rebase with master

definitions/install.yaml

@@ -184,7 +184,7 @@ spec:
       containers:
         - name: kyverno
           image: nirmata/kyverno:latest
-          args: ["--filterKind","Nodes,Events,APIService,SubjectAccessReview"]
+          args: ["--filterKind","Node,Event,APIService,Policy,TokenReview,SubjectAccessReview"]
           ports:
           - containerPort: 443
           securityContext:

examples/demo/1_image_pull_policy/nginx.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+    cli: test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
+        # imagePullPolicy: IfNotPresent

examples/demo/1_image_pull_policy/policy.yaml

@@ -0,0 +1,26 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: image-pull-policy
+spec:
+  rules:
+  - name: image-pull-policy
+    resource:
+      kinds:
+      - Deployment
+      # - StatefulSet
+      # name: "my-deployment"
+      # selector :
+      #   matchLabels:
+      #     app.type: prod
+      # namespace: "my-namespace"
+    mutate:
+      overlay:
+        spec:
+          template:
+            spec:
+              containers:
+              # select images which end with :latest
+              - (image): "*latest"
+                # require that the imagePullPolicy is "IfNotPresent"  
+                imagePullPolicy: IfNotPresent

examples/demo/2_allowed_registry/nginx.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+    cli: test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        # image: nginx
+        image: nirmata/nginx

examples/demo/2_allowed_registry/policy.yaml

@@ -0,0 +1,22 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-registries
+spec:
+  rules:
+  - name: check-registries
+    resource:
+      kinds:
+      - Deployment
+      - StatefulSet
+      namespace: default
+    validate:
+      message: "Registry is not allowed"
+      pattern:
+        spec:
+          template:
+            spec:
+              containers:
+              - name: "*"
+                # Check allowed registries
+                image: "*nirmata* | https://private.registry.io/*"

examples/demo/3_network_policy/policy.yaml

@@ -8,7 +8,7 @@ spec:
     resource: 
       kinds:
        - Namespace
-      name: "*"
+      name: "devtest"
     generate: 
       kind: NetworkPolicy
       name: deny-ingress-traffic
@@ -22,4 +22,9 @@ spec:
         metadata:
           annotations: {}
           labels:
-            policyname: "default"
+            policyname: "default"
+      # kind: ConfigMap
+      # name: default-config
+      # clone:
+      #   namespace: default
+      #   name: config-template

examples/demo/4_non_root/nginx.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: psp-demo-unprivileged
+  labels:
+    app.type: prod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: psp
+  template:
+    metadata:
+      labels:
+        app: psp
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      containers:
+      - name: sec-ctx-unprivileged
+        image: nginxinc/nginx-unprivileged

examples/demo/4_non_root/policy.yaml

@@ -0,0 +1,21 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: policy-security-context
+spec:
+  rules:
+  - name: validate-runAsNonRoot
+    resource:
+      kinds:
+      - Deployment
+      selector :
+        matchLabels:
+          app.type: prod
+    validate:
+      message: "security context 'runAsNonRoot' shoud be set to true"
+      pattern:
+        spec:
+          template:
+            spec:
+              securityContext:
+                runAsNonRoot: true

examples/demo/5_health_check/pod.yaml

@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    test: probe
+  name: probe
+spec:
+  containers:
+  - name: readiness
+    image: k8s.gcr.io/busybox
+    args:
+    - /bin/sh
+    - -c
+    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
+    readinessProbe:
+      # successThreshold: 3
+      exec:
+        command:
+        - cat
+        - /tmp/healthy
+  - name: liveness
+    image: k8s.gcr.io/liveness
+    args:
+    - /server
+    livenessProbe:
+      httpGet:
+        path: /healthz
+        port: 8080
+        httpHeaders:
+        - name: Custom-Header
+          value: Awesome
+      periodSeconds: 3

examples/demo/5_health_check/policy.yaml

@@ -0,0 +1,33 @@
+apiVersion : kyverno.io/v1alpha1
+kind : Policy
+metadata :
+  name: check-probe-exists
+spec:
+  rules:
+  - name: check-readinessProbe-exists
+    resource:
+      kinds :
+      - Pod
+    validate:
+      message: "readinessProbe is required"
+      pattern:
+        spec:
+          containers:
+          - (name): "readiness"
+            readinessProbe:
+              successThreshold: ">1"
+  - name: check-livenessProbe-exists
+    resource:
+      kinds :
+      - Pod
+    validate:
+      message: "livenessProbe is required"
+      pattern:
+        spec:
+          containers:
+          - (name): "liveness"
+            livenessProbe:
+              httpGet:
+                path: "?*"
+                port: "*"
+                scheme: "?*"

examples/demo/6_qos/qos.yaml

@@ -17,4 +17,4 @@ spec:
         image: nginx:latest
         resources:
           limits:
-            cpu: "50m"
+            cpu: "50m"

examples/demo/7_container_security_context/nginx.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: psp-demo-unprivileged
+  labels:
+    app.type: prod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: psp
+  template:
+    metadata:
+      labels:
+        app: psp
+    spec:
+      containers:
+      - name: sec-ctx-unprivileged
+        image: nginxinc/nginx-unprivileged
+        securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: true

examples/demo/7_container_security_context/policy.yaml

@@ -0,0 +1,26 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: container-security-context
+spec:
+  rules:
+  - name: validate-user-privilege
+    resource:
+      kinds:
+      - Deployment
+      selector :
+        matchLabels:
+          app.type: prod
+    validate:
+      message: "validate container security contexts"
+      pattern:
+        spec:
+          template:
+            spec:
+              containers:
+              - securityContext:
+                  runAsNonRoot: true
+                  allowPrivilegeEscalation: false
+                  # fields can be customized
+                  # privileged: false
+                  # readOnlyRootFilesystem: true

examples/demo/mutate_patch/ep.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: demo-endpoint
-  labels:
-    label : test
-subsets:
-- addresses:
-  - ip: 192.168.10.171
-  ports:
-  - name: secure-connection
-    port: 443
-    protocol: TCP

examples/demo/mutate_patch/policy_patch.yaml

@@ -1,24 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-endpoints
-spec :
-  rules:
-    - name: demo-ep
-      resource:
-        kinds : 
-        - Endpoints
-        selector:
-          matchLabels:
-            label : test
-        name: demo-endpoint
-      mutate:
-        patches:
-          # add a new label
-          - path: /metadata/labels/app.type
-            op: add
-            value: dev
-          # replace port 
-          - path : /subsets/0/ports/0/port
-            op : replace
-            value: 9663

pkg/engine/overlay_new.go

@@ -0,0 +1,70 @@
+package engine
+
+import (
+	"reflect"
+)
+
+// func processoverlay(rule kubepolicy.Rule, rawResource []byte, gvk metav1.GroupVersionKind) ([][]byte, error) {
+
+// 	var resource interface{}
+// 	var appliedPatches [][]byte
+// 	err := json.Unmarshal(rawResource, &resource)
+// 	if err != nil {
+// 		return nil, err
+// 	}
+
+// 	patches, err := mutateResourceWithOverlay(resource, *rule.Mutation.Overlay)
+// 	if err != nil {
+// 		return nil, err
+// 	}
+// 	appliedPatches = append(appliedPatches, patches...)
+
+// 	return appliedPatches, err
+// }
+
+func applyoverlay(resource, overlay interface{}, path string) ([][]byte, error) {
+	var appliedPatches [][]byte
+	// resource item exists but has different type - replace
+	// all subtree within this path by overlay
+	if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
+		patch, err := replaceSubtree(overlay, path)
+		if err != nil {
+			return nil, err
+		}
+
+		appliedPatches = append(appliedPatches, patch)
+	}
+
+	return applyOverlayForSameTypes(resource, overlay, path)
+}
+
+func checkConditions(resource, overlay interface{}, path string) bool {
+
+	switch typedOverlay := overlay.(type) {
+	case map[string]interface{}:
+		typedResource := resource.(map[string]interface{})
+		if !checkConditionOnMap(typedResource, typedOverlay) {
+			return false
+		}
+	case []interface{}:
+		typedResource := resource.([]interface{})
+		if !checkConditionOnArray(typedResource, typedOverlay) {
+			return false
+		}
+	case string, float64, int64, bool:
+
+	default:
+		return false
+	}
+	return true
+}
+
+func checkConditionOnMap(resourceMap, overlayMap map[string]interface{}) bool {
+	// _ := getAnchorsFromMap(overlayMap)
+
+	return false
+}
+
+func checkConditionOnArray(resource, overlay []interface{}) bool {
+	return false
+}