add examples_not_tested

examples/demo/container_security_context/nginx.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: psp-demo-unprivileged
+  labels:
+    app.type: prod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: psp
+  template:
+    metadata:
+      labels:
+        app: psp
+    spec:
+      containers:
+      - name: sec-ctx-unprivileged
+        image: nginxinc/nginx-unprivileged
+        securityContext:
+          runAsNonRoot: true
+

examples/demo/container_security_context/policy.yaml

@@ -0,0 +1,25 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: container-security-context
+spec:
+  rules:
+  - name: set-userID
+    resource:
+      kinds:
+      - Deployment
+      selector :
+        matchLabels:
+          app.type: prod
+    validate:
+      message: "validate container security contexts"
+      pattern:
+        spec:
+          template:
+            spec:
+              containers:
+                securityContext:
+                  # privileged: false
+                  # allowPrivilegeEscalation: false
+                  # readOnlyRootFilesystem: true
+                  runAsNonRoot: true

examples/demo/pod_security_context/policy.yaml

@@ -0,0 +1,24 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: pod-security-context
+spec:
+  rules:
+  - name: set-userID
+    resource:
+      kinds:
+      - Deployment
+      selector :
+        matchLabels:
+          app.type: prod
+    validate:
+      message: "secure pod"
+      pattern:
+        spec:
+          template:
+            spec:
+              hostNetwork: false
+              hostIPC: false
+              hostPID: false
+              securityContext:
+                runAsNonRoot: true

pkg/engine/overlay_new.go

@@ -0,0 +1,70 @@
+package engine
+
+import (
+	"reflect"
+)
+
+// func processoverlay(rule kubepolicy.Rule, rawResource []byte, gvk metav1.GroupVersionKind) ([][]byte, error) {
+
+// 	var resource interface{}
+// 	var appliedPatches [][]byte
+// 	err := json.Unmarshal(rawResource, &resource)
+// 	if err != nil {
+// 		return nil, err
+// 	}
+
+// 	patches, err := mutateResourceWithOverlay(resource, *rule.Mutation.Overlay)
+// 	if err != nil {
+// 		return nil, err
+// 	}
+// 	appliedPatches = append(appliedPatches, patches...)
+
+// 	return appliedPatches, err
+// }
+
+func applyoverlay(resource, overlay interface{}, path string) ([][]byte, error) {
+	var appliedPatches [][]byte
+	// resource item exists but has different type - replace
+	// all subtree within this path by overlay
+	if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
+		patch, err := replaceSubtree(overlay, path)
+		if err != nil {
+			return nil, err
+		}
+
+		appliedPatches = append(appliedPatches, patch)
+	}
+
+	return applyOverlayForSameTypes(resource, overlay, path)
+}
+
+func checkConditions(resource, overlay interface{}, path string) bool {
+
+	switch typedOverlay := overlay.(type) {
+	case map[string]interface{}:
+		typedResource := resource.(map[string]interface{})
+		if !checkConditionOnMap(typedResource, typedOverlay) {
+			return false
+		}
+	case []interface{}:
+		typedResource := resource.([]interface{})
+		if !checkConditionOnArray(typedResource, typedOverlay) {
+			return false
+		}
+	case string, float64, int64, bool:
+
+	default:
+		return false
+	}
+	return true
+}
+
+func checkConditionOnMap(resourceMap, overlayMap map[string]interface{}) bool {
+	// _ := getAnchorsFromMap(overlayMap)
+
+	return false
+}
+
+func checkConditionOnArray(resource, overlay []interface{}) bool {
+	return false
+}