
feat: Support resource lists in CLI #4082

Merged: 2 commits, Jun 20, 2022

Conversation

@4molybdenum2 (Contributor) commented Jun 6, 2022

Signed-off-by: 4molybdenum2 <tathagatapaul7@gmail.com>

Related issue

Closes #2857

Milestone of this PR

1.8.0

What type of PR is this

/kind enhancement

Proposed Changes

  • Support for the results[].resource field to be a list (array/string) in addition to a single value.
  • Update documentation

Proof Manifests

kyverno-test.yaml:

name: resource-lists
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: resource-lists
    rule: require-image-tag
    resources:
    - myapp-pod1
    - myapp-pod2
    kind: Pod
    result: pass
  - policy: resource-lists
    rule: validate-image-tag
    resources:
    - myapp-pod3
    kind: Pod
    result: pass

Policy (policy.yaml):

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: resource-lists
  annotations:
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/description: >-
      The ':latest' tag is mutable and can lead to unexpected errors if the 
      image changes. A best practice is to use an immutable tag that maps to 
      a specific version of an application pod.      
spec:
  validationFailureAction: audit
  rules:
  - name: require-image-tag
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "An image tag is required."  
      pattern:
        spec:
          containers:
          - image: "*:*"
  - name: validate-image-tag
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Using a mutable image tag e.g. 'latest' is not allowed."
      pattern:
        spec:
          containers:
          - image: "!*:latest"

Resources (resource.yaml):

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod1
  labels:
    app: myapp1
spec: 
  containers:
  - name: nginx
    image: nginx:1.12

---
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod2
  labels:
    app: myapp2
spec: 
  containers:
  - name: nginx
    image: nginx:1.12

---
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod3
  labels:
    app: myapp3
spec: 
  containers:
  - name: nginx
    image: nginx:1.12

Output:

applying 1 policy to 3 resources...

│───│────────────────│────────────────────│────────────────────────│────────│
│ # │ POLICY         │ RULE               │ RESOURCE               │ RESULT │
│───│────────────────│────────────────────│────────────────────────│────────│
│ 1 │ resource-lists │ require-image-tag  │ default/Pod/myapp-pod1 │ Pass   │
│ 1 │ resource-lists │ require-image-tag  │ default/Pod/myapp-pod2 │ Pass   │
│ 2 │ resource-lists │ validate-image-tag │ default/Pod/myapp-pod3 │ Pass   │
│───│────────────────│────────────────────│────────────────────────│────────│

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • I have added tests that prove my fix is effective or that my feature works.
  • My PR contains new or altered behavior to Kyverno CLI
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added but my PR doesn't contain that functionality.
    • I have added or changed the documentation myself in an existing PR and the link is:
    • I have raised an issue in kyverno/website to track the doc update and the link is:

Further Comments
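Added example, not code from this PR or from Kyverno: a small Go program showing how a results[] field that may be either a scalar or a list is decoded, and how one expectation is then expanded into one report row per named resource, numbered the way the PR's output table numbers them (rows from the same results[] entry share the "#"). The TestResult and Row types, the "default" namespace, the engine-result key format and both sample inputs are assumptions constructed for this example; the real CLI types and matching logic may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// StringOrList decodes either a scalar ("myapp-pod1") or a sequence
// (["myapp-pod1", "myapp-pod2"]) into a slice of names.
type StringOrList []string

func (s *StringOrList) UnmarshalJSON(data []byte) error {
	var one string
	if json.Unmarshal(data, &one) == nil {
		*s = StringOrList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(data, &many); err != nil {
		return fmt.Errorf("resources: want a string or a list of strings, got %s", data)
	}
	*s = many
	return nil
}

// TestResult is a simplified, hypothetical stand-in for one results[] entry (not Kyverno's type).
type TestResult struct {
	Policy    string       `json:"policy"`
	Rule      string       `json:"rule"`
	Resource  string       `json:"resource,omitempty"`  // legacy single value
	Resources StringOrList `json:"resources,omitempty"` // scalar or list
	Kind      string       `json:"kind"`
	Result    string       `json:"result"`
}

// Names merges the legacy `resource` with `resources`, dropping blanks and duplicates.
func (r TestResult) Names() []string {
	seen := map[string]bool{"": true}
	var out []string
	for _, n := range append([]string{r.Resource}, r.Resources...) {
		if !seen[n] {
			seen[n], out = true, append(out, n)
		}
	}
	return out
}

// Row is one report line; rows from the same results[] entry share an Index, like the "#" column.
type Row struct {
	Index                          int
	Policy, Rule, Resource, Status string // Resource is namespace/Kind/name
}

// Compare expands each expectation to one row per resource name and checks it against
// engine results keyed "policy/rule/namespace/Kind/name" -> "pass"|"fail" (namespace assumed "default").
func Compare(manifestJSON []byte, engine map[string]string) ([]Row, error) {
	var m struct{ Results []TestResult `json:"results"` }
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	var rows []Row
	for i, tr := range m.Results {
		names := tr.Names()
		if len(names) == 0 {
			return nil, fmt.Errorf("results[%d] %s/%s names no resource", i, tr.Policy, tr.Rule)
		}
		for _, name := range names {
			res := "default/" + tr.Kind + "/" + name
			status := "Fail"
			if got, ok := engine[tr.Policy+"/"+tr.Rule+"/"+res]; ok && got == tr.Result {
				status = "Pass"
			}
			rows = append(rows, Row{i + 1, tr.Policy, tr.Rule, res, status})
		}
	}
	return rows, nil
}

// Constructed input: the PR's manifest as JSON, plus a legacy `resource` entry whose expected "fail" disagrees with the engine.
const sampleManifest = `{"results": [
 {"policy":"resource-lists","rule":"require-image-tag","resources":["myapp-pod1","myapp-pod2"],"kind":"Pod","result":"pass"},
 {"policy":"resource-lists","rule":"validate-image-tag","resources":"myapp-pod3","kind":"Pod","result":"pass"},
 {"policy":"resource-lists","rule":"validate-image-tag","resource":"myapp-pod2","kind":"Pod","result":"fail"}
]}`

// Constructed engine results: every nginx:1.12 pod passes both rules.
var sampleEngine = map[string]string{
	"resource-lists/require-image-tag/default/Pod/myapp-pod1":  "pass",
	"resource-lists/require-image-tag/default/Pod/myapp-pod2":  "pass",
	"resource-lists/validate-image-tag/default/Pod/myapp-pod2": "pass",
	"resource-lists/validate-image-tag/default/Pod/myapp-pod3": "pass",
}

func main() {
	// Prints the four expanded rows followed by the decode error (nil here).
	fmt.Println(Compare([]byte(sampleManifest), sampleEngine))
}
```

The first two rows carry index 1 and the myapp-pod3 row index 2, as in the PR's table; the third results[] entry uses the legacy scalar `resource` and an expectation that does not match the engine, so it is reported as Fail. Decoding also rejects a `resources` value that is neither a string nor a list, and an entry that names no resource at all is an error rather than a silently empty test.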

@4molybdenum2 (Contributor, Author):

cc @chipzoller

@codecov-commenter commented Jun 6, 2022

Codecov Report

Merging #4082 (af47f27) into main (f67f145) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #4082   +/-   ##
=======================================
  Coverage   29.60%   29.60%           
=======================================
  Files         139      139           
  Lines       18661    18661           
=======================================
  Hits         5524     5524           
  Misses      12460    12460           
  Partials      677      677           


@chipzoller (Contributor):

cc @Prateeknandle as this is relevant to the redesign. We must account for the capabilities reflected in this PR.

@vyankyGH requested a review from chipzoller as a code owner, June 9, 2022 04:40
vyankyGH previously approved these changes, Jun 9, 2022

@vyankyGH (Contributor) commented Jun 9, 2022

/lgtm

@vyankyGH (Contributor):

@4molybdenum2 can you please resolve conflicts, it's blocking for merging PR.

Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
@4molybdenum2 (Contributor, Author):

Resolved conflicts @vyankyGH. Waiting for checks

@vyankyGH vyankyGH enabled auto-merge (squash) June 20, 2022 06:28
@vyankyGH vyankyGH merged commit 16f8620 into kyverno:main Jun 20, 2022
rurikudo pushed a commit to rurikudo/kyverno that referenced this pull request Jun 22, 2022
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
rurikudo pushed a commit to rurikudo/kyverno that referenced this pull request Jun 23, 2022
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>

Successfully merging this pull request may close these issues.

[CLI] Test manifest to support results[].resource list values
4 participants