
add policies

This commit is contained in:
shivkumar dudhani 2019-09-06 10:03:24 -07:00
parent 288332b6bf
commit ff60dc05fd
31 changed files with 516 additions and 0 deletions


@ -0,0 +1,16 @@
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: mutate-pod-disable-automoutingapicred
spec:
rules:
- name: pod-disable-automoutingapicred
match:
resources:
kinds:
- Pod
mutate:
overlay:
spec:
(serviceAccountName): "*"
automountServiceAccountToken: false
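Review bot: The anchor `(serviceAccountName): "*"` on the line above makes the overlay conditional on the Pod declaring serviceAccountName explicitly, so a Pod that relies on the implicit default service account (like the fixture at L213-L222, which has no serviceAccountName) is left untouched and still gets the API token mounted — the exposure this policy exists to close. Unless the condition is deliberate, drop the anchor so the overlay is just `spec:` / `automountServiceAccountToken: false` and applies to every matched Pod; if it is deliberate, a comment next to the anchor saying why is needed. The metadata.name and rule name are spelled `automoutingapicred` here (L20, L23) and in the scenario at L456/L458/L465, while the scenario's input paths (L452-L453) and the file loaded by the test at L424 use `automountingapicred`; both spellings must resolve to real files, so settle on one. Minor: `apiVersion :` has a space before the colon here and at L37/L59/L80/L113/L134, unlike L155.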


@ -0,0 +1,18 @@
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-image
spec:
rules:
- name: validate-tag
match:
resources:
kinds:
- Pod
validate:
message: "imagePullPolicy 'IfNotPresent' forbidden with image tag 'latest'"
pattern:
spec:
containers:
- (image): "*:latest"
imagePullPolicy: "!IfNotPresent"
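Review bot: `metadata.name: validate-image` at L40 is reused by the policy at L83; two ClusterPolicies with the same name cannot both exist in a cluster, and the scenario at L480 cannot tell which of the two it exercises, so give this one a distinct name such as `validate-image-latest-ifnotpresent` to match its file naming. Note also that the anchor `(image): "*:latest"` fires only on an explicit `:latest` tag; an untagged reference such as `image: nginx` (L222) resolves to latest at pull time but is not caught here, which is presumably why `validate-image-tag-notspecified` (L137) exists — a one-line comment in this policy saying the two are meant to be deployed together would prevent one being applied alone.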


@ -0,0 +1,17 @@
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-image-pullpolicy-notalways
spec:
rules:
- name: image-pullpolicy-notalways
match:
resources:
kinds:
- Pod
validate:
message: "image pull policy 'Always' forbidden"
pattern:
spec:
containers:
- imagePullPolicy: "!Always"
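Review bot: Both fixtures for this policy set imagePullPolicy explicitly (L283 and L298), so the common case of a Pod that omits the field and lets the kubelet default it is never exercised; whether `imagePullPolicy: "!Always"` passes or fails against an absent key depends on how the engine treats missing fields, and that is the case a cluster will hit most often. A third scenario with a Pod that has no imagePullPolicy, pinning the expected `success` value, would make the policy's effective behaviour explicit.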


@ -0,0 +1,29 @@
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-image
spec:
rules:
- name: validate-tag
match:
resources:
kinds:
- Pod
validate:
message: "An image tag is required"
pattern:
spec:
containers:
- image: "*:*"
- name: validate-latest
match:
resources:
kinds:
- Pod
validate:
message: "imagePullPolicy 'Always' required with tag 'latest'"
pattern:
spec:
containers:
- (image): "*latest"
imagePullPolicy: Always
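Review bot: The anchor `(image): "*latest"` at L107 has no `:` before `latest`, unlike the equivalent rule at L53 (`"*:latest"`), so it also anchors on any image whose repository name merely ends in `latest` and then demands `imagePullPolicy: Always` for it; `(image): "*:latest"` matches the intent stated in the message. Separately, `image: "*:*"` in `validate-tag` at L96 (and the same pattern at L150) is satisfied by a registry port with no tag at all — a constructed example such as `registry.example:5000/nginx` passes — so "An image tag is required" is not fully enforced; either tighten the pattern or note the limitation in a comment beside it. This file also repeats `metadata.name: validate-image` from L40, so only one of the two policies can be installed under that name.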


@ -0,0 +1,17 @@
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-image-tag-notlatest
spec:
rules:
- name: image-tag-notlatest
match:
resources:
kinds:
- Pod
validate:
message: "image tag 'latest' forbidden"
pattern:
spec:
containers:
- image: "!*:latest"


@ -0,0 +1,17 @@
apiVersion : kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-image-tag-notspecified
spec:
rules:
- name: image-tag-notspecified
match:
resources:
kinds:
- Pod
validate:
message: "image tag not specified"
pattern:
spec:
containers:
- image: "*:*"


@ -0,0 +1,25 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-probes
spec:
validationFailureAction: "audit"
rules:
- name: check-probes
match:
resources:
kinds:
- Pod
# exclude:
# namespaces:
# - kube-system
validate:
message: "Liveness and readiness probes are required"
pattern:
spec:
containers:
livenessProbe:
periodSeconds: ">0"
readinessProbe:
periodSeconds: ">0"
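Review bot: Under `containers:` at L174, `livenessProbe:` (L175) is written as a mapping key rather than a list item, whereas every other container pattern in this commit (L53, L75, L96, L201) starts with `- `; if the rendered indentation reflects the file, the pattern is a map compared against the Pod's containers list and will not express the intended per-container check. Suggested shape: `containers:` / `- livenessProbe:` / `periodSeconds: ">0"` with `readinessProbe:` under the same list item. Also, `validationFailureAction: "audit"` at L160 means a missing probe is reported but not blocked; that may be intended for rollout, but since no sibling policy sets it (L188 leaves it commented out) a comment stating the intent would help.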


@ -0,0 +1,26 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: check-resources
spec:
# validationFailureAction: "audit"
rules:
- name: check-pod-resources
message: "CPU and memory resource requests and limits are required"
match:
resources:
kinds:
- Pod
name: myapp-pod
validate:
pattern:
spec:
containers:
- name: "*"
resources:
requests:
memory: "?*"
cpu: "?*"
limits:
memory: "?*"
cpu: "?*"
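Review bot: `message:` at L191 sits at the rule level, while every other validate rule in this commit places it under `validate:` (L171, L385); if the schema does not accept it there, the failure report for this rule carries no message, so move it to `validate:` / `message: "CPU and memory resource requests and limits are required"`. The match block at L196 also restricts the rule to a Pod literally named `myapp-pod`, so as a best-practice example it silently ignores every other Pod — drop `name:` or comment that it is a fixture-only restriction. `validationFailureAction` is left commented out at L188, so the effective action is whatever the engine defaults to; state it explicitly as L160 does.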


@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: nginx
image: nginx


@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
serviceAccountName: default
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent


@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: nginx
image: nginx:latest
imagePullPolicy: IfNotPresent


@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: nginx
image: nginx:1.12
imagePullPolicy: IfNotPresent


@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: Always


@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent


@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: nginx
image: nginx:latest


@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: nginx
image: nginx:1.12


@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: nginx
image: nginx


@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: nginx
image: nginx:latest


@ -0,0 +1,10 @@
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
containers:
- name: nginx
image: nginx


@ -0,0 +1,18 @@
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
name: validate-namespace
spec:
rules:
- name: check-default-namespace
match:
resources:
kinds:
- Pod
validate:
message: "A namespace is required"
anyPattern:
- metadata:
namespace: "?*"
- metadata:
namespace: "!default"
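Review bot: The `anyPattern` at L386-L390 passes when either alternative matches, and a Pod in namespace `default` matches the first one (`"?*"` is any non-empty value), so the `"!default"` alternative never constrains anything and the policy reduces to "namespace is non-empty". If the intent is "set and not default", that is a single conjunctive condition, e.g. `pattern:` / `metadata:` / `namespace: "!default"`, assuming the engine fails a pattern on a missing or empty key — worth confirming against the engine before relying on it. Note also the comment at L398: the testrunner sees the namespace as blank because the kube-apiserver is what fills in `default`, so at admission time this policy only ever sees an empty string or an explicitly set value, and the message "A namespace is required" should say which of the two it rejects.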


@ -33,3 +33,41 @@ func Test_validate_nonRootUsers(t *testing.T) {
func Test_generate_networkPolicy(t *testing.T) {
testScenario(t, "/test/scenarios/test/scenario_generate_networkPolicy.yaml")
}
// namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver
func Test_validate_image_latest_ifnotpresent_deny(t *testing.T) {
testScenario(t, "/test/scenarios/test/scenario_validate_image_latest_ifnotpresent_deny.yaml")
}
func Test_validate_image_latest_ifnotpresent_pass(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_image_latest_ifnotpresent_pass.yaml")
}
func Test_validate_image_tag_notspecified_deny(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_deny.yaml")
}
func Test_validate_image_tag_notspecified_pass(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_image_tag_notspecified_pass.yaml")
}
func Test_validate_image_pullpolicy_notalways_deny(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_deny.yaml")
}
func Test_validate_image_pullpolicy_notalways_pass(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_image_pullpolicy_notalways_pass.yaml")
}
func Test_validate_image_tag_latest_deny(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_image_tag_latest_deny.yaml")
}
func Test_validate_image_tag_latest_pass(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_validate_image_tag_latest_pass.yaml")
}
func Test_mutate_pod_disable_automoutingapicred_pass(t *testing.T) {
testScenario(t, "test/scenarios/test/scenario_mutate_pod_disable_automountingapicred.yaml")
}
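Review bot: `Test_validate_image_latest_ifnotpresent_deny` (L400) passes `/test/scenarios/...` with a leading slash while the nine sibling tests added in this hunk pass `test/scenarios/...`; the existing test at L396 also uses the slash form, so testScenario presumably tolerates both, but mixing them in one block invites a broken path the next time a line is copied — pick one form. `Test_mutate_pod_disable_automoutingapicred_pass` (L423) spells the name without the `n` but loads `scenario_mutate_pod_disable_automountingapicred.yaml` (L424) with it; align the test name with the file it loads. The comment at L398 explains the `namespace: ''` expected by every scenario in this commit, not only the function it sits above, and has a typo (`evaulates`) — reword it as `// namespace is blank (not "default") because the testrunner invokes the policy engine directly; "default" is filled in by the kube-apiserver` and place it at the top of the added tests.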


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
creationTimestamp:
labels:
app: myapp
name: myapp-pod
spec:
automountServiceAccountToken: false
containers:
- image: nginx
imagePullPolicy: IfNotPresent
name: nginx
resources: {}
serviceAccountName: default
status: {}


@ -0,0 +1,19 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_mutate_pod_disable_automountingapicred.yaml
resource: examples/best_practices/resource_mutate_pod_disable_automountingapicred.yaml
expected:
mutation:
patchedresource: test/output/output_mutate_pod_disable_automoutingapicred.yaml
policyresponse:
policy: mutate-pod-disable-automoutingapicred
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: pod-disable-automoutingapicred
type: Mutation
message: "succesfully process overlay"
success: true


@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_deny.yaml
expected:
validation:
policyresponse:
policy: validate-image
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: validate-tag
type: Validation
message: "Validation rule 'validate-tag' failed at '/spec/containers/0/imagePullPolicy/' for resource Pod//myapp-pod. imagePullPolicy 'IfNotPresent' forbidden with image tag 'latest'"
success: false


@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
resource: examples/best_practices/resource_validate_image_latest_ifnotpresent_pass.yaml
expected:
validation:
policyresponse:
policy: validate-image
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: validate-tag
type: Validation
message: "Validation rule 'validate-tag' succesfully validated"
success: true


@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_deny.yaml
expected:
validation:
policyresponse:
policy: validate-image-pullpolicy-notalways
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: image-pullpolicy-notalways
type: Validation
message: "Validation rule 'image-pullpolicy-notalways' failed at '/spec/containers/0/imagePullPolicy/' for resource Pod//myapp-pod. image pull policy 'Always' forbidden"
success: false


@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_pullpolicy_notalways_deny.yaml
resource: examples/best_practices/resource_validate_image_pullpolicy_notalways_pass.yaml
expected:
validation:
policyresponse:
policy: validate-image-pullpolicy-notalways
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: image-pullpolicy-notalways
type: Validation
message: "Validation rule 'image-pullpolicy-notalways' succesfully validated"
success: true


@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
resource: examples/best_practices/resource_validate_image_tag_latest_deny.yaml
expected:
validation:
policyresponse:
policy: validate-image-tag-notlatest
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: image-tag-notlatest
type: Validation
message: "Validation rule 'image-tag-notlatest' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. image tag 'latest' forbidden"
success: false


@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_tag_latest_deny.yaml
resource: examples/best_practices/resource_validate_image_tag_latest_pass.yaml
expected:
validation:
policyresponse:
policy: validate-image-tag-notlatest
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: image-tag-notlatest
type: Validation
message: "Validation rule 'image-tag-notlatest' succesfully validated"
success: true


@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
resource: examples/best_practices/resource_validate_image_tag_notspecified_deny.yaml
expected:
validation:
policyresponse:
policy: validate-image-tag-notspecified
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: image-tag-notspecified
type: Validation
message: "Validation rule 'image-tag-notspecified' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. image tag not specified"
success: false


@ -0,0 +1,18 @@
# file path relative to project root
input:
policy: examples/best_practices/policy_validate_image_tag_notspecified_deny.yaml
resource: examples/best_practices/resource_validate_image_tag_notspecified_pass.yaml
expected:
validation:
policyresponse:
policy: validate-image-tag-notspecified
resource:
kind: Pod
apiVersion: v1
namespace: ''
name: myapp-pod
rules:
- name: image-tag-notspecified
type: Validation
message: "Validation rule 'image-tag-notspecified' succesfully validated"
success: true