add demo example

2025-03-30 19:35:06 +00:00 · 2019-07-17 13:31:00 -07:00 · 2019-07-17 13:31:00 -07:00 · 24b5acdc73
commit 24b5acdc73
parent 59b9cab18b
12 changed files with 191 additions and 36 deletions
--- a/examples/demo/allowed_registry/nginx.yaml
+++ b/examples/demo/allowed_registry/nginx.yaml
@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+    cli: test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        # image: nginx
+        image: nirmata/nginx
--- a/examples/demo/allowed_registry/policy.yaml
+++ b/examples/demo/allowed_registry/policy.yaml
@ -0,0 +1,22 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-registries
+spec:
+  rules:
+  - name: check-registries
+    resource:
+      kinds:
+      - Deployment
+      - StatefulSet
+    validate:
+      message: "Registry is not allowed"
+      pattern:
+        spec:
+          template:
+            spec:
+              containers:
+              - name: "*"
+                # Check allowed registries
+                image: "*nirmata*"
+                # image: "*nirmata* | https://private.registry.io/*"
--- a/examples/demo/health_check/pod.yaml
+++ b/examples/demo/health_check/pod.yaml
@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    test: probe
+  name: probe
+spec:
+  containers:
+  - name: readiness
+    image: k8s.gcr.io/busybox
+    args:
+    - /bin/sh
+    - -c
+    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
+    readinessProbe:
+      periodSeconds: 5
+      exec:
+        command:
+        - cat
+        - /tmp/healthy
+  - name: liveness
+    image: k8s.gcr.io/liveness
+    args:
+    - /server
+    livenessProbe:
+      httpGet:
+        path: /healthz
+        port: 8080
+        httpHeaders:
+        - name: Custom-Header
+          value: Awesome
+      periodSeconds: 3
--- a/examples/demo/health_check/policy.yaml
+++ b/examples/demo/health_check/policy.yaml
@ -0,0 +1,33 @@
+apiVersion : kyverno.io/v1alpha1
+kind : Policy
+metadata :
+  name: check-probe-exists
+spec:
+  rules:
+  - name: check-readinessProbe-exists
+    resource:
+      kinds :
+      - Pod
+    validate:
+      message: "a readinessProbe is required"
+      pattern:
+        spec:
+          containers:
+          - (name): "readiness"
+            readinessProbe:
+              periodSeconds: ">0"
+  - name: check-livenessProbe-exists
+    resource:
+      kinds :
+      - Pod
+    validate:
+      message: "a livenessProbe is required"
+      pattern:
+        spec:
+          containers:
+          - (name): "liveness"
+            livenessProbe:
+              httpGet:
+                path: "?*"
+                port: "*"
+                scheme: "?*"
--- a/examples/demo/image_pull_policy/nginx.yaml
+++ b/examples/demo/image_pull_policy/nginx.yaml
@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+    cli: test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
+        # imagePullPolicy: IfNotPresent
--- a/examples/demo/image_pull_policy/policy.yaml
+++ b/examples/demo/image_pull_policy/policy.yaml
@ -0,0 +1,20 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: image-pull-policy
+spec:
+  rules:
+  - name: image-pull-policy
+    resource:
+      kinds:
+      - Deployment
+    mutate:
+      overlay:
+        spec:
+          template:
+            spec:
+              containers:
+              # select images which end with :latest
+              - (image): "*latest"
+                # require that the imagePullPolicy is "IfNotPresent"  
+                imagePullPolicy: IfNotPresent
--- a/examples/demo/mutate_patch/ep.yaml
+++ b/examples/demo/mutate_patch/ep.yaml
@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: demo-endpoint
-  labels:
-    label : test
-subsets:
- addresses:
-  - ip: 192.168.10.171
-  ports:
-  - name: secure-connection
-    port: 443
-    protocol: TCP
--- a/examples/demo/mutate_patch/policy_patch.yaml
+++ b/examples/demo/mutate_patch/policy_patch.yaml
@ -1,23 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-endpoints
-spec :
-  rules:
-    - name: demo-ep
-      resource:
-        kinds : 
-        - Endpoints
-        selector:
-          matchLabels:
-            label : test
-      mutate:
-        patches:
-          # add a new label
-          - path: /metadata/labels/app.type
-            op: add
-            value: dev
-          # replace port 
-          - path : /subsets/0/ports/0/port
-            op : replace
-            value: 9663
--- a/examples/demo/non_root/nginx.yaml
+++ b/examples/demo/non_root/nginx.yaml
@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: psp-demo-unprivileged
+  labels:
+    app.type: prod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: psp
+  template:
+    metadata:
+      labels:
+        app: psp
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      containers:
+      - name: sec-ctx-unprivileged
+        image: nginxinc/nginx-unprivileged
--- a/examples/demo/non_root/policy.yaml
+++ b/examples/demo/non_root/policy.yaml
@ -0,0 +1,21 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: policy-security-context
+spec:
+  rules:
+  - name: validate-runAsNonRoot
+    resource:
+      kinds:
+      - Deployment
+      selector :
+        matchLabels:
+          app.type: prod
+    validate:
+      message: "security context 'runAsNonRoot' shoud be set to true"
+      pattern:
+        spec:
+          template:
+            spec:
+              securityContext:
+                runAsNonRoot: true
--- a/examples/demo/security_context/nginx.yaml
+++ b/examples/demo/security_context/nginx.yaml
--- a/examples/demo/security_context/policy.yaml
+++ b/examples/demo/security_context/policy.yaml