mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-04-08 10:04:25 +00:00
Code Activity

support list of kind in resource, update the CRD openapischema & adapt the test and examples for the change

Browse source
This commit is contained in:
shivdudhani 2019-05-21 15:43:43 -07:00
parent a61a7c9c31
commit 31ce087504
33 changed files with 145 additions and 96 deletions

46
definitions/install.yaml
View file

@ -35,29 +35,31 @@ spec:
resource:
type: object
required:
- kind
- kinds
properties:
kind:
type: string
enum:
- ConfigMap
- CronJob
- DaemonSet
- Deployment
- Endpoints
- HorizontalPodAutoscaler
- Ingress
- Job
- LimitRange
- Namespace
- NetworkPolicy
- PersistentVolumeClaim
- PodDisruptionBudget
- PodTemplate
- ResourceQuota
- Secret
- Service
- StatefulSet
kinds:
type: array
items:
type: string
enum:
- ConfigMap
- CronJob
- DaemonSet
- Deployment
- Endpoints
- HorizontalPodAutoscaler
- Ingress
- Job
- LimitRange
- Namespace
- NetworkPolicy
- PersistentVolumeClaim
- PodDisruptionBudget
- PodTemplate
- ResourceQuota
- Secret
- Service
- StatefulSet
name:
type: string
selector:

8
examples/Validate/check_cpu_memory.yaml
View file

@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-cpu-memory
@ -6,7 +6,8 @@ spec:
rules:
- name: check-defined
resource:
kind: Deployment
kinds:
- Deployment
validate:
message: "Resource requests and limits are required for CPU and memory"
pattern:
@ -22,7 +23,8 @@ spec:
cpu: "?"
- name: check-memory-in-range
resource:
kind: Deployment
kinds:
- Deployment
validate:
message: "Memory request cannot be greater than 10Gi"
pattern:

5
examples/Validate/check_hostpath.yaml
View file

@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-host-path
@ -6,7 +6,8 @@ spec:
rules:
- name: check-host-path
resource:
kind: Pod
kinds:
- Pod
validate:
message: "Host path volumes are not allowed"
pattern:

5
examples/Validate/check_image_version.yaml
View file

@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: image-pull-policy
@ -7,7 +7,8 @@ spec:
- name: image-pull-policy
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
resource:
kind: Deployment
kinds:
- Deployment
overlay:
template:
spec:

5
examples/Validate/check_nodeport.yaml
View file

@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-host-path
@ -6,7 +6,8 @@ spec:
rules:
- name: check-host-path
resource:
kind: Service
kinds:
- Service
validate:
message: "Node port services are not allowed"
pattern:

14
examples/Validate/check_probe_exists.yaml
View file

@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-probe-exists
@ -6,7 +6,8 @@ spec:
rules:
- name: check-liveness-probe-exists
resource:
kind: StatefulSet
kinds:
- StatefulSet
validate:
message: "a livenessProbe is required"
pattern:
@ -14,10 +15,11 @@ spec:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: ?
periodSeconds: "?"
- resource:
kind: Deployment
name: check-readiness-probe-exists
kinds:
- Deployment
name: check-readinessprobe-exists
validate:
message: "a readinessProbe is required"
pattern:
@ -25,4 +27,4 @@ spec:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ?
periodSeconds: "?"

9
examples/Validate/check_probe_intervals.yaml
View file

@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-probe-intervals
@ -6,7 +6,8 @@ spec:
rules:
- name: check-probe-intervals
resource:
kind: Deployment
kinds:
- Deployment
validate:
message: "livenessProbe must be > 10s"
pattern:
@ -16,7 +17,9 @@ spec:
livenessProbe:
periodSeconds: ">10"
- resource:
kind: Deployment
kinds:
- Deployment
name: check-readinessprobe-intervals
validate:
pattern:
message: "readinessProbe must be > 10s"

5
examples/Validate/check_whitelist_registries.yaml
View file

@ -1,4 +1,4 @@
apiVersion: policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-whitelist-registries
@ -7,7 +7,8 @@ spec:
- name: check-whitelist-registries
message: "Registry is not allowed"
resource:
kind: Deployment
kinds:
- Deployment
validate:
pattern:
template:

2
pkg/apis/policy/v1alpha1/types.go
View file

@ -33,7 +33,7 @@ type Rule struct {
// ResourceDescription describes the resource to which the PolicyRule will be applied.
type ResourceDescription struct {
Kind string `json:"kind"`
Kinds []string `json:"kinds"`
Name *string `json:"name"`
Selector *metav1.LabelSelector `json:"selector"`
}

8
pkg/apis/policy/v1alpha1/utils.go
View file

@ -22,13 +22,11 @@ func (r *Rule) Validate() error {
}
// Validate checks if all necesarry fields are present and have values. Also checks a Selector.
// Returns error if resource definition is invalid.
// Returns error if
// - kinds is not defined
func (pr *ResourceDescription) Validate() error {
// TBD: selector or name MUST be specified
if pr.Kind == "" {
if len(pr.Kinds) == 0 {
return errors.New("The Kind is not specified")
} else if pr.Name == nil && pr.Selector == nil {
return errors.New("Neither Name nor Selector is specified")
}
if pr.Selector != nil {

6
pkg/apis/policy/v1alpha1/utils_test.go
View file

@ -9,8 +9,8 @@ import (
var defaultResourceDescriptionName = "defaultResourceDescription"
var defaultResourceDescription = ResourceDescription{
Kind: "Deployment",
Name: &defaultResourceDescriptionName,
Kinds: []string{"Deployment"},
Name: &defaultResourceDescriptionName,
Selector: &metav1.LabelSelector{
MatchLabels: map[string]string{"LabelForSelector": "defaultResourceDescription"},
},
@ -43,7 +43,7 @@ func Test_ResourceDescription_EmptyKind(t *testing.T) {
func Test_ResourceDescription_EmptyNameAndSelector(t *testing.T) {
resourceDescription := ResourceDescription{
Kind: "Deployment",
Kinds: []string{"Deployment"},
}
err := resourceDescription.Validate()
assert.Assert(t, err != nil)

11
pkg/engine/utils.go
View file

@ -13,7 +13,7 @@ import (
// ResourceMeetsDescription checks requests kind, name and labels to fit the policy rule
func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.ResourceDescription, gvk metav1.GroupVersionKind) bool {
if description.Kind != gvk.Kind {
if !findKind(description.Kinds, gvk.Kind) {
return false
}
@ -104,3 +104,12 @@ func ParseRegexPolicyResourceName(policyResourceName string) (string, bool) {
}
return strings.Trim(regex[1], " "), true
}
func findKind(kinds []string, kindGVK string) bool {
for _, kind := range kinds {
if kind == kindGVK {
return true
}
}
return false
}

12
test/ConfigMap/policy-CM.yaml
View file

@ -6,7 +6,8 @@ spec :
rules:
- name: pCM1
resource:
kind : ConfigMap
kinds :
- ConfigMap
name: "game-config"
mutate:
patches:
@ -15,7 +16,8 @@ spec :
value : newValue
- name: pCM2
resource:
kind : ConfigMap
kinds :
- ConfigMap
name: "game-config"
mutate:
patches:
@ -26,7 +28,8 @@ spec :
value : "data is replaced"
- name: pCM3
resource:
kind : ConfigMap
kinds :
- ConfigMap
name: "game-config"
mutate:
patches:
@ -40,7 +43,8 @@ spec :
game.properties: "*enemies=aliens*"
- name: pCM4
resource:
kind : ConfigMap
kinds :
- ConfigMap
name: "game-config"
validate:
message: "This CM data is broken because it does not have ui.properties"

5
test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml
View file

@ -6,12 +6,13 @@ spec:
rules:
- name: "copyCM"
resource :
kind : Namespace
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
- kind: ConfigMap
name : copied-cm
copyFrom :
namespace : default

23
test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml
View file

@ -11,7 +11,8 @@ spec :
rules:
- name: "patchNamespace2"
resource :
kind : Namespace
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
@ -23,12 +24,13 @@ spec :
- name: "copyCM"
resource :
kind : Namespace
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
- kind: ConfigMap
name : copied-cm
copyFrom :
namespace : default
@ -38,12 +40,13 @@ spec :
- name: "generateCM"
resource :
kind : Namespace
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
- kind: ConfigMap
name : generated-cm
data :
secretData: "very sensitive data from cmg"
@ -56,10 +59,11 @@ spec :
- name: "generateSecret"
resource :
kind : Namespace
kinds :
- Namespace
name: ns2
generate :
kind: Secret
- kind: Secret
name : generated-secrets
data :
foo : bar
@ -72,10 +76,11 @@ spec :
- name: "copySecret"
resource :
kind : Namespace
kinds :
- Namespace
name: ns2
generate :
kind: Secret
- kind: Secret
name : copied-secrets
copyFrom :
namespace : default

7
test/CronJob/policy-cronjob-wldcrd.yaml
View file

@ -1,12 +1,13 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-cronjob
spec:
rules:
- name:
- name: "rule"
resource:
kind : CronJob
kinds :
- CronJob
name: "?ell*"
mutate:
patches:

3
test/DaemonSet/policy-daemonset.yaml
View file

@ -6,7 +6,8 @@ spec:
rules:
- name: "Patch and Volume validation"
resource:
kind: DaemonSet
kinds:
- DaemonSet
name: fluentd-elasticsearch
mutate:
patches:

4
test/Deployment/policy-deployment-any.yaml
View file

@ -6,8 +6,8 @@ spec :
rules:
- name: "First policy v2"
resource:
kind : Deployment
name: nginx-*
kinds :
- Deployment
mutate:
patches:
- path: /metadata/labels/isMutated

5
test/Endpoint/policy-endpoints.yaml
View file

@ -4,9 +4,10 @@ metadata :
name : policy-endpoints
spec :
rules:
- name:
- name: "rule"
resource:
kind : Endpoints
kinds :
- Endpoints
selector:
matchLabels:
label : test

3
test/HorizontalPodAutoscaler/policy-hpa.yaml
View file

@ -6,7 +6,8 @@ spec :
rules:
- name: hpa1
resource:
kind : HorizontalPodAutoscaler
kinds :
- HorizontalPodAutoscaler
selector:
matchLabels:
originalLabel: isHere

3
test/Ingress/policy-ingress.yaml
View file

@ -6,7 +6,8 @@ spec :
rules:
- name: ingress1
resource:
kind : Ingress
kinds :
- Ingress
selector:
matchLabels:
originalLabel: isHere

3
test/Job/policy-job.yaml
View file

@ -6,7 +6,8 @@ spec :
rules:
- name: job1
resource:
kind: Job
kinds:
- Job
name: pi
mutate:
patches:

5
test/LimitRange/policy-limitrange.yaml
View file

@ -4,9 +4,10 @@ metadata :
name : policy-limitrange
spec :
rules:
- name:
- name: "rule"
resource:
kind : LimitRange
kinds :
- LimitRange
selector:
matchLabels:
containerSize: minimal

3
test/Namespace/policy-namespace.yaml
View file

@ -7,7 +7,8 @@ spec :
rules:
- name: ns1
resource:
kind : Namespace
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace"

3
test/NetworkPolicy/policy-network-policy.yaml
View file

@ -6,7 +6,8 @@ spec:
rules:
- name: np1
resource:
kind : NetworkPolicy
kinds :
- NetworkPolicy
selector:
matchLabels:
originalLabel: isHere

3
test/PersistentVolumeClaim/policy-PVC.yaml
View file

@ -6,7 +6,8 @@ spec:
rules:
- name: pvc1
resource:
kind : PersistentVolumeClaim
kinds :
- PersistentVolumeClaim
matchLabels:
originalLabel: isHere
mutate:

3
test/PodDisruptionBudget/policy-pdb.yaml
View file

@ -6,7 +6,8 @@ spec:
rules:
- name: pdb1
resource:
kind : PodDisruptionBudget
kinds :
- PodDisruptionBudget
name: "game-pdb"
mutate:
patches:

3
test/PodTemplate/policy-PodTemplate.yaml
View file

@ -6,7 +6,8 @@ spec:
rules:
- name: podtemplate1
resource:
kind : PodTemplate
kinds :
- PodTemplate
selector:
matchLabels:
originalLabel: isHere

15
test/ResourceQuota/policy-quota-validation.yaml
View file

@ -4,9 +4,10 @@ metadata :
name : policy-quota-low-test-validation
spec :
rules:
- name:
- name: "rule1"
resource:
kind : ResourceQuota
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
@ -16,9 +17,10 @@ spec :
spec:
hard:
memory: "8Gi|12Gi"
- name:
- name: "rule2"
resource:
kind : ResourceQuota
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
@ -28,9 +30,10 @@ spec :
spec:
hard:
cpu: <3
- name:
- name: "rule3"
resource:
kind : ResourceQuota
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low

5
test/ResourceQuota/policy-quota.yaml
View file

@ -4,9 +4,10 @@ metadata :
name : policy-quota-low-test
spec :
rules:
- name:
- name: "rule"
resource:
kind : ResourceQuota
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low

3
test/Secret/policy-secret.yaml
View file

@ -6,7 +6,8 @@ spec:
rules:
- name: secret1
resource:
kind : Secret
kinds :
- Secret
name: "mysecret"
mutate:
patches:

3
test/Service/policy-service.yaml
View file

@ -6,7 +6,8 @@ spec :
rules:
- name: ps1
resource:
kind: Service
kinds:
- Service
name: "game-service*"
mutate:
patches:

3
test/StatefulSet/policy-StatefulSet.yaml
View file

@ -6,7 +6,8 @@ spec:
rules:
- name: statefulset1
resource:
kind : StatefulSet
kinds :
- StatefulSet
selector:
matchLabels:
originalLabel: isHere