From 31ce0875047c8474172a6351bc6d162fad727714 Mon Sep 17 00:00:00 2001 From: shivdudhani Date: Tue, 21 May 2019 15:43:43 -0700 Subject: [PATCH 1/3] support list of kind in resource, update the CRD openapischema & adapt the test and examples for the change --- definitions/install.yaml | 46 ++++++++++--------- examples/Validate/check_cpu_memory.yaml | 8 ++-- examples/Validate/check_hostpath.yaml | 5 +- examples/Validate/check_image_version.yaml | 5 +- examples/Validate/check_nodeport.yaml | 5 +- examples/Validate/check_probe_exists.yaml | 14 +++--- examples/Validate/check_probe_intervals.yaml | 9 ++-- .../Validate/check_whitelist_registries.yaml | 5 +- pkg/apis/policy/v1alpha1/types.go | 2 +- pkg/apis/policy/v1alpha1/utils.go | 8 ++-- pkg/apis/policy/v1alpha1/utils_test.go | 6 +-- pkg/engine/utils.go | 11 ++++- test/ConfigMap/policy-CM.yaml | 12 +++-- .../policy-cm-test.yaml | 5 +- .../policy-namespace-patch-cmgCG-sgCG.yaml | 23 ++++++---- test/CronJob/policy-cronjob-wldcrd.yaml | 7 +-- test/DaemonSet/policy-daemonset.yaml | 3 +- test/Deployment/policy-deployment-any.yaml | 4 +- test/Endpoint/policy-endpoints.yaml | 5 +- test/HorizontalPodAutoscaler/policy-hpa.yaml | 3 +- test/Ingress/policy-ingress.yaml | 3 +- test/Job/policy-job.yaml | 3 +- test/LimitRange/policy-limitrange.yaml | 5 +- test/Namespace/policy-namespace.yaml | 3 +- test/NetworkPolicy/policy-network-policy.yaml | 3 +- test/PersistentVolumeClaim/policy-PVC.yaml | 3 +- test/PodDisruptionBudget/policy-pdb.yaml | 3 +- test/PodTemplate/policy-PodTemplate.yaml | 3 +- .../policy-quota-validation.yaml | 15 +++--- test/ResourceQuota/policy-quota.yaml | 5 +- test/Secret/policy-secret.yaml | 3 +- test/Service/policy-service.yaml | 3 +- test/StatefulSet/policy-StatefulSet.yaml | 3 +- 33 files changed, 145 insertions(+), 96 deletions(-) diff --git a/definitions/install.yaml b/definitions/install.yaml index f23e12fad3..dd83e9fdb2 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml 
@@ -35,29 +35,31 @@ spec: resource: type: object required: - - kind + - kinds properties: - kind: - type: string - enum: - - ConfigMap - - CronJob - - DaemonSet - - Deployment - - Endpoints - - HorizontalPodAutoscaler - - Ingress - - Job - - LimitRange - - Namespace - - NetworkPolicy - - PersistentVolumeClaim - - PodDisruptionBudget - - PodTemplate - - ResourceQuota - - Secret - - Service - - StatefulSet + kinds: + type: array + items: + type: string + enum: + - ConfigMap + - CronJob + - DaemonSet + - Deployment + - Endpoints + - HorizontalPodAutoscaler + - Ingress + - Job + - LimitRange + - Namespace + - NetworkPolicy + - PersistentVolumeClaim + - PodDisruptionBudget + - PodTemplate + - ResourceQuota + - Secret + - Service + - StatefulSet name: type: string selector: diff --git a/examples/Validate/check_cpu_memory.yaml b/examples/Validate/check_cpu_memory.yaml index 61ab1d2b70..88b800d27d 100644 --- a/examples/Validate/check_cpu_memory.yaml +++ b/examples/Validate/check_cpu_memory.yaml @@ -1,4 +1,4 @@ -apiVersion: policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind: Policy metadata: name: check-cpu-memory @@ -6,7 +6,8 @@ spec: rules: - name: check-defined resource: - kind: Deployment + kinds: + - Deployment validate: message: "Resource requests and limits are required for CPU and memory" pattern: @@ -22,7 +23,8 @@ spec: cpu: "?" - name: check-memory-in-range resource: - kind: Deployment + kinds: + - Deployment validate: message: "Memory request cannot be greater than 10Gi" pattern: diff --git a/examples/Validate/check_hostpath.yaml b/examples/Validate/check_hostpath.yaml index 8ebe1d7817..db91e4c35a 100644 --- a/examples/Validate/check_hostpath.yaml +++ b/examples/Validate/check_hostpath.yaml @@ -1,4 +1,4 @@ -apiVersion: policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind: Policy metadata: name: check-host-path 
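Review bot: The new `kinds` enum still omits `Pod`, yet examples/Validate/check_hostpath.yaml in this same patch now declares `kinds: - Pod`, so if this openAPIV3Schema is enforced by the apiserver that example is refused at admission even though the Go matcher (an exact string compare in pkg/engine/utils.go) would accept it; add `- Pod` to the enum or change the example. The array also has no lower bound, while `ResourceDescription.Validate` in pkg/apis/policy/v1alpha1/utils.go rejects an empty list; adding `minItems: 1` under `type: array` makes the schema and the controller agree and refuses `kinds: []` before it reaches the engine. The enum contents predate the patch; only the Pod gap is raised because the series now ships an example that depends on it.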
@@ -6,7 +6,8 @@ spec: rules: - name: check-host-path resource: - kind: Pod + kinds: + - Pod validate: message: "Host path volumes are not allowed" pattern: diff --git a/examples/Validate/check_image_version.yaml b/examples/Validate/check_image_version.yaml index e71335499e..3529c1cd26 100644 --- a/examples/Validate/check_image_version.yaml +++ b/examples/Validate/check_image_version.yaml @@ -1,4 +1,4 @@ -apiVersion: policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind: Policy metadata: name: image-pull-policy @@ -7,7 +7,8 @@ spec: - name: image-pull-policy message: "Image tag ':latest' requires imagePullPolicy 'Always'" resource: - kind: Deployment + kinds: + - Deployment overlay: template: spec: diff --git a/examples/Validate/check_nodeport.yaml b/examples/Validate/check_nodeport.yaml index 1a5fd25c05..0277405364 100644 --- a/examples/Validate/check_nodeport.yaml +++ b/examples/Validate/check_nodeport.yaml @@ -1,4 +1,4 @@ -apiVersion: policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind: Policy metadata: name: check-host-path @@ -6,7 +6,8 @@ spec: rules: - name: check-host-path resource: - kind: Service + kinds: + - Service validate: message: "Node port services are not allowed" pattern: diff --git a/examples/Validate/check_probe_exists.yaml b/examples/Validate/check_probe_exists.yaml index d055455bf5..7a1e30edcc 100644 --- a/examples/Validate/check_probe_exists.yaml +++ b/examples/Validate/check_probe_exists.yaml @@ -1,4 +1,4 @@ -apiVersion: policy.nirmata.io/v1alpha1 +apiVersion: kubepolicy.nirmata.io/v1alpha1 kind: Policy metadata: name: check-probe-exists @@ -6,7 +6,8 @@ spec: rules: - name: check-liveness-probe-exists resource: - kind: StatefulSet + kinds: + - StatefulSet validate: message: "a livenessProbe is required" pattern: 
@@ -14,10 +15,11 @@ spec: # In this case every object in containers list will be checked for pattern - name: "*" livenessProbe: - periodSeconds: ? + periodSeconds: "?" - resource: - kind: Deployment - name: check-readiness-probe-exists + kinds: + - Deployment + name: check-readinessprobe-exists validate: message: "a readinessProbe is required" pattern: @@ -25,4 +27,4 @@ spec: # In this case every object in containers list will be checked for pattern - name: "*" readinessProbe: - periodSeconds: ? + periodSeconds: "?" diff --git a/examples/Validate/check_probe_intervals.yaml b/examples/Validate/check_probe_intervals.yaml index 77bc50b9ce..c2e25aa78e 100644 --- a/examples/Validate/check_probe_intervals.yaml +++ b/examples/Validate/check_probe_intervals.yaml @@ -1,4 +1,4 @@ -apiVersion: policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind: Policy metadata: name: check-probe-intervals @@ -6,7 +6,8 @@ spec: rules: - name: check-probe-intervals resource: - kind: Deployment + kinds: + - Deployment validate: message: "livenessProbe must be > 10s" pattern: @@ -16,7 +17,9 @@ spec: livenessProbe: periodSeconds: ">10" - resource: - kind: Deployment + kinds: + - Deployment + name: check-readinessprobe-intervals validate: pattern: message: "readinessProbe must be > 10s" diff --git a/examples/Validate/check_whitelist_registries.yaml b/examples/Validate/check_whitelist_registries.yaml index 79aceab2e0..6875dd3ea2 100644 --- a/examples/Validate/check_whitelist_registries.yaml +++ b/examples/Validate/check_whitelist_registries.yaml @@ -1,4 +1,4 @@ -apiVersion: policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind: Policy metadata: name: check-whitelist-registries @@ -7,7 +7,8 @@ spec: - name: check-whitelist-registries message: "Registry is not allowed" resource: - kind: Deployment + kinds: + - Deployment validate: pattern: template: 
diff --git a/pkg/apis/policy/v1alpha1/types.go b/pkg/apis/policy/v1alpha1/types.go
index 0e4374494c..12c0f7c9dd 100644
--- a/pkg/apis/policy/v1alpha1/types.go
+++ b/pkg/apis/policy/v1alpha1/types.go
@@ -33,7 +33,7 @@ type Rule struct {
 // ResourceDescription describes the resource to which the PolicyRule will be applied.
 type ResourceDescription struct {
- Kind string `json:"kind"`
+ Kinds []string `json:"kinds"`
 Name *string `json:"name"`
 Selector *metav1.LabelSelector `json:"selector"`
 }
diff --git a/pkg/apis/policy/v1alpha1/utils.go b/pkg/apis/policy/v1alpha1/utils.go
index 65719ba360..3fe4bf570b 100644
--- a/pkg/apis/policy/v1alpha1/utils.go
+++ b/pkg/apis/policy/v1alpha1/utils.go
@@ -22,13 +22,11 @@ func (r *Rule) Validate() error {
 }
 // Validate checks if all necesarry fields are present and have values. Also checks a Selector.
-// Returns error if resource definition is invalid.
+// Returns error if
+// - kinds is not defined
 func (pr *ResourceDescription) Validate() error {
- // TBD: selector or name MUST be specified
- if pr.Kind == "" {
+ if len(pr.Kinds) == 0 {
 return errors.New("The Kind is not specified")
- } else if pr.Name == nil && pr.Selector == nil {
- return errors.New("Neither Name nor Selector is specified")
 }
 if pr.Selector != nil {
diff --git a/pkg/apis/policy/v1alpha1/utils_test.go b/pkg/apis/policy/v1alpha1/utils_test.go
index 2d050ce3dc..867cfd729e 100644
--- a/pkg/apis/policy/v1alpha1/utils_test.go
+++ b/pkg/apis/policy/v1alpha1/utils_test.go
@@ -9,8 +9,8 @@ import (
 var defaultResourceDescriptionName = "defaultResourceDescription"
 var defaultResourceDescription = ResourceDescription{
- Kind: "Deployment",
- Name: &defaultResourceDescriptionName,
+ Kinds: []string{"Deployment"},
+ Name: &defaultResourceDescriptionName,
 Selector: &metav1.LabelSelector{
 MatchLabels: map[string]string{"LabelForSelector": "defaultResourceDescription"},
 },
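Review bot: `Kinds` is an exported field with no doc comment, and changing the JSON key from `kind` to `kinds` breaks every Policy object written against the old schema without anything in the type saying so; add above the field `// Kinds lists the resource kinds (exact match, e.g. "Deployment") the rule applies to; at least one is required. Replaces the former single-valued "kind" key.`. Since the Validate change in this same patch stops requiring `Name` or `Selector`, both remain pointers without `omitempty` and now deserve a comment stating they are optional and what a rule with neither of them matches. The ResourceDescription struct is shown in full, but the Rule struct named in the hunk header lies outside the visible lines.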
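Review bot: Dropping the `pr.Name == nil && pr.Selector == nil` branch silently widens every rule: a ResourceDescription that carries only `kinds` now validates and, through ResourceMeetsDescription in pkg/engine/utils.go, matches every object of those kinds the controller sees, for mutate and generate rules as well as validate. If that is the intended semantics the new doc comment should say so, e.g. `// A description with neither Name nor Selector applies to every resource of the listed kinds.`; if not, the check should stay as `if pr.Name == nil && pr.Selector == nil { return errors.New("Neither Name nor Selector is specified") }`. Either way `Test_ResourceDescription_EmptyNameAndSelector` in utils_test.go, the next file in this patch, still asserts `err != nil` for exactly this input and will fail unless the remainder of Validate, which continues past the hunk, returns an error for it. The retained message `"The Kind is not specified"` also names the old field (`"The Kinds list is empty"` matches the new check), and `necesarry` in the comment is misspelled.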
@@ -43,7 +43,7 @@ func Test_ResourceDescription_EmptyKind(t *testing.T) {
 func Test_ResourceDescription_EmptyNameAndSelector(t *testing.T) {
 resourceDescription := ResourceDescription{
- Kind: "Deployment",
+ Kinds: []string{"Deployment"},
 }
 err := resourceDescription.Validate()
 assert.Assert(t, err != nil)
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index f13f501f4d..0ba32f8949 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -13,7 +13,7 @@ import (
 // ResourceMeetsDescription checks requests kind, name and labels to fit the policy rule
 func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.ResourceDescription, gvk metav1.GroupVersionKind) bool {
- if description.Kind != gvk.Kind {
+ if !findKind(description.Kinds, gvk.Kind) {
 return false
 }
@@ -104,3 +104,12 @@ func ParseRegexPolicyResourceName(policyResourceName string) (string, bool) {
 }
 return strings.Trim(regex[1], " "), true
 }
+
+func findKind(kinds []string, kindGVK string) bool {
+ for _, kind := range kinds {
+ if kind == kindGVK {
+ return true
+ }
+ }
+ return false
+}
diff --git a/test/ConfigMap/policy-CM.yaml b/test/ConfigMap/policy-CM.yaml
index 843ff23f7e..e48ad9d4fa 100644
--- a/test/ConfigMap/policy-CM.yaml
+++ b/test/ConfigMap/policy-CM.yaml
@@ -6,7 +6,8 @@ spec :
 rules:
 - name: pCM1
 resource:
- kind : ConfigMap
+ kinds :
+ - ConfigMap
 name: "game-config"
 mutate:
 patches:
@@ -15,7 +16,8 @@ spec :
 value : newValue
 - name: pCM2
 resource:
- kind : ConfigMap
+ kinds :
+ - ConfigMap
 name: "game-config"
 mutate:
 patches:
@@ -26,7 +28,8 @@ spec :
 value : "data is replaced"
 - name: pCM3
 resource:
- kind : ConfigMap
+ kinds :
+ - ConfigMap
 name: "game-config"
 mutate:
 patches:
@@ -40,7 +43,8 @@ spec :
 game.properties: "*enemies=aliens*"
 - name: pCM4
 resource:
- kind : ConfigMap
+ kinds :
+ - ConfigMap
 name: "game-config"
 validate:
 message: "This CM data is broken because it does not have ui.properties"
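Review bot: `findKind` is now the single step that decides whether a policy rule applies to an admitted object and it has no doc comment; add `// findKind reports whether kindGVK exactly matches one of kinds (case-sensitive, no wildcard or regex expansion).` above it. Stating the exact-match rule matters because names do get wildcard handling elsewhere in this series (`"?ell*"` in policy-cronjob-wldcrd.yaml, `"game-service*"` in policy-service.yaml), and the CRD enum in definitions/install.yaml is the only thing keeping a free-form value out of `kinds`. The comment on ResourceMeetsDescription in the earlier hunk of this file still says `checks requests kind` and could be updated to `kinds` at the same time; the rest of that function is outside the hunk.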
diff --git a/test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml b/test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml index 3a0ce26477..84af6b62fb 100644 --- a/test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml +++ b/test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml @@ -6,12 +6,13 @@ spec: rules: - name: "copyCM" resource : - kind : Namespace + kinds : + - Namespace selector: matchLabels: LabelForSelector : "namespace2" generate : - kind: ConfigMap + - kind: ConfigMap name : copied-cm copyFrom : namespace : default diff --git a/test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml b/test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml index 56e21a4598..07ee04a2b8 100644 --- a/test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml +++ b/test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml @@ -11,7 +11,8 @@ spec : rules: - name: "patchNamespace2" resource : - kind : Namespace + kinds : + - Namespace selector: matchLabels: LabelForSelector : "namespace2" @@ -23,12 +24,13 @@ spec : - name: "copyCM" resource : - kind : Namespace + kinds : + - Namespace selector: matchLabels: LabelForSelector : "namespace2" generate : - kind: ConfigMap + - kind: ConfigMap name : copied-cm copyFrom : namespace : default @@ -38,12 +40,13 @@ spec : - name: "generateCM" resource : - kind : Namespace + kinds : + - Namespace selector: matchLabels: LabelForSelector : "namespace2" generate : - kind: ConfigMap + - kind: ConfigMap name : generated-cm data : secretData: "very sensitive data from cmg" @@ -56,10 +59,11 @@ spec : - name: "generateSecret" resource : - kind : Namespace + kinds : + - Namespace name: ns2 generate : - kind: Secret + - kind: Secret name : generated-secrets data : foo : bar 
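Review bot: `generate :` changes from a mapping to a sequence (`- kind: ConfigMap`) in this fixture and in every generate rule of policy-namespace-patch-cmgCG-sgCG.yaml that follows, but no hunk in this series touches the Go type or the CRD schema for `generate`: the diffstat lists only pkg/apis/policy/v1alpha1/types.go among the API files, and its visible hunk changes ResourceDescription alone. Unless the generate field of Rule is already a slice outside the visible lines, these fixtures stop decoding and the tests that load them fail before any rule runs. Either keep the mapping form or land the matching type and openAPIV3Schema change in the same patch.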
@@ -72,10 +76,11 @@ spec : - name: "copySecret" resource : - kind : Namespace + kinds : + - Namespace name: ns2 generate : - kind: Secret + - kind: Secret name : copied-secrets copyFrom : namespace : default diff --git a/test/CronJob/policy-cronjob-wldcrd.yaml b/test/CronJob/policy-cronjob-wldcrd.yaml index 4ef1598c35..1078139d1e 100644 --- a/test/CronJob/policy-cronjob-wldcrd.yaml +++ b/test/CronJob/policy-cronjob-wldcrd.yaml @@ -1,12 +1,13 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind: Policy metadata: name: policy-cronjob spec: rules: - - name: + - name: "rule" resource: - kind : CronJob + kinds : + - CronJob name: "?ell*" mutate: patches: diff --git a/test/DaemonSet/policy-daemonset.yaml b/test/DaemonSet/policy-daemonset.yaml index 47912c2795..62087e21d0 100644 --- a/test/DaemonSet/policy-daemonset.yaml +++ b/test/DaemonSet/policy-daemonset.yaml @@ -6,7 +6,8 @@ spec: rules: - name: "Patch and Volume validation" resource: - kind: DaemonSet + kinds: + - DaemonSet name: fluentd-elasticsearch mutate: patches: diff --git a/test/Deployment/policy-deployment-any.yaml b/test/Deployment/policy-deployment-any.yaml index 6a43ec225d..1b3b407e10 100644 --- a/test/Deployment/policy-deployment-any.yaml +++ b/test/Deployment/policy-deployment-any.yaml @@ -6,8 +6,8 @@ spec : rules: - name: "First policy v2" resource: - kind : Deployment - name: nginx-* + kinds : + - Deployment mutate: patches: - path: /metadata/labels/isMutated diff --git a/test/Endpoint/policy-endpoints.yaml b/test/Endpoint/policy-endpoints.yaml index 335573c6ba..55b2b826e9 100644 --- a/test/Endpoint/policy-endpoints.yaml +++ b/test/Endpoint/policy-endpoints.yaml @@ -4,9 +4,10 @@ metadata : name : policy-endpoints spec : rules: - - name: + - name: "rule" resource: - kind : Endpoints + kinds : + - Endpoints selector: matchLabels: label : test 
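Review bot: Removing `name: nginx-*` in policy-deployment-any.yaml leaves the mutate rule with only `kinds: - Deployment`, which after the Validate change in pkg/apis/policy/v1alpha1/utils.go is accepted and applies the patches to every Deployment rather than the `nginx-*` ones; a policy copied from this fixture would mutate cluster-wide with no warning. If widening the fixture is deliberate, say so in the rule name or a comment; otherwise keep `name: nginx-*` beneath the new `kinds` block. `TestValidate_MapHasFloats` in pkg/engine/validation_test.go appears to embed the same policy and still carries `"name": "nginx-*"`, so the two fixtures now disagree.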
diff --git a/test/HorizontalPodAutoscaler/policy-hpa.yaml b/test/HorizontalPodAutoscaler/policy-hpa.yaml index 840c41fc46..a7fe847b9d 100644 --- a/test/HorizontalPodAutoscaler/policy-hpa.yaml +++ b/test/HorizontalPodAutoscaler/policy-hpa.yaml @@ -6,7 +6,8 @@ spec : rules: - name: hpa1 resource: - kind : HorizontalPodAutoscaler + kinds : + - HorizontalPodAutoscaler selector: matchLabels: originalLabel: isHere diff --git a/test/Ingress/policy-ingress.yaml b/test/Ingress/policy-ingress.yaml index e0c2abb1a7..e8eb03b690 100644 --- a/test/Ingress/policy-ingress.yaml +++ b/test/Ingress/policy-ingress.yaml @@ -6,7 +6,8 @@ spec : rules: - name: ingress1 resource: - kind : Ingress + kinds : + - Ingress selector: matchLabels: originalLabel: isHere diff --git a/test/Job/policy-job.yaml b/test/Job/policy-job.yaml index eb023a8bf4..58660646fd 100644 --- a/test/Job/policy-job.yaml +++ b/test/Job/policy-job.yaml @@ -6,7 +6,8 @@ spec : rules: - name: job1 resource: - kind: Job + kinds: + - Job name: pi mutate: patches: diff --git a/test/LimitRange/policy-limitrange.yaml b/test/LimitRange/policy-limitrange.yaml index 79d3c7bf45..c7bc58eac5 100644 --- a/test/LimitRange/policy-limitrange.yaml +++ b/test/LimitRange/policy-limitrange.yaml @@ -4,9 +4,10 @@ metadata : name : policy-limitrange spec : rules: - - name: + - name: "rule" resource: - kind : LimitRange + kinds : + - LimitRange selector: matchLabels: containerSize: minimal diff --git a/test/Namespace/policy-namespace.yaml b/test/Namespace/policy-namespace.yaml index 9ef999212f..5697b22a43 100644 --- a/test/Namespace/policy-namespace.yaml +++ b/test/Namespace/policy-namespace.yaml @@ -7,7 +7,8 @@ spec : rules: - name: ns1 resource: - kind : Namespace + kinds : + - Namespace selector: matchLabels: LabelForSelector : "namespace" diff --git a/test/NetworkPolicy/policy-network-policy.yaml b/test/NetworkPolicy/policy-network-policy.yaml index 3e105c687b..084bda2762 100644 --- a/test/NetworkPolicy/policy-network-policy.yaml 
+++ b/test/NetworkPolicy/policy-network-policy.yaml @@ -6,7 +6,8 @@ spec: rules: - name: np1 resource: - kind : NetworkPolicy + kinds : + - NetworkPolicy selector: matchLabels: originalLabel: isHere diff --git a/test/PersistentVolumeClaim/policy-PVC.yaml b/test/PersistentVolumeClaim/policy-PVC.yaml index 4a05f586af..47e3c9ace6 100644 --- a/test/PersistentVolumeClaim/policy-PVC.yaml +++ b/test/PersistentVolumeClaim/policy-PVC.yaml @@ -6,7 +6,8 @@ spec: rules: - name: pvc1 resource: - kind : PersistentVolumeClaim + kinds : + - PersistentVolumeClaim matchLabels: originalLabel: isHere mutate: diff --git a/test/PodDisruptionBudget/policy-pdb.yaml b/test/PodDisruptionBudget/policy-pdb.yaml index 736d0199d4..9af46f5fd0 100644 --- a/test/PodDisruptionBudget/policy-pdb.yaml +++ b/test/PodDisruptionBudget/policy-pdb.yaml @@ -6,7 +6,8 @@ spec: rules: - name: pdb1 resource: - kind : PodDisruptionBudget + kinds : + - PodDisruptionBudget name: "game-pdb" mutate: patches: diff --git a/test/PodTemplate/policy-PodTemplate.yaml b/test/PodTemplate/policy-PodTemplate.yaml index dbe7b01e2a..c3c789e082 100644 --- a/test/PodTemplate/policy-PodTemplate.yaml +++ b/test/PodTemplate/policy-PodTemplate.yaml @@ -6,7 +6,8 @@ spec: rules: - name: podtemplate1 resource: - kind : PodTemplate + kinds : + - PodTemplate selector: matchLabels: originalLabel: isHere diff --git a/test/ResourceQuota/policy-quota-validation.yaml b/test/ResourceQuota/policy-quota-validation.yaml index fcf59a5173..e813d7fb07 100644 --- a/test/ResourceQuota/policy-quota-validation.yaml +++ b/test/ResourceQuota/policy-quota-validation.yaml @@ -4,9 +4,10 @@ metadata : name : policy-quota-low-test-validation spec : rules: - - name: + - name: "rule1" resource: - kind : ResourceQuota + kinds : + - ResourceQuota selector: matchLabels: quota: low @@ -16,9 +17,10 @@ spec : spec: hard: memory: "8Gi|12Gi" - - name: + - name: "rule2" resource: - kind : ResourceQuota + kinds : + - ResourceQuota selector: matchLabels: quota: low 
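Review bot: In policy-PVC.yaml the context lines show `matchLabels:` directly beneath `resource:` with no `selector:` key, so the label filter appears not to be part of the ResourceDescription schema and is dropped on decode; with the name/selector requirement removed from Validate in this patch the rule now validates cleanly and matches every PersistentVolumeClaim instead of those labelled `originalLabel: isHere`. The mis-nesting predates the patch, but the patch is what lets it pass silently; nest `matchLabels:` under a `selector:` line as the other fixtures do. The remainder of the rule is outside the hunk.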
@@ -28,9 +30,10 @@ spec : spec: hard: cpu: <3 - - name: + - name: "rule3" resource: - kind : ResourceQuota + kinds : + - ResourceQuota selector: matchLabels: quota: low diff --git a/test/ResourceQuota/policy-quota.yaml b/test/ResourceQuota/policy-quota.yaml index 89248787fe..e845eb56fb 100644 --- a/test/ResourceQuota/policy-quota.yaml +++ b/test/ResourceQuota/policy-quota.yaml @@ -4,9 +4,10 @@ metadata : name : policy-quota-low-test spec : rules: - - name: + - name: "rule" resource: - kind : ResourceQuota + kinds : + - ResourceQuota selector: matchLabels: quota: low diff --git a/test/Secret/policy-secret.yaml b/test/Secret/policy-secret.yaml index aeae51ad14..315c374754 100644 --- a/test/Secret/policy-secret.yaml +++ b/test/Secret/policy-secret.yaml @@ -6,7 +6,8 @@ spec: rules: - name: secret1 resource: - kind : Secret + kinds : + - Secret name: "mysecret" mutate: patches: diff --git a/test/Service/policy-service.yaml b/test/Service/policy-service.yaml index c92f4c6d21..8d2feb2200 100644 --- a/test/Service/policy-service.yaml +++ b/test/Service/policy-service.yaml @@ -6,7 +6,8 @@ spec : rules: - name: ps1 resource: - kind: Service + kinds: + - Service name: "game-service*" mutate: patches: diff --git a/test/StatefulSet/policy-StatefulSet.yaml b/test/StatefulSet/policy-StatefulSet.yaml index f9277c6016..71ab13295b 100644 --- a/test/StatefulSet/policy-StatefulSet.yaml +++ b/test/StatefulSet/policy-StatefulSet.yaml @@ -6,7 +6,8 @@ spec: rules: - name: statefulset1 resource: - kind : StatefulSet + kinds : + - StatefulSet selector: matchLabels: originalLabel: isHere From 15ce519cb993da179b68235fa446c0b0c64c5ed4 Mon Sep 17 00:00:00 2001 From: shivdudhani Date: Tue, 21 May 2019 15:49:48 -0700 Subject: [PATCH 2/3] update the example for CLI --- examples/CLI/deployment/policy-deployment.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/examples/CLI/deployment/policy-deployment.yaml b/examples/CLI/deployment/policy-deployment.yaml index ef8ab8b9bf..0bc65723c6 100644 --- a/examples/CLI/deployment/policy-deployment.yaml +++ b/examples/CLI/deployment/policy-deployment.yaml @@ -6,7 +6,8 @@ spec : rules: - name: deployment-policy resource: - kind : Deployment + kinds : + - Deployment selector : matchLabels : cli: test From 857aa81f3e6f743c3cfff6c3a17bbd2bb98d8e25 Mon Sep 17 00:00:00 2001 From: shivdudhani Date: Wed, 22 May 2019 10:53:01 -0700 Subject: [PATCH 3/3] update the project name in api version and test --- examples/Validate/check_cpu_memory.yaml | 2 +- examples/Validate/check_hostpath.yaml | 2 +- examples/Validate/check_image_version.yaml | 2 +- examples/Validate/check_nodeport.yaml | 2 +- examples/Validate/check_probe_exists.yaml | 2 +- examples/Validate/check_probe_intervals.yaml | 2 +- examples/Validate/check_whitelist_registries.yaml | 2 +- pkg/engine/validation_test.go | 4 ++-- test/Ingress/policy-ingress.yaml | 2 +- test/Job/policy-job.yaml | 2 +- test/LimitRange/policy-limitrange.yaml | 2 +- test/Namespace/policy-namespace.yaml | 2 +- test/NetworkPolicy/policy-network-policy.yaml | 2 +- test/PersistentVolumeClaim/policy-PVC.yaml | 2 +- test/PodDisruptionBudget/policy-pdb.yaml | 2 +- test/PodTemplate/policy-PodTemplate.yaml | 2 +- test/ResourceQuota/policy-quota-validation.yaml | 2 +- test/ResourceQuota/policy-quota.yaml | 2 +- test/Secret/policy-secret.yaml | 2 +- test/Service/policy-service.yaml | 2 +- test/StatefulSet/policy-StatefulSet.yaml | 2 +- 21 files changed, 22 insertions(+), 22 deletions(-) diff --git a/examples/Validate/check_cpu_memory.yaml b/examples/Validate/check_cpu_memory.yaml index 88b800d27d..f4a418296a 100644 --- a/examples/Validate/check_cpu_memory.yaml +++ b/examples/Validate/check_cpu_memory.yaml @@ -1,4 +1,4 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: check-cpu-memory 
diff --git a/examples/Validate/check_hostpath.yaml b/examples/Validate/check_hostpath.yaml index db91e4c35a..35dd08225b 100644 --- a/examples/Validate/check_hostpath.yaml +++ b/examples/Validate/check_hostpath.yaml @@ -1,4 +1,4 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: check-host-path diff --git a/examples/Validate/check_image_version.yaml b/examples/Validate/check_image_version.yaml index 3529c1cd26..15c8cb2d9a 100644 --- a/examples/Validate/check_image_version.yaml +++ b/examples/Validate/check_image_version.yaml @@ -1,4 +1,4 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: image-pull-policy diff --git a/examples/Validate/check_nodeport.yaml b/examples/Validate/check_nodeport.yaml index 0277405364..c2456f00e3 100644 --- a/examples/Validate/check_nodeport.yaml +++ b/examples/Validate/check_nodeport.yaml @@ -1,4 +1,4 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: check-host-path diff --git a/examples/Validate/check_probe_exists.yaml b/examples/Validate/check_probe_exists.yaml index 7a1e30edcc..442525a423 100644 --- a/examples/Validate/check_probe_exists.yaml +++ b/examples/Validate/check_probe_exists.yaml @@ -1,4 +1,4 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: check-probe-exists diff --git a/examples/Validate/check_probe_intervals.yaml b/examples/Validate/check_probe_intervals.yaml index c2e25aa78e..15f93e4a88 100644 --- a/examples/Validate/check_probe_intervals.yaml +++ b/examples/Validate/check_probe_intervals.yaml @@ -1,4 +1,4 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: check-probe-intervals 
diff --git a/examples/Validate/check_whitelist_registries.yaml b/examples/Validate/check_whitelist_registries.yaml index 6875dd3ea2..386fe92cda 100644 --- a/examples/Validate/check_whitelist_registries.yaml +++ b/examples/Validate/check_whitelist_registries.yaml @@ -1,4 +1,4 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: check-whitelist-registries diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index e0b031d216..84d94632f0 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go 
@@ -358,7 +358,7 @@ func TestValidateMapElement_OneElementInArrayNotPass(t *testing.T) { } func TestValidate_ServiceTest(t *testing.T) { - rawPolicy := []byte(`{ "apiVersion": "kubepolicy.nirmata.io/v1alpha1", "kind": "Policy", "metadata": { "name": "policy-service" }, "spec": { "rules": [ { "name": "ps1", "resource": { "kind": "Service", "name": "game-service*" }, "mutate": { "patches": [ { "path": "/metadata/labels/isMutated", "op": "add", "value": "true" }, { "path": "/metadata/labels/secretLabel", "op": "replace", "value": "weKnow" }, { "path": "/metadata/labels/originalLabel", "op": "remove" }, { "path": "/spec/selector/app", "op": "replace", "value": "mutedApp" } ] }, "validate": { "message": "This resource is broken", "pattern": { "spec": { "ports": [ { "name": "hs", "protocol": 32 } ] } } } } ] } }`) + rawPolicy := []byte(`{ "apiVersion": "kyverno.nirmata.io/v1alpha1", "kind": "Policy", "metadata": { "name": "policy-service" }, "spec": { "rules": [ { "name": "ps1", "resource": { "kind": "Service", "name": "game-service*" }, "mutate": { "patches": [ { "path": "/metadata/labels/isMutated", "op": "add", "value": "true" }, { "path": "/metadata/labels/secretLabel", "op": "replace", "value": "weKnow" }, { "path": "/metadata/labels/originalLabel", "op": "remove" }, { "path": "/spec/selector/app", "op": "replace", "value": "mutedApp" } ] }, "validate": { "message": "This resource is broken", "pattern": { "spec": { "ports": [ { "name": "hs", "protocol": 32 } ] } } } } ] } }`) rawResource := []byte(`{ "kind": "Service", "apiVersion": "v1", "metadata": { "name": "game-service", "labels": { "originalLabel": "isHere", "secretLabel": "thisIsMySecret" } }, "spec": { "selector": { "app": "MyApp" }, "ports": [ { "name": "http", "protocol": "TCP", "port": 80, "targetPort": 9376 } ] } }`) var policy kubepolicy.Policy 
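Review bot: The fixture still describes the resource as `"resource": { "kind": "Service", "name": "game-service*" }`, and the TestValidate_MapHasFloats hunk that follows still has `"kind": "Deployment"`, but patch 1/3 renamed the field to `Kinds` with tag `json:"kinds"`, so `kind` is now an unknown key that encoding/json silently drops and the decoded rule's Kinds slice is empty. Whether the test still passes depends on whether the path it exercises (outside the hunk) calls ResourceMeetsDescription; if it does, `findKind` returns false for every object and the later assertions measure nothing. Change the fixtures to `"resource": { "kinds": ["Service"], "name": "game-service*" }` and `"kinds": ["Deployment"]` respectively.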
@@ -372,7 +372,7 @@ func TestValidate_ServiceTest(t *testing.T) { } func TestValidate_MapHasFloats(t *testing.T) { - rawPolicy := []byte(`{ "apiVersion": "kubepolicy.nirmata.io/v1alpha1", "kind": "Policy", "metadata": { "name": "policy-deployment-changed" }, "spec": { "rules": [ { "name": "First policy v2", "resource": { "kind": "Deployment", "name": "nginx-*" }, "mutate": { "patches": [ { "path": "/metadata/labels/isMutated", "op": "add", "value": "true" }, { "path": "/metadata/labels/app", "op": "replace", "value": "nginx_is_mutated" } ] }, "validate": { "message": "replicas number is wrong", "pattern": { "metadata": { "labels": { "app": "*" } }, "spec": { "replicas": 3 } } } } ] } }`) + rawPolicy := []byte(`{ "apiVersion": "kyverno.nirmata.io/v1alpha1", "kind": "Policy", "metadata": { "name": "policy-deployment-changed" }, "spec": { "rules": [ { "name": "First policy v2", "resource": { "kind": "Deployment", "name": "nginx-*" }, "mutate": { "patches": [ { "path": "/metadata/labels/isMutated", "op": "add", "value": "true" }, { "path": "/metadata/labels/app", "op": "replace", "value": "nginx_is_mutated" } ] }, "validate": { "message": "replicas number is wrong", "pattern": { "metadata": { "labels": { "app": "*" } }, "spec": { "replicas": 3 } } } } ] } }`) rawResource := []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "name": "nginx-deployment", "labels": { "app": "nginx" } }, "spec": { "replicas": 3, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:1.7.9", "ports": [ { "containerPort": 80 } ] } ] } } } }`) var policy kubepolicy.Policy diff --git a/test/Ingress/policy-ingress.yaml b/test/Ingress/policy-ingress.yaml index e8eb03b690..220f741df6 100644 --- a/test/Ingress/policy-ingress.yaml +++ b/test/Ingress/policy-ingress.yaml 
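Review bot: The fixture apiVersion moves to `kyverno.nirmata.io/v1alpha1`, as do all example and test YAML files in this patch, but the patch's diffstat touches neither definitions/install.yaml nor anything under pkg/apis/policy/v1alpha1 where the API group would be registered; if the CRD is still served as `kubepolicy.nirmata.io`, every updated example is rejected by the apiserver as an unknown kind while this unit test, which only unmarshals the bytes, keeps passing. Either include the group rename in the same patch or state in the commit message that it lands separately. TestValidate_MapHasFloats continues past the hunk.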
@@ -1,4 +1,4 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion: kyverno.nirmata.io/v1alpha1 kind: Policy metadata : name : policy-ingress diff --git a/test/Job/policy-job.yaml b/test/Job/policy-job.yaml index 58660646fd..a9ef3e035d 100644 --- a/test/Job/policy-job.yaml +++ b/test/Job/policy-job.yaml @@ -1,4 +1,4 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion: kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: policy-job-perl-bigint diff --git a/test/LimitRange/policy-limitrange.yaml b/test/LimitRange/policy-limitrange.yaml index c7bc58eac5..ccc8fee490 100644 --- a/test/LimitRange/policy-limitrange.yaml +++ b/test/LimitRange/policy-limitrange.yaml @@ -1,4 +1,4 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind : Policy metadata : name : policy-limitrange diff --git a/test/Namespace/policy-namespace.yaml b/test/Namespace/policy-namespace.yaml index 5697b22a43..1f8657f579 100644 --- a/test/Namespace/policy-namespace.yaml +++ b/test/Namespace/policy-namespace.yaml @@ -1,4 +1,4 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion: kyverno.nirmata.io/v1alpha1 kind: Policy metadata : name : policy-namespace diff --git a/test/NetworkPolicy/policy-network-policy.yaml b/test/NetworkPolicy/policy-network-policy.yaml index 084bda2762..2c7d415ddc 100644 --- a/test/NetworkPolicy/policy-network-policy.yaml +++ b/test/NetworkPolicy/policy-network-policy.yaml @@ -1,4 +1,4 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion: kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: policy-network-policy diff --git a/test/PersistentVolumeClaim/policy-PVC.yaml b/test/PersistentVolumeClaim/policy-PVC.yaml index 47e3c9ace6..7d45d2ae50 100644 --- a/test/PersistentVolumeClaim/policy-PVC.yaml +++ b/test/PersistentVolumeClaim/policy-PVC.yaml @@ -1,4 +1,4 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion: kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: policy-pvc 
diff --git a/test/PodDisruptionBudget/policy-pdb.yaml b/test/PodDisruptionBudget/policy-pdb.yaml index 9af46f5fd0..dce6c993e0 100644 --- a/test/PodDisruptionBudget/policy-pdb.yaml +++ b/test/PodDisruptionBudget/policy-pdb.yaml @@ -1,4 +1,4 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion: kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: policy-pdb diff --git a/test/PodTemplate/policy-PodTemplate.yaml b/test/PodTemplate/policy-PodTemplate.yaml index c3c789e082..bd19ba6d0f 100644 --- a/test/PodTemplate/policy-PodTemplate.yaml +++ b/test/PodTemplate/policy-PodTemplate.yaml @@ -1,4 +1,4 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion: kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: test-podtemplate diff --git a/test/ResourceQuota/policy-quota-validation.yaml b/test/ResourceQuota/policy-quota-validation.yaml index e813d7fb07..5fe16379b2 100644 --- a/test/ResourceQuota/policy-quota-validation.yaml +++ b/test/ResourceQuota/policy-quota-validation.yaml @@ -1,4 +1,4 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind : Policy metadata : name : policy-quota-low-test-validation diff --git a/test/ResourceQuota/policy-quota.yaml b/test/ResourceQuota/policy-quota.yaml index e845eb56fb..fe131c5a74 100644 --- a/test/ResourceQuota/policy-quota.yaml +++ b/test/ResourceQuota/policy-quota.yaml @@ -1,4 +1,4 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind : Policy metadata : name : policy-quota-low-test diff --git a/test/Secret/policy-secret.yaml b/test/Secret/policy-secret.yaml index 315c374754..8e008d040c 100644 --- a/test/Secret/policy-secret.yaml +++ b/test/Secret/policy-secret.yaml @@ -1,4 +1,4 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion: kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: policy-secrets diff --git a/test/Service/policy-service.yaml b/test/Service/policy-service.yaml index 8d2feb2200..c3ba48b24b 100644 
--- a/test/Service/policy-service.yaml +++ b/test/Service/policy-service.yaml @@ -1,4 +1,4 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 +apiVersion : kyverno.nirmata.io/v1alpha1 kind : Policy metadata : name : policy-service diff --git a/test/StatefulSet/policy-StatefulSet.yaml b/test/StatefulSet/policy-StatefulSet.yaml index 71ab13295b..9da7967d7a 100644 --- a/test/StatefulSet/policy-StatefulSet.yaml +++ b/test/StatefulSet/policy-StatefulSet.yaml @@ -1,4 +1,4 @@ -apiVersion: kubepolicy.nirmata.io/v1alpha1 +apiVersion: kyverno.nirmata.io/v1alpha1 kind: Policy metadata: name: policy-statefulset