feat: add fix test cli command (#8213)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
deb200dfd6
commit
9f108b11cd
71 changed files with 1644 additions and 1217 deletions
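--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/fix/command.go
@@ -0,0 +1,21 @@
+package fix
+
+import (
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix/test"
+	"github.com/spf13/cobra"
+)
+
+func Command() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "fix",
+		Short:   "Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.",
+		Example: "",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+	cmd.AddCommand(
+		test.Command(),
+	)
+	return cmd
+}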
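Review bot: `Command` is exported but has no doc comment; `// Command returns the parent "fix" command, which only prints its help and hosts the "fix test" subcommand.` would cover it. `Example: ""` assigns the zero value and adds nothing to the generated help; drop the field until a real example exists, or fill it in (the `fix test` subcommand has the same empty field).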
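--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/fix/test/command.go
@@ -0,0 +1,95 @@
+package test
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+	"sigs.k8s.io/yaml"
+)
+
+func Command() *cobra.Command {
+	var fileName string
+	var save bool
+	cmd := &cobra.Command{
+		Use:     "test",
+		Short:   "Fix inconsistencies and deprecated usage in Kyverno test files.",
+		Example: "",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var testCases []testCase
+			for _, arg := range args {
+				tests, err := loadTests(arg, fileName)
+				if err != nil {
+					return err
+				}
+				testCases = append(testCases, tests...)
+			}
+			for _, testCase := range testCases {
+				fmt.Printf("Processing test file (%s)...", testCase.path)
+				fmt.Println()
+				if testCase.err != nil {
+					fmt.Printf(" ERROR: loading test file (%s): %s", testCase.path, testCase.err)
+					fmt.Println()
+					continue
+				}
+				test := testCase.test
+				needsSave := false
+				if test.Name == "" {
+					fmt.Println(" WARNING: name is not set")
+					test.Name = filepath.Base(testCase.path)
+					needsSave = true
+				}
+				if len(test.Policies) == 0 {
+					fmt.Println(" WARNING: test has no policies")
+				}
+				if len(test.Resources) == 0 {
+					fmt.Println(" WARNING: test has no policies")
+				}
+				for i := range test.Results {
+					result := &test.Results[i]
+					if result.Resource != "" && len(result.Resources) != 0 {
+						fmt.Println(" WARNING: test result should not use both `resource` and `resources` fields")
+					}
+					if result.Resource != "" {
+						fmt.Println(" WARNING: test result uses deprecated `resource` field, moving it into the `resources` field")
+						result.Resources = append(result.Resources, result.Resource)
+						result.Resource = ""
+						needsSave = true
+					}
+					if result.Status != "" && result.Result != "" {
+						fmt.Println(" ERROR: test result should not use both `status` and `result` fields")
+					}
+					if result.Status != "" && result.Result == "" {
+						fmt.Println(" WARNING: test result uses deprecated `status` field, moving it into the `result` field")
+						result.Result = result.Status
+						result.Status = ""
+						needsSave = true
+					}
+				}
+				if save && needsSave {
+					fmt.Printf(" Saving test file (%s)...", testCase.path)
+					fmt.Println()
+					yamlBytes, err := yaml.Marshal(test)
+					if err != nil {
+						fmt.Printf(" ERROR: converting test to yaml: %s", err)
+						fmt.Println()
+						continue
+					}
+					if err := os.WriteFile(testCase.path, yamlBytes, os.ModePerm); err != nil {
+						fmt.Printf(" ERROR: saving test file (%s): %s", testCase.path, err)
+						fmt.Println()
+						continue
+					}
+					fmt.Println(" OK")
+				}
+				fmt.Println()
+			}
+			fmt.Println("Done.")
+			return nil
+		},
+	}
+	cmd.Flags().StringVarP(&fileName, "file-name", "f", "kyverno-test.yaml", "Test filename")
+	cmd.Flags().BoolVar(&save, "save", false, "Save fixed file")
+	return cmd
+}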
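Review bot: The warning printed when `len(test.Resources) == 0` repeats the policies message, so the two conditions are indistinguishable in the output; the second branch should read `fmt.Println(" WARNING: test has no resources")`. The save path calls `os.WriteFile(testCase.path, yamlBytes, os.ModePerm)`: the file already exists here (it was just read) so the mode is ignored on truncation, but a 0777 request is still the wrong default for a file the tool may one day create, and `0o600` (or the mode from an `os.Stat` of the original) is what gosec G306 expects. The `result.Status != "" && result.Result != ""` case is reported as an ERROR but neither skips the test case nor clears `needsSave`, so with `--save` the file is rewritten and reported `OK` while the conflicting fields are left in place; either `continue` past the save for that file or downgrade the message to a WARNING so it matches what the code actually does.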
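--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/fix/test/load.go
@@ -0,0 +1,61 @@
+package test
+
+import (
+	"os"
+	"path/filepath"
+
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
+	"k8s.io/apimachinery/pkg/util/yaml"
+)
+
+type testCase struct {
+	path string
+	test *api.Test
+	err  error
+}
+
+func loadTests(dirPath string, fileName string) ([]testCase, error) {
+	return loadLocalTest(filepath.Clean(dirPath), fileName)
+}
+
+func loadLocalTest(path string, fileName string) ([]testCase, error) {
+	var tests []testCase
+	files, err := os.ReadDir(path)
+	if err != nil {
+		return nil, err
+	}
+	for _, file := range files {
+		if file.IsDir() {
+			ps, err := loadLocalTest(filepath.Join(path, file.Name()), fileName)
+			if err != nil {
+				return nil, err
+			}
+			tests = append(tests, ps...)
+		} else if file.Name() == fileName {
+			tests = append(tests, loadTest(path, file.Name()))
+		}
+	}
+	return tests, nil
+}
+
+func loadTest(dirPath string, fileName string) testCase {
+	path := filepath.Join(dirPath, fileName)
+	yamlBytes, err := os.ReadFile(path) // #nosec G304
+	if err != nil {
+		return testCase{
+			path: path,
+			err:  err,
+		}
+	}
+	var test api.Test
+	if err := yaml.UnmarshalStrict(yamlBytes, &test); err != nil {
+		return testCase{
+			path: path,
+			err:  err,
+		}
+	}
+	return testCase{
+		path: path,
+		test: &test,
+	}
+}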
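Review bot: `testCase` has a two-state contract that nothing documents: `loadTest` returns either `test` set and `err` nil, or `err` set and `test` nil, and the caller is expected to check `err` first. A type comment such as `// testCase is the outcome of loading one test file: test is set on success, otherwise err records why the file could not be read or parsed and test is nil.` would make that explicit. `loadLocalTest` also mixes two error channels worth a comment: a directory that cannot be listed aborts the whole walk via the returned error, while a per-file read or parse failure is recorded in the returned `testCase` and reported later. It is also worth stating that the walk uses `DirEntry.IsDir()`, which is false for a symbolic link to a directory, so symlinked directories are neither followed nor reported.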
@ -9,6 +9,7 @@ import (
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apply"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apply"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/create"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/create"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/docs"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/docs"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/fix"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/jp"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/jp"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/oci"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/oci"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test"
@ -58,6 +59,9 @@ func registerCommands(cli *cobra.Command) {
version.Command(),
version.Command(),
)
)
if enableExperimental() {
if enableExperimental() {
cli.AddCommand(oci.Command())
cli.AddCommand(
fix.Command(),
oci.Command(),
)
}
}
}
}
@ -10,10 +10,10 @@ type Test struct {
Name string `json:"name"`
Name string `json:"name"`
Policies []string `json:"policies"`
Policies []string `json:"policies"`
Resources []string `json:"resources"`
Resources []string `json:"resources"`
Variables string `json:"variables"`
Variables string `json:"variables,omitempty"`
UserInfo string `json:"userinfo"`
UserInfo string `json:"userinfo,omitempty"`
Results []TestResults `json:"results"`
Results []TestResults `json:"results"`
Values *Values `json:"values"`
Values *Values `json:"values,omitempty"`
}
}
type TestResults struct {
type TestResults struct {
@ -26,33 +26,33 @@ type TestResults struct {
// IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
// IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
// It's required in case policy is a validating admission policy.
// It's required in case policy is a validating admission policy.
// +optional
// +optional
IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy"`
IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy,omitempty"`
// Result mentions the result that the user is expecting.
// Result mentions the result that the user is expecting.
// Possible values are pass, fail and skip.
// Possible values are pass, fail and skip.
Result policyreportv1alpha2.PolicyResult `json:"result"`
Result policyreportv1alpha2.PolicyResult `json:"result"`
// Status mentions the status that the user is expecting.
// Status mentions the status that the user is expecting.
// Possible values are pass, fail and skip.
// Possible values are pass, fail and skip.
Status policyreportv1alpha2.PolicyResult `json:"status"`
Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"`
// Resource mentions the name of the resource on which the policy is to be applied.
// Resource mentions the name of the resource on which the policy is to be applied.
Resource string `json:"resource"`
Resource string `json:"resource,omitempty"`
// Resources gives us the list of resources on which the policy is going to be applied.
// Resources gives us the list of resources on which the policy is going to be applied.
Resources []string `json:"resources"`
Resources []string `json:"resources"`
// Kind mentions the kind of the resource on which the policy is to be applied.
// Kind mentions the kind of the resource on which the policy is to be applied.
Kind string `json:"kind"`
Kind string `json:"kind"`
// Namespace mentions the namespace of the policy which has namespace scope.
// Namespace mentions the namespace of the policy which has namespace scope.
Namespace string `json:"namespace"`
Namespace string `json:"namespace,omitempty"`
// PatchedResource takes a resource configuration file in yaml format from
// PatchedResource takes a resource configuration file in yaml format from
// the user to compare it against the Kyverno mutated resource configuration.
// the user to compare it against the Kyverno mutated resource configuration.
PatchedResource string `json:"patchedResource"`
PatchedResource string `json:"patchedResource,omitempty"`
// AutoGeneratedRule is internally set by the CLI command. It takes values either
// autogen or autogen-cronjob.
AutoGeneratedRule string `json:"auto_generated_rule"`
// GeneratedResource takes a resource configuration file in yaml format from
|
// the user to compare it against the Kyverno generated resource configuration.
|
GeneratedResource string `json:"generatedResource"`
|
// CloneSourceResource takes the resource configuration file in yaml format
|
// from the user which is meant to be cloned by the generate rule.
|
CloneSourceResource string `json:"cloneSourceResource"`
|
// AutoGeneratedRule is internally set by the CLI command. It takes values either
// autogen or autogen-cronjob.
AutoGeneratedRule string `json:"auto_generated_rule,omitempty"`
}
}
type ReportResult struct {
type ReportResult struct {
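Review bot: `Status` and `Resource` are the fields the new `fix test` command treats as deprecated and migrates into `Result` and `Resources`, yet their doc comments in the `@ -26,33 +26,33 @@` hunk still present them as first-class options. Add `// Deprecated: use Result instead.` as its own line above `Status` and `// Deprecated: use Resources instead.` above `Resource`, so the deprecation is surfaced by `go vet`/IDE tooling and in the generated CLI docs rather than only at fix time. The `type TestResults struct {` line itself sits in the trailing context of the previous hunk; the struct's closing brace is inside this one.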
@ -31,6 +31,7 @@ To enable experimental commands, KYVERNO_EXPERIMENTAL should be configured with
* [kyverno completion](kyverno_completion.md) - Generate the autocompletion script for the specified shell
* [kyverno completion](kyverno_completion.md) - Generate the autocompletion script for the specified shell
* [kyverno create](kyverno_create.md) - Provides a command-line interface to help with the creation of various Kyverno resources.
* [kyverno create](kyverno_create.md) - Provides a command-line interface to help with the creation of various Kyverno resources.
* [kyverno docs](kyverno_docs.md) - Generates documentation.
* [kyverno docs](kyverno_docs.md) - Generates documentation.
* [kyverno fix](kyverno_fix.md) - Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.
* [kyverno jp](kyverno_jp.md) - Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.
* [kyverno jp](kyverno_jp.md) - Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions.
* [kyverno oci](kyverno_oci.md) - Pulls/pushes images that include policie(s) from/to OCI registries.
* [kyverno oci](kyverno_oci.md) - Pulls/pushes images that include policie(s) from/to OCI registries.
* [kyverno test](kyverno_test.md) - Run tests from directory.
* [kyverno test](kyverno_test.md) - Run tests from directory.
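--- /dev/null
+++ b/docs/user/cli/kyverno_fix.md
@@ -0,0 +1,37 @@
+## kyverno fix
+
+Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.
+
+```
+kyverno fix [flags]
+```
+
+### Options
+
+```
+-h, --help help for fix
+```
+
+### Options inherited from parent commands
+
+```
+--add_dir_header If true, adds the file directory to the header of the log messages
+--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true)
+--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
+--log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true)
+--log_file string If non-empty, use this log file (no effect when -logtostderr=true)
+--log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+--logtostderr log to standard error instead of files (default true)
+--one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
+--skip_headers If true, avoid header prefixes in the log messages
+--skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true)
+--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
+-v, --v Level number for the log level verbosity
+--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+
+* [kyverno](kyverno.md) - Kubernetes Native Policy Management
+* [kyverno fix test](kyverno_fix_test.md) - Fix inconsistencies and deprecated usage in Kyverno test files.
+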
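--- /dev/null
+++ b/docs/user/cli/kyverno_fix_test.md
@@ -0,0 +1,38 @@
+## kyverno fix test
+
+Fix inconsistencies and deprecated usage in Kyverno test files.
+
+```
+kyverno fix test [flags]
+```
+
+### Options
+
+```
+-f, --file-name string Test filename (default "kyverno-test.yaml")
+-h, --help help for test
+--save Save fixed file
+```
+
+### Options inherited from parent commands
+
+```
+--add_dir_header If true, adds the file directory to the header of the log messages
+--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true)
+--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
+--log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true)
+--log_file string If non-empty, use this log file (no effect when -logtostderr=true)
+--log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+--logtostderr log to standard error instead of files (default true)
+--one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
+--skip_headers If true, avoid header prefixes in the log messages
+--skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true)
+--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
+-v, --v Level number for the log level verbosity
+--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
+```
+
+### SEE ALSO
+
+* [kyverno fix](kyverno_fix.md) - Provides a command-line interface to fix inconsistencies and deprecated usage of Kyverno resources.
+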
@ -1,21 +1,24 @@
|
||||||
name: test-registry
|
name: test-registry
|
||||||
policies:
|
policies:
|
||||||
- image-example.yaml
|
- image-example.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: images
|
- kind: Pod
|
||||||
rule: only-allow-trusted-images
|
policy: images
|
||||||
resource: test-pod-with-non-root-user-image
|
resources:
|
||||||
kind: Pod
|
- test-pod-with-non-root-user-image
|
||||||
status: pass
|
result: pass
|
||||||
- policy: images
|
rule: only-allow-trusted-images
|
||||||
rule: only-allow-trusted-images
|
- kind: Pod
|
||||||
resource: test-pod-with-trusted-registry
|
policy: images
|
||||||
kind: Pod
|
resources:
|
||||||
status: pass
|
- test-pod-with-trusted-registry
|
||||||
- policy: check-image-base
|
result: pass
|
||||||
rule: check-image-base-rule
|
rule: only-allow-trusted-images
|
||||||
resource: test-pod-with-trusted-registry
|
- kind: Pod
|
||||||
kind: Pod
|
policy: check-image-base
|
||||||
status: pass
|
resources:
|
||||||
|
- test-pod-with-trusted-registry
|
||||||
|
result: pass
|
||||||
|
rule: check-image-base-rule
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
name: policy-endpoints
|
name: policy-endpoints
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: policy-endpoints
|
- kind: Endpoints
|
||||||
rule: pEP
|
patchedResource: patchedresource.yaml
|
||||||
resource: test-endpoint
|
policy: policy-endpoints
|
||||||
patchedresource: patchedresource.yaml
|
resources:
|
||||||
kind: Endpoints
|
- test-endpoint
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: pEP
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
name: mutate-pods-spec
|
name: mutate-pods-spec
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: mutate-pods-spec
|
- kind: Deployment
|
||||||
rule: disable-servicelink-and-token
|
patchedResource: patchedresource.yaml
|
||||||
resource: nginx-deployment
|
policy: mutate-pods-spec
|
||||||
patchedresource: patchedresource.yaml
|
resources:
|
||||||
kind: Deployment
|
- nginx-deployment
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: disable-servicelink-and-token
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: validate-default-proc-mount
|
name: validate-default-proc-mount
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: validate-default-proc-mount
|
- kind: Pod
|
||||||
rule: validate-default-proc-mount
|
policy: validate-default-proc-mount
|
||||||
resource: nginx-proc-mount
|
resources:
|
||||||
kind: Pod
|
- nginx-proc-mount
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: validate-default-proc-mount
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: validate-disallow-default-serviceaccount
|
name: validate-disallow-default-serviceaccount
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: validate-disallow-default-serviceaccount
|
- kind: Pod
|
||||||
rule: prevent-mounting-default-serviceaccount
|
policy: validate-disallow-default-serviceaccount
|
||||||
resource: pod-with-default-sa
|
resources:
|
||||||
kind: Pod
|
- pod-with-default-sa
|
||||||
result: fail
|
result: fail
|
||||||
|
rule: prevent-mounting-default-serviceaccount
|
||||||
|
|
|
@ -1,16 +1,18 @@
|
||||||
name: check-probe-exists
|
name: check-probe-exists
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: check-probe-exists
|
- kind: Pod
|
||||||
rule: check-readinessProbe-exists
|
policy: check-probe-exists
|
||||||
resource: probe
|
resources:
|
||||||
kind: Pod
|
- probe
|
||||||
result: pass
|
result: pass
|
||||||
- policy: check-probe-exists
|
rule: check-readinessProbe-exists
|
||||||
rule: check-livenessProbe-exists
|
- kind: Pod
|
||||||
resource: probe
|
policy: check-probe-exists
|
||||||
kind: Pod
|
resources:
|
||||||
result: pass
|
- probe
|
||||||
|
result: pass
|
||||||
|
rule: check-livenessProbe-exists
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: validate-selinux-options
|
name: validate-selinux-options
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: validate-selinux-options
|
- kind: Pod
|
||||||
rule: validate-selinux-options
|
policy: validate-selinux-options
|
||||||
resource: busybox-selinux
|
resources:
|
||||||
kind: Pod
|
- busybox-selinux
|
||||||
result: fail
|
result: fail
|
||||||
|
rule: validate-selinux-options
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: validate-volumes-whitelist
|
name: validate-volumes-whitelist
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: validate-volumes-whitelist
|
- kind: Pod
|
||||||
rule: validate-volumes-whitelist
|
policy: validate-volumes-whitelist
|
||||||
resource: test-volumes
|
resources:
|
||||||
kind: Pod
|
- test-volumes
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: validate-volumes-whitelist
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: restrict-ingress-classes
|
name: restrict-ingress-classes
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: restrict-ingress-classes
|
- kind: Ingress
|
||||||
rule: validate-ingress
|
policy: restrict-ingress-classes
|
||||||
resource: test-ingress
|
resources:
|
||||||
kind: Ingress
|
- test-ingress
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: validate-ingress
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: test-exclude
|
name: test-exclude
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: restrict-labels
|
- kind: Namespace
|
||||||
rule: restrict-labels
|
policy: restrict-labels
|
||||||
resource: kyverno-system-tst
|
resources:
|
||||||
kind: Namespace
|
- kyverno-system-tst
|
||||||
result: fail
|
result: fail
|
||||||
|
rule: restrict-labels
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: test-simple
|
name: test-simple
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: missing
|
- kind: Pod
|
||||||
rule: validate-image-tag
|
policy: missing
|
||||||
resource: test
|
resources:
|
||||||
kind: Pod
|
- test
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: validate-image-tag
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: test-simple
|
name: test-simple
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: disallow-latest-tag
|
- kind: Pod
|
||||||
rule: validate-image-tag
|
policy: disallow-latest-tag
|
||||||
resource: missing
|
resources:
|
||||||
kind: Pod
|
- missing
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: validate-image-tag
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: test-simple
|
name: test-simple
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: disallow-latest-tag
|
- kind: Pod
|
||||||
rule: missing
|
policy: disallow-latest-tag
|
||||||
resource: test
|
resources:
|
||||||
kind: Pod
|
- test
|
||||||
status: pass
|
result: pass
|
||||||
|
rule: missing
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
name: deny-all-traffic
|
name: deny-all-traffic
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: add-networkpolicy
|
- generatedResource: generatedResource.yaml
|
||||||
rule: default-deny
|
kind: Namespace
|
||||||
resource: hello-world-namespace
|
policy: add-networkpolicy
|
||||||
generatedResource: generatedResource.yaml
|
resources:
|
||||||
kind: Namespace
|
- hello-world-namespace
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: default-deny
|
||||||
|
|
|
@ -1,18 +1,20 @@
|
||||||
name: add-quota
|
name: add-quota
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: add-ns-quota
|
- generatedResource: generatedResourceQuota.yaml
|
||||||
rule: generate-resourcequota
|
kind: Namespace
|
||||||
resource: hello-world-namespace
|
policy: add-ns-quota
|
||||||
generatedResource: generatedResourceQuota.yaml
|
resources:
|
||||||
kind: Namespace
|
- hello-world-namespace
|
||||||
result: pass
|
result: pass
|
||||||
- policy: add-ns-quota
|
rule: generate-resourcequota
|
||||||
rule: generate-limitrange
|
- generatedResource: generatedLimitRange.yaml
|
||||||
resource: hello-world-namespace
|
kind: Namespace
|
||||||
generatedResource: generatedLimitRange.yaml
|
policy: add-ns-quota
|
||||||
kind: Namespace
|
resources:
|
||||||
result: pass
|
- hello-world-namespace
|
||||||
|
result: pass
|
||||||
|
rule: generate-limitrange
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
name: pdb-test
|
name: pdb-test
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: create-default-pdb
|
- generatedResource: generatedResource.yaml
|
||||||
rule: create-default-pdb
|
kind: Deployment
|
||||||
resource: nginx-deployment
|
namespace: hello-world
|
||||||
generatedResource: generatedResource.yaml
|
policy: create-default-pdb
|
||||||
kind: Deployment
|
resources:
|
||||||
result: pass
|
- nginx-deployment
|
||||||
namespace: hello-world
|
result: pass
|
||||||
|
rule: create-default-pdb
|
||||||
|
|
|
@ -1,18 +1,20 @@
|
||||||
name: multiple-resources
|
name: multiple-resources
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: test-policy
|
- generatedResource: generated-resource-1.yaml
|
||||||
rule: rule
|
kind: Deployment
|
||||||
resource: resource-a
|
policy: test-policy
|
||||||
generatedResource: generated-resource-1.yaml
|
resources:
|
||||||
kind: Deployment
|
- resource-a
|
||||||
result: pass
|
result: pass
|
||||||
- policy: test-policy
|
rule: rule
|
||||||
rule: rule
|
- generatedResource: generated-resource-2.yaml
|
||||||
resource: resource-b
|
kind: Deployment
|
||||||
generatedResource: generated-resource-2.yaml
|
policy: test-policy
|
||||||
kind: Deployment
|
resources:
|
||||||
result: pass
|
- resource-b
|
||||||
|
result: pass
|
||||||
|
rule: rule
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
name: sync-secrets
|
name: sync-secrets
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: sync-secrets
|
- cloneSourceResource: cloneSourceResource.yaml
|
||||||
rule: sync-image-pull-secret
|
generatedResource: generatedResource.yaml
|
||||||
resource: hello-world-namespace
|
kind: Namespace
|
||||||
generatedResource: generatedResource.yaml
|
policy: sync-secrets
|
||||||
cloneSourceResource: cloneSourceResource.yaml
|
resources:
|
||||||
kind: Namespace
|
- hello-world-namespace
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: sync-image-pull-secret
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
name: foreach-mutate
|
name: foreach-mutate
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: mutate-emptydir
|
- kind: Deployment
|
||||||
rule: setDefault
|
patchedResource: deploy-patched.yaml
|
||||||
resource: svc-sizelimit-test
|
policy: mutate-emptydir
|
||||||
patchedResource: deploy-patched.yaml
|
resources:
|
||||||
kind: Deployment
|
- svc-sizelimit-test
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: setDefault
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
name: foreach-mutate
|
name: foreach-mutate
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: add-default-resources
|
- kind: Pod
|
||||||
rule: add-default-requests
|
patchedResource: patched.yaml
|
||||||
resource: badpod
|
policy: add-default-resources
|
||||||
patchedResource: patched.yaml
|
resources:
|
||||||
kind: Pod
|
- badpod
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: add-default-requests
|
||||||
|
|
|
@ -1,19 +1,21 @@
|
||||||
name: foreach-mutate
|
name: foreach-mutate
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
variables: values.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: foreach-json-patch
|
- kind: Pod
|
||||||
rule: add-security-context
|
patchedResource: patched-resource.yaml
|
||||||
resource: nginx
|
policy: foreach-json-patch
|
||||||
patchedResource: patched-resource.yaml
|
resources:
|
||||||
kind: Pod
|
- nginx
|
||||||
result: pass
|
result: pass
|
||||||
- policy: mutate-images
|
rule: add-security-context
|
||||||
rule: test
|
- kind: Pod
|
||||||
resource: mypod
|
patchedResource: pod-updated-image.yaml
|
||||||
patchedResource: pod-updated-image.yaml
|
policy: mutate-images
|
||||||
kind: Pod
|
resources:
|
||||||
result: pass
|
- mypod
|
||||||
|
result: pass
|
||||||
|
rule: test
|
||||||
|
variables: values.yaml
|
||||||
|
|
|
@ -1,12 +1,13 @@
|
||||||
name: foreach-mutate
|
name: foreach-mutate
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: replace-image-registry-containers
|
- kind: Pod
|
||||||
rule: set-default
|
patchedResource: pod-patched.yaml
|
||||||
resource: test-patched-image
|
policy: replace-image-registry-containers
|
||||||
patchedResource: pod-patched.yaml
|
resources:
|
||||||
kind: Pod
|
- test-patched-image
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: set-default
|
||||||
|
|
|
@ -1,28 +1,32 @@
|
||||||
name: validate-service-loadbalancer
|
name: validate-service-loadbalancer
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: add-safe-to-evict
|
- kind: Pod
|
||||||
rule: annotate-empty-dir
|
policy: add-safe-to-evict
|
||||||
resource: pod-without-emptydir-hostpath
|
resources:
|
||||||
kind: Pod
|
- pod-without-emptydir-hostpath
|
||||||
result: skip
|
result: skip
|
||||||
- policy: add-safe-to-evict
|
rule: annotate-empty-dir
|
||||||
rule: annotate-empty-dir
|
- kind: Pod
|
||||||
resource: pod-with-emptydir-hostpath
|
patchedResource: patchedResource.yaml
|
||||||
patchedResource: patchedResource.yaml
|
policy: add-safe-to-evict
|
||||||
kind: Pod
|
resources:
|
||||||
result: pass
|
- pod-with-emptydir-hostpath
|
||||||
- policy: add-safe-to-evict
|
result: pass
|
||||||
rule: annotate-empty-dir
|
rule: annotate-empty-dir
|
||||||
resource: pod-with-emptydir-hostpath-1
|
- kind: Pod
|
||||||
patchedResource: patchedResourceWithVolume.yaml
|
patchedResource: patchedResourceWithVolume.yaml
|
||||||
kind: Pod
|
policy: add-safe-to-evict
|
||||||
result: pass
|
resources:
|
||||||
- policy: add-safe-to-evict
|
- pod-with-emptydir-hostpath-1
|
||||||
rule: annotate-empty-dir
|
result: pass
|
||||||
resource: pod-without-emptydir-hostpath-1
|
rule: annotate-empty-dir
|
||||||
kind: Pod
|
- kind: Pod
|
||||||
result: skip
|
policy: add-safe-to-evict
|
||||||
|
resources:
|
||||||
|
- pod-without-emptydir-hostpath-1
|
||||||
|
result: skip
|
||||||
|
rule: annotate-empty-dir
|
||||||
|
|
|
@ -1,90 +1,103 @@
|
||||||
name: add-nodeselector
|
name: add-nodeselector
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: add-label
|
- kind: Pod
|
||||||
rule: add-label
|
namespace: practice
|
||||||
resource: resource-equal-to-patch-res-for-cp
|
patchedResource: patchedResource1.yaml
|
||||||
patchedResource: patchedResource1.yaml
|
policy: add-label
|
||||||
kind: Pod
|
resources:
|
||||||
namespace: practice
|
- resource-equal-to-patch-res-for-cp
|
||||||
result: skip
|
result: skip
|
||||||
- policy: add-label
|
rule: add-label
|
||||||
rule: add-label
|
- kind: Pod
|
||||||
resource: same-name-but-diff-namespace
|
namespace: testing
|
||||||
patchedResource: patchedResource2.yaml
|
patchedResource: patchedResource2.yaml
|
||||||
kind: Pod
|
policy: add-label
|
||||||
namespace: testing
|
resources:
|
||||||
result: pass
|
- same-name-but-diff-namespace
|
||||||
- policy: add-label
|
result: pass
|
||||||
rule: add-label
|
rule: add-label
|
||||||
resource: same-name-but-diff-namespace
|
- kind: Pod
|
||||||
patchedResource: patchedResource3.yaml
|
namespace: production
|
||||||
kind: Pod
|
patchedResource: patchedResource3.yaml
|
||||||
namespace: production
|
policy: add-label
|
||||||
result: pass
|
resources:
|
||||||
- policy: add-label
|
- same-name-but-diff-namespace
|
||||||
rule: add-label
|
result: pass
|
||||||
resource: mydeploy
|
rule: add-label
|
||||||
patchedResource: patchedResource4.yaml
|
- kind: Deployment
|
||||||
kind: Deployment
|
patchedResource: patchedResource4.yaml
|
||||||
result: pass
|
policy: add-label
|
||||||
- policy: add-label
|
resources:
|
||||||
rule: add-label
|
- mydeploy
|
||||||
resource: same-name-but-diff-kind
|
result: pass
|
||||||
patchedResource: patchedResource5.yaml
|
rule: add-label
|
||||||
kind: Service
|
- kind: Service
|
||||||
result: skip
|
patchedResource: patchedResource5.yaml
|
||||||
- policy: add-label
|
policy: add-label
|
||||||
rule: add-label
|
resources:
|
||||||
resource: same-name-but-diff-kind
|
- same-name-but-diff-kind
|
||||||
patchedResource: patchedResource6.yaml
|
result: skip
|
||||||
kind: Pod
|
rule: add-label
|
||||||
result: pass
|
- kind: Pod
|
||||||
- policy: add-ndots
|
patchedResource: patchedResource6.yaml
|
||||||
rule: add-ndots
|
policy: add-label
|
||||||
resource: resource-equal-to-patch-res-for-cp
|
resources:
|
||||||
namespace: practice
|
- same-name-but-diff-kind
|
||||||
patchedResource: patchedResource7.yaml
|
result: pass
|
||||||
kind: Pod
|
rule: add-label
|
||||||
result: skip
|
- kind: Pod
|
||||||
- policy: add-ndots
|
namespace: practice
|
||||||
rule: add-ndots
|
patchedResource: patchedResource7.yaml
|
||||||
resource: same-name-but-diff-namespace
|
policy: add-ndots
|
||||||
patchedResource: patchedResource8.yaml
|
resources:
|
||||||
namespace: testing
|
- resource-equal-to-patch-res-for-cp
|
||||||
kind: Pod
|
result: skip
|
||||||
result: pass
|
rule: add-ndots
|
||||||
- policy: add-ndots
|
- kind: Pod
|
||||||
rule: add-ndots
|
namespace: testing
|
||||||
resource: same-name-but-diff-namespace
|
patchedResource: patchedResource8.yaml
|
||||||
patchedResource: patchedResource9.yaml
|
policy: add-ndots
|
||||||
kind: Pod
|
resources:
|
||||||
namespace: production
|
- same-name-but-diff-namespace
|
||||||
result: skip
|
result: pass
|
||||||
- policy: add-ndots
|
rule: add-ndots
|
||||||
rule: add-ndots
|
- kind: Pod
|
||||||
resource: mydeploy
|
namespace: production
|
||||||
patchedResource: patchedResource10.yaml
|
patchedResource: patchedResource9.yaml
|
||||||
kind: Deployment
|
policy: add-ndots
|
||||||
result: skip
|
resources:
|
||||||
- policy: add-ndots
|
- same-name-but-diff-namespace
|
||||||
rule: add-ndots
|
result: skip
|
||||||
resource: same-name-but-diff-kind
|
rule: add-ndots
|
||||||
patchedResource: patchedResource5.yaml
|
- kind: Deployment
|
||||||
kind: Service
|
patchedResource: patchedResource10.yaml
|
||||||
result: skip
|
policy: add-ndots
|
||||||
- policy: add-ndots
|
resources:
|
||||||
rule: add-ndots
|
- mydeploy
|
||||||
resource: same-name-but-diff-kind
|
result: skip
|
||||||
patchedResource: patchedResource11.yaml
|
rule: add-ndots
|
||||||
kind: Pod
|
- kind: Service
|
||||||
result: skip
|
patchedResource: patchedResource5.yaml
|
||||||
- policy: example
|
policy: add-ndots
|
||||||
rule: object_from_lists
|
resources:
|
||||||
resource: example
|
- same-name-but-diff-kind
|
||||||
patchedResource: patched-resource.yaml
|
result: skip
|
||||||
kind: Pod
|
rule: add-ndots
|
||||||
result: pass
|
- kind: Pod
|
||||||
|
patchedResource: patchedResource11.yaml
|
||||||
|
policy: add-ndots
|
||||||
|
resources:
|
||||||
|
- same-name-but-diff-kind
|
||||||
|
result: skip
|
||||||
|
rule: add-ndots
|
||||||
|
- kind: Pod
|
||||||
|
patchedResource: patched-resource.yaml
|
||||||
|
policy: example
|
||||||
|
resources:
|
||||||
|
- example
|
||||||
|
result: pass
|
||||||
|
rule: object_from_lists
|
||||||
|
|
|
@ -1,20 +1,25 @@
|
||||||
name: add-default-resources-test
|
name: add-default-resources-test
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
variables: variables.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: add-default-resources
|
- kind: Pod
|
||||||
rule: add-default-requests
|
patchedResource: patched-resource.yaml
|
||||||
resource: nginx-demo
|
policy: add-default-resources
|
||||||
patchedResource: patched-resource.yaml
|
resources:
|
||||||
kind: Pod
|
- nginx-demo
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: add-default-requests
|
||||||
values:
|
values:
|
||||||
|
globalValues: null
|
||||||
|
namespaceSelector: null
|
||||||
policies:
|
policies:
|
||||||
- name: add-default-resources
|
- name: add-default-resources
|
||||||
resources:
|
resources:
|
||||||
- name: nginx-demo
|
- name: nginx-demo
|
||||||
values:
|
values:
|
||||||
request.operation: CREATE
|
request.operation: CREATE
|
||||||
|
rules: null
|
||||||
|
subresources: null
|
||||||
|
variables: variables.yaml
|
||||||
|
|
|
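Review bot: The rewritten `values:` block now carries `globalValues: null`, `namespaceSelector: null`, `rules: null` and `subresources: null`, none of which the original fixture stated; they look like zero-valued fields of the Go struct being serialized without `omitempty` rather than anything this test needs. The same noise appears in the deny-exec-by-pod-label hunk (`resources: null`, `foreachValues: null`, `verbs: null`, `singularName: ""`). It inflates every fixture diff and can mislead a reader into thinking these keys are required. I would drop the null entries from the fixture and have the writer omit empty fields (the fix command itself is outside this hunk).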
@ -1,38 +1,43 @@
|
||||||
name: admission-user-info
|
name: admission-user-info
|
||||||
policies:
|
policies:
|
||||||
- disallow_latest_tag.yaml
|
- disallow_latest_tag.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
userinfo: user_info.yaml
|
|
||||||
|
|
||||||
results:
|
results:
|
||||||
- policy: disallow-latest-tag
|
- kind: Pod
|
||||||
rule: require-image-tag
|
policy: disallow-latest-tag
|
||||||
resource: myapp-pod1
|
resources:
|
||||||
kind: Pod
|
- myapp-pod1
|
||||||
result: pass
|
result: pass
|
||||||
- policy: disallow-latest-tag
|
rule: require-image-tag
|
||||||
rule: require-image-tag
|
- kind: Pod
|
||||||
resource: myapp-pod2
|
policy: disallow-latest-tag
|
||||||
kind: Pod
|
resources:
|
||||||
result: pass
|
- myapp-pod2
|
||||||
- policy: disallow-latest-tag
|
result: pass
|
||||||
rule: require-image-tag
|
rule: require-image-tag
|
||||||
resource: myapp-pod3
|
- kind: Pod
|
||||||
kind: Pod
|
policy: disallow-latest-tag
|
||||||
result: pass
|
resources:
|
||||||
- policy: disallow-latest-tag
|
- myapp-pod3
|
||||||
rule: validate-image-tag
|
result: pass
|
||||||
resource: myapp-pod1
|
rule: require-image-tag
|
||||||
kind: Pod
|
- kind: Pod
|
||||||
result: pass
|
policy: disallow-latest-tag
|
||||||
- policy: disallow-latest-tag
|
resources:
|
||||||
rule: validate-image-tag
|
- myapp-pod1
|
||||||
resource: myapp-pod2
|
result: pass
|
||||||
kind: Pod
|
rule: validate-image-tag
|
||||||
result: pass
|
- kind: Pod
|
||||||
- policy: disallow-latest-tag
|
policy: disallow-latest-tag
|
||||||
rule: validate-image-tag
|
resources:
|
||||||
resource: myapp-pod3
|
- myapp-pod2
|
||||||
kind: Pod
|
result: pass
|
||||||
result: pass
|
rule: validate-image-tag
|
||||||
|
- kind: Pod
|
||||||
|
policy: disallow-latest-tag
|
||||||
|
resources:
|
||||||
|
- myapp-pod3
|
||||||
|
result: pass
|
||||||
|
rule: validate-image-tag
|
||||||
|
userinfo: user_info.yaml
|
||||||
|
|
|
@ -1,24 +1,27 @@
|
||||||
name: disallow-protected-namespaces
|
name: disallow-protected-namespaces
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: disallow-protected-namespaces
|
- kind: Pod
|
||||||
rule: disallow
|
namespace: namespace1
|
||||||
resource: test1
|
policy: disallow-protected-namespaces
|
||||||
kind: Pod
|
resources:
|
||||||
namespace: namespace1
|
- test1
|
||||||
result: fail
|
result: fail
|
||||||
- policy: disallow-protected-namespaces
|
rule: disallow
|
||||||
rule: disallow
|
- kind: Pod
|
||||||
resource: test2
|
namespace: namespace2
|
||||||
kind: Pod
|
policy: disallow-protected-namespaces
|
||||||
namespace: namespace2
|
resources:
|
||||||
result: fail
|
- test2
|
||||||
- policy: disallow-protected-namespaces
|
result: fail
|
||||||
rule: disallow
|
rule: disallow
|
||||||
resource: test3
|
- kind: Pod
|
||||||
kind: Pod
|
namespace: namespace3
|
||||||
namespace: namespace3
|
policy: disallow-protected-namespaces
|
||||||
result: skip
|
resources:
|
||||||
|
- test3
|
||||||
|
result: skip
|
||||||
|
rule: disallow
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
---
|
|
||||||
name: enforce-pod-name
|
name: enforce-pod-name
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
variables: value.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: enforce-pod-name
|
- kind: Pod
|
||||||
rule: validate-name
|
namespace: test1
|
||||||
resource: test-nginx
|
policy: enforce-pod-name
|
||||||
kind: Pod
|
resources:
|
||||||
namespace: test1
|
- test-nginx
|
||||||
result: pass
|
result: pass
|
||||||
|
rule: validate-name
|
||||||
|
variables: value.yaml
|
||||||
|
|
|
@ -1,26 +1,30 @@
|
||||||
name: validate-service-loadbalancer
|
name: validate-service-loadbalancer
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: validate-service-loadbalancer
|
- kind: Service
|
||||||
rule: check-loadbalancer-public
|
policy: validate-service-loadbalancer
|
||||||
resource: service-public-pass
|
resources:
|
||||||
kind: Service
|
- service-public-pass
|
||||||
result: pass
|
result: pass
|
||||||
- policy: validate-service-loadbalancer
|
rule: check-loadbalancer-public
|
||||||
rule: check-loadbalancer-public
|
- kind: Service
|
||||||
resource: service-public-2-pass
|
policy: validate-service-loadbalancer
|
||||||
kind: Service
|
resources:
|
||||||
result: pass
|
- service-public-2-pass
|
||||||
- policy: validate-service-loadbalancer
|
result: pass
|
||||||
rule: check-loadbalancer-public
|
rule: check-loadbalancer-public
|
||||||
resource: service-public-fail
|
- kind: Service
|
||||||
kind: Service
|
policy: validate-service-loadbalancer
|
||||||
result: fail
|
resources:
|
||||||
- policy: validate-service-loadbalancer
|
- service-public-fail
|
||||||
rule: check-loadbalancer-public
|
result: fail
|
||||||
resource: service-clusterip-skip
|
rule: check-loadbalancer-public
|
||||||
kind: Service
|
- kind: Service
|
||||||
result: skip
|
policy: validate-service-loadbalancer
|
||||||
|
resources:
|
||||||
|
- service-clusterip-skip
|
||||||
|
result: skip
|
||||||
|
rule: check-loadbalancer-public
|
||||||
|
|
|
@ -1,60 +1,54 @@
|
||||||
|
name: kyverno-test.yaml
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
# TEST: Pod with Labels Should Pass
|
- kind: Pod
|
||||||
- policy: require-common-labels
|
policy: require-common-labels
|
||||||
rule: check-for-labels
|
resources:
|
||||||
|
- pod-with-labels
|
||||||
result: pass
|
result: pass
|
||||||
kind: Pod
|
|
||||||
resource: pod-with-labels
|
|
||||||
|
|
||||||
# TEST: Pod Missing Labels Should Fail
|
|
||||||
- policy: require-common-labels
|
|
||||||
rule: check-for-labels
|
rule: check-for-labels
|
||||||
|
- kind: Pod
|
||||||
|
policy: require-common-labels
|
||||||
|
resources:
|
||||||
|
- pod-missing-labels
|
||||||
result: fail
|
result: fail
|
||||||
kind: Pod
|
|
||||||
resource: pod-missing-labels
|
|
||||||
|
|
||||||
# TEST: Deployment with Labels Should Pass
|
|
||||||
- policy: require-common-labels
|
|
||||||
rule: check-for-labels
|
rule: check-for-labels
|
||||||
|
- kind: Deployment
|
||||||
|
policy: require-common-labels
|
||||||
|
resources:
|
||||||
|
- deployment-with-labels
|
||||||
result: pass
|
result: pass
|
||||||
kind: Deployment
|
|
||||||
resource: deployment-with-labels
|
|
||||||
|
|
||||||
# TEST: Deployment with Labels Should Fail
|
|
||||||
- policy: require-common-labels
|
|
||||||
rule: check-for-labels
|
rule: check-for-labels
|
||||||
|
- kind: Deployment
|
||||||
|
policy: require-common-labels
|
||||||
|
resources:
|
||||||
|
- deployment-missing-labels
|
||||||
result: fail
|
result: fail
|
||||||
kind: Deployment
|
|
||||||
resource: deployment-missing-labels
|
|
||||||
|
|
||||||
# TEST: StatefulSet with Labels Should Pass
|
|
||||||
- policy: require-common-labels
|
|
||||||
rule: check-for-labels
|
rule: check-for-labels
|
||||||
|
- kind: StatefulSet
|
||||||
|
policy: require-common-labels
|
||||||
|
resources:
|
||||||
|
- StatefulSet-with-labels
|
||||||
result: pass
|
result: pass
|
||||||
kind: StatefulSet
|
|
||||||
resource: StatefulSet-with-labels
|
|
||||||
|
|
||||||
# TEST: StatefulSet with Labels Should fail
|
|
||||||
- policy: require-common-labels
|
|
||||||
rule: check-for-labels
|
rule: check-for-labels
|
||||||
|
- kind: StatefulSet
|
||||||
|
policy: require-common-labels
|
||||||
|
resources:
|
||||||
|
- StatefulSet-without-labels
|
||||||
result: fail
|
result: fail
|
||||||
kind: StatefulSet
|
|
||||||
resource: StatefulSet-without-labels
|
|
||||||
|
|
||||||
# TEST: Cronjob with Labels Should pass
|
|
||||||
- policy: require-common-labels
|
|
||||||
rule: check-for-labels
|
rule: check-for-labels
|
||||||
|
- kind: CronJob
|
||||||
|
policy: require-common-labels
|
||||||
|
resources:
|
||||||
|
- cronjob-with-labels
|
||||||
result: pass
|
result: pass
|
||||||
kind: CronJob
|
|
||||||
resource: cronjob-with-labels
|
|
||||||
|
|
||||||
# TEST: Cronjob without Labels Should fail
|
|
||||||
- policy: require-common-labels
|
|
||||||
rule: check-for-labels
|
rule: check-for-labels
|
||||||
|
- kind: CronJob
|
||||||
|
policy: require-common-labels
|
||||||
|
resources:
|
||||||
|
- cronjob-without-labels
|
||||||
result: fail
|
result: fail
|
||||||
kind: CronJob
|
rule: check-for-labels
|
||||||
resource: cronjob-without-labels
|
|
||||||
|
|
|
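Review bot: The eight `# TEST: ...` comments that documented each result entry are gone on the new side, so the rewritten fixture loses its only per-case explanation (for example `# TEST: Pod with Labels Should Pass` above the `pod-with-labels` entry). Presumably the rewrite round-trips the file through a struct, which cannot preserve comments. Unless the fix command is meant to strip comments, I would restore them by hand here, or at least state in the command's help text that comments are discarded. The new `name: kyverno-test.yaml` also appears to have been defaulted from the file name; a descriptive name such as `name: require-common-labels` would read better.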
@ -1,16 +1,18 @@
|
||||||
name: test-image-verify-signature
|
name: test-image-verify-signature
|
||||||
policies:
|
policies:
|
||||||
- policy.yml
|
- policy.yml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: check-image
|
- kind: Pod
|
||||||
rule: verify-signature
|
policy: check-image
|
||||||
resource: signed-first
|
resources:
|
||||||
kind: Pod
|
- signed-first
|
||||||
status: fail
|
result: fail
|
||||||
- policy: check-image
|
rule: verify-signature
|
||||||
rule: verify-signature
|
- kind: Pod
|
||||||
resource: unsigned-first
|
policy: check-image
|
||||||
kind: Pod
|
resources:
|
||||||
status: fail
|
- unsigned-first
|
||||||
|
result: fail
|
||||||
|
rule: verify-signature
|
||||||
|
|
|
@ -1,61 +1,72 @@
|
||||||
name: test-context-entries
|
name: test-context-entries
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: example
|
- kind: Pod
|
||||||
rule: defined-value
|
policy: example
|
||||||
resource: example
|
resources:
|
||||||
kind: Pod
|
- example
|
||||||
result: pass
|
result: pass
|
||||||
- policy: example
|
rule: defined-value
|
||||||
rule: defined-jmespath
|
- kind: Pod
|
||||||
resource: example
|
policy: example
|
||||||
kind: Pod
|
resources:
|
||||||
result: pass
|
- example
|
||||||
- policy: example
|
result: pass
|
||||||
rule: defined-jmespath-with-default
|
rule: defined-jmespath
|
||||||
resource: example
|
- kind: Pod
|
||||||
kind: Pod
|
policy: example
|
||||||
result: pass
|
resources:
|
||||||
- policy: example
|
- example
|
||||||
rule: defined-value-with-variable
|
result: pass
|
||||||
resource: example
|
rule: defined-jmespath-with-default
|
||||||
kind: Pod
|
- kind: Pod
|
||||||
result: pass
|
policy: example
|
||||||
- policy: example
|
resources:
|
||||||
rule: defined-jmespath-with-default-variable
|
- example
|
||||||
resource: example
|
result: pass
|
||||||
kind: Pod
|
rule: defined-value-with-variable
|
||||||
result: pass
|
- kind: Pod
|
||||||
- policy: example
|
policy: example
|
||||||
rule: defined-value-jmespath
|
resources:
|
||||||
resource: example
|
- example
|
||||||
kind: Pod
|
result: pass
|
||||||
result: pass
|
rule: defined-jmespath-with-default-variable
|
||||||
- policy: example
|
- kind: Pod
|
||||||
rule: defined-value-jmespath-variable
|
policy: example
|
||||||
resource: example
|
resources:
|
||||||
kind: Pod
|
- example
|
||||||
result: pass
|
result: pass
|
||||||
- policy: example
|
rule: defined-value-jmespath
|
||||||
rule: value-override
|
- kind: Pod
|
||||||
resource: example
|
policy: example
|
||||||
kind: Pod
|
resources:
|
||||||
result: pass
|
- example
|
||||||
- policy: example
|
result: pass
|
||||||
rule: wildcard-match
|
rule: defined-value-jmespath-variable
|
||||||
resource: example
|
- kind: Pod
|
||||||
kind: Pod
|
policy: example
|
||||||
result: pass
|
resources:
|
||||||
- policy: example
|
- example
|
||||||
rule: items
|
result: pass
|
||||||
resource: example
|
rule: value-override
|
||||||
kind: Pod
|
- kind: Pod
|
||||||
result: pass
|
policy: example
|
||||||
- policy: example
|
resources:
|
||||||
rule: unused-var
|
- example
|
||||||
resource: example
|
result: pass
|
||||||
kind: Pod
|
rule: wildcard-match
|
||||||
result: pass
|
- kind: Pod
|
||||||
|
policy: example
|
||||||
|
resources:
|
||||||
|
- example
|
||||||
|
result: pass
|
||||||
|
rule: items
|
||||||
|
- kind: Pod
|
||||||
|
policy: example
|
||||||
|
resources:
|
||||||
|
- example
|
||||||
|
result: pass
|
||||||
|
rule: unused-var
|
||||||
|
|
|
@ -1,17 +1,19 @@
|
||||||
name: block-images
|
name: block-images
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
variables: values.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: block-images
|
- kind: Pod
|
||||||
rule: block-images
|
policy: block-images
|
||||||
resource: good-pod
|
resources:
|
||||||
kind: Pod
|
- good-pod
|
||||||
result: pass
|
result: pass
|
||||||
- policy: block-images
|
|
||||||
rule: block-images
|
rule: block-images
|
||||||
resource: bad-pod
|
- kind: Pod
|
||||||
kind: Pod
|
policy: block-images
|
||||||
|
resources:
|
||||||
|
- bad-pod
|
||||||
result: fail
|
result: fail
|
||||||
|
rule: block-images
|
||||||
|
variables: values.yaml
|
||||||
|
|
|
@ -1,67 +1,78 @@
|
||||||
name: test-custom-funcs
|
name: test-custom-funcs
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: base64
|
- kind: Secret
|
||||||
rule: secret-value-must-match-label
|
policy: base64
|
||||||
resource: base64-test-match
|
resources:
|
||||||
kind: Secret
|
- base64-test-match
|
||||||
status: pass
|
result: pass
|
||||||
- policy: base64
|
rule: secret-value-must-match-label
|
||||||
rule: secret-value-must-match-label
|
- kind: Secret
|
||||||
resource: base64-test-no-match
|
policy: base64
|
||||||
kind: Secret
|
resources:
|
||||||
status: fail
|
- base64-test-no-match
|
||||||
- policy: pattern-match
|
result: fail
|
||||||
rule: label-must-match-pattern
|
rule: secret-value-must-match-label
|
||||||
resource: pattern-match-test-match
|
- kind: Namespace
|
||||||
kind: Namespace
|
policy: pattern-match
|
||||||
status: pass
|
resources:
|
||||||
- policy: pattern-match
|
- pattern-match-test-match
|
||||||
rule: label-must-match-pattern
|
result: pass
|
||||||
resource: pattern-match-test-no-match
|
rule: label-must-match-pattern
|
||||||
kind: Namespace
|
- kind: Namespace
|
||||||
status: fail
|
policy: pattern-match
|
||||||
- policy: path-canonicalize
|
resources:
|
||||||
rule: disallow-mount-containerd-sock
|
- pattern-match-test-no-match
|
||||||
resource: mount-containerd-sock
|
result: fail
|
||||||
kind: Pod
|
rule: label-must-match-pattern
|
||||||
status: fail
|
- kind: Pod
|
||||||
- policy: test-parse-json
|
policy: path-canonicalize
|
||||||
rule: test-json-parsing-jmespath
|
resources:
|
||||||
resource: valid-test
|
- mount-containerd-sock
|
||||||
kind: ConfigMap
|
result: fail
|
||||||
result: pass
|
rule: disallow-mount-containerd-sock
|
||||||
- policy: test-parse-json
|
- kind: ConfigMap
|
||||||
rule: test-json-parsing-jmespath
|
policy: test-parse-json
|
||||||
resource: invalid-test
|
resources:
|
||||||
kind: ConfigMap
|
- valid-test
|
||||||
result: fail
|
result: pass
|
||||||
- policy: test-parse-yaml
|
rule: test-json-parsing-jmespath
|
||||||
rule: test-yaml-parsing-jmespath
|
- kind: ConfigMap
|
||||||
resource: valid-yaml-test
|
policy: test-parse-json
|
||||||
kind: ConfigMap
|
resources:
|
||||||
result: pass
|
- invalid-test
|
||||||
- policy: test-parse-yaml
|
result: fail
|
||||||
rule: test-yaml-parsing-jmespath
|
rule: test-json-parsing-jmespath
|
||||||
resource: invalid-yaml-test
|
- kind: ConfigMap
|
||||||
kind: ConfigMap
|
policy: test-parse-yaml
|
||||||
result: fail
|
resources:
|
||||||
- policy: test-parse-yaml-array
|
- valid-yaml-test
|
||||||
rule: test-yaml-parsing-jmespath
|
result: pass
|
||||||
resource: valid-yaml-test
|
rule: test-yaml-parsing-jmespath
|
||||||
kind: ConfigMap
|
- kind: ConfigMap
|
||||||
result: pass
|
policy: test-parse-yaml
|
||||||
- policy: test-parse-yaml-array
|
resources:
|
||||||
rule: test-yaml-parsing-jmespath
|
- invalid-yaml-test
|
||||||
resource: invalid-yaml-test
|
result: fail
|
||||||
kind: ConfigMap
|
rule: test-yaml-parsing-jmespath
|
||||||
result: fail
|
- kind: ConfigMap
|
||||||
- policy: test-x509-decode
|
policy: test-parse-yaml-array
|
||||||
rule: test-x509-decode
|
resources:
|
||||||
resource: test-x509-configmap
|
- valid-yaml-test
|
||||||
kind: ConfigMap
|
result: pass
|
||||||
result: fail
|
rule: test-yaml-parsing-jmespath
|
||||||
|
- kind: ConfigMap
|
||||||
|
policy: test-parse-yaml-array
|
||||||
|
resources:
|
||||||
|
- invalid-yaml-test
|
||||||
|
result: fail
|
||||||
|
rule: test-yaml-parsing-jmespath
|
||||||
|
- kind: ConfigMap
|
||||||
|
policy: test-x509-decode
|
||||||
|
resources:
|
||||||
|
- test-x509-configmap
|
||||||
|
result: fail
|
||||||
|
rule: test-x509-decode
|
||||||
|
|
|
@ -1,16 +1,18 @@
|
||||||
name: psp-check-supplemental-groups
|
name: psp-check-supplemental-groups
|
||||||
policies:
|
policies:
|
||||||
- check-supplemental-groups.yaml
|
- check-supplemental-groups.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: psp-check-supplemental-groups
|
- kind: Pod
|
||||||
rule: supplementalgroup-ranges
|
policy: psp-check-supplemental-groups
|
||||||
resource: badpod01
|
resources:
|
||||||
kind: Pod
|
- badpod01
|
||||||
result: fail
|
result: fail
|
||||||
- policy: psp-check-supplemental-groups
|
rule: supplementalgroup-ranges
|
||||||
rule: supplementalgroup-ranges
|
- kind: Pod
|
||||||
resource: goodpod01
|
policy: psp-check-supplemental-groups
|
||||||
kind: Pod
|
resources:
|
||||||
result: pass
|
- goodpod01
|
||||||
|
result: pass
|
||||||
|
rule: supplementalgroup-ranges
|
||||||
|
|
|
@ -1,16 +1,18 @@
|
||||||
name: test-simple
|
name: test-simple
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: check-deprecated-api
|
- kind: CronJob
|
||||||
rule: validate-v1-25-removal
|
policy: check-deprecated-api
|
||||||
resource: hello
|
resources:
|
||||||
kind: CronJob
|
- hello
|
||||||
status: skip
|
result: skip
|
||||||
- policy: check-deprecated-api
|
rule: validate-v1-25-removal
|
||||||
rule: validate-v1-25-removal
|
- kind: CronJob
|
||||||
resource: hello-fail
|
policy: check-deprecated-api
|
||||||
kind: CronJob
|
resources:
|
||||||
status: warn
|
- hello-fail
|
||||||
|
result: warn
|
||||||
|
rule: validate-v1-25-removal
|
||||||
|
|
|
@ -1,30 +1,40 @@
|
||||||
name: deny-exec-by-pod-label
|
name: deny-exec-by-pod-label
|
||||||
policies:
|
policies:
|
||||||
- deny-exec-by-pod-label.yaml
|
- deny-exec-by-pod-label.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: deny-exec-by-pod-label
|
- kind: PodExecOptions
|
||||||
rule: deny-exec-by-label
|
namespace: default
|
||||||
resource: execpod
|
policy: deny-exec-by-pod-label
|
||||||
namespace: default
|
resources:
|
||||||
kind: PodExecOptions
|
- execpod
|
||||||
result: fail
|
result: fail
|
||||||
|
rule: deny-exec-by-label
|
||||||
values:
|
values:
|
||||||
policies:
|
|
||||||
- name: deny-exec-by-pod-label
|
|
||||||
rules:
|
|
||||||
- name: deny-exec-by-label
|
|
||||||
values:
|
|
||||||
podexeclabel: "false"
|
|
||||||
globalValues:
|
globalValues:
|
||||||
request.operation: CONNECT
|
request.operation: CONNECT
|
||||||
|
namespaceSelector: null
|
||||||
|
policies:
|
||||||
|
- name: deny-exec-by-pod-label
|
||||||
|
resources: null
|
||||||
|
rules:
|
||||||
|
- foreachValues: null
|
||||||
|
name: deny-exec-by-label
|
||||||
|
values:
|
||||||
|
podexeclabel: "false"
|
||||||
subresources:
|
subresources:
|
||||||
- subresource:
|
- parentResource:
|
||||||
name: "pods/exec"
|
kind: Pod
|
||||||
kind: "PodExecOptions"
|
name: pods
|
||||||
version: "v1"
|
namespaced: false
|
||||||
parentResource:
|
singularName: ""
|
||||||
name: "pods"
|
verbs: null
|
||||||
kind: "Pod"
|
version: v1
|
||||||
version: "v1"
|
subresource:
|
||||||
|
kind: PodExecOptions
|
||||||
|
name: pods/exec
|
||||||
|
namespaced: false
|
||||||
|
singularName: ""
|
||||||
|
verbs: null
|
||||||
|
version: v1
|
||||||
|
|
|
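Review bot: Both `parentResource` and `subresource` on the new side now say `namespaced: false`, yet `pods` and `pods/exec` are namespaced and the test entry itself sets `namespace: default`; the original fixture never stated `namespaced`, so this reads as the Go zero value being written out rather than a deliberate assertion. If the CLI consults `namespaced` when resolving the subresource (cannot confirm from this hunk), the fixture now encodes a wrong value, and either way it is misleading in a test for an exec-deny policy. I would write `namespaced: true` on both entries, or omit the field together with `singularName: ""` and `verbs: null`.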
@ -1,16 +1,18 @@
|
||||||
name: test-foreach-precondition
|
name: test-foreach-precondition
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: enforce-limits-fraction
|
- kind: Pod
|
||||||
rule: check-memory-requests-limits
|
policy: enforce-limits-fraction
|
||||||
resource: frontend1
|
resources:
|
||||||
kind: Pod
|
- frontend1
|
||||||
status: fail
|
result: fail
|
||||||
- policy: enforce-limits-fraction
|
rule: check-memory-requests-limits
|
||||||
rule: check-memory-requests-limits
|
- kind: Pod
|
||||||
resource: frontend2
|
policy: enforce-limits-fraction
|
||||||
kind: Pod
|
resources:
|
||||||
status: pass
|
- frontend2
|
||||||
|
result: pass
|
||||||
|
rule: check-memory-requests-limits
|
||||||
|
|
|
@ -1,56 +1,66 @@
|
||||||
name: test-foreach
|
name: test-foreach
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: validate-empty-dir-mountpath
|
- kind: Pod
|
||||||
rule: check-mount-paths
|
policy: validate-empty-dir-mountpath
|
||||||
resource: test-pod
|
resources:
|
||||||
kind: Pod
|
- test-pod
|
||||||
status: pass
|
result: pass
|
||||||
- policy: validate-empty-dir-mountpath
|
rule: check-mount-paths
|
||||||
rule: check-mount-paths
|
- kind: Pod
|
||||||
resource: test-pod2
|
policy: validate-empty-dir-mountpath
|
||||||
kind: Pod
|
resources:
|
||||||
status: pass
|
- test-pod2
|
||||||
- policy: validate-empty-dir-resources
|
result: pass
|
||||||
rule: check-resources
|
rule: check-mount-paths
|
||||||
resource: test-pod-bad-mount
|
- kind: Pod
|
||||||
kind: Pod
|
policy: validate-empty-dir-resources
|
||||||
status: fail
|
resources:
|
||||||
- policy: validate-empty-dir-resources
|
- test-pod-bad-mount
|
||||||
rule: check-resources
|
result: fail
|
||||||
resource: test-pod
|
rule: check-resources
|
||||||
kind: Pod
|
- kind: Pod
|
||||||
status: fail
|
policy: validate-empty-dir-resources
|
||||||
- policy: validate-empty-dir-resources
|
resources:
|
||||||
rule: check-resources
|
- test-pod
|
||||||
resource: test-pod-with-resources
|
result: fail
|
||||||
kind: Pod
|
rule: check-resources
|
||||||
status: pass
|
- kind: Pod
|
||||||
- policy: validate-empty-dir-resources
|
policy: validate-empty-dir-resources
|
||||||
rule: check-resources
|
resources:
|
||||||
resource: test-pod-with-gke-vol
|
- test-pod-with-resources
|
||||||
kind: Pod
|
result: pass
|
||||||
status: skip
|
rule: check-resources
|
||||||
- policy: validate-empty-dir-resources
|
- kind: Pod
|
||||||
rule: check-resources
|
policy: validate-empty-dir-resources
|
||||||
resource: test-pod-with-resources-multiple-ctnrs
|
resources:
|
||||||
kind: Pod
|
- test-pod-with-gke-vol
|
||||||
status: pass
|
result: skip
|
||||||
- policy: validate-image-list
|
rule: check-resources
|
||||||
rule: check-image
|
- kind: Pod
|
||||||
resource: test-pod
|
policy: validate-empty-dir-resources
|
||||||
kind: Pod
|
resources:
|
||||||
status: fail
|
- test-pod-with-resources-multiple-ctnrs
|
||||||
- policy: validate-image-list
|
result: pass
|
||||||
rule: check-image
|
rule: check-resources
|
||||||
resource: test-pod-ghcr
|
- kind: Pod
|
||||||
kind: Pod
|
policy: validate-image-list
|
||||||
status: fail
|
resources:
|
||||||
- policy: validate-image-list-error
|
- test-pod
|
||||||
rule: check-image
|
result: fail
|
||||||
resource: test-pod-ghcr
|
rule: check-image
|
||||||
kind: Pod
|
- kind: Pod
|
||||||
status: error
|
policy: validate-image-list
|
||||||
|
resources:
|
||||||
|
- test-pod-ghcr
|
||||||
|
result: fail
|
||||||
|
rule: check-image
|
||||||
|
- kind: Pod
|
||||||
|
policy: validate-image-list-error
|
||||||
|
resources:
|
||||||
|
- test-pod-ghcr
|
||||||
|
result: error
|
||||||
|
rule: check-image
|
||||||
|
|
|
@ -1,18 +1,20 @@
|
||||||
name: test-image-digest
|
name: test-image-digest
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: require-image-digest
|
- kind: Pod
|
||||||
rule: check-digest
|
namespace: test
|
||||||
resource: no-digest
|
policy: require-image-digest
|
||||||
kind: Pod
|
resources:
|
||||||
namespace: test
|
- no-digest
|
||||||
status: fail
|
result: fail
|
||||||
- policy: require-image-digest
|
rule: check-digest
|
||||||
rule: check-digest
|
- kind: Pod
|
||||||
resource: with-digest
|
namespace: test
|
||||||
kind: Pod
|
policy: require-image-digest
|
||||||
namespace: test
|
resources:
|
||||||
status: pass
|
- with-digest
|
||||||
|
result: pass
|
||||||
|
rule: check-digest
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: test-image-enforce-signatures
|
name: test-image-enforce-signatures
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: secure-images
|
- kind: Pod
|
||||||
rule: enforce-signatures
|
policy: secure-images
|
||||||
resource: tomcat
|
resources:
|
||||||
kind: Pod
|
- tomcat
|
||||||
status: fail
|
result: fail
|
||||||
|
rule: enforce-signatures
|
||||||
|
|
|
@ -1,16 +1,18 @@
|
||||||
name: test-image-signature
|
name: test-image-signature
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: verify-signature
|
- kind: Pod
|
||||||
rule: check-static-key
|
policy: verify-signature
|
||||||
resource: signed
|
resources:
|
||||||
kind: Pod
|
- signed
|
||||||
status: pass
|
result: pass
|
||||||
- policy: verify-signature
|
rule: check-static-key
|
||||||
rule: check-static-key
|
- kind: Pod
|
||||||
resource: unsigned
|
policy: verify-signature
|
||||||
kind: Pod
|
resources:
|
||||||
status: fail
|
- unsigned
|
||||||
|
result: fail
|
||||||
|
rule: check-static-key
|
||||||
|
|
|
@ -1,26 +1,30 @@
|
||||||
name: test-image-verify-signature
|
name: test-image-verify-signature
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: check-image
|
- kind: Pod
|
||||||
rule: verify-signature
|
policy: check-image
|
||||||
resource: signed
|
resources:
|
||||||
kind: Pod
|
- signed
|
||||||
status: pass
|
result: pass
|
||||||
- policy: check-image
|
rule: verify-signature
|
||||||
rule: verify-signature
|
- kind: Pod
|
||||||
resource: unsigned
|
policy: check-image
|
||||||
kind: Pod
|
resources:
|
||||||
status: fail
|
- unsigned
|
||||||
- policy: check-data-volume-image
|
result: fail
|
||||||
rule: verify-signature
|
rule: verify-signature
|
||||||
resource: signed-registry-image-datavolume
|
- kind: DataVolume
|
||||||
kind: DataVolume
|
policy: check-data-volume-image
|
||||||
status: pass
|
resources:
|
||||||
- policy: check-data-volume-image
|
- signed-registry-image-datavolume
|
||||||
rule: verify-signature
|
result: pass
|
||||||
resource: unsigned-registry-image-datavolume
|
rule: verify-signature
|
||||||
kind: DataVolume
|
- kind: DataVolume
|
||||||
status: fail
|
policy: check-data-volume-image
|
||||||
|
resources:
|
||||||
|
- unsigned-registry-image-datavolume
|
||||||
|
result: fail
|
||||||
|
rule: verify-signature
|
||||||
|
|
|
@ -1,36 +1,42 @@
|
||||||
name: test-preconditions
|
name: test-preconditions
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: test-jmespath
|
- kind: Pod
|
||||||
rule: test-jmespath
|
policy: test-jmespath
|
||||||
resource: test-valid1
|
resources:
|
||||||
kind: Pod
|
- test-valid1
|
||||||
status: pass
|
result: pass
|
||||||
- policy: test-jmespath
|
rule: test-jmespath
|
||||||
rule: test-jmespath
|
- kind: Pod
|
||||||
resource: test-valid2
|
policy: test-jmespath
|
||||||
kind: Pod
|
resources:
|
||||||
status: pass
|
- test-valid2
|
||||||
- policy: test-jmespath
|
result: pass
|
||||||
rule: test-jmespath
|
rule: test-jmespath
|
||||||
resource: test-valid3
|
- kind: Pod
|
||||||
kind: Pod
|
policy: test-jmespath
|
||||||
status: pass
|
resources:
|
||||||
- policy: test-jmespath
|
- test-valid3
|
||||||
rule: test-jmespath
|
result: pass
|
||||||
resource: test-invalid
|
rule: test-jmespath
|
||||||
kind: Pod
|
- kind: Pod
|
||||||
status: fail
|
policy: test-jmespath
|
||||||
- policy: namespace-validation
|
resources:
|
||||||
rule: namespace-validation
|
- test-invalid
|
||||||
resource: test-invalid
|
result: fail
|
||||||
kind: Namespace
|
rule: test-jmespath
|
||||||
status: fail
|
- kind: Namespace
|
||||||
- policy: namespace-validation
|
policy: namespace-validation
|
||||||
rule: namespace-validation
|
resources:
|
||||||
resource: test-valid
|
- test-invalid
|
||||||
kind: Namespace
|
result: fail
|
||||||
status: pass
|
rule: namespace-validation
|
||||||
|
- kind: Namespace
|
||||||
|
policy: namespace-validation
|
||||||
|
resources:
|
||||||
|
- test-valid
|
||||||
|
result: pass
|
||||||
|
rule: namespace-validation
|
||||||
|
|
|
@ -1,19 +1,21 @@
|
||||||
name: limit-configmap-for-sa
|
name: limit-configmap-for-sa
|
||||||
policies:
|
policies:
|
||||||
- limit_configmap_for_sa.yaml
|
- limit_configmap_for_sa.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
variables: variables.yaml
|
|
||||||
userinfo: user_info.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: limit-configmap-for-sa
|
- kind: ConfigMap
|
||||||
rule: limit-configmap-for-sa-developer
|
namespace: any-namespace
|
||||||
resource: any-configmap-name-good
|
policy: limit-configmap-for-sa
|
||||||
kind: ConfigMap
|
resources:
|
||||||
namespace: any-namespace
|
- any-configmap-name-good
|
||||||
result: fail
|
result: fail
|
||||||
- policy: limit-configmap-for-sa
|
rule: limit-configmap-for-sa-developer
|
||||||
rule: limit-configmap-for-sa-developer
|
- kind: ConfigMap
|
||||||
resource: any-configmap-name-bad
|
policy: limit-configmap-for-sa
|
||||||
kind: ConfigMap
|
resources:
|
||||||
result: skip
|
- any-configmap-name-bad
|
||||||
|
result: skip
|
||||||
|
rule: limit-configmap-for-sa-developer
|
||||||
|
userinfo: user_info.yaml
|
||||||
|
variables: variables.yaml
|
||||||
|
|
|
@ -1,21 +1,24 @@
|
||||||
name: yaml-verification
|
name: yaml-verification
|
||||||
policies:
|
policies:
|
||||||
- policies.yaml
|
- policies.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: validate-yaml
|
- kind: Service
|
||||||
rule: validate-yaml
|
policy: validate-yaml
|
||||||
resource: test-service # no signature
|
resources:
|
||||||
kind: Service
|
- test-service
|
||||||
result: fail
|
result: fail
|
||||||
- policy: validate-yaml
|
rule: validate-yaml
|
||||||
rule: validate-yaml
|
- kind: Service
|
||||||
resource: test-service2 # one signature
|
policy: validate-yaml
|
||||||
kind: Service
|
resources:
|
||||||
result: pass
|
- test-service2
|
||||||
- policy: validate-yaml
|
result: pass
|
||||||
rule: validate-yaml-multi-sig
|
rule: validate-yaml
|
||||||
resource: test-service3 # multi signature
|
- kind: Service
|
||||||
kind: Service
|
policy: validate-yaml
|
||||||
result: pass
|
resources:
|
||||||
|
- test-service3
|
||||||
|
result: pass
|
||||||
|
rule: validate-yaml-multi-sig
|
||||||
|
|
|
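Review bot: The inline notes on the old result entries (`resource: test-service # no signature`, `# one signature`, `# multi signature`) do not survive on the new side, so the rewritten file no longer records which fixture carries how many signatures, which is the whole point of this verification test. That loss looks like a consequence of rewriting the test through an unmarshal/marshal round-trip, which cannot carry YAML comments; if the command writes the fixed file back in place it should at least warn that comments are dropped, or the migration should keep such notes in a field the serializer preserves. The remainder of the hunk is a mechanical `resource:`→`resources:` and key-order change.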
@ -1,32 +1,36 @@
|
||||||
name: ondemand
|
name: ondemand
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: ondemand
|
- kind: Pod
|
||||||
rule: ondemand-nodeselector
|
namespace: user-space
|
||||||
resource: nodeselector-with-labels-on-mutation
|
patchedResource: patched-resource.yaml
|
||||||
patchedResource: patched-resource.yaml
|
policy: ondemand
|
||||||
namespace: user-space
|
resources:
|
||||||
kind: Pod
|
- nodeselector-with-labels-on-mutation
|
||||||
result: pass
|
result: pass
|
||||||
- policy: ondemand
|
rule: ondemand-nodeselector
|
||||||
rule: ondemand-managed_by
|
- kind: Pod
|
||||||
resource: nodeselector-with-labels-on-mutation
|
namespace: user-space
|
||||||
namespace: user-space
|
policy: ondemand
|
||||||
kind: Pod
|
resources:
|
||||||
result: pass
|
- nodeselector-with-labels-on-mutation
|
||||||
- policy: ondemand
|
result: pass
|
||||||
rule: ondemand-nodeselector
|
rule: ondemand-managed_by
|
||||||
resource: nodeselector-without-labels-on-mutation
|
- kind: Pod
|
||||||
patchedResource: patched-resource1.yaml
|
namespace: user-foo
|
||||||
namespace: user-foo
|
patchedResource: patched-resource1.yaml
|
||||||
kind: Pod
|
policy: ondemand
|
||||||
result: skip
|
resources:
|
||||||
- policy: ondemand
|
- nodeselector-without-labels-on-mutation
|
||||||
rule: ondemand-managed_by
|
result: skip
|
||||||
resource: nodeselector-without-labels-on-mutation
|
rule: ondemand-nodeselector
|
||||||
namespace: user-foo
|
- kind: Pod
|
||||||
kind: Pod
|
namespace: user-foo
|
||||||
result: fail
|
policy: ondemand
|
||||||
|
resources:
|
||||||
|
- nodeselector-without-labels-on-mutation
|
||||||
|
result: fail
|
||||||
|
rule: ondemand-managed_by
|
||||||
|
|
|
@ -1,17 +1,18 @@
|
||||||
name: test-simple
|
name: test-simple
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: test-multiple-key
|
- kind: Pod
|
||||||
rule: test-multiple-key
|
policy: test-multiple-key
|
||||||
resource: test-resource-pass
|
resources:
|
||||||
kind: Pod
|
- test-resource-pass
|
||||||
status: pass
|
result: pass
|
||||||
- policy: test-multiple-key
|
rule: test-multiple-key
|
||||||
rule: test-multiple-key
|
- kind: Pod
|
||||||
resource: test-resource-fail
|
policy: test-multiple-key
|
||||||
kind: Pod
|
resources:
|
||||||
status: fail
|
- test-resource-fail
|
||||||
|
result: fail
|
||||||
|
rule: test-multiple-key
|
||||||
|
|
|
@ -1,17 +1,17 @@
|
||||||
name: exclude-namespaces-example
|
name: exclude-namespaces-example
|
||||||
policies:
|
policies:
|
||||||
- exclude_namespaces_dynamically.yaml
|
- exclude_namespaces_dynamically.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
variables: values.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: exclude-namespaces-example
|
- kind: Pod
|
||||||
rule: exclude-namespaces-dynamically
|
policy: exclude-namespaces-example
|
||||||
resource: bad-pod01
|
resource: bad-pod01
|
||||||
kind: Pod
|
result: pass
|
||||||
result: pass
|
rule: exclude-namespaces-dynamically
|
||||||
- policy: exclude-namespaces-example
|
- kind: Pod
|
||||||
rule: exclude-namespaces-dynamically
|
policy: exclude-namespaces-example
|
||||||
resource: bad-pod02
|
resource: bad-pod02
|
||||||
kind: Pod
|
result: error
|
||||||
result: error
|
rule: exclude-namespaces-dynamically
|
||||||
|
variables: values.yaml
|
||||||
|
|
|
@ -1,16 +1,18 @@
|
||||||
name: limit-duration
|
name: limit-duration
|
||||||
policies:
|
policies:
|
||||||
- limit-duration.yaml
|
- limit-duration.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: cert-manager-limit-duration
|
- kind: Certificate
|
||||||
rule: certificate-duration-max-100days
|
policy: cert-manager-limit-duration
|
||||||
resource: letsencrypt-crt
|
resources:
|
||||||
kind: Certificate
|
- letsencrypt-crt
|
||||||
result: skip
|
result: skip
|
||||||
- policy: cert-manager-limit-duration
|
rule: certificate-duration-max-100days
|
||||||
rule: certificate-duration-max-100days
|
- kind: Certificate
|
||||||
resource: acme-crt
|
policy: cert-manager-limit-duration
|
||||||
kind: Certificate
|
resources:
|
||||||
result: error
|
- acme-crt
|
||||||
|
result: error
|
||||||
|
rule: certificate-duration-max-100days
|
||||||
|
|
|
@ -1,11 +1,12 @@
|
||||||
name: check-kernel
|
name: check-kernel
|
||||||
policies:
|
policies:
|
||||||
- check_node_for_cve_2022_0185.yaml
|
- check_node_for_cve_2022_0185.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: check-kernel
|
- kind: Node
|
||||||
|
policy: check-kernel
|
||||||
|
resources:
|
||||||
|
- test-check-kernel-version
|
||||||
|
result: pass
|
||||||
rule: kernel-validate
|
rule: kernel-validate
|
||||||
resource: test-check-kernel-version
|
|
||||||
kind: Node
|
|
||||||
result: pass
|
|
|
@ -4,18 +4,21 @@ policies:
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
results:
|
results:
|
||||||
- policy: require-pod-probes
|
- kind: Pod
|
||||||
rule: require-pod-probes
|
policy: require-pod-probes
|
||||||
resource: pod-fail
|
resources:
|
||||||
kind: Pod
|
- pod-fail
|
||||||
result: fail
|
result: fail
|
||||||
- policy: require-pod-probes
|
|
||||||
rule: require-pod-probes
|
rule: require-pod-probes
|
||||||
resource: deployment-skip
|
- kind: Deployment
|
||||||
kind: Deployment
|
policy: require-pod-probes
|
||||||
|
resources:
|
||||||
|
- deployment-skip
|
||||||
|
result: skip
|
||||||
|
rule: require-pod-probes
|
||||||
|
- kind: CronJob
|
||||||
|
policy: require-pod-probes
|
||||||
|
resources:
|
||||||
|
- cronjob-skip
|
||||||
result: skip
|
result: skip
|
||||||
- policy: require-pod-probes
|
|
||||||
rule: require-pod-probes
|
rule: require-pod-probes
|
||||||
resource: cronjob-skip
|
|
||||||
kind: CronJob
|
|
||||||
result: skip
|
|
|
@ -1,17 +1,19 @@
|
||||||
name: disallow-naked-pods
|
name: disallow-naked-pods
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
variables: values.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: disallow-naked-pods
|
- kind: Pod
|
||||||
rule: validate-naked-pods
|
policy: disallow-naked-pods
|
||||||
resource: blank-skip
|
resources:
|
||||||
kind: Pod
|
- blank-skip
|
||||||
result: skip
|
result: skip
|
||||||
- policy: disallow-naked-pods
|
|
||||||
rule: validate-naked-pods
|
rule: validate-naked-pods
|
||||||
resource: blank-fail
|
- kind: Pod
|
||||||
kind: Pod
|
policy: disallow-naked-pods
|
||||||
|
resources:
|
||||||
|
- blank-fail
|
||||||
result: fail
|
result: fail
|
||||||
|
rule: validate-naked-pods
|
||||||
|
variables: values.yaml
|
||||||
|
|
|
@ -1,16 +1,18 @@
|
||||||
name: test-preconditions
|
name: test-preconditions
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: preconditions
|
- kind: Pod
|
||||||
rule: any-rule
|
policy: preconditions
|
||||||
resource: test-valid
|
resources:
|
||||||
kind: Pod
|
- test-valid
|
||||||
status: pass
|
result: pass
|
||||||
- policy: preconditions
|
rule: any-rule
|
||||||
rule: any-rule
|
- kind: Pod
|
||||||
resource: test-invalid
|
policy: preconditions
|
||||||
kind: Pod
|
resources:
|
||||||
status: fail
|
- test-invalid
|
||||||
|
result: fail
|
||||||
|
rule: any-rule
|
||||||
|
|
|
@ -1,27 +1,31 @@
|
||||||
name: unique-ingress-host
|
name: unique-ingress-host
|
||||||
policies:
|
policies:
|
||||||
- restrict_ingress_host.yaml
|
- restrict_ingress_host.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
variables: values.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: unique-ingress-host
|
- kind: Ingress
|
||||||
rule: check-single-host
|
policy: unique-ingress-host
|
||||||
resource: ingress-kyverno-host
|
resources:
|
||||||
kind: Ingress
|
- ingress-kyverno-host
|
||||||
result: fail
|
result: fail
|
||||||
- policy: unique-ingress-host
|
rule: check-single-host
|
||||||
rule: check-single-host
|
- kind: Ingress
|
||||||
resource: ingress-foo-host
|
policy: unique-ingress-host
|
||||||
kind: Ingress
|
resources:
|
||||||
result: skip
|
- ingress-foo-host
|
||||||
- policy: unique-ingress-host
|
result: skip
|
||||||
rule: deny-multiple-hosts
|
rule: check-single-host
|
||||||
resource: ingress-kyverno-host
|
- kind: Ingress
|
||||||
kind: Ingress
|
policy: unique-ingress-host
|
||||||
result: skip
|
resources:
|
||||||
- policy: unique-ingress-host
|
- ingress-kyverno-host
|
||||||
rule: deny-multiple-hosts
|
result: skip
|
||||||
resource: ingress-foo-host
|
rule: deny-multiple-hosts
|
||||||
kind: Ingress
|
- kind: Ingress
|
||||||
result: fail
|
policy: unique-ingress-host
|
||||||
|
resources:
|
||||||
|
- ingress-foo-host
|
||||||
|
result: fail
|
||||||
|
rule: deny-multiple-hosts
|
||||||
|
variables: values.yaml
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
name: enforce-replicas-for-scale-subresource
|
name: enforce-replicas-for-scale-subresource
|
||||||
policies:
|
policies:
|
||||||
- enforce-replicas-for-scale-subresource.yml
|
- enforce-replicas-for-scale-subresource.yml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
variables: values.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: enforce-replicas-for-scale-subresource
|
- kind: Scale
|
||||||
rule: validate-nginx-test
|
namespace: default
|
||||||
resource: nginx-test
|
policy: enforce-replicas-for-scale-subresource
|
||||||
namespace: default
|
resources:
|
||||||
kind: Scale
|
- nginx-test
|
||||||
result: fail
|
result: fail
|
||||||
|
rule: validate-nginx-test
|
||||||
|
variables: values.yaml
|
||||||
|
|
|
@ -1,18 +1,20 @@
|
||||||
name: add-maintainer
|
name: add-maintainer
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: add-maintainer
|
- kind: Secret
|
||||||
rule: add-maintainer
|
patchedResource: patched-resource.yaml
|
||||||
resource: example
|
policy: add-maintainer
|
||||||
patchedResource: patched-resource.yaml
|
resources:
|
||||||
kind: Secret
|
- example
|
||||||
result: pass
|
result: pass
|
||||||
- policy: add-maintainer
|
rule: add-maintainer
|
||||||
rule: add-maintainer
|
- kind: Secret
|
||||||
resource: secrete-fail-example
|
patchedResource: patched-resource1.yaml
|
||||||
patchedResource: patched-resource1.yaml
|
policy: add-maintainer
|
||||||
kind: Secret
|
resources:
|
||||||
result: fail
|
- secrete-fail-example
|
||||||
|
result: fail
|
||||||
|
rule: add-maintainer
|
||||||
|
|
|
@ -1,95 +1,94 @@
|
||||||
name: test-simple
|
name: test-simple
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
variables: values.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: disallow-latest-tag
|
- kind: Pod
|
||||||
rule: require-image-tag
|
namespace: test
|
||||||
resource: test-require-image-tag-pass
|
policy: disallow-latest-tag
|
||||||
kind: Pod
|
resource: test-require-image-tag-pass
|
||||||
namespace: test
|
result: pass
|
||||||
status: pass
|
rule: require-image-tag
|
||||||
- policy: disallow-latest-tag
|
- kind: Pod
|
||||||
rule: require-image-tag
|
namespace: test
|
||||||
resource: test-require-image-tag-fail
|
policy: disallow-latest-tag
|
||||||
kind: Pod
|
resource: test-require-image-tag-fail
|
||||||
namespace: test
|
result: fail
|
||||||
status: fail
|
rule: require-image-tag
|
||||||
- policy: disallow-latest-tag
|
- kind: Pod
|
||||||
rule: validate-image-tag
|
policy: disallow-latest-tag
|
||||||
resource: test-validate-image-tag-ignore
|
resource: test-validate-image-tag-ignore
|
||||||
kind: Pod
|
result: skip
|
||||||
status: skip
|
rule: validate-image-tag
|
||||||
- policy: disallow-latest-tag
|
- kind: Pod
|
||||||
rule: validate-image-tag
|
namespace: test
|
||||||
resource: test-validate-image-tag-fail
|
policy: disallow-latest-tag
|
||||||
namespace: test
|
resource: test-validate-image-tag-fail
|
||||||
kind: Pod
|
result: fail
|
||||||
status: fail
|
rule: validate-image-tag
|
||||||
- policy: disallow-latest-tag
|
- kind: Pod
|
||||||
rule: validate-image-tag
|
namespace: test
|
||||||
resource: test-validate-image-tag-pass
|
policy: disallow-latest-tag
|
||||||
kind: Pod
|
resource: test-validate-image-tag-pass
|
||||||
namespace: test
|
result: pass
|
||||||
status: pass
|
rule: validate-image-tag
|
||||||
- policy: duration-test
|
- kind: Pod
|
||||||
rule: greater-than
|
namespace: test
|
||||||
resource: test-lifetime-fail
|
policy: duration-test
|
||||||
kind: Pod
|
resource: test-lifetime-fail
|
||||||
namespace: test
|
result: fail
|
||||||
status: fail
|
rule: greater-than
|
||||||
- policy: duration-test
|
- kind: Pod
|
||||||
rule: less-than
|
namespace: test
|
||||||
resource: test-lifetime-fail
|
policy: duration-test
|
||||||
kind: Pod
|
resource: test-lifetime-fail
|
||||||
namespace: test
|
result: pass
|
||||||
status: pass
|
rule: less-than
|
||||||
- policy: duration-test
|
- kind: Pod
|
||||||
rule: greater-equal-than
|
namespace: test
|
||||||
resource: test-lifetime-fail
|
policy: duration-test
|
||||||
kind: Pod
|
resource: test-lifetime-fail
|
||||||
namespace: test
|
result: fail
|
||||||
status: fail
|
rule: greater-equal-than
|
||||||
- policy: duration-test
|
- kind: Pod
|
||||||
rule: less-equal-than
|
namespace: test
|
||||||
resource: test-lifetime-fail
|
policy: duration-test
|
||||||
kind: Pod
|
resource: test-lifetime-fail
|
||||||
namespace: test
|
result: pass
|
||||||
status: pass
|
rule: less-equal-than
|
||||||
|
- kind: Pod
|
||||||
- policy: restrict-pod-counts
|
policy: restrict-pod-counts
|
||||||
rule: restrict-pod-count
|
resource: myapp-pod
|
||||||
resource: myapp-pod
|
result: fail
|
||||||
kind: Pod
|
rule: restrict-pod-count
|
||||||
status: fail
|
- kind: Pod
|
||||||
- policy: restrict-pod-counts
|
namespace: test
|
||||||
rule: restrict-pod-count
|
policy: restrict-pod-counts
|
||||||
resource: test-require-image-tag-pass
|
resource: test-require-image-tag-pass
|
||||||
kind: Pod
|
result: fail
|
||||||
namespace: test
|
rule: restrict-pod-count
|
||||||
status: fail
|
- kind: Pod
|
||||||
- policy: restrict-pod-counts
|
namespace: test
|
||||||
rule: restrict-pod-count
|
policy: restrict-pod-counts
|
||||||
resource: test-require-image-tag-fail
|
resource: test-require-image-tag-fail
|
||||||
kind: Pod
|
result: fail
|
||||||
namespace: test
|
rule: restrict-pod-count
|
||||||
status: fail
|
- kind: Pod
|
||||||
- policy: restrict-pod-counts
|
policy: restrict-pod-counts
|
||||||
rule: restrict-pod-count
|
resource: test-validate-image-tag-ignore
|
||||||
resource: test-validate-image-tag-ignore
|
result: fail
|
||||||
kind: Pod
|
rule: restrict-pod-count
|
||||||
status: fail
|
- kind: Pod
|
||||||
- policy: restrict-pod-counts
|
namespace: test
|
||||||
rule: restrict-pod-count
|
policy: restrict-pod-counts
|
||||||
resource: test-validate-image-tag-fail
|
resource: test-validate-image-tag-fail
|
||||||
kind: Pod
|
result: fail
|
||||||
namespace: test
|
rule: restrict-pod-count
|
||||||
status: fail
|
- kind: Pod
|
||||||
- policy: restrict-pod-counts
|
namespace: test
|
||||||
rule: restrict-pod-count
|
policy: restrict-pod-counts
|
||||||
resource: test-validate-image-tag-pass
|
resource: test-validate-image-tag-pass
|
||||||
kind: Pod
|
result: fail
|
||||||
namespace: test
|
rule: restrict-pod-count
|
||||||
status: fail
|
variables: values.yaml
|
||||||
|
|
|
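Review bot: Every result on the new side of this hunk keeps the singular `resource:` key (e.g. `resource: test-require-image-tag-pass`), while the other converted test files in this commit emit a one-entry `resources:` list; the same singular form also survives in the `exclude-namespaces-example` file. If `resource` is the deprecated spelling the fix command is meant to retire, this file is only half-migrated (`status:`→`result:` was applied) and the conversion rule, which apparently skips the rename under a condition not visible from the diff, should be checked. If the singular form is intentionally still accepted, a short comment in the command stating when it is retained would stop maintainers from hand-editing these fixtures back and forth.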
@ -1,12 +1,13 @@
|
||||||
name: chained-variables
|
name: chained-variables
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resource.yaml
|
- resource.yaml
|
||||||
variables: variables.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: deny-something
|
- kind: Pod
|
||||||
|
policy: deny-something
|
||||||
|
resources:
|
||||||
|
- valid-pod
|
||||||
|
result: pass
|
||||||
rule: deny-everything
|
rule: deny-everything
|
||||||
resource: valid-pod
|
variables: variables.yaml
|
||||||
kind: Pod
|
|
||||||
result: pass
|
|
||||||
|
|
|
@ -1,77 +1,90 @@
|
||||||
name: test-variables
|
name: test-variables
|
||||||
policies:
|
policies:
|
||||||
- cm-variable-example.yaml
|
- cm-variable-example.yaml
|
||||||
- cm-multiple-example.yaml
|
- cm-multiple-example.yaml
|
||||||
- cm-array-example.yaml
|
- cm-array-example.yaml
|
||||||
- cm-blk-scalar-example.yaml
|
- cm-blk-scalar-example.yaml
|
||||||
- cm-globalval-example.yaml
|
- cm-globalval-example.yaml
|
||||||
- image-example.yaml
|
- image-example.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
variables: variables.yaml
|
|
||||||
results:
|
results:
|
||||||
- policy: cm-multiple-example
|
- kind: Pod
|
||||||
rule: example-configmap-lookup
|
policy: cm-multiple-example
|
||||||
resource: test-env-test
|
resources:
|
||||||
kind: Pod
|
- test-env-test
|
||||||
result: pass
|
result: pass
|
||||||
- policy: cm-multiple-example
|
rule: example-configmap-lookup
|
||||||
rule: example-configmap-lookup
|
- kind: Pod
|
||||||
resource: test-env-dev
|
policy: cm-multiple-example
|
||||||
kind: Pod
|
resources:
|
||||||
result: fail
|
- test-env-dev
|
||||||
- policy: cm-variable-example
|
result: fail
|
||||||
rule: example-configmap-lookup
|
rule: example-configmap-lookup
|
||||||
resource: test-env-test
|
- kind: Pod
|
||||||
kind: Pod
|
policy: cm-variable-example
|
||||||
result: pass
|
resources:
|
||||||
- policy: cm-variable-example
|
- test-env-test
|
||||||
rule: example-configmap-lookup
|
result: pass
|
||||||
resource: test-env-dev
|
rule: example-configmap-lookup
|
||||||
kind: Pod
|
- kind: Pod
|
||||||
result: fail
|
policy: cm-variable-example
|
||||||
- policy: cm-array-example
|
resources:
|
||||||
rule: validate-role-annotation
|
- test-env-dev
|
||||||
resource: test-web
|
result: fail
|
||||||
kind: Pod
|
rule: example-configmap-lookup
|
||||||
result: fail
|
- kind: Pod
|
||||||
- policy: cm-array-example
|
policy: cm-array-example
|
||||||
rule: validate-role-annotation
|
resources:
|
||||||
resource: test-app
|
- test-web
|
||||||
kind: Pod
|
result: fail
|
||||||
result: pass
|
rule: validate-role-annotation
|
||||||
- policy: cm-blk-scalar-example
|
- kind: Pod
|
||||||
rule: validate-blk-role-annotation
|
policy: cm-array-example
|
||||||
resource: test-blk-web
|
resources:
|
||||||
kind: Pod
|
- test-app
|
||||||
result: fail
|
result: pass
|
||||||
- policy: cm-blk-scalar-example
|
rule: validate-role-annotation
|
||||||
rule: validate-blk-role-annotation
|
- kind: Pod
|
||||||
resource: test-blk-app
|
policy: cm-blk-scalar-example
|
||||||
kind: Pod
|
resources:
|
||||||
result: pass
|
- test-blk-web
|
||||||
- policy: cm-globalval-example
|
result: fail
|
||||||
rule: validate-mode
|
rule: validate-blk-role-annotation
|
||||||
resource: test-global-dev
|
- kind: Pod
|
||||||
kind: Pod
|
policy: cm-blk-scalar-example
|
||||||
result: pass
|
resources:
|
||||||
- policy: cm-globalval-example
|
- test-blk-app
|
||||||
rule: validate-mode
|
result: pass
|
||||||
resource: test-global-prod
|
rule: validate-blk-role-annotation
|
||||||
kind: Pod
|
- kind: Pod
|
||||||
result: fail
|
policy: cm-globalval-example
|
||||||
- policy: images
|
resources:
|
||||||
rule: only-allow-trusted-images
|
- test-global-dev
|
||||||
resource: test-pod-with-non-root-user-image
|
result: pass
|
||||||
kind: Pod
|
rule: validate-mode
|
||||||
status: pass
|
- kind: Pod
|
||||||
- policy: images
|
policy: cm-globalval-example
|
||||||
rule: only-allow-trusted-images
|
resources:
|
||||||
resource: test-pod-with-trusted-registry
|
- test-global-prod
|
||||||
kind: Pod
|
result: fail
|
||||||
status: pass
|
rule: validate-mode
|
||||||
- policy: images
|
- kind: Pod
|
||||||
rule: only-allow-trusted-images
|
policy: images
|
||||||
resource: test-pod-with-non-trusted-registry
|
resources:
|
||||||
kind: Pod
|
- test-pod-with-non-root-user-image
|
||||||
status: fail
|
result: pass
|
||||||
|
rule: only-allow-trusted-images
|
||||||
|
- kind: Pod
|
||||||
|
policy: images
|
||||||
|
resources:
|
||||||
|
- test-pod-with-trusted-registry
|
||||||
|
result: pass
|
||||||
|
rule: only-allow-trusted-images
|
||||||
|
- kind: Pod
|
||||||
|
policy: images
|
||||||
|
resources:
|
||||||
|
- test-pod-with-non-trusted-registry
|
||||||
|
result: fail
|
||||||
|
rule: only-allow-trusted-images
|
||||||
|
variables: variables.yaml
|
||||||
|
|
|
@ -1,31 +1,36 @@
|
||||||
name: wildcard-support-in-matchlabels
|
name: wildcard-support-in-matchlabels
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: wildcard-support-in-matchlabels
|
- kind: Pod
|
||||||
rule: wildcard-label
|
policy: wildcard-support-in-matchlabels
|
||||||
resource: my-service-1
|
resources:
|
||||||
kind: Pod
|
- my-service-1
|
||||||
result: pass
|
result: pass
|
||||||
- policy: wildcard-support-in-matchlabels
|
rule: wildcard-label
|
||||||
rule: label-end-with-test
|
- kind: Pod
|
||||||
resource: my-service-2
|
policy: wildcard-support-in-matchlabels
|
||||||
kind: Pod
|
resources:
|
||||||
result: pass
|
- my-service-2
|
||||||
- policy: wildcard-support-in-matchlabels
|
result: pass
|
||||||
rule: label-end-with-test
|
rule: label-end-with-test
|
||||||
resource: my-service-3
|
- kind: Pod
|
||||||
kind: Pod
|
policy: wildcard-support-in-matchlabels
|
||||||
result: skip
|
resources:
|
||||||
- policy: wildcard-support-in-matchlabels
|
- my-service-3
|
||||||
rule: label-start-with-test
|
result: skip
|
||||||
resource: my-service-4
|
rule: label-end-with-test
|
||||||
kind: Pod
|
- kind: Pod
|
||||||
result: pass
|
policy: wildcard-support-in-matchlabels
|
||||||
- policy: wildcard-support-in-matchlabels
|
resources:
|
||||||
rule: label-start-with-test
|
- my-service-4
|
||||||
resource: my-service-5
|
result: pass
|
||||||
kind: Pod
|
rule: label-start-with-test
|
||||||
result: skip
|
- kind: Pod
|
||||||
|
policy: wildcard-support-in-matchlabels
|
||||||
|
resources:
|
||||||
|
- my-service-5
|
||||||
|
result: skip
|
||||||
|
rule: label-start-with-test
|
||||||
|
|
|
@ -1,18 +1,20 @@
|
||||||
name: wildcard-support-in-matchlabels
|
name: wildcard-support-in-matchlabels
|
||||||
policies:
|
policies:
|
||||||
- policy.yaml
|
- policy.yaml
|
||||||
resources:
|
resources:
|
||||||
- resources.yaml
|
- resources.yaml
|
||||||
results:
|
results:
|
||||||
- policy: mutate-wildcard
|
- kind: Pod
|
||||||
rule: mutate-wildcard
|
patchedResource: patchedResource.yaml
|
||||||
resource: wildcard-mutate
|
policy: mutate-wildcard
|
||||||
patchedResource: patchedResource.yaml
|
resources:
|
||||||
kind: Pod
|
- wildcard-mutate
|
||||||
result: pass
|
result: pass
|
||||||
- policy: mutate-wildcard
|
rule: mutate-wildcard
|
||||||
rule: mutate-wildcard
|
- kind: Pod
|
||||||
resource: wildcard-mutate-fail
|
patchedResource: patchedResource1.yaml
|
||||||
patchedResource: patchedResource1.yaml
|
policy: mutate-wildcard
|
||||||
kind: Pod
|
resources:
|
||||||
result: fail
|
- wildcard-mutate-fail
|
||||||
|
result: fail
|
||||||
|
rule: mutate-wildcard
|
||||||
|
|