
Merge pull request #104 from nirmata/policies-update

added workarounds to make examples valid
This commit is contained in:
Jim Bugwadia 2019-05-23 18:09:15 -07:00 committed by GitHub
commit e2be3084b7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 166 additions and 98 deletions


@ -6,33 +6,33 @@ spec:
rules:
- name: check-defined
resource:
kinds:
kinds:
- Deployment
validate:
message: "Resource requests and limits are required for CPU and memory"
pattern:
spec:
containers:
- name: "*"
resources:
limits:
memory: "?"
cpu: "?"
requests:
memory: "?"
cpu: "?"
- name: check-memory-in-range
resource:
kinds:
- Deployment
validate:
message: "Memory request cannot be greater than 10Gi"
message: "Resource limits are required for CPU and memory"
pattern:
spec:
containers:
- name: "*"
resources:
requests:
# If the value contains logical operator, the integer after it will be checked. No numeric characters will be a part of pattern.
# The OR operator can combine the patterns with logical expressions and text patterns.
memory: "<10Gi|<1024Mi"
template:
spec:
containers:
- name: "*"
resources:
limits:
memory: "*"
cpu: "*"
- name: check-cpu
resource:
kinds:
- Deployment
validate:
message: "CPU request should be 4"
pattern:
spec:
template:
spec:
containers:
- name: "*"
resources:
requests:
cpu: "4"
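Review bot: The new check-cpu rule pins `cpu: "4"` with no comment saying why an exact value is required rather than a bound, and the message "CPU request should be 4" does not say what a deployment author is supposed to change. Unless the comparison is quantity-aware, an equivalent request written as `4000m` would be rejected by a string match, so the intent is worth stating: `# example only: the CPU request must be written as exactly "4"`. The rewritten check-defined rule now only requires `limits` (wildcards for memory and cpu) while its rule name still suggests a general presence check; a one-line comment above `limits:` noting that requests are intentionally not checked would keep the example honest. The enclosing `spec:` of this policy starts before the hunk.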


@ -6,11 +6,13 @@ spec:
rules:
- name: check-host-path
resource:
kinds:
kinds:
- Pod
validate:
message: "Host path volumes are not allowed"
message: "Host path should be /var/log"
pattern:
volumes:
- name: "*"
hostPath: null
spec:
volumes:
- (name): log
hostPath:
path: /var/log
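Review bot: The conditional anchor `(name): log` scopes the new check to a single volume name, so a hostPath volume under any other name is not examined at all, while the message "Host path should be /var/log" reads as if every hostPath were constrained. If the intent is that any hostPath volume may only mount `/var/log`, the condition should be on the `hostPath` key rather than on the volume name; if the narrower behaviour is intended, say so above the anchor: `# only a volume named "log" is checked; other volumes may still use hostPath`. The rule's `spec:` block begins before this hunk.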


@ -5,13 +5,15 @@ metadata:
spec:
rules:
- name: image-pull-policy
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
resource:
kinds:
kinds:
- Deployment
overlay:
template:
validate:
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
pattern:
spec:
containers:
- image: "(*:latest)" # select images which end with :latest
imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always"
template:
spec:
containers:
- (image): "*latest" # select images which end with :latest
imagePullPolicy: Always # ensure that the imagePullPolicy is "Always"
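Review bot: The new anchor `(image): "*latest"` drops the colon that the inline comment still describes ("images which end with :latest"), so it also matches any image reference that merely ends in the characters `latest` (for example a repository or tag such as `foo-latest`). The stricter form used elsewhere in this commit, `- (image): "*:latest"`, matches the comment; if the colon was removed as a workaround, the comment should say so instead of describing a different condition. Images with no tag at all default to `:latest` on pull and are not caught by either pattern, which is worth a comment since that is the common way a floating tag reaches a cluster. The policy's `spec:` starts before the hunk.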


@ -6,10 +6,10 @@ spec:
rules:
- name: check-host-path
resource:
kinds:
kinds:
- Service
validate:
message: "Node port services are not allowed"
message: "Only NodePort type is allowed"
pattern:
spec:
type: "!NodePort"
type: "NodePort"
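Review bot: The new pattern `type: "NodePort"` turns a deny rule into a rule that requires every Service to be of type NodePort, which opens a port on every node and is the opposite posture of the original example; nothing in the file explains that this is a syntax workaround as the commit message says. A comment above `pattern:` such as `# workaround example: requires NodePort on every Service; not a recommended production rule` would stop it being copied as-is. The rule is still named `check-host-path` (context line), which now matches neither the old nor the new check.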


@ -6,7 +6,10 @@ spec :
rules:
- name: check-non-root
resource:
kind: Deployment, StatefuleSet, DaemonSet
kinds:
- Deployment
- StatefuleSet
- DaemonSet
validate:
message: "Root user is not allowed"
pattern:
@ -14,4 +17,4 @@ spec :
template:
spec:
securityContext:
runAsNotRoot: true
runAsNonRoot: true
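Review bot: The new `kinds` list carries the misspelling `StatefuleSet` over from the old comma-separated value; there is no Kubernetes kind of that name, so the non-root rule will silently never apply to StatefulSets while the other two kinds are enforced. The line should read `- StatefulSet` (the probe policies in this same commit spell it correctly). The second hunk's `runAsNonRoot: true` fix is correct; the enclosing `validate:` pattern for it starts before that hunk.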


@ -1,30 +1,36 @@
apiVersion : kyverno.io/v1alpha1
kind: Policy
metadata:
kind : Policy
metadata :
name: check-probe-exists
spec:
rules:
- name: check-liveness-probe-exists
resource:
kinds:
kinds :
- StatefulSet
validate:
message: "a livenessProbe is required"
pattern:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: "?"
- resource:
kinds:
- Deployment
name: check-readinessprobe-exists
spec:
template:
spec:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: ">0"
- name: check-readiness-probe-exists
resource:
kinds :
- StatefulSet
validate:
message: "a readinessProbe is required"
pattern:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: "?"
spec:
template:
spec:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ">0"
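Review bot: The rewritten readiness rule now lists only `StatefulSet` under `kinds`, whereas the old second rule targeted `Deployment`, so Deployments are no longer checked for a readinessProbe by this policy; if that narrowing was not intended, add `- Deployment` to both rules' `kinds` lists. The new lines also introduce a space before the colon (`kind : Policy`, `metadata :`, `kinds :`), which yamllint flags and which the other policy files in this commit do not use; `kind: Policy`, `metadata:` and `kinds:` would be consistent. `periodSeconds: ">0"` is a sensible minimum, since a probe with a zero period is not meaningful.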


@ -1,30 +1,36 @@
apiVersion : kyverno.io/v1alpha1
kind: Policy
metadata:
kind : Policy
metadata :
name: check-probe-intervals
spec:
rules:
- name: check-probe-intervals
resource:
kinds:
kinds :
- Deployment
validate:
message: "livenessProbe must be > 10s"
pattern:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: ">10"
- resource:
kinds:
spec:
template:
spec:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
livenessProbe:
periodSeconds: ">10"
- name: check-probe-intervals
resource:
kinds :
- Deployment
name: check-readinessprobe-intervals
validate:
message: "readinessProbe must be > 10s"
pattern:
message: "readinessProbe must be > 10s"
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ">10"
spec:
template:
spec:
containers:
# In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ">10"
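Review bot: Both rules in the new policy are named `check-probe-intervals`, so the readiness rule can no longer be distinguished from the liveness rule in any message or report that refers to rules by name, and a duplicate rule name may be rejected outright depending on how the policy is validated. The second rule should keep a distinct name, e.g. `- name: check-readiness-probe-intervals`, matching the naming used in the probe-exists policy of this commit. The same space-before-colon style (`kind :`, `metadata :`, `kinds :`) appears here as in that file.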


@ -5,15 +5,17 @@ metadata:
spec:
rules:
- name: check-whitelist-registries
message: "Registry is not allowed"
resource:
kinds:
kinds:
- Deployment
- StatefulSet
validate:
message: "Registry is not allowed"
pattern:
template:
spec:
containers:
# Checks if the image path starts with "https://private.registry.io" OR "https://hub.docker.io/nirmata/*"
# If some property contains operator | as a normal part of its value, it should be escaped by backslash: "\|".
image: https://private.registry.io* | https://hub.docker.io/nirmata/*
spec:
template:
spec:
containers:
- name: "*"
# Checks if the image path starts with "https://hub.docker.io/nirmata/*"
image: https://hub.docker.io/nirmata/*
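Review bot: The new allow-list pattern `image: https://hub.docker.io/nirmata/*` will not match any real container image: Kubernetes image references carry no `https://` scheme, and the Docker Hub registry host in a reference is `docker.io`, so as written every Deployment and StatefulSet would fail this rule rather than only those pulling from outside the allowed namespace. A reference-shaped value, quoted so the trailing `*` cannot be misread, would be `image: "docker.io/nirmata/*"`. The comment on the line above should then describe the prefix being checked rather than a URL. The `spec:` of this rule begins before the hunk.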


@ -14,7 +14,6 @@ spec:
template:
spec:
containers:
# match images which end with :latest
- (image): "*:latest"
# set the imagePullPolicy to "Always"
imagePullPolicy: "Always"
# set the imagePullPolicy to "Always"
- (imagePullPolicy): "IfNotPresent"
imagePullPolicy: "Always"
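Review bot: The new overlay anchors on `(imagePullPolicy): "IfNotPresent"` instead of on the image tag, but the surviving comment only says "set the imagePullPolicy to Always" and does not say what is now being selected; as far as the hunk shows, any container already set to IfNotPresent is rewritten regardless of its image, while a container that omits imagePullPolicy (and so falls back to the default) is presumably left untouched. Replace the comment with one that states the condition, e.g. `# rewrite containers that explicitly set IfNotPresent to Always (not limited to :latest images)`. If the tag-based anchor was dropped as a workaround, naming that in the comment would keep readers from assuming the rule still targets `:latest`. The overlay's `template:` sits inside a rule that starts before the hunk.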


@ -6,17 +6,27 @@ spec :
rules:
- name: pCM1
resource:
kinds :
kinds :
- ConfigMap
name: "game-config"
mutate:
overlay:
data:
char.properties: |
Name=Ellen Ripley
Race=human
patches:
- path: "/data/ship.properties"
op: add
value: |
type=starship
owner=utany.corp
- path : "/data/newKey"
op : add
value : newValue
- name: pCM2
resource:
kinds :
kinds :
- ConfigMap
name: "game-config"
mutate:
@ -28,7 +38,7 @@ spec :
value : "data is replaced"
- name: pCM3
resource:
kinds :
kinds :
- ConfigMap
name: "game-config"
mutate:
@ -43,7 +53,7 @@ spec :
game.properties: "*enemies=aliens*"
- name: pCM4
resource:
kinds :
kinds :
- ConfigMap
name: "game-config"
validate:
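Review bot: Within the new `patches` list of rule pCM1 the two entries use different spellings of the same keys, `op: add` and `path:` on the first patch but `path :`, `op :` and `value :` on the second, and the same `kinds :` spacing is changed on every rule; yamllint's colon rule flags the space before the colon, and a reader can mistake it for a different key. Writing the second patch as `- path: "/data/newKey"`, `op: add`, `value: newValue` keeps the list uniform. The rule bodies for pCM2, pCM3 and pCM4 continue outside their hunks.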


@ -6,8 +6,15 @@ spec:
template:
spec:
containers:
- name: piv0
image: perl
command: ["perl"]
ports: dsvd12
- name: pi
image: perl
command: ["perl"]
- name: piv1
image: perl
command: ["perl"]
restartPolicy: Never
backoffLimit: 4
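Review bot: The added container `piv0` sets `ports: dsvd12`, a bare string where the Job schema expects a list of port objects, so applying this example resource directly will be rejected by the API server; if the value is deliberately malformed so that the `job2` overlay in this commit (which anchors on `(name): piv0` and supplies a `ports` list) has something to replace, that should be stated, e.g. `# placeholder: replaced by the job2 overlay in the matching policy`. All three containers also use the untagged image `perl`, which floats to whatever `latest` is at pull time; a pinned tag would make the example reproducible. The `template:` block opens before the hunk.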


@ -6,10 +6,22 @@ spec :
rules:
- name: job1
resource:
kinds:
kinds:
- Job
name: pi
mutate:
overlay:
metadata:
labels:
isOverlayed: "true"
spec:
template:
spec:
containers:
- name: "pi1"
image: "vasylev.perl"
- name: "pi2"
image: "maxov.perl"
patches:
- path : "/spec/template/spec/containers/0/command"
op : add
@ -24,3 +36,18 @@ spec :
template:
spec:
restartPolicy: Never
- name: job2
resource:
kinds:
- Job
name: pi
mutate:
overlay:
spec:
template:
spec:
containers:
- (name): piv0
ports:
- containerPort: 80
protocol: TCP
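Review bot: Rule job1 now both overlays two extra containers (`pi1`, `pi2`) onto the Job and, in the patches that follow, addresses a container by index (`/spec/template/spec/containers/0/command`); whether index 0 still refers to the original container after the overlay has added items depends on the order in which the overlay and the patches are applied, which the file does not state. A comment above `patches:` recording the assumed order (e.g. `# patches are assumed to run against the original container list; index 0 is the "pi" container`) would make the example robust to that ambiguity. The new `job2` rule also matches the same Job as `job1`, so both mutations apply to one resource; a sentence above `- name: job2` saying that is intended would help. The first hunk's patch list continues outside it.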


@ -13,6 +13,6 @@ template:
ports:
- containerPort: 80
protocol: TCP
restartPolicy: Always
restartPolicy: Never
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst


@ -6,12 +6,16 @@ spec:
rules:
- name: podtemplate1
resource:
kinds :
kinds :
- PodTemplate
selector:
matchLabels:
originalLabel: isHere
mutate:
overlay:
template:
spec:
restartPolicy: Always
patches:
- path: "/metadata/labels/app"
op : replace
@ -23,11 +27,11 @@ spec:
op : replace
value : mongodb
validate:
message: "Port 80 is not for redis"
message: "Port 80 is only allowed"
pattern:
template:
spec:
containers:
- name: "!redis"
- name: "*"
ports:
- containerPort: 80
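Review bot: The new validation message `"Port 80 is only allowed"` does not say what the pattern enforces: with `- name: "*"` every container in the template must declare a `containerPort: 80`, which (as the other examples in this commit note, each list item is checked against the pattern) fails a container that exposes no ports at all, while a container exposing port 80 alongside other ports would still pass, so "only" is not what is checked. Reword to match the rule, e.g. `message: "Every container must expose containerPort 80"`, or narrow the pattern if exclusivity is the goal. The `kinds :` spacing introduced here is inconsistent with the other policy files in this commit. The overlay and the validate block both belong to a rule that starts before the first hunk.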