Migrate all mutate e2e tests to kuttl and expand (#5491)
* add jmespath-logic test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add simple-conditional test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add variables-in-keys test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add patchesjson6902-simple Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add foreach-patchStrategicMerge-preconditions test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add patchStrategicMerge-global test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add patchStrategicMerge-global-addifnotpresent test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add patchesJson6902-replace test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * adjust "basic" mutate existing test to prep for e2e migrations Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add basic-create test (mutate existing) Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add basic-delete test (mutate existing) Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add basic-create-policy test (mutate existing) Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add basic-create-patchesJson6902 test (mutate existing) Signed-off-by: Chip Zoller <chipzoller@gmail.com> * change name to avoid deletion race Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
parent
6f1bd5fff2
commit
21da0f335e
98 changed files with 1293 additions and 5 deletions
|
@ -14,6 +14,7 @@ testDirs:
|
|||
# - ./test/conformance/kuttl/generate/policy/standard/data/nosync
|
||||
- ./test/conformance/kuttl/generate/clusterpolicy/cornercases
|
||||
# Mutate tests
|
||||
- ./test/conformance/kuttl/mutate/e2e
|
||||
- ./test/conformance/kuttl/mutate/clusterpolicy/standard
|
||||
- ./test/conformance/kuttl/mutate/clusterpolicy/standard/existing
|
||||
- ./test/conformance/kuttl/mutate/clusterpolicy/cornercases
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-post-mutation
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,45 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-4
|
||||
labels:
|
||||
app-type: corp
|
||||
annotations:
|
||||
cloud.platformzero.com/serviceClass: "xl2"
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: test-secret-4
|
||||
namespace: staging-4
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-post-mutation
|
||||
spec:
|
||||
mutateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: mutate-secret-on-configmap-update
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
names:
|
||||
- dictionary-4
|
||||
namespaces:
|
||||
- staging-4
|
||||
mutate:
|
||||
targets:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
name: test-secret-4
|
||||
namespace: "{{ request.object.metadata.namespace }}"
|
||||
patchesJson6902: |-
|
||||
- op: add
|
||||
path: "/metadata/labels/env"
|
||||
value: "{{ request.object.metadata.namespace }}"
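Review bot: The rule name `mutate-secret-on-configmap-update` does not match what this test exercises: the README for this test on this page describes the mutation firing when the `dictionary-4` ConfigMap is created, and the rule has no `preconditions` on `request.operation`, so it is not limited to updates either. Renaming it to `name: mutate-secret-on-configmap-create` would make a failing run point at the right trigger. If the intent is to fire only on creation, a precondition in the style of the delete-trigger policy in this commit (`key: "{{ request.operation }}"`, `operator: Equals`, `value: CREATE`) would state that explicitly. Without one, the target namespace and the label value are derived from `request.object` on every operation that matches.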
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bar
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: dictionary-4
|
||||
namespace: staging-4
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: test-secret-4
|
||||
namespace: staging-4
|
||||
labels:
|
||||
env: staging-4
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic test for the mutate existing capability, using a JSON patch, which ensures that creating a triggering resource results in the correct mutation of a different resource.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
When the `dictionary-4` ConfigMap is created, this should result in the mutation of the Secret named `test-secret-4` within the same Namespace to add the label `env` with value set to the name of the triggering resource's Namespace, `staging-4`. If the Secret is mutated so that the label `env: staging-4` is present, the test passes. If not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,25 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-3
|
||||
labels:
|
||||
app-type: corp
|
||||
annotations:
|
||||
cloud.platformzero.com/serviceClass: "xl2"
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: test-secret-3
|
||||
namespace: staging-3
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: bar
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: dictionary-3
|
||||
namespace: staging-3
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-post-mutation-create-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-post-mutation-create-policy
|
||||
spec:
|
||||
mutateExistingOnPolicyUpdate: true
|
||||
rules:
|
||||
- name: mutate-secret-on-policy-create
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
names:
|
||||
- dictionary-3
|
||||
namespaces:
|
||||
- staging-3
|
||||
mutate:
|
||||
targets:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
name: test-secret-3
|
||||
namespace: "{{ request.object.metadata.namespace }}"
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: "{{ request.object.metadata.name }}"
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: test-secret-3
|
||||
namespace: staging-3
|
||||
labels:
|
||||
foo: dictionary-3
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic test for the mutate existing capability which ensures that creating of a Kyverno ClusterPolicy causes immediate mutation of downstream targets by setting `mutateExistingOnPolicyUpdate: true`.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
When the ClusterPolicy is created, at that time it should mutate the `test-secret-3` Secret in the `staging-3` Namespace to add a label with key `foo` the value of which should be the name of the defined triggering resource, `dictionary-3`. If this mutation is done, the test passes. If not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
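Review bot: `--force` in this cleanup command looks unnecessary and sits awkwardly next to `--wait=true`: it asks kubectl to bypass graceful deletion, and kubectl warns that immediate deletion does not wait for confirmation that the resource has terminated. The manifests shown in this commit hold a Namespace, Secret, ConfigMap and ClusterPolicy, for which graceful termination should not matter. Since the commit message mentions renaming resources to avoid a deletion race, a cleanup that simply waits is the safer default: `- command: kubectl delete -f 01-manifests.yaml --wait=true --ignore-not-found=true`. The same line appears in the other three cleanup TestStep files in this commit.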
|
|
@ -0,0 +1,45 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging
|
||||
labels:
|
||||
app-type: corp
|
||||
annotations:
|
||||
cloud.platformzero.com/serviceClass: "xl2"
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: secret-1
|
||||
namespace: staging
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-existing-secret
|
||||
spec:
|
||||
mutateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: mutate-secret-on-configmap-create
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
names:
|
||||
- dictionary-1
|
||||
namespaces:
|
||||
- staging
|
||||
mutate:
|
||||
targets:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
name: secret-1
|
||||
namespace: "{{ request.object.metadata.namespace }}"
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
data:
|
||||
foo: bar
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: dictionary-1
|
||||
namespace: staging
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic test for the mutate existing capability which ensures that creating a triggering resource results in the correct mutation of a different resource.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
When the `dictionary-1` ConfigMap is created, this should result in the mutation of the Secret named `secret-1` within the same Namespace to add the label `foo: bar`. If the Secret is mutated so that the label `foo: bar` is present, the test passes. If not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-post-mutation-delete-trigger
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,58 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: staging-2
|
||||
labels:
|
||||
app-type: corp
|
||||
annotations:
|
||||
cloud.platformzero.com/serviceClass: "xl2"
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: bar
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: dictionary-2
|
||||
namespace: staging-2
|
||||
---
|
||||
apiVersion: v1
|
||||
data:
|
||||
foo: YmFy
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: test-secret-2
|
||||
namespace: staging-2
|
||||
type: Opaque
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-post-mutation-delete-trigger
|
||||
spec:
|
||||
mutateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: mutate-secret-on-configmap-delete
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
names:
|
||||
- dictionary-2
|
||||
namespaces:
|
||||
- staging-2
|
||||
preconditions:
|
||||
any:
|
||||
- key: "{{ request.operation }}"
|
||||
operator: Equals
|
||||
value: DELETE
|
||||
mutate:
|
||||
targets:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
name: test-secret-2
|
||||
namespace: "{{ request.object.metadata.namespace }}"
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: "{{ request.object.metadata.name }}"
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
delete:
|
||||
- apiVersion: v1
|
||||
kind: ConfigMap
|
||||
name: dictionary-2
|
||||
namespace: staging-2
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: test-secret-2
|
||||
namespace: staging-2
|
||||
labels:
|
||||
foo: dictionary-2
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic test for the mutate existing capability which ensures that specifically deleting a triggering resource, via a precondition, results in the correct mutation of a different resource.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
When the `dictionary-2` ConfigMap is deleted, this should result in the mutation of the Secret named `test-secret-2` within the same Namespace to add the label `foo` with value set to the name or `dictionary-2` in this case. If the Secret is mutated so that the label `foo: dictionary-2` is present, the test passes. If not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-existing-secret
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -27,10 +27,11 @@ type: Opaque
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: "mutate-existing-secret"
|
||||
name: mutate-existing-secret
|
||||
spec:
|
||||
mutateExistingOnPolicyUpdate: false
|
||||
rules:
|
||||
- name: "mutate-secret-on-configmap-event"
|
||||
- name: mutate-secret-on-configmap-event
|
||||
match:
|
||||
any:
|
||||
- resources:
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: secret-1
|
||||
namespace: staging
|
||||
labels:
|
||||
foo: bar
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a basic test for the mutate existing capability which ensures that modifying (updating) a triggering resource results in the correct mutation of a different resource.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
When the `dictionary-1` ConfigMap is updated, this should result in the mutation of the Secret named `secret-1` within the same Namespace to add the label `foo: bar`. If the Secret is mutated so that the label `foo: bar` is present, the test passes. If not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
commands:
|
||||
- command: kubectl delete -f 01-manifests.yaml --force --wait=true --ignore-not-found=true
|
|
@ -1,3 +0,0 @@
|
|||
# Title
|
||||
|
||||
This is a test for mutation of existing resources.
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-mutated.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a migrated test from e2e. It tests that preconditions inside a foreach loop are substituted properly. Preconditions, in this case, use predefined variables from image registries and so this is a secondary aspect to the test.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The containers with images from `docker.io` should be mutated so the value of the `image` field with respect to the registry is replaced with `my-private-registry`. Therefore, the input image `nginx:1.14.2` (which implicitly is equal to `docker.io/nginx:1.14.2`) is mutated so the output is `my-private-registry/nginx:1.14.2`. If this occurs, the test passes. If this is not done, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: replace-docker-hub
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,32 @@
|
|||
apiVersion : kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: replace-docker-hub
|
||||
spec:
|
||||
rules:
|
||||
- name: replace-docker-hub
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{request.operation}}"
|
||||
operator: AnyIn
|
||||
value:
|
||||
- CREATE
|
||||
- UPDATE
|
||||
mutate:
|
||||
foreach:
|
||||
- list: "request.object.spec.containers"
|
||||
preconditions:
|
||||
all:
|
||||
- key: '{{images.containers."{{element.name}}".registry}}'
|
||||
operator: Equals
|
||||
value: 'docker.io'
|
||||
patchStrategicMerge:
|
||||
spec:
|
||||
containers:
|
||||
- name: "{{ element.name }}"
|
||||
image: 'my-private-registry/{{images.containers."{{element.name}}".path}}:{{images.containers."{{element.name}}".tag}}'
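Review bot: The rewritten `image` on the last line is assembled from `path` and `tag` only, so an image referenced by digest would lose its pin when the registry is swapped, and an image with a digest but no tag would presumably render with an empty tag. The fixture only covers `nginx:1.14.2`, so the test would not notice either case. Consider adding a digest-pinned container to the fixture and, if Kyverno's `images.*` variables expose the digest (to be confirmed), carrying it into the patched value. The `foreach` also walks `request.object.spec.containers` only, so an initContainer pulling from `docker.io` passes through unchanged; a comment such as `# initContainers are intentionally not rewritten in this test` would help anyone copying the policy.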
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: nginx
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: my-private-registry/nginx:1.14.2
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: nginx
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:1.14.2
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- manifests.yaml
|
||||
assert:
|
||||
- policy-one-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-mutated.yaml
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-policy
|
||||
spec:
|
||||
rules:
|
||||
- name: gen-role
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
context:
|
||||
- name: labelValue
|
||||
apiCall:
|
||||
urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}/configmaps"
|
||||
jmesPath: "items[?metadata.name == 'source'].metadata.labels.\"kyverno.key/copy-me\" | [0]"
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
+(kyverno.key/copy-me): "{{ labelValue }}"
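Review bot: The `match` block selects every ConfigMap in every namespace, so while this ClusterPolicy is installed each ConfigMap admission in the cluster triggers the `apiCall` and is a candidate for the label, including ConfigMaps created by other suites running at the same time. In a namespace with no ConfigMap named `source` the JMESPath result is presumably null, and this test does not pin down how the rule behaves then. Scoping the match to the test namespace keeps the effect on the fixture only: add `namespaces:` with `- mutate-jmespath` under `resources:`. The second copy of this policy in the manifests file later in the commit (the one using `jmesPath: "items[*]"`) has the same unscoped match, and in both the rule name `gen-role` reads like a leftover from a generate test.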
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource-two.yaml
|
||||
assert:
|
||||
- resource-two-mutated.yaml
|
11
test/conformance/kuttl/mutate/e2e/jmespath-logic/README.md
Normal file
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is test migrated from e2e which roughly tests that mutations are successful when the value of key being mutated contains both a context variable as well as a context variable plus additional JMESPath filtering in that variable reference. The test migrated here to kuttl represents a condensed version of the original test to eliminate minor redundancy.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The mutated ConfigMap should have a label written to it `kyverno.key/copy-me: sample-value`. If this is so, the test passes. If it is not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: mutate-jmespath
|
||||
---
|
||||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-policy
|
||||
spec:
|
||||
rules:
|
||||
- name: gen-role
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
context:
|
||||
- name: labelValue
|
||||
apiCall:
|
||||
urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}/configmaps"
|
||||
jmesPath: "items[*]"
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
+(kyverno.key/copy-me): "{{ labelValue[?metadata.name == 'source'].metadata.labels.\"kyverno.key/copy-me\" | [0] }}"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: source
|
||||
namespace: mutate-jmespath
|
||||
labels:
|
||||
kyverno.key/copy-me: sample-value
|
||||
data:
|
||||
data.yaml: |
|
||||
some: data
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-policy
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
kyverno.key/copy-from: source
|
||||
kyverno.key/copy-me: sample-value
|
||||
name: target
|
||||
namespace: mutate-jmespath
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
labels:
|
||||
kyverno.key/copy-from: source
|
||||
kyverno.key/copy-me: sample-value
|
||||
name: targettwo
|
||||
namespace: mutate-jmespath
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: targettwo
|
||||
namespace: mutate-jmespath
|
||||
labels:
|
||||
kyverno.key/copy-from: source
|
||||
data:
|
||||
data.yaml: |
|
||||
some: data
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: target
|
||||
namespace: mutate-jmespath
|
||||
labels:
|
||||
kyverno.key/copy-from: source
|
||||
data:
|
||||
data.yaml: |
|
||||
some: data
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource01.yaml
|
||||
assert:
|
||||
- resource01-mutated.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource02.yaml
|
||||
assert:
|
||||
- resource02-mutated.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a migration from e2e. It tests for a combination of the global anchor plus the add-if-not-present anchor in a patchStrategicMerge mutate policy with two rules.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
Two tests are conducted. In the first, if a Pod contains an emptyDir volume, it should have an annotation added. In the second, the Pod has a hostPath volume and should also receive an annotation. If either one of these Pods does not have the annotation `cluster-autoscaler.kubernetes.io/safe-to-evict: "true"` added the test fails. If this annotation is present, the test passes.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-safe-to-evict
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,35 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-safe-to-evict
|
||||
spec:
|
||||
rules:
|
||||
- name: annotate-empty-dir
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
|
||||
spec:
|
||||
volumes:
|
||||
- <(emptyDir): {}
|
||||
- name: annotate-host-path
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
+(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
|
||||
spec:
|
||||
volumes:
|
||||
- hostPath:
|
||||
<(path): "*"
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: pod-with-emptydir
|
||||
namespace: default
|
||||
annotations:
|
||||
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: pod-with-emptydir
|
||||
namespace: default
|
||||
labels:
|
||||
foo: bar
|
||||
spec:
|
||||
containers:
|
||||
- image: nginx
|
||||
name: nginx
|
||||
volumeMounts:
|
||||
- mountPath: /cache
|
||||
name: cache-volume
|
||||
volumes:
|
||||
- name: cache-volume
|
||||
emptyDir: {}
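Review bot: The container image in this fixture is the bare `nginx`, which resolves to the mutable `latest` tag, so what the CI cluster pulls can change between runs. Other fixtures in this commit already pin `nginx:1.14.2`; using `- image: nginx:1.14.2` here keeps the test reproducible. The hostPath Pod fixture in the resource file that follows has the same unpinned image.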
|
|
@ -0,0 +1,7 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: pod-with-hostpath
|
||||
namespace: default
|
||||
annotations:
|
||||
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: pod-with-hostpath
|
||||
namespace: default
|
||||
labels:
|
||||
foo: bar
|
||||
spec:
|
||||
containers:
|
||||
- image: nginx
|
||||
name: nginx
|
||||
volumeMounts:
|
||||
- mountPath: /usr/share/nginx/html
|
||||
name: test-volume
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: /var/local/aaa
|
||||
type: DirectoryOrCreate
|
||||
name: test-volume
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-mutated.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a migrated test from e2e. It checks that the global anchor works in tandem with a patchStrategicMerge policy.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If a container image is prefaced with `registry.corp.com` then it should be mutated to add an imagePullSecret named `regcred`. If this is done, the test passes. If this is not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: set-image-pull-secret
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: set-image-pull-secret
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- name: set-image-pull-secret
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
spec:
|
||||
containers:
|
||||
- <(image): "registry.corp.com/*"
|
||||
imagePullSecrets:
|
||||
- name: regcred
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: nginx
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: registry.corp.com/nginx:1.14.2
|
||||
imagePullSecrets:
|
||||
- name: regcred
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: nginx
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: registry.corp.com/nginx:1.14.2
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-mutated.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a migrated test from e2e. It checks that a simple JSON patch `replace` operation works with a variable from AdmissionReview as a component of the `value` field.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
An Ingress's first rule should have the value of the `host` field appended to it `mycompany.com`. If this value has been replaced properly, the test passes. If not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-ingress-host
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-ingress-host
|
||||
spec:
|
||||
rules:
|
||||
- name: mutate-rules-host
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Ingress
|
||||
mutate:
|
||||
patchesJson6902: |-
|
||||
- op: replace
|
||||
path: /spec/rules/0/host
|
||||
value: "{{request.object.spec.rules[0].host}}.mycompany.com"
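Review bot: The `replace` value appends `.mycompany.com` to whatever host is already present and the rule has no precondition, so the mutation is not idempotent: an UPDATE of the already-mutated Ingress would presumably be patched again and yield `kuard.mycompany.com.mycompany.com`. The test creates the Ingress only once, so it cannot catch that. A guard in the style used elsewhere in this commit would make the behavior explicit: `- key: "{{ request.operation }}"`, `operator: Equals`, `value: CREATE` under `preconditions.all`. The patch also assumes `spec.rules[0].host` exists; an Ingress without rules would presumably fail the `replace`, which is worth a comment in the policy.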
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: kuard-v1
|
||||
namespace: default
|
||||
labels:
|
||||
app: kuard
|
||||
spec:
|
||||
rules:
|
||||
- host: kuard.mycompany.com
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
service:
|
||||
name: kuard
|
||||
port:
|
||||
number: 8080
|
||||
path: /
|
||||
pathType: ImplementationSpecific
|
||||
tls:
|
||||
- hosts:
|
||||
- kuard
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: kuard-v1
|
||||
namespace: default
|
||||
labels:
|
||||
app: kuard
|
||||
spec:
|
||||
rules:
|
||||
- host: kuard
|
||||
http:
|
||||
paths:
|
||||
- backend:
|
||||
service:
|
||||
name: kuard
|
||||
port:
|
||||
number: 8080
|
||||
path: /
|
||||
pathType: ImplementationSpecific
|
||||
tls:
|
||||
- hosts:
|
||||
- kuard
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-mutated.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a migrated test from e2e. It checks that simple JSON patches function properly when mutating array slices.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
If the Pod has a second environment variable added with the name `K8S_IMAGE` with value equal to `docker.io/busybox:1.11` then the test succeeds. If it does not, the test fails. Note that there is an initContainer present which based upon the policy definition should NOT be mutated.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-image-as-env-var
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,77 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: add-image-as-env-var
|
||||
# env array needs to exist (least one env var is present)
|
||||
spec:
|
||||
background: false
|
||||
schemaValidation: false
|
||||
rules:
|
||||
# One Pod
|
||||
- name: pod-containers-1-inject-image
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{request.object.spec.containers[] | length(@)}}"
|
||||
operator: GreaterThanOrEquals
|
||||
value: 1
|
||||
mutate:
|
||||
patchesJson6902: |-
|
||||
- op: add
|
||||
path: "/spec/containers/0/env/-"
|
||||
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[0].image}}"}
|
||||
# Two or more Pods
|
||||
- name: pod-containers-2-inject-image
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{request.object.spec.containers[] | length(@)}}"
|
||||
operator: GreaterThanOrEquals
|
||||
value: 2
|
||||
mutate:
|
||||
patchesJson6902: |-
|
||||
- op: add
|
||||
path: "/spec/containers/1/env/-"
|
||||
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[1].image}}"}
|
||||
# Deployment with one Pod
|
||||
- name: deploy-containers-1-inject-image
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{request.object.spec.template.spec.containers[] | length(@)}}"
|
||||
operator: GreaterThanOrEquals
|
||||
value: 1
|
||||
mutate:
|
||||
patchesJson6902: |-
|
||||
- op: add
|
||||
path: "/spec/template/spec/containers/0/env/-"
|
||||
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.template.spec.containers[0].image}}"}
|
||||
# Deployment with two or more Pods
|
||||
- name: deploy-containers-2-inject-image
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{request.object.spec.template.spec.containers[] | length(@)}}"
|
||||
operator: GreaterThanOrEquals
|
||||
value: 2
|
||||
mutate:
|
||||
patchesJson6902: |-
|
||||
- op: add
|
||||
path: "/spec/template/spec/containers/1/env/-"
|
||||
value: {"name":"K8S_IMAGE","value":"{{request.object.spec.template.spec.containers[1].image}}"}
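Review bot: The comment `# env array needs to exist` states a requirement that none of the four rules checks: each precondition only counts `containers[]`, while every patch appends to `.../env/-`. Because the rules match all Pods and Deployments, the assumption should be stated next to the rules, for example `# assumes the target container already defines env; the patch appends to that array`. The rule comments also mislabel what is counted: `# One Pod` and `# Two or more Pods` would read better as `# Pod with at least one container` and `# Pod with at least two containers`, and likewise for the Deployment rules. `schemaValidation: false` also deserves a one-line comment explaining why it is needed here.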
|
|
@ -0,0 +1,29 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: foo-patchesjson6902-simple
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- command:
|
||||
- sleep infinity
|
||||
env:
|
||||
- name: FOO
|
||||
value: bar
|
||||
- name: K8S_IMAGE
|
||||
value: docker.io/busybox:1.11
|
||||
image: busybox:1.11
|
||||
name: busybox
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- SETUID
|
||||
initContainers:
|
||||
- command:
|
||||
- sleep infinity
|
||||
image: nginx:1.14
|
||||
name: nginx
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- SETUID
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: foo-patchesjson6902-simple
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- command:
|
||||
- sleep infinity
|
||||
env:
|
||||
- name: FOO
|
||||
value: bar
|
||||
image: busybox:1.11
|
||||
name: busybox
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- SETUID
|
||||
initContainers:
|
||||
- command:
|
||||
- sleep infinity
|
||||
image: nginx:1.14
|
||||
name: nginx
|
||||
securityContext:
|
||||
capabilities:
|
||||
drop:
|
||||
- SETUID
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- pod1.yaml
|
||||
assert:
|
||||
- pod1-mutated.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- pod2.yaml
|
||||
assert:
|
||||
- pod2-mutated.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a test migrated from e2e. It tests that simple conditional anchors (multiple) are working properly using a patchStrategicMerge mutation rule.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
For a Pod with only `containers[]`, the `securityContext.runAsNonRoot=true` should be written to each container as well as to the `spec`. For a Pod with an added `initContainers[]` entry, the same should occur for the initContainer as well. If both of these happen as expected, the test passes. If any one does not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,15 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
labels:
|
||||
app: foo
|
||||
name: foo
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- image: abc:1.28
|
||||
name: busybox
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: foo
|
||||
namespace: default
|
||||
labels:
|
||||
app: foo
|
||||
spec:
|
||||
containers:
|
||||
- image: abc:1.28
|
||||
name: busybox
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
labels:
|
||||
app: foo
|
||||
name: footwo
|
||||
namespace: default
|
||||
spec:
|
||||
containers:
|
||||
- image: abc:1.28
|
||||
name: busybox
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
initContainers:
|
||||
- image: bcd:1.29
|
||||
name: nginx
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: footwo
|
||||
namespace: default
|
||||
labels:
|
||||
app: foo
|
||||
spec:
|
||||
containers:
|
||||
- image: abc:1.28
|
||||
name: busybox
|
||||
initContainers:
|
||||
- image: bcd:1.29
|
||||
name: nginx
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: set-runasnonroot-true
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,25 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: set-runasnonroot-true
|
||||
spec:
|
||||
rules:
|
||||
- name: set-runasnonroot-true
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
initContainers:
|
||||
- (name): "*"
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
containers:
|
||||
- (name): "*"
|
||||
securityContext:
|
||||
runAsNonRoot: true
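Review bot: The `set-runasnonroot-true` rule matches every Pod in the cluster, because `resources` lists only `kinds: Pod` with no namespace, name or label constraint. While this ClusterPolicy is installed, Pods created by other conformance tests would presumably be patched too, and a Pod whose image runs as root is refused by the kubelet once `runAsNonRoot: true` is set, so any test that waits for readiness could be disturbed depending on how the suite is scheduled. Both fixtures for this test carry `app: foo`, so adding `selector: {matchLabels: {app: foo}}` under `resources` would confine the mutation to them.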
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-ready.yaml
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- resource.yaml
|
||||
assert:
|
||||
- resource-mutated.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This is a migrated test from e2e. It tests that variable substitution is occurring properly in the key of a patchStrategicMerge rule.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The annotation `fluentbit.io/exclude-busybox: "true"` is expected to be written to the Deployment. If it is, the test passes. If it is not, the test fails.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
N/A
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: structured-logs-sidecar
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: structured-logs-sidecar
|
||||
spec:
|
||||
background: false
|
||||
rules:
|
||||
- name: add-annotations
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
annotations:
|
||||
structured-logs: "true"
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
annotations:
|
||||
"fluentbit.io/exclude-{{request.object.spec.template.spec.containers[0].name}}": "true"
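Review bot: The annotation key in `patchStrategicMerge` is built from `containers[0].name` with no bound on its length, and the name segment of an annotation key is limited to 63 characters. A container name may itself be up to 63 characters, so with the `exclude-` prefix any name longer than 55 characters yields a key that API validation would reject, and the Deployment would then fail admission with an error that does not point back to this policy. A precondition on the name length lets the rule skip such Deployments instead; the sketch below assumes the usual rule layout, since the page has lost the file's indentation.

```yaml
  - name: add-annotations
    # … unchanged: match on Deployment with the structured-logs annotation …
    preconditions:
      all:
      - key: "{{ length(request.object.spec.template.spec.containers[0].name) }}"
        operator: LessThanOrEquals
        value: 55
    # … unchanged: mutate.patchStrategicMerge …
```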
|
|
@ -0,0 +1,45 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: busybox
|
||||
namespace: default
|
||||
annotations:
|
||||
structured-logs: "true"
|
||||
fluentbit.io/exclude-busybox: "true"
|
||||
labels:
|
||||
color: red
|
||||
animal: bear
|
||||
food: pizza
|
||||
car: jeep
|
||||
env: qa
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: busybox
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: busybox
|
||||
spec:
|
||||
containers:
|
||||
- image: busybox:1.28
|
||||
name: busybox
|
||||
command: ["sleep", "9999"]
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 10Mi
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 10Mi
|
||||
- image: busybox:1.28
|
||||
name: busybox1
|
||||
command: ["sleep", "9999"]
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 10Mi
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 20Mi
|
|
@ -0,0 +1,44 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: busybox
|
||||
namespace: default
|
||||
annotations:
|
||||
structured-logs: "true"
|
||||
labels:
|
||||
color: red
|
||||
animal: bear
|
||||
food: pizza
|
||||
car: jeep
|
||||
env: qa
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: busybox
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: busybox
|
||||
spec:
|
||||
containers:
|
||||
- image: busybox:1.28
|
||||
name: busybox
|
||||
command: ["sleep", "9999"]
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 10Mi
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 10Mi
|
||||
- image: busybox:1.28
|
||||
name: busybox1
|
||||
command: ["sleep", "9999"]
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 10Mi
|
||||
limits:
|
||||
cpu: 100m
|
||||
memory: 20Mi
|