From e200cdc2a412d820c3d3c9b78a1ffadfa655e55c Mon Sep 17 00:00:00 2001 
From: Anton Kostenko Date: Tue, 21 May 2019 17:54:55 +0300 Subject: [PATCH] new policy structure policies are modified according to new logic --- test/ConfigMap/configMap.yaml | 14 ------ test/ConfigMap/policy-ConfigMap.yaml | 20 -------- test/CronJob/cronjob.yaml | 21 --------- test/CronJob/policy-CronJob.yaml | 20 -------- test/DaemonSet/DaemonSet.yaml | 2 +- test/DaemonSet/policy-ds.yaml | 21 --------- test/Deployment/ghost-deployment.yaml | 34 -------------- test/Deployment/policy-deployment-ghost.yaml | 24 ---------- test/Deployment/policy-deployment.yaml | 20 -------- test/Endpoints/endpoints.yaml | 13 ----- test/Endpoints/policy-endpoints.yaml | 25 ---------- .../HorizontalPodAutoscaler.yaml | 20 -------- test/HorizontalPodAutoscaler/policy-hpa.yaml | 30 ++++++++---- test/Ingress/policy-ingess.yaml | 19 -------- test/Job/job.yaml | 1 - test/Job/policy-job.yaml | 24 ++++++---- test/LimitRange/limitrange.yaml | 1 + test/LimitRange/policy-limitrange.yaml | 18 +++++-- test/Namespace/namespace.yaml | 11 ++--- test/Namespace/policy-namespace-by-name.yaml | 25 ---------- test/Namespace/policy-namespace.yaml | 38 +++++++-------- test/NetworkPolicy/policy-networkpolicy.yaml | 21 --------- test/PersistentVolumeClaim/policy-PVC.yaml | 23 +++++---- test/PodDisruptionBudget/policy-pdb.yaml | 24 ++++++---- test/PodTemplate/PodTemplate.yaml | 12 ++--- test/PodTemplate/policy-PodTemplate.yaml | 33 ++++++++----- test/README.md | 47 ++++++++++--------- test/ResourceQuota/policy-quota.yaml | 16 ++++--- test/Secrets/policy-secrets.yaml | 22 --------- test/Secrets/secrets.yaml | 11 ----- test/Services/Services.yaml | 17 ------- test/Services/policy-Service.yaml | 23 --------- test/StatefulSet/StatefulSet.yaml | 13 ++--- test/StatefulSet/policy-StatefulSet.yaml | 29 ++++++++---- 34 files changed, 191 insertions(+), 501 deletions(-) delete mode 100644 test/ConfigMap/configMap.yaml delete mode 100644 test/ConfigMap/policy-ConfigMap.yaml delete mode 100644 test/CronJob/cronjob.yaml 
delete mode 100644 test/CronJob/policy-CronJob.yaml delete mode 100644 test/DaemonSet/policy-ds.yaml delete mode 100644 test/Deployment/ghost-deployment.yaml delete mode 100644 test/Deployment/policy-deployment-ghost.yaml delete mode 100644 test/Deployment/policy-deployment.yaml delete mode 100644 test/Endpoints/endpoints.yaml delete mode 100644 test/Endpoints/policy-endpoints.yaml delete mode 100644 test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml delete mode 100644 test/Ingress/policy-ingess.yaml delete mode 100644 test/Namespace/policy-namespace-by-name.yaml delete mode 100644 test/NetworkPolicy/policy-networkpolicy.yaml delete mode 100644 test/Secrets/policy-secrets.yaml delete mode 100644 test/Secrets/secrets.yaml delete mode 100644 test/Services/Services.yaml delete mode 100644 test/Services/policy-Service.yaml diff --git a/test/ConfigMap/configMap.yaml b/test/ConfigMap/configMap.yaml deleted file mode 100644 index 80f31212ae..0000000000 --- a/test/ConfigMap/configMap.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: game-config - namespace: default -data: - secretData: "very sensitive data" - secretDatatoreplace: "data is not changed" - game.properties: | - enemies=aliens - lives=3 - ui.properties: | - color.good=purple - color.bad=yellow diff --git a/test/ConfigMap/policy-ConfigMap.yaml b/test/ConfigMap/policy-ConfigMap.yaml deleted file mode 100644 index 10af719567..0000000000 --- a/test/ConfigMap/policy-ConfigMap.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion : kubepolicy.nirmata.io/v1alpha1 -kind: Policy -metadata : - name: policy-configmap-test -spec: - rules: - - name: "Policy ConfigMap sample rule" - resource: - kind : ConfigMap - name: "game-config" - mutate: - patches: - - path: "/data/newKey" - op: add - value: newValue - - path: "/data/secretData" - op: remove - - path: "/data/secretDatatoreplace" - op: replace - value: "data is replaced" 
diff --git a/test/CronJob/cronjob.yaml b/test/CronJob/cronjob.yaml deleted file mode 100644 index 778253d7e2..0000000000 --- a/test/CronJob/cronjob.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: hello - labels : - label : "original" - -spec: - schedule: "*/1 * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: hello - image: busybox - args: - - /bin/sh - - -c - - date; echo Hello from the Kubernetes cluster - restartPolicy: OnFailure diff --git a/test/CronJob/policy-CronJob.yaml b/test/CronJob/policy-CronJob.yaml deleted file mode 100644 index 52f287c0d1..0000000000 --- a/test/CronJob/policy-CronJob.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-cronjob - -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : CronJob - name: "hello" - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path : "/spec/schedule" - op : replace - value : "* */1 * * *" - - diff --git a/test/DaemonSet/DaemonSet.yaml b/test/DaemonSet/DaemonSet.yaml index 1bf8993f80..c6d30247fe 100644 --- a/test/DaemonSet/DaemonSet.yaml +++ b/test/DaemonSet/DaemonSet.yaml @@ -40,4 +40,4 @@ spec: path: /var/log - name: varlibdockercontainers hostPath: - path: /var/lib/docker/containers \ No newline at end of file + path: /var/lib/docker/containers diff --git a/test/DaemonSet/policy-ds.yaml b/test/DaemonSet/policy-ds.yaml deleted file mode 100644 index a0f8bfc2cf..0000000000 --- a/test/DaemonSet/policy-ds.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-daemonset -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : DaemonSet - selector: - matchLabels: - originalLabel: isHere - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path: "/metadata/labels/originalLabel" - op: remove - - path : "/spec/template/spec/containers/0/image" - op : replace - value: "k8s.gcr.io/fluentd-elasticsearch:latest" diff --git a/test/Deployment/ghost-deployment.yaml b/test/Deployment/ghost-deployment.yaml deleted file mode 100644 index 8bf95b9788..0000000000 --- a/test/Deployment/ghost-deployment.yaml +++ /dev/null @@ -1,34 +0,0 @@ -kind: "Deployment" -apiVersion: "extensions/v1beta1" -metadata: - name: "ghost" - labels: - nirmata.io/deployment.name: "ghost" - nirmata.io/application.name: "ghost" - nirmata.io/component: "ghost" -spec: - replicas: 1 - revisionHistoryLimit: 5 - selector: - matchLabels: - nirmata.io/application.name: "ghost" - nirmata.io/component: "ghost" - strategy: - type: "RollingUpdate" - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - nirmata.io/deployment.name: "ghost" - nirmata.io/application.name: "ghost" - nirmata.io/component: "ghost" - spec: - containers: - - name: "ghost" - image: "ghost:2.9.1-alpine" - ports: - - containerPort: 8080 - protocol: "TCP" - diff --git a/test/Deployment/policy-deployment-ghost.yaml b/test/Deployment/policy-deployment-ghost.yaml deleted file mode 100644 index 758f187945..0000000000 --- a/test/Deployment/policy-deployment-ghost.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-deployment-ghost -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Deployment - selector : - matchLabels : - nirmata.io/deployment.name: "ghost" - patch: - - path: /metadata/labels/isMutated - op: add - value: "true" - - path: "/spec/strategy/rollingUpdate/maxSurge" - op: add - value: 5 - - path: "/spec/template/spec/containers/0/ports/0" - op: replace - value: - containerPort: 2368 - protocol: TCP diff --git a/test/Deployment/policy-deployment.yaml b/test/Deployment/policy-deployment.yaml deleted file mode 100644 index 4bc0f23fd2..0000000000 --- a/test/Deployment/policy-deployment.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-deployment -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Deployment - name: nginx-deployment - patch: - - path: /metadata/labels/isMutated - op: add - value: "true" - - path: /metadata/labels/app - op: replace - value: "nginx_is_mutated" - - - diff --git a/test/Endpoints/endpoints.yaml b/test/Endpoints/endpoints.yaml deleted file mode 100644 index 792a83da96..0000000000 --- a/test/Endpoints/endpoints.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Endpoints -metadata: - name: test-endpoint - labels: - label : test -subsets: -- addresses: - - ip: 192.168.10.171 - ports: - - name: secure-connection - port: 443 - protocol: TCP \ No newline at end of file diff --git a/test/Endpoints/policy-endpoints.yaml b/test/Endpoints/policy-endpoints.yaml deleted file mode 100644 index 2a8c09dda5..0000000000 --- a/test/Endpoints/policy-endpoints.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-endpoints -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Endpoints - selector: - matchLabels: - label : test - patch: - - path : "/subsets/0/ports/0/port" - op : replace - value: 9663 - - path : "/subsets/0" - op: add - value: - addresses: - - ip: "192.168.10.171" - ports: - - name: load-balancer-connection - port: 80 - protocol: UDP \ No newline at end of file diff --git a/test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml b/test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml deleted file mode 100644 index b8a029ac16..0000000000 --- a/test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: wildfly-example -spec: - scaleTargetRef: - apiVersion: extensions/v1beta1 - kind: Deployment - name: wildfly-example - minReplicas: 1 - maxReplicas: 5 - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: 80 - - type: Resource - resource: - name: memory - targetAverageValue: 1000Mi diff --git a/test/HorizontalPodAutoscaler/policy-hpa.yaml b/test/HorizontalPodAutoscaler/policy-hpa.yaml index ba0640c9f3..840c41fc46 100644 --- a/test/HorizontalPodAutoscaler/policy-hpa.yaml +++ b/test/HorizontalPodAutoscaler/policy-hpa.yaml 
@@ -1,20 +1,30 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-hpa +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-hpa spec : - failurePolicy: stopOnError rules: - - resource: + - name: hpa1 + resource: kind : HorizontalPodAutoscaler selector: matchLabels: originalLabel: isHere - patch: - - path: "/metadata/labels" + mutate: + patches: + - path: "/metadata/labels/isMutated" op: add - value: - isMutated: "true" + value: "true" - op: replace path: "/spec/metrics/1/resource/targetAverageValue" value: "959Mi" + validate: + message: "There is wrong resorce request or apiVersion" + pattern: + spec: + scaleTargetRef: + apiVersion: extensions/v1beta1 +# metrics: +# - type: Resource +# resource: +# name: cpu|memory diff --git a/test/Ingress/policy-ingess.yaml b/test/Ingress/policy-ingess.yaml deleted file mode 100644 index 8151a1dd73..0000000000 --- a/test/Ingress/policy-ingess.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-ingress -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Ingress - selector: - matchLabels: - originalLabel: isHere - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path : "/spec/rules/0/http/paths/0/path" - op : replace - value: "/mutatedpath" diff --git a/test/Job/job.yaml b/test/Job/job.yaml index e5a2e20bdd..c569475ff7 100644 --- a/test/Job/job.yaml +++ b/test/Job/job.yaml @@ -11,4 +11,3 @@ spec: command: ["perl"] restartPolicy: Never backoffLimit: 4 - diff --git a/test/Job/policy-job.yaml b/test/Job/policy-job.yaml index 29d003de2a..eb023a8bf4 100644 --- a/test/Job/policy-job.yaml +++ b/test/Job/policy-job.yaml 
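Review bot: Removing `failurePolicy: stopOnError` from `spec` in policy-hpa.yaml leaves nothing in the manifest that says what happens when one of the `mutate.patches` cannot be applied. The same line is removed from the job, limitrange, namespace, PVC, PDB, PodTemplate, quota and StatefulSet policies in this commit. For an admission-time policy this decides whether a resource is rejected or admitted unmodified, so the new default should be written down, for example as a comment above `rules:` such as `# a patch that cannot be applied rejects the request` once that behaviour is confirmed. The added `validate.message` has a typo; `message: "Wrong resource request or apiVersion"` reads better. The commented-out `metrics` pattern at the end should be either enabled or dropped.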
@@ -1,17 +1,25 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-job-perl-bigint +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-job-perl-bigint spec : - failurePolicy: stopOnError rules: - - resource: - kind : Job + - name: job1 + resource: + kind: Job name: pi - patch: + mutate: + patches: - path : "/spec/template/spec/containers/0/command" op : add value: [ "-Mbignum=bpi", "-wle", "print bpi(2000)" ] - path : "/spec/backoffLimit" op: add value: 10 + validate: + message: "This job should not be restarted" + pattern: + spec: + template: + spec: + restartPolicy: Never diff --git a/test/LimitRange/limitrange.yaml b/test/LimitRange/limitrange.yaml index 7f72ceea26..b37a69aa09 100644 --- a/test/LimitRange/limitrange.yaml +++ b/test/LimitRange/limitrange.yaml @@ -8,6 +8,7 @@ spec: limits: - default: memory: 512Mi + cpu: 10m defaultRequest: memory: 256Mi type: Container diff --git a/test/LimitRange/policy-limitrange.yaml b/test/LimitRange/policy-limitrange.yaml index e6269c2c4d..79d3c7bf45 100644 --- a/test/LimitRange/policy-limitrange.yaml +++ b/test/LimitRange/policy-limitrange.yaml @@ -1,16 +1,24 @@ -apiVersion : policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind : Policy metadata : name : policy-limitrange spec : - failurePolicy: stopOnError rules: - - resource: + - name: + resource: kind : LimitRange selector: matchLabels: containerSize: minimal - patch: - - path : "/spec/limits/0/default/memory" + mutate: + patches: + - path : "/spec/limits/0/memory" op : replace value: "384Mi" + validate: + message: "The CPU value is incorrect" + pattern: + spec: + limits: + - default: + cpu: 9m diff --git a/test/Namespace/namespace.yaml b/test/Namespace/namespace.yaml index 1ddf14d9fc..c83e3cc729 100644 --- a/test/Namespace/namespace.yaml +++ b/test/Namespace/namespace.yaml 
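Review bot: In policy-limitrange.yaml the patch path changes from `/spec/limits/0/default/memory` to `/spec/limits/0/memory`, but the limitrange.yaml fixture in this commit only has `memory` under `default` and `defaultRequest`. If the patches follow JSON Patch (RFC 6902) semantics, an `op : replace` on a path that does not exist fails, so this should stay `- path : "/spec/limits/0/default/memory"`. The rule is also added as `- name:` with no value, which parses as null, while the other policies use names like `job1`; `- name: limitrange1` would match them, and policy-quota.yaml has the same empty `- name:`. The pattern expects `cpu: 9m` while the fixture adds `cpu: 10m`; if that mismatch is a deliberate failing case, a comment saying so would help.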
@@ -1,8 +1,7 @@ kind: Namespace apiVersion: v1 -metadata: - name: "namespace-not-modified" - labels: - LabelForSelector : "namespace" - replaced : "no" - +metadata: + name: namespace-not-modified + labels: + LabelForSelector : "namespace" + replaced : "no" diff --git a/test/Namespace/policy-namespace-by-name.yaml b/test/Namespace/policy-namespace-by-name.yaml deleted file mode 100644 index 4f3ec6636a..0000000000 --- a/test/Namespace/policy-namespace-by-name.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 - -kind : Policy - -metadata : - name : policy-namespace - -spec : - failurePolicy: stopOnError - - rules: - - resource: - kind : Namespace - name : "namespace-not-modified" - - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path: "/metadata/name" - op: replace - value: "modified-namespace" - - - diff --git a/test/Namespace/policy-namespace.yaml b/test/Namespace/policy-namespace.yaml index 2bddde6394..9ef999212f 100644 --- a/test/Namespace/policy-namespace.yaml +++ b/test/Namespace/policy-namespace.yaml @@ -1,27 +1,21 @@ -apiVersion : policy.nirmata.io/v1alpha1 - -kind : Policy - +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy metadata : name : policy-namespace spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Namespace - selector: - matchLabels: - LabelForSelector : "namespace" - - patch: - - path: "/metadata/labels/replaced" - op: add - value: "yes" - - path: "/metadata/name" - op: replace - value: "modified-namespace-name" - - - + - name: ns1 + resource: + kind : Namespace + selector: + matchLabels: + LabelForSelector : "namespace" + mutate: + patches: + - path: "/metadata/labels/replaced" + op: add + value: "yes" + - path: "/metadata/name" + op: replace + value: "modified-namespace" diff --git a/test/NetworkPolicy/policy-networkpolicy.yaml b/test/NetworkPolicy/policy-networkpolicy.yaml deleted file mode 100644 index 1ae08fbcd0..0000000000 
--- a/test/NetworkPolicy/policy-networkpolicy.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-network-policy -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : NetworkPolicy - selector: - matchLabels: - originalLabel: isHere - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path: "/metadata/labels/originalLabel" - op: remove - - path : "/spec/ingress/0/from/0/ipBlock/cidr" - op : replace - value: "172.17.128.0/17" diff --git a/test/PersistentVolumeClaim/policy-PVC.yaml b/test/PersistentVolumeClaim/policy-PVC.yaml index 533c02d721..4a05f586af 100644 --- a/test/PersistentVolumeClaim/policy-PVC.yaml +++ b/test/PersistentVolumeClaim/policy-PVC.yaml @@ -1,17 +1,24 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-pvc -spec : - failurePolicy: stopOnError +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-pvc +spec: rules: - - resource: + - name: pvc1 + resource: kind : PersistentVolumeClaim matchLabels: originalLabel: isHere - patch: + mutate: + patches: - path: "/metadata/labels/originalLabel" op: remove - path : "/spec/resources/requests/storage" op : replace value: "6Gi" + validate: + message: "I don't like this pvc" + pattern: + spec: + accessModes: + - ReadWrite diff --git a/test/PodDisruptionBudget/policy-pdb.yaml b/test/PodDisruptionBudget/policy-pdb.yaml index 6b9fa18a67..736d0199d4 100644 --- a/test/PodDisruptionBudget/policy-pdb.yaml +++ b/test/PodDisruptionBudget/policy-pdb.yaml 
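Review bot: The added `validate.pattern` in policy-PVC.yaml lists `- ReadWrite` under `accessModes`, which is not a Kubernetes access-mode value (`ReadWriteOnce`, `ReadWriteMany`, `ReadOnlyMany`). Unless the engine does prefix matching, which is not visible here, no claim can satisfy it. If a prefix match is intended, write it with the wildcard form the PDB policy uses for `"zoo*"`, i.e. `- "ReadWrite*"`; otherwise name the exact mode, e.g. `- ReadWriteOnce`. As rendered here, `matchLabels:` also follows `kind : PersistentVolumeClaim` with no `selector:` key in between, unlike the other policies, so the label filter may be ignored. The message `"I don't like this pvc"` does not tell the user what to fix; something like `message: "PVC accessModes must be ReadWriteOnce"` would.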
@@ -1,17 +1,25 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-pdb -spec : - failurePolicy: stopOnError +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-pdb +spec: rules: - - resource: + - name: pdb1 + resource: kind : PodDisruptionBudget name: "game-pdb" - patch: + mutate: + patches: - path: "/metadata/labels/isMutated" op: add value: "true" - path : "/spec/minAvailable" op : replace value: "5%" + validate: + message: "This PDB has the wrong selector" + pattern: + spec: + selector: + matchLabels: + app: "zoo*" diff --git a/test/PodTemplate/PodTemplate.yaml b/test/PodTemplate/PodTemplate.yaml index 18b7c7e9f3..08c1fb5239 100644 --- a/test/PodTemplate/PodTemplate.yaml +++ b/test/PodTemplate/PodTemplate.yaml @@ -1,16 +1,16 @@ apiVersion: v1 kind: PodTemplate -metadata: +metadata: name: nginx-test - labels: + labels: app: nginx originalLabel: isHere -template: - spec: - containers: +template: + spec: + containers: - name: redis image: redis - ports: + ports: - containerPort: 80 protocol: TCP restartPolicy: Always diff --git a/test/PodTemplate/policy-PodTemplate.yaml b/test/PodTemplate/policy-PodTemplate.yaml index b084af9cd7..dbe7b01e2a 100644 --- a/test/PodTemplate/policy-PodTemplate.yaml +++ b/test/PodTemplate/policy-PodTemplate.yaml 
@@ -1,21 +1,32 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : test-podtemplate -spec : - failurePolicy: stopOnError +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: test-podtemplate +spec: rules: - - resource: + - name: podtemplate1 + resource: kind : PodTemplate selector: matchLabels: originalLabel: isHere - patch: + mutate: + patches: - path: "/metadata/labels/app" op : replace value : mutedApp - path: "/template/spec/containers/0/name" op : replace - value : my-mutated-app - - path: "/metadata/labels/originalLabel" - op : remove + value : mongodb + - path: "/template/spec/containers/0/image" + op : replace + value : mongodb + validate: + message: "Port 80 is not for redis" + pattern: + template: + spec: + containers: + - name: "!redis" + ports: + - containerPort: 80 diff --git a/test/README.md b/test/README.md index c2b5edb2bb..83136b4cb8 100644 --- a/test/README.md +++ b/test/README.md 
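Review bot: The rule in policy-PodTemplate.yaml renames container 0 from the fixture's `redis` to `mongodb` and also validates `name: "!redis"` on port 80, so the outcome depends on whether `validate` sees the resource before or after `mutate`. That ordering is not visible in this diff. A comment above `validate:` stating the expected result, e.g. `# evaluated after mutate: container is already mongodb, so this passes`, would make the test's intent checkable once the ordering is confirmed. The replaced image value `mongodb` carries no tag or digest, so it resolves to whatever `latest` is at pull time; prefer a pinned reference such as `value : "mongodb:<pinned-tag>"` (placeholder).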
@@ -29,37 +29,38 @@ test-endpoint 192.168.10.171:443 6s ``` We just created an endpoints resource and made sure that it was created without changes. Let's remove it now and try to create it again, but with an active policy for endpoints resources. ``` -> kubectl delete -f test/endpoints.yaml +> kubectl delete -f test/endpoints.yaml endpoints "test-endpoint" deleted ``` We have this a policy for enpoints (`examples/Endpoints/policy-endpoint.yaml`): ``` -apiVersion : policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind : Policy metadata : name : policy-endpoints spec : - failurePolicy: stopOnError rules: - - resource: - kind : Endpoints - selector: - matchLabels: - label : test - patch: - - path : "/subsets/0/ports/0/port" - op : replace - value: 9663 - - path : "/subsets/0" - op: add - value: - addresses: - - ip: "192.168.10.171" - ports: - - name: additional-connection - port: 80 - protocol: UDP + - name: + resource: + kind : Endpoints + selector: + matchLabels: + label : test + mutate: + patches: + - path : "/subsets/0/ports/0/port" + op : replace + value: 9663 + - path : "/subsets/0" + op: add + value: + addresses: + - ip: "192.168.10.171" + ports: + - name: load-balancer-connection + port: 80 + protocol: UDP ``` This policy does 2 patches: @@ -68,9 +69,9 @@ This policy does 2 patches: Let's apply this policy and create the endpoints again to see the changes: ``` -> kubectl create -f examples/Endpoints/policy-endpoints.yaml +> kubectl create -f examples/Endpoints/policy-endpoints.yaml policy.policy.nirmata.io/policy-endpoints created -> kubectl create -f examples/Endpoints/endpoints.yaml +> kubectl create -f examples/Endpoints/endpoints.yaml endpoints/test-endpoint created > kubectl get -f examples/Endpoints/endpoints.yaml NAME ENDPOINTS AGE diff --git a/test/ResourceQuota/policy-quota.yaml b/test/ResourceQuota/policy-quota.yaml index f4190e87e8..89248787fe 100644 --- a/test/ResourceQuota/policy-quota.yaml 
+++ b/test/ResourceQuota/policy-quota.yaml @@ -1,19 +1,20 @@ -apiVersion : policy.nirmata.io/v1alpha1 +apiVersion : kubepolicy.nirmata.io/v1alpha1 kind : Policy metadata : name : policy-quota-low-test spec : - failurePolicy: stopOnError rules: - - resource: + - name: + resource: kind : ResourceQuota selector: matchLabels: quota: low - patch: + mutate: + patches: - path : "/spec/scopeSelector/matchExpressions/1" op : add - value : + value : operator : In scopeName: PriorityClass values: ["low-medium"] @@ -25,4 +26,7 @@ spec : "pods": "10", "limits.memory": "12Gi", "requests.nvidia.com/gpu": "8" - } \ No newline at end of file + } + - path : "/metadata/labels/quota-soft" + op : replace + value : replaced diff --git a/test/Secrets/policy-secrets.yaml b/test/Secrets/policy-secrets.yaml deleted file mode 100644 index 4dbc5d4ae2..0000000000 --- a/test/Secrets/policy-secrets.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-secrets -spec : - failurePolicy: stopOnError - rules: - - resource: - kind : Secret - name: "mysecret" - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path: "/metadata/labels/originalLabel" - op: remove - - path : "/data/newPass" - op : add - value : "bmV3UmFuZG9tUGFzcwo=" - - path : "/data/password" - op : replace - value : "Y29tcHJvbWlzZWQK" diff --git a/test/Secrets/secrets.yaml b/test/Secrets/secrets.yaml deleted file mode 100644 index 6794580532..0000000000 --- a/test/Secrets/secrets.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: mysecret - labels: - originalLabel : isHere - -type: Opaque -data: - username: QXByaW9yaXQK - password: cXVlc3QxIQo= diff --git a/test/Services/Services.yaml b/test/Services/Services.yaml deleted file mode 100644 index eb92e8d406..0000000000 --- a/test/Services/Services.yaml +++ /dev/null 
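Review bot: The patch appended at the end of policy-quota.yaml uses `op : replace` on `/metadata/labels/quota-soft`, which under JSON Patch (RFC 6902) semantics fails when the target does not already exist. The ResourceQuota fixture is not part of this diff, so it is worth confirming that it carries a `quota-soft` label. If it does not, `op : add` is the safer operation, since it creates or overwrites the key. The `patches` list this entry belongs to starts in the previous hunk of the same file.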
@@ -1,17 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: game-service - labels: - originalLabel : isHere - - secretLabel : thisIsMySecret -spec: - selector: - app: MyApp - ports: - - name: http - - protocol: TCP - port: 80 - targetPort: 9376 diff --git a/test/Services/policy-Service.yaml b/test/Services/policy-Service.yaml deleted file mode 100644 index 9f8d598b5e..0000000000 --- a/test/Services/policy-Service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-service -spec : - failurePolicy: stopOnError - rules: - - resource: - kind: Service - name: game-service - patch: - - path: "/metadata/labels/isMutated" - op: add - value: "true" - - path : "/metadata/labels/secretLabel" - op : replace - value : "weKnow" - - path : "/metadata/labels/originalLabel" - op : remove - - path: "/spec/selector/app" - op: replace - value: "mutedApp" - diff --git a/test/StatefulSet/StatefulSet.yaml b/test/StatefulSet/StatefulSet.yaml index 341db0e4c8..4970d7fdfd 100644 --- a/test/StatefulSet/StatefulSet.yaml +++ b/test/StatefulSet/StatefulSet.yaml @@ -2,32 +2,29 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: game-web - labels: - originalLabel : isHere - spec: selector: matchLabels: - app: nginx-but-no # has to match .spec.template.metadata.labels - serviceName: "nginx-but-no" + app: nginxo # has to match .spec.template.metadata.labels + serviceName: "nginxo" replicas: 3 # by default is 1 template: metadata: labels: - app: nginx-but-no # has to match .spec.selector.matchLabels + app: nginxo # has to match .spec.selector.matchLabels spec: terminationGracePeriodSeconds: 10 containers: - - name: nginx-but-no + - name: nginxo image: k8s.gcr.io/nginx-but-no-slim:0.8 ports: - containerPort: 8780 name: webp volumeMounts: - name: www - mountPath: /usr/share/nginx-but-no/html + mountPath: /usr/share/nginxo/html volumeClaimTemplates: - metadata: name: www 
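Review bot: The StatefulSet.yaml hunk removes `labels:` / `originalLabel : isHere` from `metadata`, but policy-StatefulSet.yaml in the same commit still selects on `matchLabels: originalLabel: isHere`. With the label gone the policy would no longer match this fixture, so neither the patches nor the new `validate` block would be exercised. Either keep the two label lines or change the policy to select by `name: game-web`. The container image is still `k8s.gcr.io/nginx-but-no-slim:0.8` although every other `nginx-but-no` occurrence was renamed to `nginxo`, which looks unintended. The manifest continues past the end of this hunk.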
diff --git a/test/StatefulSet/policy-StatefulSet.yaml b/test/StatefulSet/policy-StatefulSet.yaml index c969dababd..f9277c6016 100644 --- a/test/StatefulSet/policy-StatefulSet.yaml +++ b/test/StatefulSet/policy-StatefulSet.yaml @@ -1,16 +1,17 @@ -apiVersion : policy.nirmata.io/v1alpha1 -kind : Policy -metadata : - name : policy-statefulset -spec : - failurePolicy: stopOnError +apiVersion: kubepolicy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-statefulset +spec: rules: - - resource: + - name: statefulset1 + resource: kind : StatefulSet selector: matchLabels: originalLabel: isHere - patch: + mutate: + patches: - path: "/spec/template/metadata/labels/isMutated" op: add value: "true" @@ -22,3 +23,15 @@ spec : - path : "/spec/serviceName" op : replace value : "not-a-nginx" + validate: + message: "This SS is broken" + pattern: + spec: + replicas: ">20" + volumeClaimTemplates: + - metadata: + name: www + spec: + resources: + requests: + storage: "<50Gi"
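Review bot: The new `validate.pattern` in policy-StatefulSet.yaml requires `replicas: ">20"`, while the StatefulSet.yaml fixture in this commit declares `replicas: 3`, so validation would reject the fixture whenever the rule applies. If that is a deliberate negative case, say so with a comment above `validate:` such as `# expected to fail: fixture has replicas: 3`. The message `"This SS is broken"` gives the user nothing to act on; `message: "StatefulSet needs more than 20 replicas and less than 50Gi per volume claim"` states the actual constraints. The rule this block belongs to starts in the first hunk of the file.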