updated policies

updated policies according to new policy structure for testing

test/ConfigMap/CM.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: game-config
+  namespace: default
+data:
+  secretData: "very sensitive data"
+  secretDatatoreplace: "data is not changed"
+  game.properties: |
+    enemies=aliens
+    lives=3
+  ui.properties: |
+    color.good=purple
+    color.bad=yellow

test/ConfigMap/policy-CM.yaml

@@ -0,0 +1,49 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+  name : policy-cm
+spec :
+  rules:
+    - name: pCM1
+      resource:
+        kind : ConfigMap
+        name: "game-config"
+      mutate:
+        patches:
+        - path : "/data/newKey"
+          op : add
+          value : newValue
+    - name: pCM2
+      resource:
+        kind : ConfigMap
+        name: "game-config"
+      mutate:
+        patches:
+        - path : "/data/secretData"
+          op : remove
+        - path : "/data/secretDatatoreplace"
+          op : replace
+          value : "data is replaced"
+    - name: pCM3
+      resource:
+        kind : ConfigMap
+        name: "game-config"
+      mutate:
+        patches:
+        - path : "/data/secretData"
+          op : add
+          value : newData
+      validate:
+        message: "There is only one enemy"
+        pattern:
+          data:
+            game.properties: "*enemies=aliens*"
+    - name: pCM4
+      resource:
+        kind : ConfigMap
+        name: "game-config"
+      validate:
+        message: "This CM data is broken because it does not have ui.properties"
+        pattern:
+          data:
+            ui.properties: "*"

test/CronJob/cronjobs.yaml

@@ -0,0 +1,62 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: hello
+  labels :
+    label : "original"
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: hello
+            image: busybox
+            args:
+            - /bin/sh
+            - -c
+            - date; echo Hello from the Kubernetes cluster
+          restartPolicy: OnFailure
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: hellow
+  labels :
+    label : "original"
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: 12hello
+            image: busybox
+            args:
+            - /bin/sh
+            - -c
+            - date; echo Hello from the Kubernetes cluster
+          restartPolicy: OnFailure
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: hello23
+  labels:
+      label: "original"
+spec:
+  schedule: "*/1 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: hel32lo
+            image: busybox
+            args:
+            - /bin/sh
+            - -c
+            - date; echo Hello from the Kubernetes cluster
+          restartPolicy: OnFailure

test/CronJob/policy-cronjob-wldcrd.yaml

@@ -0,0 +1,37 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: policy-cronjob
+spec:
+  rules:
+    - name:
+      resource:
+        kind : CronJob
+        name: "?ell*"
+      mutate:
+        patches:
+          - path: "/metadata/labels/isMutated"
+            op: add
+            value: "true"
+          - path : "/spec/schedule"
+            op : replace
+            value : "* */1 * * *"
+          - path: "/metadata/labels/label"
+            op: add
+            value: "not_original"
+          - path: "/metadata/labels/label234e3"
+            op: remove
+      validate:
+        message: "This resource is broken"
+        pattern:
+          metadata:
+            labels:
+              label: "not_original"
+          spec:
+            jobTemplate:
+              spec:
+                template:
+                  spec:
+                    containers:
+                    - name: "h*"
+                      image: busybox

test/DaemonSet/policy-daemonset.yaml

@@ -0,0 +1,27 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: policy-daemonset
+spec:
+  rules:
+    - name: "Patch and Volume validation"
+      resource:
+        kind: DaemonSet
+        name: fluentd-elasticsearch
+      mutate:
+        patches:
+        - path: "/metadata/labels/isMutated"
+          op: add
+          value: "true"
+        - path: "/metadata/labels/originalLabel"
+          op: remove
+      validate:
+        message: "This daemonset is broken"
+        pattern:
+          spec:
+            template:
+              spec:
+                containers:
+                  volumeMounts:
+                  - name: varlibdockercontainers
+                    readOnly: false

test/Deployment/policy-deployment-any.yaml

@@ -0,0 +1,25 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+  name : policy-deployment
+spec :
+  rules:
+    - name: "First policy v2"
+      resource:
+        kind : Deployment
+        name: nginx-*
+      mutate:
+        patches:
+        - path: /metadata/labels/isMutated
+          op: add
+          value: "true"
+        - path: /metadata/labels/app
+          op: replace
+          value: "nginx_is_mutated"
+
+      validate:
+        message: "Because I like only mutated resources"
+        pattern:
+          metadata:
+            labels:
+              app: "*mutated"

test/Endpoint/endpoints.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: test-endpoint
+  labels:
+    label : test
+subsets:
+- addresses:
+  - ip: 192.168.10.171
+  ports:
+  - name: secure-connection
+    port: 443
+    protocol: TCP

test/Endpoint/policy-endpoints.yaml

@@ -0,0 +1,32 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+  name : policy-endpoints
+spec :
+  rules:
+    - name:
+      resource:
+        kind : Endpoints
+        selector:
+          matchLabels:
+            label : test
+      mutate:
+        patches:
+          - path : "/subsets/0/ports/0/port"
+            op : replace
+            value: 9663
+          - path : "/subsets/0"
+            op: add
+            value:
+              addresses:
+              - ip: "192.168.10.171"
+              ports:
+              - name: load-balancer-connection
+                port: 80
+                protocol: UDP
+      validate:
+        message: "This resource has wrong IP"
+        pattern:
+          subsets:
+          - addresses:
+            - ip: "192.168.10.171|192.168.10.172"

test/HorizontalPodAutoscaler/hpa.yaml

@@ -0,0 +1,22 @@
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: wildfly-example
+  labels:
+    originalLabel: isHere
+spec:
+  scaleTargetRef:
+    apiVersion: extensions/v1beta1
+    kind: Deployment
+    name: wildfly-example
+  minReplicas: 1
+  maxReplicas: 5
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      targetAverageUtilization: 80
+  - type: Resource
+    resource:
+      name: memory
+      targetAverageValue: 1000Mi

test/Ingress/policy-ingress.yaml

@@ -0,0 +1,30 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata :
+  name : policy-ingress
+spec :
+  rules:
+    - name: ingress1
+      resource:
+        kind : Ingress
+        selector:
+          matchLabels:
+            originalLabel: isHere
+      mutate:
+        patches:
+        - path: "/metadata/labels/isMutated"
+          op: add
+          value: "true"
+        - path : "/spec/rules/0/http/paths/0/path"
+          op : replace
+          value: "/mutatedpath"
+      validate:
+        message: "Ingress allowed only for prod services"
+        pattern:
+          spec:
+            rules:
+            - http:
+               paths:
+                - path: "*"
+                  backend:
+                    serviceName: "*prod"

test/NetworkPolicy/policy-network-policy.yaml

@@ -0,0 +1,29 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: policy-network-policy
+spec:
+  rules:
+    - name: np1
+      resource:
+        kind : NetworkPolicy
+        selector:
+          matchLabels:
+            originalLabel: isHere
+      mutate:
+        patches:
+        - path: "/metadata/labels/isMutated"
+          op: add
+          value: "true"
+        - path : "/spec/ingress/0/from/0/ipBlock/cidr"
+          op : replace
+          value: "172.17.128.0/17"
+      validate:
+        message: "This network policy does not meet security criteria"
+        pattern:
+          spec:
+            ingress:
+            - from:
+              - ipBlock:
+                  except:
+                  - 172.17.129.0/24

test/ResourceQuota/policy-quota-validation.yaml

@@ -0,0 +1,42 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+  name : policy-quota-low-test-validation
+spec :
+  rules:
+    - name:
+      resource:
+        kind : ResourceQuota
+        selector:
+          matchLabels:
+            quota: low
+      validate:
+        message: "This RQ requests too many RAM"
+        pattern:
+          spec:
+            hard:
+              memory: "8Gi|12Gi"
+    - name:
+      resource:
+        kind : ResourceQuota
+        selector:
+          matchLabels:
+            quota: low
+      validate:
+        message: "This RQ requests too many CPUs"
+        pattern:
+          spec:
+            hard:
+              cpu: <3
+    - name:
+      resource:
+        kind : ResourceQuota
+        selector:
+          matchLabels:
+            quota: low
+      validate:
+        message: "This RQ requests too many PODs"
+        pattern:
+          spec:
+            hard:
+              pods: 1|2|3|4

test/Secret/policy-secret.yaml

@@ -0,0 +1,27 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+  name: policy-secrets
+spec:
+  rules:
+    - name: secret1
+      resource:
+        kind : Secret
+        name: "mysecret"
+      mutate:
+        patches:
+        - path: "/metadata/labels/isMutated"
+          op: add
+          value: "true"
+        - path: "/metadata/labels/originalLabel"
+          op: remove
+        - path : "/data/newPass"
+          op : add
+          value : "bmV3UmFuZG9tUGFzcwo="
+        - path : "/data/password"
+          op : replace
+          value : "Y29tcHJvbWlzZWQK"
+      validate:
+        message: "This type of secrets does not meet security criteria"
+        pattern:
+          type: "Opaque"

test/Secret/secret.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mysecret
+  labels:
+    originalLabel : isHere
+
+type: Opaque
+data:
+  username: TmlybWF0YQ==
+  password: aXNDb29s

test/Service/policy-service.yaml

@@ -0,0 +1,31 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+  name : policy-service
+spec :
+  rules:
+    - name: ps1
+      resource:
+        kind: Service
+        name: "game-service*"
+      mutate:
+        patches:
+        - path: "/metadata/labels/isMutated"
+          op: add
+          value: "true"
+        - path : "/metadata/labels/secretLabel"
+          op : replace
+          value : "weKnow"
+        - path : "/metadata/labels/originalLabel"
+          op : remove
+        - path: "/spec/selector/app"
+          op: replace
+          value: "mutedApp"
+      validate:
+        message: "This service has wrong port"
+        pattern:
+          spec:
+            ports:
+            - name: "http"
+              protocol: TCP
+              port: 80|8080

test/Service/service.yaml

@@ -0,0 +1,15 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: game-service
+  labels:
+    originalLabel : isHere
+    secretLabel : thisIsMySecret
+spec:
+  selector:
+    app: MyApp
+  ports:
+  - name: http
+    protocol: TCP
+    port: 80
+    targetPort: 9376