add policies
This commit is contained in:
parent
288332b6bf
commit
ff60dc05fd
31 changed files with 516 additions and 0 deletions
|
@ -0,0 +1,16 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-pod-disable-automoutingapicred
|
||||
spec:
|
||||
rules:
|
||||
- name: pod-disable-automoutingapicred
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
mutate:
|
||||
overlay:
|
||||
spec:
|
||||
(serviceAccountName): "*"
|
||||
automountServiceAccountToken: false
|
|
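Review bot: The overlay condition `(serviceAccountName): "*"` makes the mutation apply only to pods whose spec already carries a serviceAccountName, so whether an ordinary pod that omits the field receives `automountServiceAccountToken: false` depends on whether the default account has been injected before the webhook runs; if the intent is to disable token mounting for every pod, drop the conditional anchor and keep only `automountServiceAccountToken: false`. `apiVersion : kyverno.io/v1alpha1` has a space before the colon, which yamllint's colons rule flags; the same spacing is in the next five policy files in this commit, `apiVersion: kyverno.io/v1alpha1` throughout. The policy name `mutate-pod-disable-automoutingapicred` drops the "n" that the scenario and policy file names (`..._automountingapicred.yaml`) keep; settle on one spelling.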
@ -0,0 +1,18 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-image
|
||||
spec:
|
||||
rules:
|
||||
- name: validate-tag
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "imagePullPolicy 'IfNotPresent' forbidden with image tag 'latest'"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- (image): "*:latest"
|
||||
imagePullPolicy: "!IfNotPresent"
|
|
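Review bot: `name: validate-image` is also the metadata.name of the policy in examples/best_practices/policy_validate_image_tag.yaml later in this commit; two ClusterPolicies cannot coexist under one name, so applying both examples to a cluster makes one replace the other. Rename this one to match its purpose, e.g. `name: validate-image-latest-ifnotpresent`. The anchor `(image): "*:latest"` fires only on an explicit `:latest` tag; an untagged `nginx` also pulls latest but is not covered by this rule, which is worth a comment since the tag-notspecified policy is a separate object.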
@ -0,0 +1,17 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-image-pullpolicy-notalways
|
||||
spec:
|
||||
rules:
|
||||
- name: image-pullpolicy-notalways
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "image pull policy 'Always' forbidden"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- imagePullPolicy: "!Always"
|
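Review bot: This rule rejects `imagePullPolicy: Always` for every Pod, while the `validate-latest` rule in examples/best_practices/policy_validate_image_tag.yaml in the same commit requires `Always` for latest images, so a cluster running both best-practice examples rejects every latest-tagged pod. Forbidding Always is also the opposite of the usual hardening advice (a forced pull re-checks registry credentials on each node), so the message should state why it is forbidden here or the rule should be scoped. Whether a container with no imagePullPolicy at all satisfies `"!Always"` depends on how the engine treats a missing key; a scenario for that case would pin it.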
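--- a/examples/best_practices/policy_validate_image_tag.yaml
+++ b/examples/best_practices/policy_validate_image_tag.yaml
@@ -0,0 +1,29 @@
+apiVersion : kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+name: validate-image
+spec:
+rules:
+- name: validate-tag
+match:
+resources:
+kinds:
+- Pod
+validate:
+message: "An image tag is required"
+pattern:
+spec:
+containers:
+- image: "*:*"
+- name: validate-latest
+match:
+resources:
+kinds:
+- Pod
+validate:
+message: "imagePullPolicy 'Always' required with tag 'latest'"
+pattern:
+spec:
+containers:
+- (image): "*latest"
+imagePullPolicy: Always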
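Review bot: The `validate-latest` anchor `(image): "*latest"` matches any image reference ending in `latest`, for example `myapp:v1-latest` or a repository whose name ends that way, so the condition should be on the tag, `(image): "*:latest"`. The `validate-tag` pattern `image: "*:*"` is satisfied by any colon, so `registry.local:5000/nginx` (registry port, no tag) passes, and the same pattern is reused in the validate-image-tag-notspecified policy in this commit; the message "An image tag is required" promises more than the glob checks. `name: validate-image` duplicates the metadata.name of the ifnotpresent policy earlier in this commit, so only one of the two can be installed.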
@ -0,0 +1,17 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-image-tag-notlatest
|
||||
spec:
|
||||
rules:
|
||||
- name: image-tag-notlatest
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "image tag 'latest' forbidden"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "!*:latest"
|
|
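Review bot: `image: "!*:latest"` rejects only an explicit `:latest` tag; an untagged `image: nginx` resolves to latest as well and passes this rule, so the policy only delivers its message when deployed together with the tag-notspecified policy. A comment in the file saying so would prevent it being used alone, e.g. `# untagged images are not caught here; pair with validate-image-tag-notspecified`.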
@ -0,0 +1,17 @@
|
|||
apiVersion : kyverno.io/v1alpha1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: validate-image-tag-notspecified
|
||||
spec:
|
||||
rules:
|
||||
- name: image-tag-notspecified
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: "image tag not specified"
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "*:*"
|
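--- a/examples/best_practices/policy_validate_pod_probes.yaml
+++ b/examples/best_practices/policy_validate_pod_probes.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+name: validate-probes
+spec:
+validationFailureAction: "audit"
+rules:
+- name: check-probes
+match:
+resources:
+kinds:
+- Pod
+# exclude:
+# namespaces:
+# - kube-system
+validate:
+message: "Liveness and readiness probes are required"
+pattern:
+spec:
+containers:
+livenessProbe:
+periodSeconds: ">0"
+readinessProbe:
+periodSeconds: ">0"
+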
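Review bot: The pattern demands `periodSeconds: ">0"` under each probe, but periodSeconds is optional in the Pod API (the API server defaults it), so a container that declares both probes without that field fails a rule whose message says only that probes are required; either check presence of the probe objects themselves or extend the message, e.g. `message: "Liveness and readiness probes with an explicit periodSeconds are required"`. `containers:` is followed directly by `livenessProbe:` with no list-item marker, unlike every other policy in this commit, which write `- ...`; if the engine applies a map pattern to each array element this works, but the inconsistency invites a copy-paste error. The commented-out `# exclude:` block is dead configuration and the file ends with a trailing blank line.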
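--- a/examples/best_practices/policy_validate_pod_resources.yaml
+++ b/examples/best_practices/policy_validate_pod_resources.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+name: check-resources
+spec:
+# validationFailureAction: "audit"
+rules:
+- name: check-pod-resources
+message: "CPU and memory resource requests and limits are required"
+match:
+resources:
+kinds:
+- Pod
+name: myapp-pod
+validate:
+pattern:
+spec:
+containers:
+- name: "*"
+resources:
+requests:
+memory: "?*"
+cpu: "?*"
+limits:
+memory: "?*"
+cpu: "?*"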
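Review bot: `name: myapp-pod` under `match.resources` restricts this best-practice policy to a single pod name, which makes the example unusable outside its test fixture; drop the line, or mark it as fixture scoping with a comment. `message:` is placed at rule level here while every other policy in this commit nests it under `validate:`; if the rule object has no message field the text is presumably dropped from failure output, so move it under `validate:`. `# validationFailureAction: "audit"` is commented-out configuration that should either be set or removed.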
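--- a/examples/best_practices/resource_default_namespace.yaml
+++ b/examples/best_practices/resource_default_namespace.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: myapp-pod
+labels:
+app: myapp
+spec:
+containers:
+- name: nginx
+image: nginx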
@ -0,0 +1,12 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
serviceAccountName: default
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
imagePullPolicy: IfNotPresent
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:latest
|
||||
imagePullPolicy: IfNotPresent
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:1.12
|
||||
imagePullPolicy: IfNotPresent
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
imagePullPolicy: Always
|
|
@ -0,0 +1,11 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
||||
imagePullPolicy: IfNotPresent
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:latest
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:1.12
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: myapp-pod
|
||||
labels:
|
||||
app: myapp
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:latest
|
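--- a/examples/best_practices/resource_validate_pod_resources.yaml
+++ b/examples/best_practices/resource_validate_pod_resources.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: myapp-pod
+labels:
+app: myapp
+spec:
+containers:
+- name: nginx
+image: nginx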
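--- a/examples/best_practices/validate_default_namespace.yaml
+++ b/examples/best_practices/validate_default_namespace.yaml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+name: validate-namespace
+spec:
+rules:
+- name: check-default-namespace
+match:
+resources:
+kinds:
+- Pod
+validate:
+message: "A namespace is required"
+anyPattern:
+- metadata:
+namespace: "?*"
+- metadata:
+namespace: "!default"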
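Review bot: `anyPattern` passes when any listed pattern matches, and `namespace: "?*"` already matches `default`, so the second entry `namespace: "!default"` never decides anything and a pod in the default namespace is accepted. If the intent is "a namespace is set and it is not default", a single pattern `namespace: "!default"` expresses it, provided the engine fails a missing key; a scenario for the blank-namespace case would settle that, given the Go test comment in this commit that the test runner sees an empty namespace. If the intent is only "some namespace is set", drop the second entry so the file matches its message.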
@ -33,3 +33,41 @@ func Test_validate_nonRootUsers(t *testing.T) {
|
|||
func Test_generate_networkPolicy(t *testing.T) {
|
||||
testScenario(t, "/test/scenarios/test/scenario_generate_networkPolicy.yaml")
|
||||
}
|
||||
|
||||
// namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver
|
||||
func Test_validate_image_latest_ifnotpresent_deny(t *testing.T) {
|
||||
testScenario(t, "/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml")
|
||||
|
||||
}
|
||||
|
||||
func Test_validate_image_latest_ifnotpresent_pass(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_image_tag_notspecified_deny(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_image_tag_notspecified_pass(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_image_pullpolicy_notalways_pass(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_image_tag_latest_deny(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml")
|
||||
}
|
||||
|
||||
func Test_validate_image_tag_latest_pass(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml")
|
||||
}
|
||||
|
||||
func Test_mutate_pod_disable_automoutingapicred_pass(t *testing.T) {
|
||||
testScenario(t, "test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml")
|
||||
}
|
||||
|
|
|
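Review bot: `Test_validate_image_latest_ifnotpresent_deny` passes `"/test/scenarios/..."` with a leading slash while every other test added in this hunk uses the relative `"test/scenarios/..."`; unless testScenario normalises both forms (its definition is outside the hunk), one of them resolves against the wrong root, so use the relative form, `testScenario(t, "test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml")`. The comment above that test misspells `evaulates` and appears to describe the namespace check rather than the image-pull test it precedes; move it next to the test it explains. `Test_mutate_pod_disable_automoutingapicred_pass` spells the feature differently from the scenario file it loads (`scenario_mutate_pod_disable_automountingapicred.yaml`), which will make grepping between test and fixture unreliable.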
@ -0,0 +1,16 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
creationTimestamp:
|
||||
labels:
|
||||
app: myapp
|
||||
name: myapp-pod
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- image: nginx
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: nginx
|
||||
resources: {}
|
||||
serviceAccountName: default
|
||||
status: {}
|
|
@ -0,0 +1,19 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
|
||||
resource: examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
|
||||
expected:
|
||||
mutation:
|
||||
patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
|
||||
policyresponse:
|
||||
policy: mutate-pod-disable-automoutingapicred
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: myapp-pod
|
||||
rules:
|
||||
- name: pod-disable-automoutingapicred
|
||||
type: Mutation
|
||||
message: "succesfully process overlay"
|
||||
success: true
|
|
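Review bot: The expected message `"succesfully process overlay"`, and `"... succesfully validated"` in the four `_pass` scenarios later in this commit, pin a misspelling of "successfully" that presumably originates in the engine's own response strings; correcting it requires changing the engine message and all five fixtures together, so it should not be fixed on one side alone. Within this file `patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml` and `policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml` use two spellings of the same feature name.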
@ -0,0 +1,18 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
|
||||
resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
policy: validate-image
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: myapp-pod
|
||||
rules:
|
||||
- name: validate-tag
|
||||
type: Validation
|
||||
message: "Validation rule 'validate-tag' failed at '/spec/containers/0/imagePullPolicy/' for resource Pod//myapp-pod. imagePullPolicy 'IfNotPresent' forbidden with image tag 'latest'"
|
||||
success: false
|
|
@ -0,0 +1,18 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
|
||||
resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
policy: validate-image
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: myapp-pod
|
||||
rules:
|
||||
- name: validate-tag
|
||||
type: Validation
|
||||
message: "Validation rule 'validate-tag' succesfully validated"
|
||||
success: true
|
|
@ -0,0 +1,18 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
|
||||
resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
policy: validate-image-pullpolicy-notalways
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: myapp-pod
|
||||
rules:
|
||||
- name: image-pullpolicy-notalways
|
||||
type: Validation
|
||||
message: "Validation rule 'image-pullpolicy-notalways' failed at '/spec/containers/0/imagePullPolicy/' for resource Pod//myapp-pod. image pull policy 'Always' forbidden"
|
||||
success: false
|
|
@ -0,0 +1,18 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
|
||||
resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
policy: validate-image-pullpolicy-notalways
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: myapp-pod
|
||||
rules:
|
||||
- name: image-pullpolicy-notalways
|
||||
type: Validation
|
||||
message: "Validation rule 'image-pullpolicy-notalways' succesfully validated"
|
||||
success: true
|
|
@ -0,0 +1,18 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
|
||||
resource: examples/best_practices/resource_validate_image_tag_latest_deny.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
policy: validate-image-tag-notlatest
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: myapp-pod
|
||||
rules:
|
||||
- name: image-tag-notlatest
|
||||
type: Validation
|
||||
message: "Validation rule 'image-tag-notlatest' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. image tag 'latest' forbidden"
|
||||
success: false
|
|
@ -0,0 +1,18 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
|
||||
resource: examples/best_practices/resource_validate_image_tag_latest_pass.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
policy: validate-image-tag-notlatest
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: myapp-pod
|
||||
rules:
|
||||
- name: image-tag-notlatest
|
||||
type: Validation
|
||||
message: "Validation rule 'image-tag-notlatest' succesfully validated"
|
||||
success: true
|
|
@ -0,0 +1,18 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
|
||||
resource: examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
policy: validate-image-tag-notspecified
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: myapp-pod
|
||||
rules:
|
||||
- name: image-tag-notspecified
|
||||
type: Validation
|
||||
message: "Validation rule 'image-tag-notspecified' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. image tag not specified"
|
||||
success: false
|
|
@ -0,0 +1,18 @@
|
|||
# file path relative to project root
|
||||
input:
|
||||
policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
|
||||
resource: examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
|
||||
expected:
|
||||
validation:
|
||||
policyresponse:
|
||||
policy: validate-image-tag-notspecified
|
||||
resource:
|
||||
kind: Pod
|
||||
apiVersion: v1
|
||||
namespace: ''
|
||||
name: myapp-pod
|
||||
rules:
|
||||
- name: image-tag-notspecified
|
||||
type: Validation
|
||||
message: "Validation rule 'image-tag-notspecified' succesfully validated"
|
||||
success: true
|