From 504f84cd5fd83911a555a724af2bc66ca5f9e1dd Mon Sep 17 00:00:00 2001 From: Lavish pal Date: Fri, 2 Aug 2024 18:42:24 +0530 Subject: [PATCH] simplify the cel expression 
Signed-off-by: Lavish pal --- .github/actions/run-tests/action.yaml | 16 + .github/actions/setup-env/action.yaml | 51 ++ .github/workflows/cel-test.yml | 65 ++ .github/workflows/test.yml | 72 +- .../bad-gitrepositories.yaml | 0 .../bad.yaml | 0 ...aw-test-rename-after-issue-10313-fix.yaml} | 0 .../good-gitrepositories.yaml | 0 .../good.yaml | 0 .../policy-ready.yaml | 0 .../.kyverno-test/kyverno-test.yaml | 4 +- .../chainsaw-step-02-apply-1.yaml | 6 + .../chainsaw-step-02-apply-2.yaml | 6 + .../chainsaw-step-02-apply-3.yaml | 4 + .../chainsaw-step-02-apply-4.yaml | 6 + .../.chainsaw-test/chainsaw-test.yaml | 34 + .../.chainsaw-test/patched-ns-alt.yaml | 7 + .../.chainsaw-test/patched-ns-disabled.yaml | 6 + .../.chainsaw-test/patched-ns-enabled.yaml | 6 + .../.chainsaw-test/patched-ns-none.yaml | 6 + .../.chainsaw-test/policy-ready.yaml | 6 + .../.kyverno-test/kyverno-test.yaml | 21 + .../add-ambient-mode-namespace.yaml | 30 + .../artifacthub-pkg.yml | 22 + .../chainsaw-step-01-assert-1.yaml | 6 + .../.chainsaw-test/chainsaw-test.yaml | 41 ++ .../.chainsaw-test/ns-bad-disabled.yaml | 6 + .../.chainsaw-test/ns-bad-nolabel.yaml | 4 + .../.chainsaw-test/ns-bad-somelabel.yaml | 6 + .../.chainsaw-test/ns-good.yaml | 15 + .../.kyverno-test/kyverno-test.yaml | 28 + .../artifacthub-pkg.yml | 22 + .../enforce-ambient-mode-namespace.yaml | 32 + .../.chainsaw-test/bad.yaml | 12 + .../.chainsaw-test/chainsaw-test.yaml | 36 + .../.chainsaw-test/good.yaml | 12 + .../.chainsaw-test/policy-ready.yaml | 6 + .../.chainsaw-test/prereq.yaml | 12 + .../prevent-duplicate-hpa/artifacthub-pkg.yml | 32 + .../prevent-duplicate-hpa.yaml | 70 ++ .../chainsaw-step-01-assert-1.yaml | 6 + .../.chainsaw-test/chainsaw-test.yaml | 38 + .../.chainsaw-test/pod-bad.yaml | 67 ++ .../.chainsaw-test/pod-good.yaml | 97 +++ .../.chainsaw-test/podcontroller-bad.yaml | 158 ++++ .../.chainsaw-test/podcontroller-good.yaml | 271 +++++++ .../.kyverno-test/kyverno-test.yaml | 73 ++ .../.kyverno-test/resource.yaml 
| 684 ++++++++++++++++++ other/require-cpu-limits/artifacthub-pkg.yml | 22 + .../require-cpu-limits.yaml | 41 ++ .../artifacthub-pkg.yml | 4 +- .../verify-image-with-multi-keys.yaml | 4 +- .../disallow-host-ports/artifacthub-pkg.yml | 2 +- .../disallow-host-ports.yaml | 32 +- 54 files changed, 2116 insertions(+), 91 deletions(-) create mode 100644 .github/actions/run-tests/action.yaml create mode 100644 .github/actions/setup-env/action.yaml create mode 100644 .github/workflows/cel-test.yml rename flux-cel/verify-git-repositories/{.chainsaw-test => .chainsaw-test-rename-after-issue-10313-fix}/bad-gitrepositories.yaml (100%) rename flux-cel/verify-git-repositories/{.chainsaw-test => .chainsaw-test-rename-after-issue-10313-fix}/bad.yaml (100%) rename flux-cel/verify-git-repositories/{.chainsaw-test/chainsaw-test.yaml => .chainsaw-test-rename-after-issue-10313-fix/chainsaw-test-rename-after-issue-10313-fix.yaml} (100%) rename flux-cel/verify-git-repositories/{.chainsaw-test => .chainsaw-test-rename-after-issue-10313-fix}/good-gitrepositories.yaml (100%) rename flux-cel/verify-git-repositories/{.chainsaw-test => .chainsaw-test-rename-after-issue-10313-fix}/good.yaml (100%) rename flux-cel/verify-git-repositories/{.chainsaw-test => .chainsaw-test-rename-after-issue-10313-fix}/policy-ready.yaml (100%) create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml create mode 100644 
istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml create mode 100644 istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml create mode 100644 istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml create mode 100644 istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml create mode 100644 istio/add-ambient-mode-namespace/artifacthub-pkg.yml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml create mode 100644 istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml create mode 100644 istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml create mode 100644 istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml create mode 100644 other/prevent-duplicate-hpa/.chainsaw-test/bad.yaml create mode 100755 other/prevent-duplicate-hpa/.chainsaw-test/chainsaw-test.yaml create mode 100644 other/prevent-duplicate-hpa/.chainsaw-test/good.yaml create mode 100644 other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml create mode 100644 other/prevent-duplicate-hpa/.chainsaw-test/prereq.yaml create mode 100644 other/prevent-duplicate-hpa/artifacthub-pkg.yml create mode 100644 other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml create mode 100644 other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100644 other/require-cpu-limits/.chainsaw-test/chainsaw-test.yaml create mode 100644 
other/require-cpu-limits/.chainsaw-test/pod-bad.yaml create mode 100644 other/require-cpu-limits/.chainsaw-test/pod-good.yaml create mode 100644 other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml create mode 100644 other/require-cpu-limits/.kyverno-test/kyverno-test.yaml create mode 100644 other/require-cpu-limits/.kyverno-test/resource.yaml create mode 100644 other/require-cpu-limits/artifacthub-pkg.yml create mode 100644 other/require-cpu-limits/require-cpu-limits.yaml diff --git a/.github/actions/run-tests/action.yaml b/.github/actions/run-tests/action.yaml new file mode 100644 index 000000000..9da5ca54e --- /dev/null +++ b/.github/actions/run-tests/action.yaml @@ -0,0 +1,16 @@ +name: "Runs E2E Tests" +description: "Runs E2E tests using chainsaw" +inputs: + tests: + description: "Test regex" + required: true +runs: + using: "composite" + steps: + - name: Install Chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + - name: Test with Chainsaw + shell: bash + run: | + set -e + chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --no-color=false diff --git a/.github/actions/setup-env/action.yaml b/.github/actions/setup-env/action.yaml new file mode 100644 index 000000000..8bdbd708a --- /dev/null +++ b/.github/actions/setup-env/action.yaml 
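Review bot: `${{ inputs.tests }}` is expanded directly into the bash `run:` script on the last line of this hunk, which is the expression-injection pattern GitHub warns about for composite actions, since any caller of the action controls the input text. Today the only caller feeds it repository-defined matrix values, so it is not exploitable as written, but the action is reusable and the safe form costs nothing: add `env:` / `  TESTS: ${{ inputs.tests }}` to the step and use `chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/'"${TESTS}" --no-color=false` in the script. The `action-install-chainsaw` reference is SHA-pinned, which is the right choice.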
@@ -0,0 +1,51 @@ +name: "Setup Environment for E2E Tests" +description: "Sets up the environment for the E2E workflows" +inputs: + k8s-version: + description: "Kubernetes version" + required: true +runs: + using: "composite" + steps: + - name: Setup Go + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version: ~1.21.1 + - name: Install Tools + shell: bash + run: | + set -e + curl -LO "https://dl.k8s.io/release/${{ inputs.k8s-version }}/bin/linux/amd64/kubectl" + sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl + - name: Install kind + shell: bash + run: | + set -e + # For AMD64 / x86_64 + [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 + # For ARM64 + [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64 + chmod +x ./kind + sudo mv ./kind /usr/local/bin/kind + - name: Install latest Kyverno CLI + uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0 + - name: Create kind cluster + shell: bash + run: | + set -e + kind create cluster --image kindest/node:${{ inputs.k8s-version }} --config ./.github/kind.yml + - name: Install latest kyverno + shell: bash + run: | + set -e + kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml + - name: Wait for kyverno ready + shell: bash + run: | + set -e + kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s + - name: Install CRDs + shell: bash + run: | + set -e + kubectl apply -f ./.chainsaw/crds diff --git a/.github/workflows/cel-test.yml b/.github/workflows/cel-test.yml new file mode 100644 index 000000000..ec7564140 --- /dev/null +++ b/.github/workflows/cel-test.yml 
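Review bot: The kubectl and kind binaries are fetched with curl and installed with no integrity check in the `Install Tools` and `Install kind` steps, so a mis-served or tampered download runs as root on the runner before any test starts. Both sources publish checksums; adding `curl -LO "https://dl.k8s.io/release/${{ inputs.k8s-version }}/bin/linux/amd64/kubectl.sha256"` followed by `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` before `sudo install` (and the equivalent `.sha256sum` file for kind) closes that gap. These steps are carried over from test.yml, but this is now the file they live in. Two further points are worth a comment rather than a change here: `${{ inputs.k8s-version }}` is interpolated into bash in two steps and would be safer passed via `env:`, and `install-latest-testing.yaml` is pulled from Kyverno's `main` branch, so results depend on a moving target, presumably intentional for an E2E matrix against the latest build.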
@@ -0,0 +1,65 @@ +name: E2E Tests - CEL + +permissions: {} + +on: + workflow_dispatch: {} + pull_request: + branches: + - 'main' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + chainsaw: + strategy: + fail-fast: false + matrix: + k8s-version: + - name: v1.25 + version: v1.25.16 + - name: v1.26 + version: v1.26.14 + - name: v1.27 + version: v1.27.11 + - name: v1.28 + version: v1.28.7 + - name: v1.29 + version: v1.29.2 + tests: + - ^argo-cel$ + - ^aws-cel$ + - ^best-practices-cel$ + - ^consul-cel$ + - ^flux-cel$ + - ^istio-cel$ + - ^kasten-cel$ + - ^kubecost-cel$ + - ^linkerd-cel$ + - ^nginx-ingress-cel$ + - ^openshift-cel$ + - ^other-cel$/^a + - ^other-cel$/^[b-d] + - ^other-cel$/^[e-l] + - ^other-cel$/^[m-q] + - ^other-cel$/^re[c-q] + - ^other-cel$/^res + - ^other-cel$/^[s-z] + - ^pod-security-cel$ + - ^psa-cel$ + - ^traefik-cel$ + runs-on: ubuntu-latest + name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup Environment + uses: ./.github/actions/setup-env + with: + k8s-version: ${{ matrix.k8s-version.version }} + - name: Run CEL Tests + uses: ./.github/actions/run-tests + with: + tests: ${{ matrix.tests }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 73f7d2e0a..8c78461b7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
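Review bot: The `chainsaw` job sets no `timeout-minutes`, so a kind cluster or chainsaw run that hangs holds a runner for GitHub's default six-hour job limit, multiplied across the 5×21 matrix; `timeout-minutes: 30` (or whatever the slowest legitimate shard needs) on the job keeps one stuck PR build from consuming that budget. The workflow-level `permissions: {}` and the `pull_request` (not `pull_request_target`) trigger are the right choices for a workflow that runs fork-supplied policy files. The `k8s-version` matrix duplicates the one in test.yml, so a Kubernetes bump must now be made in two places; a short comment such as `# keep k8s-version in sync with .github/workflows/test.yml` above the matrix would help.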
@@ -30,104 +30,46 @@ jobs: version: v1.29.2 tests: - ^argo$ - - ^argo-cel$ - ^aws$ - - ^aws-cel$ - ^best-practices$ - - ^best-practices-cel$ - ^castai$ - ^cert-manager$ - ^cleanup$ - ^consul$ - - ^consul-cel$ - ^external-secret-operator$ - ^flux$ - - ^flux-cel$ - ^istio$ - - ^istio-cel$ - ^karpenter$ - ^kasten$ - - ^kasten-cel$ - ^kubecost$ - - ^kubecost-cel$ - ^kubeops$ - ^kubevirt$ - ^linkerd$ - - ^linkerd-cel$ - ^nginx-ingress$ - - ^nginx-ingress-cel$ - ^openshift$ - - ^openshift-cel$ - ^other$/^a - - ^other-cel$/^a - ^other$/^[b-d] - - ^other-cel$/^[b-d] - ^other$/^[e-l] - - ^other-cel$/^[e-l] - ^other$/^[m-q] - - ^other-cel$/^[m-q] - ^other$/^re[c-q] - - ^other-cel$/^re[c-q] - ^other$/^res - - ^other-cel$/^res - ^other$/^[s-z] - - ^other-cel$/^[s-z] - ^pod-security$ - - ^pod-security-cel$ - ^psa$ - - ^psa-cel$ - ^psp-migration$ - ^tekton$ - ^traefik$ - - ^traefik-cel$ - ^velero$ runs-on: ubuntu-latest name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }} steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Setup Go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - name: Setup Environment + uses: ./.github/actions/setup-env with: - go-version: ~1.21.1 - - name: Install Tools - run: | - set -e - curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl" - sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl - - name: Install kind - shell: bash - run: | - set -e - # For AMD64 / x86_64 - [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64 - # For ARM64 - [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64 - chmod +x ./kind - sudo mv ./kind /usr/local/bin/kind - - name: Install latest Kyverno CLI - uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0 - - name: Create kind cluster - run: | - set -e - kind 
create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml - - name: Install latest kyverno - run: | - set -e - kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml - - name: Wait for kyverno ready - run: | - set -e - kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s - - name: Install CRDs - run: | - set -e - kubectl apply -f ./.chainsaw/crds - - name: Install Chainsaw - uses: kyverno/action-install-chainsaw@5d00c353f61f44f3b492c673420202d1b1374c3f # v0.2.6 - - name: Test with Chainsaw - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - set -e - chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --no-color=false + k8s-version: ${{ matrix.k8s-version.version }} + - name: Run Tests + uses: ./.github/actions/run-tests + with: + tests: ${{ matrix.tests }} \ No newline at end of file diff --git a/flux-cel/verify-git-repositories/.chainsaw-test/bad-gitrepositories.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/bad-gitrepositories.yaml similarity index 100% rename from flux-cel/verify-git-repositories/.chainsaw-test/bad-gitrepositories.yaml rename to flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/bad-gitrepositories.yaml diff --git a/flux-cel/verify-git-repositories/.chainsaw-test/bad.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/bad.yaml similarity index 100% rename from flux-cel/verify-git-repositories/.chainsaw-test/bad.yaml rename to flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/bad.yaml 
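Review bot: The replaced `Test with Chainsaw` step exported `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to chainsaw, and the new composite `run-tests` action passes no `env:`, so the tests now run without a token. Nothing in the removed lines shows what the token was used for, so this is presumably a harmless least-privilege cleanup, but it is not mentioned in the commit message ("simplify the cel expression") and should be, or the `env:` restored on the `Run Tests` step if any chainsaw test reaches the GitHub API. The rest of the hunk is a straight move of the setup steps into `./.github/actions/setup-env`, and bumping `action-install-chainsaw` from v0.2.6 to v0.2.8 while keeping a SHA pin is fine. The trailing newline dropped on the last line is minor but worth restoring.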
diff --git a/flux-cel/verify-git-repositories/.chainsaw-test/chainsaw-test.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/chainsaw-test-rename-after-issue-10313-fix.yaml similarity index 100% rename from flux-cel/verify-git-repositories/.chainsaw-test/chainsaw-test.yaml rename to flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/chainsaw-test-rename-after-issue-10313-fix.yaml diff --git a/flux-cel/verify-git-repositories/.chainsaw-test/good-gitrepositories.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/good-gitrepositories.yaml similarity index 100% rename from flux-cel/verify-git-repositories/.chainsaw-test/good-gitrepositories.yaml rename to flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/good-gitrepositories.yaml diff --git a/flux-cel/verify-git-repositories/.chainsaw-test/good.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/good.yaml similarity index 100% rename from flux-cel/verify-git-repositories/.chainsaw-test/good.yaml rename to flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/good.yaml diff --git a/flux-cel/verify-git-repositories/.chainsaw-test/policy-ready.yaml b/flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/policy-ready.yaml similarity index 100% rename from flux-cel/verify-git-repositories/.chainsaw-test/policy-ready.yaml rename to flux-cel/verify-git-repositories/.chainsaw-test-rename-after-issue-10313-fix/policy-ready.yaml diff --git a/flux-cel/verify-git-repositories/.kyverno-test/kyverno-test.yaml b/flux-cel/verify-git-repositories/.kyverno-test/kyverno-test.yaml index 91bae26eb..e15021fd6 100644 --- a/flux-cel/verify-git-repositories/.kyverno-test/kyverno-test.yaml +++ b/flux-cel/verify-git-repositories/.kyverno-test/kyverno-test.yaml 
@@ -5,8 +5,8 @@ metadata: policies: - ../verify-git-repositories.yaml resources: -- ../.chainsaw-test/good-gitrepositories.yaml -- ../.chainsaw-test/bad-gitrepositories.yaml +- ../.chainsaw-test-rename-after-issue-10313-fix/good-gitrepositories.yaml +- ../.chainsaw-test-rename-after-issue-10313-fix/bad-gitrepositories.yaml results: - policy: verify-git-repositories rule: github-repositories-only diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml new file mode 100644 index 000000000..71651310f --- /dev/null +++ b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + istio.io/dataplane-mode: ambient + name: istio-test-en-ns diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml new file mode 100644 index 000000000..32cbd8936 --- /dev/null +++ b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + istio.io/dataplane-mode: other + name: istio-test-dis-ns diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml new file mode 100644 index 000000000..6b17ee831 --- /dev/null +++ b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: istio-test-none-ns diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml new file mode 100644 index 000000000..7b14de9b6 --- /dev/null 
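Review bot: The updated resource paths point at `.chainsaw-test-rename-after-issue-10313-fix/`, a directory whose name encodes a temporary workaround, and the chainsaw test inside it was renamed to `chainsaw-test-rename-after-issue-10313-fix.yaml`, so chainsaw presumably no longer discovers it under its default `chainsaw-test.yaml` filename and the end-to-end test for `verify-git-repositories` is silently disabled. If that is the intent, a one-line comment in this file, e.g. `# chainsaw e2e test for this policy is parked pending issue 10313; restore .chainsaw-test/ once fixed`, records why, and the rename should be reverted when the issue closes. The CLI test itself still references the same fixtures and is unaffected.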
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + foo: bar + name: istio-test-alt-ns diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml new file mode 100644 index 000000000..51c8ca8fb --- /dev/null +++ b/istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,34 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: add-ambient-mode-namespace +spec: + steps: + - name: step-01 + try: + - apply: + file: ../add-ambient-mode-namespace.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1.yaml + - apply: + file: chainsaw-step-02-apply-2.yaml + - apply: + file: chainsaw-step-02-apply-3.yaml + - apply: + file: chainsaw-step-02-apply-4.yaml + - name: step-03 + try: + - assert: + file: patched-ns-alt.yaml + - assert: + file: patched-ns-disabled.yaml + - assert: + file: patched-ns-enabled.yaml + - assert: + file: patched-ns-none.yaml diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml new file mode 100644 index 000000000..7ad1fb2fe --- /dev/null +++ b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + foo: bar + istio.io/dataplane-mode: ambient + name: istio-test-alt-ns \ No newline at end of file diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml new file mode 100644 index 000000000..95de97e29 --- /dev/null 
+++ b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + istio.io/dataplane-mode: ambient + name: istio-test-dis-ns \ No newline at end of file diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml new file mode 100644 index 000000000..ee122e92b --- /dev/null +++ b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + istio.io/dataplane-mode: ambient + name: istio-test-en-ns \ No newline at end of file diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml new file mode 100644 index 000000000..c13793cf5 --- /dev/null +++ b/istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + istio.io/dataplane-mode: ambient + name: istio-test-none-ns \ No newline at end of file diff --git a/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml b/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..12870b244 --- /dev/null +++ b/istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-ambient-mode-namespace +status: + ready: true \ No newline at end of file diff --git a/istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml b/istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..1b1fa13e0 --- /dev/null +++ b/istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,21 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: add-ambient-mode-namespace +policies: +- ../add-ambient-mode-namespace.yaml +resources: +- ../.chainsaw-test/patched-ns-disabled.yaml +- ../.chainsaw-test/patched-ns-enabled.yaml +- ../.chainsaw-test/patched-ns-alt.yaml +- ../.chainsaw-test/patched-ns-none.yaml +results: +- policy: add-ambient-mode-namespace + rule: check-ambient-mode-enabled + kind: Namespace + resources: + - istio-test-none-ns + - istio-test-dis-ns + - istio-test-en-ns + - istio-test-alt-ns + result: pass diff --git a/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml b/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml new file mode 100644 index 000000000..df5fd0992 --- /dev/null +++ b/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml @@ -0,0 +1,30 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-ambient-mode-namespace + annotations: + policies.kyverno.io/title: Add Istio Ambient Mode + policies.kyverno.io/category: Istio + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.8.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/subject: Namespace + policies.kyverno.io/description: >- + In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` + must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already + contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` + set to `ambient` for all new Namespaces. +spec: + rules: + - name: add-ambient-mode-enabled + match: + any: + - resources: + kinds: + - Namespace + mutate: + patchStrategicMerge: + metadata: + labels: + istio.io/dataplane-mode: ambient 
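Review bot: The result entry names `rule: check-ambient-mode-enabled`, but the policy in `add-ambient-mode-namespace.yaml` defines its only rule as `add-ambient-mode-enabled`, so the CLI cannot attribute this result to a rule and the expected `pass` is never actually checked; the line should read `rule: add-ambient-mode-enabled`. The inputs are also the already-patched `patched-ns-*.yaml` fixtures, which already carry the label, so the mutation is not really exercised; the pre-mutation `chainsaw-step-02-apply-*.yaml` files would be the stronger input. For a mutate rule the CLI normally compares against a `patchedResource`, and none is given here, so confirm this test asserts the mutation rather than only that the rule applied.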
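Review bot: `patchStrategicMerge` sets `istio.io/dataplane-mode: ambient` unconditionally, which overwrites a value an operator set deliberately (the `patched-ns-disabled.yaml` fixture shows `other` being replaced), and the rule has no `exclude`, so it also rewrites namespaces such as `kube-system` or `istio-system` that are presumably not meant to be enrolled in the mesh. Kyverno's add-if-absent anchor, `+(istio.io/dataplane-mode): ambient`, keeps the default while respecting explicit opt-outs, and an `exclude` block for the control-plane namespaces should be considered; the chainsaw assertion in `patched-ns-disabled.yaml` would need to change alongside. The description says "all new Namespaces", but with no `operations` listed the rule presumably fires on UPDATE as well, so either add `operations: [CREATE]` or say so in the description. The `kyverno.io/kyverno-version: 1.8.0` / `minversion: 1.6.0` pair looks copied from older policies; check it matches what the tests target.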
diff --git a/istio/add-ambient-mode-namespace/artifacthub-pkg.yml b/istio/add-ambient-mode-namespace/artifacthub-pkg.yml new file mode 100644 index 000000000..7d3226555 --- /dev/null +++ b/istio/add-ambient-mode-namespace/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: add-ambient-mode-namespace +version: 1.0.0 +displayName: Add Istio Ambient Mode +createdAt: "2024-07-25T20:07:52.000Z" +description: >- + In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` set to `ambient` for all new Namespaces. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/add-ambient-mode-namespace/add-ambient-mode-namespace.yaml + ``` +keywords: + - kyverno + - Istio +readme: | + In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. As an alternative to rejecting Namespace definitions which don't already contain this label, it can be added automatically. This policy adds the label `istio.io/dataplane-mode` set to `ambient` for all new Namespaces. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Istio" + kyverno/kubernetesVersion: "1.24" + kyverno/subject: "Namespace" +digest: f81b9ba15c410e62589f0bf79b22a694b41a2294557c91d3c87683772922a8c0 diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100644 index 000000000..5e9e5da0c --- /dev/null +++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-step-01-assert-1.yaml 
@@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: enforce-ambient-mode-namespace +status: + ready: true diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml new file mode 100644 index 000000000..ba6b3d82f --- /dev/null +++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,41 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: enforce-ambient-mode-namespace +spec: + steps: + - name: step-01 + try: + - apply: + file: ../enforce-ambient-mode-namespace.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: enforce-ambient-mode-namespace + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: ns-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: ns-bad-disabled.yaml + - apply: + expect: + - check: + ($error != null): true + file: ns-bad-nolabel.yaml + - apply: + expect: + - check: + ($error != null): true + file: ns-bad-somelabel.yaml diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml new file mode 100644 index 000000000..0915ecd8e --- /dev/null +++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-disabled.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + istio.io/dataplane-mode: other + name: bad-istio-amb01 \ No newline at end of file 
diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml new file mode 100644 index 000000000..50c60d84f --- /dev/null +++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-nolabel.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bad-istio-amb03 \ No newline at end of file diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml new file mode 100644 index 000000000..d18925001 --- /dev/null +++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-bad-somelabel.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + foo: enabled + name: bad-istio-amb02 \ No newline at end of file diff --git a/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml new file mode 100644 index 000000000..7520123b5 --- /dev/null +++ b/istio/enforce-ambient-mode-namespace/.chainsaw-test/ns-good.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + istio.io/dataplane-mode: ambient + name: good-istio-amb01 +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + foo: disabled + istio.io/dataplane-mode: ambient + bar: enabled + name: good-istio-amb02 \ No newline at end of file diff --git a/istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml b/istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..e2e458be1 --- /dev/null +++ b/istio/enforce-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,28 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: enforce-ambient-mode-namespace +policies: +- ../enforce-ambient-mode-namespace.yaml +resources: +- ../.chainsaw-test/ns-bad-disabled.yaml +- ../.chainsaw-test/ns-bad-nolabel.yaml +- ../.chainsaw-test/ns-bad-somelabel.yaml +- ../.chainsaw-test/ns-good.yaml +results: +- policy: enforce-ambient-mode-namespace + rule: check-ambient-mode-enabled + kind: Namespace + resources: + - bad-istio-amb01 + - bad-istio-amb02 + - bad-istio-amb03 + result: fail +- policy: enforce-ambient-mode-namespace + rule: check-ambient-mode-enabled + kind: Namespace + resources: + - good-istio-amb01 + - good-istio-amb02 + result: pass + diff --git a/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml b/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml new file mode 100644 index 000000000..a01e95c16 --- /dev/null +++ b/istio/enforce-ambient-mode-namespace/artifacthub-pkg.yml 
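Review bot: `rule: check-ambient-mode-enabled` in both result entries does not match the rule name in `enforce-ambient-mode-namespace.yaml`, which is spelled `check-amblient-mode-enabled`, so the CLI cannot attribute either the `fail` or the `pass` results to the rule. The test is correct as written; the fix belongs in the policy (rename the rule to `check-ambient-mode-enabled`), but until that lands this test will not pass, so the two changes should go in together. The fixture split, three bad namespaces and two good ones including `good-istio-amb02` with extra labels, covers the right cases.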
@@ -0,0 +1,22 @@ +name: enforce-ambient-mode-namespace +version: 1.0.0 +displayName: Enforce Istio Ambient Mode +createdAt: "2024-07-25T20:07:52.000Z" +description: >- + In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces set `istio.io/dataplane-mode` to `ambient`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml + ``` +keywords: + - kyverno + - Istio +readme: | + In order for Istio to include namespaces in ambient mode, the label `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces set `istio.io/dataplane-mode` to `ambient`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Istio" + kyverno/kubernetesVersion: "1.24" + kyverno/subject: "Namespace" +digest: 1d0f6644ba09afd6fe0dcb431b434c509b995580a5fef2f795df2fc979c6a931 diff --git a/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml b/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml new file mode 100644 index 000000000..0428f52c5 --- /dev/null +++ b/istio/enforce-ambient-mode-namespace/enforce-ambient-mode-namespace.yaml 
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: enforce-ambient-mode-namespace + annotations: + policies.kyverno.io/title: Enforce Istio Ambient Mode + policies.kyverno.io/category: Istio + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.8.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/subject: Namespace + policies.kyverno.io/description: >- + In order for Istio to include namespaces in ambient mode, the label + `istio.io/dataplane-mode` must be set to `ambient`. This policy ensures that all new Namespaces + set `istio.io/dataplane-mode` to `ambient`. +spec: + validationFailureAction: audit + background: true + rules: + - name: check-amblient-mode-enabled + match: + any: + - resources: + kinds: + - Namespace + validate: + message: "All new Namespaces must have Istio ambient mode enabled." + pattern: + metadata: + labels: + istio.io/dataplane-mode: ambient diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/bad.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/bad.yaml new file mode 100644 index 000000000..c9c7eb1d7 --- /dev/null +++ b/other/prevent-duplicate-hpa/.chainsaw-test/bad.yaml @@ -0,0 +1,12 @@ +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: bad-httpd-hpa +spec: + maxReplicas: 3 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: httpd-deployment + targetCPUUtilizationPercentage: 50 diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/chainsaw-test.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..77903eb72 --- /dev/null +++ b/other/prevent-duplicate-hpa/.chainsaw-test/chainsaw-test.yaml 
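Review bot: The rule name `check-amblient-mode-enabled` has a typo (`amblient`), and the accompanying `.kyverno-test/kyverno-test.yaml` already expects `check-ambient-mode-enabled`, so the line should read `- name: check-ambient-mode-enabled`; rule names are what policy reports and `kyverno test` key on, so it is worth fixing before the policy is published. Functionally, the pattern requires `istio.io/dataplane-mode: ambient` on every Namespace with no `exclude`, which in `Enforce` would block creation of namespaces such as `istio-system` where ambient enrolment is presumably not wanted; an `exclude` for those, or at least a sentence in the description saying operators must add one, is advisable. `validationFailureAction: audit` with `background: true` is the sensible shipping default, and the chainsaw test patches it to `Enforce`, so both paths are covered.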
@@ -0,0 +1,36 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: prevent-duplicate-hpa +spec: + steps: + - name: 01 - Create policy and Enforce + try: + - apply: + file: ../prevent-duplicate-hpa.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: prevent-duplicate-hpa + spec: + validationFailureAction: Enforce + - assert: + file: policy-ready.yaml + - name: 02 - Create some unique HPAs + try: + - apply: + file: prereq.yaml + - name: 03 - Try to create duplicate HPAs + try: + - apply: + file: bad.yaml + expect: + - check: + ($error != null): true + - name: 04 - Create new unique HPAs + try: + - apply: + file: good.yaml diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/good.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/good.yaml new file mode 100644 index 000000000..19c4309c2 --- /dev/null +++ b/other/prevent-duplicate-hpa/.chainsaw-test/good.yaml @@ -0,0 +1,12 @@ +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: good-hpa +spec: + maxReplicas: 3 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: redis-deployment + targetCPUUtilizationPercentage: 50 diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..dc9963c0d --- /dev/null +++ b/other/prevent-duplicate-hpa/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: prevent-duplicate-hpa +status: + ready: true diff --git a/other/prevent-duplicate-hpa/.chainsaw-test/prereq.yaml b/other/prevent-duplicate-hpa/.chainsaw-test/prereq.yaml new file mode 100644 index 000000000..c399889fc --- /dev/null +++ b/other/prevent-duplicate-hpa/.chainsaw-test/prereq.yaml 
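Review bot: The first rule, `verify-kind-name-duplicates`, is never exercised by this test: every fixture (prereq.yaml, bad.yaml, good.yaml) targets a Deployment, so a disallowed `scaleTargetRef.kind` passing through Enforce mode is untested. Add a fixture such as `scaleTargetRef: {apiVersion: v1, kind: ReplicationController, name: httpd-rc}` and a step that applies it with `($error != null): true`, alongside the existing step 03. Without it a regression in the kind pattern (for example a typo in the `Deployment | StatefulSet | ReplicaSet | DaemonSet` alternation) would go unnoticed.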
@@ -0,0 +1,12 @@ +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: httpd-hpa-exist +spec: + maxReplicas: 3 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: httpd-deployment + targetCPUUtilizationPercentage: 50 diff --git a/other/prevent-duplicate-hpa/artifacthub-pkg.yml b/other/prevent-duplicate-hpa/artifacthub-pkg.yml new file mode 100644 index 000000000..6431e6018 --- /dev/null +++ b/other/prevent-duplicate-hpa/artifacthub-pkg.yml 
@@ -0,0 +1,32 @@ +name: prevent-duplicate-hpa +version: 1.0.0 +displayName: Prevent Duplicate HorizontalPodAutoscalers +createdAt: "2024-07-22T12:35:30Z" +description: >- + HorizontalPodAutoscaler (HPA) is useful to automatically adjust the number of pods in a deployment + or replication controller. It requires defining a specific target resource by kind and name. + There are no built-in validation checks by the HPA controller to prevent the creation of multiple HPAs + which target the same resource. This policy has two rules, the first of which ensures that the only targetRef + kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second + prevents the creation of duplicate HPAs by validating that any new HPA targets a unique resource. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml + ``` +keywords: + - kyverno + - other +readme: | + HorizontalPodAutoscaler (HPA) is useful to automatically adjust the number of pods in a deployment + or replication controller. It requires defining a specific target resource by kind and name. + There are no built-in validation checks by the HPA controller to prevent the creation of multiple HPAs + which target the same resource. This policy has two rules, the first of which ensures that the only targetRef + kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second + prevents the creation of duplicate HPAs by validating that any new HPA targets a unique resource. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.27" + kyverno/subject: "HorizontalPodAutoscaler" +digest: 32b4d593d3efa4b433dcc54f76aaaf140f3d654a3905261718ab89155930d880 
diff --git a/other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml b/other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml new file mode 100644 index 000000000..ac625ce65 --- /dev/null +++ b/other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml 
@@ -0,0 +1,70 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: prevent-duplicate-hpa + annotations: + policies.kyverno.io/title: Prevent Duplicate HorizontalPodAutoscalers + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.11.4 + kyverno.io/kubernetes-version: "1.27" + policies.kyverno.io/subject: HorizontalPodAutoscaler + policies.kyverno.io/description: >- + HorizontalPodAutoscaler (HPA) is useful to automatically adjust the number of pods in a deployment + or replication controller. It requires defining a specific target resource by kind and name. + There are no built-in validation checks by the HPA controller to prevent the creation of multiple HPAs + which target the same resource. This policy has two rules, the first of which ensures that the only targetRef + kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second + prevents the creation of duplicate HPAs by validating that any new HPA targets a unique resource. +spec: + validationFailureAction: Audit + background: false + rules: + - name: verify-kind-name-duplicates + match: + any: + - resources: + kinds: + - HorizontalPodAutoscaler + operations: + - CREATE + validate: + message: >- + The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet. 
+ pattern: + spec: + scaleTargetRef: + kind: Deployment | StatefulSet | ReplicaSet | DaemonSet + - name: check-targetref-duplicates + match: + any: + - resources: + kinds: + - HorizontalPodAutoscaler + operations: + - CREATE + preconditions: + all: + - key: + - Deployment + - StatefulSet + - ReplicaSet + - DaemonSet + operator: AnyIn + value: "{{ request.object.spec.scaleTargetRef.kind }}" + context: + - name: targets + apiCall: + urlPath: "/apis/autoscaling/v1/namespaces/{{ request.namespace }}/horizontalpodautoscalers" + jmesPath: "items[?spec.scaleTargetRef.kind=='{{ request.object.spec.scaleTargetRef.kind }}'].spec.scaleTargetRef.name" + validate: + message: >- + The target {{ request.object.spec.scaleTargetRef.kind }} named + {{ request.object.spec.scaleTargetRef.name }} already has an existing + HPA configured for it. Duplicate HPAs are not allowed. + deny: + conditions: + all: + - key: "{{ request.object.spec.scaleTargetRef.name }}" + operator: AnyIn + value: "{{ targets }}" diff --git a/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml new file mode 100644 index 000000000..b4edddc1d --- /dev/null +++ b/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-cpu-limits +status: + ready: true diff --git a/other/require-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/other/require-cpu-limits/.chainsaw-test/chainsaw-test.yaml new file mode 100644 index 000000000..6c3d855b7 --- /dev/null +++ b/other/require-cpu-limits/.chainsaw-test/chainsaw-test.yaml 
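Review bot: Both rules match only `operations: [CREATE]`, so the duplicate check can be bypassed after admission: create an HPA against a workload nobody targets yet, then patch its `spec.scaleTargetRef` to the already-targeted Deployment (or to a kind outside the allowed list) and neither rule runs. Adding `- UPDATE` to both `operations` lists closes that, but then the apiCall result includes the HPA being updated, so the JMESPath filter must drop `request.object.metadata.name` or an unchanged update would deny itself. Keep the `preconditions` on `kind` in the second rule exactly as they are: they are what stops an arbitrary `scaleTargetRef.kind` string from being interpolated into the JMESPath expression in `context`. One remaining gap worth stating in the description is that an HPA on a Deployment and one on that Deployment's ReplicaSet are distinct (kind, name) pairs and are both accepted.
```yaml
      match:
        any:
        - resources:
            kinds:
            - HorizontalPodAutoscaler
            operations:
            - CREATE
            - UPDATE
      # … unchanged: preconditions restricting kind to the four allowed values …
      context:
      - name: targets
        apiCall:
          urlPath: "/apis/autoscaling/v1/namespaces/{{ request.namespace }}/horizontalpodautoscalers"
          # exclude the object being admitted so an in-place UPDATE that keeps its target is not denied by itself
          jmesPath: "items[?spec.scaleTargetRef.kind=='{{ request.object.spec.scaleTargetRef.kind }}' && metadata.name!='{{ request.object.metadata.name }}'].spec.scaleTargetRef.name"
      # … unchanged: validate/deny block …
```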
@@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: require-cpu-limits +spec: + steps: + - name: step-01 + try: + - apply: + file: ../require-cpu-limits.yaml + - patch: + resource: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: require-cpu-limits + spec: + validationFailureAction: Enforce + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml diff --git a/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml b/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..9a135528d --- /dev/null +++ b/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml 
@@ -0,0 +1,67 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35 diff --git a/other/require-cpu-limits/.chainsaw-test/pod-good.yaml b/other/require-cpu-limits/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..cadee0f49 --- /dev/null +++ b/other/require-cpu-limits/.chainsaw-test/pod-good.yaml 
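Review bot: None of the bad fixtures cover the most likely real-world slip, a container whose `resources.limits` block exists but carries only `memory` and no `cpu`; every bad case here either omits `resources` entirely or sets `cpu` on a different container. The policy body starts after this chunk so I cannot confirm its pattern, but if it keys on `limits.cpu` this is exactly the case that distinguishes it from a plain "resources present" check, and it is the case most likely to regress silently. I would add a `badpod02` with `resources: {limits: {memory: "64Mi"}}` on its only container and expect it to be denied like the rest.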
@@ -0,0 +1,97 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: 
"50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" diff --git a/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml b/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..ac56be204 --- /dev/null +++ b/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,158 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: 
initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35 +--- diff --git a/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml b/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..330e0e9cb --- /dev/null +++ b/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,271 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: 
busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: 
+ - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" diff --git a/other/require-cpu-limits/.kyverno-test/kyverno-test.yaml b/other/require-cpu-limits/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..8dc751676 
--- /dev/null +++ b/other/require-cpu-limits/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,73 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: require-cpu-limits +policies: +- ../require-cpu-limits.yaml +resources: +- resource.yaml +results: +- kind: CronJob + policy: require-cpu-limits + resources: + - badcronjob01 + - badcronjob02 + - badcronjob03 + - badcronjob04 + - badcronjob05 + - badcronjob06 + result: fail + rule: check-cpu-limits +- kind: Deployment + policy: require-cpu-limits + resources: + - baddeployment01 + - baddeployment02 + - baddeployment03 + - baddeployment04 + - baddeployment05 + - baddeployment06 + result: fail + rule: check-cpu-limits +- kind: Pod + policy: require-cpu-limits + resources: + - badpod01 + - badpod02 + - badpod03 + - badpod04 + - badpod05 + - badpod06 + - badpod07 + result: fail + rule: check-cpu-limits +- kind: CronJob + policy: require-cpu-limits + resources: + - goodcronjob01 + - goodcronjob02 + - goodcronjob03 + - goodcronjob04 + - goodcronjob05 + result: pass + rule: check-cpu-limits +- kind: Deployment + policy: require-cpu-limits + resources: + - gooddeployment01 + - gooddeployment02 + - gooddeployment03 + - gooddeployment04 + - gooddeployment05 + result: pass + rule: check-cpu-limits +- kind: Pod + policy: require-cpu-limits + resources: + - goodpod01 + - goodpod02 + - goodpod03 + - goodpod04 + - goodpod05 + result: pass + rule: check-cpu-limits diff --git a/other/require-cpu-limits/.kyverno-test/resource.yaml b/other/require-cpu-limits/.kyverno-test/resource.yaml new file mode 100644 index 000000000..441cd0c9d --- /dev/null +++ b/other/require-cpu-limits/.kyverno-test/resource.yaml 
@@ -0,0 +1,684 @@ +###### Pods - Bad +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename +--- +###### Pods - Good +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: 
dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + +###### Deployments - Bad +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + 
app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +###### Deployments - Good +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: 
dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + 
matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + +###### CronJobs - Bad +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + 
- name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +###### CronJobs - Good +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + 
template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" diff --git a/other/require-cpu-limits/artifacthub-pkg.yml b/other/require-cpu-limits/artifacthub-pkg.yml new file mode 100644 index 000000000..125a5efc9 --- /dev/null +++ b/other/require-cpu-limits/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@
+name: require-cpu-limits
+version: 1.0.0
+displayName: Require CPU Limits
+createdAt: "2024-05-19T20:30:06.000Z"
+description: >-
+ Setting CPU limits on pods ensures fair distribution of resources, preventing any single pod from monopolizing CPU and impacting the performance of other pods. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that cpu limits are set on every container.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/require-cpu-limits/require-cpu-limits.yaml
+ ```
+keywords:
+- kyverno
+- Other
+readme: |
+ Setting CPU limits on pods ensures fair distribution of resources, preventing any single pod from monopolizing CPU and impacting the performance of other pods. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that cpu limits are set on every container.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.26"
+ kyverno/subject: "Pod"
+digest: 1d9998010342080ae64f309befdf52065de557cdcc10ddf68d8476b5af93d505
diff --git a/other/require-cpu-limits/require-cpu-limits.yaml b/other/require-cpu-limits/require-cpu-limits.yaml
new file mode 100644
index 000000000..7e7ec5a20
--- /dev/null
+++ b/other/require-cpu-limits/require-cpu-limits.yaml
@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-cpu-limits
+ annotations:
+ policies.kyverno.io/title: Require CPU Limits
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ Setting CPU limits on containers ensures fair distribution of resources, preventing any single container from monopolizing CPU and impacting the performance of other containers. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that cpu limits are set on every container.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: check-cpu-limits
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "CPU limits are required for all containers."
+ pattern:
+ spec:
+ containers:
+ - (name): "*"
+ resources:
+ limits:
+ cpu: "?*"
+ =(ephemeralContainers):
+ - =(name): "*"
+ resources:
+ limits:
+ cpu: "?*"
+ =(initContainers):
+ - =(name): "*"
+ resources:
+ limits:
+ cpu: "?*"
diff --git a/other/verify-image-with-multi-keys/artifacthub-pkg.yml b/other/verify-image-with-multi-keys/artifacthub-pkg.yml
index 886ef0e86..630316e2e 100644
--- a/other/verify-image-with-multi-keys/artifacthub-pkg.yml
+++ b/other/verify-image-with-multi-keys/artifacthub-pkg.yml
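Review bot: The `=(ephemeralContainers)` stanza of the pattern requires `resources.limits.cpu` on ephemeral containers, but the Kubernetes API does not permit `resources` on ephemeral containers at all, so that branch can never be satisfied. With `background: true` every Pod that has been debugged with an ephemeral container will show up as failing in the audit report, and if the policy were ever switched to Enforce (or matched on the `pods/ephemeralcontainers` subresource) the rule would be unsatisfiable for them. Drop the `=(ephemeralContainers):` block down to its `cpu: "?*"` line, keep the `containers` and `=(initContainers)` stanzas, and add a sentence to the description such as `Ephemeral containers are not checked because the API does not allow resources on them.`. The `(name): "*"` / `=(name): "*"` anchors correctly make the limit mandatory for every listed container, which is the right shape for the remaining two stanzas.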
@@ -12,11 +12,11 @@ keywords:
- kyverno
- Software Supply Chain Security
readme: |
- There may be multiple keys used to sign images based on the parties involved in the creation process. This image verification policy requires the named image be signed by two separate keys. It will search for a global "production" key in a ConfigMap called `key` in the `default` Namespace and also a Namespace key in the same ConfigMap.
+ There may be multiple keys used to sign images based on the parties involved in the creation process. This image verification policy requires the named image be signed by two separate keys. It will search for a global "production" key in a ConfigMap called `keys` in the `default` Namespace and also a Namespace key in the same ConfigMap.
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Software Supply Chain Security"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Pod"
-digest: 14cc8946fcc7d3141270826f036b28226c88c5d8e93ba475b1523e90512a281b
+digest: 512b32c2d9e2bcf48907258ca01ff675efb4ed0d1967351ad161e50b20512d56
diff --git a/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml b/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml
index 2c1592bde..4c77e2ce9 100644
--- a/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml
+++ b/other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml
@@ -15,7 +15,7 @@ metadata:
the parties involved in the creation process. This image verification policy requires the named image be signed by two separate keys. It will search for a global "production"
- key in a ConfigMap called `key` in the `default` Namespace
+ key in a ConfigMap called `keys` in the `default` Namespace
and also a Namespace key in the same ConfigMap.
spec:
validationFailureAction: enforce
@@ -42,4 +42,4 @@ spec:
- keys:
publicKeys: "{{ keys.data.production }}"
- keys:
- publicKeys: "{{ keys.data.{{request.namespace}} }}"
\ No newline at end of file
+ publicKeys: "{{ keys.data.{{request.namespace}} }}"
diff --git a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
index 619a073ff..f0a5c882b 100644
--- a/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
+++ b/pod-security-cel/baseline/disallow-host-ports/artifacthub-pkg.yml
@@ -19,5 +19,5 @@ annotations:
kyverno/category: "Pod Security Standards (Baseline) in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Pod"
-digest: b95cfe16e11be0b9507736687bd99b5ea78c455f8fc35194220326ea5ff3913c
+digest: 7cf73b6a1d171059742e0bf243acc6d5aef20b4f45aca0a2c73a162df23b375a
createdAt: "2023-12-03T00:22:34Z"
diff --git a/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml
index b7603ecfb..4ec05497f 100644
--- a/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml
+++ b/pod-security-cel/baseline/disallow-host-ports/disallow-host-ports.yaml
@@ -30,24 +30,18 @@ spec:
cel:
expressions:
- expression: >-
- object.spec.containers.all(container, !has(container.ports) ||
- container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
- message: >-
- Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort
- must either be unset or set to `0`.
+ [
+ object.spec.containers,
+ object.spec.initContainers,
+ object.spec.ephemeralContainers
+ ].all(containers, !has(containers) ||
+ containers.all(container, !has(container.ports) ||
+ container.ports.all(port, !has(port.hostPort) || port.hostPort == 0)
+ )
+ )
+ message: >-
+ Use of host ports is disallowed. The field spec.containers[*].ports[*].hostPort,
+ spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort
+ must either be unset or set to `0`.
- - expression: >-
- !has(object.spec.initContainers) ||
- object.spec.initContainers.all(container, !has(container.ports) ||
- container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
- message: >-
- Use of host ports is disallowed. The field spec.initContainers[*].ports[*].hostPort
- must either be unset or set to `0`.
- - expression: >-
- !has(object.spec.ephemeralContainers) ||
- object.spec.ephemeralContainers.all(container, !has(container.ports) ||
- container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))
- message: >-
- Use of host ports is disallowed. The field spec.ephemeralContainers[*].ports[*].hostPort
- must either be unset or set to `0`.
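Review bot: The merged expression does not preserve the behaviour of the three it replaces: CEL's `has()` macro only accepts a field-selection argument of the form `has(x.f)`, so `!has(containers)` on the comprehension variable should be rejected at compile time, and even with a valid guard the list literal `[object.spec.containers, object.spec.initContainers, object.spec.ephemeralContainers]` evaluates every element eagerly, so a Pod that omits `initContainers` or `ephemeralContainers` (the common case) would raise a no-such-key evaluation error instead of passing. Depending on how Kyverno reports CEL errors that turns a previously passing Pod into a deny or an error result, which is a silent change for a baseline PSS policy. If one expression is the goal, keep the per-field `!has(object.spec.X)` guards and join the three checks with `&&` as below; the widened message text is fine. The hunk's trailing context looks cut off here, so I cannot see whether the chainsaw/kyverno-test fixtures for this policy include a Pod with neither optional field set; one should be present so that this class of regression is caught.
```yaml
        - expression: >-
            object.spec.containers.all(container, !has(container.ports) ||
              container.ports.all(port, !has(port.hostPort) || port.hostPort == 0)) &&
            (!has(object.spec.initContainers) ||
              object.spec.initContainers.all(container, !has(container.ports) ||
                container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))) &&
            (!has(object.spec.ephemeralContainers) ||
              object.spec.ephemeralContainers.all(container, !has(container.ports) ||
                container.ports.all(port, !has(port.hostPort) || port.hostPort == 0)))
          # … unchanged: message …
```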