml rename to test/validate/check_image_version.yaml diff --git a/examples/validate/check_memory_requests_same_yaml.yaml b/test/validate/check_memory_requests_same_yaml.yaml similarity index 100% rename from examples/validate/check_memory_requests_same_yaml.yaml rename to test/validate/check_memory_requests_same_yaml.yaml diff --git a/examples/validate/check_memory_requests_same_yaml_relative.yaml b/test/validate/check_memory_requests_same_yaml_relative.yaml similarity index 100% rename from examples/validate/check_memory_requests_same_yaml_relative.yaml rename to test/validate/check_memory_requests_same_yaml_relative.yaml 
diff --git a/examples/validate/check_nodeport.yaml b/test/validate/check_nodeport.yaml
similarity index 100%
rename from examples/validate/check_nodeport.yaml
rename to test/validate/check_nodeport.yaml
diff --git a/examples/validate/check_not_root.yaml b/test/validate/check_not_root.yaml
similarity index 100%
rename from examples/validate/check_not_root.yaml
rename to test/validate/check_not_root.yaml
diff --git a/examples/validate/check_probe_exists.yaml b/test/validate/check_probe_exists.yaml
similarity index 100%
rename from examples/validate/check_probe_exists.yaml
rename to test/validate/check_probe_exists.yaml
diff --git a/examples/validate/check_probe_intervals.yaml b/test/validate/check_probe_intervals.yaml
similarity index 100%
rename from examples/validate/check_probe_intervals.yaml
rename to test/validate/check_probe_intervals.yaml
diff --git a/examples/validate/check_registries.yaml b/test/validate/check_registries.yaml
similarity index 100%
rename from examples/validate/check_registries.yaml
rename to test/validate/check_registries.yaml