forked from kyverno/kyverno
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: ShutingZhao <shuting@nirmata.com>
- Loading branch information
1 parent
bbd0cb0
commit 9e6fe70
Showing
10 changed files
with
134 additions
and
56 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 changes: 7 additions & 3 deletions
10
.../conformance/kuttl/generate/validation/clusterpolicy/target-namespace-scope/02-check.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,13 @@ | ||
apiVersion: kuttl.dev/v1beta1 | ||
kind: TestStep | ||
apply: | ||
- file: policy-namespaced-target.yaml | ||
- file: policy-fail-1-no-ns-namespaced-target.yaml | ||
shouldFail: true | ||
- file: policy-cluster-target.yaml | ||
- file: policy-fail-2-ns-cluster-target.yaml | ||
shouldFail: true | ||
- file: policy-pass-1-ns-namespaced-target.yaml | ||
shouldFail: false | ||
- file: policy-pass-2-no-ns-cluster-target.yaml | ||
shouldFail: false | ||
- file: policy-pass.yaml | ||
- file: policy-pass-3.yaml | ||
shouldFail: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
19 changes: 0 additions & 19 deletions
19
...kuttl/generate/validation/clusterpolicy/target-namespace-scope/policy-cluster-target.yaml
This file was deleted.
Oops, something went wrong.
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
29 changes: 29 additions & 0 deletions
29
...e/validation/clusterpolicy/target-namespace-scope/policy-pass-1-ns-namespaced-target.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: user-per-namespace-pass-2 | ||
spec: | ||
generateExistingOnPolicyUpdate: true | ||
rules: | ||
- generate: | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
data: | ||
rules: | ||
- verbs: | ||
- "*" | ||
apiGroups: | ||
- "*" | ||
resources: | ||
- "*" | ||
kind: Role | ||
name: superuser | ||
namespace: "{{request.object.metadata.name}}" | ||
synchronize: true | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- Namespace | ||
names: | ||
- dev-* | ||
name: role-per-namespace |
28 changes: 28 additions & 0 deletions
28
...e/validation/clusterpolicy/target-namespace-scope/policy-pass-2-no-ns-cluster-target.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
apiVersion: kyverno.io/v1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: target-namespace-scope-pass-1 | ||
spec: | ||
generateExistingOnPolicyUpdate: true | ||
rules: | ||
- generate: | ||
apiVersion: iam.aws.crossplane.io/v1beta1 | ||
data: | ||
rules: | ||
- verbs: | ||
- "*" | ||
apiGroups: | ||
- "*" | ||
resources: | ||
- "*" | ||
kind: Role | ||
name: superuser | ||
synchronize: true | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- Namespace | ||
names: | ||
- dev-* | ||
name: role-per-namespace |
48 changes: 48 additions & 0 deletions
48
...ormance/kuttl/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
apiVersion: kyverno.io/v2beta1 | ||
kind: ClusterPolicy | ||
metadata: | ||
name: expiration-for-policyexceptions | ||
annotations: | ||
policies.kyverno.io/title: Expiration for PolicyExceptions | ||
policies.kyverno.io/category: Other | ||
policies.kyverno.io/severity: medium | ||
policies.kyverno.io/subject: PolicyException | ||
kyverno.io/kyverno-version: 1.9.0 | ||
policies.kyverno.io/minversion: 1.9.0 | ||
kyverno.io/kubernetes-version: "1.24" | ||
policies.kyverno.io/description: >- | ||
In situations where Ops/Platform teams want to allow exceptions on a | ||
temporary basis, there must be a way to remove the PolicyException once the | ||
expiration time has been reached. After the exception is removed, the rule(s) | ||
for which the exception is granted go back into full effect. This policy generates | ||
a ClusterCleanupPolicy with a four hour expiration time after which the PolicyException | ||
is deleted. It may be necessary to grant both the Kyverno as well as cleanup controller | ||
ServiceAccounts additional permissions to operate this policy. | ||
spec: | ||
rules: | ||
- name: expire-four-hours | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- PolicyException | ||
generate: | ||
apiVersion: kyverno.io/v2alpha1 | ||
kind: ClusterCleanupPolicy | ||
name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }} | ||
synchronize: false | ||
data: | ||
metadata: | ||
labels: | ||
kyverno.io/automated: "true" | ||
spec: | ||
schedule: "{{ time_add('{{ time_now_utc() }}','4h') | time_to_cron(@) }}" | ||
match: | ||
any: | ||
- resources: | ||
kinds: | ||
- PolicyException | ||
namespaces: | ||
- "{{ request.namespace }}" | ||
names: | ||
- "{{ request.object.metadata.name }}" |