
new policy structure

policies are modified according to new logic
This commit is contained in:
Anton Kostenko 2019-05-21 17:54:55 +03:00
parent 26c826518a
commit e200cdc2a4
34 changed files with 191 additions and 501 deletions


@ -1,14 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: game-config
namespace: default
data:
secretData: "very sensitive data"
secretDatatoreplace: "data is not changed"
game.properties: |
enemies=aliens
lives=3
ui.properties: |
color.good=purple
color.bad=yellow


@ -1,20 +0,0 @@
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata :
name: policy-configmap-test
spec:
rules:
- name: "Policy ConfigMap sample rule"
resource:
kind : ConfigMap
name: "game-config"
mutate:
patches:
- path: "/data/newKey"
op: add
value: newValue
- path: "/data/secretData"
op: remove
- path: "/data/secretDatatoreplace"
op: replace
value: "data is replaced"


@ -1,21 +0,0 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello
labels :
label : "original"
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: hello
image: busybox
args:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
restartPolicy: OnFailure


@ -1,20 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-cronjob
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : CronJob
name: "hello"
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/schedule"
op : replace
value : "* */1 * * *"


@ -40,4 +40,4 @@ spec:
path: /var/log
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers
path: /var/lib/docker/containers


@ -1,21 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-daemonset
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : DaemonSet
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/template/spec/containers/0/image"
op : replace
value: "k8s.gcr.io/fluentd-elasticsearch:latest"


@ -1,34 +0,0 @@
kind: "Deployment"
apiVersion: "extensions/v1beta1"
metadata:
name: "ghost"
labels:
nirmata.io/deployment.name: "ghost"
nirmata.io/application.name: "ghost"
nirmata.io/component: "ghost"
spec:
replicas: 1
revisionHistoryLimit: 5
selector:
matchLabels:
nirmata.io/application.name: "ghost"
nirmata.io/component: "ghost"
strategy:
type: "RollingUpdate"
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
template:
metadata:
labels:
nirmata.io/deployment.name: "ghost"
nirmata.io/application.name: "ghost"
nirmata.io/component: "ghost"
spec:
containers:
- name: "ghost"
image: "ghost:2.9.1-alpine"
ports:
- containerPort: 8080
protocol: "TCP"


@ -1,24 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-deployment-ghost
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Deployment
selector :
matchLabels :
nirmata.io/deployment.name: "ghost"
patch:
- path: /metadata/labels/isMutated
op: add
value: "true"
- path: "/spec/strategy/rollingUpdate/maxSurge"
op: add
value: 5
- path: "/spec/template/spec/containers/0/ports/0"
op: replace
value:
containerPort: 2368
protocol: TCP


@ -1,20 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-deployment
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Deployment
name: nginx-deployment
patch:
- path: /metadata/labels/isMutated
op: add
value: "true"
- path: /metadata/labels/app
op: replace
value: "nginx_is_mutated"


@ -1,13 +0,0 @@
apiVersion: v1
kind: Endpoints
metadata:
name: test-endpoint
labels:
label : test
subsets:
- addresses:
- ip: 192.168.10.171
ports:
- name: secure-connection
port: 443
protocol: TCP


@ -1,25 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-endpoints
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Endpoints
selector:
matchLabels:
label : test
patch:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
- path : "/subsets/0"
op: add
value:
addresses:
- ip: "192.168.10.171"
ports:
- name: load-balancer-connection
port: 80
protocol: UDP


@ -1,20 +0,0 @@
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: wildfly-example
spec:
scaleTargetRef:
apiVersion: extensions/v1beta1
kind: Deployment
name: wildfly-example
minReplicas: 1
maxReplicas: 5
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
- type: Resource
resource:
name: memory
targetAverageValue: 1000Mi


@ -1,20 +1,30 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-hpa
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-hpa
spec :
failurePolicy: stopOnError
rules:
- resource:
- name: hpa1
resource:
kind : HorizontalPodAutoscaler
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels"
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value:
isMutated: "true"
value: "true"
- op: replace
path: "/spec/metrics/1/resource/targetAverageValue"
value: "959Mi"
validate:
message: "There is wrong resorce request or apiVersion"
pattern:
spec:
scaleTargetRef:
apiVersion: extensions/v1beta1
# metrics:
# - type: Resource
# resource:
# name: cpu|memory
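Review bot: The validate pattern pins `scaleTargetRef.apiVersion` to `extensions/v1beta1`, the deprecated Deployment API group, so an HPA that targets an `apps/v1` Deployment is rejected by this sample with a message calling its apiVersion "wrong". If the pattern language supports the `|` alternation the commented-out block hints at (`name: cpu|memory`), `apiVersion: "apps/v1|extensions/v1beta1"` would let the sample follow the cluster's real API instead of enforcing the legacy one. The message also misspells "resource": `message: "Incorrect resource request or apiVersion"`. The four commented-out `# metrics:` lines under `pattern:` should be removed or made real, since commented-out YAML in an example gets copied as if it were supported syntax.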


@ -1,19 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-ingress
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Ingress
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/rules/0/http/paths/0/path"
op : replace
value: "/mutatedpath"


@ -11,4 +11,3 @@ spec:
command: ["perl"]
restartPolicy: Never
backoffLimit: 4


@ -1,17 +1,25 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-job-perl-bigint
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-job-perl-bigint
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Job
- name: job1
resource:
kind: Job
name: pi
patch:
mutate:
patches:
- path : "/spec/template/spec/containers/0/command"
op : add
value: [ "-Mbignum=bpi", "-wle", "print bpi(2000)" ]
- path : "/spec/backoffLimit"
op: add
value: 10
validate:
message: "This job should not be restarted"
pattern:
spec:
template:
spec:
restartPolicy: Never
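Review bot: The first patch uses `add` on `/spec/template/spec/containers/0/command`, and under RFC 6902 an `add` on an existing member replaces it, so the sample Job's `command: ["perl"]` (context in the job hunk above) would become `["-Mbignum=bpi", "-wle", "print bpi(2000)"]` with no executable — assuming the engine applies standard JSON Patch semantics, which is not visible here. Either supply the whole list, `value: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]`, or append one element per `add` at `/spec/template/spec/containers/0/command/-`. The `validate` block's `restartPolicy: Never` check is fine, but its message "This job should not be restarted" conflates pod restart policy with the `backoffLimit: 10` the same rule adds; a message naming the field, `message: "Job pods must use restartPolicy: Never"`, avoids that confusion.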


@ -8,6 +8,7 @@ spec:
limits:
- default:
memory: 512Mi
cpu: 10m
defaultRequest:
memory: 256Mi
type: Container


@ -1,16 +1,24 @@
apiVersion : policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-limitrange
spec :
failurePolicy: stopOnError
rules:
- resource:
- name:
resource:
kind : LimitRange
selector:
matchLabels:
containerSize: minimal
patch:
- path : "/spec/limits/0/default/memory"
mutate:
patches:
- path : "/spec/limits/0/memory"
op : replace
value: "384Mi"
validate:
message: "The CPU value is incorrect"
pattern:
spec:
limits:
- default:
cpu: 9m
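Review bot: The rewritten mutate path `/spec/limits/0/memory` does not exist on a LimitRange (each limits item carries `default`, `defaultRequest`, `max`, `min`, `type`), so an RFC 6902 `replace` has no target and, presumably, the rule errors out; the path on the removed side, `/spec/limits/0/default/memory`, was the correct one. The rule name is also left empty — `- name:` loads as null — while every other converted policy names its rule; give it one, e.g. `- name: limitrange1`. The validate pattern expects `cpu: 9m` but the sample LimitRange in this same commit sets `cpu: 10m`, so the sample will be rejected; if that is the intended negative test, say so in `message`.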


@ -1,8 +1,7 @@
kind: Namespace
apiVersion: v1
metadata:
name: "namespace-not-modified"
labels:
LabelForSelector : "namespace"
replaced : "no"
metadata:
name: namespace-not-modified
labels:
LabelForSelector : "namespace"
replaced : "no"


@ -1,25 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-namespace
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Namespace
name : "namespace-not-modified"
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/name"
op: replace
value: "modified-namespace"


@ -1,27 +1,21 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata :
name : policy-namespace
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Namespace
selector:
matchLabels:
LabelForSelector : "namespace"
patch:
- path: "/metadata/labels/replaced"
op: add
value: "yes"
- path: "/metadata/name"
op: replace
value: "modified-namespace-name"
- name: ns1
resource:
kind : Namespace
selector:
matchLabels:
LabelForSelector : "namespace"
mutate:
patches:
- path: "/metadata/labels/replaced"
op: add
value: "yes"
- path: "/metadata/name"
op: replace
value: "modified-namespace"
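Review bot: The second patch renames the Namespace during admission (`/metadata/name` → `modified-namespace`), so the object created from the manifest named `namespace-not-modified` comes back under a different name and anything that later looks it up by the manifest name (`kubectl get -f`, name-scoped rules) misses it. Whether the API server accepts a name change from a mutating webhook on CREATE should be confirmed for the target version; if it does not, the whole policy fails under the `failurePolicy: stopOnError` left in this file. If the sample only needs to demonstrate a label mutation, dropping the `/metadata/name` patch keeps it predictable. The `metadata :` / `spec :` spacing is also out of step with the `apiVersion:` / `kind:` lines this commit rewrote.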


@ -1,21 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-network-policy
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : NetworkPolicy
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/ingress/0/from/0/ipBlock/cidr"
op : replace
value: "172.17.128.0/17"


@ -1,17 +1,24 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-pvc
spec :
failurePolicy: stopOnError
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-pvc
spec:
rules:
- resource:
- name: pvc1
resource:
kind : PersistentVolumeClaim
matchLabels:
originalLabel: isHere
patch:
mutate:
patches:
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/resources/requests/storage"
op : replace
value: "6Gi"
validate:
message: "I don't like this pvc"
pattern:
spec:
accessModes:
- ReadWrite
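Review bot: `matchLabels` sits directly under `resource:` here rather than under `resource.selector` as in every other policy converted by this commit, so under the new structure the label selector is presumably ignored and the rule applies to every PersistentVolumeClaim in the cluster — removing `originalLabel` and forcing `storage: 6Gi` on all of them. Nest it as `selector:` → `matchLabels:` → `originalLabel: isHere` (those two lines are unchanged context from the old layout). The validate pattern `accessModes: [ReadWrite]` also cannot match any legal access mode (`ReadWriteOnce`, `ReadWriteMany`, `ReadOnlyMany`), so unless rejecting every PVC is the intended demonstration, `- "ReadWrite*"` is likely what was meant; the message "I don't like this pvc" should name the field being checked.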


@ -1,17 +1,25 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-pdb
spec :
failurePolicy: stopOnError
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-pdb
spec:
rules:
- resource:
- name: pdb1
resource:
kind : PodDisruptionBudget
name: "game-pdb"
patch:
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/minAvailable"
op : replace
value: "5%"
validate:
message: "This PDB has the wrong selector"
pattern:
spec:
selector:
matchLabels:
app: "zoo*"
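Review bot: The `replace` on `/spec/minAvailable` requires that field to already exist; a PDB written with `maxUnavailable` instead has no target, and under RFC 6902 semantics the rule would fail for it. Since the rule selects by `name: "game-pdb"` only, the blast radius is one object, but the sample PDB is not in view here — if it may use `maxUnavailable`, `op: add` (which also overwrites an existing member) is the safer choice. The validate message "This PDB has the wrong selector" could state the rule, e.g. `message: "PDB selector app label must match zoo*"`.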


@ -1,16 +1,16 @@
apiVersion: v1
kind: PodTemplate
metadata:
metadata:
name: nginx-test
labels:
labels:
app: nginx
originalLabel: isHere
template:
spec:
containers:
template:
spec:
containers:
- name: redis
image: redis
ports:
ports:
- containerPort: 80
protocol: TCP
restartPolicy: Always


@ -1,21 +1,32 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : test-podtemplate
spec :
failurePolicy: stopOnError
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: test-podtemplate
spec:
rules:
- resource:
- name: podtemplate1
resource:
kind : PodTemplate
selector:
matchLabels:
originalLabel: isHere
patch:
mutate:
patches:
- path: "/metadata/labels/app"
op : replace
value : mutedApp
- path: "/template/spec/containers/0/name"
op : replace
value : my-mutated-app
- path: "/metadata/labels/originalLabel"
op : remove
value : mongodb
- path: "/template/spec/containers/0/image"
op : replace
value : mongodb
validate:
message: "Port 80 is not for redis"
pattern:
template:
spec:
containers:
- name: "!redis"
ports:
- containerPort: 80
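Review bot: The `remove` patch at `/metadata/labels/originalLabel` carries a stray `value : mongodb`, a copy-paste leftover from the image patch below it; RFC 6902 ignores `value` on `remove`, but it reads as though the label were being set. The image patch rewrites the container image to the bare `mongodb`, i.e. an unpinned `:latest` — a sample that demonstrates image mutation should pin a tag (`value : mongodb:<tag>`) so the mutated workload is reproducible and not silently upgraded on the next pull. If mutation is applied before validation, the `name: "!redis"` / `containerPort: 80` pattern is evaluated against the already-renamed container and passes trivially; that ordering is not visible here, so confirm it is what the sample intends.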


@ -29,37 +29,38 @@ test-endpoint 192.168.10.171:443 6s
```
We just created an endpoints resource and made sure that it was created without changes. Let's remove it now and try to create it again, but with an active policy for endpoints resources.
```
> kubectl delete -f test/endpoints.yaml
> kubectl delete -f test/endpoints.yaml
endpoints "test-endpoint" deleted
```
We have this a policy for enpoints (`examples/Endpoints/policy-endpoint.yaml`):
```
apiVersion : policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-endpoints
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Endpoints
selector:
matchLabels:
label : test
patch:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
- path : "/subsets/0"
op: add
value:
addresses:
- ip: "192.168.10.171"
ports:
- name: additional-connection
port: 80
protocol: UDP
- name:
resource:
kind : Endpoints
selector:
matchLabels:
label : test
mutate:
patches:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
- path : "/subsets/0"
op: add
value:
addresses:
- ip: "192.168.10.171"
ports:
- name: load-balancer-connection
port: 80
protocol: UDP
```
This policy does 2 patches:
@ -68,9 +69,9 @@ This policy does 2 patches:
Let's apply this policy and create the endpoints again to see the changes:
```
> kubectl create -f examples/Endpoints/policy-endpoints.yaml
> kubectl create -f examples/Endpoints/policy-endpoints.yaml
policy.policy.nirmata.io/policy-endpoints created
> kubectl create -f examples/Endpoints/endpoints.yaml
> kubectl create -f examples/Endpoints/endpoints.yaml
endpoints/test-endpoint created
> kubectl get -f examples/Endpoints/endpoints.yaml
NAME ENDPOINTS AGE


@ -1,19 +1,20 @@
apiVersion : policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-quota-low-test
spec :
failurePolicy: stopOnError
rules:
- resource:
- name:
resource:
kind : ResourceQuota
selector:
matchLabels:
quota: low
patch:
mutate:
patches:
- path : "/spec/scopeSelector/matchExpressions/1"
op : add
value :
value :
operator : In
scopeName: PriorityClass
values: ["low-medium"]
@ -25,4 +26,7 @@ spec :
"pods": "10",
"limits.memory": "12Gi",
"requests.nvidia.com/gpu": "8"
}
}
- path : "/metadata/labels/quota-soft"
op : replace
value : replaced
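Review bot: The rule name is left empty (`- name:`), which YAML loads as null; every other converted policy gives its rule a name, so add one, e.g. `- name: quota1`. The added `replace` on `/metadata/labels/quota-soft` requires that label to already exist on the ResourceQuota under RFC 6902 — the sample quota is not in view here, so if it does not carry the label, use `op : add`, which also overwrites an existing member. The rule's other patches start in the earlier hunk of this file.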


@ -1,22 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-secrets
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Secret
name: "mysecret"
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/data/newPass"
op : add
value : "bmV3UmFuZG9tUGFzcwo="
- path : "/data/password"
op : replace
value : "Y29tcHJvbWlzZWQK"


@ -1,11 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: mysecret
labels:
originalLabel : isHere
type: Opaque
data:
username: QXByaW9yaXQK
password: cXVlc3QxIQo=


@ -1,17 +0,0 @@
kind: Service
apiVersion: v1
metadata:
name: game-service
labels:
originalLabel : isHere
secretLabel : thisIsMySecret
spec:
selector:
app: MyApp
ports:
- name: http
protocol: TCP
port: 80
targetPort: 9376


@ -1,23 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-service
spec :
failurePolicy: stopOnError
rules:
- resource:
kind: Service
name: game-service
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/metadata/labels/secretLabel"
op : replace
value : "weKnow"
- path : "/metadata/labels/originalLabel"
op : remove
- path: "/spec/selector/app"
op: replace
value: "mutedApp"


@ -2,32 +2,29 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
name: game-web
labels:
originalLabel : isHere
spec:
selector:
matchLabels:
app: nginx-but-no # has to match .spec.template.metadata.labels
serviceName: "nginx-but-no"
app: nginxo # has to match .spec.template.metadata.labels
serviceName: "nginxo"
replicas: 3 # by default is 1
template:
metadata:
labels:
app: nginx-but-no # has to match .spec.selector.matchLabels
app: nginxo # has to match .spec.selector.matchLabels
spec:
terminationGracePeriodSeconds: 10
containers:
- name: nginx-but-no
- name: nginxo
image: k8s.gcr.io/nginx-but-no-slim:0.8
ports:
- containerPort: 8780
name: webp
volumeMounts:
- name: www
mountPath: /usr/share/nginx-but-no/html
mountPath: /usr/share/nginxo/html
volumeClaimTemplates:
- metadata:
name: www


@ -1,16 +1,17 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-statefulset
spec :
failurePolicy: stopOnError
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-statefulset
spec:
rules:
- resource:
- name: statefulset1
resource:
kind : StatefulSet
selector:
matchLabels:
originalLabel: isHere
patch:
mutate:
patches:
- path: "/spec/template/metadata/labels/isMutated"
op: add
value: "true"
@ -22,3 +23,15 @@ spec :
- path : "/spec/serviceName"
op : replace
value : "not-a-nginx"
validate:
message: "This SS is broken"
pattern:
spec:
replicas: ">20"
volumeClaimTemplates:
- metadata:
name: www
spec:
resources:
requests:
storage: "<50Gi"
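Review bot: The validate pattern requires `replicas: ">20"` and a `www` claim under `"<50Gi"`, while the sample StatefulSet in this same commit has `replicas: 3`, so creating the sample will be rejected with "This SS is broken" — presumably a deliberate negative test, but the message should say what is wrong, e.g. `message: "StatefulSet needs more than 20 replicas and less than 50Gi per www claim"`. Whether `>`/`<` comparisons apply to resource quantities like `50Gi` rather than to strings is not visible here; confirm the engine parses the unit before relying on it. The rule's mutate patches begin in the previous hunk of this file.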