mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Merge branch '26-PolicyUseCasesForTesting' into develop

Browse source
This commit is contained in:
Jim Bugwadia 2019-05-21 09:15:13 -07:00
commit c057a74066
70 changed files with 791 additions and 481 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
examples/ConfigMap/policy-ConfigMap.yaml
View file

@ -1,20 +0,0 @@
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata :
name: policy-configmap-test
spec:
rules:
- name: "Policy ConfigMap sample rule"
resource:
kind : ConfigMap
name: "game-config"
mutate:
patches:
- path: "/data/newKey"
op: add
value: newValue
- path: "/data/secretData"
op: remove
- path: "/data/secretDatatoreplace"
op: replace
value: "data is replaced"

21
examples/CronJob/cronjob.yaml
View file

@ -1,21 +0,0 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello
labels :
label : "original"
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: hello
image: busybox
args:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
restartPolicy: OnFailure

20
examples/CronJob/policy-CronJob.yaml
View file

@ -1,20 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-cronjob
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : CronJob
name: "hello"
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/schedule"
op : replace
value : "* */1 * * *"

21
examples/DaemonSet/policy-ds.yaml
View file

@ -1,21 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-daemonset
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : DaemonSet
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/template/spec/containers/0/image"
op : replace
value: "k8s.gcr.io/fluentd-elasticsearch:latest"

34
examples/Deployment/ghost-deployment.yaml
View file

@ -1,34 +0,0 @@
kind: "Deployment"
apiVersion: "extensions/v1beta1"
metadata:
name: "ghost"
labels:
nirmata.io/deployment.name: "ghost"
nirmata.io/application.name: "ghost"
nirmata.io/component: "ghost"
spec:
replicas: 1
revisionHistoryLimit: 5
selector:
matchLabels:
nirmata.io/application.name: "ghost"
nirmata.io/component: "ghost"
strategy:
type: "RollingUpdate"
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
template:
metadata:
labels:
nirmata.io/deployment.name: "ghost"
nirmata.io/application.name: "ghost"
nirmata.io/component: "ghost"
spec:
containers:
- name: "ghost"
image: "ghost:2.9.1-alpine"
ports:
- containerPort: 8080
protocol: "TCP"

24
examples/Deployment/policy-deployment-ghost.yaml
View file

@ -1,24 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-deployment-ghost
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Deployment
selector :
matchLabels :
nirmata.io/deployment.name: "ghost"
patch:
- path: /metadata/labels/isMutated
op: add
value: "true"
- path: "/spec/strategy/rollingUpdate/maxSurge"
op: add
value: 5
- path: "/spec/template/spec/containers/0/ports/0"
op: replace
value:
containerPort: 2368
protocol: TCP

20
examples/Deployment/policy-deployment.yaml
View file

@ -1,20 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-deployment
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Deployment
name: nginx-deployment
patch:
- path: /metadata/labels/isMutated
op: add
value: "true"
- path: /metadata/labels/app
op: replace
value: "nginx_is_mutated"

25
examples/Endpoints/policy-endpoints.yaml
View file

@ -1,25 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-endpoints
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Endpoints
selector:
matchLabels:
label : test
patch:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
- path : "/subsets/0"
op: add
value:
addresses:
- ip: "192.168.10.171"
ports:
- name: load-balancer-connection
port: 80
protocol: UDP

20
examples/HorizontalPodAutoscaler/policy-hpa.yaml
View file

@ -1,20 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-hpa
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : HorizontalPodAutoscaler
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels"
op: add
value:
isMutated: "true"
- op: replace
path: "/spec/metrics/1/resource/targetAverageValue"
value: "959Mi"

19
examples/Ingress/policy-ingess.yaml
View file

@ -1,19 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-ingress
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Ingress
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/rules/0/http/paths/0/path"
op : replace
value: "/mutatedpath"

17
examples/Job/policy-job.yaml
View file

@ -1,17 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-job-perl-bigint
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Job
name: pi
patch:
- path : "/spec/template/spec/containers/0/command"
op : add
value: [ "-Mbignum=bpi", "-wle", "print bpi(2000)" ]
- path : "/spec/backoffLimit"
op: add
value: 10

16
examples/LimitRange/policy-limitrange.yaml
View file

@ -1,16 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-limitrange
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : LimitRange
selector:
matchLabels:
containerSize: minimal
patch:
- path : "/spec/limits/0/default/memory"
op : replace
value: "384Mi"

8
examples/Namespace/namespace.yaml
View file

@ -1,8 +0,0 @@
kind: Namespace
apiVersion: v1
metadata:
name: "namespace-not-modified"
labels:
LabelForSelector : "namespace"
replaced : "no"

25
examples/Namespace/policy-namespace-by-name.yaml
View file

@ -1,25 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-namespace
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Namespace
name : "namespace-not-modified"
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/name"
op: replace
value: "modified-namespace"

27
examples/Namespace/policy-namespace.yaml
View file

@ -1,27 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-namespace
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Namespace
selector:
matchLabels:
LabelForSelector : "namespace"
patch:
- path: "/metadata/labels/replaced"
op: add
value: "yes"
- path: "/metadata/name"
op: replace
value: "modified-namespace-name"

21
examples/NetworkPolicy/policy-networkpolicy.yaml
View file

@ -1,21 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-network-policy
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : NetworkPolicy
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/ingress/0/from/0/ipBlock/cidr"
op : replace
value: "172.17.128.0/17"

17
examples/PersistentVolumeClaim/policy-PVC.yaml
View file

@ -1,17 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-pvc
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : PersistentVolumeClaim
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/resources/requests/storage"
op : replace
value: "6Gi"

17
examples/PodDisruptionBudget/policy-pdb.yaml
View file

@ -1,17 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-pdb
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : PodDisruptionBudget
name: "game-pdb"
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/minAvailable"
op : replace
value: "5%"

21
examples/PodTemplate/policy-PodTemplate.yaml
View file

@ -1,21 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : test-podtemplate
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : PodTemplate
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/app"
op : replace
value : mutedApp
- path: "/template/spec/containers/0/name"
op : replace
value : my-mutated-app
- path: "/metadata/labels/originalLabel"
op : remove

24
examples/StatefulSet/policy-StatefulSet.yaml
View file

@ -1,24 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-statefulset
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : StatefulSet
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/spec/template/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/metadata/labels/originalLabel"
op : remove
- path : "/spec/serviceName"
op : replace
value : "not-a-nginx"

36
examples/Validate/check_cpu_memory.yaml Normal file
View file

@ -0,0 +1,36 @@
apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-cpu-memory
spec:
rules:
- name: check-defined
resource:
kind: Deployment
validate:
message: "Resource requests and limits are required for CPU and memory"
pattern:
spec:
containers:
- name: "*"
resources:
limits:
memory: "?"
cpu: "?"
requests:
memory: "?"
cpu: "?"
- name: check-memory-in-range
resource:
kind: Deployment
validate:
message: "Memory request cannot be greater than 10Gi"
pattern:
spec:
containers:
- name: "*"
resources:
requests:
# If the value contains logical operator, the integer after it will be checked. No numeric characters will be a part of pattern.
# The OR operator can combine the patterns with logical expressions and text patterns.
memory: "<10Gi|<1024Mi"

15
examples/Validate/check_hostpath.yaml Normal file
View file

@ -0,0 +1,15 @@
apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-host-path
spec:
rules:
- name: check-host-path
resource:
kind: Pod
validate:
message: "Host path volumes are not allowed"
pattern:
volumes:
- name: "*"
hostPath: null

16
examples/Validate/check_image_version.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: image-pull-policy
spec:
rules:
- name: image-pull-policy
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
resource:
kind: Deployment
overlay:
template:
spec:
containers:
- image: "(*:latest)" # select images which end with :latest
imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always"

14
examples/Validate/check_nodeport.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-host-path
spec:
rules:
- name: check-host-path
resource:
kind: Service
validate:
message: "Node port services are not allowed"
pattern:
spec:
type: "!NodePort"

28
examples/Validate/check_probe_exists.yaml Normal file
View file

@ -0,0 +1,28 @@
apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-probe-exists
spec:
rules:
- name: check-liveness-probe-exists
resource:
kind: StatefulSet
validate:
message: "a livenessProbe is required"
pattern:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: ?
- resource:
kind: Deployment
name: check-readiness-probe-exists
validate:
message: "a readinessProbe is required"
pattern:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ?

27
examples/Validate/check_probe_intervals.yaml Normal file
View file

@ -0,0 +1,27 @@
apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-probe-intervals
spec:
rules:
- name: check-probe-intervals
resource:
kind: Deployment
validate:
message: "livenessProbe must be > 10s"
pattern:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: ">10"
- resource:
kind: Deployment
validate:
pattern:
message: "readinessProbe must be > 10s"
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ">10"

18
examples/Validate/check_whitelist_registries.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: check-whitelist-registries
spec:
rules:
- name: check-whitelist-registries
message: "Registry is not allowed"
resource:
kind: Deployment
validate:
pattern:
template:
spec:
containers:
# Checks if the image path starts with "https://private.registry.io" OR "https://hub.docker.io/nirmata/*"
# If some property contains operator | as a normal part of its value, it should be escaped by backslash: "\|".
image: https://private.registry.io* | https://hub.docker.io/nirmata/*

0
examples/ConfigMap/configMap.yaml → test/ConfigMap/CM.yaml
View file

49
test/ConfigMap/policy-CM.yaml Normal file
View file

@ -0,0 +1,49 @@
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-cm
spec :
rules:
- name: pCM1
resource:
kind : ConfigMap
name: "game-config"
mutate:
patches:
- path : "/data/newKey"
op : add
value : newValue
- name: pCM2
resource:
kind : ConfigMap
name: "game-config"
mutate:
patches:
- path : "/data/secretData"
op : remove
- path : "/data/secretDatatoreplace"
op : replace
value : "data is replaced"
- name: pCM3
resource:
kind : ConfigMap
name: "game-config"
mutate:
patches:
- path : "/data/secretData"
op : add
value : newData
validate:
message: "There is only one enemy"
pattern:
data:
game.properties: "*enemies=aliens*"
- name: pCM4
resource:
kind : ConfigMap
name: "game-config"
validate:
message: "This CM data is broken because it does not have ui.properties"
pattern:
data:
ui.properties: "*"

0
examples/ConfigMapGenerator-SecretGenerator/configMap.yaml → test/ConfigMapGenerator-SecretGenerator/configMap.yaml
View file

0
examples/ConfigMapGenerator-SecretGenerator/namespace.yaml → test/ConfigMapGenerator-SecretGenerator/namespace.yaml
View file

0
examples/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml → test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml
View file

0
examples/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml → test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml
View file

0
examples/ConfigMapGenerator-SecretGenerator/secrets.yaml → test/ConfigMapGenerator-SecretGenerator/secrets.yaml
View file

62
test/CronJob/cronjobs.yaml Normal file
View file

@ -0,0 +1,62 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello
labels :
label : "original"
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: hello
image: busybox
args:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
restartPolicy: OnFailure
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hellow
labels :
label : "original"
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: 12hello
image: busybox
args:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
restartPolicy: OnFailure
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello23
labels:
label: "original"
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: hel32lo
image: busybox
args:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
restartPolicy: OnFailure

37
test/CronJob/policy-cronjob-wldcrd.yaml Normal file
View file

@ -0,0 +1,37 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-cronjob
spec:
rules:
- name:
resource:
kind : CronJob
name: "?ell*"
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/schedule"
op : replace
value : "* */1 * * *"
- path: "/metadata/labels/label"
op: add
value: "not_original"
- path: "/metadata/labels/label234e3"
op: remove
validate:
message: "This resource is broken"
pattern:
metadata:
labels:
label: "not_original"
spec:
jobTemplate:
spec:
template:
spec:
containers:
- name: "h*"
image: busybox

2
examples/DaemonSet/DaemonSet.yaml → test/DaemonSet/DaemonSet.yaml
View file

@ -40,4 +40,4 @@ spec:
path: /var/log
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers
path: /var/lib/docker/containers

27
test/DaemonSet/policy-daemonset.yaml Normal file
View file

@ -0,0 +1,27 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-daemonset
spec:
rules:
- name: "Patch and Volume validation"
resource:
kind: DaemonSet
name: fluentd-elasticsearch
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
validate:
message: "This daemonset is broken"
pattern:
spec:
template:
spec:
containers:
volumeMounts:
- name: varlibdockercontainers
readOnly: false

0
examples/Deployment/nginx-deployment.yaml → test/Deployment/nginx-deployment.yaml
View file

25
test/Deployment/policy-deployment-any.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-deployment
spec :
rules:
- name: "First policy v2"
resource:
kind : Deployment
name: nginx-*
mutate:
patches:
- path: /metadata/labels/isMutated
op: add
value: "true"
- path: /metadata/labels/app
op: replace
value: "nginx_is_mutated"
validate:
message: "Because I like only mutated resources"
pattern:
metadata:
labels:
app: "*mutated"

2
examples/Endpoints/endpoints.yaml → test/Endpoint/endpoints.yaml
View file

@ -10,4 +10,4 @@ subsets:
ports:
- name: secure-connection
port: 443
protocol: TCP
protocol: TCP

32
test/Endpoint/policy-endpoints.yaml Normal file
View file

@ -0,0 +1,32 @@
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-endpoints
spec :
rules:
- name:
resource:
kind : Endpoints
selector:
matchLabels:
label : test
mutate:
patches:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
- path : "/subsets/0"
op: add
value:
addresses:
- ip: "192.168.10.171"
ports:
- name: load-balancer-connection
port: 80
protocol: UDP
validate:
message: "This resource has wrong IP"
pattern:
subsets:
- addresses:
- ip: "192.168.10.171|192.168.10.172"

2
examples/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml → test/HorizontalPodAutoscaler/hpa.yaml
View file

@ -2,6 +2,8 @@ apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: wildfly-example
labels:
originalLabel: isHere
spec:
scaleTargetRef:
apiVersion: extensions/v1beta1

30
test/HorizontalPodAutoscaler/policy-hpa.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-hpa
spec :
rules:
- name: hpa1
resource:
kind : HorizontalPodAutoscaler
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- op: replace
path: "/spec/metrics/1/resource/targetAverageValue"
value: "959Mi"
validate:
message: "There is wrong resorce request or apiVersion"
pattern:
spec:
scaleTargetRef:
apiVersion: extensions/v1beta1
# metrics:
# - type: Resource
# resource:
# name: cpu|memory

0
examples/Ingress/ingress.yaml → test/Ingress/ingress.yaml
View file

30
test/Ingress/policy-ingress.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata :
name : policy-ingress
spec :
rules:
- name: ingress1
resource:
kind : Ingress
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/rules/0/http/paths/0/path"
op : replace
value: "/mutatedpath"
validate:
message: "Ingress allowed only for prod services"
pattern:
spec:
rules:
- http:
paths:
- path: "*"
backend:
serviceName: "*prod"

1
examples/Job/job.yaml → test/Job/job.yaml
View file

@ -11,4 +11,3 @@ spec:
command: ["perl"]
restartPolicy: Never
backoffLimit: 4

25
test/Job/policy-job.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-job-perl-bigint
spec :
rules:
- name: job1
resource:
kind: Job
name: pi
mutate:
patches:
- path : "/spec/template/spec/containers/0/command"
op : add
value: [ "-Mbignum=bpi", "-wle", "print bpi(2000)" ]
- path : "/spec/backoffLimit"
op: add
value: 10
validate:
message: "This job should not be restarted"
pattern:
spec:
template:
spec:
restartPolicy: Never

1
examples/LimitRange/limitrange.yaml → test/LimitRange/limitrange.yaml
View file

@ -8,6 +8,7 @@ spec:
limits:
- default:
memory: 512Mi
cpu: 10m
defaultRequest:
memory: 256Mi
type: Container

24
test/LimitRange/policy-limitrange.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-limitrange
spec :
rules:
- name:
resource:
kind : LimitRange
selector:
matchLabels:
containerSize: minimal
mutate:
patches:
- path : "/spec/limits/0/memory"
op : replace
value: "384Mi"
validate:
message: "The CPU value is incorrect"
pattern:
spec:
limits:
- default:
cpu: 9m

7
test/Namespace/namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
kind: Namespace
apiVersion: v1
metadata:
name: namespace-not-modified
labels:
LabelForSelector : "namespace"
replaced : "no"

21
test/Namespace/policy-namespace.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata :
name : policy-namespace
spec :
rules:
- name: ns1
resource:
kind : Namespace
selector:
matchLabels:
LabelForSelector : "namespace"
mutate:
patches:
- path: "/metadata/labels/replaced"
op: add
value: "yes"
- path: "/metadata/name"
op: replace
value: "modified-namespace"

0
examples/NetworkPolicy/networkpolicy.yaml → test/NetworkPolicy/networkpolicy.yaml
View file

29
test/NetworkPolicy/policy-network-policy.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-network-policy
spec:
rules:
- name: np1
resource:
kind : NetworkPolicy
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/ingress/0/from/0/ipBlock/cidr"
op : replace
value: "172.17.128.0/17"
validate:
message: "This network policy does not meet security criteria"
pattern:
spec:
ingress:
- from:
- ipBlock:
except:
- 172.17.129.0/24

0
examples/PersistentVolumeClaim/PVC.yaml → test/PersistentVolumeClaim/PVC.yaml
View file

24
test/PersistentVolumeClaim/policy-PVC.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-pvc
spec:
rules:
- name: pvc1
resource:
kind : PersistentVolumeClaim
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/resources/requests/storage"
op : replace
value: "6Gi"
validate:
message: "I don't like this pvc"
pattern:
spec:
accessModes:
- ReadWrite

0
examples/PodDisruptionBudget/pdb.yaml → test/PodDisruptionBudget/pdb.yaml
View file

25
test/PodDisruptionBudget/policy-pdb.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-pdb
spec:
rules:
- name: pdb1
resource:
kind : PodDisruptionBudget
name: "game-pdb"
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/minAvailable"
op : replace
value: "5%"
validate:
message: "This PDB has the wrong selector"
pattern:
spec:
selector:
matchLabels:
app: "zoo*"

12
examples/PodTemplate/PodTemplate.yaml → test/PodTemplate/PodTemplate.yaml
View file

@ -1,16 +1,16 @@
apiVersion: v1
kind: PodTemplate
metadata:
metadata:
name: nginx-test
labels:
labels:
app: nginx
originalLabel: isHere
template:
spec:
containers:
template:
spec:
containers:
- name: redis
image: redis
ports:
ports:
- containerPort: 80
protocol: TCP
restartPolicy: Always

32
test/PodTemplate/policy-PodTemplate.yaml Normal file
View file

@ -0,0 +1,32 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: test-podtemplate
spec:
rules:
- name: podtemplate1
resource:
kind : PodTemplate
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/app"
op : replace
value : mutedApp
- path: "/template/spec/containers/0/name"
op : replace
value : mongodb
- path: "/template/spec/containers/0/image"
op : replace
value : mongodb
validate:
message: "Port 80 is not for redis"
pattern:
template:
spec:
containers:
- name: "!redis"
ports:
- containerPort: 80

47
examples/README.md → test/README.md
View file

@ -29,37 +29,38 @@ test-endpoint 192.168.10.171:443 6s
```
We just created an endpoints resource and made sure that it was created without changes. Let's remove it now and try to create it again, but with an active policy for endpoints resources.
```
> kubectl delete -f test/endpoints.yaml
> kubectl delete -f test/endpoints.yaml
endpoints "test-endpoint" deleted
```
We have this a policy for enpoints (`examples/Endpoints/policy-endpoint.yaml`):
```
apiVersion : policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-endpoints
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Endpoints
selector:
matchLabels:
label : test
patch:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
- path : "/subsets/0"
op: add
value:
addresses:
- ip: "192.168.10.171"
ports:
- name: additional-connection
port: 80
protocol: UDP
- name:
resource:
kind : Endpoints
selector:
matchLabels:
label : test
mutate:
patches:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
- path : "/subsets/0"
op: add
value:
addresses:
- ip: "192.168.10.171"
ports:
- name: load-balancer-connection
port: 80
protocol: UDP
```
This policy does 2 patches:
@ -68,9 +69,9 @@ This policy does 2 patches:
Let's apply this policy and create the endpoints again to see the changes:
```
> kubectl create -f examples/Endpoints/policy-endpoints.yaml
> kubectl create -f examples/Endpoints/policy-endpoints.yaml
policy.policy.nirmata.io/policy-endpoints created
> kubectl create -f examples/Endpoints/endpoints.yaml
> kubectl create -f examples/Endpoints/endpoints.yaml
endpoints/test-endpoint created
> kubectl get -f examples/Endpoints/endpoints.yaml
NAME ENDPOINTS AGE

42
test/ResourceQuota/policy-quota-validation.yaml Normal file
View file

@ -0,0 +1,42 @@
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-quota-low-test-validation
spec :
rules:
- name:
resource:
kind : ResourceQuota
selector:
matchLabels:
quota: low
validate:
message: "This RQ requests too many RAM"
pattern:
spec:
hard:
memory: "8Gi|12Gi"
- name:
resource:
kind : ResourceQuota
selector:
matchLabels:
quota: low
validate:
message: "This RQ requests too many CPUs"
pattern:
spec:
hard:
cpu: <3
- name:
resource:
kind : ResourceQuota
selector:
matchLabels:
quota: low
validate:
message: "This RQ requests too many PODs"
pattern:
spec:
hard:
pods: 1|2|3|4

16
examples/ResourceQuota/policy-quota.yaml → test/ResourceQuota/policy-quota.yaml
View file

@ -1,19 +1,20 @@
apiVersion : policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-quota-low-test
spec :
failurePolicy: stopOnError
rules:
- resource:
- name:
resource:
kind : ResourceQuota
selector:
matchLabels:
quota: low
patch:
mutate:
patches:
- path : "/spec/scopeSelector/matchExpressions/1"
op : add
value :
value :
operator : In
scopeName: PriorityClass
values: ["low-medium"]
@ -25,4 +26,7 @@ spec :
"pods": "10",
"limits.memory": "12Gi",
"requests.nvidia.com/gpu": "8"
}
}
- path : "/metadata/labels/quota-soft"
op : replace
value : replaced

0
examples/ResourceQuota/quota.yaml → test/ResourceQuota/quota.yaml
View file

21
examples/Secrets/policy-secrets.yaml → test/Secret/policy-secret.yaml
View file

@ -1,14 +1,15 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-secrets
spec :
failurePolicy: stopOnError
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-secrets
spec:
rules:
- resource:
- name: secret1
resource:
kind : Secret
name: "mysecret"
patch:
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
@ -20,3 +21,7 @@ spec :
- path : "/data/password"
op : replace
value : "Y29tcHJvbWlzZWQK"
validate:
message: "This type of secrets does not meet security criteria"
pattern:
type: "Opaque"

4
examples/Secrets/secrets.yaml → test/Secret/secret.yaml
View file

@ -7,5 +7,5 @@ metadata:
type: Opaque
data:
username: QXByaW9yaXQK
password: cXVlc3QxIQo=
username: TmlybWF0YQ==
password: aXNDb29s

20
examples/Services/policy-Service.yaml → test/Service/policy-service.yaml
View file

@ -1,14 +1,15 @@
apiVersion : policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-service
spec :
failurePolicy: stopOnError
rules:
- resource:
- name: ps1
resource:
kind: Service
name: game-service
patch:
name: "game-service*"
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
@ -20,4 +21,11 @@ spec :
- path: "/spec/selector/app"
op: replace
value: "mutedApp"
validate:
message: "This service has wrong port"
pattern:
spec:
ports:
- name: "http"
protocol: TCP
port: 80|8080

2
examples/Services/Services.yaml → test/Service/service.yaml
View file

@ -4,14 +4,12 @@ metadata:
name: game-service
labels:
originalLabel : isHere
secretLabel : thisIsMySecret
spec:
selector:
app: MyApp
ports:
- name: http
protocol: TCP
port: 80
targetPort: 9376

13
examples/StatefulSet/StatefulSet.yaml → test/StatefulSet/StatefulSet.yaml
View file

@ -2,32 +2,29 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
name: game-web
labels:
originalLabel : isHere
spec:
selector:
matchLabels:
app: nginx-but-no # has to match .spec.template.metadata.labels
serviceName: "nginx-but-no"
app: nginxo # has to match .spec.template.metadata.labels
serviceName: "nginxo"
replicas: 3 # by default is 1
template:
metadata:
labels:
app: nginx-but-no # has to match .spec.selector.matchLabels
app: nginxo # has to match .spec.selector.matchLabels
spec:
terminationGracePeriodSeconds: 10
containers:
- name: nginx-but-no
- name: nginxo
image: k8s.gcr.io/nginx-but-no-slim:0.8
ports:
- containerPort: 8780
name: webp
volumeMounts:
- name: www
mountPath: /usr/share/nginx-but-no/html
mountPath: /usr/share/nginxo/html
volumeClaimTemplates:
- metadata:
name: www

37
test/StatefulSet/policy-StatefulSet.yaml Normal file
View file

@ -0,0 +1,37 @@
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-statefulset
spec:
rules:
- name: statefulset1
resource:
kind : StatefulSet
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/spec/template/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/metadata/labels/originalLabel"
op : remove
- path : "/spec/serviceName"
op : replace
value : "not-a-nginx"
validate:
message: "This SS is broken"
pattern:
spec:
replicas: ">20"
volumeClaimTemplates:
- metadata:
name: www
spec:
resources:
requests:
storage: "<50Gi"