From db8422c5109a5af4da84712ded04f03611880182 Mon Sep 17 00:00:00 2001
From: nataliagranato
Date: Wed, 24 Jan 2024 14:10:58 -0300
Subject: [PATCH] add: starting the project.
---
.chainsaw.yaml | 18 +++++
.github/workflows/check-actions.yaml | 24 ++++++
.github/workflows/ci.yaml | 75 +++++++++++++++++
.github/workflows/dependabot.yml | 6 ++
.github/workflows/kind.yml | 36 +++++++++
.github/workflows/test.yaml | 112 ++++++++++++++++++++++++++
docs/policies-validade.md | 2 +
policies/require-resources-limits.yml | 22 +++++
tests/kyverno-test.yaml | 24 ++++++
tests/require_labels.yaml | 31 +++++++
tests/resource.yaml | 86 ++++++++++++++++++++
11 files changed, 436 insertions(+)
create mode 100644 .chainsaw.yaml
create mode 100644 .github/workflows/check-actions.yaml
create mode 100644 .github/workflows/ci.yaml
create mode 100644 .github/workflows/dependabot.yml
create mode 100644 .github/workflows/kind.yml
create mode 100644 .github/workflows/test.yaml
create mode 100644 docs/policies-validade.md
create mode 100644 policies/require-resources-limits.yml
create mode 100644 tests/kyverno-test.yaml
create mode 100644 tests/require_labels.yaml
create mode 100644 tests/resource.yaml
diff --git a/.chainsaw.yaml b/.chainsaw.yaml
new file mode 100644
index 0000000..8de72b5
--- /dev/null
+++ b/.chainsaw.yaml
@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/configuration-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+ creationTimestamp: null
+ name: configuration
+spec:
+ parallel: 1
+ timeouts:
+ apply: 1m30s
+ assert: 1m30s
+ cleanup: 1m30s
+ delete: 1m30s
+ error: 1m30s
+ exec: 1m30s
+ fullName: true
+ forceTerminationGracePeriod: 5s
+ delayBeforeCleanup: 3s
diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml
new file mode 100644
index 0000000..4b2e10e
--- /dev/null
+++ b/.github/workflows/check-actions.yaml
@@ -0,0 +1,24 @@
+name: Check actions
+
+permissions: {}
+
+on:
+ push:
+ branches:
+ - '*'
+ pull_request:
+ branches:
+ - 'main'
+ - 'release*'
+
+jobs:
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Ensure SHA pinned actions
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@ba37328d4ea95eaf8b3bd6c6cef308f709a5f2ec # v3.0.3
+ with:
+ allowlist: |
+ kyverno/chainsaw
\ No newline at end of file
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..83d35e6
--- /dev/null
+++ b/.github/workflows/ci.yaml
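Review bot: The `allowlist: | kyverno/chainsaw` entry exempts actions whose name starts with `kyverno/chainsaw` from SHA-pin enforcement, yet nothing in this commit uses such an action — test.yaml references `kyverno/action-install-chainsaw` and `kyverno/action-install-cli`, and both are already pinned by SHA. An allowlist entry that matches nothing only widens what a later change could introduce unpinned, so I would drop the `with:`/`allowlist:` block or explain it with a comment such as `# allowlist: exempt only first-party actions that publish no SHA-pinned releases`. Whether the action matches allowlist entries by prefix comes from its own documentation rather than this diff, so confirm that before relying on it.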
@@ -0,0 +1,75 @@
+name: Policy Test
+
+permissions: {}
+
+on:
+ push:
+ branches:
+ - '*'
+ pull_request:
+ branches:
+ - main
+ - release*
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ path: policies
+ - name: Validate all policies
+ run: ./.hack/verify-files-structure.sh
+ working-directory: policies
+ - name: Clone Kyverno
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ repository: kyverno/kyverno
+ path: kyverno
+ # The target branch of a pull request or the branch/tag of a push
+ ref: ${{ github.base_ref || github.ref_name }}
+ - name: Set up Go
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ with:
+ go-version: ~1.21.1
+ - name: Test Policy
+ run: go run ./cmd/cli/kubectl-kyverno test ../policies
+ working-directory: kyverno
+
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ path: policies
+ - name: Checkout Kyverno
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ repository: kyverno/kyverno
+ path: kyverno
+ # The target branch of a pull request or the branch/tag of a push
+ ref: ${{ github.base_ref || github.ref_name }}
+ - name: Set up Go
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ with:
+ go-version: ~1.21.1
+ - name: Lint policies
+ run: |
+ set -e
+ KYVERNO_EXPERIMENTAL=true go run ./cmd/cli/kubectl-kyverno fix test . --save
+ working-directory: kyverno
+ - name: Check artifacthub-pkg digests
+ run: ./.hack/update-artifacthub-pkg.sh
+ working-directory: policies
+ - name: Check diff
+ run: |
+ set -e
+ git --no-pager diff .
+ git diff --quiet --exit-code .
+ working-directory: policies
\ No newline at end of file
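Review bot: In the `Lint policies` step, `fix test . --save` runs with `working-directory: kyverno`, so it rewrites tests inside the cloned upstream kyverno checkout rather than in this repository, and the later `Check diff` step (which runs in `policies`) can never observe those edits; the `Test Policy` step above correctly targets `../policies`, so the lint line should presumably read `KYVERNO_EXPERIMENTAL=true go run ./cmd/cli/kubectl-kyverno fix test ../policies --save`. Separately, `./.hack/verify-files-structure.sh` and `./.hack/update-artifacthub-pkg.sh` are invoked from `policies`, but no `.hack/` file appears in this commit's diffstat, so both jobs will fail until those scripts are added or the steps are removed. The `permissions: {}` default and the SHA-pinned actions are the right baseline and should be kept.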
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
new file mode 100644
index 0000000..1230149
--- /dev/null
+++ b/.github/workflows/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/kind.yml b/.github/workflows/kind.yml
new file mode 100644
index 0000000..ce27a28
--- /dev/null
+++ b/.github/workflows/kind.yml
@@ -0,0 +1,36 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+kubeadmConfigPatches:
+ - |-
+ kind: ClusterConfiguration
+ controllerManager:
+ extraArgs:
+ bind-address: 0.0.0.0
+ etcd:
+ local:
+ extraArgs:
+ listen-metrics-urls: http://0.0.0.0:2382
+ scheduler:
+ extraArgs:
+ bind-address: 0.0.0.0
+ - |-
+ kind: KubeProxyConfiguration
+ metricsBindAddress: 0.0.0.0
+nodes:
+ - role: control-plane
+ kubeadmConfigPatches:
+ - |-
+ kind: InitConfiguration
+ nodeRegistration:
+ kubeletExtraArgs:
+ node-labels: "ingress-ready=true"
+ extraPortMappings:
+ - containerPort: 80
+ hostPort: 80
+ protocol: TCP
+ - containerPort: 443
+ hostPort: 443
+ protocol: TCP
+ - role: worker
+ - role: worker
+ - role: worker
\ No newline at end of file
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 0000000..a717ba5
--- /dev/null
+++ b/.github/workflows/test.yaml
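Review bot: This file is created at `.github/workflows/dependabot.yml`, but Dependabot only reads its configuration from `.github/dependabot.yml`; under `workflows/` it is ignored by Dependabot and, because it has no `on:` or `jobs:` keys, GitHub Actions will most likely flag it as an invalid workflow file on every push. Move it to `.github/dependabot.yml` with the content unchanged. Keeping the SHA-pinned actions in the other workflows current is exactly what this config is for, so the `daily` schedule is reasonable.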
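Review bot: The file is created at `.github/workflows/kind.yml`, but the `Create kind cluster` step in test.yaml passes `--config ./.github/kind.yml`, so `kind create cluster` will not find it; it should live at `.github/kind.yml`, which also keeps a kind `Cluster` manifest out of the directory GitHub Actions scans for workflows. The `bind-address: 0.0.0.0`, `listen-metrics-urls: http://0.0.0.0:2382` and `metricsBindAddress: 0.0.0.0` patches expose controller-manager, etcd, scheduler and kube-proxy metrics on every interface of the node containers, which is only acceptable because this cluster is ephemeral inside a CI runner; I would say so above `kubeadmConfigPatches:`, e.g. `# CI-only kind cluster: control-plane metrics are bound to 0.0.0.0; do not reuse this config for a shared cluster`.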
@@ -0,0 +1,112 @@
+name: E2E Tests
+
+permissions: {}
+
+on:
+ workflow_dispatch: {}
+ pull_request:
+ branches:
+ - 'main'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ chainsaw:
+ strategy:
+ fail-fast: false
+ matrix:
+ k8s-version:
+ - name: v1.25
+ version: v1.25.11
+ - name: v1.26
+ version: v1.26.6
+ - name: v1.27
+ version: v1.27.3
+ - name: v1.28
+ version: v1.28.0
+ tests:
+ - ^argo$
+ - ^aws$
+ - ^best-practices$
+ - ^castai$
+ - ^cert-manager$
+ - ^consul$
+ - ^external-secret-operator$
+ - ^flux$
+ - ^istio$
+ - ^karpenter$
+ - ^kasten$
+ - ^kubecost$
+ - ^kubeops$
+ - ^kubevirt$
+ - ^linkerd$
+ - ^nginx-ingress$
+ - ^openshift$
+ - ^other$/^a
+ - ^other$/^[b-d]
+ - ^other$/^[e-l]
+ - ^other$/^[m-q]
+ - ^other$/^re[c-q]
+ - ^other$/^res
+ - ^other$/^[s-z]
+ - ^pod-security$
+ - ^pod-security-cel$
+ - ^psa$
+ - ^psp-migration$
+ # - ^tekton
+ # - ^traefik
+ # - ^velero
+ runs-on: ubuntu-latest
+ name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - name: Setup Go
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ with:
+ go-version: ~1.21.1
+ - name: Install Tools
+ run: |
+ set -e
+ curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl"
+ sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+ - name: Install kind
+ shell: bash
+ run: |
+ set -e
+ # For AMD64 / x86_64
+ [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
+ # For ARM64
+ [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64
+ chmod +x ./kind
+ sudo mv ./kind /usr/local/bin/kind
+ - name: Install latest Kyverno CLI
+ uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
+ - name: Create kind cluster
+ run: |
+ set -e
+ kind 
create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml
+ - name: Install latest kyverno
+ run: |
+ set -e
+ kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
+ - name: Wait for kyverno ready
+ run: |
+ set -e
+ kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
+ - name: Install CRDs
+ run: |
+ set -e
+ kubectl apply -f ./.chainsaw/crds
+ - name: Install Chainsaw
+ uses: kyverno/action-install-chainsaw@56be3cb4ec65a987b6ef4d7ab3a55ee17760a57c # v0.1.2
+ with:
+ release: v0.0.9
+ - name: Test with Chainsaw
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ set -e
+ chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --no-color=false
\ No newline at end of file
diff --git a/docs/policies-validade.md b/docs/policies-validade.md
new file mode 100644
index 0000000..010bd9e
--- /dev/null
+++ b/docs/policies-validade.md
@@ -0,0 +1,2 @@
+Tipo audit
+Tipo enforce
diff --git a/policies/require-resources-limits.yml b/policies/require-resources-limits.yml
new file mode 100644
index 0000000..63f33ce
--- /dev/null
+++ b/policies/require-resources-limits.yml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-resources-limits
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: validate-resources-limits
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Pod {{request.object.metadata.name}} does not have resource limits set"
+ pattern:
+ spec:
+ containers:
+ - name: "*"
+ resources:
+ limits:
+ memory: "?*"
+ cpu: "?*"
diff --git a/tests/kyverno-test.yaml b/tests/kyverno-test.yaml
new file mode 100644
index 0000000..3c600c1
--- /dev/null
+++ b/tests/kyverno-test.yaml
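Review bot: The `Install Tools` and `Install kind` steps download the `kubectl` and `kind` binaries over HTTPS and install them with sudo without verifying a checksum, so a tampered download would run as root on the runner unnoticed; dl.k8s.io publishes a `kubectl.sha256` next to each binary, so after the first curl add `curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl.sha256"` and `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` before the `sudo install`, and verify the kind binary against the checksum published with its GitHub release in the same way. The `Install latest kyverno` step applies `config/install-latest-testing.yaml` from the `main` branch, so the component under test changes from run to run; a tagged ref gives reproducible results. The `tests:` matrix entries (`^argo$`, `^aws$`, …) and the `./.chainsaw/crds` directory correspond to nothing in this commit's diffstat, which adds only `policies/` and `tests/`, so most matrix jobs will presumably run zero tests or fail at `Install CRDs`.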
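Review bot: The `pattern` walks only `spec.containers`, so a Pod whose `initContainers` lack limits is admitted even though the rule is named `validate-resources-limits` and `Enforce` is set; Kyverno's `=()` equality anchor lets the rule cover init containers only when the field is present, without rejecting Pods that have none. `match.resources` is the legacy selector form while `tests/require_labels.yaml` in this same commit uses `match.any`, so the two policies should agree on one form. A `policies.kyverno.io/description` annotation stating that this policy blocks Pod creation cluster-wide would also match what the other policy provides.
```yaml
          spec:
            # … unchanged: containers pattern …
            =(initContainers):
              - name: "*"
                resources:
                  limits:
                    memory: "?*"
                    cpu: "?*"
```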
@@ -0,0 +1,24 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: require-requests-limits
+policies:
+ - ../require-pod-requests-limits.yaml
+resources:
+ - resource.yaml
+results:
+ - kind: Pod
+ policy: require-requests-limits
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ result: fail
+ rule: validate-resources
+ - kind: Pod
+ policy: require-requests-limits
+ resources:
+ - goodpod01
+ - goodpod02
+ result: pass
+ rule: validate-resources
diff --git a/tests/require_labels.yaml b/tests/require_labels.yaml
new file mode 100644
index 0000000..82a58aa
--- /dev/null
+++ b/tests/require_labels.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels
+ annotations:
+ policies.kyverno.io/title: Require Labels
+ policies.kyverno.io/category: Best Practices
+ policies.kyverno.io/minversion: 1.6.0
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod, Label
+ policies.kyverno.io/description: >-
+ Define and use labels that identify semantic attributes of your application or Deployment.
+ A common set of labels allows tools to work collaboratively, describing objects in a common manner that
+ all tools can understand. The recommended labels describe applications in a way that can be
+ queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: check-for-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "The label `app.kubernetes.io/name` is required."
+ pattern:
+ metadata:
+ labels:
+ app: "?*"
diff --git a/tests/resource.yaml b/tests/resource.yaml
new file mode 100644
index 0000000..58dc88b
--- /dev/null
+++ b/tests/resource.yaml
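Review bot: None of the identifiers in this test exist in the commit: `policies:` points at `../require-pod-requests-limits.yaml` (which, relative to `tests/`, is the repository root rather than `policies/`), and `policy: require-requests-limits` and `rule: validate-resources` name nothing, whereas the policy actually added is `policies/require-resources-limits.yml` with `metadata.name: require-resources-limits` and rule `validate-resources-limits`. The lines should read `- ../policies/require-resources-limits.yml`, `policy: require-resources-limits` and `rule: validate-resources-limits` (the latter two in both result entries); note also that ci.yaml runs `kubectl-kyverno test ../policies`, which scans only `policies/`, so a test file under `tests/` is presumably never discovered at all. Once the names match, the expected results need a second look, because `goodpod01` and `goodpod02` in `tests/resource.yaml` set only a memory limit while the policy pattern also requires `limits.cpu`, so as written they would fail rather than pass.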
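Review bot: The `validate.message` and the description annotation say the label `app.kubernetes.io/name` is required, but the `pattern` checks `metadata.labels.app`, so the policy enforces a different label than the one it reports; change the pattern line to `app.kubernetes.io/name: "?*"` (or, if `app` is intended, change the message and description to say so). `validationFailureAction: audit` is lowercase here while `policies/require-resources-limits.yml` uses `Enforce`; Kyverno accepts both spellings, but the capitalised `Audit` is the current form and keeps the two policies consistent. This is a `ClusterPolicy` rather than a `cli.kyverno.io` `Test`, so its placement under `tests/` instead of `policies/` looks unintended.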
@@ -0,0 +1,86 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "0.5"
+ limits:
+ memory: "256Mi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod02
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: busybox
+ image: busybox
+ resources:
+ requests:
+ memory: "50Mi"
+ cpu: "100m"
+ limits:
+ memory: "100Mi"
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "0.5"
+ limits:
+ memory: "256Mi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod02
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "0.5"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod03
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: busybox
+ image: busybox
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "0.5"
+ limits:
+ memory: "256Mi"
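Review bot: `goodpod01` and `goodpod02` declare `limits.memory` but no `limits.cpu`, so they do not satisfy the `cpu: "?*"` requirement in `policies/require-resources-limits.yml` and cannot serve as passing fixtures for it; add `cpu: "0.5"` under each nginx `limits:` block and `cpu: "100m"` under the busybox one. The `badpod*` fixtures cover the useful negatives (no resources at all, requests only, one unlimited container in a multi-container Pod), which is good. The container images are untagged (`nginx`, `busybox`); that is harmless for offline `kyverno test` evaluation, but a comment at the top such as `# Test fixtures for kyverno test only — not meant to be applied to a cluster` would make the intent clear.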