add safe-to-evict annotation

2025-03-28 10:28:36 +00:00 · 2019-11-04 17:55:13 -08:00 · 2019-11-04 17:55:13 -08:00 · 35bed4bc6a
commit 35bed4bc6a
parent 24fdf69908
8 changed files with 83 additions and 10 deletions
--- a/documentation/writing-policies-validate.md
+++ b/documentation/writing-policies-validate.md
@ -53,16 +53,16 @@ For conditional anchors, the child element is considered to be part of the "if"

 ````yaml
  pattern:
+    metadata:
+      labels:
+        allow-docker: true
    spec:
-      metadata:
-        labels:
-          allow-docker: true
      (volumes):
        (hostPath):
          path: "/var/run/docker.sock"
 ````

-This reads as "If a hostPath volume exists and the path it equals /var/run/docker.sock, then a label "allow-docker" must be specified with a value of true."
+This reads as "If a hostPath volume exists and the path equals /var/run/docker.sock, then a label "allow-docker" must be specified with a value of true."

 For equality anchors, a child element is considered to be part of the "then" clause. Consider this pattern:

--- a/pkg/testrunner/scenario.go
+++ b/pkg/testrunner/scenario.go
@ -3,6 +3,7 @@ package testrunner
 import (
 	"bytes"
 	"encoding/json"
+	"flag"
 	"io/ioutil"
 	"os"
 	ospath "path"
@ -283,9 +284,8 @@ func compareResourceSpec(t *testing.T, resource engine.ResourceSpec, expectedRes
 func compareRules(t *testing.T, rule engine.RuleResponse, expectedRule engine.RuleResponse) {
 	// name
 	if rule.Name != expectedRule.Name {
-		t.Errorf("rule name: expected %s, recieved %s", expectedRule.Name, rule.Name)
+		t.Errorf("rule name: expected %s, recieved %+v", expectedRule.Name, rule.Name)
 		// as the rule names dont match no need to compare the rest of the information
-		return
 	}
 	// type
 	if rule.Type != expectedRule.Type {
@ -443,11 +443,15 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy {
 }

 func testScenario(t *testing.T, path string) {
-	//load scenario
+	flag.Parse()
+	flag.Set("v", "10")
+	flag.Set("logtostderr", "true")
+
 	scenario, err := loadScenario(t, path)
 	if err != nil {
 		t.Error(err)
 		return
 	}
+
 	runScenario(t, scenario)
 }
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -123,6 +123,6 @@ func Test_validate_disallow_docker_sock_mount(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_docker_sock_mount.yaml")
 }

-func Test_validate_disallow_helm_tiller(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_disallow_helm_tiller.yaml")
+func Test_mutate_add_safe_to_evict_annotation(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml")
 }
--- a/samples/best_practices/add_safe-to-evict_annotation.yaml
+++ b/samples/best_practices/add_safe-to-evict_annotation.yaml
@ -0,0 +1,22 @@
+apiVersion: "kyverno.io/v1alpha1"
+kind: "ClusterPolicy"
+metadata: 
+  name: "annotate-emptyDir"
+  annotations:
+    policies.kyverno.io/category: AutoScaling
+    policies.kyverno.io/description: 
+spec: 
+  rules: 
+  - name: "add-safe-to-evict-annotation"
+    match: 
+      resources: 
+        kinds: 
+        - "Pod"
+    mutate: 
+      overlay:
+        metadata:
+          annotations:
+            +(cluster-autoscaler.kubernetes.io/safe-to-evict): true
+        spec:          
+          volumes: 
+          - (emptyDir): {}
--- a/test/output/pod-with-emptydir.yaml
+++ b/test/output/pod-with-emptydir.yaml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-emptydir
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /cache
+      name: cache-volume
+  volumes:
+  - name: cache-volume
+    emptyDir: {}
--- a/test/resources/pod-with-emptydir.yaml
+++ b/test/resources/pod-with-emptydir.yaml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-emptydir
+spec:
+  containers:
+  - image: k8s.gcr.io/test-webserver
+    name: test-container
+    volumeMounts:
+    - mountPath: /cache
+      name: cache-volume
+  volumes:
+  - name: cache-volume
+    emptyDir: {}
--- a/test/scenarios/other/scenario_mutate_validate_qos.yaml
+++ b/test/scenarios/other/scenario_mutate_validate_qos.yaml
@ -1,4 +1,4 @@
-# file path relative to project root
+# file path is relative to project root
 input:
  policy: test/policy/mutate/policy_mutate_validate_qos.yaml
  resource: test/resources/resource_mutate_validate_qos.yaml
--- a/test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml
+++ b/test/scenarios/samples/best_practices/scenario_mutate_safe-to-evict.yaml
@ -0,0 +1,19 @@
+# file path is relative to project root
+input:
+  policy: samples/best_practices/add_safe-to-evict_annotation.yaml
+  resource: test/resources/pod-with-emptydir.yaml
+expected:
+  mutation:
+    patchedresource: test/output/pod-with-emptydir.yaml
+    policyresponse:
+      policy: annotate-emptyDir
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: pod-with-emptydir
+      rules:
+        - name: add-safe-to-evict-annotation
+          type: Mutation
+          success: true
+          message: "succesfully processed overlay"