mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-13 19:28:55 +00:00
add safe-to-evict annotation
This commit is contained in:
parent
24fdf69908
commit
35bed4bc6a
8 changed files with 83 additions and 10 deletions
|
@ -53,16 +53,16 @@ For conditional anchors, the child element is considered to be part of the "if"
|
|||
|
||||
````yaml
|
||||
pattern:
|
||||
metadata:
|
||||
labels:
|
||||
allow-docker: true
|
||||
spec:
|
||||
metadata:
|
||||
labels:
|
||||
allow-docker: true
|
||||
(volumes):
|
||||
(hostPath):
|
||||
path: "/var/run/docker.sock"
|
||||
````
|
||||
|
||||
This reads as "If a hostPath volume exists and the path it equals /var/run/docker.sock, then a label "allow-docker" must be specified with a value of true."
|
||||
This reads as "If a hostPath volume exists and the path equals /var/run/docker.sock, then a label "allow-docker" must be specified with a value of true."
|
||||
|
||||
For equality anchors, a child element is considered to be part of the "then" clause. Consider this pattern:
|
||||
|
||||
|
|
|
@ -3,6 +3,7 @@ package testrunner
|
|||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"flag"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
ospath "path"
|
||||
|
@ -283,9 +284,8 @@ func compareResourceSpec(t *testing.T, resource engine.ResourceSpec, expectedRes
|
|||
func compareRules(t *testing.T, rule engine.RuleResponse, expectedRule engine.RuleResponse) {
|
||||
// name
|
||||
if rule.Name != expectedRule.Name {
|
||||
t.Errorf("rule name: expected %s, recieved %s", expectedRule.Name, rule.Name)
|
||||
t.Errorf("rule name: expected %s, recieved %+v", expectedRule.Name, rule.Name)
|
||||
// as the rule names dont match no need to compare the rest of the information
|
||||
return
|
||||
}
|
||||
// type
|
||||
if rule.Type != expectedRule.Type {
|
||||
|
@ -443,11 +443,15 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
|
|||
}
|
||||
|
||||
func testScenario(t *testing.T, path string) {
|
||||
//load scenario
|
||||
flag.Parse()
|
||||
flag.Set("v", "10")
|
||||
flag.Set("logtostderr", "true")
|
||||
|
||||
scenario, err := loadScenario(t, path)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
return
|
||||
}
|
||||
|
||||
runScenario(t, scenario)
|
||||
}
|
||||
|
|
|
@ -123,6 +123,6 @@ func Test_validate_disallow_docker_sock_mount(t *testing.T) {
|
|||
testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_disallow_helm_tiller(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml")
|
||||
func Test_mutate_add_safe_to_evict_annotation(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml")
|
||||
}
|
||||
|
|
22
samples/best_practices/add_safe-to-evict_annotation.yaml
Normal file
22
samples/best_practices/add_safe-to-evict_annotation.yaml
Normal file
|
@ -0,0 +1,22 @@
|
|||
apiVersion: "kyverno.io/v1alpha1"
|
||||
kind: "ClusterPolicy"
|
||||
metadata:
|
||||
name: "annotate-emptyDir"
|
||||
annotations:
|
||||
policies.kyverno.io/category: AutoScaling
|
||||
policies.kyverno.io/description:
|
||||
spec:
|
||||
rules:
|
||||
- name: "add-safe-to-evict-annotation"
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- "Pod"
|
||||
mutate:
|
||||
overlay:
|
||||
metadata:
|
||||
annotations:
|
||||
+(cluster-autoscaler.kubernetes.io/safe-to-evict): true
|
||||
spec:
|
||||
volumes:
|
||||
- (emptyDir): {}
|
14
test/output/pod-with-emptydir.yaml
Normal file
14
test/output/pod-with-emptydir.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: pod-with-emptydir
|
||||
spec:
|
||||
containers:
|
||||
- image: k8s.gcr.io/test-webserver
|
||||
name: test-container
|
||||
volumeMounts:
|
||||
- mountPath: /cache
|
||||
name: cache-volume
|
||||
volumes:
|
||||
- name: cache-volume
|
||||
emptyDir: {}
|
14
test/resources/pod-with-emptydir.yaml
Normal file
14
test/resources/pod-with-emptydir.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: pod-with-emptydir
|
||||
spec:
|
||||
containers:
|
||||
- image: k8s.gcr.io/test-webserver
|
||||
name: test-container
|
||||
volumeMounts:
|
||||
- mountPath: /cache
|
||||
name: cache-volume
|
||||
volumes:
|
||||
- name: cache-volume
|
||||
emptyDir: {}
|
|
@ -1,4 +1,4 @@
|
|||
# file path relative to project root
|
||||
# file path is relative to project root
|
||||
input:
|
||||
policy: test/policy/mutate/policy_mutate_validate_qos.yaml
|
||||
resource: test/resources/resource_mutate_validate_qos.yaml
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
# file path is relative to project root
|
||||
input:
|
||||
policy: samples/best_practices/add_safe-to-evict_annotation.yaml
|
||||
resource: test/resources/pod-with-emptydir.yaml
|
||||
expected:
|
||||
mutation:
|
||||
patchedresource: test/output/pod-with-emptydir.yaml
|
||||
policyresponse:
|
||||
policy: annotate-emptyDir
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: pod-with-emptydir
|
||||
rules:
|
||||
- name: add-safe-to-evict-annotation
|
||||
type: Mutation
|
||||
success: true
|
||||
message: "succesfully processed overlay"
|
Loading…
Add table
Reference in a new issue