clean up
This commit is contained in:
parent
6ea58eb09b
commit
a4a0a27472
11 changed files with 0 additions and 283 deletions
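--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,19 +0,0 @@
-# file path relative to project root
-input:
-policy: test/scenarios/mutate/policy_mutate_pod_disable_automountingapicred.yaml
-resource: test/scenarios/mutate/resource_mutate_pod_disable_automountingapicred.yaml
-expected:
-mutation:
-patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
-policyresponse:
-policy: mutate-pod-disable-automoutingapicred
-resource:
-kind: Pod
-apiVersion: v1
-namespace: ''
-name: myapp-pod
-rules:
-- name: pod-disable-automoutingapicred
-type: Mutation
-message: "succesfully process overlay"
-success: true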
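--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-name: check-cpu-memory
-spec:
-rules:
-- name: check-defined
-match:
-resources:
-kinds:
-- Deployment
-validate:
-message: "Resource limits are required for CPU and memory"
-pattern:
-spec:
-template:
-spec:
-containers:
-- name: "?*"
-resources:
-limits:
-memory: "?*"
-cpu: "?*"
-
-- name: check-cpu
-match:
-resources:
-kinds:
-- Deployment
-validate:
-message: "CPU request should be less than 4"
-pattern:
-spec:
-template:
-spec:
-containers:
-- name: "*"
-resources:
-requests:
-cpu: "<4m"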
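--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-name: check-host-path
-spec:
-rules:
-- name: check-host-path
-match:
-resources:
-kinds:
-- Pod
-validate:
-message: "Host path is not allowed"
-pattern:
-spec:
-volumes:
-- name: "*"
-hostPath:
-path: ""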
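--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-name: image-pull-policy
-spec:
-rules:
-- name: image-pull-policy
-match:
-resources:
-kinds:
-- Deployment
-validate:
-message: "Image tag ':latest' requires imagePullPolicy 'Always'"
-pattern:
-spec:
-template:
-spec:
-containers:
-# select images which end with :latest
-- (image): "*latest"
-# require that the imagePullPolicy is "Always"
-imagePullPolicy: Always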
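--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind : ClusterPolicy
-metadata :
-name : validation-example2
-spec :
-rules:
-- name: check-memory_requests_link_in_yaml
-match:
-resources:
-# Kind specifies one or more resource types to match
-kinds:
-- Deployment
-# Name is optional and can use wildcards
-name: "*"
-# Selector is optional
-selector:
-validate:
-pattern:
-spec:
-containers:
-- name: "*"
-resources:
-requests:
-memory: "$(<=/spec/containers/0/resources/limits/memory)"
-limits:
-memory: "2048Mi"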
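--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind : ClusterPolicy
-metadata :
-name : validation-example2
-spec :
-rules:
-- name: check-memory_requests_link_in_yaml_relative
-match:
-resources:
-# Kind specifies one or more resource types to match
-kinds:
-- Deployment
-# Name is optional and can use wildcards
-name: "*"
-# Selector is optional
-selector:
-validate:
-pattern:
-spec:
-containers:
-- (name): "*"
-resources:
-requests:
-memory: "$(<=./../../lim(its/mem)ory)"
-lim(its:
-mem)ory: "2048Mi"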
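--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-name: check-node-port
-spec:
-rules:
-- name: check-node-port
-match:
-resources:
-kinds:
-- Service
-validate:
-message: "NodePort type is not allowed"
-pattern:
-spec:
-type: "!NodePort"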
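--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind : ClusterPolicy
-metadata :
-name : check-non-root
-spec :
-rules:
-- name: check-non-root
-match:
-resources:
-kinds:
-- Deployment
-- StatefuleSet
-- DaemonSet
-validate:
-message: "Root user is not allowed"
-pattern:
-spec:
-template:
-spec:
-securityContext:
-runAsNonRoot: true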
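--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind : ClusterPolicy
-metadata :
-name: check-probe-exists
-spec:
-rules:
-- name: check-liveness-probe-exists
-match:
-resources:
-kinds :
-- StatefulSet
-validate:
-message: "a livenessProbe is required"
-pattern:
-spec:
-template:
-spec:
-containers:
-- name: "*"
-livenessProbe:
-periodSeconds: ">0"
-- name: check-readiness-probe-exists
-match:
-resources:
-kinds :
-- StatefulSet
-validate:
-message: "a readinessProbe is required"
-pattern:
-spec:
-template:
-spec:
-containers:
-- name: "*"
-readinessProbe:
-periodSeconds: ">0"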
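--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,36 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind : ClusterPolicy
-metadata :
-name: check-probe-intervals
-spec:
-rules:
-- name: check-probe-intervals
-match:
-resources:
-kinds :
-- Deployment
-validate:
-message: "livenessProbe must be > 10s"
-pattern:
-spec:
-template:
-spec:
-containers:
-- name: "*"
-livenessProbe:
-periodSeconds: ">10"
-- name: check-probe-intervals
-match:
-resources:
-kinds :
-- Deployment
-validate:
-message: "readinessProbe must be > 10s"
-pattern:
-spec:
-template:
-spec:
-containers:
-- name: "*"
-readinessProbe:
-periodSeconds: ">10"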
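--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion : kyverno.io/v1alpha1
-kind: ClusterPolicy
-metadata:
-name: check-registries
-spec:
-rules:
-- name: check-registries
-match:
-resources:
-kinds:
-- Deployment
-- StatefulSet
-validate:
-message: "Registry is not allowed"
-pattern:
-spec:
-template:
-spec:
-containers:
-- name: "*"
-# Check allowed registries
-image: "*/nirmata/* | https://private.registry.io/*"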