
add demo examples

shuting 2019-06-22 16:05:06 -07:00 committed by Shuting Zhao
parent 3ceca244c1
commit 5132f6497a
8 changed files with 180 additions and 0 deletions


@ -0,0 +1,4 @@
kind: Namespace
apiVersion: v1
metadata:
name: "demo"

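--- a/demo/generate/policy.yaml
+++ b/demo/generate/policy.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+name: "default"
+spec:
+rules:
+- name: "deny-all-ingress-traffic"
+resource:
+kinds:
+- Namespace
+name: "*"
+generate:
+kind: NetworkPolicy
+name: deny-all-traffic
+data:
+spec:
+podSelector:
+matchLabels: {}
+matchExpressions: []
+policyTypes:
+- Ingress
+metadata:
+annotations: {}
+labels:
+policyname: "default"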
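Review bot: The generated NetworkPolicy is named `deny-all-traffic`, but its `policyTypes` list holds only `Ingress`, so egress from the selected pods stays unrestricted and the name overstates what is enforced. Either rename the generated object to match the rule, `name: deny-all-ingress-traffic`, or add `- Egress` to `policyTypes` if a full deny is intended. A comment above `podSelector` saying that the empty `matchLabels: {}` selects every pod in the namespace would help, and since `name: "*"` appears to match every Namespace it is worth confirming that system namespaces are meant to be included. The page has lost the file's indentation, so the nesting here is read from key order.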

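--- a/demo/mutate_patch/ep.yaml
+++ b/demo/mutate_patch/ep.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+name: test-endpoint
+labels:
+label : test
+subsets:
+- addresses:
+- ip: 192.168.10.171
+ports:
+- name: secure-connection
+port: 443
+protocol: TCP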


@ -0,0 +1,23 @@
apiVersion : kyverno.io/v1alpha1
kind : Policy
metadata :
name : policy-endpoints
spec :
rules:
- name: pEP
resource:
kinds :
- Endpoints
selector:
matchLabels:
label : test
mutate:
patches:
# add a new label
- path: "metadata/labels/isMutate"
op: add
value: true
# replace port
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
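Review bot: The first patch path, `metadata/labels/isMutate`, has no leading slash while the second, `/subsets/0/ports/0/port`, does; if these are JSON Patch operations the pointer must begin with `/`, so it should read `path: "/metadata/labels/isMutate"`. The same patch passes `value: true`, which YAML parses as a boolean, but Kubernetes label values must be strings, so `value: "true"` is the safe form. The spacing before colons (`apiVersion :`, `path :`, `op :`) is also inconsistent with the other demo files.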

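--- a/demo/qos/policy_qos.yaml
+++ b/demo/qos/policy_qos.yaml
@@ -0,0 +1,40 @@
+apiVersion : kyverno.io/v1alpha1
+kind: Policy
+metadata:
+name: policy-qos
+spec:
+rules:
+- name: add-memory-limit
+resource:
+kinds:
+- Deployment
+mutate:
+overlay:
+spec:
+template:
+spec:
+containers:
+# the wildcard * will match all containers in the list
+- (name): "*"
+resources:
+limits:
+# add memory limit if it is not exist
+"+(memory)": "300Mi"
+- name: check-cpu-memory-limits
+resource:
+kinds:
+- Pod
+validate:
+message: "Resource limits are required for CPU and memory"
+pattern:
+spec:
+template:
+spec:
+containers:
+# match all contianers
+- (name): "*"
+resources:
+limits:
+# cpu and memory is required despite of the value
+memory: "?*"
+cpu: "?*"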
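Review bot: The `check-cpu-memory-limits` rule selects `kinds: - Pod`, but its pattern descends through `spec`, `template`, `spec`, `containers`, which is the Deployment layout; a Pod keeps its containers directly under `spec`, so as written the pattern cannot match as intended and the check may not enforce what its message says. Either drop the `template:` and inner `spec:` levels from the pattern or change the kind to `Deployment`. Two comment fixes in the same file: `# match all containers` and `# add a memory limit if none is set`.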

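--- a/demo/qos/qos.yaml
+++ b/demo/qos/qos.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: qos-demo
+# labels:
+# app: nginx
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: nginx
+template:
+metadata:
+labels:
+app: nginx
+spec:
+containers:
+- name: nginx
+image: nginx:latest
+resources:
+limits:
+cpu: "50m"
+- name: ghost
+image: ghost:latest
+resources:
+limits:
+cpu: "50m"
+memory: "500Mi"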
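Review bot: Both containers use mutable tags, `nginx:latest` and `ghost:latest`, so the demo can pull a different image on each run and its result is not reproducible; pin each to a fixed tag or digest, for example `image: nginx:<pinned-tag>` (placeholder). The untagged `image: busybox` in the `psp-demo` Deployment section has the same issue. The `nginx` container appears to omit its memory limit on purpose so that the `add-memory-limit` rule has something to mutate, and a one-line comment saying so would make the demo self-explanatory.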


@ -0,0 +1,26 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: psp-demo
labels:
app.type: prod
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
volumes:
- name: sec-ctx-vol
emptyDir: {}
containers:
- name: sec-ctx-demo
image: busybox
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo


@ -0,0 +1,21 @@
apiVersion : kyverno.io/v1alpha1
kind: Policy
metadata:
name: policy-security-context
spec:
rules:
- name: set-userID
resource:
kinds:
- Deployment
selector :
matchLabels:
app.type: prod
mutate:
overlay:
spec:
template:
spec:
securityContext:
runAsUser: 1000
fsGroup: 2000
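Review bot: The overlay sets `runAsUser: 1000` and `fsGroup: 2000` only at pod level, and a container-level `securityContext` in a matching Deployment can still override `runAsUser` with 0. Adding `runAsNonRoot: true` next to `runAsUser` makes the kubelet refuse to start a container as root regardless of such an override. Unlike the `"+(memory)"` key in the qos policy, these keys carry no add-if-absent anchor, so the overlay presumably overwrites values the Deployment author set; a comment stating which behaviour is intended would help.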