From 092fa3aa0a1a63d5c14f6330db567234aacec262 Mon Sep 17 00:00:00 2001 
From: Jim Bugwadia Date: Fri, 17 May 2019 14:18:10 -0700 Subject: [PATCH 1/4] - move prior examples to 'test' and add new validation examples --- examples/Validate/check_cpu_memory.yaml | 36 +++++++++++++++++++ examples/Validate/check_hostpath.yaml | 15 ++++++++ examples/Validate/check_image_version.yaml | 17 +++++++++ examples/Validate/check_nodeport.yaml | 14 ++++++++ examples/Validate/check_probe_exists.yaml | 28 +++++++++++++++ examples/Validate/check_probe_intervals.yaml | 27 ++++++++++++++ .../Validate/check_whitelist_registries.yaml | 18 ++++++++++ {examples => test}/ConfigMap/configMap.yaml | 0 .../ConfigMap/policy-ConfigMap.yaml | 0 .../configMap.yaml | 0 .../namespace.yaml | 0 .../policy-cm-test.yaml | 0 .../policy-namespace-patch-cmgCG-sgCG.yaml | 0 .../secrets.yaml | 0 {examples => test}/CronJob/cronjob.yaml | 0 .../CronJob/policy-CronJob.yaml | 0 {examples => test}/DaemonSet/DaemonSet.yaml | 0 {examples => test}/DaemonSet/policy-ds.yaml | 0 .../Deployment/ghost-deployment.yaml | 0 .../Deployment/nginx-deployment.yaml | 0 .../Deployment/policy-deployment-ghost.yaml | 0 .../Deployment/policy-deployment.yaml | 0 {examples => test}/Endpoints/endpoints.yaml | 0 .../Endpoints/policy-endpoints.yaml | 0 .../HorizontalPodAutoscaler.yaml | 0 .../HorizontalPodAutoscaler/policy-hpa.yaml | 0 {examples => test}/Ingress/ingress.yaml | 0 {examples => test}/Ingress/policy-ingess.yaml | 0 {examples => test}/Job/job.yaml | 0 {examples => test}/Job/policy-job.yaml | 0 {examples => test}/LimitRange/limitrange.yaml | 0 .../LimitRange/policy-limitrange.yaml | 0 {examples => test}/Namespace/namespace.yaml | 0 .../Namespace/policy-namespace-by-name.yaml | 0 .../Namespace/policy-namespace.yaml | 0 .../NetworkPolicy/networkpolicy.yaml | 0 .../NetworkPolicy/policy-networkpolicy.yaml | 0 .../PersistentVolumeClaim/PVC.yaml | 0 .../PersistentVolumeClaim/policy-PVC.yaml | 0 .../PodDisruptionBudget/pdb.yaml | 0 .../PodDisruptionBudget/policy-pdb.yaml | 0 
.../PodTemplate/PodTemplate.yaml | 0 .../PodTemplate/policy-PodTemplate.yaml | 0 {examples => test}/README.md | 0 .../ResourceQuota/policy-quota.yaml | 0 {examples => test}/ResourceQuota/quota.yaml | 0 .../Secrets/policy-secrets.yaml | 0 {examples => test}/Secrets/secrets.yaml | 0 {examples => test}/Services/Services.yaml | 0 .../Services/policy-Service.yaml | 0 .../StatefulSet/StatefulSet.yaml | 0 .../StatefulSet/policy-StatefulSet.yaml | 0 52 files changed, 155 insertions(+) create mode 100644 examples/Validate/check_cpu_memory.yaml create mode 100644 examples/Validate/check_hostpath.yaml create mode 100644 examples/Validate/check_image_version.yaml create mode 100644 examples/Validate/check_nodeport.yaml create mode 100644 examples/Validate/check_probe_exists.yaml create mode 100644 examples/Validate/check_probe_intervals.yaml create mode 100644 examples/Validate/check_whitelist_registries.yaml rename {examples => test}/ConfigMap/configMap.yaml (100%) rename {examples => test}/ConfigMap/policy-ConfigMap.yaml (100%) rename {examples => test}/ConfigMapGenerator-SecretGenerator/configMap.yaml (100%) rename {examples => test}/ConfigMapGenerator-SecretGenerator/namespace.yaml (100%) rename {examples => test}/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml (100%) rename {examples => test}/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml (100%) rename {examples => test}/ConfigMapGenerator-SecretGenerator/secrets.yaml (100%) rename {examples => test}/CronJob/cronjob.yaml (100%) rename {examples => test}/CronJob/policy-CronJob.yaml (100%) rename {examples => test}/DaemonSet/DaemonSet.yaml (100%) rename {examples => test}/DaemonSet/policy-ds.yaml (100%) rename {examples => test}/Deployment/ghost-deployment.yaml (100%) rename {examples => test}/Deployment/nginx-deployment.yaml (100%) rename {examples => test}/Deployment/policy-deployment-ghost.yaml (100%) rename {examples => test}/Deployment/policy-deployment.yaml (100%) rename {examples => 
test}/Endpoints/endpoints.yaml (100%) rename {examples => test}/Endpoints/policy-endpoints.yaml (100%) rename {examples => test}/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml (100%) rename {examples => test}/HorizontalPodAutoscaler/policy-hpa.yaml (100%) rename {examples => test}/Ingress/ingress.yaml (100%) rename {examples => test}/Ingress/policy-ingess.yaml (100%) rename {examples => test}/Job/job.yaml (100%) rename {examples => test}/Job/policy-job.yaml (100%) rename {examples => test}/LimitRange/limitrange.yaml (100%) rename {examples => test}/LimitRange/policy-limitrange.yaml (100%) rename {examples => test}/Namespace/namespace.yaml (100%) rename {examples => test}/Namespace/policy-namespace-by-name.yaml (100%) rename {examples => test}/Namespace/policy-namespace.yaml (100%) rename {examples => test}/NetworkPolicy/networkpolicy.yaml (100%) rename {examples => test}/NetworkPolicy/policy-networkpolicy.yaml (100%) rename {examples => test}/PersistentVolumeClaim/PVC.yaml (100%) rename {examples => test}/PersistentVolumeClaim/policy-PVC.yaml (100%) rename {examples => test}/PodDisruptionBudget/pdb.yaml (100%) rename {examples => test}/PodDisruptionBudget/policy-pdb.yaml (100%) rename {examples => test}/PodTemplate/PodTemplate.yaml (100%) rename {examples => test}/PodTemplate/policy-PodTemplate.yaml (100%) rename {examples => test}/README.md (100%) rename {examples => test}/ResourceQuota/policy-quota.yaml (100%) rename {examples => test}/ResourceQuota/quota.yaml (100%) rename {examples => test}/Secrets/policy-secrets.yaml (100%) rename {examples => test}/Secrets/secrets.yaml (100%) rename {examples => test}/Services/Services.yaml (100%) rename {examples => test}/Services/policy-Service.yaml (100%) rename {examples => test}/StatefulSet/StatefulSet.yaml (100%) rename {examples => test}/StatefulSet/policy-StatefulSet.yaml (100%) 
diff --git a/examples/Validate/check_cpu_memory.yaml b/examples/Validate/check_cpu_memory.yaml
new file mode 100644
index 0000000000..61ab1d2b70
--- /dev/null
+++ b/examples/Validate/check_cpu_memory.yaml
@@ -0,0 +1,36 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-cpu-memory
+spec:
+ rules:
+ - name: check-defined
+ resource:
+ kind: Deployment
+ validate:
+ message: "Resource requests and limits are required for CPU and memory"
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ resources:
+ limits:
+ memory: "?"
+ cpu: "?"
+ requests:
+ memory: "?"
+ cpu: "?"
+ - name: check-memory-in-range
+ resource:
+ kind: Deployment
+ validate:
+ message: "Memory request cannot be greater than 10Gi"
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ resources:
+ requests:
+ # If the value contains logical operator, the integer after it will be checked. No numeric characters will be a part of pattern.
+ # The OR operator can combine the patterns with logical expressions and text patterns.
+ memory: "<10Gi|<1024Mi"
\ No newline at end of file
diff --git a/examples/Validate/check_hostpath.yaml b/examples/Validate/check_hostpath.yaml
new file mode 100644
index 0000000000..8ebe1d7817
--- /dev/null
+++ b/examples/Validate/check_hostpath.yaml
@@ -0,0 +1,15 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-host-path
+spec:
+ rules:
+ - name: check-host-path
+ resource:
+ kind: Pod
+ validate:
+ message: "Host path volumes are not allowed"
+ pattern:
+ volumes:
+ - name: "*"
+ hostPath: null
diff --git a/examples/Validate/check_image_version.yaml b/examples/Validate/check_image_version.yaml
new file mode 100644
index 0000000000..a9cc32d05d
--- /dev/null
+++ b/examples/Validate/check_image_version.yaml
@@ -0,0 +1,17 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: whitelist-registries
+spec:
+ rules:
+ - name: check-whitelist-registries
+ message: "Registry is not allowed"
+ resource:
+ kind: Deployment
+ validate:
+ pattern:
+ template:
+ spec:
+ containers:
+ - image: "(*:latest)" # select images which end with :latest
+ imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always"
\ No newline at end of file
diff --git a/examples/Validate/check_nodeport.yaml b/examples/Validate/check_nodeport.yaml
new file mode 100644
index 0000000000..1a5fd25c05
--- /dev/null
+++ b/examples/Validate/check_nodeport.yaml
@@ -0,0 +1,14 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-host-path
+spec:
+ rules:
+ - name: check-host-path
+ resource:
+ kind: Service
+ validate:
+ message: "Node port services are not allowed"
+ pattern:
+ spec:
+ type: "!NodePort"
\ No newline at end of file
diff --git a/examples/Validate/check_probe_exists.yaml b/examples/Validate/check_probe_exists.yaml
new file mode 100644
index 0000000000..d055455bf5
--- /dev/null
+++ b/examples/Validate/check_probe_exists.yaml
@@ -0,0 +1,28 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-probe-exists
+spec:
+ rules:
+ - name: check-liveness-probe-exists
+ resource:
+ kind: StatefulSet
+ validate:
+ message: "a livenessProbe is required"
+ pattern:
+ containers:
+ # In this case every object in containers list will be checked for pattern
+ - name: "*"
+ livenessProbe:
+ periodSeconds: ?
+ - resource:
+ kind: Deployment
+ name: check-readiness-probe-exists
+ validate:
+ message: "a readinessProbe is required"
+ pattern:
+ containers:
+ # In this case every object in containers list will be checked for pattern
+ - name: "*"
+ readinessProbe:
+ periodSeconds: ?
diff --git a/examples/Validate/check_probe_intervals.yaml b/examples/Validate/check_probe_intervals.yaml
new file mode 100644
index 0000000000..77bc50b9ce
--- /dev/null
+++ b/examples/Validate/check_probe_intervals.yaml
@@ -0,0 +1,27 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-probe-intervals
+spec:
+ rules:
+ - name: check-probe-intervals
+ resource:
+ kind: Deployment
+ validate:
+ message: "livenessProbe must be > 10s"
+ pattern:
+ containers:
+ # In this case every object in containers list will be checked for pattern
+ - name: "*"
+ livenessProbe:
+ periodSeconds: ">10"
+ - resource:
+ kind: Deployment
+ validate:
+ pattern:
+ message: "readinessProbe must be > 10s"
+ containers:
+ # In this case every object in containers list will be checked for pattern
+ - name: "*"
+ readinessProbe:
+ periodSeconds: ">10"
diff --git a/examples/Validate/check_whitelist_registries.yaml b/examples/Validate/check_whitelist_registries.yaml
new file mode 100644
index 0000000000..79aceab2e0
--- /dev/null
+++ b/examples/Validate/check_whitelist_registries.yaml
@@ -0,0 +1,18 @@
+apiVersion: policy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-whitelist-registries
+spec:
+ rules:
+ - name: check-whitelist-registries
+ message: "Registry is not allowed"
+ resource:
+ kind: Deployment
+ validate:
+ pattern:
+ template:
+ spec:
+ containers:
+ # Checks if the image path starts with "https://private.registry.io" OR "https://hub.docker.io/nirmata/*"
+ # If some property contains operator | as a normal part of its value, it should be escaped by backslash: "\|".
+ image: https://private.registry.io* | https://hub.docker.io/nirmata/*
diff --git a/examples/ConfigMap/configMap.yaml b/test/ConfigMap/configMap.yaml
similarity index 100%
rename from examples/ConfigMap/configMap.yaml
rename to test/ConfigMap/configMap.yaml
diff --git a/examples/ConfigMap/policy-ConfigMap.yaml b/test/ConfigMap/policy-ConfigMap.yaml
similarity index 100%
rename from examples/ConfigMap/policy-ConfigMap.yaml
rename to test/ConfigMap/policy-ConfigMap.yaml
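Review bot: Both rules' validate pattern starts at `spec: containers:`, but a Deployment keeps its containers under `spec.template.spec.containers`; the PATCH 3 policies later in this series (policy-job's `spec: template: spec: restartPolicy: Never`, policy-hpa's `spec: scaleTargetRef:`) match from the resource root, so as written these patterns never reach a container and, depending on how the engine treats an absent key, the rules either never fire or reject every Deployment. The same root problem is in check_hostpath.yaml (`volumes:` rather than `spec.volumes`), check_image_version.yaml and check_whitelist_registries.yaml (`template:` without the leading `spec:`) and check_probe_exists.yaml / check_probe_intervals.yaml (`containers:` at the root); since these are the examples people will copy for admission control, each pattern is worth running against a real manifest before merging. A short comment on the second rule, `# "<1024Mi" is already implied by "<10Gi"; kept only to illustrate the OR operator`, would keep readers from copying the redundant alternative as if it added a constraint.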
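Review bot: check_nodeport.yaml keeps `name: check-host-path` for both metadata.name and the rule name, copied from check_hostpath.yaml; two Policy objects cannot share a metadata.name, so applying both examples would leave only one of them in effect and the NodePort restriction could silently go missing. Change both to `name: check-nodeport`. It is also worth confirming that a Service that omits `spec.type` (which defaults to ClusterIP) passes `type: "!NodePort"` rather than being rejected for a missing key, since most manifests leave the field out.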
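Review bot: In check_probe_exists.yaml `periodSeconds: ?` is unquoted; in YAML a `?` followed by a line end is the explicit-key indicator, not the string `?`, so the parsed value is not the any-value anchor that check_cpu_memory.yaml spells as `"?"` — write `periodSeconds: "?"` in both rules. In the second rule `name: check-readiness-probe-exists` follows `resource: kind: Deployment`; indentation is not recoverable in this view, but if it is nested under `resource:` it selects a Deployment by that name instead of naming the rule, so check that it sits at rule level as in the first rule.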
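Review bot: In the second rule of check_probe_intervals.yaml `message: "readinessProbe must be > 10s"` appears after `pattern:` rather than directly under `validate:` as in the first rule; if it is nested inside the pattern, the engine would treat `message` as a required field of the Deployment and the rule could never pass. Move it to `validate: message: "readinessProbe must be > 10s"` above `pattern:`. The second rule also has no `name:` while the first does, so its failures would be reported without a rule name; `- name: check-readiness-probe-interval` would mirror the first rule.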
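Review bot: The allow-list pattern `https://private.registry.io* | https://hub.docker.io/nirmata/*` in check_whitelist_registries.yaml cannot match a container image reference, because the image field carries no scheme (a real value looks like `private.registry.io/team/app:1.2`, constructed example); with the message "Registry is not allowed" the rule would then reject every Deployment it reaches, or pass everything if absent keys are ignored. The first alternative is also unanchored: `private.registry.io*` with no `/` would accept an image from `private.registry.io.example.net/...` (constructed), so anchor the glob at the path separator, e.g. `image: "private.registry.io/* | docker.io/nirmata/*"`, bearing in mind the Docker Hub form depends on how the submitted image string is spelled since the engine compares the raw field. Under `containers:` the pattern gives `image:` with no `- ` list item, while check_image_version.yaml uses `- image:`, so the list entry is needed for the pattern to line up with the Pod spec. The top-level `message:` placement also differs from check_cpu_memory.yaml, where it sits under `validate:`.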
diff --git a/examples/ConfigMapGenerator-SecretGenerator/configMap.yaml b/test/ConfigMapGenerator-SecretGenerator/configMap.yaml similarity index 100% rename from examples/ConfigMapGenerator-SecretGenerator/configMap.yaml rename to test/ConfigMapGenerator-SecretGenerator/configMap.yaml diff --git a/examples/ConfigMapGenerator-SecretGenerator/namespace.yaml b/test/ConfigMapGenerator-SecretGenerator/namespace.yaml similarity index 100% rename from examples/ConfigMapGenerator-SecretGenerator/namespace.yaml rename to test/ConfigMapGenerator-SecretGenerator/namespace.yaml diff --git a/examples/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml b/test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml similarity index 100% rename from examples/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml rename to test/ConfigMapGenerator-SecretGenerator/policy-cm-test.yaml diff --git a/examples/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml b/test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml similarity index 100% rename from examples/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml rename to test/ConfigMapGenerator-SecretGenerator/policy-namespace-patch-cmgCG-sgCG.yaml diff --git a/examples/ConfigMapGenerator-SecretGenerator/secrets.yaml b/test/ConfigMapGenerator-SecretGenerator/secrets.yaml similarity index 100% rename from examples/ConfigMapGenerator-SecretGenerator/secrets.yaml rename to test/ConfigMapGenerator-SecretGenerator/secrets.yaml diff --git a/examples/CronJob/cronjob.yaml b/test/CronJob/cronjob.yaml similarity index 100% rename from examples/CronJob/cronjob.yaml rename to test/CronJob/cronjob.yaml diff --git a/examples/CronJob/policy-CronJob.yaml b/test/CronJob/policy-CronJob.yaml similarity index 100% rename from examples/CronJob/policy-CronJob.yaml rename to test/CronJob/policy-CronJob.yaml 
diff --git a/examples/DaemonSet/DaemonSet.yaml b/test/DaemonSet/DaemonSet.yaml similarity index 100% rename from examples/DaemonSet/DaemonSet.yaml rename to test/DaemonSet/DaemonSet.yaml diff --git a/examples/DaemonSet/policy-ds.yaml b/test/DaemonSet/policy-ds.yaml similarity index 100% rename from examples/DaemonSet/policy-ds.yaml rename to test/DaemonSet/policy-ds.yaml diff --git a/examples/Deployment/ghost-deployment.yaml b/test/Deployment/ghost-deployment.yaml similarity index 100% rename from examples/Deployment/ghost-deployment.yaml rename to test/Deployment/ghost-deployment.yaml diff --git a/examples/Deployment/nginx-deployment.yaml b/test/Deployment/nginx-deployment.yaml similarity index 100% rename from examples/Deployment/nginx-deployment.yaml rename to test/Deployment/nginx-deployment.yaml diff --git a/examples/Deployment/policy-deployment-ghost.yaml b/test/Deployment/policy-deployment-ghost.yaml similarity index 100% rename from examples/Deployment/policy-deployment-ghost.yaml rename to test/Deployment/policy-deployment-ghost.yaml diff --git a/examples/Deployment/policy-deployment.yaml b/test/Deployment/policy-deployment.yaml similarity index 100% rename from examples/Deployment/policy-deployment.yaml rename to test/Deployment/policy-deployment.yaml diff --git a/examples/Endpoints/endpoints.yaml b/test/Endpoints/endpoints.yaml similarity index 100% rename from examples/Endpoints/endpoints.yaml rename to test/Endpoints/endpoints.yaml diff --git a/examples/Endpoints/policy-endpoints.yaml b/test/Endpoints/policy-endpoints.yaml similarity index 100% rename from examples/Endpoints/policy-endpoints.yaml rename to test/Endpoints/policy-endpoints.yaml diff --git a/examples/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml b/test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml similarity index 100% rename from examples/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml rename to test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml 
diff --git a/examples/HorizontalPodAutoscaler/policy-hpa.yaml b/test/HorizontalPodAutoscaler/policy-hpa.yaml similarity index 100% rename from examples/HorizontalPodAutoscaler/policy-hpa.yaml rename to test/HorizontalPodAutoscaler/policy-hpa.yaml diff --git a/examples/Ingress/ingress.yaml b/test/Ingress/ingress.yaml similarity index 100% rename from examples/Ingress/ingress.yaml rename to test/Ingress/ingress.yaml diff --git a/examples/Ingress/policy-ingess.yaml b/test/Ingress/policy-ingess.yaml similarity index 100% rename from examples/Ingress/policy-ingess.yaml rename to test/Ingress/policy-ingess.yaml diff --git a/examples/Job/job.yaml b/test/Job/job.yaml similarity index 100% rename from examples/Job/job.yaml rename to test/Job/job.yaml diff --git a/examples/Job/policy-job.yaml b/test/Job/policy-job.yaml similarity index 100% rename from examples/Job/policy-job.yaml rename to test/Job/policy-job.yaml diff --git a/examples/LimitRange/limitrange.yaml b/test/LimitRange/limitrange.yaml similarity index 100% rename from examples/LimitRange/limitrange.yaml rename to test/LimitRange/limitrange.yaml diff --git a/examples/LimitRange/policy-limitrange.yaml b/test/LimitRange/policy-limitrange.yaml similarity index 100% rename from examples/LimitRange/policy-limitrange.yaml rename to test/LimitRange/policy-limitrange.yaml diff --git a/examples/Namespace/namespace.yaml b/test/Namespace/namespace.yaml similarity index 100% rename from examples/Namespace/namespace.yaml rename to test/Namespace/namespace.yaml diff --git a/examples/Namespace/policy-namespace-by-name.yaml b/test/Namespace/policy-namespace-by-name.yaml similarity index 100% rename from examples/Namespace/policy-namespace-by-name.yaml rename to test/Namespace/policy-namespace-by-name.yaml diff --git a/examples/Namespace/policy-namespace.yaml b/test/Namespace/policy-namespace.yaml similarity index 100% rename from examples/Namespace/policy-namespace.yaml rename to test/Namespace/policy-namespace.yaml 
diff --git a/examples/NetworkPolicy/networkpolicy.yaml b/test/NetworkPolicy/networkpolicy.yaml similarity index 100% rename from examples/NetworkPolicy/networkpolicy.yaml rename to test/NetworkPolicy/networkpolicy.yaml diff --git a/examples/NetworkPolicy/policy-networkpolicy.yaml b/test/NetworkPolicy/policy-networkpolicy.yaml similarity index 100% rename from examples/NetworkPolicy/policy-networkpolicy.yaml rename to test/NetworkPolicy/policy-networkpolicy.yaml diff --git a/examples/PersistentVolumeClaim/PVC.yaml b/test/PersistentVolumeClaim/PVC.yaml similarity index 100% rename from examples/PersistentVolumeClaim/PVC.yaml rename to test/PersistentVolumeClaim/PVC.yaml diff --git a/examples/PersistentVolumeClaim/policy-PVC.yaml b/test/PersistentVolumeClaim/policy-PVC.yaml similarity index 100% rename from examples/PersistentVolumeClaim/policy-PVC.yaml rename to test/PersistentVolumeClaim/policy-PVC.yaml diff --git a/examples/PodDisruptionBudget/pdb.yaml b/test/PodDisruptionBudget/pdb.yaml similarity index 100% rename from examples/PodDisruptionBudget/pdb.yaml rename to test/PodDisruptionBudget/pdb.yaml diff --git a/examples/PodDisruptionBudget/policy-pdb.yaml b/test/PodDisruptionBudget/policy-pdb.yaml similarity index 100% rename from examples/PodDisruptionBudget/policy-pdb.yaml rename to test/PodDisruptionBudget/policy-pdb.yaml diff --git a/examples/PodTemplate/PodTemplate.yaml b/test/PodTemplate/PodTemplate.yaml similarity index 100% rename from examples/PodTemplate/PodTemplate.yaml rename to test/PodTemplate/PodTemplate.yaml diff --git a/examples/PodTemplate/policy-PodTemplate.yaml b/test/PodTemplate/policy-PodTemplate.yaml similarity index 100% rename from examples/PodTemplate/policy-PodTemplate.yaml rename to test/PodTemplate/policy-PodTemplate.yaml diff --git a/examples/README.md b/test/README.md similarity index 100% rename from examples/README.md rename to test/README.md 
diff --git a/examples/ResourceQuota/policy-quota.yaml b/test/ResourceQuota/policy-quota.yaml similarity index 100% rename from examples/ResourceQuota/policy-quota.yaml rename to test/ResourceQuota/policy-quota.yaml diff --git a/examples/ResourceQuota/quota.yaml b/test/ResourceQuota/quota.yaml similarity index 100% rename from examples/ResourceQuota/quota.yaml rename to test/ResourceQuota/quota.yaml diff --git a/examples/Secrets/policy-secrets.yaml b/test/Secrets/policy-secrets.yaml similarity index 100% rename from examples/Secrets/policy-secrets.yaml rename to test/Secrets/policy-secrets.yaml diff --git a/examples/Secrets/secrets.yaml b/test/Secrets/secrets.yaml similarity index 100% rename from examples/Secrets/secrets.yaml rename to test/Secrets/secrets.yaml diff --git a/examples/Services/Services.yaml b/test/Services/Services.yaml similarity index 100% rename from examples/Services/Services.yaml rename to test/Services/Services.yaml diff --git a/examples/Services/policy-Service.yaml b/test/Services/policy-Service.yaml similarity index 100% rename from examples/Services/policy-Service.yaml rename to test/Services/policy-Service.yaml diff --git a/examples/StatefulSet/StatefulSet.yaml b/test/StatefulSet/StatefulSet.yaml similarity index 100% rename from examples/StatefulSet/StatefulSet.yaml rename to test/StatefulSet/StatefulSet.yaml diff --git a/examples/StatefulSet/policy-StatefulSet.yaml b/test/StatefulSet/policy-StatefulSet.yaml similarity index 100% rename from examples/StatefulSet/policy-StatefulSet.yaml rename to test/StatefulSet/policy-StatefulSet.yaml From 26c826518a51c25ffc863b35e0faa0bc85ae8f54 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Tue, 21 May 2019 00:46:37 -0700 Subject: [PATCH 2/4] fix name and message --- examples/Validate/check_image_version.yaml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) 
diff --git a/examples/Validate/check_image_version.yaml b/examples/Validate/check_image_version.yaml index a9cc32d05d..e71335499e 100644 --- a/examples/Validate/check_image_version.yaml +++ b/examples/Validate/check_image_version.yaml @@ -1,17 +1,16 @@ apiVersion: policy.nirmata.io/v1alpha1 kind: Policy metadata: - name: whitelist-registries + name: image-pull-policy spec: rules: - - name: check-whitelist-registries - message: "Registry is not allowed" + - name: image-pull-policy + message: "Image tag ':latest' requires imagePullPolicy 'Always'" resource: kind: Deployment - validate: - pattern: - template: - spec: - containers: - - image: "(*:latest)" # select images which end with :latest - imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always" \ No newline at end of file + overlay: + template: + spec: + containers: + - image: "(*:latest)" # select images which end with :latest + imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always" \ No newline at end of file From e200cdc2a412d820c3d3c9b78a1ffadfa655e55c Mon Sep 17 00:00:00 2001 
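Review bot: The rewritten rule replaces `validate: pattern:` with a bare `overlay:` beside `message:`; an overlay mutates the resource, so the new message "Image tag ':latest' requires imagePullPolicy 'Always'" describes a rejection the rule no longer performs — a `:latest` image would be silently patched to `imagePullPolicy: "Always"` instead of being refused. If enforcement is intended keep `validate: pattern:`; if mutation is intended, the PATCH 3 policies in this series nest mutations under `mutate:`, so confirm the engine accepts `overlay:` at rule level and reword the message to say the field is being set. The pattern still starts at `template:` rather than `spec.template` for a Deployment, the same root issue as the other Validate examples in PATCH 1.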
From: Anton Kostenko Date: Tue, 21 May 2019 17:54:55 +0300 Subject: [PATCH 3/4] new policy structure policies are modified according to new logic --- test/ConfigMap/configMap.yaml | 14 ------ test/ConfigMap/policy-ConfigMap.yaml | 20 -------- test/CronJob/cronjob.yaml | 21 --------- test/CronJob/policy-CronJob.yaml | 20 -------- test/DaemonSet/DaemonSet.yaml | 2 +- test/DaemonSet/policy-ds.yaml | 21 --------- test/Deployment/ghost-deployment.yaml | 34 -------------- test/Deployment/policy-deployment-ghost.yaml | 24 ---------- test/Deployment/policy-deployment.yaml | 20 -------- test/Endpoints/endpoints.yaml | 13 ----- test/Endpoints/policy-endpoints.yaml | 25 ---------- .../HorizontalPodAutoscaler.yaml | 20 -------- test/HorizontalPodAutoscaler/policy-hpa.yaml | 30 ++++++++---- test/Ingress/policy-ingess.yaml | 19 -------- test/Job/job.yaml | 1 - test/Job/policy-job.yaml | 24 ++++++---- test/LimitRange/limitrange.yaml | 1 + test/LimitRange/policy-limitrange.yaml | 18 +++++-- test/Namespace/namespace.yaml | 11 ++--- test/Namespace/policy-namespace-by-name.yaml | 25 ---------- test/Namespace/policy-namespace.yaml | 38 +++++++-------- test/NetworkPolicy/policy-networkpolicy.yaml | 21 --------- test/PersistentVolumeClaim/policy-PVC.yaml | 23 +++++---- test/PodDisruptionBudget/policy-pdb.yaml | 24 ++++++---- test/PodTemplate/PodTemplate.yaml | 12 ++--- test/PodTemplate/policy-PodTemplate.yaml | 33 ++++++++----- test/README.md | 47 ++++++++++--------- test/ResourceQuota/policy-quota.yaml | 16 ++++--- test/Secrets/policy-secrets.yaml | 22 --------- test/Secrets/secrets.yaml | 11 ----- test/Services/Services.yaml | 17 ------- test/Services/policy-Service.yaml | 23 --------- test/StatefulSet/StatefulSet.yaml | 13 ++--- test/StatefulSet/policy-StatefulSet.yaml | 29 ++++++++---- 34 files changed, 191 insertions(+), 501 deletions(-) delete mode 100644 test/ConfigMap/configMap.yaml delete mode 100644 test/ConfigMap/policy-ConfigMap.yaml delete mode 100644 
test/CronJob/cronjob.yaml delete mode 100644 test/CronJob/policy-CronJob.yaml delete mode 100644 test/DaemonSet/policy-ds.yaml delete mode 100644 test/Deployment/ghost-deployment.yaml delete mode 100644 test/Deployment/policy-deployment-ghost.yaml delete mode 100644 test/Deployment/policy-deployment.yaml delete mode 100644 test/Endpoints/endpoints.yaml delete mode 100644 test/Endpoints/policy-endpoints.yaml delete mode 100644 test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml delete mode 100644 test/Ingress/policy-ingess.yaml delete mode 100644 test/Namespace/policy-namespace-by-name.yaml delete mode 100644 test/NetworkPolicy/policy-networkpolicy.yaml delete mode 100644 test/Secrets/policy-secrets.yaml delete mode 100644 test/Secrets/secrets.yaml delete mode 100644 test/Services/Services.yaml delete mode 100644 test/Services/policy-Service.yaml diff --git a/test/ConfigMap/configMap.yaml b/test/ConfigMap/configMap.yaml deleted file mode 100644 index 80f31212ae..0000000000 --- a/test/ConfigMap/configMap.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: game-config - namespace: default -data: - secretData: "very sensitive data" - secretDatatoreplace: "data is not changed" - game.properties: | - enemies=aliens - lives=3 - ui.properties: | - color.good=purple - color.bad=yellow diff --git a/test/ConfigMap/policy-ConfigMap.yaml b/test/ConfigMap/policy-ConfigMap.yaml deleted file mode 100644 index 10af719567..0000000000 --- a/test/ConfigMap/policy-ConfigMap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 -kind: Policy -metadata : - name: policy-configmap-test -spec: - rules: - - name: "Policy ConfigMap sample rule" - resource: - kind : ConfigMap - name: "game-config" - mutate: - patches: - - path: "/data/newKey" - op: add - value: newValue - - path: "/data/secretData" - op: remove - - path: "/data/secretDatatoreplace" - op: replace - value: "data is replaced" 
diff --git a/test/CronJob/cronjob.yaml b/test/CronJob/cronjob.yaml deleted file mode 100644 index 778253d7e2..0000000000 --- a/test/CronJob/cronjob.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: hello - labels : - label : "original" - -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: hello - image: busybox - args: - - /bin/sh - - -c - - date; echo Hello from the Kubernetes cluster - restartPolicy: OnFailure diff --git a/test/CronJob/policy-CronJob.yaml b/test/CronJob/policy-CronJob.yaml deleted file mode 100644 index 52f287c0d1..0000000000 --- a/test/CronJob/policy-CronJob.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-cronjob - -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : CronJob - name: "hello" - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path : "/spec/schedule" - op : replace - value : "* */1 * * *" - - diff --git a/test/DaemonSet/DaemonSet.yaml b/test/DaemonSet/DaemonSet.yaml index 1bf8993f80..c6d30247fe 100644 --- a/test/DaemonSet/DaemonSet.yaml +++ b/test/DaemonSet/DaemonSet.yaml @@ -40,4 +40,4 @@ spec: path: /var/log - name: varlibdockercontainers hostPath: - path: /var/lib/docker/containers \ No newline at end of file + path: /var/lib/docker/containers diff --git a/test/DaemonSet/policy-ds.yaml b/test/DaemonSet/policy-ds.yaml deleted file mode 100644 index a0f8bfc2cf..0000000000 --- a/test/DaemonSet/policy-ds.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-daemonset -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : DaemonSet - selector: - matchLabels: - originalLabel: isHere - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path: "/metadata/labels/originalLabel" - op: remove - - path : "/spec/template/spec/containers/0/image" - op : replace - value: "k8s.gcr.io/fluentd-elasticsearch:latest" diff --git a/test/Deployment/ghost-deployment.yaml b/test/Deployment/ghost-deployment.yaml deleted file mode 100644 index 8bf95b9788..0000000000 --- a/test/Deployment/ghost-deployment.yaml +++ /dev/null @@ -1,34 +0,0 @@ -kind: "Deployment" -apiVersion: "extensions/v1beta1" -metadata: - name: "ghost" - labels: - nirmata.io/deployment.name: "ghost" - nirmata.io/application.name: "ghost" - nirmata.io/component: "ghost" -spec: - replicas: 1 - revisionHistoryLimit: 5 - selector: - matchLabels: - nirmata.io/application.name: "ghost" - nirmata.io/component: "ghost" - strategy: - type: "RollingUpdate" - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - nirmata.io/deployment.name: "ghost" - nirmata.io/application.name: "ghost" - nirmata.io/component: "ghost" - spec: - containers: - - name: "ghost" - image: "ghost:2.9.1-alpine" - ports: - - containerPort: 8080 - protocol: "TCP" - diff --git a/test/Deployment/policy-deployment-ghost.yaml b/test/Deployment/policy-deployment-ghost.yaml deleted file mode 100644 index 758f187945..0000000000 --- a/test/Deployment/policy-deployment-ghost.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-deployment-ghost -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Deployment - selector : - matchLabels : - nirmata.io/deployment.name: "ghost" - patch: - - path: /metadata/labels/isMutated - op: add - value: "true" - - path: "/spec/strategy/rollingUpdate/maxSurge" - op: add - value: 5 - - path: "/spec/template/spec/containers/0/ports/0" - op: replace - value: - containerPort: 2368 - protocol: TCP diff --git a/test/Deployment/policy-deployment.yaml b/test/Deployment/policy-deployment.yaml deleted file mode 100644 index 4bc0f23fd2..0000000000 --- a/test/Deployment/policy-deployment.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-deployment -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Deployment - name: nginx-deployment - patch: - - path: /metadata/labels/isMutated - op: add - value: "true" - - path: /metadata/labels/app - op: replace - value: "nginx_is_mutated" - - - diff --git a/test/Endpoints/endpoints.yaml b/test/Endpoints/endpoints.yaml deleted file mode 100644 index 792a83da96..0000000000 --- a/test/Endpoints/endpoints.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Endpoints -metadata: - name: test-endpoint - labels: - label : test -subsets: -- addresses: - - ip: 192.168.10.171 - ports: - - name: secure-connection - port: 443 - protocol: TCP \ No newline at end of file diff --git a/test/Endpoints/policy-endpoints.yaml b/test/Endpoints/policy-endpoints.yaml deleted file mode 100644 index 2a8c09dda5..0000000000 --- a/test/Endpoints/policy-endpoints.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-endpoints -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Endpoints - selector: - matchLabels: - label : test - patch: - - path : "/subsets/0/ports/0/port" - op : replace - value: 9663 - - path : "/subsets/0" - op: add - value: - addresses: - - ip: "192.168.10.171" - ports: - - name: load-balancer-connection - port: 80 - protocol: UDP \ No newline at end of file diff --git a/test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml b/test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml deleted file mode 100644 index b8a029ac16..0000000000 --- a/test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: wildfly-example -spec: - scaleTargetRef: - apiVersion: extensions/v1beta1 - kind: Deployment - name: wildfly-example - minReplicas: 1 - maxReplicas: 5 - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - - type: Resource - resource: - name: memory - targetAverageValue: 1000Mi diff --git a/test/HorizontalPodAutoscaler/policy-hpa.yaml b/test/HorizontalPodAutoscaler/policy-hpa.yaml index ba0640c9f3..840c41fc46 100644 --- a/test/HorizontalPodAutoscaler/policy-hpa.yaml +++ b/test/HorizontalPodAutoscaler/policy-hpa.yaml 
@@ -1,20 +1,30 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-hpa +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-hpa spec : - failurePolicy: stopOnError rules: - - resource: + - name: hpa1 + resource: kind : HorizontalPodAutoscaler selector: matchLabels: originalLabel: isHere - patch: - - path: "/metadata/labels" + mutate: + patches: + - path: "/metadata/labels/isMutated" op: add - value: - isMutated: "true" + value: "true" - op: replace path: "/spec/metrics/1/resource/targetAverageValue" value: "959Mi" + validate: + message: "There is wrong resorce request or apiVersion" + pattern: + spec: + scaleTargetRef: + apiVersion: extensions/v1beta1 +# metrics: +# - type: Resource +# resource: +# name: cpu|memory diff --git a/test/Ingress/policy-ingess.yaml b/test/Ingress/policy-ingess.yaml deleted file mode 100644 index 8151a1dd73..0000000000 --- a/test/Ingress/policy-ingess.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-ingress -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Ingress - selector: - matchLabels: - originalLabel: isHere - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path : "/spec/rules/0/http/paths/0/path" - op : replace - value: "/mutatedpath" diff --git a/test/Job/job.yaml b/test/Job/job.yaml index e5a2e20bdd..c569475ff7 100644 --- a/test/Job/job.yaml +++ b/test/Job/job.yaml @@ -11,4 +11,3 @@ spec: command: ["perl"] restartPolicy: Never backoffLimit: 4 - diff --git a/test/Job/policy-job.yaml b/test/Job/policy-job.yaml index 29d003de2a..eb023a8bf4 100644 --- a/test/Job/policy-job.yaml +++ b/test/Job/policy-job.yaml 
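Review bot: The validate message in policy-hpa.yaml misspells resource, `message: "There is wrong resorce request or apiVersion"`, and the pattern under it only constrains `scaleTargetRef.apiVersion`, so the "resource request" half of the message has nothing to check against. Pinning `apiVersion: extensions/v1beta1` also rejects a target declared as `apps/v1`, the non-deprecated group for Deployments; if the example is meant to enforce a current API, use that value instead. The four commented-out `# metrics:` lines are dead config on the new side; either finish that pattern (`name: cpu|memory`) or drop them.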
@@ -1,17 +1,25 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-job-perl-bigint +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-job-perl-bigint spec : - failurePolicy: stopOnError rules: - - resource: - kind : Job + - name: job1 + resource: + kind: Job name: pi - patch: + mutate: + patches: - path : "/spec/template/spec/containers/0/command" op : add value: [ "-Mbignum=bpi", "-wle", "print bpi(2000)" ] - path : "/spec/backoffLimit" op: add value: 10 + validate: + message: "This job should not be restarted" + pattern: + spec: + template: + spec: + restartPolicy: Never diff --git a/test/LimitRange/limitrange.yaml b/test/LimitRange/limitrange.yaml index 7f72ceea26..b37a69aa09 100644 --- a/test/LimitRange/limitrange.yaml +++ b/test/LimitRange/limitrange.yaml @@ -8,6 +8,7 @@ spec: limits: - default: memory: 512Mi + cpu: 10m defaultRequest: memory: 256Mi type: Container diff --git a/test/LimitRange/policy-limitrange.yaml b/test/LimitRange/policy-limitrange.yaml index e6269c2c4d..79d3c7bf45 100644 --- a/test/LimitRange/policy-limitrange.yaml +++ b/test/LimitRange/policy-limitrange.yaml @@ -1,16 +1,24 @@ -apiVersion : policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind : Policy metadata : name : policy-limitrange spec : - failurePolicy: stopOnError rules: - - resource: + - name: + resource: kind : LimitRange selector: matchLabels: containerSize: minimal - patch: - - path : "/spec/limits/0/default/memory" + mutate: + patches: + - path : "/spec/limits/0/memory" op : replace value: "384Mi" + validate: + message: "The CPU value is incorrect" + pattern: + spec: + limits: + - default: + cpu: 9m diff --git a/test/Namespace/namespace.yaml b/test/Namespace/namespace.yaml index 1ddf14d9fc..c83e3cc729 100644 --- a/test/Namespace/namespace.yaml +++ b/test/Namespace/namespace.yaml 
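Review bot: The mutate patch path in policy-limitrange.yaml was changed from `/spec/limits/0/default/memory` to `/spec/limits/0/memory`, but the limitrange.yaml hunk just above keeps `memory` under `limits[0].default`, so an RFC 6902 `replace` on the new path targets a key that does not exist and fails instead of rewriting the default; `- path : "/spec/limits/0/default/memory"` looks like the intended value. The rule name is left empty (`- name:`) here and again in policy-quota.yaml, policy-cronjob-wldcrd.yaml, policy-endpoints.yaml and policy-quota-validation.yaml, while sibling policies name each rule (`hpa1`, `job1`); if the name appears in reports, give these a value too. The validate pattern requires `cpu: 9m` while limitrange.yaml sets `cpu: 10m`, so the fixture fails its own policy — fine if that is the negative case being tested, but a comment above `validate:` saying so would make the intent readable.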
@@ -1,8 +1,7 @@ kind: Namespace apiVersion: v1 -metadata: - name: "namespace-not-modified" - labels: - LabelForSelector : "namespace" - replaced : "no" - +metadata: + name: namespace-not-modified + labels: + LabelForSelector : "namespace" + replaced : "no" diff --git a/test/Namespace/policy-namespace-by-name.yaml b/test/Namespace/policy-namespace-by-name.yaml deleted file mode 100644 index 4f3ec6636a..0000000000 --- a/test/Namespace/policy-namespace-by-name.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 - -kind : Policy - -metadata : - name : policy-namespace - -spec : - failurePolicy: stopOnError - - rules: - - resource: - kind : Namespace - name : "namespace-not-modified" - - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path: "/metadata/name" - op: replace - value: "modified-namespace" - - - diff --git a/test/Namespace/policy-namespace.yaml b/test/Namespace/policy-namespace.yaml index 2bddde6394..9ef999212f 100644 --- a/test/Namespace/policy-namespace.yaml +++ b/test/Namespace/policy-namespace.yaml @@ -1,27 +1,21 @@ -apiVersion : policy.nirmata.io/v1alpha1 - -kind : Policy - +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy metadata : name : policy-namespace spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Namespace - selector: - matchLabels: - LabelForSelector : "namespace" - - patch: - - path: "/metadata/labels/replaced" - op: add - value: "yes" - - path: "/metadata/name" - op: replace - value: "modified-namespace-name" - - - + - name: ns1 + resource: + kind : Namespace + selector: + matchLabels: + LabelForSelector : "namespace" + mutate: + patches: + - path: "/metadata/labels/replaced" + op: add + value: "yes" + - path: "/metadata/name" + op: replace + value: "modified-namespace" diff --git a/test/NetworkPolicy/policy-networkpolicy.yaml b/test/NetworkPolicy/policy-networkpolicy.yaml deleted file mode 100644 index 1ae08fbcd0..0000000000 
--- a/test/NetworkPolicy/policy-networkpolicy.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-network-policy -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : NetworkPolicy - selector: - matchLabels: - originalLabel: isHere - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path: "/metadata/labels/originalLabel" - op: remove - - path : "/spec/ingress/0/from/0/ipBlock/cidr" - op : replace - value: "172.17.128.0/17" diff --git a/test/PersistentVolumeClaim/policy-PVC.yaml b/test/PersistentVolumeClaim/policy-PVC.yaml index 533c02d721..4a05f586af 100644 --- a/test/PersistentVolumeClaim/policy-PVC.yaml +++ b/test/PersistentVolumeClaim/policy-PVC.yaml @@ -1,17 +1,24 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-pvc -spec : - failurePolicy: stopOnError +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-pvc +spec: rules: - - resource: + - name: pvc1 + resource: kind : PersistentVolumeClaim matchLabels: originalLabel: isHere - patch: + mutate: + patches: - path: "/metadata/labels/originalLabel" op: remove - path : "/spec/resources/requests/storage" op : replace value: "6Gi" + validate: + message: "I don't like this pvc" + pattern: + spec: + accessModes: + - ReadWrite diff --git a/test/PodDisruptionBudget/policy-pdb.yaml b/test/PodDisruptionBudget/policy-pdb.yaml index 6b9fa18a67..736d0199d4 100644 --- a/test/PodDisruptionBudget/policy-pdb.yaml +++ b/test/PodDisruptionBudget/policy-pdb.yaml 
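Review bot: In policy-PVC.yaml `matchLabels:` sits directly under `resource:` beside `kind :`, without the `selector:` wrapper every other policy in this commit uses, so the label selector is probably ignored and the rule would match every PersistentVolumeClaim; `selector:` / `  matchLabels:` / `    originalLabel: isHere` matches the siblings. The new validate pattern lists `accessModes: - ReadWrite`, which is not a Kubernetes access mode (`ReadWriteOnce`, `ReadOnlyMany`, `ReadWriteMany` are), so no real claim can satisfy it. The message `I don't like this pvc` tells the submitter nothing about what to change; state the expected access mode, e.g. `message: "PVC accessModes must include ReadWriteOnce"`.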
@@ -1,17 +1,25 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-pdb -spec : - failurePolicy: stopOnError +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-pdb +spec: rules: - - resource: + - name: pdb1 + resource: kind : PodDisruptionBudget name: "game-pdb" - patch: + mutate: + patches: - path: "/metadata/labels/isMutated" op: add value: "true" - path : "/spec/minAvailable" op : replace value: "5%" + validate: + message: "This PDB has the wrong selector" + pattern: + spec: + selector: + matchLabels: + app: "zoo*" diff --git a/test/PodTemplate/PodTemplate.yaml b/test/PodTemplate/PodTemplate.yaml index 18b7c7e9f3..08c1fb5239 100644 --- a/test/PodTemplate/PodTemplate.yaml +++ b/test/PodTemplate/PodTemplate.yaml @@ -1,16 +1,16 @@ apiVersion: v1 kind: PodTemplate -metadata: +metadata: name: nginx-test - labels: + labels: app: nginx originalLabel: isHere -template: - spec: - containers: +template: + spec: + containers: - name: redis image: redis - ports: + ports: - containerPort: 80 protocol: TCP restartPolicy: Always diff --git a/test/PodTemplate/policy-PodTemplate.yaml b/test/PodTemplate/policy-PodTemplate.yaml index b084af9cd7..dbe7b01e2a 100644 --- a/test/PodTemplate/policy-PodTemplate.yaml +++ b/test/PodTemplate/policy-PodTemplate.yaml 
@@ -1,21 +1,32 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : test-podtemplate -spec : - failurePolicy: stopOnError +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: test-podtemplate +spec: rules: - - resource: + - name: podtemplate1 + resource: kind : PodTemplate selector: matchLabels: originalLabel: isHere - patch: + mutate: + patches: - path: "/metadata/labels/app" op : replace value : mutedApp - path: "/template/spec/containers/0/name" op : replace - value : my-mutated-app - - path: "/metadata/labels/originalLabel" - op : remove + value : mongodb + - path: "/template/spec/containers/0/image" + op : replace + value : mongodb + validate: + message: "Port 80 is not for redis" + pattern: + template: + spec: + containers: + - name: "!redis" + ports: + - containerPort: 80 diff --git a/test/README.md b/test/README.md index c2b5edb2bb..83136b4cb8 100644 --- a/test/README.md +++ b/test/README.md 
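Review bot: The new patch `- path: "/template/spec/containers/0/image"` sets `value : mongodb` with no tag, so the mutated template pulls whatever `:latest` resolves to on the day; the StatefulSet fixture in this series pins a tag (`...:0.8`), and `value : mongodb:<tag>` (pick one) keeps the example reproducible. The validate message `Port 80 is not for redis` reads as a prohibition, while the pattern (`name: "!redis"` together with `containerPort: 80`) appears to pass only once the preceding patch has renamed the container, assuming `!` negates as the syntax suggests. A one-line comment above `validate:` stating that the check is expected to pass post-mutation would make the test's intent readable.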
@@ -29,37 +29,38 @@ test-endpoint 192.168.10.171:443 6s ``` We just created an endpoints resource and made sure that it was created without changes. Let's remove it now and try to create it again, but with an active policy for endpoints resources. ``` -> kubectl delete -f test/endpoints.yaml +> kubectl delete -f test/endpoints.yaml endpoints "test-endpoint" deleted ``` We have this a policy for enpoints (`examples/Endpoints/policy-endpoint.yaml`): ``` -apiVersion : policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind : Policy metadata : name : policy-endpoints spec : - failurePolicy: stopOnError rules: - - resource: - kind : Endpoints - selector: - matchLabels: - label : test - patch: - - path : "/subsets/0/ports/0/port" - op : replace - value: 9663 - - path : "/subsets/0" - op: add - value: - addresses: - - ip: "192.168.10.171" - ports: - - name: additional-connection - port: 80 - protocol: UDP + - name: + resource: + kind : Endpoints + selector: + matchLabels: + label : test + mutate: + patches: + - path : "/subsets/0/ports/0/port" + op : replace + value: 9663 + - path : "/subsets/0" + op: add + value: + addresses: + - ip: "192.168.10.171" + ports: + - name: load-balancer-connection + port: 80 + protocol: UDP ``` This policy does 2 patches: @@ -68,9 +69,9 @@ This policy does 2 patches: Let's apply this policy and create the endpoints again to see the changes: ``` -> kubectl create -f examples/Endpoints/policy-endpoints.yaml +> kubectl create -f examples/Endpoints/policy-endpoints.yaml policy.policy.nirmata.io/policy-endpoints created -> kubectl create -f examples/Endpoints/endpoints.yaml +> kubectl create -f examples/Endpoints/endpoints.yaml endpoints/test-endpoint created > kubectl get -f examples/Endpoints/endpoints.yaml NAME ENDPOINTS AGE diff --git a/test/ResourceQuota/policy-quota.yaml b/test/ResourceQuota/policy-quota.yaml index f4190e87e8..89248787fe 100644 --- a/test/ResourceQuota/policy-quota.yaml 
+++ b/test/ResourceQuota/policy-quota.yaml @@ -1,19 +1,20 @@ -apiVersion : policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind : Policy metadata : name : policy-quota-low-test spec : - failurePolicy: stopOnError rules: - - resource: + - name: + resource: kind : ResourceQuota selector: matchLabels: quota: low - patch: + mutate: + patches: - path : "/spec/scopeSelector/matchExpressions/1" op : add - value : + value : operator : In scopeName: PriorityClass values: ["low-medium"] @@ -25,4 +26,7 @@ spec : "pods": "10", "limits.memory": "12Gi", "requests.nvidia.com/gpu": "8" - } \ No newline at end of file + } + - path : "/metadata/labels/quota-soft" + op : replace + value : replaced diff --git a/test/Secrets/policy-secrets.yaml b/test/Secrets/policy-secrets.yaml deleted file mode 100644 index 4dbc5d4ae2..0000000000 --- a/test/Secrets/policy-secrets.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-secrets -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Secret - name: "mysecret" - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path: "/metadata/labels/originalLabel" - op: remove - - path : "/data/newPass" - op : add - value : "bmV3UmFuZG9tUGFzcwo=" - - path : "/data/password" - op : replace - value : "Y29tcHJvbWlzZWQK" diff --git a/test/Secrets/secrets.yaml b/test/Secrets/secrets.yaml deleted file mode 100644 index 6794580532..0000000000 --- a/test/Secrets/secrets.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: mysecret - labels: - originalLabel : isHere - -type: Opaque -data: - username: QXByaW9yaXQK - password: cXVlc3QxIQo= diff --git a/test/Services/Services.yaml b/test/Services/Services.yaml deleted file mode 100644 index eb92e8d406..0000000000 --- a/test/Services/Services.yaml +++ /dev/null 
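Review bot: The added patch `- path : "/metadata/labels/quota-soft"` uses `op : replace`, which per RFC 6902 requires the target to exist, but the rule only selects on `quota: low`, so a ResourceQuota without a `quota-soft` label makes the whole patch set fail. If the label should be set either way, `op : add` writes it whether or not it already exists. The ResourceQuota fixture this rule runs against is not in this chunk, so I cannot tell which case it hits.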
@@ -1,17 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: game-service - labels: - originalLabel : isHere - - secretLabel : thisIsMySecret -spec: - selector: - app: MyApp - ports: - - name: http - - protocol: TCP - port: 80 - targetPort: 9376 diff --git a/test/Services/policy-Service.yaml b/test/Services/policy-Service.yaml deleted file mode 100644 index 9f8d598b5e..0000000000 --- a/test/Services/policy-Service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-service -spec : - failurePolicy: stopOnError - rules: - - resource: - kind: Service - name: game-service - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path : "/metadata/labels/secretLabel" - op : replace - value : "weKnow" - - path : "/metadata/labels/originalLabel" - op : remove - - path: "/spec/selector/app" - op: replace - value: "mutedApp" - diff --git a/test/StatefulSet/StatefulSet.yaml b/test/StatefulSet/StatefulSet.yaml index 341db0e4c8..4970d7fdfd 100644 --- a/test/StatefulSet/StatefulSet.yaml +++ b/test/StatefulSet/StatefulSet.yaml @@ -2,32 +2,29 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: game-web - labels: - originalLabel : isHere - spec: selector: matchLabels: - app: nginx-but-no # has to match .spec.template.metadata.labels - serviceName: "nginx-but-no" + app: nginxo # has to match .spec.template.metadata.labels + serviceName: "nginxo" replicas: 3 # by default is 1 template: metadata: labels: - app: nginx-but-no # has to match .spec.selector.matchLabels + app: nginxo # has to match .spec.selector.matchLabels spec: terminationGracePeriodSeconds: 10 containers: - - name: nginx-but-no + - name: nginxo image: k8s.gcr.io/nginx-but-no-slim:0.8 ports: - containerPort: 8780 name: webp volumeMounts: - name: www - mountPath: /usr/share/nginx-but-no/html + mountPath: /usr/share/nginxo/html volumeClaimTemplates: - metadata: name: www 
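Review bot: The fixture change in StatefulSet.yaml removes `labels: originalLabel : isHere` from the StatefulSet's metadata, but policy-StatefulSet.yaml in the next hunk still selects with `matchLabels: originalLabel: isHere`, so after this commit the policy never matches its own fixture and both the patches and the new validate block go unexercised. Either keep the label on the fixture or switch the rule to `name: game-web`. The image `k8s.gcr.io/nginx-but-no-slim:0.8` keeps the old name while every other occurrence is renamed to `nginxo`; if that is deliberate, a trailing `# placeholder image, not renamed on purpose` would stop the next rename from touching it.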
diff --git a/test/StatefulSet/policy-StatefulSet.yaml b/test/StatefulSet/policy-StatefulSet.yaml index c969dababd..f9277c6016 100644 --- a/test/StatefulSet/policy-StatefulSet.yaml +++ b/test/StatefulSet/policy-StatefulSet.yaml @@ -1,16 +1,17 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-statefulset -spec : - failurePolicy: stopOnError +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-statefulset +spec: rules: - - resource: + - name: statefulset1 + resource: kind : StatefulSet selector: matchLabels: originalLabel: isHere - patch: + mutate: + patches: - path: "/spec/template/metadata/labels/isMutated" op: add value: "true" @@ -22,3 +23,15 @@ spec : - path : "/spec/serviceName" op : replace value : "not-a-nginx" + validate: + message: "This SS is broken" + pattern: + spec: + replicas: ">20" + volumeClaimTemplates: + - metadata: + name: www + spec: + resources: + requests: + storage: "<50Gi" From 2997a5139b7eb051454bc8ea13d902090cfd9d19 Mon Sep 17 00:00:00 2001 
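Review bot: The validate pattern added in the second hunk requires `replicas: ">20"`, yet the StatefulSet fixture in the previous hunk keeps `replicas: 3`, so the fixture is rejected by its own policy with `This SS is broken`. If a failing fixture is the intended negative test, say so in the message or a comment; if the fixture should pass, the comparison reads inverted and `replicas: "<20"` is likely what was meant. The `storage: "<50Gi"` bound cannot be checked here because the fixture's `volumeClaimTemplates` spec lies outside this chunk. Quoting also differs from policy-quota-validation.yaml's unquoted `cpu: <3`; both are strings to YAML, but one convention makes the operators easier to grep.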
From: Anton Kostenko Date: Tue, 21 May 2019 17:56:59 +0300 Subject: [PATCH 4/4] updated policies updated policies according to new policy structure for testing --- test/ConfigMap/CM.yaml | 14 +++++ test/ConfigMap/policy-CM.yaml | 49 +++++++++++++++ test/CronJob/cronjobs.yaml | 62 +++++++++++++++++++ test/CronJob/policy-cronjob-wldcrd.yaml | 37 +++++++++++ test/DaemonSet/policy-daemonset.yaml | 27 ++++++++ test/Deployment/policy-deployment-any.yaml | 25 ++++++++ test/Endpoint/endpoints.yaml | 13 ++++ test/Endpoint/policy-endpoints.yaml | 32 ++++++++++ test/HorizontalPodAutoscaler/hpa.yaml | 22 +++++++ test/Ingress/policy-ingress.yaml | 30 +++++++++ test/NetworkPolicy/policy-network-policy.yaml | 29 +++++++++ .../policy-quota-validation.yaml | 42 +++++++++++++ test/Secret/policy-secret.yaml | 27 ++++++++ test/Secret/secret.yaml | 11 ++++ test/Service/policy-service.yaml | 31 ++++++++++ test/Service/service.yaml | 15 +++++ 16 files changed, 466 insertions(+) create mode 100644 test/ConfigMap/CM.yaml create mode 100644 test/ConfigMap/policy-CM.yaml create mode 100644 test/CronJob/cronjobs.yaml create mode 100644 test/CronJob/policy-cronjob-wldcrd.yaml create mode 100644 test/DaemonSet/policy-daemonset.yaml create mode 100644 test/Deployment/policy-deployment-any.yaml create mode 100644 test/Endpoint/endpoints.yaml create mode 100644 test/Endpoint/policy-endpoints.yaml create mode 100644 test/HorizontalPodAutoscaler/hpa.yaml create mode 100644 test/Ingress/policy-ingress.yaml create mode 100644 test/NetworkPolicy/policy-network-policy.yaml create mode 100644 test/ResourceQuota/policy-quota-validation.yaml create mode 100644 test/Secret/policy-secret.yaml create mode 100644 test/Secret/secret.yaml create mode 100644 test/Service/policy-service.yaml create mode 100644 test/Service/service.yaml diff --git a/test/ConfigMap/CM.yaml b/test/ConfigMap/CM.yaml new file mode 100644 index 0000000000..80f31212ae --- /dev/null +++ b/test/ConfigMap/CM.yaml 
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: game-config
+ namespace: default
+data:
+ secretData: "very sensitive data"
+ secretDatatoreplace: "data is not changed"
+ game.properties: |
+ enemies=aliens
+ lives=3
+ ui.properties: |
+ color.good=purple
+ color.bad=yellow
diff --git a/test/ConfigMap/policy-CM.yaml b/test/ConfigMap/policy-CM.yaml new file mode 100644
index 0000000000..843ff23f7e
--- /dev/null
+++ b/test/ConfigMap/policy-CM.yaml
@@ -0,0 +1,49 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+ name : policy-cm
+spec :
+ rules:
+ - name: pCM1
+ resource:
+ kind : ConfigMap
+ name: "game-config"
+ mutate:
+ patches:
+ - path : "/data/newKey"
+ op : add
+ value : newValue
+ - name: pCM2
+ resource:
+ kind : ConfigMap
+ name: "game-config"
+ mutate:
+ patches:
+ - path : "/data/secretData"
+ op : remove
+ - path : "/data/secretDatatoreplace"
+ op : replace
+ value : "data is replaced"
+ - name: pCM3
+ resource:
+ kind : ConfigMap
+ name: "game-config"
+ mutate:
+ patches:
+ - path : "/data/secretData"
+ op : add
+ value : newData
+ validate:
+ message: "There is only one enemy"
+ pattern:
+ data:
+ game.properties: "*enemies=aliens*"
+ - name: pCM4
+ resource:
+ kind : ConfigMap
+ name: "game-config"
+ validate:
+ message: "This CM data is broken because it does not have ui.properties"
+ pattern:
+ data:
+ ui.properties: "*"
diff --git a/test/CronJob/cronjobs.yaml b/test/CronJob/cronjobs.yaml new file mode 100644
index 0000000000..8e5dd00c37
--- /dev/null
+++ b/test/CronJob/cronjobs.yaml
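Review bot: Rules pCM2 and pCM3 in policy-CM.yaml both target `/data/secretData` on the same ConfigMap, pCM2 with `op : remove` and pCM3 with `op : add`, so the final value (`newData` or absent) depends on the order the engine applies rules and on whether a failed remove aborts the later ones; a reader cannot tell which outcome the test expects. Splitting the two rules onto differently named fixtures, or a comment above `- name: pCM3` stating the expected end state, would settle that. pCM3's message `There is only one enemy` does not describe its pattern `game.properties: "*enemies=aliens*"`, which asserts the enemy type, not a count.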
@@ -0,0 +1,62 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: hello
+ labels :
+ label : "original"
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hello
+ image: busybox
+ args:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: hellow
+ labels :
+ label : "original"
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: 12hello
+ image: busybox
+ args:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: hello23
+ labels:
+ label: "original"
+spec:
+ schedule: "*/1 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hel32lo
+ image: busybox
+ args:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ restartPolicy: OnFailure
diff --git a/test/CronJob/policy-cronjob-wldcrd.yaml b/test/CronJob/policy-cronjob-wldcrd.yaml new file mode 100644
index 0000000000..4ef1598c35
--- /dev/null
+++ b/test/CronJob/policy-cronjob-wldcrd.yaml
@@ -0,0 +1,37 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: policy-cronjob
+spec:
+ rules:
+ - name:
+ resource:
+ kind : CronJob
+ name: "?ell*"
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path : "/spec/schedule"
+ op : replace
+ value : "* */1 * * *"
+ - path: "/metadata/labels/label"
+ op: add
+ value: "not_original"
+ - path: "/metadata/labels/label234e3"
+ op: remove
+ validate:
+ message: "This resource is broken"
+ pattern:
+ metadata:
+ labels:
+ label: "not_original"
+ spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: "h*"
+ image: busybox
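Review bot: The patch `- path: "/metadata/labels/label234e3"` with `op: remove` in policy-cronjob-wldcrd.yaml names a label none of the three CronJobs in cronjobs.yaml carry (they only have `label: "original"`), and RFC 6902 makes remove on a missing path an error, so unless the engine tolerates that, every matched CronJob fails mutation; drop the patch or point it at a label the fixture has. The validate pattern `- name: "h*"` is not matched by the second fixture's container `12hello`, so `hellow` fails validation while `hello` and `hello23` pass; if that is the intended negative case, a comment in cronjobs.yaml next to `- name: 12hello` saying so would save the next reader from guessing.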
diff --git a/test/DaemonSet/policy-daemonset.yaml b/test/DaemonSet/policy-daemonset.yaml new file mode 100644
index 0000000000..47912c2795
--- /dev/null
+++ b/test/DaemonSet/policy-daemonset.yaml
@@ -0,0 +1,27 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: policy-daemonset
+spec:
+ rules:
+ - name: "Patch and Volume validation"
+ resource:
+ kind: DaemonSet
+ name: fluentd-elasticsearch
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path: "/metadata/labels/originalLabel"
+ op: remove
+ validate:
+ message: "This daemonset is broken"
+ pattern:
+ spec:
+ template:
+ spec:
+ containers:
+ volumeMounts:
+ - name: varlibdockercontainers
+ readOnly: false
diff --git a/test/Deployment/policy-deployment-any.yaml b/test/Deployment/policy-deployment-any.yaml new file mode 100644
index 0000000000..6a43ec225d
--- /dev/null
+++ b/test/Deployment/policy-deployment-any.yaml
@@ -0,0 +1,25 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+ name : policy-deployment
+spec :
+ rules:
+ - name: "First policy v2"
+ resource:
+ kind : Deployment
+ name: nginx-*
+ mutate:
+ patches:
+ - path: /metadata/labels/isMutated
+ op: add
+ value: "true"
+ - path: /metadata/labels/app
+ op: replace
+ value: "nginx_is_mutated"
+
+ validate:
+ message: "Because I like only mutated resources"
+ pattern:
+ metadata:
+ labels:
+ app: "*mutated"
diff --git a/test/Endpoint/endpoints.yaml b/test/Endpoint/endpoints.yaml new file mode 100644
index 0000000000..958d931482
--- /dev/null
+++ b/test/Endpoint/endpoints.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: test-endpoint
+ labels:
+ label : test
+subsets:
+- addresses:
+ - ip: 192.168.10.171
+ ports:
+ - name: secure-connection
+ port: 443
+ protocol: TCP
diff --git a/test/Endpoint/policy-endpoints.yaml b/test/Endpoint/policy-endpoints.yaml new file mode 100644
index 0000000000..335573c6ba
--- /dev/null
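Review bot: In the validate pattern of policy-daemonset.yaml, `volumeMounts:` is written as a mapping key directly under `containers:` instead of as a list item, so the pattern's shape (`containers: {volumeMounts: [...]}`) cannot line up with a pod spec where `containers` is a list; every other pattern in this commit uses `containers:` / `- name: ...`, so `containers:` / `- volumeMounts:` / `  - name: varlibdockercontainers` is the matching form. Separately, the pattern asserts `readOnly: false` on the `varlibdockercontainers` mount: if that is a host-path mount of the container runtime's log directory, as the name suggests (the DaemonSet fixture is not in this chunk), a validation that passes only when the mount is writable encodes the less safe setting, and for a log shipper `readOnly: true` is the value to require.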
+++ b/test/Endpoint/policy-endpoints.yaml
@@ -0,0 +1,32 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+ name : policy-endpoints
+spec :
+ rules:
+ - name:
+ resource:
+ kind : Endpoints
+ selector:
+ matchLabels:
+ label : test
+ mutate:
+ patches:
+ - path : "/subsets/0/ports/0/port"
+ op : replace
+ value: 9663
+ - path : "/subsets/0"
+ op: add
+ value:
+ addresses:
+ - ip: "192.168.10.171"
+ ports:
+ - name: load-balancer-connection
+ port: 80
+ protocol: UDP
+ validate:
+ message: "This resource has wrong IP"
+ pattern:
+ subsets:
+ - addresses:
+ - ip: "192.168.10.171|192.168.10.172"
diff --git a/test/HorizontalPodAutoscaler/hpa.yaml b/test/HorizontalPodAutoscaler/hpa.yaml new file mode 100644
index 0000000000..75dd3b6467
--- /dev/null
+++ b/test/HorizontalPodAutoscaler/hpa.yaml
@@ -0,0 +1,22 @@
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: wildfly-example
+ labels:
+ originalLabel: isHere
+spec:
+ scaleTargetRef:
+ apiVersion: extensions/v1beta1
+ kind: Deployment
+ name: wildfly-example
+ minReplicas: 1
+ maxReplicas: 5
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageValue: 1000Mi
diff --git a/test/Ingress/policy-ingress.yaml b/test/Ingress/policy-ingress.yaml new file mode 100644
index 0000000000..e0c2abb1a7
--- /dev/null
+++ b/test/Ingress/policy-ingress.yaml
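Review bot: The second patch in policy-endpoints.yaml, `- path : "/subsets/0"` with `op: add`, inserts a new subset in front of the existing one rather than appending, so the port rewrite the first patch applied at `/subsets/0/ports/0/port` ends up on what is then `subsets[1]`; if append was intended, `- path : "/subsets/-"` is the JSON Patch spelling. The validate pattern `ip: "192.168.10.171|192.168.10.172"` is presumably satisfied by the subset the mutation just inserted, regardless of what the fixture contained, so it does not really exercise the fixture's address; a comment above `validate:` stating which resource state the pattern is checked against would make that explicit.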
@@ -0,0 +1,30 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata :
+ name : policy-ingress
+spec :
+ rules:
+ - name: ingress1
+ resource:
+ kind : Ingress
+ selector:
+ matchLabels:
+ originalLabel: isHere
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path : "/spec/rules/0/http/paths/0/path"
+ op : replace
+ value: "/mutatedpath"
+ validate:
+ message: "Ingress allowed only for prod services"
+ pattern:
+ spec:
+ rules:
+ - http:
+ paths:
+ - path: "*"
+ backend:
+ serviceName: "*prod"
diff --git a/test/NetworkPolicy/policy-network-policy.yaml b/test/NetworkPolicy/policy-network-policy.yaml new file mode 100644
index 0000000000..3e105c687b
--- /dev/null
+++ b/test/NetworkPolicy/policy-network-policy.yaml
@@ -0,0 +1,29 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: policy-network-policy
+spec:
+ rules:
+ - name: np1
+ resource:
+ kind : NetworkPolicy
+ selector:
+ matchLabels:
+ originalLabel: isHere
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path : "/spec/ingress/0/from/0/ipBlock/cidr"
+ op : replace
+ value: "172.17.128.0/17"
+ validate:
+ message: "This network policy does not meet security criteria"
+ pattern:
+ spec:
+ ingress:
+ - from:
+ - ipBlock:
+ except:
+ - 172.17.129.0/24
diff --git a/test/ResourceQuota/policy-quota-validation.yaml b/test/ResourceQuota/policy-quota-validation.yaml new file mode 100644
index 0000000000..fcf59a5173
--- /dev/null
+++ b/test/ResourceQuota/policy-quota-validation.yaml
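Review bot: The validate pattern in policy-network-policy.yaml only requires that `ingress[0].from[0].ipBlock.except` contain `172.17.129.0/24`; nothing constrains `cidr`, so as far as this pattern shows, a NetworkPolicy admitting a much wider block would still pass a check whose message promises "security criteria". The mutate rule in the same hunk rewrites the cidr to `172.17.128.0/17` immediately before, so if validation runs on the mutated object the check adds nothing for any matched resource; adding `cidr: "172.17.128.0/17"` beside `except:` (or narrowing the message to what is checked) would make the example assert what it says.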
@@ -0,0 +1,42 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+ name : policy-quota-low-test-validation
+spec :
+ rules:
+ - name:
+ resource:
+ kind : ResourceQuota
+ selector:
+ matchLabels:
+ quota: low
+ validate:
+ message: "This RQ requests too many RAM"
+ pattern:
+ spec:
+ hard:
+ memory: "8Gi|12Gi"
+ - name:
+ resource:
+ kind : ResourceQuota
+ selector:
+ matchLabels:
+ quota: low
+ validate:
+ message: "This RQ requests too many CPUs"
+ pattern:
+ spec:
+ hard:
+ cpu: <3
+ - name:
+ resource:
+ kind : ResourceQuota
+ selector:
+ matchLabels:
+ quota: low
+ validate:
+ message: "This RQ requests too many PODs"
+ pattern:
+ spec:
+ hard:
+ pods: 1|2|3|4
diff --git a/test/Secret/policy-secret.yaml b/test/Secret/policy-secret.yaml new file mode 100644
index 0000000000..aeae51ad14
--- /dev/null
+++ b/test/Secret/policy-secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: kubepolicy.nirmata.io/v1alpha1
+kind: Policy
+metadata:
+ name: policy-secrets
+spec:
+ rules:
+ - name: secret1
+ resource:
+ kind : Secret
+ name: "mysecret"
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path: "/metadata/labels/originalLabel"
+ op: remove
+ - path : "/data/newPass"
+ op : add
+ value : "bmV3UmFuZG9tUGFzcwo="
+ - path : "/data/password"
+ op : replace
+ value : "Y29tcHJvbWlzZWQK"
+ validate:
+ message: "This type of secrets does not meet security criteria"
+ pattern:
+ type: "Opaque"
diff --git a/test/Secret/secret.yaml b/test/Secret/secret.yaml new file mode 100644
index 0000000000..930487bde9
--- /dev/null
+++ b/test/Secret/secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mysecret
+ labels:
+ originalLabel : isHere
+
+type: Opaque
+data:
+ username: TmlybWF0YQ==
+ password: aXNDb29s
diff --git a/test/Service/policy-service.yaml b/test/Service/policy-service.yaml new file mode 100644
index 0000000000..c92f4c6d21
--- /dev/null
+++ b/test/Service/policy-service.yaml
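Review bot: The messages in policy-quota-validation.yaml need wording fixes: `message: "This RQ requests too many RAM"` should read `too much memory`, and `too many PODs` should be `too many pods`. The three rules share the `quota: low` selector and differ only in their pattern, so a failure report cannot say whether memory, cpu or pods tripped; naming them `rq-memory`, `rq-cpu` and `rq-pods` would disambiguate. The patterns look at `spec.hard.memory`, `cpu` and `pods`, whereas the quota value patched in policy-quota.yaml earlier in this series uses the `limits.memory` key, so the memory rule may never fire against that fixture — the ResourceQuota fixture itself is not in this chunk, so confirm. `cpu: <3` and `pods: 1|2|3|4` are unquoted while policy-StatefulSet.yaml quotes `">20"`; both parse as strings, but one convention is easier to read and grep.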
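Review bot: The mutate rule in policy-secret.yaml writes fixed base64 values into `/data/newPass` and `/data/password` of any Secret named `mysecret`, so credential material travels in the Policy object, which in most clusters is readable by more principals than the Secret it rewrites; for a test fixture that is acceptable, but a comment such as `# test-only throwaway values; do not copy this pattern for real credentials` above `patches:` keeps it from being reused as-is. The validate message says the type "does not meet security criteria" while the pattern `type: "Opaque"` only checks that the type is Opaque; say that directly, e.g. `message: "Secret type must be Opaque"`.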
@@ -0,0 +1,31 @@
+apiVersion : kubepolicy.nirmata.io/v1alpha1
+kind : Policy
+metadata :
+ name : policy-service
+spec :
+ rules:
+ - name: ps1
+ resource:
+ kind: Service
+ name: "game-service*"
+ mutate:
+ patches:
+ - path: "/metadata/labels/isMutated"
+ op: add
+ value: "true"
+ - path : "/metadata/labels/secretLabel"
+ op : replace
+ value : "weKnow"
+ - path : "/metadata/labels/originalLabel"
+ op : remove
+ - path: "/spec/selector/app"
+ op: replace
+ value: "mutedApp"
+ validate:
+ message: "This service has wrong port"
+ pattern:
+ spec:
+ ports:
+ - name: "http"
+ protocol: TCP
+ port: 80|8080
diff --git a/test/Service/service.yaml b/test/Service/service.yaml new file mode 100644
index 0000000000..9ebda125a1
--- /dev/null
+++ b/test/Service/service.yaml
@@ -0,0 +1,15 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: game-service
+ labels:
+ originalLabel : isHere
+ secretLabel : thisIsMySecret
+spec:
+ selector:
+ app: MyApp
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: 9376