
Updated examples

This commit is contained in:
Anton Kostenko 2019-05-23 20:37:11 +03:00
parent 2bed831aff
commit e2d5b0c1ef
14 changed files with 166 additions and 98 deletions


@ -6,33 +6,33 @@ spec:
rules: rules:
- name: check-defined - name: check-defined
resource: resource:
kinds: kinds:
- Deployment - Deployment
validate: validate:
message: "Resource requests and limits are required for CPU and memory" message: "Resource limits are required for CPU and memory"
pattern:
spec:
containers:
- name: "*"
resources:
limits:
memory: "?"
cpu: "?"
requests:
memory: "?"
cpu: "?"
- name: check-memory-in-range
resource:
kinds:
- Deployment
validate:
message: "Memory request cannot be greater than 10Gi"
pattern: pattern:
spec: spec:
containers: template:
- name: "*" spec:
resources: containers:
requests: - name: "*"
# If the value contains logical operator, the integer after it will be checked. No numeric characters will be a part of pattern. resources:
# The OR operator can combine the patterns with logical expressions and text patterns. limits:
memory: "<10Gi|<1024Mi" memory: "*"
cpu: "*"
- name: check-cpu
resource:
kinds:
- Deployment
validate:
message: "CPU request should be 4"
pattern:
spec:
template:
spec:
containers:
- name: "*"
resources:
requests:
cpu: "4"
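Review bot: The `check-defined` pattern only walks `spec.template.spec.containers`, so an initContainer with no `resources.limits` is admitted unchecked; if the intent is to bound every container in the pod, add a parallel `initContainers:` stanza carrying the same `resources: limits: memory: "*" cpu: "*"` pattern. The rule also lists only `Deployment` under `kinds`, so the identical pod template in a StatefulSet, DaemonSet, Job or bare Pod is not covered. Whether the `"*"` wildcard accepts an empty string for `memory`/`cpu` depends on the pattern engine and is not visible here.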


@ -6,11 +6,13 @@ spec:
rules: rules:
- name: check-host-path - name: check-host-path
resource: resource:
kinds: kinds:
- Pod - Pod
validate: validate:
message: "Host path volumes are not allowed" message: "Host path should be /var/log"
pattern: pattern:
volumes: spec:
- name: "*" volumes:
hostPath: null - (name): log
hostPath:
path: /var/log
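Review bot: The anchor `- (name): log` narrows `check-host-path` to a volume literally named `log`, so a hostPath volume under any other name, or a second hostPath volume alongside `log`, is admitted without any check, and `path: /var/log` is enforced only for that one volume. If the intent is to allow hostPath only at `/var/log`, the condition should be on the `hostPath` key rather than the volume name (for example `- (hostPath): {path: /var/log}`, if this version supports a conditional anchor on a map-valued key); a plain `- name: "*"` would instead require every volume, including emptyDir volumes, to carry a hostPath. A comment above `volumes:` stating which volumes the rule is meant to constrain would make the narrowing explicit.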


@ -5,13 +5,15 @@ metadata:
spec: spec:
rules: rules:
- name: image-pull-policy - name: image-pull-policy
message: "Image tag ':latest' requires imagePullPolicy 'Always'"
resource: resource:
kinds: kinds:
- Deployment - Deployment
overlay: validate:
template: message: "Image tag ':latest' requires imagePullPolicy 'Always'"
pattern:
spec: spec:
containers: template:
- image: "(*:latest)" # select images which end with :latest spec:
imagePullPolicy: "Always" # ensure that the imagePullPolicy is "Always" containers:
- (image): "*latest" # select images which end with :latest
imagePullPolicy: Always # ensure that the imagePullPolicy is "Always"
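Review bot: The anchor `(image): "*latest"` is both broader and narrower than the tag it is meant to catch: it also selects images whose repository name merely ends in `latest` (e.g. `repo/applatest:1.2`), while an image with no tag at all, which the runtime resolves to `:latest`, is not selected. Keep the tag separator in the glob, `- (image): "*:latest"`, and consider a second anchor for tag-less references if those should also be forced to `imagePullPolicy: Always`. The inline comment `# select images which end with :latest` describes `*:latest`, not the pattern as written.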


@ -6,10 +6,10 @@ spec:
rules: rules:
- name: check-host-path - name: check-host-path
resource: resource:
kinds: kinds:
- Service - Service
validate: validate:
message: "Node port services are not allowed" message: "Only NodePort type is allowed"
pattern: pattern:
spec: spec:
type: "!NodePort" type: "NodePort"
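Review bot: The pattern `type: "NodePort"` inverts the control the old rule expressed: rather than forbidding NodePort, which exposes the port on every node's IP, it now denies every Service that is not NodePort, including a ClusterIP Service that omits `type` (whether an absent field can satisfy a literal pattern depends on whether API defaulting runs before the webhook, which is not visible here). If the inversion is intentional, the rule name `check-host-path` is a copy-paste leftover in a Service policy and should be renamed, e.g. `- name: restrict-service-type`; if not, `type: "!NodePort"` with the original message is the safer example.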


@ -6,7 +6,10 @@ spec :
rules: rules:
- name: check-non-root - name: check-non-root
resource: resource:
kind: Deployment, StatefuleSet, DaemonSet kinds:
- Deployment
- StatefuleSet
- DaemonSet
validate: validate:
message: "Root user is not allowed" message: "Root user is not allowed"
pattern: pattern:
@ -14,4 +17,4 @@ spec :
template: template:
spec: spec:
securityContext: securityContext:
runAsNotRoot: true runAsNonRoot: true
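Review bot: `StatefuleSet` in the new `kinds` list is misspelled, so it matches no resource and StatefulSets silently bypass `check-non-root`; it should read `- StatefulSet`. The pattern also only checks the pod-level `securityContext.runAsNonRoot`, and a container-level `securityContext.runAsNonRoot: false` takes precedence over the pod setting, so a single container can opt out; a second stanza over `containers` with `- name: "*"` and `securityContext: runAsNonRoot: true` would close that, at the cost of requiring the field on every container. The pod spec block this hunk belongs to starts above the hunk.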


@ -1,30 +1,36 @@
apiVersion : kyverno.io/v1alpha1 apiVersion : kyverno.io/v1alpha1
kind: Policy kind : Policy
metadata: metadata :
name: check-probe-exists name: check-probe-exists
spec: spec:
rules: rules:
- name: check-liveness-probe-exists - name: check-liveness-probe-exists
resource: resource:
kinds: kinds :
- StatefulSet - StatefulSet
validate: validate:
message: "a livenessProbe is required" message: "a livenessProbe is required"
pattern: pattern:
containers: spec:
# In this case every object in containers list will be checked for pattern template:
- name: "*" spec:
livenessProbe: containers:
periodSeconds: "?" # In this case every object in containers list will be checked for pattern
- resource: - name: "*"
kinds: livenessProbe:
- Deployment periodSeconds: ">0"
name: check-readinessprobe-exists - name: check-readiness-probe-exists
resource:
kinds :
- StatefulSet
validate: validate:
message: "a readinessProbe is required" message: "a readinessProbe is required"
pattern: pattern:
containers: spec:
# In this case every object in containers list will be checked for pattern template:
- name: "*" spec:
readinessProbe: containers:
periodSeconds: "?" # In this case every object in containers list will be checked for pattern
- name: "*"
readinessProbe:
periodSeconds: ">0"
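Review bot: `periodSeconds: ">0"` makes both rules depend on the caller spelling out `periodSeconds`, which is optional in the Probe schema and defaults to 10, so a manifest that declares a probe but leaves the period to the default is denied with `a livenessProbe is required` — unless API defaulting has already populated the field when the webhook sees the object, which is not visible here. Either the message should state what is actually checked, e.g. `a livenessProbe with an explicit periodSeconds > 0 is required`, or the comment above `- name: "*"` should explain that the field is used as an existence proxy. Note the readiness rule's `kinds` changed from Deployment to StatefulSet in this commit, so Deployments are no longer covered by this policy at all.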


@ -1,30 +1,36 @@
apiVersion : kyverno.io/v1alpha1 apiVersion : kyverno.io/v1alpha1
kind: Policy kind : Policy
metadata: metadata :
name: check-probe-intervals name: check-probe-intervals
spec: spec:
rules: rules:
- name: check-probe-intervals - name: check-probe-intervals
resource: resource:
kinds: kinds :
- Deployment - Deployment
validate: validate:
message: "livenessProbe must be > 10s" message: "livenessProbe must be > 10s"
pattern: pattern:
containers: spec:
# In this case every object in containers list will be checked for pattern template:
- name: "*" spec:
livenessProbe: containers:
periodSeconds: ">10" # In this case every object in containers list will be checked for pattern
- resource: - name: "*"
kinds: livenessProbe:
periodSeconds: ">10"
- name: check-probe-intervals
resource:
kinds :
- Deployment - Deployment
name: check-readinessprobe-intervals
validate: validate:
message: "readinessProbe must be > 10s"
pattern: pattern:
message: "readinessProbe must be > 10s" spec:
containers: template:
# In this case every object in containers list will be checked for pattern spec:
- name: "*" containers:
readinessProbe: # In this case every object in containers list will be checked for pattern
periodSeconds: ">10" - name: "*"
readinessProbe:
periodSeconds: ">10"
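Review bot: Both rules in this policy are now named `check-probe-intervals` (the first at the top of the hunk, the second added after the liveness pattern), so a denial can no longer be attributed to the rule that produced it; the second should keep its old distinct name, `- name: check-readiness-probe-intervals`. Whether the engine rejects duplicate rule names at policy creation is not visible here, so do not rely on that.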


@ -5,15 +5,17 @@ metadata:
spec: spec:
rules: rules:
- name: check-whitelist-registries - name: check-whitelist-registries
message: "Registry is not allowed"
resource: resource:
kinds: kinds:
- Deployment - Deployment
- StatefulSet
validate: validate:
message: "Registry is not allowed"
pattern: pattern:
template: spec:
spec: template:
containers: spec:
# Checks if the image path starts with "https://private.registry.io" OR "https://hub.docker.io/nirmata/*" containers:
# If some property contains operator | as a normal part of its value, it should be escaped by backslash: "\|". - name: "*"
image: https://private.registry.io* | https://hub.docker.io/nirmata/* # Checks if the image path starts with "https://hub.docker.io/nirmata/*"
image: https://hub.docker.io/nirmata/*
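Review bot: `image: https://hub.docker.io/nirmata/*` can never match a real image reference: image references carry no URL scheme and Docker Hub's registry host is `docker.io` (`index.docker.io`), not `hub.docker.io`, so every Deployment and StatefulSet this rule sees is denied with `Registry is not allowed`. Use the reference form the kubelet sees, `image: "docker.io/nirmata/*"`, and add a comment that a short name such as `nirmata/app` is normalized to that host by the runtime but will not match a pattern that spells the host, so an allow-list needs both forms or a preceding mutation that fully qualifies the image. `initContainers` are not covered by this pattern either.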


@ -14,7 +14,6 @@ spec:
template: template:
spec: spec:
containers: containers:
# match images which end with :latest # set the imagePullPolicy to "Always"
- (image): "*:latest" - (imagePullPolicy): "IfNotPresent"
# set the imagePullPolicy to "Always" imagePullPolicy: "Always"
imagePullPolicy: "Always"
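Review bot: The new anchor `(imagePullPolicy): "IfNotPresent"` drops the tag condition, so the overlay rewrites the pull policy of any container that explicitly sets `IfNotPresent` — including images pinned by digest, where a forced re-pull buys nothing — while a `:latest` container that omits `imagePullPolicy` (the case the old `(image): "*:latest"` anchor caught) is untouched unless defaulting populates the field before admission, which is not visible here. If the intent is still to force `Always` for mutable tags, anchor on the image instead: `- (image): "*:latest"` followed by `imagePullPolicy: "Always"`, and let the comment above it say why. The enclosing rule starts above the hunk.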


@ -6,17 +6,27 @@ spec :
rules: rules:
- name: pCM1 - name: pCM1
resource: resource:
kinds : kinds :
- ConfigMap - ConfigMap
name: "game-config" name: "game-config"
mutate: mutate:
overlay:
data:
char.properties: |
Name=Ellen Ripley
Race=human
patches: patches:
- path: "/data/ship.properties"
op: add
value: |
type=starship
owner=utany.corp
- path : "/data/newKey" - path : "/data/newKey"
op : add op : add
value : newValue value : newValue
- name: pCM2 - name: pCM2
resource: resource:
kinds : kinds :
- ConfigMap - ConfigMap
name: "game-config" name: "game-config"
mutate: mutate:
@ -28,7 +38,7 @@ spec :
value : "data is replaced" value : "data is replaced"
- name: pCM3 - name: pCM3
resource: resource:
kinds : kinds :
- ConfigMap - ConfigMap
name: "game-config" name: "game-config"
mutate: mutate:
@ -43,7 +53,7 @@ spec :
game.properties: "*enemies=aliens*" game.properties: "*enemies=aliens*"
- name: pCM4 - name: pCM4
resource: resource:
kinds : kinds :
- ConfigMap - ConfigMap
name: "game-config" name: "game-config"
validate: validate:
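Review bot: The new `patches` entry `add` at `/data/ship.properties` requires the `/data` parent to already exist (RFC 6902 `add` does not create intermediate objects), so on a ConfigMap created without `data` the patch fails unless the `overlay` in the same rule has already created `data` — the order in which overlay and patches are applied within one rule is not visible here and deserves a comment above `patches:`. If the patch must be robust on its own, add `/data` with an empty map first. The `pCM1` rule is the only one in this section with both an overlay and patches, so it is the example readers will copy.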


@ -6,8 +6,15 @@ spec:
template: template:
spec: spec:
containers: containers:
- name: piv0
image: perl
command: ["perl"]
ports: dsvd12
- name: pi - name: pi
image: perl image: perl
command: ["perl"] command: ["perl"]
- name: piv1
image: perl
command: ["perl"]
restartPolicy: Never restartPolicy: Never
backoffLimit: 4 backoffLimit: 4
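Review bot: `ports: dsvd12` on container `piv0` is not a valid value: `ports` must be a list of ContainerPort objects, so this Job manifest fails API schema validation before any policy runs, or, if fed straight to an engine test, exercises a deserialization error rather than the overlay it seems intended to pair with. If this is a fixture for the `(name): piv0` port overlay, start from a valid field (`ports: []`) or omit `ports` so the overlay adds it.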


@ -6,10 +6,22 @@ spec :
rules: rules:
- name: job1 - name: job1
resource: resource:
kinds: kinds:
- Job - Job
name: pi name: pi
mutate: mutate:
overlay:
metadata:
labels:
isOverlayed: "true"
spec:
template:
spec:
containers:
- name: "pi1"
image: "vasylev.perl"
- name: "pi2"
image: "maxov.perl"
patches: patches:
- path : "/spec/template/spec/containers/0/command" - path : "/spec/template/spec/containers/0/command"
op : add op : add
@ -24,3 +36,18 @@ spec :
template: template:
spec: spec:
restartPolicy: Never restartPolicy: Never
- name: job2
resource:
kinds:
- Job
name: pi
mutate:
overlay:
spec:
template:
spec:
containers:
- (name): piv0
ports:
- containerPort: 80
protocol: TCP
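Review bot: The `job1` rule now pairs an overlay that adds containers `pi1` and `pi2` with a JSON patch at `/spec/template/spec/containers/0/command`; if overlays run before patches and the overlay inserts rather than appends, index `0` no longer points at `pi` and the patch rewrites the wrong container — the ordering is not visible here, so a comment above `patches:` stating it (or a test pinning it) is needed. The injected `image: "vasylev.perl"` and `image: "maxov.perl"` carry no registry or tag and would be normalized to `docker.io/library/<name>:latest`; containers injected by policy sit inside the trust boundary and should be fully qualified and pinned. `job2` targets the same Job with a second overlay, so the final object also depends on rule ordering.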


@ -13,6 +13,6 @@ template:
ports: ports:
- containerPort: 80 - containerPort: 80
protocol: TCP protocol: TCP
restartPolicy: Always restartPolicy: Never
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst


@ -6,12 +6,16 @@ spec:
rules: rules:
- name: podtemplate1 - name: podtemplate1
resource: resource:
kinds : kinds :
- PodTemplate - PodTemplate
selector: selector:
matchLabels: matchLabels:
originalLabel: isHere originalLabel: isHere
mutate: mutate:
overlay:
template:
spec:
restartPolicy: Always
patches: patches:
- path: "/metadata/labels/app" - path: "/metadata/labels/app"
op : replace op : replace
@ -23,11 +27,11 @@ spec:
op : replace op : replace
value : mongodb value : mongodb
validate: validate:
message: "Port 80 is not for redis" message: "Port 80 is only allowed"
pattern: pattern:
template: template:
spec: spec:
containers: containers:
- name: "!redis" - name: "*"
ports: ports:
- containerPort: 80 - containerPort: 80
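Review bot: The message `Port 80 is only allowed` reads as the opposite of its intent; `Only port 80 is allowed` is unambiguous. With the anchor changed from `"!redis"` to `"*"`, the pattern now requires every container to declare a port entry matching `containerPort: 80`, so a container with no `ports` at all is denied; whether a container listing 80 alongside 8080 passes depends on whether list patterns require all elements or any element to match, which is not visible here and is worth a comment on the `ports:` line. The rule this validate block belongs to starts above the hunk.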