new policy structure

policies are modified according to new logic

test/ConfigMap/configMap.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: game-config
-  namespace: default
-data:
-  secretData: "very sensitive data"
-  secretDatatoreplace: "data is not changed"
-  game.properties: |
-    enemies=aliens
-    lives=3
-  ui.properties: |
-    color.good=purple
-    color.bad=yellow

test/ConfigMap/policy-ConfigMap.yaml

@@ -1,20 +0,0 @@
-apiVersion : kubepolicy.nirmata.io/v1alpha1
-kind: Policy
-metadata :
-  name: policy-configmap-test
-spec:
-  rules:
-  - name: "Policy ConfigMap sample rule"
-    resource:
-      kind : ConfigMap
-      name: "game-config"
-    mutate:
-      patches:
-      - path: "/data/newKey"
-        op: add
-        value: newValue
-      - path: "/data/secretData"
-        op: remove
-      - path: "/data/secretDatatoreplace"
-        op: replace
-        value: "data is replaced"

test/CronJob/cronjob.yaml

@@ -1,21 +0,0 @@
-apiVersion: batch/v1beta1
-kind: CronJob
-metadata:
-  name: hello
-  labels :
-   label : "original"
-
-spec:
-  schedule: "*/1 * * * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-          - name: hello
-            image: busybox
-            args:
-            - /bin/sh
-            - -c
-            - date; echo Hello from the Kubernetes cluster
-          restartPolicy: OnFailure

test/CronJob/policy-CronJob.yaml

@@ -1,20 +0,0 @@
-apiVersion : policy.nirmata.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-cronjob
-
-spec :
-  failurePolicy: stopOnError
-  rules:
-    - resource:
-        kind : CronJob
-        name: "hello"
-      patch:
-        - path: "/metadata/labels/isMutated"
-          op: add
-          value: "true"
-        - path : "/spec/schedule"
-          op : replace
-          value : "* */1 * * *"
-      
-

test/DaemonSet/DaemonSet.yaml

@@ -40,4 +40,4 @@ spec:
           path: /var/log
       - name: varlibdockercontainers
         hostPath:
-          path: /var/lib/docker/containers
+          path: /var/lib/docker/containers

test/DaemonSet/policy-ds.yaml

@@ -1,21 +0,0 @@
-apiVersion : policy.nirmata.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-daemonset
-spec :
-  failurePolicy: stopOnError
-  rules:
-    - resource:
-        kind : DaemonSet
-        selector:
-          matchLabels:
-            originalLabel: isHere
-      patch:
-        - path: "/metadata/labels/isMutated"
-          op: add
-          value: "true"
-        - path: "/metadata/labels/originalLabel"
-          op: remove
-        - path : "/spec/template/spec/containers/0/image"
-          op : replace
-          value: "k8s.gcr.io/fluentd-elasticsearch:latest"

test/Deployment/ghost-deployment.yaml

@@ -1,34 +0,0 @@
-kind: "Deployment"
-apiVersion: "extensions/v1beta1"
-metadata:
-  name: "ghost"
-  labels:
-    nirmata.io/deployment.name: "ghost"
-    nirmata.io/application.name: "ghost"
-    nirmata.io/component: "ghost"
-spec:
-  replicas: 1
-  revisionHistoryLimit: 5
-  selector:
-    matchLabels:
-      nirmata.io/application.name: "ghost"
-      nirmata.io/component: "ghost"
-  strategy:
-    type: "RollingUpdate"
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 0
-  template:
-    metadata:
-      labels:
-        nirmata.io/deployment.name: "ghost"
-        nirmata.io/application.name: "ghost"
-        nirmata.io/component: "ghost"
-    spec:
-      containers:
-      - name: "ghost"
-        image: "ghost:2.9.1-alpine"
-        ports:
-        - containerPort: 8080
-          protocol: "TCP"
-

test/Deployment/policy-deployment-ghost.yaml

@@ -1,24 +0,0 @@
-apiVersion : policy.nirmata.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-deployment-ghost
-spec :
-  failurePolicy: stopOnError
-  rules:
-    - resource:
-        kind : Deployment
-        selector :
-          matchLabels :
-           nirmata.io/deployment.name: "ghost"
-      patch:
-      - path: /metadata/labels/isMutated
-        op: add
-        value: "true"
-      - path: "/spec/strategy/rollingUpdate/maxSurge"
-        op: add
-        value: 5
-      - path: "/spec/template/spec/containers/0/ports/0"
-        op: replace
-        value:
-          containerPort: 2368
-          protocol: TCP

test/Deployment/policy-deployment.yaml

@@ -1,20 +0,0 @@
-apiVersion : policy.nirmata.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-deployment
-spec :
-  failurePolicy: stopOnError
-  rules:
-    - resource:
-        kind : Deployment
-        name: nginx-deployment
-      patch:
-      - path: /metadata/labels/isMutated
-        op: add
-        value: "true"
-      - path: /metadata/labels/app
-        op: replace
-        value: "nginx_is_mutated" 
-          
-
-

test/Endpoints/endpoints.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: test-endpoint
-  labels:
-    label : test
-subsets:
-- addresses:
-  - ip: 192.168.10.171
-  ports:
-  - name: secure-connection
-    port: 443
-    protocol: TCP

test/Endpoints/policy-endpoints.yaml

@@ -1,25 +0,0 @@
-apiVersion : policy.nirmata.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-endpoints
-spec :
-  failurePolicy: stopOnError
-  rules:
-  - resource:
-      kind : Endpoints
-      selector:
-        matchLabels:
-          label : test
-    patch:
-      - path : "/subsets/0/ports/0/port"
-        op : replace
-        value: 9663
-      - path : "/subsets/0"
-        op: add
-        value:
-          addresses:
-          - ip: "192.168.10.171"
-          ports:
-          - name: load-balancer-connection
-            port: 80
-            protocol: UDP

test/HorizontalPodAutoscaler/HorizontalPodAutoscaler.yaml

@@ -1,20 +0,0 @@
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
-  name: wildfly-example
-spec:
-  scaleTargetRef:
-    apiVersion: extensions/v1beta1
-    kind: Deployment
-    name: wildfly-example
-  minReplicas: 1
-  maxReplicas: 5
-  metrics:
-  - type: Resource
-    resource:
-      name: cpu
-      targetAverageUtilization: 80
-  - type: Resource
-    resource:
-      name: memory
-      targetAverageValue: 1000Mi

test/HorizontalPodAutoscaler/policy-hpa.yaml

@@ -1,20 +1,30 @@
-apiVersion : policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
-kind : Policy
+kind: Policy
-metadata :
+metadata:
-  name : policy-hpa
+  name: policy-hpa
 spec :
-  failurePolicy: stopOnError
   rules:
-    - resource:
+    - name: hpa1
+      resource:
         kind : HorizontalPodAutoscaler
         selector:
           matchLabels:
             originalLabel: isHere
-      patch:
+      mutate:
-        - path: "/metadata/labels"
+        patches:
+        - path: "/metadata/labels/isMutated"
           op: add
-          value:
+          value: "true"
-            isMutated: "true"
         - op: replace
           path: "/spec/metrics/1/resource/targetAverageValue"
           value: "959Mi"
+      validate:
+        message: "There is wrong resorce request or apiVersion"
+        pattern:
+          spec:
+            scaleTargetRef:
+              apiVersion: extensions/v1beta1
+#            metrics:
+#              - type: Resource
+#                resource:
+#                  name: cpu|memory

test/Ingress/policy-ingess.yaml

@@ -1,19 +0,0 @@
-apiVersion : policy.nirmata.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-ingress
-spec :
-  failurePolicy: stopOnError
-  rules:
-    - resource:
-        kind : Ingress
-        selector:
-          matchLabels:
-            originalLabel: isHere
-      patch:
-        - path: "/metadata/labels/isMutated"
-          op: add
-          value: "true"
-        - path : "/spec/rules/0/http/paths/0/path"
-          op : replace
-          value: "/mutatedpath"

test/Job/job.yaml

@@ -11,4 +11,3 @@ spec:
         command: ["perl"]
       restartPolicy: Never
   backoffLimit: 4
-

test/Job/policy-job.yaml

@@ -1,17 +1,25 @@
-apiVersion : policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
-kind : Policy
+kind: Policy
-metadata :
+metadata:
-  name : policy-job-perl-bigint
+  name: policy-job-perl-bigint
 spec :
-  failurePolicy: stopOnError
   rules:
-    - resource:
+    - name: job1
-        kind : Job
+      resource:
+        kind: Job
         name: pi
-      patch:
+      mutate:
+        patches:
         - path : "/spec/template/spec/containers/0/command"
           op : add
           value: [ "-Mbignum=bpi", "-wle", "print bpi(2000)" ]
         - path : "/spec/backoffLimit"
           op: add
           value: 10
+      validate:
+        message: "This job should not be restarted"
+        pattern:
+          spec:
+            template:
+              spec:
+                restartPolicy: Never

test/LimitRange/limitrange.yaml

@@ -8,6 +8,7 @@ spec:
   limits:
   - default:
       memory: 512Mi
+      cpu: 10m
     defaultRequest:
       memory: 256Mi
     type: Container

test/LimitRange/policy-limitrange.yaml

@@ -1,16 +1,24 @@
-apiVersion : policy.nirmata.io/v1alpha1
+apiVersion : kubepolicy.nirmata.io/v1alpha1
 kind : Policy
 metadata :
   name : policy-limitrange
 spec :
-  failurePolicy: stopOnError
   rules:
-    - resource:
+    - name:
+      resource:
         kind : LimitRange
         selector:
           matchLabels:
             containerSize: minimal
-      patch:
+      mutate:
-        - path : "/spec/limits/0/default/memory"
+        patches:
+        - path : "/spec/limits/0/memory"
           op : replace
           value: "384Mi"
+      validate:
+        message: "The CPU value is incorrect"
+        pattern:
+          spec:
+            limits:
+            - default:
+                cpu: 9m

test/Namespace/namespace.yaml

@@ -1,8 +1,7 @@
 kind: Namespace
 apiVersion: v1
-metadata: 
+metadata:
-    name: "namespace-not-modified"
+  name: namespace-not-modified
-    labels: 
+  labels:
-      LabelForSelector : "namespace"
+    LabelForSelector : "namespace"
-      replaced : "no"
+    replaced : "no"
-      

test/Namespace/policy-namespace-by-name.yaml

@@ -1,25 +0,0 @@
-apiVersion : policy.nirmata.io/v1alpha1
-
-kind : Policy
-
-metadata :
-  name : policy-namespace
-
-spec :
-  failurePolicy: stopOnError
-
-  rules:
-  - resource:
-      kind : Namespace
-      name : "namespace-not-modified"
-      
-    patch:
-    - path: "/metadata/labels/isMutated"
-      op: add
-      value: "true"
-    - path: "/metadata/name"
-      op: replace
-      value: "modified-namespace"
-
-  
-   

test/Namespace/policy-namespace.yaml

@@ -1,27 +1,21 @@
-apiVersion : policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
-
+kind: Policy
-kind : Policy
-
 metadata :
   name : policy-namespace
 
 spec :
-  failurePolicy: stopOnError
-
   rules:
-  - resource:
+    - name: ns1
-      kind : Namespace
+      resource:
-      selector:
+        kind : Namespace
-        matchLabels:
+        selector:
-          LabelForSelector : "namespace"
+          matchLabels:
-      
+            LabelForSelector : "namespace"
-    patch:
+      mutate:
-    - path: "/metadata/labels/replaced"
+        patches:
-      op: add
+        - path: "/metadata/labels/replaced"
-      value: "yes"
+          op: add
-    - path: "/metadata/name"
+          value: "yes"
-      op: replace
+        - path: "/metadata/name"
-      value: "modified-namespace-name"
+          op: replace
-
+          value: "modified-namespace"
-  
-   

test/NetworkPolicy/policy-networkpolicy.yaml

@@ -1,21 +0,0 @@
-apiVersion : policy.nirmata.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-network-policy
-spec :
-  failurePolicy: stopOnError
-  rules:
-    - resource:
-        kind : NetworkPolicy
-        selector:
-          matchLabels:
-            originalLabel: isHere
-      patch:
-        - path: "/metadata/labels/isMutated"
-          op: add
-          value: "true"
-        - path: "/metadata/labels/originalLabel"
-          op: remove
-        - path : "/spec/ingress/0/from/0/ipBlock/cidr"
-          op : replace
-          value: "172.17.128.0/17"

test/PersistentVolumeClaim/policy-PVC.yaml

@@ -1,17 +1,24 @@
-apiVersion : policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
-kind : Policy
+kind: Policy
-metadata :
+metadata:
-  name : policy-pvc
+  name: policy-pvc
-spec :
+spec:
-  failurePolicy: stopOnError
   rules:
-    - resource:
+    - name: pvc1
+      resource:
         kind : PersistentVolumeClaim
         matchLabels:
             originalLabel: isHere
-      patch:
+      mutate:
+        patches:
         - path: "/metadata/labels/originalLabel"
           op: remove
         - path : "/spec/resources/requests/storage"
           op : replace
           value: "6Gi"
+      validate:
+        message: "I don't like this pvc"
+        pattern:
+          spec:
+            accessModes:
+              - ReadWrite

test/PodDisruptionBudget/policy-pdb.yaml

@@ -1,17 +1,25 @@
-apiVersion : policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
-kind : Policy
+kind: Policy
-metadata :
+metadata:
-  name : policy-pdb
+  name: policy-pdb
-spec :
+spec:
-  failurePolicy: stopOnError
   rules:
-    - resource:
+    - name: pdb1
+      resource:
         kind : PodDisruptionBudget
         name: "game-pdb"
-      patch:
+      mutate:
+        patches:
         - path: "/metadata/labels/isMutated"
           op: add
           value: "true"
         - path : "/spec/minAvailable"
           op : replace
           value: "5%"
+      validate:
+        message: "This PDB has the wrong selector"
+        pattern:
+          spec:
+            selector:
+              matchLabels:
+                app: "zoo*"

test/PodTemplate/PodTemplate.yaml

@@ -1,16 +1,16 @@
 apiVersion: v1
 kind: PodTemplate
-metadata: 
+metadata:
  name: nginx-test
- labels: 
+ labels:
   app: nginx
   originalLabel: isHere
-template: 
+template:
- spec: 
+ spec:
-  containers: 
+  containers:
     - name: redis
       image: redis
-      ports: 
+      ports:
       - containerPort: 80
         protocol: TCP
   restartPolicy: Always

test/PodTemplate/policy-PodTemplate.yaml

@@ -1,21 +1,32 @@
-apiVersion : policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
-kind : Policy
+kind: Policy
-metadata :
+metadata:
-  name : test-podtemplate
+  name: test-podtemplate
-spec :
+spec:
-  failurePolicy: stopOnError
   rules:
-    - resource:
+    - name: podtemplate1
+      resource:
         kind : PodTemplate
         selector:
           matchLabels:
             originalLabel: isHere
-      patch:
+      mutate:
+        patches:
         - path: "/metadata/labels/app"
           op : replace
           value : mutedApp
         - path: "/template/spec/containers/0/name"
           op : replace
-          value : my-mutated-app
+          value : mongodb
-        - path: "/metadata/labels/originalLabel"
+        - path: "/template/spec/containers/0/image"
-          op : remove
+          op : replace
+          value : mongodb
+      validate:
+        message: "Port 80 is not for redis"
+        pattern:
+          template:
+            spec:
+              containers:
+                - name: "!redis"
+                  ports:
+                  - containerPort: 80

test/README.md

@@ -29,37 +29,38 @@ test-endpoint   192.168.10.171:443   6s
 ```
 We just created an endpoints resource and made sure that it was created without changes. Let's remove it now and try to create it again, but with an active policy for endpoints resources.
 ```
-> kubectl delete -f test/endpoints.yaml 
+> kubectl delete -f test/endpoints.yaml
 endpoints "test-endpoint" deleted
 ```
 We have this a policy for enpoints (`examples/Endpoints/policy-endpoint.yaml`):
 
 ```
-apiVersion : policy.nirmata.io/v1alpha1
+apiVersion : kubepolicy.nirmata.io/v1alpha1
 kind : Policy
 metadata :
   name : policy-endpoints
 spec :
-  failurePolicy: stopOnError
   rules:
-  - resource:
+    - name:
-      kind : Endpoints
+      resource:
-      selector:
+        kind : Endpoints
-        matchLabels:
+        selector:
-          label : test
+          matchLabels:
-    patch:
+            label : test
-      - path : "/subsets/0/ports/0/port"
+      mutate:
-        op : replace
+        patches:
-        value: 9663
+          - path : "/subsets/0/ports/0/port"
-      - path : "/subsets/0"
+            op : replace
-        op: add
+            value: 9663
-        value:
+          - path : "/subsets/0"
-          addresses:
+            op: add
-          - ip: "192.168.10.171"
+            value:
-          ports:
+              addresses:
-          - name: additional-connection
+              - ip: "192.168.10.171"
-            port: 80
+              ports:
-            protocol: UDP
+              - name: load-balancer-connection
+                port: 80
+                protocol: UDP
 ```
 This policy does 2 patches:
 
@@ -68,9 +69,9 @@ This policy does 2 patches:
 
 Let's apply this policy and create the endpoints again to see the changes:
 ```
-> kubectl create -f examples/Endpoints/policy-endpoints.yaml 
+> kubectl create -f examples/Endpoints/policy-endpoints.yaml
 policy.policy.nirmata.io/policy-endpoints created
-> kubectl create -f examples/Endpoints/endpoints.yaml 
+> kubectl create -f examples/Endpoints/endpoints.yaml
 endpoints/test-endpoint created
 > kubectl get -f examples/Endpoints/endpoints.yaml
 NAME            ENDPOINTS                               AGE

test/ResourceQuota/policy-quota.yaml

@@ -1,19 +1,20 @@
-apiVersion : policy.nirmata.io/v1alpha1
+apiVersion : kubepolicy.nirmata.io/v1alpha1
 kind : Policy
 metadata :
   name : policy-quota-low-test
 spec :
-  failurePolicy: stopOnError
   rules:
-    - resource:
+    - name:
+      resource:
         kind : ResourceQuota
         selector:
           matchLabels:
             quota: low
-      patch:
+      mutate:
+        patches:
         - path : "/spec/scopeSelector/matchExpressions/1"
           op : add
-          value : 
+          value :
             operator : In
             scopeName: PriorityClass
             values: ["low-medium"]
@@ -25,4 +26,7 @@ spec :
             "pods": "10",
             "limits.memory": "12Gi",
             "requests.nvidia.com/gpu": "8"
-          }
+          }
+        - path : "/metadata/labels/quota-soft"
+          op : replace
+          value : replaced

test/Secrets/policy-secrets.yaml

@@ -1,22 +0,0 @@
-apiVersion : policy.nirmata.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-secrets
-spec :
-  failurePolicy: stopOnError
-  rules:
-    - resource:
-        kind : Secret
-        name: "mysecret"
-      patch:
-        - path: "/metadata/labels/isMutated"
-          op: add
-          value: "true"
-        - path: "/metadata/labels/originalLabel"
-          op: remove
-        - path : "/data/newPass"
-          op : add
-          value : "bmV3UmFuZG9tUGFzcwo="
-        - path : "/data/password"
-          op : replace
-          value : "Y29tcHJvbWlzZWQK"

test/Secrets/secrets.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mysecret
-  labels:
-    originalLabel : isHere
-
-type: Opaque
-data:
-  username: QXByaW9yaXQK
-  password: cXVlc3QxIQo=

test/Services/Services.yaml

@@ -1,17 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: game-service
-  labels:
-    originalLabel : isHere
-    
-    secretLabel : thisIsMySecret
-spec:
-  selector:
-    app: MyApp
-  ports:
-  - name: http
-    
-    protocol: TCP
-    port: 80
-    targetPort: 9376

test/Services/policy-Service.yaml

@@ -1,23 +0,0 @@
-apiVersion : policy.nirmata.io/v1alpha1
-kind : Policy
-metadata :
-  name : policy-service
-spec :
-  failurePolicy: stopOnError
-  rules:
-    - resource:
-        kind: Service
-        name: game-service
-      patch:
-        - path: "/metadata/labels/isMutated"
-          op: add
-          value: "true"
-        - path : "/metadata/labels/secretLabel"
-          op : replace
-          value : "weKnow"
-        - path : "/metadata/labels/originalLabel"
-          op : remove
-        - path: "/spec/selector/app"
-          op: replace
-          value: "mutedApp"
-

test/StatefulSet/StatefulSet.yaml

@@ -2,32 +2,29 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   name: game-web
-
   labels:
-
     originalLabel : isHere
-
 spec:
   selector:
     matchLabels:
-      app: nginx-but-no # has to match .spec.template.metadata.labels
+      app: nginxo # has to match .spec.template.metadata.labels
-  serviceName: "nginx-but-no"
+  serviceName: "nginxo"
   replicas: 3 # by default is 1
   template:
     metadata:
       labels:
-        app: nginx-but-no # has to match .spec.selector.matchLabels
+        app: nginxo # has to match .spec.selector.matchLabels
     spec:
       terminationGracePeriodSeconds: 10
       containers:
-      - name: nginx-but-no
+      - name: nginxo
         image: k8s.gcr.io/nginx-but-no-slim:0.8
         ports:
         - containerPort: 8780
           name: webp
         volumeMounts:
         - name: www
-          mountPath: /usr/share/nginx-but-no/html
+          mountPath: /usr/share/nginxo/html
   volumeClaimTemplates:
   - metadata:
       name: www

test/StatefulSet/policy-StatefulSet.yaml

@@ -1,16 +1,17 @@
-apiVersion : policy.nirmata.io/v1alpha1
+apiVersion: kubepolicy.nirmata.io/v1alpha1
-kind : Policy
+kind: Policy
-metadata :
+metadata:
-  name : policy-statefulset
+  name: policy-statefulset
-spec :
+spec:
-  failurePolicy: stopOnError
   rules:
-    - resource:
+    - name: statefulset1
+      resource:
         kind : StatefulSet
         selector:
           matchLabels:
             originalLabel: isHere
-      patch:
+      mutate:
+        patches:
         - path: "/spec/template/metadata/labels/isMutated"
           op: add
           value: "true"
@@ -22,3 +23,15 @@ spec :
         - path : "/spec/serviceName"
           op : replace
           value : "not-a-nginx"
+      validate:
+        message: "This SS is broken"
+        pattern:
+          spec:
+            replicas: ">20"
+            volumeClaimTemplates:
+            - metadata:
+                name: www
+              spec:
+                resources:
+                  requests:
+                    storage: "<50Gi"