mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/test
2019-09-09 17:34:25 -07:00
ConfigMap change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
ConfigMapGenerator-SecretGenerator change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
CronJob change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
DaemonSet change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
Deployment change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
Endpoint change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
generate change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
generate-resource change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
HorizontalPodAutoscaler change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
Ingress change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
Job change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
LimitRange change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
mix change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
Namespace change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
NetworkPolicy change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
output add policies 2019-09-06 10:03:24 -07:00
PersistentVolumeClaim change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
PodDisruptionBudget change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
PodTemplate change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
ResourceQuota change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
scenarios add policy_validate_hostPID_hosIPC.yaml 2019-09-09 17:34:25 -07:00
Secret change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
SecurityContext change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
Service change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
StatefulSet change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00
README.md removed extra changes 2019-06-21 15:41:39 +03:00

Test samples

This directory contains policies and resources for testing. There are definitions for each supported resource type and a sample policy for the corresponding resource.

How to use

Currently, testing is possible only via kubectl with kyverno installed in the cluster, so build and install the policy controller first.

Each folder contains a pair of files: one defines the resource, and the other defines the policy for that resource. Let's look at the endpoints mutation as an example. The Endpoints resource is defined in test/Endpoints/endpoints.yaml:

apiVersion: v1
kind: Endpoints
metadata:
  name: test-endpoint
  labels:
    label : test
subsets:
- addresses:
  - ip: 192.168.10.171
  ports:
  - name: secure-connection
    port: 443
    protocol: TCP

Create this resource:

> kubectl create -f test/Endpoints/endpoints.yaml
endpoints/test-endpoint created
> kubectl get -f test/Endpoints/endpoints.yaml
NAME            ENDPOINTS            AGE
test-endpoint   192.168.10.171:443   6s

We just created an endpoints resource and made sure that it was created without changes. Let's remove it now and try to create it again, but with an active policy for endpoints resources.

> kubectl delete -f test/Endpoints/endpoints.yaml
endpoints "test-endpoint" deleted

We have this policy for endpoints (policy-endpoint.yaml):

apiVersion : kyverno.io/v1alpha1
kind : Policy
metadata :
  name : policy-endpoints
spec :
  rules:
    - name: ""
      resource:
        kinds:
          - Endpoints
        selector:
          matchLabels:
            label : test
      mutate:
        patches:
          - path : "/subsets/0/ports/0/port"
            op : replace
            value: 9663
          - path : "/subsets/0"
            op: add
            value:
              addresses:
              - ip: "192.168.10.171"
              ports:
              - name: load-balancer-connection
                port: 80
                protocol: UDP

This policy applies 2 patches:

  • replaces the first port of the first connection with 9663
  • adds a new endpoint with IP 192.168.10.171 and port 80 (UDP)

Let's apply this policy and create the endpoints again to see the changes:

> kubectl create -f test/Endpoints/policy-endpoints.yaml
policy.policy.nirmata.io/policy-endpoints created
> kubectl create -f test/Endpoints/endpoints.yaml
endpoints/test-endpoint created
> kubectl get -f test/Endpoints/endpoints.yaml
NAME            ENDPOINTS                               AGE
test-endpoint   192.168.10.171:80,192.168.10.171:9663   30s

As you can see, the endpoints resource was created with changes: a new port 80 was added, and port 443 was changed to 9663.
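To preview what a mutating policy like this will change before it is active in a cluster, the two patches can be replayed offline. The following Python sketch is an added example, not part of the kyverno repository; it assumes the patches follow RFC 6902 JSON Patch semantics, implements only the `add` and `replace` operations used above, and its helper names (`matches`, `apply_patch`, `mutate`, `endpoint_list`) are chosen for illustration.

```python
import copy
# Resource and policy rule from the README, transcribed from YAML to dicts.
ENDPOINTS = {
    "kind": "Endpoints",
    "metadata": {"name": "test-endpoint", "labels": {"label": "test"}},
    "subsets": [{"addresses": [{"ip": "192.168.10.171"}],
                 "ports": [{"name": "secure-connection", "port": 443, "protocol": "TCP"}]}],
}
RULE = {
    "resource": {"kinds": ["Endpoints"], "selector": {"matchLabels": {"label": "test"}}},
    "mutate": {"patches": [
        {"path": "/subsets/0/ports/0/port", "op": "replace", "value": 9663},
        {"path": "/subsets/0", "op": "add", "value": {
            "addresses": [{"ip": "192.168.10.171"}],
            "ports": [{"name": "load-balancer-connection", "port": 80, "protocol": "UDP"}]}},
    ]},
}

def matches(rule, obj):
    """Kind and matchLabels filter: only selected resources are mutated."""
    want = rule["resource"]["selector"]["matchLabels"]
    have = obj.get("metadata", {}).get("labels", {})
    return obj["kind"] in rule["resource"]["kinds"] and all(have.get(k) == v for k, v in want.items())

def apply_patch(doc, patch):
    """Apply one 'add' or 'replace' in place (assumed RFC 6902 semantics)."""
    if patch["op"] not in ("add", "replace"):
        raise ValueError("unsupported op: " + patch["op"])
    *parents, last = patch["path"].split("/")[1:]
    node = doc
    for tok in parents:  # walk the JSON Pointer down to the parent container
        node = node[int(tok)] if isinstance(node, list) else node[tok]
    if isinstance(node, list) and patch["op"] == "add":
        node.insert(int(last), patch["value"])  # insert: later items shift right
    elif isinstance(node, list):
        node[int(last)] = patch["value"]
    else:
        node[last] = patch["value"]

def mutate(rule, obj):
    """Return the object as it would look after the rule's patches run in order."""
    out = copy.deepcopy(obj)
    if matches(rule, out):
        for patch in rule["mutate"]["patches"]:
            apply_patch(out, patch)
    return out

def endpoint_list(obj):
    """Flatten subsets into ip:port strings, like the ENDPOINTS column of kubectl get."""
    return [f'{a["ip"]}:{p["port"]}' for s in obj["subsets"] for a in s["addresses"] for p in s["ports"]]
```

Because `add` on an array index inserts rather than overwrites, the new UDP subset lands in front of the original one, which is why port 80 is listed first; a resource whose labels do not match the selector passes through unchanged.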

Enjoy :)