mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
9e769d1fd0
* updating readme Signed-off-by: Mahfuza Humayra Mohona <mhmohona@gmail.com> Signed-off-by: Mahfuza Mohona <mahfuza.mohona@LEADSOFT.BIZ> * Updating GetWithRetry function Signed-off-by: Mahfuza Humayra Mohona <mhmohona@gmail.com> Signed-off-by: Mahfuza Mohona <mahfuza.mohona@LEADSOFT.BIZ> * Updating GetWithRetry function Signed-off-by: Mahfuza Humayra Mohona <mhmohona@gmail.com> Signed-off-by: Mahfuza Mohona <mahfuza.mohona@LEADSOFT.BIZ> * Updating GetWithRetry function Signed-off-by: Mahfuza Humayra Mohona <mhmohona@gmail.com> Signed-off-by: Mahfuza Mohona <mahfuza.mohona@LEADSOFT.BIZ> * removing update Signed-off-by: Mahfuza Mohona <mahfuza.mohona@LEADSOFT.BIZ> * Update utils.go Signed-off-by: Mahfuza Mohona <mahfuza.mohona@LEADSOFT.BIZ>
269 lines
6.6 KiB
Go
269 lines
6.6 KiB
Go
package e2e
|
|
|
|
// Namespace Description
|
|
var LitmusChaosnamespaceYaml = []byte(`
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: test-litmus
|
|
`)
|
|
|
|
// Litmus Chaos Service Account
|
|
var ChaosServiceAccountYaml = []byte(`
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: pod-cpu-hog-sa
|
|
namespace: test-litmus
|
|
labels:
|
|
name: pod-cpu-hog-sa
|
|
app.kubernetes.io/part-of: litmus
|
|
`)
|
|
|
|
var ChaosRoleYaml = []byte(`
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: pod-cpu-hog-sa
|
|
namespace: test-litmus
|
|
labels:
|
|
name: pod-cpu-hog-sa
|
|
app.kubernetes.io/part-of: litmus
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods","events"]
|
|
verbs: ["create","list","get","patch","update","delete","deletecollection"]
|
|
- apiGroups: [""]
|
|
resources: ["pods/exec","pods/log","replicationcontrollers"]
|
|
verbs: ["create","list","get"]
|
|
- apiGroups: ["batch"]
|
|
resources: ["jobs"]
|
|
verbs: ["create","list","get","delete","deletecollection"]
|
|
- apiGroups: ["apps"]
|
|
resources: ["deployments","statefulsets","daemonsets","replicasets"]
|
|
verbs: ["list","get"]
|
|
- apiGroups: ["apps.openshift.io"]
|
|
resources: ["deploymentconfigs"]
|
|
verbs: ["list","get"]
|
|
- apiGroups: ["argoproj.io"]
|
|
resources: ["rollouts"]
|
|
verbs: ["list","get"]
|
|
- apiGroups: ["litmuschaos.io"]
|
|
resources: ["chaosengines","chaosexperiments","chaosresults"]
|
|
verbs: ["create","list","get","patch","update"]
|
|
`)
|
|
|
|
var ChaosRoleBindingYaml = []byte(`
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: pod-cpu-hog-sa
|
|
namespace: test-litmus
|
|
labels:
|
|
name: pod-cpu-hog-sa
|
|
app.kubernetes.io/part-of: litmus
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: pod-cpu-hog-sa
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: pod-cpu-hog-sa
|
|
namespace: test-litmus
|
|
`)
|
|
|
|
// Pod CPU Hog Experiment
|
|
var PodCPUHogExperimentYaml = []byte(`
|
|
apiVersion: litmuschaos.io/v1alpha1
|
|
description:
|
|
message: |
|
|
Injects cpu consumption on pods belonging to an app deployment
|
|
kind: ChaosExperiment
|
|
metadata:
|
|
name: pod-cpu-hog
|
|
labels:
|
|
name: pod-cpu-hog
|
|
app.kubernetes.io/part-of: litmus
|
|
app.kubernetes.io/component: chaosexperiment
|
|
app.kubernetes.io/version: 1.13.3
|
|
spec:
|
|
definition:
|
|
scope: Namespaced
|
|
permissions:
|
|
- apiGroups:
|
|
- ""
|
|
- "batch"
|
|
- "apps"
|
|
- "apps.openshift.io"
|
|
- "argoproj.io"
|
|
- "litmuschaos.io"
|
|
resources:
|
|
- "jobs"
|
|
- "pods"
|
|
- "pods/log"
|
|
- "events"
|
|
- "replicationcontrollers"
|
|
- "deployments"
|
|
- "statefulsets"
|
|
- "daemonsets"
|
|
- "replicasets"
|
|
- "deploymentconfigs"
|
|
- "rollouts"
|
|
- "pods/exec"
|
|
- "chaosengines"
|
|
- "chaosexperiments"
|
|
- "chaosresults"
|
|
verbs:
|
|
- "create"
|
|
- "list"
|
|
- "get"
|
|
- "patch"
|
|
- "update"
|
|
- "delete"
|
|
- "deletecollection"
|
|
image: "litmuschaos/go-runner:1.13.3"
|
|
imagePullPolicy: Always
|
|
args:
|
|
- -c
|
|
- ./experiments -name pod-cpu-hog
|
|
command:
|
|
- /bin/bash
|
|
env:
|
|
- name: TOTAL_CHAOS_DURATION
|
|
value: '60'
|
|
|
|
## Number of CPU cores to stress
|
|
- name: CPU_CORES
|
|
value: '1'
|
|
|
|
## Percentage of total pods to target
|
|
- name: PODS_AFFECTED_PERC
|
|
value: ''
|
|
|
|
## Period to wait before and after injection of chaos in sec
|
|
- name: RAMP_TIME
|
|
value: ''
|
|
|
|
## env var that describes the library used to execute the chaos
|
|
## default: litmus. Supported values: litmus, pumba
|
|
- name: LIB
|
|
value: 'litmus'
|
|
|
|
## It is used in pumba lib only
|
|
- name: LIB_IMAGE
|
|
value: 'litmuschaos/go-runner:1.13.3'
|
|
|
|
## It is used in pumba lib only
|
|
- name: STRESS_IMAGE
|
|
value: 'alexeiled/stress-ng:latest-ubuntu'
|
|
|
|
# provide the socket file path
|
|
# it is used in pumba lib
|
|
- name: SOCKET_PATH
|
|
value: '/var/run/docker.sock'
|
|
|
|
- name: TARGET_PODS
|
|
value: ''
|
|
|
|
## it defines the sequence of chaos execution for multiple target pods
|
|
## supported values: serial, parallel
|
|
- name: SEQUENCE
|
|
value: 'parallel'
|
|
|
|
labels:
|
|
name: pod-cpu-hog
|
|
app.kubernetes.io/part-of: litmus
|
|
app.kubernetes.io/component: experiment-job
|
|
app.kubernetes.io/version: 1.13.3
|
|
|
|
`)
|
|
|
|
// ChaosEngine Manifest
|
|
var ChaosEngineYaml = []byte(`
|
|
apiVersion: litmuschaos.io/v1alpha1
|
|
kind: ChaosEngine
|
|
metadata:
|
|
name: kind-chaos
|
|
namespace: test-litmus
|
|
spec:
|
|
# It can be active/stop
|
|
engineState: 'active'
|
|
appinfo:
|
|
appns: 'kyverno'
|
|
applabel: 'app.kubernetes.io/name=kyverno'
|
|
appkind: 'deployment'
|
|
chaosServiceAccount: pod-cpu-hog-sa
|
|
# It can be delete/retain
|
|
jobCleanUpPolicy: 'delete'
|
|
experiments:
|
|
- name: pod-cpu-hog
|
|
spec:
|
|
components:
|
|
env:
|
|
#number of cpu cores to be consumed
|
|
#verify the resources the app has been launched with
|
|
- name: CPU_CORES
|
|
value: '1'
|
|
|
|
- name: TOTAL_CHAOS_DURATION
|
|
value: '60' # in seconds
|
|
`)
|
|
|
|
// install disallow_cri_sock_mount
|
|
var DisallowAddingCapabilitiesYaml = []byte(`
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: disallow-add-capabilities
|
|
annotations:
|
|
policies.kyverno.io/category: Pod Security Standards (Baseline)
|
|
policies.kyverno.io/severity: medium
|
|
policies.kyverno.io/subject: Pod
|
|
policies.kyverno.io/description: >-
|
|
Capabilities permit privileged actions without giving full root access.
|
|
Adding capabilities beyond the default set must not be allowed.
|
|
spec:
|
|
validationFailureAction: enforce
|
|
background: true
|
|
rules:
|
|
- name: capabilities
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
validate:
|
|
message: >-
|
|
Adding of additional capabilities beyond the default set is not allowed.
|
|
The fields spec.containers[*].securityContext.capabilities.add and
|
|
spec.initContainers[*].securityContext.capabilities.add must be empty.
|
|
pattern:
|
|
spec:
|
|
containers:
|
|
- =(securityContext):
|
|
=(capabilities):
|
|
X(add): null
|
|
=(initContainers):
|
|
- =(securityContext):
|
|
=(capabilities):
|
|
X(add): null
|
|
|
|
`)
|
|
|
|
// disallow_cri_sock_mount Resource
|
|
var KyvernoTestResourcesYaml = []byte(`
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: add-new-capabilities
|
|
spec:
|
|
containers:
|
|
- name: add-new-capabilities
|
|
image: "ubuntu:18.04"
|
|
command:
|
|
- /bin/sleep
|
|
- "300"
|
|
securityContext:
|
|
capabilities:
|
|
add:
|
|
- NET_ADMIN
|
|
`)
|