From e2d5b0c1ef117ddf662e29153afcd5506a432bd4 Mon Sep 17 00:00:00 2001 From: Anton Kostenko Date: Thu, 23 May 2019 20:37:11 +0300 Subject: [PATCH] Updated examples --- examples/Validate/check_cpu_memory.yaml | 52 +++++++++---------- examples/Validate/check_hostpath.yaml | 12 +++-- examples/Validate/check_image_version.yaml | 16 +++--- examples/Validate/check_nodeport.yaml | 6 +-- examples/Validate/check_not_root.yaml | 7 ++- examples/Validate/check_probe_exists.yaml | 40 ++++++++------ examples/Validate/check_probe_intervals.yaml | 40 ++++++++------ .../Validate/check_whitelist_registries.yaml | 18 ++++--- .../overlay/policy_set_imagePullPolicy.yaml | 7 ++- test/ConfigMap/policy-CM.yaml | 18 +++++-- test/Job/job.yaml | 7 +++ test/Job/policy-job.yaml | 29 ++++++++++- test/PodTemplate/PodTemplate.yaml | 2 +- test/PodTemplate/policy-PodTemplate.yaml | 10 ++-- 14 files changed, 166 insertions(+), 98 deletions(-) diff --git a/examples/Validate/check_cpu_memory.yaml b/examples/Validate/check_cpu_memory.yaml index 00bac02e72..b1ab909b4e 100644 --- a/examples/Validate/check_cpu_memory.yaml +++ b/examples/Validate/check_cpu_memory.yaml 
@@ -6,33 +6,33 @@ spec: rules: - name: check-defined resource: - kinds: + kinds: - Deployment validate: - message: "Resource requests and limits are required for CPU and memory" - pattern: - spec: - containers: - - name: "*" - resources: - limits: - memory: "?" - cpu: "?" - requests: - memory: "?" - cpu: "?" - - name: check-memory-in-range - resource: - kinds: - - Deployment - validate: - message: "Memory request cannot be greater than 10Gi" + message: "Resource limits are required for CPU and memory" pattern: spec: - containers: - - name: "*" - resources: - requests: - # If the value contains logical operator, the integer after it will be checked. No numeric characters will be a part of pattern. - # The OR operator can combine the patterns with logical expressions and text patterns. - memory: "<10Gi|<1024Mi" \ No newline at end of file + template: + spec: + containers: + - name: "*" + resources: + limits: + memory: "*" + cpu: "*" + + - name: check-cpu + resource: + kinds: + - Deployment + validate: + message: "CPU request should be 4" + pattern: + spec: + template: + spec: + containers: + - name: "*" + resources: + requests: + cpu: "4" diff --git a/examples/Validate/check_hostpath.yaml b/examples/Validate/check_hostpath.yaml index 0ee2baf7b5..5ea7c8619e 100644 --- a/examples/Validate/check_hostpath.yaml +++ b/examples/Validate/check_hostpath.yaml @@ -6,11 +6,13 @@ spec: rules: - name: check-host-path resource: - kinds: + kinds: - Pod validate: - message: "Host path volumes are not allowed" + message: "Host path should be /var/log" pattern: - volumes: - - name: "*" - hostPath: null + spec: + volumes: + - (name): log + hostPath: + path: /var/log diff --git a/examples/Validate/check_image_version.yaml b/examples/Validate/check_image_version.yaml index 8d41e4eb92..75cd1eddc7 100644 --- a/examples/Validate/check_image_version.yaml +++ b/examples/Validate/check_image_version.yaml 
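Review bot: The new `check-cpu` rule compares the request against the exact string `cpu: "4"`, so a container requesting the equivalent quantity `4000m` is rejected unless the engine normalises resource quantities before matching, which nothing in the example shows. If a ceiling was intended, `cpu: "<=4"` in the style of the removed `<10Gi|<1024Mi` rule would demonstrate the comparison operators the old file used; if exact equality is the point, a comment such as `# requests.cpu must be literally "4"; equivalent forms such as 4000m do not match` should say so. Note also that `check-defined` now enforces only `limits` while the old rule required `requests` too; the message was updated to match, but the file name still promises both. The policy header (`apiVersion`/`metadata`) lies above the hunk.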
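Review bot: The rewritten `check-host-path` rule no longer prevents host path mounts: the conditional anchor `- (name): log` limits the check to a volume literally named `log`, so any other volume carrying `hostPath: {path: /}` passes validation, and the message `Host path should be /var/log` is only enforced for that one volume. The removed form (`- name: "*"` with `hostPath: null`) was the actual deny rule, and the new one is not a replacement for it. I would keep the deny as the example in this file and move the `/var/log` variant into a second rule with a comment such as `# only constrains the volume named "log"; other volumes may still use hostPath`, so a reader copying the example does not believe hostPath is blocked.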
@@ -5,13 +5,15 @@ metadata: spec: rules: - name: image-pull-policy - message: "Image tag ':latest' requires imagePullPolicy 'Always'" resource: - kinds: + kinds: - Deployment - overlay: - template: + validate: + message: "Image tag ':latest' requires imagePullPolicy 'Always'" + pattern: spec: - containers: - - image: "(*:latest)" # select images which end with :latest - imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always" \ No newline at end of file + template: + spec: + containers: + - (image): "*latest" # select images which end with :latest + imagePullPolicy: Always # ensure that the imagePullPolicy is "Always" diff --git a/examples/Validate/check_nodeport.yaml b/examples/Validate/check_nodeport.yaml index a8126e29b9..128075395b 100644 --- a/examples/Validate/check_nodeport.yaml +++ b/examples/Validate/check_nodeport.yaml @@ -6,10 +6,10 @@ spec: rules: - name: check-host-path resource: - kinds: + kinds: - Service validate: - message: "Node port services are not allowed" + message: "Only NodePort type is allowed" pattern: spec: - type: "!NodePort" \ No newline at end of file + type: "NodePort" diff --git a/examples/Validate/check_not_root.yaml b/examples/Validate/check_not_root.yaml index 12685e4e22..93234636e6 100644 --- a/examples/Validate/check_not_root.yaml +++ b/examples/Validate/check_not_root.yaml @@ -6,7 +6,10 @@ spec : rules: - name: check-non-root resource: - kind: Deployment, StatefuleSet, DaemonSet + kinds: + - Deployment + - StatefuleSet + - DaemonSet validate: message: "Root user is not allowed" pattern: @@ -14,4 +17,4 @@ spec : template: spec: securityContext: - runAsNotRoot: true + runAsNonRoot: true diff --git a/examples/Validate/check_probe_exists.yaml b/examples/Validate/check_probe_exists.yaml index b109baddef..9bd83521e5 100644 --- a/examples/Validate/check_probe_exists.yaml +++ b/examples/Validate/check_probe_exists.yaml 
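Review bot: The conditional anchor `- (image): "*latest"` no longer matches what the trailing comment says (`select images which end with :latest`): the wildcard also selects tags such as `1.0-latest` or a repository whose name ends in `latest`, for which forcing `imagePullPolicy: Always` is unrelated to the mutable-tag concern. The removed overlay used `*:latest`; the validate form should keep the colon, `- (image): "*:latest"`, or the comment should be widened to describe what is actually selected. An untagged image (`nginx`) implicitly resolves to `:latest` and is matched by neither spelling, which is worth a note in the comment.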
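Review bot: Flipping the pattern to `type: "NodePort"` with the message `Only NodePort type is allowed` inverts the example's intent: every ClusterIP Service is now rejected and the policy forces node-wide port exposure, which is the opposite of the hardening the file name `check_nodeport.yaml` suggests. The rule is also still named `check-host-path`, which looks like a copy from the hostPath example. If the rewrite only exists to exercise a positive match, a comment above the pattern saying so would avoid the example being copied as a real policy; otherwise restore `type: "!NodePort"` and the original message.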
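Review bot: `- StatefuleSet` in the new `kinds` list is misspelled, so the rule silently never matches a StatefulSet and root-running StatefulSet pods pass validation; correct it to `- StatefulSet`. The typo was already present in the removed `kind: Deployment, StatefulleSet, DaemonSet` line, but converting to a proper list was the moment to fix it, and a per-kind list makes the error easier to spot. The rule's `validate` block continues in the next hunk.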
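Review bot: `runAsNonRoot: true` is now the right field name, but it is checked only on the pod-level `spec.template.spec.securityContext`; a container that sets its own `securityContext.runAsNonRoot: false` overrides the pod value and still passes this rule. A second rule over `containers: - name: "*"` with `securityContext: runAsNonRoot: true` would close that gap if the engine can be made to tolerate containers that omit the field, otherwise a comment such as `# pod-level only; a container-level securityContext can override this` should be added so the limitation is explicit. The enclosing `check-non-root` rule begins in the previous hunk.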
@@ -1,30 +1,36 @@ apiVersion : kyverno.io/v1alpha1 -kind: Policy -metadata: +kind : Policy +metadata : name: check-probe-exists spec: rules: - name: check-liveness-probe-exists resource: - kinds: + kinds : - StatefulSet validate: message: "a livenessProbe is required" pattern: - containers: - # In this case every object in containers list will be checked for pattern - - name: "*" - livenessProbe: - periodSeconds: "?" - - resource: - kinds: - - Deployment - name: check-readinessprobe-exists + spec: + template: + spec: + containers: + # In this case every object in containers list will be checked for pattern + - name: "*" + livenessProbe: + periodSeconds: ">0" + - name: check-readiness-probe-exists + resource: + kinds : + - StatefulSet validate: message: "a readinessProbe is required" pattern: - containers: - # In this case every object in containers list will be checked for pattern - - name: "*" - readinessProbe: - periodSeconds: "?" + spec: + template: + spec: + containers: + # In this case every object in containers list will be checked for pattern + - name: "*" + readinessProbe: + periodSeconds: ">0" diff --git a/examples/Validate/check_probe_intervals.yaml b/examples/Validate/check_probe_intervals.yaml index 3e866ecebd..03c96f5092 100644 --- a/examples/Validate/check_probe_intervals.yaml +++ b/examples/Validate/check_probe_intervals.yaml 
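Review bot: Changing `periodSeconds: "?"` to `periodSeconds: ">0"` makes the rule reject a perfectly valid probe that omits `periodSeconds` and relies on the Kubernetes default of 10, while the message still reads `a livenessProbe is required`. Either keep the check and make the message honest (`message: "a livenessProbe with an explicit periodSeconds is required"`) or, if the engine supports a wildcard for a map value, match the probe object itself rather than one optional field. The readiness rule's kind also changed from `Deployment` to `StatefulSet`, so Deployments are no longer covered by this example; if that is intentional it is worth a comment, since the file name does not suggest it.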
@@ -1,30 +1,36 @@ apiVersion : kyverno.io/v1alpha1 -kind: Policy -metadata: +kind : Policy +metadata : name: check-probe-intervals spec: rules: - name: check-probe-intervals resource: - kinds: + kinds : - Deployment validate: message: "livenessProbe must be > 10s" pattern: - containers: - # In this case every object in containers list will be checked for pattern - - name: "*" - livenessProbe: - periodSeconds: ">10" - - resource: - kinds: + spec: + template: + spec: + containers: + # In this case every object in containers list will be checked for pattern + - name: "*" + livenessProbe: + periodSeconds: ">10" + - name: check-probe-intervals + resource: + kinds : - Deployment - name: check-readinessprobe-intervals validate: + message: "readinessProbe must be > 10s" pattern: - message: "readinessProbe must be > 10s" - containers: - # In this case every object in containers list will be checked for pattern - - name: "*" - readinessProbe: - periodSeconds: ">10" + spec: + template: + spec: + containers: + # In this case every object in containers list will be checked for pattern + - name: "*" + readinessProbe: + periodSeconds: ">10" diff --git a/examples/Validate/check_whitelist_registries.yaml b/examples/Validate/check_whitelist_registries.yaml index 40b6beb7eb..05ee1fccad 100644 --- a/examples/Validate/check_whitelist_registries.yaml +++ b/examples/Validate/check_whitelist_registries.yaml 
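Review bot: Both rules in this policy are now named `check-probe-intervals`; the removed line carried the distinct name `check-readinessprobe-intervals`. Duplicate rule names make violation reports ambiguous (which probe failed?) and may be rejected by the engine if it enforces uniqueness. Rename the second rule, e.g. `- name: check-readiness-probe-intervals`, to match the `check-readiness-probe-exists` naming used in the sibling file.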
@@ -5,15 +5,17 @@ metadata: spec: rules: - name: check-whitelist-registries - message: "Registry is not allowed" resource: - kinds: + kinds: - Deployment + - StatefulSet validate: + message: "Registry is not allowed" pattern: - template: - spec: - containers: - # Checks if the image path starts with "https://private.registry.io" OR "https://hub.docker.io/nirmata/*" - # If some property contains operator | as a normal part of its value, it should be escaped by backslash: "\|". - image: https://private.registry.io* | https://hub.docker.io/nirmata/* + spec: + template: + spec: + containers: + - name: "*" + # Checks if the image path starts with "https://hub.docker.io/nirmata/*" + image: https://hub.docker.io/nirmata/* diff --git a/examples/mutate/overlay/policy_set_imagePullPolicy.yaml b/examples/mutate/overlay/policy_set_imagePullPolicy.yaml index 0bf8a3331c..342a4f38c2 100644 --- a/examples/mutate/overlay/policy_set_imagePullPolicy.yaml +++ b/examples/mutate/overlay/policy_set_imagePullPolicy.yaml @@ -14,7 +14,6 @@ spec: template: spec: containers: - # match images which end with :latest - - (image): "*:latest" - # set the imagePullPolicy to "Always" - imagePullPolicy: "Always" \ No newline at end of file + # set the imagePullPolicy to "Always" + - (imagePullPolicy): "IfNotPresent" + imagePullPolicy: "Always" diff --git a/test/ConfigMap/policy-CM.yaml b/test/ConfigMap/policy-CM.yaml index 4cef6e1084..b50a522ec6 100644 --- a/test/ConfigMap/policy-CM.yaml +++ b/test/ConfigMap/policy-CM.yaml @@ -6,17 +6,27 @@ spec : rules: - name: pCM1 resource: - kinds : + kinds : - ConfigMap name: "game-config" mutate: + overlay: + data: + char.properties: | + Name=Ellen Ripley + Race=human patches: + - path: "/data/ship.properties" + op: add + value: | + type=starship + owner=utany.corp - path : "/data/newKey" op : add value : newValue - name: pCM2 resource: - kinds : + kinds : - ConfigMap name: "game-config" mutate: 
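Review bot: `image: https://hub.docker.io/nirmata/*` can never match a real container image reference: image strings carry no URL scheme, and Docker Hub images are written as `docker.io/nirmata/foo:tag` or simply `nirmata/foo`. As written, every Deployment and StatefulSet fails with `Registry is not allowed`, which turns the whitelist example into a deny-all. Use `image: "docker.io/nirmata/*"` and mention in the comment that the scheme-less short form `nirmata/*` needs its own alternative (the `|` operator the removed lines documented), otherwise images that omit the registry are rejected too.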
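Review bot: The new conditional anchor `- (imagePullPolicy): "IfNotPresent"` only mutates containers that already spell out `IfNotPresent`; the common case where `imagePullPolicy` is omitted (and defaults to `IfNotPresent` for tagged images), as well as `Never`, is left untouched, and the tie to mutable `:latest` tags from the removed `(image): "*:latest"` anchor is gone entirely. If the image anchor was dropped because it did not work with the overlay engine, a comment recording that would save the next reader from re-adding it; otherwise `- (image): "*:latest"` expresses the policy the file name advertises. The surrounding rule and its `kinds` are above the hunk.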
@@ -28,7 +38,7 @@ spec : value : "data is replaced" - name: pCM3 resource: - kinds : + kinds : - ConfigMap name: "game-config" mutate: @@ -43,7 +53,7 @@ spec : game.properties: "*enemies=aliens*" - name: pCM4 resource: - kinds : + kinds : - ConfigMap name: "game-config" validate: diff --git a/test/Job/job.yaml b/test/Job/job.yaml index c569475ff7..da7ffd1c30 100644 --- a/test/Job/job.yaml +++ b/test/Job/job.yaml @@ -6,8 +6,15 @@ spec: template: spec: containers: + - name: piv0 + image: perl + command: ["perl"] + ports: dsvd12 - name: pi image: perl command: ["perl"] + - name: piv1 + image: perl + command: ["perl"] restartPolicy: Never backoffLimit: 4 diff --git a/test/Job/policy-job.yaml b/test/Job/policy-job.yaml index 8cc7dc84ff..6022e11efe 100644 --- a/test/Job/policy-job.yaml +++ b/test/Job/policy-job.yaml @@ -6,10 +6,22 @@ spec : rules: - name: job1 resource: - kinds: + kinds: - Job name: pi mutate: + overlay: + metadata: + labels: + isOverlayed: "true" + spec: + template: + spec: + containers: + - name: "pi1" + image: "vasylev.perl" + - name: "pi2" + image: "maxov.perl" patches: - path : "/spec/template/spec/containers/0/command" op : add @@ -24,3 +36,18 @@ spec : template: spec: restartPolicy: Never + - name: job2 + resource: + kinds: + - Job + name: pi + mutate: + overlay: + spec: + template: + spec: + containers: + - (name): piv0 + ports: + - containerPort: 80 + protocol: TCP diff --git a/test/PodTemplate/PodTemplate.yaml b/test/PodTemplate/PodTemplate.yaml index 08c1fb5239..a393551059 100644 --- a/test/PodTemplate/PodTemplate.yaml +++ b/test/PodTemplate/PodTemplate.yaml @@ -13,6 +13,6 @@ template: ports: - containerPort: 80 protocol: TCP - restartPolicy: Always + restartPolicy: Never terminationGracePeriodSeconds: 30 dnsPolicy: ClusterFirst diff --git a/test/PodTemplate/policy-PodTemplate.yaml b/test/PodTemplate/policy-PodTemplate.yaml index e2732b8fab..232be6c499 100644 --- a/test/PodTemplate/policy-PodTemplate.yaml 
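Review bot: In `test/Job/job.yaml` the new container `piv0` carries `ports: dsvd12`, which is a plain string where the Pod schema requires a list of ContainerPort objects; the API server would reject the Job before any policy runs. If the intent is to verify that the `job2` overlay in `policy-job.yaml` (anchored on `(name): piv0`) replaces a scalar with a list, that should be stated in a comment, e.g. `# intentionally invalid: the job2 overlay is expected to replace this with a list`, because overlay behaviour on a type mismatch is engine-specific and the fixture otherwise reads as a typo. If not intentional, drop the line and let the overlay add `ports`.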
+++ b/test/PodTemplate/policy-PodTemplate.yaml @@ -6,12 +6,16 @@ spec: rules: - name: podtemplate1 resource: - kinds : + kinds : - PodTemplate selector: matchLabels: originalLabel: isHere mutate: + overlay: + template: + spec: + restartPolicy: Always patches: - path: "/metadata/labels/app" op : replace @@ -23,11 +27,11 @@ spec: op : replace value : mongodb validate: - message: "Port 80 is not for redis" + message: "Port 80 is only allowed" pattern: template: spec: containers: - - name: "!redis" + - name: "*" ports: - containerPort: 80
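Review bot: The new message `Port 80 is only allowed` does not describe what the pattern checks: with `- name: "*"` and a single `- containerPort: 80` entry, every container must expose port 80, but a container exposing 80 and 22 still passes, so nothing restricts ports to "only" 80. Reword to match the semantics, `message: "Every container must expose containerPort 80"`, or, if the aim really is to forbid other ports, the pattern needs a negation on `containerPort` rather than a positive match on 80. The `mutate` overlay above sets `restartPolicy: Always` while the fixture in `PodTemplate.yaml` was switched to `Never`, which looks deliberate for the mutation test but deserves a one-line comment in the fixture.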