From 590260be993861d2da6ea2e28ad67b2559031bcd Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Tue, 21 May 2019 14:44:04 -0700 Subject: [PATCH 01/23] update installation doc --- documentation/installation.md | 29 +++++++++------- documentation/writing-policies-validate.md | 6 ++++ documentation/writing-policies.md | 40 ++++++++++++++++++++++ 3 files changed, 63 insertions(+), 12 deletions(-) diff --git a/documentation/installation.md b/documentation/installation.md index 97d88a591c..67e02a64c2 100644 --- a/documentation/installation.md +++ b/documentation/installation.md 
@@ -1,23 +1,28 @@ +[documentation](/README.md#documentation) / Installation + # Installation -The controller can be installed and operated in two ways: **Outside the cluster** and **Inside the cluster**. The controller **outside** the cluster is much more convenient to debug and verify changes in its code, so we can call it 'debug mode'. The controller **inside** the cluster is designed for use in the real world, and the **QA testing** should be performed when controller operate in this mode. +To install Kyverno in your cluster run: - -## Inside the cluster (normal use) - -Just execute the command for creating all necesarry resources: `kubectl create -f definitions/install.yaml` -In this mode controller will get TLS key/certificate pair and loads in-cluster config automatically on start. -To check if the controller is working, find it in the list of kube-system pods: +To check if the Kyverno controller -`kubectl get pods -n kube-system` +`kubectl get pods -n kyverno` -The pod with controller contains **'kube-policy'** in its name. The STATUS column will show the health state of the controller. If controller doesn't start, see its logs: +If the Kyverno controller doesn't start, you can check its status and logs: -`kubectl describe pod -n kube-system` +`kubectl describe pod -n kyverno` -or +`kubectl logs -n kyverno` -`kubectl logs -n kube-system` +# Installing in a Development Environment +To run Kyverno in a development environment see: https://github.com/nirmata/kyverno/wiki/Building + +# Try Kyverno without a Kubernetes cluster + +To write and test policies without installing Kyverno in a Kubernetes cluster you can try the [Kyverno CLI](documentation/testing-policies-cli.md). + + +Read Next >> [Writing Policies](/documentation/writing-policies.md) \ No newline at end of file diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index a8c505253f..1dc217c7c8 100644 --- a/documentation/writing-policies-validate.md 
+++ b/documentation/writing-policies-validate.md @@ -1 +1,7 @@ +[documentation](/README.md#documentation) / Writing Policies [Writing Policies](/documentation/writing-policies.md) / Validate + + # Policies that Validate Configurations + + +Read Next >> [Mutate](/documentation/writing-policies-mutate.md) \ No newline at end of file diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md index 79729e58f0..5c0b7cd46b 100644 --- a/documentation/writing-policies.md +++ b/documentation/writing-policies.md @@ -1 +1,41 @@ +[documentation](/README.md#documentation) / Writing Policies + # Writing Policies + +A Kyverno policy contains a set of rules. Each rule matches resources by kind, name, or selectors. + +````yaml +apiVersion : kyverno.io/v1alpha1 +kind : Policy +metadata : + name : policy +spec : + + # Each policy has a list of rules applied in declaration order + rules: + + # Rules must have a name + - name: "check-pod-controller-labels" + + # Each rule matches specific resource described by "resource" field. + resource: + kind: Deployment, StatefulSet, DaemonSet + # Name is optional. By default validation policy is applicable to any resource of supported kinds. + # Name supports wildcards * and ? + name: "*" + # Selector is optional and can be used to match specific resources + # Selector values support wildcards * and ? + selector: + # A selector can use match + matchLabels: + app: mongodb + matchExpressions: + - {key: tier, operator: In, values: [database]} + + + # Each rule can contain a single validate, mutate, or generate directive + ... +```` + + +Read Next >> [Validate](/documentation/writing-policies-validate.md) \ No newline at end of file From 393511f8322f48108547d036c4e811d4645f4dbf Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Tue, 21 May 2019 14:49:10 -0700 Subject: [PATCH 02/23] fix installation.md --- documentation/installation.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/documentation/installation.md b/documentation/installation.md index 67e02a64c2..4ea83b2cb6 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -4,17 +4,17 @@ To install Kyverno in your cluster run: -`kubectl create -f definitions/install.yaml` + `kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml` -To check if the Kyverno controller +To check if the Kyverno controller is running use: -`kubectl get pods -n kyverno` + `kubectl get pods -n kyverno` -If the Kyverno controller doesn't start, you can check its status and logs: +If the Kyverno controller doesn't start, you can check its status and logs for errors: -`kubectl describe pod -n kyverno` + `kubectl describe pod -n kyverno` -`kubectl logs -n kyverno` + `kubectl logs -n kyverno` # Installing in a Development Environment From d1b822e918161f93f0807d599d68b7071fbb55de Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Tue, 21 May 2019 15:50:36 -0700 Subject: [PATCH 03/23] update links and consolidate test docs --- README.md | 4 ++-- documentation/installation.md | 4 ++-- documentation/testing-policies-cli.md | 1 - documentation/testing-policies-kubectl.md | 2 -- documentation/testing-policies.md | 12 ++++++++++++ documentation/writing-policies-generate.md | 9 +++++++++ documentation/writing-policies-mutate.md | 10 +++++++++- documentation/writing-policies-validate.md | 7 +++++-- documentation/writing-policies.md | 4 ++-- 9 files changed, 41 insertions(+), 12 deletions(-) delete mode 100644 documentation/testing-policies-cli.md delete mode 100644 documentation/testing-policies-kubectl.md diff --git a/README.md b/README.md index 581acacdcf..dcf6c3d681 100644 --- a/README.md +++ b/README.md 
@@ -117,8 +117,8 @@ Additional examples are available in [examples](/examples). * [Mutate](documentation/writing-policies-mutate.md) * [Generate](documentation/writing-policies-generate.md) * [Testing Policies](documentation/testing-policies.md) - * [Using kubectl](documentation/testing-policies-kubectl.md) - * [Using the Kyverno CLI](documentation/testing-policies-kyverno-cli.md) + * [Using kubectl](documentation/testing-policies.md#Test-using-kubectl) + * [Using the Kyverno CLI](documentation/testing-policies.md#Test-using-the-Kyverno-CLI) ## Roadmap diff --git a/documentation/installation.md b/documentation/installation.md index 4ea83b2cb6..9705f93c47 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -1,4 +1,4 @@ -[documentation](/README.md#documentation) / Installation +*[documentation](/README.md#documentation) / Installation* # Installation @@ -25,4 +25,4 @@ To run Kyverno in a development environment see: https://github.com/nirmata/kyve To write and test policies without installing Kyverno in a Kubernetes cluster you can try the [Kyverno CLI](documentation/testing-policies-cli.md). -Read Next >> [Writing Policies](/documentation/writing-policies.md) \ No newline at end of file +*Read Next >> [Writing Policies](/documentation/writing-policies.md)* \ No newline at end of file diff --git a/documentation/testing-policies-cli.md b/documentation/testing-policies-cli.md deleted file mode 100644 index 2bcec053c8..0000000000 --- a/documentation/testing-policies-cli.md +++ /dev/null @@ -1 +0,0 @@ -# Kyverno CLI diff --git a/documentation/testing-policies-kubectl.md b/documentation/testing-policies-kubectl.md deleted file mode 100644 index d8ce94b633..0000000000 --- a/documentation/testing-policies-kubectl.md +++ /dev/null @@ -1,2 +0,0 @@ -# Testing using kubectl - diff --git a/documentation/testing-policies.md b/documentation/testing-policies.md index 6af9b95815..eeae9071ee 100644 --- a/documentation/testing-policies.md 
+++ b/documentation/testing-policies.md @@ -1 +1,13 @@ +*[documentation](/README.md#documentation) / Testing Policies* + + # Testing Policies + + +## Test using kubectl + + +## Test using the Kyverno CLI + + + diff --git a/documentation/writing-policies-generate.md b/documentation/writing-policies-generate.md index 9b6344e0ee..2baa9c2374 100644 --- a/documentation/writing-policies-generate.md +++ b/documentation/writing-policies-generate.md @@ -1 +1,10 @@ +*[documentation](/README.md#documentation) / Writing Policies [Writing Policies](/documentation/writing-policies.md) / Generate* + # Policies that Generate Configurations + + + + + +*Read Next >> [Mutate](/documentation/writing-policies-generate.md)* + diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md index f073d1b693..5fbed5002e 100644 --- a/documentation/writing-policies-mutate.md +++ b/documentation/writing-policies-mutate.md @@ -1 +1,9 @@ -# Policies that Mutate Configurations +*[documentation](/README.md#documentation) / Writing Policies [Writing Policies](/documentation/writing-policies.md) / Mutate* + +# Mutate Configurations + + + + + +*Read Next >> [Generate](/documentation/writing-policies-generate.md)* diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index 1dc217c7c8..e38c5e7a1a 100644 --- a/documentation/writing-policies-validate.md +++ b/documentation/writing-policies-validate.md @@ -1,7 +1,10 @@ -[documentation](/README.md#documentation) / Writing Policies [Writing Policies](/documentation/writing-policies.md) / Validate +*[documentation](/README.md#documentation) / Writing Policies [Writing Policies](/documentation/writing-policies.md) / Validate* # Policies that Validate Configurations -Read Next >> [Mutate](/documentation/writing-policies-mutate.md) \ No newline at end of file + + + +*Read Next >> [Mutate](/documentation/writing-policies-mutate.md)* \ No newline at end of file 
diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md index 5c0b7cd46b..eb22385006 100644 --- a/documentation/writing-policies.md +++ b/documentation/writing-policies.md @@ -1,4 +1,4 @@ -[documentation](/README.md#documentation) / Writing Policies +*[documentation](/README.md#documentation) / Writing Policies* # Writing Policies @@ -38,4 +38,4 @@ spec : ```` -Read Next >> [Validate](/documentation/writing-policies-validate.md) \ No newline at end of file +*Read Next >> [Validate](/documentation/writing-policies-validate.md)* \ No newline at end of file From ad4c4d2e835277d5e8310e6a09d1326ead221aba Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Tue, 21 May 2019 15:56:01 -0700 Subject: [PATCH 04/23] fix links --- documentation/writing-policies-generate.md | 6 +++--- documentation/writing-policies-mutate.md | 2 +- documentation/writing-policies-validate.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/documentation/writing-policies-generate.md b/documentation/writing-policies-generate.md index 2baa9c2374..47d91804b8 100644 --- a/documentation/writing-policies-generate.md +++ b/documentation/writing-policies-generate.md @@ -1,10 +1,10 @@ -*[documentation](/README.md#documentation) / Writing Policies [Writing Policies](/documentation/writing-policies.md) / Generate* +*[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Generate* -# Policies that Generate Configurations +# Generate Configurations -*Read Next >> [Mutate](/documentation/writing-policies-generate.md)* +*Read Next >> [Testing Policies](/documentation/testing-policies.md)* diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md index 5fbed5002e..f67fb288c7 100644 --- a/documentation/writing-policies-mutate.md +++ b/documentation/writing-policies-mutate.md 
@@ -1,4 +1,4 @@ -*[documentation](/README.md#documentation) / Writing Policies [Writing Policies](/documentation/writing-policies.md) / Mutate* +*[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Mutate* # Mutate Configurations diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index e38c5e7a1a..d1ff1d2247 100644 --- a/documentation/writing-policies-validate.md +++ b/documentation/writing-policies-validate.md @@ -1,7 +1,7 @@ -*[documentation](/README.md#documentation) / Writing Policies [Writing Policies](/documentation/writing-policies.md) / Validate* +*[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Validate* -# Policies that Validate Configurations +# Validate Configurations From 88162a76995a6389f9c509084b40ae0591aa3617 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Tue, 21 May 2019 15:58:20 -0700 Subject: [PATCH 05/23] center title --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index dcf6c3d681..9952842cf7 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Kyverno - Kubernetes Native Policy Management +#
Kyverno - Kubernetes Native Policy Management
![logo](documentation/images/Kyverno_Horizontal.png) From 6340b18e1cd04beaea37f2c832fbed650073685a Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Tue, 21 May 2019 16:03:20 -0700 Subject: [PATCH 06/23] remove center - has no effect --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9952842cf7..dcf6c3d681 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -#
Kyverno - Kubernetes Native Policy Management
+# Kyverno - Kubernetes Native Policy Management ![logo](documentation/images/Kyverno_Horizontal.png) From 82536b28da24b0aaf23d0da732795df79d71e3d0 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Tue, 21 May 2019 16:09:05 -0700 Subject: [PATCH 07/23] update commands and text --- documentation/installation.md | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/documentation/installation.md b/documentation/installation.md index 9705f93c47..0b66b62555 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -2,19 +2,27 @@ # Installation -To install Kyverno in your cluster run: +To install Kyverno in your cluster run the following command on a host with kubectl access: - `kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml` +````sh +kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml +```` -To check if the Kyverno controller is running use: +To check the Kyverno controller status, run the command: - `kubectl get pods -n kyverno` +````sh +kubectl get pods -n kyverno +```` -If the Kyverno controller doesn't start, you can check its status and logs for errors: +If the Kyverno controller is not running, you can check its status and logs for errors: - `kubectl describe pod -n kyverno` +````sh +kubectl describe pod -n kyverno +```` - `kubectl logs -n kyverno` +````sh +kubectl logs -n kyverno +```` # Installing in a Development Environment 
@@ -22,7 +30,7 @@ To run Kyverno in a development environment see: https://github.com/nirmata/kyve # Try Kyverno without a Kubernetes cluster -To write and test policies without installing Kyverno in a Kubernetes cluster you can try the [Kyverno CLI](documentation/testing-policies-cli.md). +The [Kyverno CLI](documentation/testing-policies-cli.md) allows you to write and test policies without installing Kyverno in a Kubernetes cluster. -*Read Next >> [Writing Policies](/documentation/writing-policies.md)* \ No newline at end of file +*Read Next >> [Writing Policies](/documentation/writing-policies.md)* From 25b60590ca94a56cde15e3b389262af588c10077 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Wed, 22 May 2019 00:09:45 -0700 Subject: [PATCH 08/23] - add validation example - update docs for validation --- documentation/installation.md | 2 + documentation/testing-policies.md | 3 ++ documentation/writing-policies-generate.md | 2 +- documentation/writing-policies-mutate.md | 2 +- documentation/writing-policies-validate.md | 61 +++++++++++++++++++++- documentation/writing-policies.md | 3 ++ examples/Validate/check_not_root.yaml | 17 ++++++ 7 files changed, 86 insertions(+), 4 deletions(-) create mode 100644 examples/Validate/check_not_root.yaml diff --git a/documentation/installation.md b/documentation/installation.md index 9705f93c47..0aa98a49cd 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -25,4 +25,6 @@ To run Kyverno in a development environment see: https://github.com/nirmata/kyve To write and test policies without installing Kyverno in a Kubernetes cluster you can try the [Kyverno CLI](documentation/testing-policies-cli.md). + +--- *Read Next >> [Writing Policies](/documentation/writing-policies.md)* \ No newline at end of file diff --git a/documentation/testing-policies.md b/documentation/testing-policies.md index eeae9071ee..25ff0a309d 100644 --- a/documentation/testing-policies.md +++ b/documentation/testing-policies.md 
@@ -11,3 +11,6 @@ + +--- + diff --git a/documentation/writing-policies-generate.md b/documentation/writing-policies-generate.md index 47d91804b8..81151b52d7 100644 --- a/documentation/writing-policies-generate.md +++ b/documentation/writing-policies-generate.md @@ -5,6 +5,6 @@ - +--- *Read Next >> [Testing Policies](/documentation/testing-policies.md)* diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md index f67fb288c7..d972c5a735 100644 --- a/documentation/writing-policies-mutate.md +++ b/documentation/writing-policies-mutate.md @@ -5,5 +5,5 @@ - +--- *Read Next >> [Generate](/documentation/writing-policies-generate.md)* diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index d1ff1d2247..afdd33b438 100644 --- a/documentation/writing-policies-validate.md +++ b/documentation/writing-policies-validate.md 
@@ -3,8 +3,65 @@ # Validate Configurations +A validation rule is expressed as an overlay pattern that expresses the desired configuration. Resource configurations must match fields and expressions defined in the pattern to pass the validation rule. The following rules are followed when processing the overlay pattern: + +1. Validation will fail if a field is defined in the pattern and if the field does not exist in the configuration. +2. Undefined fields are treated as wildcards. +3. A validation pattern field with the wildcard value '*' will match zero or more alphanumeric characters. Empty values or missing fields are matched. +4. A validation pattern field with the wildcard value '?' will match any single alphanumeric character. Empty or missing fields are not matched. +5. A validation pattern field with the wildcard value '*?' will match any alphanumeric characters and requires the field to be present with non-empty values. +6. A validation pattern field with the value `null` requires that the field not be defined or have a null value. +6. The validation of siblings is performed only when one of the field values matches the value defined in the pattern. You can use the parenthesis operator to explictly specify a field value that must be matched. This allows writing rules like 'if fieldA equals X, then fieldB must equal Y'. +7. Validation of child values is only performed if the parent matches the pattern. + +## Patterns + +### Wildcards +1. `*` - matches zero or more alphanumeric characters +2. `?` - maatches a single alphanumeric character + +### Operators + +| Operator | Meaning | +|------------|---------------------------| +| `>` | greater than | +| `<` | less than | +| `>=` | greater than or equals to | +| `<=` | less than or equals to | +| `!` | not equals | +| `|` | logical or | +| `&` | logical and | + +There is no operator for `equals` as providing a field value in the pattern requires equality to the value. 
+ +## Example + +````yaml + +apiVersion : kyverno.io/v1alpha1 +kind : Policy +metadata : + name : validation-example +spec : + rules: + - resource: + # Kind specifies one or more resource types to match + kind: Deployment, StatefuleSet, DaemonSet + # Name is optional and can use wildcards + name: * + # Selector is optional + selector: + validate: + # Message is optional + message: "The label app is required" + pattern: + spec: + selector: + matchLabels: + app: ?* + +```` - - +--- *Read Next >> [Mutate](/documentation/writing-policies-mutate.md)* \ No newline at end of file diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md index eb22385006..7c8a9bc337 100644 --- a/documentation/writing-policies.md +++ b/documentation/writing-policies.md @@ -37,5 +37,8 @@ spec : ... ```` +Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **validate**, **mutate**, or **generate** child node. + +--- *Read Next >> [Validate](/documentation/writing-policies-validate.md)* \ No newline at end of file diff --git a/examples/Validate/check_not_root.yaml b/examples/Validate/check_not_root.yaml new file mode 100644 index 0000000000..12685e4e22 --- /dev/null +++ b/examples/Validate/check_not_root.yaml @@ -0,0 +1,17 @@ +apiVersion : kyverno.io/v1alpha1 +kind : Policy +metadata : + name : check-non-root +spec : + rules: + - name: check-non-root + resource: + kind: Deployment, StatefuleSet, DaemonSet + validate: + message: "Root user is not allowed" + pattern: + spec: + template: + spec: + securityContext: + runAsNotRoot: true From 1e057d43621395f4007fd868e2a9222e6ad9b43f Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Wed, 22 May 2019 00:15:06 -0700 Subject: [PATCH 09/23] add link to examples folder --- documentation/writing-policies-validate.md | 2 ++ 1 file changed, 2 insertions(+) 
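Review bot: The pattern key `runAsNotRoot` on the last line of the new examples/Validate/check_not_root.yaml is not a field of the Pod spec; the PodSecurityContext field is `runAsNonRoot`, so the line should read `runAsNonRoot: true`. By rule 1 that this same commit documents in writing-policies-validate.md (a field present in the pattern but absent from the resource fails validation), the rule as written appears to reject every matching workload regardless of its user setting instead of enforcing what `message: "Root user is not allowed"` states. `kind: Deployment, StatefuleSet, DaemonSet` also misspells `StatefulSet` (the example in writing-policies-validate.md in this commit carries the same typo), and a later patch in this series (PATCH 12) rewrites the README examples to use a `kinds:` list rather than a comma-separated `kind:`, so it is worth confirming which form the CRD actually accepts before this example is published. Even once the field name is fixed, a container-level `securityContext.runAsNonRoot` takes precedence over the pod-level value in Kubernetes, so a pattern scoped only to `spec.template.spec.securityContext` can be satisfied by a workload whose containers set it to false; a comment above `pattern:` such as `# checks only the pod-level securityContext; container-level runAsNonRoot overrides it` would make that limitation visible to users copying the example.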
diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index afdd33b438..6b56910fc8 100644 --- a/documentation/writing-policies-validate.md +++ b/documentation/writing-policies-validate.md @@ -62,6 +62,8 @@ spec : ```` +Additional examples are available in [examples](/examples/) + --- *Read Next >> [Mutate](/documentation/writing-policies-mutate.md)* \ No newline at end of file From a828f816c1cf886abc4235b67fd47213cf3117d0 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Wed, 22 May 2019 00:26:09 -0700 Subject: [PATCH 10/23] fix format --- documentation/writing-policies-validate.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index 6b56910fc8..4044cd022d 100644 --- a/documentation/writing-policies-validate.md +++ b/documentation/writing-policies-validate.md @@ -29,8 +29,8 @@ A validation rule is expressed as an overlay pattern that expresses the desired | `>=` | greater than or equals to | | `<=` | less than or equals to | | `!` | not equals | -| `|` | logical or | -| `&` | logical and | +| \| | logical or | +| `&` | logical and | There is no operator for `equals` as providing a field value in the pattern requires equality to the value. @@ -66,4 +66,4 @@ Additional examples are available in [examples](/examples/) --- -*Read Next >> [Mutate](/documentation/writing-policies-mutate.md)* \ No newline at end of file +*Read Next >> [Mutate](/documentation/writing-policies-mutate.md)* From 16c14b30d16ba3cf730547741559b06513cbf3a7 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Wed, 22 May 2019 00:27:20 -0700 Subject: [PATCH 11/23] fix sp --- documentation/writing-policies-validate.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index 4044cd022d..a315472f3e 100644 
--- a/documentation/writing-policies-validate.md +++ b/documentation/writing-policies-validate.md @@ -18,7 +18,7 @@ A validation rule is expressed as an overlay pattern that expresses the desired ### Wildcards 1. `*` - matches zero or more alphanumeric characters -2. `?` - maatches a single alphanumeric character +2. `?` - matches a single alphanumeric character ### Operators @@ -29,7 +29,7 @@ A validation rule is expressed as an overlay pattern that expresses the desired | `>=` | greater than or equals to | | `<=` | less than or equals to | | `!` | not equals | -| \| | logical or | +| \| | logical or | | `&` | logical and | There is no operator for `equals` as providing a field value in the pattern requires equality to the value. From 6251e971cc87643aff2ec64021bb4e51c469134f Mon Sep 17 00:00:00 2001 From: Denis Belyshev Date: Wed, 22 May 2019 18:14:10 +0300 Subject: [PATCH 12/23] 34: Updated documentation --- README.md | 19 +++++---- documentation/testing-policies.md | 19 +++++++-- documentation/writing-policies-generate.md | 38 ++++++++++++++++++ documentation/writing-policies-mutate.md | 2 + documentation/writing-policies.md | 3 +- test/README.md | 45 ++++++++++++---------- 6 files changed, 91 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index dcf6c3d681..40fe736527 100644 --- a/README.md +++ b/README.md 
@@ -10,7 +10,7 @@ Kyverno allows cluster adminstrators to manage environment specific configuratio Kyverno policies are Kubernetes resources that can be written in YAML or JSON. Kyverno policies can validate, mutate, and generate any Kubernetes resources. -Kyverno runs as a [dynamic admission controller](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the kube-apiserver and applies matching polcies to return results that enforce admission policies or reject requests. +Kyverno runs as a [dynamic admission controller](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the kube-apiserver and applies matching policies to return results that enforce admission policies or reject requests. Kyverno policies can match resources using the resource kind, name, and label selectors. Wildcards are supported in names. @@ -25,7 +25,7 @@ Policy enforcement is captured using Kubernetes events. Kyverno also reports pol This policy requires that all pods have CPU and memory resource requests and limits: ````yaml -apiVersion: policy.nirmata.io/v1alpha1 +apiVersion: kyverno.io/v1alpha1 kind: Policy metadata: name: check-cpu-memory @@ -33,7 +33,8 @@ spec: rules: - name: check-pod-resources resource: - kind: Pod + kinds: + - Pod validate: message: "CPU and memory resource requests and limits are required" pattern: @@ -56,7 +57,7 @@ spec: This policy sets the imagePullPolicy to Always if the image tag is latest: ````yaml -apiVersion: policy.nirmata.io/v1alpha1 +apiVersion: kyverno.io/v1alpha1 kind: Policy metadata: name: set-image-pull-policy 
@@ -64,13 +65,14 @@ spec: rules: - name: set-image-pull-policy resource: - kind: Pod + kinds: + - Pod mutate: overlay: spec: containers: # match images which end with :latest - - image: "(*:latest)" + - (image): "*:latest" # set the imagePullPolicy to "Always" imagePullPolicy: "Always" ```` @@ -80,7 +82,7 @@ spec: This policy sets the Zookeeper and Kafka connection strings for all namespaces with a label key 'kafka'. ````yaml -apiVersion: policy.nirmata.io/v1alpha1 +apiVersion: kyverno.io/v1alpha1 kind: Policy metadata: name: "zk-kafka-address" @@ -88,7 +90,8 @@ spec: rules: - name: "zk-kafka-address" resource: - kind : Namespace + kinds: + - Namespace selector: matchExpressions: - {key: kafka, operator: Exists} diff --git a/documentation/testing-policies.md b/documentation/testing-policies.md index 25ff0a309d..316106437b 100644 --- a/documentation/testing-policies.md +++ b/documentation/testing-policies.md @@ -2,15 +2,26 @@ # Testing Policies - +The resources definitions for testing are located in [/test](/test) directory. Each test contains a pair of files: one is the resource definition, and the second is the kyverno policy for this definition. ## Test using kubectl +To do this you should [install kyverno to the cluster](/documentation/installation.md). +For example, to test the simplest kyverno policy for ConfigMap, create the policy and then the resource itself via kubectl: +````bash +cd test/ConfigMap +kubectl create -f policy-CM.yaml +kubectl create -f CM.yaml +```` +Then compare the original resource definition in CM.yaml with the actual one: +````bash +kubectl get -f CM.yaml -o yaml +```` ## Test using the Kyverno CLI +*This feature will be available soon* +## Autotest - ---- - +*Will be available after Kyverno CLI is implemented* \ No newline at end of file diff --git a/documentation/writing-policies-generate.md b/documentation/writing-policies-generate.md index 81151b52d7..02e625ea7d 100644 --- a/documentation/writing-policies-generate.md 
+++ b/documentation/writing-policies-generate.md @@ -2,8 +2,46 @@ # Generate Configurations +```generatate``` feature can be applied to created namespaces to create new resources in them. This feature is useful when every namespace in a cluster must contain some basic required resources. The feature is available for policy rules in which the resource kind is Namespace. +## Example +````yaml +apiVersion : kyverno.io/v1alpha1 +kind : Policy +metadata : + name : basic-policy +spec : + rules: + - name: "Basic confog generator for all namespaces" + resource: + kind: Namespace + generate: + # For now the next kinds are supported: + # ConfigMap + # Secret + - kind: ConfigMap + name: default-config + copyFrom: + namespace: default + name: config-template + data: + DB_ENDPOINT: mongodb://mydomain.ua/db_stage:27017 + labels: + purpose: mongo + - kind: Secret + name: mongo-creds + data: + DB_USER: YWJyYWthZGFicmE= + DB_PASSWORD: YXBwc3dvcmQ= + labels: + purpose: mongo +```` + +In this example, when this policy is applied, any new namespace will receive 2 new resources after its creation: +* ConfigMap copied from default/config-template with added value DB_ENDPOINT. +* Secret with values DB_USER and DB_PASSWORD. +Both resources will contain a label ```purpose: mongo``` --- *Read Next >> [Testing Policies](/documentation/testing-policies.md)* diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md index d972c5a735..c47680cf0c 100644 --- a/documentation/writing-policies-mutate.md +++ b/documentation/writing-policies-mutate.md 
@@ -2,7 +2,9 @@ # Mutate Configurations +The ```mutate``` rule contains actions that should be applied to the resource before its creation. Mutation can be made using patches or overlay. Using ```patches``` in the JSONPatch format, you can make point changes to the created resource, and ```overlays``` are designed to bring the resource to the desired view according to a specific pattern. +Resource mutation occurs before validation, so the validation rules should not contradict the changes set in the mutation section. --- diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md index 7c8a9bc337..6bbefb2846 100644 --- a/documentation/writing-policies.md +++ b/documentation/writing-policies.md @@ -37,8 +37,7 @@ spec : ... ```` -Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **validate**, **mutate**, or **generate** child node. - +Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. These actions are applied to the resource in described order: mutation, validation and then generation. --- *Read Next >> [Validate](/documentation/writing-policies-validate.md)* \ No newline at end of file diff --git a/test/README.md b/test/README.md index 83136b4cb8..0544c86a0f 100644 --- a/test/README.md +++ b/test/README.md 
@@ -1,10 +1,12 @@ -# Examples +# Test examples Examples of policies and resources with which you can play to see the kube-policy in action. There are definitions for each supported resource type and an example policy for the corresponding resource. ## How to play -First of all, **build and install the policy controller**: see README file in the project's root. +For now, the testing is possible only via ```kubectl``` when kyverno is installed to the cluster. So, [build and install the policy controller](/documentation/installation.md) first. + Each folder contains a pair of files, one of which is the definition of the resource, and the second is the definition of the policy for this resource. Let's look at an example of the endpoints mutation. Endpoints are listed in file `examples/Endpoints/endpoints.yaml`: -```apiVersion: v1 +````yaml +apiVersion: v1 kind: Endpoints metadata: name: test-endpoint 
@@ -17,25 +19,25 @@ subsets: - name: secure-connection port: 443 protocol: TCP -``` +```` Create this resource: -``` -> kubectl create -f examples/Endpoints/endpoints.yaml +````yaml +> kubectl create -f test/Endpoints/endpoints.yaml endpoints/test-endpoint created -> kubectl get -f examples/Endpoints/endpoints.yaml +> kubectl get -f test/Endpoints/endpoints.yaml NAME ENDPOINTS AGE test-endpoint 192.168.10.171:443 6s -``` +```` We just created an endpoints resource and made sure that it was created without changes. Let's remove it now and try to create it again, but with an active policy for endpoints resources. -``` -> kubectl delete -f test/endpoints.yaml +````bash +> kubectl delete -f test/Endpoints/endpoints.yaml endpoints "test-endpoint" deleted -``` -We have this a policy for enpoints (`examples/Endpoints/policy-endpoint.yaml`): +```` +We have this a policy for enpoints ([policy-endpoint.yaml](/test/Endpoints/policy-endpoint.yaml)): -``` -apiVersion : kubepolicy.nirmata.io/v1alpha1 +````yaml +apiVersion : kyverno.io/v1alpha1 kind : Policy metadata : name : policy-endpoints @@ -43,7 +45,8 @@ spec : rules: - name: resource: - kind : Endpoints + kinds: + - Endpoints selector: matchLabels: label : test 
@@ -61,22 +64,22 @@ spec : - name: load-balancer-connection port: 80 protocol: UDP -``` +```` This policy does 2 patches: - **replaces** the first port of the first connection to 6443 - **adds** new endpoint with IP 192.168.10.171 and port 80 (UDP) Let's apply this policy and create the endpoints again to see the changes: -``` -> kubectl create -f examples/Endpoints/policy-endpoints.yaml +````bash +> kubectl create -f test/Endpoints/policy-endpoints.yaml policy.policy.nirmata.io/policy-endpoints created -> kubectl create -f examples/Endpoints/endpoints.yaml +> kubectl create -f test/Endpoints/endpoints.yaml endpoints/test-endpoint created -> kubectl get -f examples/Endpoints/endpoints.yaml +> kubectl get -f test/Endpoints/endpoints.yaml NAME ENDPOINTS AGE test-endpoint 192.168.10.171:80,192.168.10.171:9663 30s -``` +```` As you can see, the endpoints resource was created with changes: a new port 80 was added, and port 443 was changed to 6443. **Enjoy :)** From 87c1b850adc618da65535c89ff2e1a137578764d Mon Sep 17 00:00:00 2001 From: Denys Bielyshev <47354295+belyshevdenis@users.noreply.github.com> Date: Wed, 22 May 2019 18:15:35 +0300 Subject: [PATCH 13/23] Update writing-policies-generate.md --- documentation/writing-policies-generate.md | 1 + 1 file changed, 1 insertion(+) diff --git a/documentation/writing-policies-generate.md b/documentation/writing-policies-generate.md index 02e625ea7d..77cc451841 100644 --- a/documentation/writing-policies-generate.md +++ b/documentation/writing-policies-generate.md @@ -41,6 +41,7 @@ spec : In this example, when this policy is applied, any new namespace will receive 2 new resources after its creation: * ConfigMap copied from default/config-template with added value DB_ENDPOINT. * Secret with values DB_USER and DB_PASSWORD. + Both resources will contain a label ```purpose: mongo``` --- From 6d6d18ce3e92ae9df0ae7021feac12166bb216af Mon Sep 17 00:00:00 2001 
From: Denys Bielyshev <47354295+belyshevdenis@users.noreply.github.com> Date: Wed, 22 May 2019 19:30:34 +0300 Subject: [PATCH 14/23] 34: Updated Roadmap with links to the issues --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 40fe736527..d7aa320e11 100644 --- a/README.md +++ b/README.md @@ -44,12 +44,12 @@ spec: - name: "*" resources: limits: - # '?' requires a value (at least 1 character) - memory: "?" - cpu: "?" + # '?' requires at least 1 character and '*' means that there can be 0 or several characters after a single character marked by ? + memory: "?*" + cpu: "?*" requests: - memory: "?" - cpu: "?" + memory: "?*" + cpu: "?*" ```` ### 2. Mutating resources @@ -128,11 +128,11 @@ Additional examples are available in [examples](/examples). Here are some the major features we plan on completing before a 1.0 release: -* Events -* Policy Violations -* Generate any resource -* Conditionals on existing resources -* Extend CLI to operate on cluster resources +* [Events](https://github.com/nirmata/kyverno/issues/14) +* [Policy Violations](https://github.com/nirmata/kyverno/issues/24) +* [Generate any resource](https://github.com/nirmata/kyverno/issues/21) +* [Conditionals on existing resources](https://github.com/nirmata/kyverno/issues/57) +* [Extend CLI to operate on cluster resources ](https://github.com/nirmata/kyverno/issues/25) ## Getting help From 1fd75b94878d408dea7371ae5b40028a6107ef0a Mon Sep 17 00:00:00 2001 From: Denys Bielyshev <47354295+belyshevdenis@users.noreply.github.com> Date: Wed, 22 May 2019 19:32:23 +0300 Subject: [PATCH 15/23] Documentation for Mutate moved up Documentation for Mutate moved before the Validate according to the order of deatures application --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d7aa320e11..ff13dcd403 100644 --- a/README.md +++ b/README.md 
@@ -116,8 +116,8 @@ Additional examples are available in [examples](/examples). * [Getting Started](documentation/installation.md) * [Writing Policies](documentation/writing-policies.md) - * [Validate](documentation/writing-policies-validate.md) * [Mutate](documentation/writing-policies-mutate.md) + * [Validate](documentation/writing-policies-validate.md) * [Generate](documentation/writing-policies-generate.md) * [Testing Policies](documentation/testing-policies.md) * [Using kubectl](documentation/testing-policies.md#Test-using-kubectl) From 834a39f63c3b9fdc4cd18afb8d10fed1ee2ebe22 Mon Sep 17 00:00:00 2001 From: Denys Bielyshev <47354295+belyshevdenis@users.noreply.github.com> Date: Wed, 22 May 2019 19:33:38 +0300 Subject: [PATCH 16/23] Changed order of pages --- documentation/writing-policies-validate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index a315472f3e..2781af110e 100644 --- a/documentation/writing-policies-validate.md +++ b/documentation/writing-policies-validate.md @@ -66,4 +66,4 @@ Additional examples are available in [examples](/examples/) --- -*Read Next >> [Mutate](/documentation/writing-policies-mutate.md)* +*Read Next >> [Generate](/documentation/writing-policies-generate.md)* From d73576bd042139c14a18ebdb7744759c0a47c28b Mon Sep 17 00:00:00 2001 From: Denys Bielyshev <47354295+belyshevdenis@users.noreply.github.com> Date: Wed, 22 May 2019 19:37:30 +0300 Subject: [PATCH 17/23] 34: Fixed Validate documentation --- documentation/writing-policies-validate.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index 2781af110e..fe3b905e0b 100644 --- a/documentation/writing-policies-validate.md +++ b/documentation/writing-policies-validate.md 
@@ -9,10 +9,10 @@ A validation rule is expressed as an overlay pattern that expresses the desired 2. Undefined fields are treated as wildcards. 3. A validation pattern field with the wildcard value '*' will match zero or more alphanumeric characters. Empty values or missing fields are matched. 4. A validation pattern field with the wildcard value '?' will match any single alphanumeric character. Empty or missing fields are not matched. -5. A validation pattern field with the wildcard value '*?' will match any alphanumeric characters and requires the field to be present with non-empty values. -6. A validation pattern field with the value `null` requires that the field not be defined or have a null value. -6. The validation of siblings is performed only when one of the field values matches the value defined in the pattern. You can use the parenthesis operator to explictly specify a field value that must be matched. This allows writing rules like 'if fieldA equals X, then fieldB must equal Y'. -7. Validation of child values is only performed if the parent matches the pattern. +5. A validation pattern field with the wildcard value '?*' will match any alphanumeric characters and requires the field to be present with non-empty values. +6. A validation pattern field with the value `null` or "" (empty string) requires that the field not be defined or has no value. +7. The validation of siblings is performed only when one of the field values matches the value defined in the pattern. You can use the parenthesis operator to explictly specify a field value that must be matched. This allows writing rules like 'if fieldA equals X, then fieldB must equal Y'. +8. Validation of child values is only performed if the parent matches the pattern. ## Patterns 
@@ -30,7 +30,6 @@ A validation rule is expressed as an overlay pattern that expresses the desired | `<=` | less than or equals to | | `!` | not equals | | \| | logical or | -| `&` | logical and | There is no operator for `equals` as providing a field value in the pattern requires equality to the value. @@ -46,7 +45,10 @@ spec : rules: - resource: # Kind specifies one or more resource types to match - kind: Deployment, StatefuleSet, DaemonSet + kinds: + - Deployment + - StatefuleSet + - DaemonSet # Name is optional and can use wildcards name: * # Selector is optional @@ -58,7 +60,7 @@ spec : spec: selector: matchLabels: - app: ?* + app: "?*" ```` From a59c0f6e40dcc025bd1d6048d3aac86bd2f98887 Mon Sep 17 00:00:00 2001 From: Denys Bielyshev <47354295+belyshevdenis@users.noreply.github.com> Date: Wed, 22 May 2019 20:03:25 +0300 Subject: [PATCH 18/23] Update writing-policies-validate.md --- documentation/writing-policies-validate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index fe3b905e0b..402fbc71e4 100644 --- a/documentation/writing-policies-validate.md +++ b/documentation/writing-policies-validate.md @@ -34,7 +34,7 @@ A validation rule is expressed as an overlay pattern that expresses the desired There is no operator for `equals` as providing a field value in the pattern requires equality to the value. ## Example - +The next rule prevents the creation of Deployment, StatefuleSet and DaemonSet resources without label 'app' in selector: ````yaml apiVersion : kyverno.io/v1alpha1 From 0fac5f7dae82bf6c896dd0ec38d3eb2adaa5d10f Mon Sep 17 00:00:00 2001 From: Denys Bielyshev <47354295+belyshevdenis@users.noreply.github.com> Date: Wed, 22 May 2019 20:38:55 +0300 Subject: [PATCH 19/23] Created Mutate documentation --- documentation/writing-policies-mutate.md | 130 ++++++++++++++++++++++- 1 file changed, 129 insertions(+), 1 deletion(-) 
diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md index c47680cf0c..1c4c044c56 100644 --- a/documentation/writing-policies-mutate.md +++ b/documentation/writing-policies-mutate.md 
@@ -6,6 +6,134 @@ The ```mutate``` rule contains actions that should be applied to the resource be Resource mutation occurs before validation, so the validation rules should not contradict the changes set in the mutation section. +## Patches + +The patches are used to make direct changes in the created resource. In the next example the patch will be applied to all Deployments that contain a word "nirmata" in the name. + +````yaml +apiVersion : kyverno.io/v1alpha1 +kind : Policy +metadata : + name : policy-v1 +spec : + rules: + - name: "Deployment of *nirmata* images" + resource: + kind: Deployment + # Name is optional. By default validation policy is applicable to any resource of supported kind. + # Name supports wildcards * and ? + name: "*nirmata*" + mutate: + patches: + # This patch adds sidecar container to every deployment that matches this policy + - path: "/spec/template/spec/containers/0/" + op: add + value: + - image: "nirmata.io/sidecar:latest" + imagePullPolicy: "Always" + ports: + - containerPort: 443 +```` +There is one patch in the rule, it will add the new image to the "containers" list with specified parameters. Patch is described in [JSONPatch](http://jsonpatch.com/) format and support the operations ('op' field): +* **add** +* **replace** +* **remove** + +Here is the example with of a patch which removes a label from the secret: +````yaml +apiVersion : kyverno.io/v1alpha1 +kind : Policy +metadata : + name : policy-remove-label +spec : + rules: + - name: "Remove unwanted label" + resource: + # Will be applied to all secrets, because name and selector are not specified + kind: Secret + mutate: + patches: + - path: "/metadata/labels/purpose" + op: remove +```` + +Note, that if **remove** operation cannot be applied, then this **remove** operation will be skipped with no error. + +## Overlay + +The Mutation Overlay is the desired form of resource. The existing resource parameters are replaced with the parameters described in the overlay. 
If there are no such parameters in the target resource, they are copied to the resource from the overlay. The overlay is not used to delete the properties of a resource: use **patches** for this purpose. + +The next overlay will add or change the hard limit for memory to 2 gigabytes in every ResourceQuota with label ```quota: low```: + +````yaml +apiVersion : kyverno.io/v1alpha1 +kind : Policy +metadata : + name : policy-change-memory-limit +spec : + rules: + - name: "Set hard memory limit to 2Gi" + resource: + # Will be applied to all secrets, because name and selector are not specified + kind: ResourceQuota + selector: + matchLabels: + quota: low + mutate: + overlay: + spec: + hard: + limits.memory: 2Gi +```` +The ```overlay``` keyword under ```mutate``` feature describes the desired form of ResourceQuota. + +### Working with lists + +The application of an overlay to the list without additional settings is pretty straightforward: the new items will be added to the list exсept of those that totally equal to existent items. For example, the next overlay will add IP "192.168.10.172" to all addresses in all Endpoints: + +````yaml +apiVersion: policy.nirmata.io/v1alpha1 +kind: Policy +metadata: + name: policy-endpoints- +spec: + rules: + - resource: + # Applied to all endpoints + kind : Endpoints + mutate: + overlay: + subsets: + - addresses: + - ip: 192.168.10.172 +```` + +You can use overlays to merge objects inside lists using **anchor** items marked by parentheses. For example, this overlay will add/replace port to 6443 in all ports with name that start from the word "secure": +````yaml +apiVersion : policy.nirmata.io/v1alpha1 +kind : Policy +metadata : + name : policy-endpoints-should-be-more-secure +spec : + rules: + - resource: + # Applied to all endpoints + kind : Endpoints + mutate: + overlay: + subsets: + - ports: + - (name): "secure*" + port: 6443 +```` + +The **anchors** marked in parentheses support **wildcards**: +1. 
`*` - matches zero or more alphanumeric characters +2. `?` - matches a single alphanumeric character + +## Details + +The behavior of overlays described more detailed in the project's wiki: [Mutation Overlay](https://github.com/nirmata/kyverno/wiki/Mutation-Overlay) --- -*Read Next >> [Generate](/documentation/writing-policies-generate.md)* +*Read Next >> [Validate](/documentation/writing-policies-validate.md)* From d185bbaa589eed4e76e1f75537584f4a82bc86fa Mon Sep 17 00:00:00 2001 From: shuting Date: Wed, 22 May 2019 19:09:21 -0700 Subject: [PATCH 20/23] update mutate overlay example in readme --- README.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index ff13dcd403..d433f5d832 100644 --- a/README.md +++ b/README.md @@ -66,15 +66,17 @@ spec: - name: set-image-pull-policy resource: kinds: - - Pod + - Deployment mutate: overlay: spec: - containers: - # match images which end with :latest - - (image): "*:latest" - # set the imagePullPolicy to "Always" - imagePullPolicy: "Always" + template: + spec: + containers: + # match images which end with :latest + - (image): "*:latest" + # set the imagePullPolicy to "Always" + imagePullPolicy: "Always" ```` ### 3. Generating resources From e4aff985e4e479d6ea0a04136e31eb764fa02894 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Wed, 22 May 2019 19:36:45 -0700 Subject: [PATCH 21/23] add alternatives --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index ff13dcd403..fdb7588c50 100644 --- a/README.md +++ b/README.md 
@@ -107,6 +107,17 @@ spec: Additional examples are available in [examples](/examples). +## Alternatives + +### Open Policy Agent + +[Open Policy Agent (OPA)](https://www.openpolicyagent.org/) is a general-purpose policy engine that can be used as a Kubernetes admission controller. It supports a large set of use cases. Policies are written using [Rego](https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies#what-is-rego) a custom query language. + +### External configuration management tools + +Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations. + + ## Status *Kyverno is under active development and not ready for production use. Key components and policy definitions are likely to change as we complete core features.* From 4eea73ab60ba1a02b6e55ebc31ad27170567bc69 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Wed, 22 May 2019 20:02:19 -0700 Subject: [PATCH 22/23] update CLI doc --- documentation/testing-policies.md | 39 +++++++++++++++++-- .../CLI/deployment/policy-deployment.yaml | 4 +- .../d2.yaml => resources/ghost.yaml} | 0 .../d1.yaml => resources/nginx.yaml} | 0 4 files changed, 38 insertions(+), 5 deletions(-) rename examples/CLI/deployment/{resource/d2.yaml => resources/ghost.yaml} (100%) rename examples/CLI/deployment/{resource/d1.yaml => resources/nginx.yaml} (100%) diff --git a/documentation/testing-policies.md b/documentation/testing-policies.md index 316106437b..17a1b9df05 100644 --- a/documentation/testing-policies.md +++ b/documentation/testing-policies.md 
@@ -20,8 +20,41 @@ kubectl get -f CM.yaml -o yaml ## Test using the Kyverno CLI -*This feature will be available soon* +The Kyverno Command Line Interface (CLI) tool enables writing and testing policies without requiring Kubernetes clusters and without having to apply local policy changes to a cluster. -## Autotest +### Building the CLI -*Will be available after Kyverno CLI is implemented* \ No newline at end of file +You will need a [Go environment](https://golang.org/doc/install) setup. + +1. Clone the Kyverno repo + +````bash +git clone https://github.com/nirmata/kyverno/ +```` + +2. Build the CLI + +````bash +cd kyverno/cmd +go build +```` + +Or, you can directly build and install the CLI using `go get`: + +````bash +go get -u https://github.com/nirmata/kyverno/cmd +```` + +### Using the CLI + +To test a policy using the CLI type: + +`kyverno ` + +For example: + +```bash +kyverno ../examples/CLI/policy-deployment.yaml ../examples/CLI/resources +``` + +In future releases, the CLI will support complete validation of policies and will allow testing policies against resources in Kubernetes clusters. diff --git a/examples/CLI/deployment/policy-deployment.yaml b/examples/CLI/deployment/policy-deployment.yaml index ef8ab8b9bf..ed4992d91b 100644 --- a/examples/CLI/deployment/policy-deployment.yaml +++ b/examples/CLI/deployment/policy-deployment.yaml @@ -19,12 +19,12 @@ spec : op: replace value: "nginx_is_mutated" validate: - message: "The imagePullPolicy shoud set to Always" + message: "The imagePullPolicy must be Always when :latest is used as a tag" pattern: spec: template: spec: containers: - - (name): "*" + - (name): "*:latest" imagePullPolicy: Always diff --git a/examples/CLI/deployment/resource/d2.yaml b/examples/CLI/deployment/resources/ghost.yaml similarity index 100% rename from examples/CLI/deployment/resource/d2.yaml rename to examples/CLI/deployment/resources/ghost.yaml 
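Review bot: The changed validate anchor `- (name): "*:latest"` in policy-deployment.yaml ties the `:latest` check to the container name, but Kubernetes container names are DNS labels and cannot contain a colon, so this anchor can never match and the sibling `imagePullPolicy: Always` check is silently never enforced — a rule that looks like it guards against floating tags while doing nothing. The new message ("when :latest is used as a tag") and the README overlay example elsewhere in this series (`- (image): "*:latest"`) both indicate the image field was intended; change the line to `- (image): "*:latest"`. The enclosing `rules:`/`resource:` stanza starts above the hunk, so the resource kinds this rule targets are not visible here.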
diff --git a/examples/CLI/deployment/resource/d1.yaml b/examples/CLI/deployment/resources/nginx.yaml similarity index 100% rename from examples/CLI/deployment/resource/d1.yaml rename to examples/CLI/deployment/resources/nginx.yaml From b2085785864161048f620388f340556656f915dc Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Wed, 22 May 2019 20:14:03 -0700 Subject: [PATCH 23/23] update comment --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5a72562320..90b7aeaefe 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,8 @@ spec: - name: "*" resources: limits: - # '?' requires at least 1 character and '*' means that there can be 0 or several characters after a single character marked by ? + # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters. + # Using them togther e.g. '?*' requires at least one character. memory: "?*" cpu: "?*" requests: