From 0e80e5110c07e7368a2d0f0f31b645ff0f155ac6 Mon Sep 17 00:00:00 2001
From: Anton Kostenko
Date: Wed, 22 May 2019 15:31:22 +0300
Subject: [PATCH] update axamples according to spec
---
 examples/Validate/check_cpu_memory.yaml | 36 ++++++++++---------
 examples/Validate/check_hostpath.yaml | 2 +-
 examples/Validate/check_image_version.yaml | 16 +++++----
 examples/Validate/check_nodeport.yaml | 4 +--
 examples/Validate/check_probe_exists.yaml | 34 ++++++++++--------
 examples/Validate/check_probe_intervals.yaml | 33 ++++++++++-------
 .../Validate/check_whitelist_registries.yaml | 18 +++++-----
 7 files changed, 82 insertions(+), 61 deletions(-)
diff --git a/examples/Validate/check_cpu_memory.yaml b/examples/Validate/check_cpu_memory.yaml
index 61ab1d2b70..6b34bd4d1d 100644
--- a/examples/Validate/check_cpu_memory.yaml
+++ b/examples/Validate/check_cpu_memory.yaml
@@ -1,4 +1,4 @@
-apiVersion: policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
 kind: Policy
 metadata:
 name: check-cpu-memory
@@ -10,16 +10,18 @@ spec:
 validate:
 message: "Resource requests and limits are required for CPU and memory"
 pattern:
- spec:
- containers:
- - name: "*"
- resources:
- limits:
- memory: "?"
- cpu: "?"
- requests:
- memory: "?"
- cpu: "?"
+ spec:
+ template:
+ spec:
+ containers:
+ - name: "*"
+ resources:
+ limits:
+ memory: "*"
+ cpu: "*"
+ requests:
+ memory: "*"
+ cpu: "*"
 - name: check-memory-in-range
 resource:
 kind: Deployment
@@ -27,10 +29,12 @@ spec:
 message: "Memory request cannot be greater than 10Gi"
 pattern:
 spec:
- containers:
- - name: "*"
- resources:
- requests:
+ template:
+ spec:
+ containers:
+ - name: "*"
+ resources:
+ requests:
 # If the value contains logical operator, the integer after it will be checked. No numeric characters will be a part of pattern.
 # The OR operator can combine the patterns with logical expressions and text patterns.
- memory: "<10Gi|<1024Mi"
\ No newline at end of file
+ memory: "<10Gi|<10240Mi"
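Review bot: The rewritten pattern in the second hunk of check_cpu_memory.yaml (from `+ spec:` down to `+ cpu: "*"`) walks `spec.template.spec.containers` only, so init containers, which live in the sibling `initContainers` list of the pod template, are never required to declare requests or limits. The same limitation applies to the patterns in check_probe_exists.yaml, check_probe_intervals.yaml, check_image_version.yaml and check_whitelist_registries.yaml in this series. If that is deliberate for an example, say so where the list is introduced, e.g. `# only containers are checked; initContainers is a separate list and is not covered`.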
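Review bot: The operator in the added `memory: "<10Gi|<10240Mi"` line in the third hunk of check_cpu_memory.yaml is strict, so a request of exactly 10Gi is rejected, while the context line `message: "Memory request cannot be greater than 10Gi"` promises that 10Gi itself is allowed. Either the message or the operator should change; if the engine has no `<=` form, the smaller change is `message: "Memory request must be less than 10Gi"`. Note also that only `requests` is bounded here and `limits` stays unbounded, which is worth a one-line comment if it is intentional.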
diff --git a/examples/Validate/check_hostpath.yaml b/examples/Validate/check_hostpath.yaml
index 8ebe1d7817..0666281e4f 100644
--- a/examples/Validate/check_hostpath.yaml
+++ b/examples/Validate/check_hostpath.yaml
@@ -1,4 +1,4 @@
-apiVersion: policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
 kind: Policy
 metadata:
 name: check-host-path
diff --git a/examples/Validate/check_image_version.yaml b/examples/Validate/check_image_version.yaml
index e71335499e..9820753832 100644
--- a/examples/Validate/check_image_version.yaml
+++ b/examples/Validate/check_image_version.yaml
@@ -1,16 +1,18 @@
-apiVersion: policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
 kind: Policy
 metadata:
 name: image-pull-policy
 spec:
 rules:
 - name: image-pull-policy
- message: "Image tag ':latest' requires imagePullPolicy 'Always'"
 resource:
 kind: Deployment
- overlay:
- template:
+ validate: #overlay?
+ message: "Image tag ':latest' requires imagePullPolicy 'Always'"
+ pattern:
 spec:
- containers:
- - image: "(*:latest)" # select images which end with :latest
- imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always"
\ No newline at end of file
+ template:
+ spec:
+ containers:
+ - (image): "*latest" # select images which end with :latest
+ imagePullPolicy: Always # ensure that the imagePullPolicy is "Always"
diff --git a/examples/Validate/check_nodeport.yaml b/examples/Validate/check_nodeport.yaml
index 1a5fd25c05..7badf98427 100644
--- a/examples/Validate/check_nodeport.yaml
+++ b/examples/Validate/check_nodeport.yaml
@@ -1,4 +1,4 @@
-apiVersion: policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
 kind: Policy
 metadata:
 name: check-host-path
@@ -11,4 +11,4 @@ spec:
 message: "Node port services are not allowed"
 pattern:
 spec:
- type: "!NodePort"
\ No newline at end of file
+ type: "!=NodePort"
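Review bot: The anchor `(image): "*latest"` added in check_image_version.yaml selects any image string that ends in `latest`, not only the `:latest` tag, so a tag such as `v2-latest` or a repository path ending in `latest` is also forced to `imagePullPolicy: Always`; the inline comment on the same line still says "end with :latest". The narrower `- (image): "*:latest"` matches the comment and the message. The `#overlay?` remark left on the `validate:` line reads as an open question rather than documentation and should be resolved or dropped before this ships as an example.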
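Review bot: The context line `name: check-host-path` in the first hunk of check_nodeport.yaml gives this policy the same metadata name as check_hostpath.yaml, so applying both examples into one namespace makes the second overwrite the first and one of the two checks silently disappears. The commit touches the line right above it but leaves the name; `name: check-nodeport` would make the examples independent. In the second hunk, `spec.type` is optional on a Service and defaults to ClusterIP when omitted, so whether `type: "!=NodePort"` accepts a Service with no `type` key depends on how the engine treats an absent key under a negated pattern, which is not visible here; a short comment stating the expected outcome would help readers, e.g. `# a Service with no spec.type defaults to ClusterIP; confirm the engine passes it`.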
diff --git a/examples/Validate/check_probe_exists.yaml b/examples/Validate/check_probe_exists.yaml
index d055455bf5..5a8d5803f4 100644
--- a/examples/Validate/check_probe_exists.yaml
+++ b/examples/Validate/check_probe_exists.yaml
@@ -1,4 +1,4 @@
-apiVersion: policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
 kind: Policy
 metadata:
 name: check-probe-exists
@@ -10,19 +10,25 @@ spec:
 validate:
 message: "a livenessProbe is required"
 pattern:
- containers:
- # In this case every object in containers list will be checked for pattern
- - name: "*"
- livenessProbe:
- periodSeconds: ?
- - resource:
- kind: Deployment
- name: check-readiness-probe-exists
+ spec:
+ template:
+ spec:
+ containers:
+ # In this case every object in containers list will be checked for pattern
+ - name: "*"
+ livenessProbe:
+ periodSeconds: ">0"
+ - name: check-readiness-probe-exists
+ resource:
+ kind: StatefulSet
 validate:
 message: "a readinessProbe is required"
 pattern:
- containers:
- # In this case every object in containers list will be checked for pattern
- - name: "*"
- readinessProbe:
- periodSeconds: ?
+ spec:
+ template:
+ spec:
+ containers:
+ # In this case every object in containers list will be checked for pattern
+ - name: "*"
+ readinessProbe:
+ periodSeconds: ">0"
diff --git a/examples/Validate/check_probe_intervals.yaml b/examples/Validate/check_probe_intervals.yaml
index 77bc50b9ce..d664e94de5 100644
--- a/examples/Validate/check_probe_intervals.yaml
+++ b/examples/Validate/check_probe_intervals.yaml
@@ -1,4 +1,4 @@
-apiVersion: policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
 kind: Policy
 metadata:
 name: check-probe-intervals
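Review bot: Both added `periodSeconds: ">0"` lines in check_probe_exists.yaml require the key to be present, but a probe that relies on the Kubernetes default period (10s when the field is omitted) has no `periodSeconds` key at all, so it would presumably fail a rule whose message only says "a livenessProbe is required"; the check is stricter than the message and rejects valid probes. If the engine accepts a wildcard on a mapping, `livenessProbe: "*"` expresses the intent; otherwise the message should state the extra requirement. The readiness rule is also retargeted to `kind: StatefulSet` while the liveness rule keeps whatever kind is set above the hunk, so the two rules no longer check the same workloads; if that is meant to demonstrate per-rule targeting, a comment such as `# each rule may target a different kind` would save readers from reading it as a typo.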
@@ -10,18 +10,25 @@ spec:
 validate:
 message: "livenessProbe must be > 10s"
 pattern:
- containers:
- # In this case every object in containers list will be checked for pattern
- - name: "*"
- livenessProbe:
- periodSeconds: ">10"
- - resource:
+ spec:
+ template:
+ spec:
+ containers:
+ # In this case every object in containers list will be checked for pattern
+ - name: "*"
+ livenessProbe:
+ periodSeconds: ">10"
+ - name: check-probe-intervals
+ resource:
 kind: Deployment
 validate:
+ message: "readinessProbe must be > 10s"
 pattern:
- message: "readinessProbe must be > 10s"
- containers:
- # In this case every object in containers list will be checked for pattern
- - name: "*"
- readinessProbe:
- periodSeconds: ">10"
+ spec:
+ template:
+ spec:
+ containers:
+ # In this case every object in containers list will be checked for pattern
+ - name: "*"
+ readinessProbe:
+ periodSeconds: ">10"
diff --git a/examples/Validate/check_whitelist_registries.yaml b/examples/Validate/check_whitelist_registries.yaml
index 79aceab2e0..7ffe42ee72 100644
--- a/examples/Validate/check_whitelist_registries.yaml
+++ b/examples/Validate/check_whitelist_registries.yaml
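Review bot: The added rule name `- name: check-probe-intervals` repeats the policy's own metadata name and, if the first rule (whose name sits above this hunk) follows the same convention, may repeat that too; rule names are what a violation report points at, so two rules in one policy should not share one. `- name: check-readiness-probe-interval` identifies the readiness check unambiguously. The rest of the hunk, moving `message:` out of `pattern:` and under `validate:`, is the right fix and needs no further change.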
@@ -1,18 +1,20 @@
-apiVersion: policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
 kind: Policy
 metadata:
 name: check-whitelist-registries
 spec:
 rules:
 - name: check-whitelist-registries
- message: "Registry is not allowed"
 resource:
 kind: Deployment
 validate:
+ message: "Registry is not allowed"
 pattern:
- template:
- spec:
- containers:
- # Checks if the image path starts with "https://private.registry.io" OR "https://hub.docker.io/nirmata/*"
- # If some property contains operator | as a normal part of its value, it should be escaped by backslash: "\|".
- image: https://private.registry.io* | https://hub.docker.io/nirmata/*
+ spec:
+ template:
+ spec:
+ containers:
+ # Checks if the image path starts with "https://private.registry.io" OR "https://hub.docker.io/nirmata/*"
+ # If some property contains operator | as a normal part of its value, it should be escaped by backslash: "\|".
+ - name: "*"
+ image: "https://private.registry.io*|https://hub.docker.io/nirmata/*"
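Review bot: The allow-list in the added `image: "https://private.registry.io*|https://hub.docker.io/nirmata/*"` line carries an `https://` scheme, but a container image reference never includes one (a real value looks like `private.registry.io/team/app:1.2`, constructed example), so as written the rule can match no real image and rejects every Deployment; the old line had the same problem, and the commit only quotes it. The first alternative also ends in `*` directly after the hostname with no `/`, so any registry whose hostname merely begins with `private.registry.io` satisfies the allow-list; anchoring on the path separator closes that, and Docker Hub pulls resolve under `docker.io` rather than `hub.docker.io`. Suggested: `image: "private.registry.io/*|docker.io/nirmata/*"`, with the comment above it updated to drop the scheme.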