
fix(cli): handle excluded resources as pass (#9274)

* fix(cli): handle excluded resources as pass

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* test: add cli test for exclude

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

---------

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
This commit is contained in:
Khaled Emara 2023-12-28 09:16:55 +02:00 committed by GitHub
parent 71739b85ee
commit d5491746e7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 111 additions and 0 deletions


@ -74,6 +74,25 @@ func printTestResult(
testCount++
rows = append(rows, row)
}
// if there are no RuleResponse, the resource has been excluded. This is a pass.
if len(rows) == 0 {
row := table.Row{
RowCompact: table.RowCompact{
ID: testCount,
Policy: color.Policy("", test.Policy),
Rule: color.Rule(test.Rule),
Resource: color.Resource(test.Kind, test.Namespace, resource),
Result: color.ResultPass(),
Reason: color.Excluded(),
IsFailure: false,
},
Message: color.Excluded(),
}
rc.Skip++
testCount++
rows = append(rows, row)
}
}
// if not found
if len(rows) == 0 {
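Review bot: The new `if len(rows) == 0` branch reports every excluded resource as a pass without consulting the result the test file declared for it, so a test written with `result: fail` for a resource the policy's `exclude` block dropped still gets `IsFailure: false` — exactly the case (an over-broad exclusion silently disabling a control) a CLI test should catch. Derive the flag from the expectation instead, along the lines of `IsFailure: test.Result != "skip"` and choose `Result:` from the same comparison (the expected-result field and the constant it compares against live outside this hunk, so those exact names are a guess). The row is also labelled `color.ResultPass()` while the counter is `rc.Skip++`, so the table and the summary disagree on whether an exclusion is a pass or a skip; the fixture's `result: skip` suggests skip is the intended reading. printTestResult both starts and ends outside the hunk.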


@ -52,6 +52,10 @@ func Resource(kind, namespace, name string) string {
return color.BoldFgCyan.Sprint(namespace) + "/" + color.BoldFgCyan.Sprint(kind) + "/" + color.BoldFgCyan.Sprint(name)
}
func Excluded() string {
return color.BoldYellow.Sprint("Excluded")
}
func NotFound() string {
return color.BoldYellow.Sprint("Not found")
}
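Review bot: `Excluded` is a new exported function with no doc comment, which leaves the difference between this reason and the neighbouring `NotFound` unexplained to a reader of the package; add `// Excluded returns the colored reason shown when a rule's exclude block skipped the resource under test.` above the declaration. `NotFound` is undocumented as well, so if that is deliberate house style this is optional.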


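--- /dev/null
+++ b/<path not shown: kyverno-test.yaml>
@@ -0,0 +1,16 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- resources.yaml
+results:
+- kind: Pod
+policy: require-requests-limits
+resources:
+- require-requests-limits-skip
+- ceph-csi/require-requests-limits-failed
+result: skip
+rule: validate-resources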
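Review bot: The two expected resources are named inconsistently: `ceph-csi/require-requests-limits-failed` is namespace-qualified while `require-requests-limits-skip` is not, even though that Pod lives in namespace `test` according to the resources file. If the CLI treats an unqualified name as matching any namespace the fixture still works, but writing it as `test/require-requests-limits-skip` makes the test unambiguous and consistent. The name `require-requests-limits-failed` for a resource whose expected result is `skip` also reads oddly; a name such as `require-requests-limits-excluded-ns` would state what the fixture exercises.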


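--- /dev/null
+++ b/<path not shown: policy.yaml>
@@ -0,0 +1,50 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+name: require-requests-limits
+annotations:
+policies.kyverno.io/title: Require Limits and Requests
+policies.kyverno.io/category: Best Practices
+policies.kyverno.io/severity: medium
+policies.kyverno.io/subject: Pod
+policies.kyverno.io/description: >-
+As application workloads share cluster resources, it is important to limit resources
+requested and consumed by each Pod. It is recommended to require resource requests and
+limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified,
+defaults will automatically be applied to each Pod based on the LimitRange configuration.
+This policy validates that all containers have something specified for memory and CPU
+requests and memory limits.
+spec:
+background: true
+validationFailureAction: enforce
+rules:
+- name: validate-resources
+match:
+any:
+- resources:
+kinds:
+- Pod
+exclude:
+any:
+- resources:
+namespaces:
+- ceph-csi
+- resources:
+kinds:
+- Pod
+selector:
+matchLabels:
+require-requests-limits.kyverno.io/exclude: "true"
+validate:
+message: "CPU and memory resource requests and limits are required."
+pattern:
+spec:
+containers:
+- resources:
+requests:
+memory: "?*"
+cpu: "?*"
+limits:
+memory: "?*"
+cpu: "?*"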


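--- /dev/null
+++ b/<path not shown: resources.yaml>
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+labels:
+require-requests-limits.kyverno.io/exclude: "true"
+name: require-requests-limits-skip
+namespace: test
+spec:
+containers:
+- name: test
+image: nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+name: require-requests-limits-failed
+namespace: ceph-csi
+spec:
+containers:
+- name: test
+image: nginx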