diff --git a/test/cli/registry/image-example.yaml b/test/cli/registry/image-example.yaml
index 4d13aa6b2c..a8b31d924a 100644
--- a/test/cli/registry/image-example.yaml
+++ b/test/cli/registry/image-example.yaml
@@ -4,68 +4,76 @@ kind: ClusterPolicy metadata: name: images spec: - validationFailureAction: enforce + admission: true + background: true rules: - - name: only-allow-trusted-images - match: - resources: - kinds: - - Pod + - match: + any: + - resources: + kinds: + - Pod + name: only-allow-trusted-images preconditions: - - key: "{{request.operation}}" + all: + - key: '{{request.operation}}' operator: NotEquals value: DELETE validate: - message: "images with root user are not allowed" foreach: - - list: "request.object.spec.containers" - context: - - name: imageData - imageRegistry: - reference: "{{ element.image }}" + - context: + - imageRegistry: + reference: '{{ element.image }}' + name: imageData deny: conditions: all: - - key: "{{ imageData.configData.config.User || ''}}" - operator: Equals - value: "" - - key: "{{ imageData.registry }}" - operator: NotEquals - value: "ghcr.io" + - key: '{{ imageData.configData.config.User || ''''}}' + operator: Equals + value: "" + - key: '{{ imageData.registry }}' + operator: NotEquals + value: ghcr.io + list: request.object.spec.containers + message: images with root user are not allowed + validationFailureAction: Enforce --- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: check-image-base spec: - validationFailureAction: enforce + admission: true + background: true rules: - - name: check-image-base-rule - match: + - match: any: - resources: kinds: - Pod + name: check-image-base-rule preconditions: all: - - key: "{{request.operation}}" + - key: '{{request.operation}}' operator: NotEquals value: DELETE validate: - message: "Images must specify a source/base image from which they are built to be valid." 
foreach: - - list: "request.object.spec.containers" - context: - - name: imageData - imageRegistry: - reference: "{{ element.image }}" + - context: + - imageRegistry: + reference: '{{ element.image }}' + name: imageData - name: mobysource variable: - jmesPath: imageData.configData."moby.buildkit.buildinfo.v1" | base64_decode(@).parse_json(@) | sources[].ref | length(@) default: 0 + jmesPath: imageData.configData."moby.buildkit.buildinfo.v1" | base64_decode(@).parse_json(@) + | sources[].ref | length(@) deny: conditions: all: - - key: "{{ mobysource }}" - operator: Equals - value: 0 \ No newline at end of file + - key: '{{ mobysource }}' + operator: Equals + value: 0 + list: request.object.spec.containers + message: Images must specify a source/base image from which they are built to + be valid. + validationFailureAction: Enforce diff --git a/test/cli/test-fail/invalid-ns/policy.yaml b/test/cli/test-fail/invalid-ns/policy.yaml index 2d03751e75..054dfbb785 100644 --- a/test/cli/test-fail/invalid-ns/policy.yaml +++ b/test/cli/test-fail/invalid-ns/policy.yaml 
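Review bot: Both foreach rules on the new side iterate only `list: request.object.spec.containers`, so an `initContainers` or `ephemeralContainers` entry running as root or without build-source metadata is never inspected; add a second foreach entry with `list: request.object.spec.initContainers` (and one for ephemeralContainers) or a JMESPath union so the image lookup covers every container in the Pod. The first rule's `all` deny block also only fires when `imageData.registry` is not `ghcr.io`, which means a root-user image pulled from ghcr.io is admitted even though the message says `images with root user are not allowed`; if that allow-list is intentional the message should state it. Finally, both policies now set `background: true` while their preconditions read `'{{request.operation}}'`; confirm the targeted Kyverno release supplies that variable during background scans, otherwise the precondition may not evaluate as intended there.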
@@ -1,35 +1,39 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: restrict-labels + annotations: + policies.kyverno.io/category: Labels + policies.kyverno.io/description: This policy prevents the use of an label beginning + with a common key name (in this case "platform.das-schiff.telekom.de/owner | + owner"). This can be useful to ensure users either don't set reserved labels + or to force them to use a newer version of an label. + policies.kyverno.io/minversion: 1.3.0 + policies.kyverno.io/title: Restrict Labels on Namespaces labels: policy.schiff.telekom.de: enforced - annotations: - policies.kyverno.io/title: Restrict Labels on Namespaces - policies.kyverno.io/category: Labels - policies.kyverno.io/minversion: 1.3.0 - policies.kyverno.io/description: >- - This policy prevents the use of an label beginning with a common - key name (in this case "platform.das-schiff.telekom.de/owner | owner"). This can be useful to ensure users either - don't set reserved labels or to force them to - use a newer version of an label. + name: restrict-labels spec: - validationFailureAction: enforce + admission: true background: false rules: - - name: restrict-labels + - exclude: + any: + - clusterRoles: + - cluster-admin + resources: {} match: - resources: - kinds: - - Namespace - exclude: - clusterRoles: - - cluster-admin + any: + - resources: + kinds: + - Namespace + name: restrict-labels validate: - message: 'Every namespace has to have `platform.das-schiff.telekom.de/owner` label. It must not have value `das-schiff` which is reserved for system namespaces' + message: Every namespace has to have `platform.das-schiff.telekom.de/owner` + label. 
It must not have value `das-schiff` which is reserved for system namespaces pattern: metadata: labels: - platform.das-schiff.telekom.de/owner: "!das-schiff" - # For forward compatibility - =(schiff.telekom.de/owner): "!schiff" \ No newline at end of file + =(schiff.telekom.de/owner): '!schiff' + platform.das-schiff.telekom.de/owner: '!das-schiff' + validationFailureAction: Enforce diff --git a/test/cli/test-fail/missing-policy/policy.yaml b/test/cli/test-fail/missing-policy/policy.yaml index 91d2c6f673..0402a21916 100644 --- a/test/cli/test-fail/missing-policy/policy.yaml +++ b/test/cli/test-fail/missing-policy/policy.yaml 
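Review bot: The reformat dropped the `# For forward compatibility` comment that explained why `=(schiff.telekom.de/owner): '!schiff'` is an optional (`=()`) anchor while `platform.das-schiff.telekom.de/owner` is required; restore it directly above that line so the asymmetry is not read as a typo. The new `exclude.any[0].resources: {}` is a serializer artifact — an empty `resources` map adds nothing to the `cluster-admin` clusterRoles exclusion and can be removed. Note that the exclusion still means any subject bound to `cluster-admin` can create a namespace carrying the reserved `das-schiff` owner value, which is worth a one-line comment next to `exclude`.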
@@ -1,39 +1,43 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-latest-tag annotations: policies.kyverno.io/category: Best Practices - policies.kyverno.io/description: >- - The ':latest' tag is mutable and can lead to unexpected errors if the - image changes. A best practice is to use an immutable tag that maps to - a specific version of an application pod. + policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead + to unexpected errors if the image changes. A best practice is to use an immutable + tag that maps to a specific version of an application pod. ' + name: disallow-latest-tag spec: - validationFailureAction: audit + admission: true + background: true rules: - - name: require-image-tag - match: - resources: - kinds: - - Pod - namespaces: - - test + - match: + any: + - resources: + kinds: + - Pod + namespaces: + - test + name: require-image-tag validate: - message: "An image tag is required." + message: An image tag is required. pattern: spec: containers: - - image: "*:*" - - name: validate-image-tag - match: - resources: - kinds: - - Pod - namespaces: - - test + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + namespaces: + - test + name: validate-image-tag validate: - message: "Using a mutable image tag e.g. 'latest' is not allowed." + message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - - image: "!*:latest" + - image: '!*:latest' + validationFailureAction: Audit diff --git a/test/cli/test-fail/missing-resource/policy.yaml b/test/cli/test-fail/missing-resource/policy.yaml index 91d2c6f673..0402a21916 100644 --- a/test/cli/test-fail/missing-resource/policy.yaml +++ b/test/cli/test-fail/missing-resource/policy.yaml 
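Review bot: The `require-image-tag` pattern `image: '*:*'` on the new side is satisfied by any reference containing a colon, so `registry.example:5000/app` (port, no tag) and `app@sha256:…` (digest, no tag) both pass, and `'!*:latest'` does not reject `app@sha256:…` either; if a real tag is required, a `deny` condition that inspects the parsed tag is needed rather than a glob. This is a CLI failure fixture so the gap may be deliberate, but the annotation description still promises an immutable tag; a comment such as `# fixture only: '*:*' also matches digests and registry ports` would prevent it being copied as a reference policy.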
@@ -1,39 +1,43 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-latest-tag annotations: policies.kyverno.io/category: Best Practices - policies.kyverno.io/description: >- - The ':latest' tag is mutable and can lead to unexpected errors if the - image changes. A best practice is to use an immutable tag that maps to - a specific version of an application pod. + policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead + to unexpected errors if the image changes. A best practice is to use an immutable + tag that maps to a specific version of an application pod. ' + name: disallow-latest-tag spec: - validationFailureAction: audit + admission: true + background: true rules: - - name: require-image-tag - match: - resources: - kinds: - - Pod - namespaces: - - test + - match: + any: + - resources: + kinds: + - Pod + namespaces: + - test + name: require-image-tag validate: - message: "An image tag is required." + message: An image tag is required. pattern: spec: containers: - - image: "*:*" - - name: validate-image-tag - match: - resources: - kinds: - - Pod - namespaces: - - test + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + namespaces: + - test + name: validate-image-tag validate: - message: "Using a mutable image tag e.g. 'latest' is not allowed." + message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - - image: "!*:latest" + - image: '!*:latest' + validationFailureAction: Audit diff --git a/test/cli/test-fail/missing-rule/policy.yaml b/test/cli/test-fail/missing-rule/policy.yaml index 91d2c6f673..0402a21916 100644 --- a/test/cli/test-fail/missing-rule/policy.yaml +++ b/test/cli/test-fail/missing-rule/policy.yaml 
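Review bot: This fixture is byte-identical to `test/cli/test-fail/missing-policy/policy.yaml` (the index line shows the same blob ids `91d2c6f673..0402a21916`), so the same caveat applies: the `'*:*'` pattern in `require-image-tag` also accepts digest references and registry ports, not just tags. If the three test-fail cases intentionally share one policy, a short comment at the top naming the failure mode this copy exercises (here a missing resource) would make the duplication clearly deliberate and keep the copies from drifting.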
@@ -1,39 +1,43 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: disallow-latest-tag annotations: policies.kyverno.io/category: Best Practices - policies.kyverno.io/description: >- - The ':latest' tag is mutable and can lead to unexpected errors if the - image changes. A best practice is to use an immutable tag that maps to - a specific version of an application pod. + policies.kyverno.io/description: 'The '':latest'' tag is mutable and can lead + to unexpected errors if the image changes. A best practice is to use an immutable + tag that maps to a specific version of an application pod. ' + name: disallow-latest-tag spec: - validationFailureAction: audit + admission: true + background: true rules: - - name: require-image-tag - match: - resources: - kinds: - - Pod - namespaces: - - test + - match: + any: + - resources: + kinds: + - Pod + namespaces: + - test + name: require-image-tag validate: - message: "An image tag is required." + message: An image tag is required. pattern: spec: containers: - - image: "*:*" - - name: validate-image-tag - match: - resources: - kinds: - - Pod - namespaces: - - test + - image: '*:*' + - match: + any: + - resources: + kinds: + - Pod + namespaces: + - test + name: validate-image-tag validate: - message: "Using a mutable image tag e.g. 'latest' is not allowed." + message: Using a mutable image tag e.g. 'latest' is not allowed. pattern: spec: containers: - - image: "!*:latest" + - image: '!*:latest' + validationFailureAction: Audit diff --git a/test/cli/test-generate/add-network-policy/policy.yaml b/test/cli/test-generate/add-network-policy/policy.yaml index b0c296ecdb..2591e87b6c 100644 --- a/test/cli/test-generate/add-network-policy/policy.yaml +++ b/test/cli/test-generate/add-network-policy/policy.yaml 
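Review bot: This is the third byte-identical copy of the `disallow-latest-tag` policy (same blob ids `91d2c6f673..0402a21916` as the missing-policy and missing-resource fixtures), so the `'*:*'` glob in `require-image-tag` again lets digest-only and port-only references through. Consider a leading comment such as `# identical to ../missing-policy/policy.yaml; this case exercises a missing rule reference` so a reader knows the content is intentionally shared and where the canonical copy lives.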
@@ -1,37 +1,41 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: add-networkpolicy annotations: - policies.kyverno.io/title: Add Network Policy policies.kyverno.io/category: Multi-Tenancy + policies.kyverno.io/description: 'By default, Kubernetes allows communications + across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in + that supports NetworkPolicy must be used to restrict communications. A default + NetworkPolicy should be configured for each Namespace to default deny all ingress + and egress traffic to the Pods in the Namespace. Application teams can then + configure additional NetworkPolicy resources to allow desired traffic to application + Pods from select sources. This policy will create a new NetworkPolicy resource + named `default-deny` which will deny all traffic anytime a new Namespace is + created. ' policies.kyverno.io/subject: NetworkPolicy - policies.kyverno.io/description: >- - By default, Kubernetes allows communications across all Pods within a cluster. - The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict - communications. A default NetworkPolicy should be configured for each Namespace to - default deny all ingress and egress traffic to the Pods in the Namespace. Application - teams can then configure additional NetworkPolicy resources to allow desired traffic - to application Pods from select sources. This policy will create a new NetworkPolicy resource - named `default-deny` which will deny all traffic anytime a new Namespace is created. 
+ policies.kyverno.io/title: Add Network Policy + name: add-networkpolicy spec: + admission: true + background: true rules: - - name: default-deny - match: - resources: - kinds: - - Namespace - generate: + - generate: apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - name: default-deny - namespace: "{{request.object.metadata.name}}" - synchronize: true data: spec: - # select all pods in the namespace podSelector: {} - # deny all traffic policyTypes: - Ingress - - Egress \ No newline at end of file + - Egress + kind: NetworkPolicy + name: default-deny + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: default-deny + validationFailureAction: Audit diff --git a/test/cli/test-generate/add-quota/policy.yaml b/test/cli/test-generate/add-quota/policy.yaml index 67868b1613..7d31290c19 100644 --- a/test/cli/test-generate/add-quota/policy.yaml +++ b/test/cli/test-generate/add-quota/policy.yaml 
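Review bot: The generated `default-deny` NetworkPolicy on the new side lists both `Ingress` and `Egress` with an empty `podSelector`, which also blocks egress to kube-dns, so every new namespace needs a companion allow rule before its Pods can resolve names; the policy description should say so, e.g. `# blocks all egress including DNS — tenants must add an allow-dns NetworkPolicy`. The reformat also dropped the `# select all pods in the namespace` and `# deny all traffic` comments from `data.spec`; restore them. `validationFailureAction: Audit` has no effect on a generate-only rule and can be omitted to avoid suggesting audit-mode behaviour.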
@@ -1,48 +1,42 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: add-ns-quota annotations: - policies.kyverno.io/title: Add Quota policies.kyverno.io/category: Multi-Tenancy + policies.kyverno.io/description: 'To better control the number of resources that + can be created in a given Namespace and provide default resource consumption + limits for Pods, ResourceQuota and LimitRange resources are recommended. This + policy will generate ResourceQuota and LimitRange resources when a new Namespace + is created. ' policies.kyverno.io/subject: ResourceQuota, LimitRange - policies.kyverno.io/description: >- - To better control the number of resources that can be created in a given - Namespace and provide default resource consumption limits for Pods, - ResourceQuota and LimitRange resources are recommended. - This policy will generate ResourceQuota and LimitRange resources when - a new Namespace is created. + policies.kyverno.io/title: Add Quota + name: add-ns-quota spec: + admission: true + background: true rules: - - name: generate-resourcequota - match: - resources: - kinds: - - Namespace - generate: + - generate: apiVersion: v1 - kind: ResourceQuota - name: default-resourcequota - synchronize: true - namespace: "{{request.object.metadata.name}}" data: spec: hard: - requests.cpu: '4' - requests.memory: '16Gi' - limits.cpu: '4' - limits.memory: '16Gi' - - name: generate-limitrange - match: - resources: - kinds: - - Namespace - generate: - apiVersion: v1 - kind: LimitRange - name: default-limitrange + limits.cpu: "4" + limits.memory: 16Gi + requests.cpu: "4" + requests.memory: 16Gi + kind: ResourceQuota + name: default-resourcequota + namespace: '{{request.object.metadata.name}}' synchronize: true - namespace: "{{request.object.metadata.name}}" + match: + any: + - resources: + kinds: + - Namespace + name: generate-resourcequota + - generate: + apiVersion: v1 data: spec: limits: 
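Review bot: `generate-resourcequota` matches every `Namespace` create with no `exclude`, so the hard-coded `4` CPU / `16Gi` quota will also be generated into namespaces created by operators or cluster components, and with `synchronize: true` Kyverno will reapply it if an administrator relaxes it by hand; add an `exclude` for such namespaces (or match on a tenant label) before relying on this as a default. The `generate-limitrange` rule's `data` block starts at the end of this hunk and continues in the next one.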
@@ -52,4 +46,15 @@ spec: defaultRequest: cpu: 200m memory: 256Mi - type: Container \ No newline at end of file + type: Container + kind: LimitRange + name: default-limitrange + namespace: '{{request.object.metadata.name}}' + synchronize: true + match: + any: + - resources: + kinds: + - Namespace + name: generate-limitrange + validationFailureAction: Audit diff --git a/test/cli/test-generate/sync-secrets/policy.yaml b/test/cli/test-generate/sync-secrets/policy.yaml index 2357ace270..6b86f808a9 100644 --- a/test/cli/test-generate/sync-secrets/policy.yaml +++ b/test/cli/test-generate/sync-secrets/policy.yaml 
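Review bot: `validationFailureAction: Audit` appended at the end of `spec` only governs validate rules; this policy has only generate rules, so the line is inert and could be dropped. The `generate-limitrange` rule whose `data` block this hunk completes begins in the previous hunk. As with the quota rule, `synchronize: true` means in-namespace edits to the LimitRange are reverted, which deserves a comment such as `# synchronize: Kyverno restores the generated LimitRange if it is edited or deleted`.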
@@ -1,31 +1,35 @@ +--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: sync-secrets annotations: - policies.kyverno.io/title: Sync Secrets policies.kyverno.io/category: Sample + policies.kyverno.io/description: 'Secrets like registry credentials often need + to exist in multiple Namespaces so Pods there have access. Manually duplicating + those Secrets is time consuming and error prone. This policy will copy a Secret + called `regcred` which exists in the `default` Namespace to new Namespaces when + they are created. It will also push updates to the copied Secrets should the + source Secret be changed. ' policies.kyverno.io/subject: Secret - policies.kyverno.io/description: >- - Secrets like registry credentials often need to exist in multiple - Namespaces so Pods there have access. Manually duplicating those Secrets - is time consuming and error prone. This policy will copy a - Secret called `regcred` which exists in the `default` Namespace to - new Namespaces when they are created. It will also push updates to - the copied Secrets should the source Secret be changed. + policies.kyverno.io/title: Sync Secrets + name: sync-secrets spec: + admission: true + background: true rules: - - name: sync-image-pull-secret - match: - resources: - kinds: - - Namespace - generate: + - generate: apiVersion: v1 + clone: + name: regcred + namespace: default kind: Secret name: regcred - namespace: "{{request.object.metadata.name}}" + namespace: '{{request.object.metadata.name}}' synchronize: true - clone: - namespace: default - name: regcred \ No newline at end of file + match: + any: + - resources: + kinds: + - Namespace + name: sync-image-pull-secret + validationFailureAction: Audit
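Review bot: The `sync-image-pull-secret` rule clones `default/regcred` into every newly created Namespace with no `exclude` or label selector, so any principal permitted to create a Namespace obtains a copy of the registry credential readable by anyone with `get secrets` there, and `synchronize: true` keeps pushing rotated values to all of them. Scope the match with a `selector` on namespace labels (or an `exclude` list for untrusted namespaces) and state the blast radius in the `policies.kyverno.io/description` annotation. `validationFailureAction: Audit` is inert on a generate-only policy and can be omitted.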