From 24b5acdc73c6ff92453e4debc44abee24603a250 Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Wed, 17 Jul 2019 13:31:00 -0700 Subject: [PATCH 1/6] add demo example --- examples/demo/allowed_registry/nginx.yaml | 21 ++++++++++++ examples/demo/allowed_registry/policy.yaml | 22 +++++++++++++ examples/demo/health_check/pod.yaml | 32 ++++++++++++++++++ examples/demo/health_check/policy.yaml | 33 +++++++++++++++++++ examples/demo/image_pull_policy/nginx.yaml | 21 ++++++++++++ examples/demo/image_pull_policy/policy.yaml | 20 +++++++++++ examples/demo/mutate_patch/ep.yaml | 13 -------- examples/demo/mutate_patch/policy_patch.yaml | 23 ------------- examples/demo/non_root/nginx.yaml | 21 ++++++++++++ examples/demo/non_root/policy.yaml | 21 ++++++++++++ .../SecurityContext}/nginx.yaml | 0 .../SecurityContext}/policy.yaml | 0 12 files changed, 191 insertions(+), 36 deletions(-) create mode 100644 examples/demo/allowed_registry/nginx.yaml create mode 100644 examples/demo/allowed_registry/policy.yaml create mode 100644 examples/demo/health_check/pod.yaml create mode 100644 examples/demo/health_check/policy.yaml create mode 100644 examples/demo/image_pull_policy/nginx.yaml create mode 100644 examples/demo/image_pull_policy/policy.yaml delete mode 100644 examples/demo/mutate_patch/ep.yaml delete mode 100644 examples/demo/mutate_patch/policy_patch.yaml create mode 100644 examples/demo/non_root/nginx.yaml create mode 100644 examples/demo/non_root/policy.yaml rename {examples/demo/security_context => test/SecurityContext}/nginx.yaml (100%) rename {examples/demo/security_context => test/SecurityContext}/policy.yaml (100%) diff --git a/examples/demo/allowed_registry/nginx.yaml b/examples/demo/allowed_registry/nginx.yaml new file mode 100644 index 0000000000..a0329d80f4 --- /dev/null +++ b/examples/demo/allowed_registry/nginx.yaml 
@@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx + cli: test +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + # image: nginx + image: nirmata/nginx diff --git a/examples/demo/allowed_registry/policy.yaml b/examples/demo/allowed_registry/policy.yaml new file mode 100644 index 0000000000..0b97272c41 --- /dev/null +++ b/examples/demo/allowed_registry/policy.yaml @@ -0,0 +1,22 @@ +apiVersion : kyverno.io/v1alpha1 +kind: Policy +metadata: + name: check-registries +spec: + rules: + - name: check-registries + resource: + kinds: + - Deployment + - StatefulSet + validate: + message: "Registry is not allowed" + pattern: + spec: + template: + spec: + containers: + - name: "*" + # Check allowed registries + image: "*nirmata*" + # image: "*nirmata* | https://private.registry.io/*" diff --git a/examples/demo/health_check/pod.yaml b/examples/demo/health_check/pod.yaml new file mode 100644 index 0000000000..d9a912c99c --- /dev/null +++ b/examples/demo/health_check/pod.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + test: probe + name: probe +spec: + containers: + - name: readiness + image: k8s.gcr.io/busybox + args: + - /bin/sh + - -c + - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600 + readinessProbe: + periodSeconds: 5 + exec: + command: + - cat + - /tmp/healthy + - name: liveness + image: k8s.gcr.io/liveness + args: + - /server + livenessProbe: + httpGet: + path: /healthz + port: 8080 + httpHeaders: + - name: Custom-Header + value: Awesome + periodSeconds: 3 \ No newline at end of file diff --git a/examples/demo/health_check/policy.yaml b/examples/demo/health_check/policy.yaml new file mode 100644 index 0000000000..eda5a4bfd2 --- /dev/null +++ b/examples/demo/health_check/policy.yaml 
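Review bot: The pattern `image: "*nirmata*"` is a substring match, not a registry check: any reference that contains `nirmata` anywhere — a repository or tag under a completely different registry — satisfies it, so the rule does not pin the registry its message claims to. Anchor the pattern at the start of the reference, e.g. `image: "nirmata/*"`, or use the fully qualified registry host. The pattern also inspects only `containers`; `initContainers` are not examined by this rule, and the same gap applies to the non_root and container_security_context policies later in this series. The `kinds` list (Deployment, StatefulSet) leaves Pods created directly, DaemonSets, Jobs and CronJobs unchecked — fine for a demo, but worth a comment.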
@@ -0,0 +1,33 @@ +apiVersion : kyverno.io/v1alpha1 +kind : Policy +metadata : + name: check-probe-exists +spec: + rules: + - name: check-readinessProbe-exists + resource: + kinds : + - Pod + validate: + message: "a readinessProbe is required" + pattern: + spec: + containers: + - (name): "readiness" + readinessProbe: + periodSeconds: ">0" + - name: check-livenessProbe-exists + resource: + kinds : + - Pod + validate: + message: "a livenessProbe is required" + pattern: + spec: + containers: + - (name): "liveness" + livenessProbe: + httpGet: + path: "?*" + port: "*" + scheme: "?*" diff --git a/examples/demo/image_pull_policy/nginx.yaml b/examples/demo/image_pull_policy/nginx.yaml new file mode 100644 index 0000000000..c3bdbed5d6 --- /dev/null +++ b/examples/demo/image_pull_policy/nginx.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx + cli: test +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:latest + # imagePullPolicy: IfNotPresent diff --git a/examples/demo/image_pull_policy/policy.yaml b/examples/demo/image_pull_policy/policy.yaml new file mode 100644 index 0000000000..51297741de --- /dev/null +++ b/examples/demo/image_pull_policy/policy.yaml @@ -0,0 +1,20 @@ +apiVersion : kyverno.io/v1alpha1 +kind: Policy +metadata: + name: image-pull-policy +spec: + rules: + - name: image-pull-policy + resource: + kinds: + - Deployment + mutate: + overlay: + spec: + template: + spec: + containers: + # select images which end with :latest + - (image): "*latest" + # require that the imagePullPolicy is "IfNotPresent" + imagePullPolicy: IfNotPresent diff --git a/examples/demo/mutate_patch/ep.yaml b/examples/demo/mutate_patch/ep.yaml deleted file mode 100644 index f932126c22..0000000000 --- a/examples/demo/mutate_patch/ep.yaml +++ /dev/null 
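Review bot: The `(name): "readiness"` and `(name): "liveness"` anchors make each rule conditional on a container carrying exactly that name, so a Pod whose containers are named anything else passes `check-probe-exists` without any probe at all, while the policy name suggests a general requirement. Use `(name): "*"` if every container must declare a probe, or add a comment stating that the rule is demo-scoped to the two container names used in pod.yaml.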
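Review bot: Mutating `*latest` images to `imagePullPolicy: IfNotPresent` reverses the Kubernetes default (`:latest` and untagged images default to `Always`) and lets a node reuse whatever image it already has cached, so a `:latest` Deployment silently stops tracking the tag and, on shared nodes, an image pulled with one workload's credentials can be reused by another without a fresh pull — the case the `AlwaysPullImages` admission controller exists for. If the demo only needs to show an overlay mutation, consider making the injected value `Always`, or add a comment above `imagePullPolicy: IfNotPresent` stating that the value is for demonstration and is not a hardening recommendation.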
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Endpoints -metadata: - name: demo-endpoint - labels: - label : test -subsets: -- addresses: - - ip: 192.168.10.171 - ports: - - name: secure-connection - port: 443 - protocol: TCP diff --git a/examples/demo/mutate_patch/policy_patch.yaml b/examples/demo/mutate_patch/policy_patch.yaml deleted file mode 100644 index c67f9ef752..0000000000 --- a/examples/demo/mutate_patch/policy_patch.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion : kyverno.io/v1alpha1 -kind : Policy -metadata : - name : policy-endpoints -spec : - rules: - - name: demo-ep - resource: - kinds : - - Endpoints - selector: - matchLabels: - label : test - mutate: - patches: - # add a new label - - path: /metadata/labels/app.type - op: add - value: dev - # replace port - - path : /subsets/0/ports/0/port - op : replace - value: 9663 \ No newline at end of file diff --git a/examples/demo/non_root/nginx.yaml b/examples/demo/non_root/nginx.yaml new file mode 100644 index 0000000000..41c00d3066 --- /dev/null +++ b/examples/demo/non_root/nginx.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: psp-demo-unprivileged + labels: + app.type: prod +spec: + replicas: 1 + selector: + matchLabels: + app: psp + template: + metadata: + labels: + app: psp + spec: + securityContext: + runAsNonRoot: true + containers: + - name: sec-ctx-unprivileged + image: nginxinc/nginx-unprivileged diff --git a/examples/demo/non_root/policy.yaml b/examples/demo/non_root/policy.yaml new file mode 100644 index 0000000000..3ea11b319e --- /dev/null +++ b/examples/demo/non_root/policy.yaml 
@@ -0,0 +1,21 @@ +apiVersion : kyverno.io/v1alpha1 +kind: Policy +metadata: + name: policy-security-context +spec: + rules: + - name: validate-runAsNonRoot + resource: + kinds: + - Deployment + selector : + matchLabels: + app.type: prod + validate: + message: "security context 'runAsNonRoot' shoud be set to true" + pattern: + spec: + template: + spec: + securityContext: + runAsNonRoot: true \ No newline at end of file diff --git a/examples/demo/security_context/nginx.yaml b/test/SecurityContext/nginx.yaml similarity index 100% rename from examples/demo/security_context/nginx.yaml rename to test/SecurityContext/nginx.yaml diff --git a/examples/demo/security_context/policy.yaml b/test/SecurityContext/policy.yaml similarity index 100% rename from examples/demo/security_context/policy.yaml rename to test/SecurityContext/policy.yaml From 27f893df538dfc8c300771be60e81d45d7ceba60 Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Wed, 17 Jul 2019 13:33:05 -0700 Subject: [PATCH 2/6] add examples_not_tested --- .../container_security_context/nginx.yaml | 22 ++++++ .../container_security_context/policy.yaml | 25 +++++++ .../demo/pod_security_context/policy.yaml | 24 +++++++ pkg/engine/overlay_new.go | 70 +++++++++++++++++++ 4 files changed, 141 insertions(+) create mode 100755 examples/demo/container_security_context/nginx.yaml create mode 100755 examples/demo/container_security_context/policy.yaml create mode 100755 examples/demo/pod_security_context/policy.yaml create mode 100755 pkg/engine/overlay_new.go diff --git a/examples/demo/container_security_context/nginx.yaml b/examples/demo/container_security_context/nginx.yaml new file mode 100755 index 0000000000..3f395ff407 --- /dev/null +++ b/examples/demo/container_security_context/nginx.yaml 
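Review bot: The `validate` message has a typo, `shoud`: `message: "security context 'runAsNonRoot' should be set to true"`. Beyond wording, the pattern only requires the pod-level `spec.template.spec.securityContext.runAsNonRoot: true`; a container-level `securityContext.runAsNonRoot: false` overrides the pod-level value for that container, so a Deployment can satisfy this rule and still run a container as root. If the intent is that no container runs as root, a second rule on `containers` (and `initContainers`) is needed, or a comment should state that the demo checks the pod-level default only.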
@@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: psp-demo-unprivileged + labels: + app.type: prod +spec: + replicas: 1 + selector: + matchLabels: + app: psp + template: + metadata: + labels: + app: psp + spec: + containers: + - name: sec-ctx-unprivileged + image: nginxinc/nginx-unprivileged + securityContext: + runAsNonRoot: true + diff --git a/examples/demo/container_security_context/policy.yaml b/examples/demo/container_security_context/policy.yaml new file mode 100755 index 0000000000..0dac2ddbe0 --- /dev/null +++ b/examples/demo/container_security_context/policy.yaml @@ -0,0 +1,25 @@ +apiVersion : kyverno.io/v1alpha1 +kind: Policy +metadata: + name: container-security-context +spec: + rules: + - name: set-userID + resource: + kinds: + - Deployment + selector : + matchLabels: + app.type: prod + validate: + message: "validate container security contexts" + pattern: + spec: + template: + spec: + containers: + securityContext: + # privileged: false + # allowPrivilegeEscalation: false + # readOnlyRootFilesystem: true + runAsNonRoot: true \ No newline at end of file diff --git a/examples/demo/pod_security_context/policy.yaml b/examples/demo/pod_security_context/policy.yaml new file mode 100755 index 0000000000..5a8408f1d2 --- /dev/null +++ b/examples/demo/pod_security_context/policy.yaml @@ -0,0 +1,24 @@ +apiVersion : kyverno.io/v1alpha1 +kind: Policy +metadata: + name: pod-security-context +spec: + rules: + - name: set-userID + resource: + kinds: + - Deployment + selector : + matchLabels: + app.type: prod + validate: + message: "secure pod" + pattern: + spec: + template: + spec: + hostNetwork: false + hostIPC: false + hostPID: false + securityContext: + runAsNonRoot: true \ No newline at end of file diff --git a/pkg/engine/overlay_new.go b/pkg/engine/overlay_new.go new file mode 100755 index 0000000000..8f807212f1 --- /dev/null +++ b/pkg/engine/overlay_new.go 
@@ -0,0 +1,70 @@
+package engine
+
+import (
+ "reflect"
+)
+
+// func processoverlay(rule kubepolicy.Rule, rawResource []byte, gvk metav1.GroupVersionKind) ([][]byte, error) {
+
+// var resource interface{}
+// var appliedPatches [][]byte
+// err := json.Unmarshal(rawResource, &resource)
+// if err != nil {
+// return nil, err
+// }
+
+// patches, err := mutateResourceWithOverlay(resource, *rule.Mutation.Overlay)
+// if err != nil {
+// return nil, err
+// }
+// appliedPatches = append(appliedPatches, patches...)
+
+// return appliedPatches, err
+// }
+
+func applyoverlay(resource, overlay interface{}, path string) ([][]byte, error) {
+ var appliedPatches [][]byte
+ // resource item exists but has different type - replace
+ // all subtree within this path by overlay
+ if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
+ patch, err := replaceSubtree(overlay, path)
+ if err != nil {
+ return nil, err
+ }
+
+ appliedPatches = append(appliedPatches, patch)
+ }
+
+ return applyOverlayForSameTypes(resource, overlay, path)
+}
+
+func checkConditions(resource, overlay interface{}, path string) bool {
+
+ switch typedOverlay := overlay.(type) {
+ case map[string]interface{}:
+ typedResource := resource.(map[string]interface{})
+ if !checkConditionOnMap(typedResource, typedOverlay) {
+ return false
+ }
+ case []interface{}:
+ typedResource := resource.([]interface{})
+ if !checkConditionOnArray(typedResource, typedOverlay) {
+ return false
+ }
+ case string, float64, int64, bool:
+
+ default:
+ return false
+ }
+ return true
+}
+
+func checkConditionOnMap(resourceMap, overlayMap map[string]interface{}) bool {
+ // _ := getAnchorsFromMap(overlayMap)
+
+ return false
+}
+
+func checkConditionOnArray(resource, overlay []interface{}) bool {
+ return false
+}
From 6b45bdc585058af9a39d6e9bffe84f48d4fcf925 Mon Sep 17 00:00:00 2001
From: Shuting Zhao Date: Wed, 17 Jul 2019 17:09:18 -0700 Subject: [PATCH 3/6] update examples --- definitions/install.yaml | 2 +- examples/demo/container_security_context/nginx.yaml | 2 +- examples/demo/container_security_context/policy.yaml | 11 ++++++----- .../demo/{generate => network_policy}/namespace.yaml | 0 .../demo/{generate => network_policy}/policy.yaml | 0 5 files changed, 8 insertions(+), 7 deletions(-) rename examples/demo/{generate => network_policy}/namespace.yaml (100%) rename examples/demo/{generate => network_policy}/policy.yaml (100%) diff --git a/definitions/install.yaml b/definitions/install.yaml index 8e83c014cd..8ed3b6cf67 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -178,7 +178,7 @@ spec: containers: - name: kyverno image: nirmata/kyverno:latest - args: ["--filterKind","Nodes,Events,APIService,SubjectAccessReview"] + args: ["--filterKind","Node,Event,APIService,Policy,TokenReview,SubjectAccessReview"] ports: - containerPort: 443 securityContext: diff --git a/examples/demo/container_security_context/nginx.yaml b/examples/demo/container_security_context/nginx.yaml index 3f395ff407..811f167bac 100755 --- a/examples/demo/container_security_context/nginx.yaml +++ b/examples/demo/container_security_context/nginx.yaml @@ -19,4 +19,4 @@ spec: image: nginxinc/nginx-unprivileged securityContext: runAsNonRoot: true - + allowPrivilegeEscalation: true diff --git a/examples/demo/container_security_context/policy.yaml b/examples/demo/container_security_context/policy.yaml index 0dac2ddbe0..fc434ec0dc 100755 --- a/examples/demo/container_security_context/policy.yaml +++ b/examples/demo/container_security_context/policy.yaml @@ -4,7 +4,7 @@ metadata: name: container-security-context spec: rules: - - name: set-userID + - name: validate-user-privilege resource: kinds: - Deployment 
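Review bot: `allowPrivilegeEscalation: true` is added to the demo Deployment in container_security_context/nginx.yaml without a comment; since the companion policy in this same commit requires `allowPrivilegeEscalation: false`, the manifest is presumably meant to be rejected, but a reader copying the example will take `true` as a recommended setting. Add a comment above the line, e.g. `# intentionally violates container-security-context (policy requires false)`, or keep the manifest compliant and demonstrate the violation separately.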
@@ -18,8 +18,9 @@ spec: template: spec: containers: - securityContext: + - securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + # fields can be customized # privileged: false - # allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - runAsNonRoot: true \ No newline at end of file + # readOnlyRootFilesystem: true \ No newline at end of file diff --git a/examples/demo/generate/namespace.yaml b/examples/demo/network_policy/namespace.yaml similarity index 100% rename from examples/demo/generate/namespace.yaml rename to examples/demo/network_policy/namespace.yaml diff --git a/examples/demo/generate/policy.yaml b/examples/demo/network_policy/policy.yaml similarity index 100% rename from examples/demo/generate/policy.yaml rename to examples/demo/network_policy/policy.yaml From 933ed19b7aed0d1bd3e1bf411cb31ffb75d4abfe Mon Sep 17 00:00:00 2001 
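Review bot: The list element `- securityContext:` carries no `(name): "*"` anchor, unlike the `containers` patterns in the qos and health_check policies in this series; whether an unanchored element is matched against every container depends on the engine's array semantics, so either add the anchor for consistency or confirm and document the behaviour. The fields under `# fields can be customized` are commented out and therefore not enforced; since the rule already mandates `allowPrivilegeEscalation: false`, `privileged: false` follows from it (the API server rejects `privileged: true` combined with `allowPrivilegeEscalation: false`), so the comment could state that rather than present it as optional hardening. The hunk also leaves the file without a trailing newline.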
From: Shuting Zhao Date: Thu, 18 Jul 2019 00:43:56 -0700 Subject: [PATCH 4/6] add number to each example --- .../nginx.yaml | 0 .../policy.yaml | 6 ++++ .../nginx.yaml | 0 .../policy.yaml | 4 +-- .../namespace.yaml | 0 .../policy.yaml | 9 +++-- .../demo/{non_root => 4_non_root}/nginx.yaml | 0 .../demo/{non_root => 4_non_root}/policy.yaml | 0 .../{health_check => 5_health_check}/pod.yaml | 2 +- .../policy.yaml | 6 ++-- examples/demo/{qos => 6_qos}/policy_qos.yaml | 34 +++++++++---------- examples/demo/{qos => 6_qos}/qos.yaml | 0 .../nginx.yaml | 0 .../policy.yaml | 0 14 files changed, 36 insertions(+), 25 deletions(-) rename examples/demo/{image_pull_policy => 1_image_pull_policy}/nginx.yaml (100%) rename examples/demo/{image_pull_policy => 1_image_pull_policy}/policy.yaml (75%) rename examples/demo/{allowed_registry => 2_allowed_registry}/nginx.yaml (100%) rename examples/demo/{allowed_registry => 2_allowed_registry}/policy.yaml (79%) rename examples/demo/{network_policy => 3_network_policy}/namespace.yaml (100%) rename examples/demo/{network_policy => 3_network_policy}/policy.yaml (70%) rename examples/demo/{non_root => 4_non_root}/nginx.yaml (100%) rename examples/demo/{non_root => 4_non_root}/policy.yaml (100%) rename examples/demo/{health_check => 5_health_check}/pod.yaml (95%) rename examples/demo/{health_check => 5_health_check}/policy.yaml (82%) rename examples/demo/{qos => 6_qos}/policy_qos.yaml (92%) rename examples/demo/{qos => 6_qos}/qos.yaml (100%) rename examples/demo/{container_security_context => 7_container_security_context}/nginx.yaml (100%) rename examples/demo/{container_security_context => 7_container_security_context}/policy.yaml (100%) diff --git a/examples/demo/image_pull_policy/nginx.yaml b/examples/demo/1_image_pull_policy/nginx.yaml similarity index 100% rename from examples/demo/image_pull_policy/nginx.yaml rename to examples/demo/1_image_pull_policy/nginx.yaml 
diff --git a/examples/demo/image_pull_policy/policy.yaml b/examples/demo/1_image_pull_policy/policy.yaml similarity index 75% rename from examples/demo/image_pull_policy/policy.yaml rename to examples/demo/1_image_pull_policy/policy.yaml index 51297741de..6da37a961e 100644 --- a/examples/demo/image_pull_policy/policy.yaml +++ b/examples/demo/1_image_pull_policy/policy.yaml @@ -8,6 +8,12 @@ spec: resource: kinds: - Deployment + # - StatefulSet + # name: "my-deployment" + # selector : + # matchLabels: + # app.type: prod + # namespace: "my-namespace" mutate: overlay: spec: diff --git a/examples/demo/allowed_registry/nginx.yaml b/examples/demo/2_allowed_registry/nginx.yaml similarity index 100% rename from examples/demo/allowed_registry/nginx.yaml rename to examples/demo/2_allowed_registry/nginx.yaml diff --git a/examples/demo/allowed_registry/policy.yaml b/examples/demo/2_allowed_registry/policy.yaml similarity index 79% rename from examples/demo/allowed_registry/policy.yaml rename to examples/demo/2_allowed_registry/policy.yaml index 0b97272c41..4964e434d9 100644 --- a/examples/demo/allowed_registry/policy.yaml +++ b/examples/demo/2_allowed_registry/policy.yaml @@ -9,6 +9,7 @@ spec: kinds: - Deployment - StatefulSet + namespace: default validate: message: "Registry is not allowed" pattern: @@ -18,5 +19,4 @@ spec: containers: - name: "*" # Check allowed registries - image: "*nirmata*" - # image: "*nirmata* | https://private.registry.io/*" + image: "*nirmata* | https://private.registry.io/*" diff --git a/examples/demo/network_policy/namespace.yaml b/examples/demo/3_network_policy/namespace.yaml similarity index 100% rename from examples/demo/network_policy/namespace.yaml rename to examples/demo/3_network_policy/namespace.yaml 
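Review bot: Adding `namespace: default` narrows `check-registries` to workloads in the default namespace, so Deployments and StatefulSets created anywhere else are no longer checked against the registry pattern at all. If the scoping only keeps the demo self-contained, a comment such as `# demo scope: remove to enforce cluster-wide` would stop the example being copied as-is into a real cluster.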
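Review bot: The new pattern `"*nirmata* | https://private.registry.io/*"` includes a URL scheme, but container image references never carry one (they look like `private.registry.io/team/app:tag`), so the second alternative can never match a real image string and only the `*nirmata*` substring branch is live; write it as `image: "*nirmata* | private.registry.io/*"`. The `|` is presumably the engine's OR separator for patterns — confirm that the surrounding spaces are tolerated, since a `| ` that is not trimmed would make the second branch dead for a second reason.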
diff --git a/examples/demo/network_policy/policy.yaml b/examples/demo/3_network_policy/policy.yaml similarity index 70% rename from examples/demo/network_policy/policy.yaml rename to examples/demo/3_network_policy/policy.yaml index ed2465c7fd..c68090abf6 100644 --- a/examples/demo/network_policy/policy.yaml +++ b/examples/demo/3_network_policy/policy.yaml @@ -8,7 +8,7 @@ spec: resource: kinds: - Namespace - name: "*" + name: "devtest" generate: kind: NetworkPolicy name: deny-ingress-traffic @@ -22,4 +22,9 @@ spec: metadata: annotations: {} labels: - policyname: "default" \ No newline at end of file + policyname: "default" + # kind: ConfigMap + # name: default-config + # clone: + # namespace: default + # name: config-template \ No newline at end of file diff --git a/examples/demo/non_root/nginx.yaml b/examples/demo/4_non_root/nginx.yaml similarity index 100% rename from examples/demo/non_root/nginx.yaml rename to examples/demo/4_non_root/nginx.yaml diff --git a/examples/demo/non_root/policy.yaml b/examples/demo/4_non_root/policy.yaml similarity index 100% rename from examples/demo/non_root/policy.yaml rename to examples/demo/4_non_root/policy.yaml diff --git a/examples/demo/health_check/pod.yaml b/examples/demo/5_health_check/pod.yaml similarity index 95% rename from examples/demo/health_check/pod.yaml rename to examples/demo/5_health_check/pod.yaml index d9a912c99c..f5f0004d3a 100644 --- a/examples/demo/health_check/pod.yaml +++ b/examples/demo/5_health_check/pod.yaml @@ -13,7 +13,7 @@ spec: - -c - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600 readinessProbe: - periodSeconds: 5 + # successThreshold: 3 exec: command: - cat diff --git a/examples/demo/health_check/policy.yaml b/examples/demo/5_health_check/policy.yaml similarity index 82% rename from examples/demo/health_check/policy.yaml rename to examples/demo/5_health_check/policy.yaml index eda5a4bfd2..0550b16fe6 100644 --- a/examples/demo/health_check/policy.yaml 
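Review bot: Changing `name: "*"` to `name: "devtest"` means the deny-ingress NetworkPolicy is generated only for a Namespace literally named devtest; every other new namespace gets no default-deny baseline, which is the opposite of what a generate rule for NetworkPolicy is usually meant to provide. If the narrowing keeps the demo predictable, add a comment such as `# demo: generate only for the devtest namespace; use "*" for a cluster-wide default-deny`.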
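Review bot: Dropping `periodSeconds: 5` and leaving `# successThreshold: 3` commented out means the readiness probe keeps the default `successThreshold` of 1, while the policy hunk that follows (5_health_check/policy.yaml) now requires `successThreshold: ">1"`; as committed, pod.yaml fails that validation until the line is uncommented. If that is the intended demo flow, a comment such as `# uncomment to satisfy the check-readinessProbe-exists rule` would make it explicit. Note that a `successThreshold` greater than 1 is only accepted on readiness probes — the API server requires 1 for liveness probes — so the same pattern must not be copied into the liveness rule.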
+++ b/examples/demo/5_health_check/policy.yaml @@ -9,19 +9,19 @@ spec: kinds : - Pod validate: - message: "a readinessProbe is required" + message: "readinessProbe is required" pattern: spec: containers: - (name): "readiness" readinessProbe: - periodSeconds: ">0" + successThreshold: ">1" - name: check-livenessProbe-exists resource: kinds : - Pod validate: - message: "a livenessProbe is required" + message: "livenessProbe is required" pattern: spec: containers: diff --git a/examples/demo/qos/policy_qos.yaml b/examples/demo/6_qos/policy_qos.yaml similarity index 92% rename from examples/demo/qos/policy_qos.yaml rename to examples/demo/6_qos/policy_qos.yaml index 49aabe72bd..d7598499ab 100644 --- a/examples/demo/qos/policy_qos.yaml +++ b/examples/demo/6_qos/policy_qos.yaml @@ -4,22 +4,6 @@ metadata: name: policy-qos spec: rules: - - name: add-memory-limit - resource: - kinds: - - Deployment - mutate: - overlay: - spec: - template: - spec: - containers: - # the wildcard * will match all containers in the list - - (name): "*" - resources: - limits: - # add memory limit if it is not exist - "+(memory)": "300Mi" - name: check-cpu-memory-limits resource: kinds: @@ -37,4 +21,20 @@ spec: limits: # cpu and memory are required memory: "?*" - cpu: "?*" \ No newline at end of file + cpu: "?*" + - name: add-memory-limit + resource: + kinds: + - Deployment + mutate: + overlay: + spec: + template: + spec: + containers: + # the wildcard * will match all containers in the list + - (name): "*" + resources: + limits: + # add memory limit if it is not exist + "+(memory)": "300Mi" \ No newline at end of file diff --git a/examples/demo/qos/qos.yaml b/examples/demo/6_qos/qos.yaml similarity index 100% rename from examples/demo/qos/qos.yaml rename to examples/demo/6_qos/qos.yaml 
diff --git a/examples/demo/container_security_context/nginx.yaml b/examples/demo/7_container_security_context/nginx.yaml similarity index 100% rename from examples/demo/container_security_context/nginx.yaml rename to examples/demo/7_container_security_context/nginx.yaml diff --git a/examples/demo/container_security_context/policy.yaml b/examples/demo/7_container_security_context/policy.yaml similarity index 100% rename from examples/demo/container_security_context/policy.yaml rename to examples/demo/7_container_security_context/policy.yaml From d6ea21d4e08ec41539f42b553e0a05ce0f4acf30 Mon Sep 17 00:00:00 2001 From: shuting Date: Thu, 18 Jul 2019 15:37:34 -0700 Subject: [PATCH 5/6] Delete policy.yaml --- .../demo/pod_security_context/policy.yaml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100755 examples/demo/pod_security_context/policy.yaml diff --git a/examples/demo/pod_security_context/policy.yaml b/examples/demo/pod_security_context/policy.yaml deleted file mode 100755 index 5a8408f1d2..0000000000 --- a/examples/demo/pod_security_context/policy.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion : kyverno.io/v1alpha1 -kind: Policy -metadata: - name: pod-security-context -spec: - rules: - - name: set-userID - resource: - kinds: - - Deployment - selector : - matchLabels: - app.type: prod - validate: - message: "secure pod" - pattern: - spec: - template: - spec: - hostNetwork: false - hostIPC: false - hostPID: false - securityContext: - runAsNonRoot: true \ No newline at end of file From 707b83d0afcd5837b33599b478c43ff15b3502e2 Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Thu, 18 Jul 2019 16:20:38 -0700 Subject: [PATCH 6/6] update examples/demo --- examples/demo/6_qos/policy_qos.yaml | 33 +++++++++++++++-------------- examples/demo/6_qos/qos.yaml | 6 ------ 2 files changed, 17 insertions(+), 22 deletions(-) diff --git a/examples/demo/6_qos/policy_qos.yaml b/examples/demo/6_qos/policy_qos.yaml index d7598499ab..ca005e05d2 100644 
--- a/examples/demo/6_qos/policy_qos.yaml +++ b/examples/demo/6_qos/policy_qos.yaml @@ -3,6 +3,7 @@ kind: Policy metadata: name: policy-qos spec: + validationFailureAction: "report" rules: - name: check-cpu-memory-limits resource: @@ -22,19 +23,19 @@ spec: # cpu and memory are required memory: "?*" cpu: "?*" - - name: add-memory-limit - resource: - kinds: - - Deployment - mutate: - overlay: - spec: - template: - spec: - containers: - # the wildcard * will match all containers in the list - - (name): "*" - resources: - limits: - # add memory limit if it is not exist - "+(memory)": "300Mi" \ No newline at end of file + # - name: add-memory-limit + # resource: + # kinds: + # - Deployment + # mutate: + # overlay: + # spec: + # template: + # spec: + # containers: + # # the wildcard * will match all containers in the list + # - (name): "*" + # resources: + # limits: + # # add memory limit if it is not exist + # "+(memory)": "300Mi" \ No newline at end of file diff --git a/examples/demo/6_qos/qos.yaml b/examples/demo/6_qos/qos.yaml index 0b8018b673..d998bdfbc3 100644 --- a/examples/demo/6_qos/qos.yaml +++ b/examples/demo/6_qos/qos.yaml @@ -18,9 +18,3 @@ spec: resources: limits: cpu: "50m" - - name: ghost - image: ghost:latest - resources: - limits: - cpu: "50m" - memory: "500Mi"
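Review bot: `validationFailureAction: "report"` presumably switches `policy-qos` to a report-only mode, so a Deployment without cpu/memory limits is admitted and merely recorded, and the mutate rule that would have added the memory limit is commented out in the next hunk — the demo therefore neither blocks nor fixes missing limits. If report mode is the intended behaviour, state it in a comment above the field (`# report: violations are recorded, the resource is still admitted`); the other demo policies omit the field and rely on the default, so a reader will not expect this one to behave differently.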