diff --git a/test/ConfigMap/CM.yaml b/test/ConfigMap/CM.yaml
new file mode 100644
index 0000000000..80f31212ae
--- /dev/null
+++ b/test/ConfigMap/CM.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: game-config
+ namespace: default
+data:
+ secretData: "very sensitive data"
+ secretDatatoreplace: "data is not changed"
+ game.properties: |
+ enemies=aliens
+ lives=3
+ ui.properties: |
+ color.good=purple
+ color.bad=yellow
diff --git a/test/ConfigMap/policy-CM.yaml b/test/ConfigMap/policy-CM.yaml
new file mode 100644
index 0000000000..843ff23f7e
--- /dev/null
+++ b/test/ConfigMap/policy-CM.yaml
@@ -0,0 +1,49 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+ name : policy-cm
+spec :
+ rules:
+ - name: pCM1
+ resource:
+ kind : ConfigMap
+ name: "game-config"
+ mutate:
+ patches:
+ - path : "/data/newKey"
+ op : add
+ value : newValue
+ - name: pCM2
+ resource:
+ kind : ConfigMap
+ name: "game-config"
+ mutate:
+ patches:
+ - path : "/data/secretData"
+ op : remove
+ - path : "/data/secretDatatoreplace"
+ op : replace
+ value : "data is replaced"
+ - name: pCM3
+ resource:
+ kind : ConfigMap
+ name: "game-config"
+ mutate:
+ patches:
+ - path : "/data/secretData"
+ op : add
+ value : newData
+ validate:
+ message: "There is only one enemy"
+ pattern:
+ data:
+ game.properties: "*enemies=aliens*"
+ - name: pCM4
+ resource:
+ kind : ConfigMap
+ name: "game-config"
+ validate:
+ message: "This CM data is broken because it does not have ui.properties"
+ pattern:
+ data:
+ ui.properties: "*"
diff --git a/test/CronJob/cronjobs.yaml b/test/CronJob/cronjobs.yaml
new file mode 100644
index 0000000000..8e5dd00c37
--- /dev/null
+++ b/test/CronJob/cronjobs.yaml
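Review bot: In rule pCM3 the patch `- path : "/data/secretData"` with `op : add` targets a key that test/ConfigMap/CM.yaml already defines, and RFC 6902 `add` on an existing object member replaces it, so this rule overwrites rather than adds — while pCM2 removes the same key, so the fixture's final state depends on the order in which the engine applies rules. A comment above pCM3 such as `# expects pCM2 to have removed /data/secretData first; add re-creates it` would pin the intent, or `op : replace` if the rules are meant to be independent. The header keys are written with a space before the colon (`apiVersion : `, `kind : `, `metadata :`, `name : policy-cm`, `spec :`), which YAML tolerates but the other fixtures (policy-daemonset, policy-secret, policy-network-policy) do not use; the same spacing appears in policy-deployment-any.yaml, policy-endpoints.yaml, policy-quota-validation.yaml and policy-service.yaml, and picking one form across the test tree keeps yamllint quiet.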
@@ -0,0 +1,62 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: hello
+ labels :
+ label : "original"
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hello
+ image: busybox
+ args:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: hellow
+ labels :
+ label : "original"
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: 12hello
+ image: busybox
+ args:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: hello23
+ labels:
+ label: "original"
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hel32lo
+ image: busybox
+ args:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ restartPolicy: OnFailure
diff --git a/test/CronJob/policy-cronjob-wldcrd.yaml b/test/CronJob/policy-cronjob-wldcrd.yaml
new file mode 100644
index 0000000000..4ef1598c35
--- /dev/null
+++ b/test/CronJob/policy-cronjob-wldcrd.yaml
@@ -0,0 +1,37 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: policy-cronjob
+spec:
+ rules:
+ - name:
+ resource:
+ kind : CronJob
+ name: "?ell*"
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path : "/spec/schedule"
+ op : replace
+ value : "* */1 * * *"
+ - path: "/metadata/labels/label"
+ op: add
+ value: "not_original"
+ - path: "/metadata/labels/label234e3"
+ op: remove
+ validate:
+ message: "This resource is broken"
+ pattern:
+ metadata:
+ labels:
+ label: "not_original"
+ spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: "h*"
+ image: busybox
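Review bot: The rule's `- name:` is left empty, so it parses as null and any violation reported by this rule cannot be traced back to it; give it a value, e.g. `- name: cronjob-mutate-validate`. The same empty rule name appears in test/Endpoint/policy-endpoints.yaml and in all three rules of test/ResourceQuota/policy-quota-validation.yaml. The patch `- path: "/metadata/labels/label234e3"` with `op: remove` targets a label that none of the CronJobs in test/CronJob/cronjobs.yaml carry; under RFC 6902 a remove of a missing member is an error that fails the whole patch, so unless the engine deliberately tolerates it this rule's mutation would never apply — a comment above the patch stating which outcome the test expects would settle it.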
diff --git a/test/DaemonSet/policy-daemonset.yaml b/test/DaemonSet/policy-daemonset.yaml
new file mode 100644
index 0000000000..47912c2795
--- /dev/null
+++ b/test/DaemonSet/policy-daemonset.yaml
@@ -0,0 +1,27 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: policy-daemonset
+spec:
+ rules:
+ - name: "Patch and Volume validation"
+ resource:
+ kind: DaemonSet
+ name: fluentd-elasticsearch
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path: "/metadata/labels/originalLabel"
+ op: remove
+ validate:
+ message: "This daemonset is broken"
+ pattern:
+ spec:
+ template:
+ spec:
+ containers:
+ volumeMounts:
+ - name: varlibdockercontainers
+ readOnly: false
diff --git a/test/Deployment/policy-deployment-any.yaml b/test/Deployment/policy-deployment-any.yaml
new file mode 100644
index 0000000000..6a43ec225d
--- /dev/null
+++ b/test/Deployment/policy-deployment-any.yaml
@@ -0,0 +1,25 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+ name : policy-deployment
+spec :
+ rules:
+ - name: "First policy v2"
+ resource:
+ kind : Deployment
+ name: nginx-*
+ mutate:
+ patches:
+ - path: /metadata/labels/isMutated
+ op: add
+ value: "true"
+ - path: /metadata/labels/app
+ op: replace
+ value: "nginx_is_mutated"
+
+ validate:
+ message: "Because I like only mutated resources"
+ pattern:
+ metadata:
+ labels:
+ app: "*mutated"
diff --git a/test/Endpoint/endpoints.yaml b/test/Endpoint/endpoints.yaml
new file mode 100644
index 0000000000..958d931482
--- /dev/null
+++ b/test/Endpoint/endpoints.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: test-endpoint
+ labels:
+ label : test
+subsets:
+- addresses:
+ - ip: 192.168.10.171
+ ports:
+ - name: secure-connection
+ port: 443
+ protocol: TCP
diff --git a/test/Endpoint/policy-endpoints.yaml b/test/Endpoint/policy-endpoints.yaml
new file mode 100644
index 0000000000..335573c6ba
--- /dev/null
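Review bot: Under `pattern:` the `containers:` node is given a mapping child (`volumeMounts:`) rather than a list item, while the PodSpec field and the other policy fixture that reaches it (policy-cronjob-wldcrd.yaml uses `containers: - name: "h*"`) treat it as a sequence; unless the engine accepts a mapping here as a match-any-element shorthand, this pattern can never match and every DaemonSet would be reported as broken. The pattern also requires `readOnly: false` on the varlibdockercontainers mount; the usual fluentd-elasticsearch manifest mounts that host path read-only, so if this fixture is meant to pass against it the value should be `readOnly: true`, and if it is meant to fail, a comment above `validate:` saying so would save the next reader the guess.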
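Review bot: The resource selector `name: nginx-*` and the two `path:` values are unquoted while every other policy fixture in this change quotes them (`name: "game-config"`, `path: "/metadata/labels/isMutated"`); the plain scalars parse correctly here, but a glob that begins with `*` would be read as a YAML alias, so quoting consistently is the safer habit — `name: "nginx-*"`. The blank line between the last patch and `validate:` is also the only one inside a rule across these fixtures and is probably a leftover.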
+++ b/test/Endpoint/policy-endpoints.yaml
@@ -0,0 +1,32 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+ name : policy-endpoints
+spec :
+ rules:
+ - name:
+ resource:
+ kind : Endpoints
+ selector:
+ matchLabels:
+ label : test
+ mutate:
+ patches:
+ - path : "/subsets/0/ports/0/port"
+ op : replace
+ value: 9663
+ - path : "/subsets/0"
+ op: add
+ value:
+ addresses:
+ - ip: "192.168.10.171"
+ ports:
+ - name: load-balancer-connection
+ port: 80
+ protocol: UDP
+ validate:
+ message: "This resource has wrong IP"
+ pattern:
+ subsets:
+ - addresses:
+ - ip: "192.168.10.171|192.168.10.172"
diff --git a/test/HorizontalPodAutoscaler/hpa.yaml b/test/HorizontalPodAutoscaler/hpa.yaml
new file mode 100644
index 0000000000..75dd3b6467
--- /dev/null
+++ b/test/HorizontalPodAutoscaler/hpa.yaml
@@ -0,0 +1,22 @@
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: wildfly-example
+ labels:
+ originalLabel: isHere
+spec:
+ scaleTargetRef:
+ apiVersion: extensions/v1beta1
+ kind: Deployment
+ name: wildfly-example
+ minReplicas: 1
+ maxReplicas: 5
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageValue: 1000Mi
diff --git a/test/Ingress/policy-ingress.yaml b/test/Ingress/policy-ingress.yaml
new file mode 100644
index 0000000000..e0c2abb1a7
--- /dev/null
+++ b/test/Ingress/policy-ingress.yaml
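Review bot: The second patch, `- path : "/subsets/0"` with `op: add`, does not replace the subset — RFC 6902 `add` at an existing array index inserts before it — so after the first patch changes the original subset's port to 9663 the new UDP subset becomes subsets[0] and the patched one shifts to subsets[1]. If a single subset was intended the op should be `op: replace`; otherwise a comment above the patch such as `# inserts a second subset; the original (port 9663) moves to index 1` would make the expected result explicit. The validate pattern `- ip: "192.168.10.171|192.168.10.172"` passes either way because both subsets use 192.168.10.171, so it does not pin which outcome the test expects.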
@@ -0,0 +1,30 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata :
+ name : policy-ingress
+spec :
+ rules:
+ - name: ingress1
+ resource:
+ kind : Ingress
+ selector:
+ matchLabels:
+ originalLabel: isHere
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path : "/spec/rules/0/http/paths/0/path"
+ op : replace
+ value: "/mutatedpath"
+ validate:
+ message: "Ingress allowed only for prod services"
+ pattern:
+ spec:
+ rules:
+ - http:
+ paths:
+ - path: "*"
+ backend:
+ serviceName: "*prod"
diff --git a/test/NetworkPolicy/policy-network-policy.yaml b/test/NetworkPolicy/policy-network-policy.yaml
new file mode 100644
index 0000000000..3e105c687b
--- /dev/null
+++ b/test/NetworkPolicy/policy-network-policy.yaml
@@ -0,0 +1,29 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: policy-network-policy
+spec:
+ rules:
+ - name: np1
+ resource:
+ kind : NetworkPolicy
+ selector:
+ matchLabels:
+ originalLabel: isHere
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path : "/spec/ingress/0/from/0/ipBlock/cidr"
+ op : replace
+ value: "172.17.128.0/17"
+ validate:
+ message: "This network policy does not meet security criteria"
+ pattern:
+ spec:
+ ingress:
+ - from:
+ - ipBlock:
+ except:
+ - 172.17.129.0/24
diff --git a/test/ResourceQuota/policy-quota-validation.yaml b/test/ResourceQuota/policy-quota-validation.yaml
new file mode 100644
index 0000000000..fcf59a5173
--- /dev/null
+++ b/test/ResourceQuota/policy-quota-validation.yaml
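Review bot: The validate pattern `serviceName: "*prod"` is a suffix glob, so a backend named e.g. `nonprod` or `notprod` satisfies it even though the message reads "Ingress allowed only for prod services"; if the engine supports the alternation syntax used in policy-quota-validation.yaml (`"8Gi|12Gi"`), an explicit list of allowed names, or at least `"prod-*|*-prod"`, would express the intent more tightly. The mutation only rewrites `/spec/rules/0/http/paths/0/path`, while the pattern is written against `paths:` without an index; whether it is checked against every path or only the first depends on the engine's list-matching rule, which a short comment above `pattern:` could state.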
@@ -0,0 +1,42 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+ name : policy-quota-low-test-validation
+spec :
+ rules:
+ - name:
+ resource:
+ kind : ResourceQuota
+ selector:
+ matchLabels:
+ quota: low
+ validate:
+ message: "This RQ requests too many RAM"
+ pattern:
+ spec:
+ hard:
+ memory: "8Gi|12Gi"
+ - name:
+ resource:
+ kind : ResourceQuota
+ selector:
+ matchLabels:
+ quota: low
+ validate:
+ message: "This RQ requests too many CPUs"
+ pattern:
+ spec:
+ hard:
+ cpu: <3
+ - name:
+ resource:
+ kind : ResourceQuota
+ selector:
+ matchLabels:
+ quota: low
+ validate:
+ message: "This RQ requests too many PODs"
+ pattern:
+ spec:
+ hard:
+ pods: 1|2|3|4
diff --git a/test/Secret/policy-secret.yaml b/test/Secret/policy-secret.yaml
new file mode 100644
index 0000000000..aeae51ad14
--- /dev/null
+++ b/test/Secret/policy-secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: policy-secrets
+spec:
+ rules:
+ - name: secret1
+ resource:
+ kind : Secret
+ name: "mysecret"
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path: "/metadata/labels/originalLabel"
+ op: remove
+ - path : "/data/newPass"
+ op : add
+ value : "bmV3UmFuZG9tUGFzcwo="
+ - path : "/data/password"
+ op : replace
+ value : "Y29tcHJvbWlzZWQK"
+ validate:
+ message: "This type of secrets does not meet security criteria"
+ pattern:
+ type: "Opaque"
diff --git a/test/Secret/secret.yaml b/test/Secret/secret.yaml
new file mode 100644
index 0000000000..930487bde9
--- /dev/null
+++ b/test/Secret/secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mysecret
+ labels:
+ originalLabel : isHere
+
+type: Opaque
+data:
+ username: TmlybWF0YQ==
+ password: aXNDb29s
diff --git a/test/Service/policy-service.yaml b/test/Service/policy-service.yaml
new file mode 100644
index 0000000000..c92f4c6d21
--- /dev/null
+++ b/test/Service/policy-service.yaml
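Review bot: The first and third rules express an upper bound as an exact allow-list — `memory: "8Gi|12Gi"` and `pods: 1|2|3|4` — so a quota of 4Gi or 0 pods fails the check even though the messages say "too many"; the cpu rule already uses a comparison, `cpu: <3`, and if the engine applies that operator to quantity strings as well, `memory: "<=12Gi"` and `pods: "<5"` would match the messages (confirm operator support for Quantity values before changing). `pods: 1|2|3|4` and `cpu: <3` are also unquoted while `memory:` is quoted; all three parse as plain strings today, but quoting them uniformly avoids a future edit turning one into a number. The three rules select the same resources and could be a single rule with one `hard:` pattern, which would also yield one message per quota instead of three.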
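Review bot: Both patched Secret values carry a trailing newline inside the base64: `value : "bmV3UmFuZG9tUGFzcwo="` decodes to `newRandomPass\n` and `value : "Y29tcHJvbWlzZWQK"` to `compromised\n`, the usual `echo | base64` artefact, so any consumer of `/data/newPass` or `/data/password` after this mutation gets a password that ends in a line feed. Re-encoded without the newline (constructed here from the decoded text) the values are `"bmV3UmFuZG9tUGFzcw=="` and `"Y29tcHJvbWlzZWQ="`; a comment above each patch giving the plaintext would make the fixture reviewable without decoding. The values in test/Secret/secret.yaml itself (`TmlybWF0YQ==`, `aXNDb29s`) do not have this problem.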
@@ -0,0 +1,31 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+ name : policy-service
+spec :
+ rules:
+ - name: ps1
+ resource:
+ kind: Service
+ name: "game-service*"
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path : "/metadata/labels/secretLabel"
+ op : replace
+ value : "weKnow"
+ - path : "/metadata/labels/originalLabel"
+ op : remove
+ - path: "/spec/selector/app"
+ op: replace
+ value: "mutedApp"
+ validate:
+ message: "This service has wrong port"
+ pattern:
+ spec:
+ ports:
+ - name: "http"
+ protocol: TCP
+ port: 80|8080
diff --git a/test/Service/service.yaml b/test/Service/service.yaml
new file mode 100644
index 0000000000..9ebda125a1
--- /dev/null
+++ b/test/Service/service.yaml
@@ -0,0 +1,15 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: game-service
+ labels:
+ originalLabel : isHere
+ secretLabel : thisIsMySecret
+spec:
+ selector:
+ app: MyApp
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: 9376
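Review bot: `port: 80|8080` under `pattern:` is an unquoted alternation; it parses as the plain string `80|8080`, but the only other alternation in these fixtures is quoted (`memory: "8Gi|12Gi"` in policy-quota-validation.yaml) and a value starting with a digit becomes an int the moment the `|` is dropped, so `port: "80|8080"` is the consistent form. The selector patch `value: "mutedApp"` replaces `app: MyApp` from test/Service/service.yaml, so after mutation the Service only selects pods labelled `app: mutedApp`; if `mutatedApp` was intended (the label convention elsewhere is `isMutated`), fix it before other tests depend on the string.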
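Review bot: `kind: Service` precedes `apiVersion: v1`, the only manifest in this change ordered that way; CM.yaml, cronjobs.yaml, endpoints.yaml, hpa.yaml and secret.yaml all start with `apiVersion`, and keeping that order makes the fixtures uniform and easier to diff. Swapping the two lines is the whole change.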