mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-10 09:56:55 +00:00
e227636271
* fixed generate flow Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * added test for generate policy with clone Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * small conflict fix Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * print logs for e2e Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * changing log level Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * added wait while creating policy Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * remove log level from e2e Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * added a clusterpolicy check while creating a namespaced resource in e2e tests Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * updated the github_action name for e2e tests Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * changing waiting time to 1 sec Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * remove log Signed-off-by: Shuting Zhao <shutting06@gmail.com> Co-authored-by: Shuting Zhao <shutting06@gmail.com>
412 lines
9.1 KiB
Go
412 lines
9.1 KiB
Go
package generate
|
|
|
|
// Namespace Description
|
|
var namespaceYaml = []byte(`
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: test
|
|
`)
|
|
|
|
// Namespace With Label Description
|
|
var namespaceWithLabelYaml = []byte(`
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: test
|
|
labels:
|
|
security: standard
|
|
`)
|
|
|
|
// Cluster Policy to generate Role and RoleBinding with synchronize=true
|
|
var roleRoleBindingYamlWithSync = []byte(`
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: "gen-role-policy"
|
|
spec:
|
|
background: false
|
|
rules:
|
|
- name: "gen-role"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
kind: Role
|
|
name: "ns-role"
|
|
namespace: "{{request.object.metadata.name}}"
|
|
synchronize: true
|
|
data:
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get", "watch", "list"]
|
|
- name: "gen-role-binding"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
kind: RoleBinding
|
|
name: "ns-role-binding"
|
|
namespace: "{{request.object.metadata.name}}"
|
|
synchronize: true
|
|
data:
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: User
|
|
name: minikube-user
|
|
roleRef:
|
|
kind: Role
|
|
name: ns-role
|
|
namespace: "{{request.object.metadata.name}}"
|
|
apiGroup: rbac.authorization.k8s.io
|
|
`)
|
|
|
|
// Cluster Policy to generate Role and RoleBinding with Clone
|
|
var roleRoleBindingYamlWithClone = []byte(`
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: "gen-role-policy"
|
|
spec:
|
|
background: false
|
|
rules:
|
|
- name: "gen-role"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
kind: Role
|
|
name: "ns-role"
|
|
namespace: "{{request.object.metadata.name}}"
|
|
synchronize: true
|
|
clone:
|
|
kind: Role
|
|
name: "ns-role"
|
|
namespace: "default"
|
|
- name: "gen-role-binding"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
kind: RoleBinding
|
|
name: "ns-role-binding"
|
|
namespace: "{{request.object.metadata.name}}"
|
|
synchronize: true
|
|
clone:
|
|
kind: RoleBinding
|
|
name: "ns-role-binding"
|
|
namespace: default
|
|
`)
|
|
|
|
// Source Role from which ROle is Cloned by generate
|
|
var sourceRoleYaml = []byte(`
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
namespace: default
|
|
name: ns-role
|
|
rules:
|
|
- apiGroups: ["*"]
|
|
resources: ["*"]
|
|
verbs: ["get", "watch", "list", "delete", "create"]
|
|
`)
|
|
|
|
// Source RoleBinding from which RoleBinding is Cloned by generate
|
|
var sourceRoleBindingYaml = []byte(`
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: ns-role-binding
|
|
namespace: default
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: User
|
|
name: minikube-user
|
|
roleRef:
|
|
kind: Role
|
|
name: ns-role
|
|
apiGroup: rbac.authorization.k8s.io
|
|
`)
|
|
|
|
// ClusterPolicy to generate ClusterRole and ClusterRoleBinding with synchronize = true
|
|
var genClusterRoleYamlWithSync = []byte(`
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: "gen-cluster-policy"
|
|
spec:
|
|
background: false
|
|
rules:
|
|
- name: "gen-cluster-role"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
kind: ClusterRole
|
|
name: ns-cluster-role
|
|
synchronize: true
|
|
data:
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get", "watch", "list"]
|
|
- name: "gen-cluster-role-binding"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
kind: ClusterRoleBinding
|
|
name: ns-cluster-role-binding
|
|
synchronize: true
|
|
data:
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: ns-cluster-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: "kyverno-service-account"
|
|
namespace: "{{request.object.metadata.name}}"
|
|
`)
|
|
|
|
// ClusterPolicy to generate ClusterRole and ClusterRoleBinding with clone = true
|
|
var genClusterRoleYamlWithClone = []byte(`
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: "gen-cluster-policy"
|
|
spec:
|
|
background: false
|
|
rules:
|
|
- name: "gen-cluster-role"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
kind: ClusterRole
|
|
name: ns-cluster-role
|
|
namespace: "{{request.object.metadata.name}}"
|
|
synchronize: true
|
|
clone:
|
|
kind: ClusterRole
|
|
name: base-cluster-role
|
|
namespace: default
|
|
- name: "gen-cluster-role-binding"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
kind: ClusterRoleBinding
|
|
name: ns-cluster-role-binding
|
|
namespace: "{{request.object.metadata.name}}"
|
|
synchronize: true
|
|
clone:
|
|
kind: ClusterRole
|
|
name: base-cluster-role-binding
|
|
namespace: default
|
|
`)
|
|
|
|
var baseClusterRoleData = []byte(`
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: base-cluster-role
|
|
rules:
|
|
- apiGroups:
|
|
- "*"
|
|
resources:
|
|
- namespaces
|
|
- networkpolicies
|
|
- secrets
|
|
- configmaps
|
|
- resourcequotas
|
|
- limitranges
|
|
- roles
|
|
- clusterroles
|
|
- rolebindings
|
|
- clusterrolebindings
|
|
verbs:
|
|
- create # generate new resources
|
|
- get # check the contents of exiting resources
|
|
- update # update existing resource, if required configuration defined in policy is not present
|
|
- delete # clean-up, if the generate trigger resource is deleted
|
|
`)
|
|
|
|
var baseClusterRoleBindingData = []byte(`
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: base-cluster-role-binding
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: base-cluster-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: kyverno-service-account
|
|
namespace: kyverno
|
|
`)
|
|
|
|
var genNetworkPolicyYaml = []byte(`
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: add-networkpolicy
|
|
spec:
|
|
background: true
|
|
rules:
|
|
- name: allow-dns
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
selector:
|
|
matchLabels:
|
|
security: standard
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
- "kube-system"
|
|
- "default"
|
|
- "kube-public"
|
|
- "nova-kyverno"
|
|
generate:
|
|
synchronize: true
|
|
kind: NetworkPolicy
|
|
name: allow-dns
|
|
namespace: "{{request.object.metadata.name}}"
|
|
data:
|
|
spec:
|
|
egress:
|
|
- ports:
|
|
- protocol: UDP
|
|
port: 5353
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Egress
|
|
`)
|
|
|
|
var updatGenNetworkPolicyYaml = []byte(`
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: add-networkpolicy
|
|
spec:
|
|
background: true
|
|
rules:
|
|
- name: allow-dns
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
selector:
|
|
matchLabels:
|
|
security: standard
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
- "kube-system"
|
|
- "default"
|
|
- "kube-public"
|
|
- "nova-kyverno"
|
|
generate:
|
|
synchronize: true
|
|
kind: NetworkPolicy
|
|
name: allow-dns
|
|
namespace: "{{request.object.metadata.name}}"
|
|
data:
|
|
spec:
|
|
egress:
|
|
- ports:
|
|
- protocol: TCP
|
|
port: 5353
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Egress
|
|
`)
|
|
|
|
var updateSynchronizeInGeneratePolicyYaml = []byte(`
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: add-networkpolicy
|
|
spec:
|
|
background: true
|
|
rules:
|
|
- name: allow-dns
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
selector:
|
|
matchLabels:
|
|
security: standard
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
- "kube-system"
|
|
- "default"
|
|
- "kube-public"
|
|
- "nova-kyverno"
|
|
generate:
|
|
synchronize: false
|
|
kind: NetworkPolicy
|
|
name: allow-dns
|
|
namespace: "{{request.object.metadata.name}}"
|
|
data:
|
|
spec:
|
|
egress:
|
|
- ports:
|
|
- protocol: UDP
|
|
port: 5353
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Egress
|
|
`)
|
|
|
|
var cloneSourceResource = []byte(`
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: game-demo
|
|
data:
|
|
initial_lives: "2"
|
|
`)
|
|
|
|
var genCloneConfigMapPolicyYaml = []byte(`
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: generate-policy
|
|
spec:
|
|
rules:
|
|
- name: copy-game-demo
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
- kube-system
|
|
- default
|
|
- kube-public
|
|
- kyverno
|
|
generate:
|
|
kind: ConfigMap
|
|
name: game-demo
|
|
namespace: "{{request.object.metadata.name}}"
|
|
synchronize: true
|
|
clone:
|
|
namespace: default
|
|
name: game-demo
|
|
`)
|