
new policy structure

policies are modified according to new logic
This commit is contained in:
Anton Kostenko 2019-05-21 17:54:55 +03:00
parent 26c826518a
commit e200cdc2a4
34 changed files with 191 additions and 501 deletions


@ -1,14 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: game-config
namespace: default
data:
secretData: "very sensitive data"
secretDatatoreplace: "data is not changed"
game.properties: |
enemies=aliens
lives=3
ui.properties: |
color.good=purple
color.bad=yellow


@ -1,20 +0,0 @@
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata :
name: policy-configmap-test
spec:
rules:
- name: "Policy ConfigMap sample rule"
resource:
kind : ConfigMap
name: "game-config"
mutate:
patches:
- path: "/data/newKey"
op: add
value: newValue
- path: "/data/secretData"
op: remove
- path: "/data/secretDatatoreplace"
op: replace
value: "data is replaced"


@ -1,21 +0,0 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello
labels :
label : "original"
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: hello
image: busybox
args:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
restartPolicy: OnFailure


@ -1,20 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-cronjob
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : CronJob
name: "hello"
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/schedule"
op : replace
value : "* */1 * * *"


@ -1,21 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-daemonset
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : DaemonSet
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/template/spec/containers/0/image"
op : replace
value: "k8s.gcr.io/fluentd-elasticsearch:latest"


@ -1,34 +0,0 @@
kind: "Deployment"
apiVersion: "extensions/v1beta1"
metadata:
name: "ghost"
labels:
nirmata.io/deployment.name: "ghost"
nirmata.io/application.name: "ghost"
nirmata.io/component: "ghost"
spec:
replicas: 1
revisionHistoryLimit: 5
selector:
matchLabels:
nirmata.io/application.name: "ghost"
nirmata.io/component: "ghost"
strategy:
type: "RollingUpdate"
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
template:
metadata:
labels:
nirmata.io/deployment.name: "ghost"
nirmata.io/application.name: "ghost"
nirmata.io/component: "ghost"
spec:
containers:
- name: "ghost"
image: "ghost:2.9.1-alpine"
ports:
- containerPort: 8080
protocol: "TCP"


@ -1,24 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-deployment-ghost
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Deployment
selector :
matchLabels :
nirmata.io/deployment.name: "ghost"
patch:
- path: /metadata/labels/isMutated
op: add
value: "true"
- path: "/spec/strategy/rollingUpdate/maxSurge"
op: add
value: 5
- path: "/spec/template/spec/containers/0/ports/0"
op: replace
value:
containerPort: 2368
protocol: TCP


@ -1,20 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-deployment
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Deployment
name: nginx-deployment
patch:
- path: /metadata/labels/isMutated
op: add
value: "true"
- path: /metadata/labels/app
op: replace
value: "nginx_is_mutated"


@ -1,13 +0,0 @@
apiVersion: v1
kind: Endpoints
metadata:
name: test-endpoint
labels:
label : test
subsets:
- addresses:
- ip: 192.168.10.171
ports:
- name: secure-connection
port: 443
protocol: TCP


@ -1,25 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-endpoints
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Endpoints
selector:
matchLabels:
label : test
patch:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
- path : "/subsets/0"
op: add
value:
addresses:
- ip: "192.168.10.171"
ports:
- name: load-balancer-connection
port: 80
protocol: UDP


@ -1,20 +0,0 @@
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: wildfly-example
spec:
scaleTargetRef:
apiVersion: extensions/v1beta1
kind: Deployment
name: wildfly-example
minReplicas: 1
maxReplicas: 5
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
- type: Resource
resource:
name: memory
targetAverageValue: 1000Mi


@ -1,20 +1,30 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-hpa
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-hpa
spec :
failurePolicy: stopOnError
rules:
- resource:
- name: hpa1
resource:
kind : HorizontalPodAutoscaler
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels"
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value:
isMutated: "true"
value: "true"
- op: replace
path: "/spec/metrics/1/resource/targetAverageValue"
value: "959Mi"
validate:
message: "There is wrong resorce request or apiVersion"
pattern:
spec:
scaleTargetRef:
apiVersion: extensions/v1beta1
# metrics:
# - type: Resource
# resource:
# name: cpu|memory
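Review bot: The validate pattern ends in a commented-out `metrics` block (`# metrics:` through `# name: cpu|memory`) that documents nothing and will drift from the rule; either drop it or turn it into a real pattern entry. The validate message also carries a typo and should read `message: "There is wrong resource request or apiVersion"`. Several keys in this rule keep the old `key :` spacing (`kind : HorizontalPodAutoscaler`) while the header lines were normalized to `key:`; the same mix remains in the job, limitrange, namespace, pvc, pdb, podtemplate, quota and statefulset policies in this commit, so one pass with yamllint's `colons` rule would settle it for all of them.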


@ -1,19 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-ingress
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Ingress
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/rules/0/http/paths/0/path"
op : replace
value: "/mutatedpath"


@ -11,4 +11,3 @@ spec:
command: ["perl"]
restartPolicy: Never
backoffLimit: 4


@ -1,17 +1,25 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-job-perl-bigint
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-job-perl-bigint
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Job
- name: job1
resource:
kind: Job
name: pi
patch:
mutate:
patches:
- path : "/spec/template/spec/containers/0/command"
op : add
value: [ "-Mbignum=bpi", "-wle", "print bpi(2000)" ]
- path : "/spec/backoffLimit"
op: add
value: 10
validate:
message: "This job should not be restarted"
pattern:
spec:
template:
spec:
restartPolicy: Never
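Review bot: The validate message `"This job should not be restarted"` conflicts with the mutate patch a few lines above, which adds `/spec/backoffLimit` with `value: 10` — `restartPolicy: Never` only stops the kubelet from restarting the container, while a backoffLimit of 10 still lets the Job controller create up to ten replacement pods. If the intent really is no restarts, the patch should set `value: 0`; otherwise the message should describe what the pattern actually checks, e.g. `message: "Pods of this job must use restartPolicy: Never"`. The patch keys also still use the old `path :` / `op :` spacing while the header was normalized.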


@ -8,6 +8,7 @@ spec:
limits:
- default:
memory: 512Mi
cpu: 10m
defaultRequest:
memory: 256Mi
type: Container


@ -1,16 +1,24 @@
apiVersion : policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-limitrange
spec :
failurePolicy: stopOnError
rules:
- resource:
- name:
resource:
kind : LimitRange
selector:
matchLabels:
containerSize: minimal
patch:
- path : "/spec/limits/0/default/memory"
mutate:
patches:
- path : "/spec/limits/0/memory"
op : replace
value: "384Mi"
validate:
message: "The CPU value is incorrect"
pattern:
spec:
limits:
- default:
cpu: 9m
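Review bot: The rewritten mutate path `/spec/limits/0/memory` drops the `default/` segment the removed line had (`/spec/limits/0/default/memory`); a LimitRange item has no `memory` field at that level, and `op : replace` on a missing member is a JSON Patch error, so this rule would fail against the sample LimitRange in this commit (`limits: - default: memory: 512Mi`). Restore `- path : "/spec/limits/0/default/memory"`. The rule's `- name:` is also left empty (a YAML null) while sibling policies name theirs (`hpa1`, `job1`, `ns1`); the quota-low-test policy later in this commit has the same empty `name:`.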


@ -1,8 +1,7 @@
kind: Namespace
apiVersion: v1
metadata:
name: "namespace-not-modified"
name: namespace-not-modified
labels:
LabelForSelector : "namespace"
replaced : "no"


@ -1,25 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-namespace
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Namespace
name : "namespace-not-modified"
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/name"
op: replace
value: "modified-namespace"


@ -1,27 +1,21 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata :
name : policy-namespace
spec :
failurePolicy: stopOnError
rules:
- resource:
- name: ns1
resource:
kind : Namespace
selector:
matchLabels:
LabelForSelector : "namespace"
patch:
mutate:
patches:
- path: "/metadata/labels/replaced"
op: add
value: "yes"
- path: "/metadata/name"
op: replace
value: "modified-namespace-name"
value: "modified-namespace"
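Review bot: The `/metadata/name` patch renames every Namespace matching `LabelForSelector : "namespace"` to the same fixed value `"modified-namespace"`, so a second namespace carrying that label would collide with the first on admission. If this is only meant to demonstrate a name mutation, say so in the rule with a comment such as `# demo only: renames the matched namespace to a fixed name`; otherwise the patch needs a per-object name or should be dropped. This is also the only mutate patch in the commit that changes a resource's identity rather than its labels or spec, which deserves a sentence in the README.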


@ -1,21 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-network-policy
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : NetworkPolicy
selector:
matchLabels:
originalLabel: isHere
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/ingress/0/from/0/ipBlock/cidr"
op : replace
value: "172.17.128.0/17"


@ -1,17 +1,24 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-pvc
spec :
failurePolicy: stopOnError
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-pvc
spec:
rules:
- resource:
- name: pvc1
resource:
kind : PersistentVolumeClaim
matchLabels:
originalLabel: isHere
patch:
mutate:
patches:
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/resources/requests/storage"
op : replace
value: "6Gi"
validate:
message: "I don't like this pvc"
pattern:
spec:
accessModes:
- ReadWrite
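Review bot: The validate pattern `accessModes: - ReadWrite` names a value the PersistentVolumeClaim API does not accept (its access modes are `ReadWriteOnce`, `ReadOnlyMany` and `ReadWriteMany`), so unless the pattern engine matches on prefix this rule rejects every PVC it sees; if a prefix match is intended, write it as `- ReadWrite*`, the wildcard form the pdb policy in this commit already uses (`app: "zoo*"`). The message `"I don't like this pvc"` should state the checked condition, e.g. `message: "PVC accessModes must start with ReadWrite"`. The `matchLabels:` directly under `resource:` is also missing the `selector:` level every other policy here uses; that line is unchanged context, but the restructure is the moment to align it.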


@ -1,17 +1,25 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-pdb
spec :
failurePolicy: stopOnError
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-pdb
spec:
rules:
- resource:
- name: pdb1
resource:
kind : PodDisruptionBudget
name: "game-pdb"
patch:
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/minAvailable"
op : replace
value: "5%"
validate:
message: "This PDB has the wrong selector"
pattern:
spec:
selector:
matchLabels:
app: "zoo*"


@ -1,21 +1,32 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : test-podtemplate
spec :
failurePolicy: stopOnError
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: test-podtemplate
spec:
rules:
- resource:
- name: podtemplate1
resource:
kind : PodTemplate
selector:
matchLabels:
originalLabel: isHere
patch:
mutate:
patches:
- path: "/metadata/labels/app"
op : replace
value : mutedApp
- path: "/template/spec/containers/0/name"
op : replace
value : my-mutated-app
- path: "/metadata/labels/originalLabel"
op : remove
value : mongodb
- path: "/template/spec/containers/0/image"
op : replace
value : mongodb
validate:
message: "Port 80 is not for redis"
pattern:
template:
spec:
containers:
- name: "!redis"
ports:
- containerPort: 80
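Review bot: The third mutate patch pairs `op : remove` with `value : mongodb`; a JSON Patch `remove` takes no value, so the line is either a leftover from the `/template/spec/containers/0/image` patch that follows it or a sign the op was meant to be `replace`. Drop the `value : mongodb` line under the remove, or change the op to match the intent. Whether this commit introduced the line or only carried it over is not recoverable from the rendered view, so it is worth checking against the old file.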


@ -35,19 +35,20 @@ endpoints "test-endpoint" deleted
We have this a policy for enpoints (`examples/Endpoints/policy-endpoint.yaml`):
```
apiVersion : policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-endpoints
spec :
failurePolicy: stopOnError
rules:
- resource:
- name:
resource:
kind : Endpoints
selector:
matchLabels:
label : test
patch:
mutate:
patches:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
@ -57,7 +58,7 @@ spec :
addresses:
- ip: "192.168.10.171"
ports:
- name: additional-connection
- name: load-balancer-connection
port: 80
protocol: UDP
```


@ -1,16 +1,17 @@
apiVersion : policy.nirmata.io/v1alpha1
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-quota-low-test
spec :
failurePolicy: stopOnError
rules:
- resource:
- name:
resource:
kind : ResourceQuota
selector:
matchLabels:
quota: low
patch:
mutate:
patches:
- path : "/spec/scopeSelector/matchExpressions/1"
op : add
value :
@ -26,3 +27,6 @@ spec :
"limits.memory": "12Gi",
"requests.nvidia.com/gpu": "8"
}
- path : "/metadata/labels/quota-soft"
op : replace
value : replaced


@ -1,22 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-secrets
spec :
failurePolicy: stopOnError
rules:
- resource:
kind : Secret
name: "mysecret"
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/data/newPass"
op : add
value : "bmV3UmFuZG9tUGFzcwo="
- path : "/data/password"
op : replace
value : "Y29tcHJvbWlzZWQK"


@ -1,11 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: mysecret
labels:
originalLabel : isHere
type: Opaque
data:
username: QXByaW9yaXQK
password: cXVlc3QxIQo=


@ -1,17 +0,0 @@
kind: Service
apiVersion: v1
metadata:
name: game-service
labels:
originalLabel : isHere
secretLabel : thisIsMySecret
spec:
selector:
app: MyApp
ports:
- name: http
protocol: TCP
port: 80
targetPort: 9376


@ -1,23 +0,0 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-service
spec :
failurePolicy: stopOnError
rules:
- resource:
kind: Service
name: game-service
patch:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/metadata/labels/secretLabel"
op : replace
value : "weKnow"
- path : "/metadata/labels/originalLabel"
op : remove
- path: "/spec/selector/app"
op: replace
value: "mutedApp"


@ -2,32 +2,29 @@ apiVersion: apps/v1
kind: StatefulSet
metadata:
name: game-web
labels:
originalLabel : isHere
spec:
selector:
matchLabels:
app: nginx-but-no # has to match .spec.template.metadata.labels
serviceName: "nginx-but-no"
app: nginxo # has to match .spec.template.metadata.labels
serviceName: "nginxo"
replicas: 3 # by default is 1
template:
metadata:
labels:
app: nginx-but-no # has to match .spec.selector.matchLabels
app: nginxo # has to match .spec.selector.matchLabels
spec:
terminationGracePeriodSeconds: 10
containers:
- name: nginx-but-no
- name: nginxo
image: k8s.gcr.io/nginx-but-no-slim:0.8
ports:
- containerPort: 8780
name: webp
volumeMounts:
- name: www
mountPath: /usr/share/nginx-but-no/html
mountPath: /usr/share/nginxo/html
volumeClaimTemplates:
- metadata:
name: www


@ -1,16 +1,17 @@
apiVersion : policy.nirmata.io/v1alpha1
kind : Policy
metadata :
name : policy-statefulset
spec :
failurePolicy: stopOnError
apiVersion: kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata:
name: policy-statefulset
spec:
rules:
- resource:
- name: statefulset1
resource:
kind : StatefulSet
selector:
matchLabels:
originalLabel: isHere
patch:
mutate:
patches:
- path: "/spec/template/metadata/labels/isMutated"
op: add
value: "true"
@ -22,3 +23,15 @@ spec :
- path : "/spec/serviceName"
op : replace
value : "not-a-nginx"
validate:
message: "This SS is broken"
pattern:
spec:
replicas: ">20"
volumeClaimTemplates:
- metadata:
name: www
spec:
resources:
requests:
storage: "<50Gi"
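Review bot: The validate message `"This SS is broken"` gives the user no hint which constraint tripped, and the pattern under it is the strictest in the commit: if `replicas: ">20"` and `storage: "<50Gi"` are read as comparisons, the sample StatefulSet earlier in this commit (`replicas: 3`) fails the rule. Either relax the threshold or make the message name both conditions, e.g. `message: "StatefulSet must have more than 20 replicas and request less than 50Gi per volumeClaimTemplate"`. The rule's mutate section begins in the previous hunk of this file.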