
remove old policies

This commit is contained in:
shivkumar dudhani 2019-10-14 14:58:44 -07:00
parent a4a0a27472
commit e6920b79ea
51 changed files with 0 additions and 1547 deletions


@ -1,20 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: game-config
namespace: default
labels:
originalLabel : isHere
data:
ui.properties : |
color.good=green
color.bad=red
game.properties : |
enemies=predators
lives=3
configmap.data: |
ns=default
labels=originalLabel
labelscount=1


@ -1,7 +0,0 @@
kind: Namespace
apiVersion: v1
metadata:
name: "ns2"
labels:
LabelForSelector : "namespace2"


@ -1,20 +0,0 @@
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata :
name: "policy-configmapgenerator-test"
spec:
rules:
- name: "copyCM"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
name : copied-cm
clone:
namespace : default
name : game-config


@ -1,93 +0,0 @@
# This is a test-policy with patch, configMapGenerator with and without "copyFrom" option,
# secretGenerator with and without "copyFrom" option.
# To apply this policy you need to create secret and configMap in "default" namespace
# and then create a namespace
apiVersion : kyverno.io/v1alpha1
kind : ClusterPolicy
metadata :
name : "policy-ns-patch-cmg-sg"
spec :
rules:
- name: "patchNamespace2"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
mutate:
patches:
- path: "/metadata/labels/isMutatedByPolicy"
op: add
value: "true"
- name: "copyCM"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
name : copied-cm
clone:
namespace : default
name : game-config
- name: "generateCM"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
name : generated-cm
data :
data:
secretData: "very sensitive data from cmg"
database: mongodb
database_uri: mongodb://localhost:27017
keys: |
image.public.key=771
rsa.public.key=42
- name: "generateSecret"
match:
resources:
kinds :
- Namespace
name: ns2
generate :
kind: Secret
name : generated-secrets
data :
foo : bar
app.properties : /
foo1=bar1
foo2=bar2
ui.properties : /
foo1=bar1
foo2=bar2
- name: "copySecret"
match:
resources:
kinds :
- Namespace
name: ns2
generate :
kind: Secret
name : copied-secrets
copyFrom :
namespace : default
name : mysecret
data :
foo : bar
secretData: "data from sg"


@ -1,10 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: mysecret
labels:
originalLabel : isHere
type: Opaque
data:
username: dXNlcg==
password: cGFzc3dvcmQ=


@ -1,62 +0,0 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello
labels :
label : "original"
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: hello
image: busybox
args:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
restartPolicy: OnFailure
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hellow
labels :
label : "original"
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: 12hello
image: busybox
args:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
restartPolicy: OnFailure
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: hello23
labels:
label: "original"
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: hel32lo
image: busybox
args:
- /bin/sh
- -c
- date; echo Hello from the Kubernetes cluster
restartPolicy: OnFailure


@ -1,39 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: policy-cronjob
spec:
rules:
- name: pCJ
match:
resources:
kinds :
- CronJob
name: "?ell*"
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/schedule"
op : replace
value : "* */1 * * *"
- path: "/metadata/labels/label"
op: add
value: "not_original"
- path: "/metadata/labels/label234e3"
op: remove
validate:
message: "This resource is broken"
pattern:
metadata:
labels:
label: "not_original"
spec:
jobTemplate:
spec:
template:
spec:
containers:
- name: "h*"
image: busybox


@ -1,43 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: fluentd-elasticsearch
namespace: kube-system
labels:
k8s-app: fluentd-logging
originalLabel : isHere
spec:
selector:
matchLabels:
name: fluentd-elasticsearch
template:
metadata:
labels:
name: fluentd-elasticsearch
spec:
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
containers:
- name: fluentd-elasticsearch
image: k8s.gcr.io/fluentd-elasticsearch:1.20
resources:
limits:
memory: 200Mi
requests:
cpu: 100m
memory: 200Mi
volumeMounts:
- name: varlog
mountPath: /var/log
- name: varlibdockercontainers
mountPath: /var/lib/docker/containers
readOnly: true
terminationGracePeriodSeconds: 30
volumes:
- name: varlog
hostPath:
path: /var/log
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers


@ -1,29 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: policy-daemonset
spec:
rules:
- name: "Patch and Volume validation"
match:
resources:
kinds:
- DaemonSet
name: fluentd-elasticsearch
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
validate:
message: "This daemonset is broken"
pattern:
spec:
template:
spec:
containers:
volumeMounts:
- name: varlibdockercontainers
readOnly: false


@ -1,21 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.7.9
ports:
- containerPort: 80


@ -1,25 +0,0 @@
apiVersion : kyverno.io/v1alpha1
kind : ClusterPolicy
metadata :
name : policy-deployment
spec :
rules:
- name: "First policy v2"
match:
resources:
kinds :
- Deployment
mutate:
patches:
- path: /metadata/labels/isMutated
op: add
value: "true"
- path: /metadata/labels/app
op: replace
value: "nginx_is_mutated"
validate:
message: "Because I like only mutated resources"
pattern:
metadata:
labels:
app: "*mutated"


@ -1,13 +0,0 @@
apiVersion: v1
kind: Endpoints
metadata:
name: test-endpoint
labels:
label : test
subsets:
- addresses:
- ip: 192.168.10.171
ports:
- name: secure-connection
port: 443
protocol: TCP


@ -1,34 +0,0 @@
apiVersion : kyverno.io/v1alpha1
kind : ClusterPolicy
metadata :
name : policy-endpoints
spec :
rules:
- name: pEP
match:
resources:
kinds :
- Endpoints
selector:
matchLabels:
label : test
mutate:
patches:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
- path : "/subsets/0"
op: add
value:
addresses:
- ip: "192.168.10.172"
ports:
- name: load-balancer-connection
port: 80
protocol: UDP
validate:
message: "This resource has wrong IP"
pattern:
subsets:
- addresses:
- ip: "192.168.10.171|192.168.10.172"


@ -1,22 +0,0 @@
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: wildfly-example
labels:
originalLabel: isHere
spec:
scaleTargetRef:
apiVersion: extensions/v1beta1
kind: Deployment
name: wildfly-example
minReplicas: 1
maxReplicas: 5
metrics:
- type: Resource
resource:
name: cpu
targetAverageUtilization: 80
- type: Resource
resource:
name: memory
targetAverageValue: 1000Mi


@ -1,32 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: policy-hpa
spec :
rules:
- name: hpa1
match:
resources:
kinds :
- HorizontalPodAutoscaler
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- op: replace
path: "/spec/metrics/1/resource/targetAverageValue"
value: "959Mi"
validate:
message: "There is wrong resorce request or apiVersion"
pattern:
spec:
scaleTargetRef:
apiVersion: extensions/v1beta1
# metrics:
# - type: Resource
# resource:
# name: cpu|memory


@ -1,16 +0,0 @@
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: test-ingress
labels:
originalLabel: isHere
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: testprod
servicePort: 80


@ -1,32 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata :
name : policy-ingress
spec :
rules:
- name: ingress1
match:
resources:
kinds :
- Ingress
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/rules/0/http/paths/0/path"
op : replace
value: "/mutatedpath"
validate:
message: "Ingress allowed only for prod services"
pattern:
spec:
rules:
- http:
paths:
- path: "*"
backend:
serviceName: "*prod"


@ -1,22 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: pi
spec:
template:
spec:
containers:
- name: piv0
image: perl
command: ["perl"]
ports:
- containerPort: 90
protocol: TCP
- name: pi
image: perl
command: ["perl"]
- name: piv1
image: perl
command: ["perl"]
restartPolicy: Never
backoffLimit: 4


@ -1,55 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: policy-job-perl-bigint
spec :
rules:
- name: job2
match:
resources:
kinds:
- Job
name: pi
mutate:
overlay:
spec:
template:
spec:
containers:
- (name): piv0
ports:
- containerPort: 80
protocol: TCP
- name: job1
match:
resources:
kinds:
- Job
name: pi
mutate:
overlay:
metadata:
labels:
isOverlayed: "true"
spec:
template:
spec:
containers:
- name: "pi1"
image: "vasylev.perl"
- name: "pi2"
image: "maxov.perl"
patches:
- path : "/spec/template/spec/containers/0/command"
op : add
value: [ "-Mbignum=bpi", "-wle", "print bpi(2000)" ]
- path : "/spec/backoffLimit"
op: add
value: 10
validate:
message: "This job should not be restarted"
pattern:
spec:
template:
spec:
restartPolicy: Never


@ -1,14 +0,0 @@
apiVersion: v1
kind: LimitRange
metadata:
name: test-mem-limit-range
labels:
containerSize: minimal
spec:
limits:
- default:
memory: 512Mi
cpu: 10m
defaultRequest:
memory: 256Mi
type: Container


@ -1,26 +0,0 @@
apiVersion : kyverno.io/v1alpha1
kind : ClusterPolicy
metadata :
name : policy-limitrange
spec :
rules:
- name: "rule"
match:
resources:
kinds :
- LimitRange
selector:
matchLabels:
containerSize: minimal
mutate:
patches:
- path : "/spec/limits/0/default/memory"
op : add
value: 384Mi
validate:
message: "The CPU value is incorrect"
pattern:
spec:
limits:
- default:
cpu: 10m


@ -1,7 +0,0 @@
kind: Namespace
apiVersion: v1
metadata:
name: namespace-not-modified
labels:
LabelForSelector : "namespace"
replaced : "no"


@ -1,23 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata :
name : policy-namespace
spec :
rules:
- name: ns1
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace"
mutate:
patches:
- path: "/metadata/labels/replaced"
op: add
value: "yes"
- path: "/metadata/name"
op: replace
value: "modified-namespace"


@ -1,36 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
labels:
originalLabel : isHere
namespace: default
spec:
podSelector:
matchLabels:
role: db
policyTypes:
- Ingress
- Egress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.129.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978


@ -1,31 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: policy-network-policy
spec:
rules:
- name: np1
match:
resources:
kinds :
- NetworkPolicy
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/ingress/0/from/0/ipBlock/cidr"
op : replace
value: "172.17.128.0/17"
validate:
message: "This network policy does not meet security criteria"
pattern:
spec:
ingress:
- from:
- ipBlock:
except:
- 172.17.129.0/24


@ -1,19 +0,0 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: game-myclaim
labels:
originalLabel : isHere
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 8Gi
storageClassName: slow
selector:
matchLabels:
release: "stable"
matchExpressions:
- {key: environment, operator: In, values: [dev]}


@ -1,26 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: policy-pvc
spec:
rules:
- name: pvc1
match:
resources:
kinds :
- PersistentVolumeClaim
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/spec/resources/requests/storage"
op : replace
value: "6Gi"
validate:
message: "I don't like this pvc"
pattern:
spec:
accessModes:
- ReadWrite*


@ -1,11 +0,0 @@
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: game-pdb
labels:
isMutated: "false"
spec:
minAvailable: 2
selector:
matchLabels:
app: zookeeper


@ -1,27 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: policy-pdb
spec:
rules:
- name: pdb1
match:
resources:
kinds :
- PodDisruptionBudget
name: "game-pdb"
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/spec/minAvailable"
op : replace
value: "5%"
validate:
message: "This PDB has the wrong selector"
pattern:
spec:
selector:
matchLabels:
app: "zoo*"


@ -1,18 +0,0 @@
apiVersion: v1
kind: PodTemplate
metadata:
name: nginx-test
labels:
app: nginx
originalLabel: isHere
template:
spec:
containers:
- name: redis
image: redis
ports:
- containerPort: 80
protocol: TCP
restartPolicy: Never
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst


@ -1,38 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: test-podtemplate
spec:
rules:
- name: podtemplate1
match:
resources:
kinds :
- PodTemplate
selector:
matchLabels:
originalLabel: isHere
mutate:
overlay:
template:
spec:
restartPolicy: Always
patches:
- path: "/metadata/labels/app"
op : replace
value : mutedApp
- path: "/template/spec/containers/0/name"
op : replace
value : mongodb
- path: "/template/spec/containers/0/image"
op : replace
value : mongodb
validate:
message: "Port 80 is only allowed"
pattern:
template:
spec:
containers:
- name: "*"
ports:
- containerPort: 80


@ -1,88 +0,0 @@
# Test samples
This directory contains policies and resources for testing. There are definitions for each supported resource type and an sample policy for the corresponding resource.
## How to use
Currently, the testing is possible only via ```kubectl``` when kyverno is installed to the cluster. So, [build and install the policy controller](/documentation/installation.md) first.
Each folder contains a pair of files, one of which is the definition of the resource, and the second is the definition of the policy for this resource. Let's look at an example of the endpoints mutation. Endpoints are listed in file `test/Endpoints/endpoints.yaml`:
````yaml
apiVersion: v1
kind: Endpoints
metadata:
name: test-endpoint
labels:
label : test
subsets:
- addresses:
- ip: 192.168.10.171
ports:
- name: secure-connection
port: 443
protocol: TCP
````
Create this resource:
````yaml
> kubectl create -f test/Endpoints/endpoints.yaml
endpoints/test-endpoint created
> kubectl get -f test/Endpoints/endpoints.yaml
NAME ENDPOINTS AGE
test-endpoint 192.168.10.171:443 6s
````
We just created an endpoints resource and made sure that it was created without changes. Let's remove it now and try to create it again, but with an active policy for endpoints resources.
````bash
> kubectl delete -f test/Endpoints/endpoints.yaml
endpoints "test-endpoint" deleted
````
We have this a policy for enpoints ([policy-endpoint.yaml](/test/Endpoints/policy-endpoint.yaml)):
````yaml
apiVersion : kyverno.io/v1alpha1
kind : Policy
metadata :
name : policy-endpoints
spec :
rules:
- name: ""
resource:
kinds:
- Endpoints
selector:
matchLabels:
label : test
mutate:
patches:
- path : "/subsets/0/ports/0/port"
op : replace
value: 9663
- path : "/subsets/0"
op: add
value:
addresses:
- ip: "192.168.10.171"
ports:
- name: load-balancer-connection
port: 80
protocol: UDP
````
This policy does 2 patches:
- **replaces** the first port of the first connection to 6443
- **adds** new endpoint with IP 192.168.10.171 and port 80 (UDP)
Let's apply this policy and create the endpoints again to see the changes:
````bash
> kubectl create -f test/Endpoints/policy-endpoints.yaml
policy.policy.nirmata.io/policy-endpoints created
> kubectl create -f test/Endpoints/endpoints.yaml
endpoints/test-endpoint created
> kubectl get -f test/Endpoints/endpoints.yaml
NAME ENDPOINTS AGE
test-endpoint 192.168.10.171:80,192.168.10.171:9663 30s
````
As you can see, the endpoints resource was created with changes: a new port 80 was added, and port 443 was changed to 6443.
**Enjoy :)**


@ -1,48 +0,0 @@
apiVersion : kyverno.io/v1alpha1
kind : ClusterPolicy
metadata :
name : policy-quota-low-test-validation
spec :
rules:
- name: "rule1"
match:
resources:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
validate:
message: "This RQ requests too many RAM"
pattern:
spec:
hard:
memory: "8Gi|12Gi"
- name: "rule2"
match:
resources:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
validate:
message: "This RQ requests too many CPUs"
pattern:
spec:
hard:
cpu: <3
- name: "rule3"
match:
resources:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
validate:
message: "This RQ requests too many PODs"
pattern:
spec:
hard:
pods: 1|2|3|4


@ -1,34 +0,0 @@
apiVersion : kyverno.io/v1alpha1
kind : ClusterPolicy
metadata :
name : policy-quota-low-test
spec :
rules:
- name: "rule"
match:
resources:
kinds :
- ResourceQuota
selector:
matchLabels:
quota: low
mutate:
patches:
- path : "/spec/scopeSelector/matchExpressions/1"
op : add
value :
operator : In
scopeName: PriorityClass
values: ["low-medium"]
- path : "/spec/hard"
op : replace
value: {
"cpu": "10",
"memory": "10Gi",
"pods": "10",
"limits.memory": "12Gi",
"requests.nvidia.com/gpu": "8"
}
- path : "/metadata/labels/quota-soft"
op : replace
value : replaced


@ -1,17 +0,0 @@
apiVersion: v1
kind: ResourceQuota
metadata:
name: pods-low
labels:
quota: "low"
spec:
hard:
cpu: 2
memory: 8Gi
pods: 4
limits.memory: 12Gi
scopeSelector:
matchExpressions:
- operator : In
scopeName: PriorityClass
values: ["low"]


@ -1,29 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: policy-secrets
spec:
rules:
- name: secret1
match:
resources:
kinds :
- Secret
name: "mysecret"
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/originalLabel"
op: remove
- path : "/data/newPass"
op : add
value : "bmV3UmFuZG9tUGFzcwo="
- path : "/data/password"
op : replace
value : "Y29tcHJvbWlzZWQK"
validate:
message: "This type of secrets does not meet security criteria"
pattern:
type: "Opaque"


@ -1,11 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: mysecret
labels:
originalLabel : isHere
type: Opaque
data:
username: TmlybWF0YQ==
password: aXNDb29s


@ -1,45 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: psp-demo
labels:
app.type: prod
spec:
replicas: 1
selector:
matchLabels:
app: psp
template:
metadata:
labels:
app: psp
spec:
containers:
- name: sec-ctx
image: nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: psp-demo-unprivileged
labels:
app.type: prod
spec:
replicas: 1
selector:
matchLabels:
app: psp
template:
metadata:
labels:
app: psp
spec:
volumes:
- name: sec-ctx-vol
emptyDir: {}
containers:
- name: sec-ctx-unprivileged
image: nginxinc/nginx-unprivileged
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo


@ -1,21 +0,0 @@
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: policy-security-context
spec:
rules:
- name: set-userID
match:
resources:
kinds:
- Deployment
selector :
matchLabels:
app.type: prod
mutate:
overlay:
spec:
template:
spec:
securityContext:
runAsNonRoot: true


@ -1,33 +0,0 @@
apiVersion : kyverno.io/v1alpha1
kind : ClusterPolicy
metadata :
name : policy-service
spec :
rules:
- name: ps1
match:
resources:
kinds:
- Service
name: "game-service*"
mutate:
patches:
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/metadata/labels/secretLabel"
op : replace
value : "weKnow"
- path : "/metadata/labels/originalLabel"
op : remove
- path: "/spec/selector/app"
op: replace
value: "mutedApp"
validate:
message: "This service has wrong port"
pattern:
spec:
ports:
- name: "http"
protocol: TCP
port: 80|8080


@ -1,15 +0,0 @@
kind: Service
apiVersion: v1
metadata:
name: game-service
labels:
originalLabel : isHere
secretLabel : thisIsMySecret
spec:
selector:
app: MyApp
ports:
- name: http
protocol: TCP
port: 80
targetPort: 9376


@ -1,36 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: game-web
labels:
originalLabel : isHere
spec:
selector:
matchLabels:
app: nginxo # has to match .spec.template.metadata.labels
serviceName: "nginxo"
replicas: 3 # by default is 1
template:
metadata:
labels:
app: nginxo # has to match .spec.selector.matchLabels
spec:
terminationGracePeriodSeconds: 10
containers:
- name: nginxo
image: k8s.gcr.io/nginx-but-no-slim:0.8
ports:
- containerPort: 8780
name: webp
volumeMounts:
- name: www
mountPath: /usr/share/nginxo/html
volumeClaimTemplates:
- metadata:
name: www
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "my-storage-class"
resources:
requests:
storage: 1Gi


@ -1,39 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: policy-statefulset
spec:
rules:
- name: statefulset1
match:
resources:
kinds :
- StatefulSet
selector:
matchLabels:
originalLabel: isHere
mutate:
patches:
- path: "/spec/template/metadata/labels/isMutated"
op: add
value: "true"
- path: "/metadata/labels/isMutated"
op: add
value: "true"
- path : "/metadata/labels/originalLabel"
op : remove
- path : "/spec/serviceName"
op : replace
value : "not-a-nginx"
validate:
message: "This SS is broken"
pattern:
spec:
replicas: ">2"
volumeClaimTemplates:
- metadata:
name: www
spec:
resources:
requests:
storage: "<50Gi"


@ -1,41 +0,0 @@
#!/bin/bash
### To use this script to generate resource:
### ./resource.sh --file=resource.yaml --replica=10
for i in "$@"
do
case $i in
--file=*)
file="${i#*=}"
shift
;;
--replica=*)
replica="${i#*=}"
shift
;;
esac
done
if [ -z "${file}" ]; then
echo -e "Please specify '--file' where resource is located."
exit 1
fi
if [ -z "${replica}" ]; then
echo -e "Please specify '--replica' of the number of replicas you want to create."
exit 1
fi
echo "loading resource from ${file}"
RESOURCE=$(cat ${file} | sed -n -e 's/^ name: //p')
echo "generating ${replica} replicas from resource $RESOURCE"
for i in $(seq 1 ${replica})
do
# echo `cat ${file} | sed "s/name: ${RESOURCE}/name: ${RESOURCE}-${i}/"`
dstfile=`sed 's/.\{5\}$/-$i&/' <<< "${file}"`
cat ${file} | sed "s/name: ${RESOURCE}/name: ${RESOURCE}-${i}/" > ${dstfile}
done


@ -1,73 +0,0 @@
package main
import (
"bytes"
"encoding/json"
"flag"
"fmt"
ioutil "io/ioutil"
"os"
"path/filepath"
"strconv"
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
yaml "k8s.io/apimachinery/pkg/util/yaml"
)
var policyPath, replica string
func main() {
generatePolicies()
}
func generatePolicies() error {
var policy *kyverno.ClusterPolicy
file, err := ioutil.ReadFile(policyPath)
if err != nil {
return fmt.Errorf("failed to load file: %v", err)
}
fmt.Printf("Generating policies from %s\n", policyPath)
rawPolicy, err := yaml.ToJSON(file)
if err != nil {
return err
}
if err := json.Unmarshal(rawPolicy, &policy); err != nil {
return fmt.Errorf("failed to decode policy %s, err: %v", policy.Name, err)
}
oldName := policy.Name
repl, _ := strconv.Atoi(replica)
for i := 0; i < repl; i++ {
newName := oldName + "-" + strconv.Itoa(i)
data := bytes.Replace(file, []byte(oldName), []byte(newName), -1)
writeToFile(data, "./.policy/"+newName+".yaml")
}
return nil
}
func writeToFile(data []byte, filename string) {
dir := filepath.Dir(filename)
if _, err := os.Stat(dir); os.IsNotExist(err) {
if err = os.MkdirAll(dir, 0755); err != nil {
fmt.Println(err)
}
}
if err := ioutil.WriteFile(filename, data, 0755); err != nil {
fmt.Println(err)
}
}
func init() {
flag.StringVar(&policyPath, "policyPath", "", "Path to a policy")
flag.StringVar(&replica, "replica", "10", "the number of replicas to generate")
flag.Parse()
}


@ -1,20 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: game-config
namespace: default
labels:
originalLabel : isHere
data:
ui.properties : |
color.good=green
color.bad=red
game.properties : |
enemies=predators
lives=3
configmap.data: |
ns=default
labels=originalLabel
labelscount=1


@ -1,20 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config-template
namespace: default
labels:
originalLabel : isHere
data:
ui.properties : |
color.good=green
color.bad=red
game.properties : |
enemies=predators
lives=3
configmap.data: |
ns=default
labels=originalLabel
labelscount=1


@ -1,7 +0,0 @@
kind: Namespace
apiVersion: v1
metadata:
name: "ns2"
labels:
LabelForSelector : "namespace2"


@ -1,38 +0,0 @@
apiVersion : kyverno.io/v1alpha1
kind : ClusterPolicy
metadata :
name : basic-policy
spec :
rules:
- name: "Basic clone config generator for all namespaces"
match:
resources:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate:
kind: ConfigMap
name: default-config
clone:
namespace: default
name: config-template
- name: "Basic config generator for all namespaces"
match:
resources:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate:
kind: Secret
name: mongo-creds
data:
data:
DB_USER: YWJyYWthZGFicmE=
DB_PASSWORD: YXBwc3dvcmQ=
metadata:
labels:
purpose: mongo


@ -1,36 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: "zk-kafka-address"
spec:
rules:
- name: "copy-comfigmap"
match:
resources:
kinds :
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate :
kind: ConfigMap
name : copied-cm
clone:
namespace : default
name : game-config
- name: "zk-kafka-address"
match:
resources:
kinds:
- Namespace
selector:
matchExpressions:
- {key: LabelForSelector, operator: In, values: [namespace2]}
generate:
kind: ConfigMap
name: zk-kafka-address
data:
kind: ConfigMap
data:
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"


@ -1,25 +0,0 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: "default"
spec:
rules:
- name: "deny-all-traffic"
match:
resources:
kinds:
- Namespace
name: "*"
generate:
kind: NetworkPolicy
name: deny-all-traffic
data:
spec:
podSelector:
matchLabels: {}
matchExpressions: []
policyTypes: []
metadata:
annotations: {}
labels:
policyname: "default"