From 8927ae8f079069d36e8fe31b44f6cb172642df90 Mon Sep 17 00:00:00 2001
From: nataliagranato
Date: Wed, 24 Jan 2024 14:50:16 -0300
Subject: [PATCH] add: policies, resources and new actions
---
 .github/workflows/kyverno-test-policy.yaml | 29 ++++++++
 .github/workflows/kyverno.yaml | 44 ++++++-----
 policies/require-resources-limits.yml | 36 ++++++---
 resources/require-resources-limits.yml | 18 +++++
 tests/kyverno-test.yaml | 24 ------
 tests/require_labels.yaml | 31 --------
 tests/resource.yaml | 86 ----------------------
 7 files changed, 94 insertions(+), 174 deletions(-)
 create mode 100644 .github/workflows/kyverno-test-policy.yaml
 create mode 100644 resources/require-resources-limits.yml
 delete mode 100644 tests/kyverno-test.yaml
 delete mode 100644 tests/require_labels.yaml
 delete mode 100644 tests/resource.yaml
diff --git a/.github/workflows/kyverno-test-policy.yaml b/.github/workflows/kyverno-test-policy.yaml
new file mode 100644
index 0000000..d097f14
--- /dev/null
+++ b/.github/workflows/kyverno-test-policy.yaml
@@ -0,0 +1,29 @@
+name: kyverno-policy-test
+# This workflow is triggered on push to any branch and pull request to the main branch.
+# It runs on ubuntu-latest.
+# It uses the community action kyverno/action-install-cli@v0.2.0
+# It runs the following steps:
+on:
+ push:
+ branches:
+ - '*'
+ pull_request:
+ branches:
+ - main
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v4
+ - name: Install Kyverno CLI
+ uses: kyverno/action-install-cli@v0.2.0
+ with:
+ release: 'v1.11.0'
+ - name: Check install
+ run: kyverno version
+ - name: Test new resources against existing policies
+ run: kyverno apply policies/ -r resources/
+
diff --git a/.github/workflows/kyverno.yaml b/.github/workflows/kyverno.yaml
index 973d7af..09bfb56 100644
--- a/.github/workflows/kyverno.yaml
+++ b/.github/workflows/kyverno.yaml
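Review bot: The header comment block ends with `# It runs the following steps:` and nothing follows it, so the documentation of this new workflow trails off mid-sentence; either enumerate the steps or replace that line with something like `# Steps: checkout, install the Kyverno CLI, print its version, then run 'kyverno apply' with policies/ against resources/.`. The third-party action `kyverno/action-install-cli@v0.2.0` is pinned to a mutable tag; pinning it to the full commit SHA of that tag (keeping the tag in a trailing comment) protects the job from a retagged release, which matters more here because the step downloads and executes a binary. Confirm that `kyverno apply` exits non-zero when a resource in resources/ fails a policy, otherwise the last step reports but cannot gate the job.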
@@ -1,27 +1,25 @@
-name: kyverno-policy-test
+name: Kyverno Policy Check
+
 on:
- push:
- branches:
- - '*'
- pull_request:
- branches:
- - main
-
+ push:
+ branches:
+ - main
+
 jobs:
- test:
+ test-kyverno-policies:
 runs-on: ubuntu-latest
- permissions:
- contents: read
+
 steps:
- - name: Checkout repo
- uses: actions/checkout@v4
- - name: Install Kyverno CLI
- uses: kyverno/action-install-cli@v0.2.0
- with:
- release: 'v1.11.0'
- - name: Check install
- run: kyverno version
- - name: Test new resources against existing policies
- run: kyverno apply policies/ -r resources/
- - name: Test pre-defined cases
- run: kyverno test tests/
\ No newline at end of file
+ - name: Checkout Repository
+ uses: actions/checkout@v2
+
+ - name: Validate YAML Indentation
+ run: |
+ if ! yamllint policies/; then
+ echo "YAML indentation validation failed."
+ exit 1
+ fi
+
+ - name: Simulate Apply Kyverno Policy
+ run: |
+ kubectl apply -f policies/require-resources-limits.yml --dry-run=client -o yaml
diff --git a/policies/require-resources-limits.yml b/policies/require-resources-limits.yml
index 63f33ce..c186ffd 100644
--- a/policies/require-resources-limits.yml
+++ b/policies/require-resources-limits.yml
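Review bot: The rewritten job drops the `permissions: contents: read` block the old job carried, so `test-kyverno-policies` now runs with the repository's default GITHUB_TOKEN scope, which can be read/write; restore it under the job with `permissions:` / `  contents: read`. The checkout step also moves from `actions/checkout@v4` to `actions/checkout@v2`, which runs on a deprecated Node runtime, while the sibling workflow added in this same commit uses v4; keep v4. The final `kubectl apply --dry-run=client` step only checks that kubectl can parse the file and appears to need an API server that ubuntu-latest does not provide, so it neither evaluates the ClusterPolicy nor replaces the `kyverno apply` check, which now lives only in kyverno-test-policy.yaml; if schema validation is the goal, the Kyverno CLI is the tool that understands this resource. The `if ! yamllint policies/; then ... exit 1; fi` wrapper is redundant because a non-zero yamllint exit already fails the step, so `run: yamllint policies/` expresses the same check.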
@@ -1,22 +1,38 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
- name: require-resources-limits
+ name: require-requests-limits
+ annotations:
+ policies.kyverno.io/title: Require Limits and Requests
+ policies.kyverno.io/category: Best Practices, EKS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/description: >-
+ As application workloads share cluster resources, it is important to limit resources
+ requested and consumed by each Pod. It is recommended to require resource requests and
+ limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified,
+ defaults will automatically be applied to each Pod based on the LimitRange configuration.
+ This policy validates that all containers have something specified for memory and CPU
+ requests and memory limits.
 spec:
- validationFailureAction: Enforce
+ validationFailureAction: audit
+ background: true
 rules:
- - name: validate-resources-limits
+ - name: validate-resources
 match:
- resources:
- kinds:
- - Pod
+ any:
+ - resources:
+ kinds:
+ - Pod
 validate:
- message: "Pod {{request.object.metadata.name}} does not have resource limits set"
+ message: "CPU and memory resource requests and limits are required."
 pattern:
 spec:
 containers:
- - name: "*"
- resources:
- limits:
+ - resources:
+ requests:
 memory: "?*"
 cpu: "?*"
+ limits:
+ memory: "?*"
diff --git a/resources/require-resources-limits.yml b/resources/require-resources-limits.yml
new file mode 100644
index 0000000..7d58c71
--- /dev/null
+++ b/resources/require-resources-limits.yml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ run: nginx
+ name: nginx
+ namespace: default
+spec:
+ containers:
+ - image: nginx
+ name: nginx
+ resources:
+ requests:
+ memory: "?*"
+ cpu: "?*"
+ limits:
+ memory: "?*"
+ cpu: "?*"
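Review bot: The new `message:` line says "CPU and memory resource requests and limits are required", but the pattern beneath it only requires `limits.memory`, so a Pod with both requests and a memory limit but no CPU limit passes while the message tells the operator otherwise. Either add `cpu: "?*"` under `limits:` or reword the message to `message: "CPU and memory resource requests and a memory limit are required."` so it matches the description annotation, which correctly says "memory limits". Switching `validationFailureAction` from `Enforce` to `audit` means a non-compliant Pod is now only reported rather than rejected; if that is intentional it deserves a sentence in the description, since the policy title still reads as a requirement. Kyverno documents the capitalised `Audit`/`Enforce` spellings, so confirm the lowercase value is accepted by the v1.11.0 CLI the sibling workflow pins.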
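Review bot: The fixture Pod in resources/require-resources-limits.yml uses the Kyverno pattern wildcard `"?*"` as literal values for `memory` and `cpu`, which is not a valid Kubernetes quantity; it only passes the policy because any non-empty string matches `"?*"`, so the check proves nothing about a real workload. Replace each wildcard with a real quantity, e.g. `memory: "128Mi"` and `cpu: "250m"`, under both `requests:` and `limits:`. A second fixture that omits `resources:` (a Pod expected to fail) would let `kyverno apply policies/ -r resources/` demonstrate that the policy rejects something, which the deleted tests/resource.yaml previously covered with its badpod entries.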
diff --git a/tests/kyverno-test.yaml b/tests/kyverno-test.yaml
deleted file mode 100644
index 3c600c1..0000000
--- a/tests/kyverno-test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: cli.kyverno.io/v1alpha1
-kind: Test
-metadata:
- name: require-requests-limits
-policies:
- - ../require-pod-requests-limits.yaml
-resources:
- - resource.yaml
-results:
- - kind: Pod
- policy: require-requests-limits
- resources:
- - badpod01
- - badpod02
- - badpod03
- result: fail
- rule: validate-resources
- - kind: Pod
- policy: require-requests-limits
- resources:
- - goodpod01
- - goodpod02
- result: pass
- rule: validate-resources
diff --git a/tests/require_labels.yaml b/tests/require_labels.yaml
deleted file mode 100644
index 82a58aa..0000000
--- a/tests/require_labels.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
- name: require-labels
- annotations:
- policies.kyverno.io/title: Require Labels
- policies.kyverno.io/category: Best Practices
- policies.kyverno.io/minversion: 1.6.0
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Pod, Label
- policies.kyverno.io/description: >-
- Define and use labels that identify semantic attributes of your application or Deployment.
- A common set of labels allows tools to work collaboratively, describing objects in a common manner that
- all tools can understand. The recommended labels describe applications in a way that can be
- queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
-spec:
- validationFailureAction: audit
- background: true
- rules:
- - name: check-for-labels
- match:
- any:
- - resources:
- kinds:
- - Pod
- validate:
- message: "The label `app.kubernetes.io/name` is required."
- pattern:
- metadata:
- labels:
- app: "?*"
diff --git a/tests/resource.yaml b/tests/resource.yaml
deleted file mode 100644
index 58dc88b..0000000
--- a/tests/resource.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: nginx
- image: nginx
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
- limits:
- memory: "256Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: goodpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: busybox
- resources:
- requests:
- memory: "50Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
- - name: nginx
- image: nginx
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
- limits:
- memory: "256Mi"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod01
- labels:
- app: myapp
-spec:
- containers:
- - name: nginx
- image: nginx
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod02
- labels:
- app: myapp
-spec:
- containers:
- - name: nginx
- image: nginx
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: badpod03
- labels:
- app: myapp
-spec:
- containers:
- - name: busybox
- image: busybox
- - name: nginx
- image: nginx
- resources:
- requests:
- memory: "256Mi"
- cpu: "0.5"
- limits:
- memory: "256Mi"