From 25b60590ca94a56cde15e3b389262af588c10077 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Wed, 22 May 2019 00:09:45 -0700
Subject: [PATCH] - add validation example - update docs for validation
---
 documentation/installation.md | 2 +
 documentation/testing-policies.md | 3 ++
 documentation/writing-policies-generate.md | 2 +-
 documentation/writing-policies-mutate.md | 2 +-
 documentation/writing-policies-validate.md | 61 +++++++++++++++++++++-
 documentation/writing-policies.md | 3 ++
 examples/Validate/check_not_root.yaml | 17 ++++++
 7 files changed, 86 insertions(+), 4 deletions(-)
 create mode 100644 examples/Validate/check_not_root.yaml
diff --git a/documentation/installation.md b/documentation/installation.md
index 9705f93c47..0aa98a49cd 100644
--- a/documentation/installation.md
+++ b/documentation/installation.md
@@ -25,4 +25,6 @@ To run Kyverno in a development environment see: https://github.com/nirmata/kyve
 To write and test policies without installing Kyverno in a Kubernetes cluster you can try the [Kyverno CLI](documentation/testing-policies-cli.md).
+
+---
 *Read Next >> [Writing Policies](/documentation/writing-policies.md)*
\ No newline at end of file
diff --git a/documentation/testing-policies.md b/documentation/testing-policies.md
index eeae9071ee..25ff0a309d 100644
--- a/documentation/testing-policies.md
+++ b/documentation/testing-policies.md
@@ -11,3 +11,6 @@
+
+---
+
diff --git a/documentation/writing-policies-generate.md b/documentation/writing-policies-generate.md
index 47d91804b8..81151b52d7 100644
--- a/documentation/writing-policies-generate.md
+++ b/documentation/writing-policies-generate.md
@@ -5,6 +5,6 @@
-
+---
 *Read Next >> [Testing Policies](/documentation/testing-policies.md)*
diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md
index f67fb288c7..d972c5a735 100644
--- a/documentation/writing-policies-mutate.md
+++ b/documentation/writing-policies-mutate.md
@@ -5,5 +5,5 @@
-
+---
 *Read Next >> [Generate](/documentation/writing-policies-generate.md)*
diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md
index d1ff1d2247..afdd33b438 100644
--- a/documentation/writing-policies-validate.md
+++ b/documentation/writing-policies-validate.md
@@ -3,8 +3,65 @@ # Validate Configurations
+A validation rule is expressed as an overlay pattern that expresses the desired configuration. Resource configurations must match fields and expressions defined in the pattern to pass the validation rule. The following rules are followed when processing the overlay pattern:
+
+1. Validation will fail if a field is defined in the pattern and if the field does not exist in the configuration.
+2. Undefined fields are treated as wildcards.
+3. A validation pattern field with the wildcard value '*' will match zero or more alphanumeric characters. Empty values or missing fields are matched.
+4. A validation pattern field with the wildcard value '?' will match any single alphanumeric character. Empty or missing fields are not matched.
+5. A validation pattern field with the wildcard value '*?' will match any alphanumeric characters and requires the field to be present with non-empty values.
+6. A validation pattern field with the value `null` requires that the field not be defined or have a null value.
+6. The validation of siblings is performed only when one of the field values matches the value defined in the pattern. You can use the parenthesis operator to explictly specify a field value that must be matched. This allows writing rules like 'if fieldA equals X, then fieldB must equal Y'.
+7. Validation of child values is only performed if the parent matches the pattern.
+
+## Patterns
+
+### Wildcards
+1. `*` - matches zero or more alphanumeric characters
+2. `?` - maatches a single alphanumeric character
+
+### Operators
+
+| Operator | Meaning |
+|------------|---------------------------|
+| `>` | greater than |
+| `<` | less than |
+| `>=` | greater than or equals to |
+| `<=` | less than or equals to |
+| `!` | not equals |
+| `|` | logical or |
+| `&` | logical and |
+
+There is no operator for `equals` as providing a field value in the pattern requires equality to the value.
+
+## Example
+
+````yaml
+
+apiVersion : kyverno.io/v1alpha1
+kind : Policy
+metadata :
+ name : validation-example
+spec :
+ rules:
+ - resource:
+ # Kind specifies one or more resource types to match
+ kind: Deployment, StatefuleSet, DaemonSet
+ # Name is optional and can use wildcards
+ name: *
+ # Selector is optional
+ selector:
+ validate:
+ # Message is optional
+ message: "The label app is required"
+ pattern:
+ spec:
+ selector:
+ matchLabels:
+ app: ?*
+
+````
-
-
+---
 *Read Next >> [Mutate](/documentation/writing-policies-mutate.md)*
\ No newline at end of file
diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md
index eb22385006..7c8a9bc337 100644
--- a/documentation/writing-policies.md
+++ b/documentation/writing-policies.md
@@ -37,5 +37,8 @@ spec : ... ````
+Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **validate**, **mutate**, or **generate** child node.
+
+---
 *Read Next >> [Validate](/documentation/writing-policies-validate.md)*
\ No newline at end of file
diff --git a/examples/Validate/check_not_root.yaml b/examples/Validate/check_not_root.yaml
new file mode 100644
index 0000000000..12685e4e22
--- /dev/null
+++ b/examples/Validate/check_not_root.yaml
@@ -0,0 +1,17 @@
+apiVersion : kyverno.io/v1alpha1
+kind : Policy
+metadata :
+ name : check-non-root
+spec :
+ rules:
+ - name: check-non-root
+ resource:
+ kind: Deployment, StatefuleSet, DaemonSet
+ validate:
+ message: "Root user is not allowed"
+ pattern:
+ spec:
+ template:
+ spec:
+ securityContext:
+ runAsNotRoot: true
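Review bot: The pattern on the last line of the new check_not_root.yaml checks `runAsNotRoot`, which is not a Kubernetes securityContext field; the field that actually constrains the user is `runAsNonRoot`, so as written the rule never inspects the real setting and, under the documented rule that a pattern field absent from the configuration fails validation, would presumably reject every matching workload rather than only those that run as root. Change that line to `runAsNonRoot: true`. The `kind:` line also misspells `StatefulSet` as `StatefuleSet` (the same typo is in the example added to writing-policies-validate.md), so StatefulSets would likely not be matched at all. Note too that the pattern only inspects the pod-level securityContext, and in Kubernetes a container-level securityContext overrides pod-level settings where they overlap, so a comment such as `# pod-level only: a container-level securityContext can still override this` would make the scope of the check clear to readers.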