diff --git a/scripts/website/generate.go b/scripts/website/generate.go
index 62496ed03..7749fb7ee 100644
--- a/scripts/website/generate.go
+++ b/scripts/website/generate.go
@@ -10,6 +10,7 @@ import (
"strings"
"gopkg.in/yaml.v3"
+ "k8s.io/utils/strings/slices"
)
const (
@@ -28,6 +29,9 @@ const (
mutationPattern = `(\s*)(type:\s+'category',\s+label:\s+'Mutation',\s+collapsed:\s+true,\s+items:\s*\[\s)(\s*)([^\]]*,)`
)
+// Skip including examples for the following Kinds
+var skipExampleKinds = []string{"AdmissionReview"}
+
// Suite ...
// ToDo (nilekh): Get this struct from the Gatekeeper repo.
type Suite struct {
@@ -140,7 +144,20 @@ func main() {
fmt.Println("error while reading ", testCase.Object)
panic(err)
}
- examples += fmt.Sprintf("\n%s
\n\n```yaml\n%s\n```\n\nUsage\n\n```shell\nkubectl apply -f %s\n```\n\n \n", testCase.Name, exampleContent, exampleRawURL)
+
+ exampleResource := make(map[string]interface{})
+ err = yaml.Unmarshal(exampleContent, &exampleResource)
+ if err != nil {
+ fmt.Printf("error while unmarshaling: %v", exampleRawURL)
+ panic(err)
+ }
+
+ if exampleKind, ok := exampleResource["kind"].(string); !ok {
+ fmt.Printf("error while parsing kind: %v", exampleRawURL)
+ panic(err)
+ } else if !slices.Contains(skipExampleKinds, exampleKind) {
+ examples += fmt.Sprintf("\n%s
\n\n```yaml\n%s\n```\n\nUsage\n\n```shell\nkubectl apply -f %s\n```\n\n \n", testCase.Name, exampleContent, exampleRawURL)
+ }
}
allExamples += fmt.Sprintf("\n%s
\n\n%s\n%s\n\n
", test.Name, constraintExample, examples)
diff --git a/website/docs/validation/allow-privilege-escalation.md b/website/docs/validation/allow-privilege-escalation.md
index 765425505..880f4fee3 100644
--- a/website/docs/validation/allow-privilege-escalation.md
+++ b/website/docs/validation/allow-privilege-escalation.md
@@ -222,37 +222,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-privilege-escalation-disallowed
- labels:
- app: nginx-privilege-escalation
- spec:
- containers:
- - name: nginx
- image: nginx
- securityContext:
- allowPrivilegeEscalation: true
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml
-```
-
diff --git a/website/docs/validation/automount-serviceaccount-token.md b/website/docs/validation/automount-serviceaccount-token.md
index 9876ba1aa..a8a7d03db 100644
--- a/website/docs/validation/automount-serviceaccount-token.md
+++ b/website/docs/validation/automount-serviceaccount-token.md
@@ -161,36 +161,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/example_disallowed.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-automountserviceaccounttoken-update
- labels:
- app: nginx-automountserviceaccounttoken
- spec:
- automountServiceAccountToken: true
- containers:
- - name: nginx
- image: nginx
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml
-```
-
diff --git a/website/docs/validation/capabilities.md b/website/docs/validation/capabilities.md
index bb6d86f4d..33a9430da 100644
--- a/website/docs/validation/capabilities.md
+++ b/website/docs/validation/capabilities.md
@@ -317,46 +317,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/samples/capabilities-demo/disallowed_ephemeral.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: opa-disallowed
- labels:
- owner: me.agilebank.demo
- spec:
- containers:
- - name: opa
- image: openpolicyagent/opa:0.9.2
- args:
- - "run"
- - "--server"
- - "--addr=localhost:8080"
- securityContext:
- capabilities:
- add: ["disallowedcapability"]
- resources:
- limits:
- cpu: "100m"
- memory: "30Mi"
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml
-```
-
diff --git a/website/docs/validation/ephemeralstoragelimit.md b/website/docs/validation/ephemeralstoragelimit.md
index 83e219488..c44abbbe6 100644
--- a/website/docs/validation/ephemeralstoragelimit.md
+++ b/website/docs/validation/ephemeralstoragelimit.md
@@ -471,44 +471,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml
```
-
-
-ephemeral-storage-limit-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: opa-allowed
- labels:
- owner: me.agilebank.demo
- spec:
- containers:
- - name: opa
- image: openpolicyagent/opa:0.9.2
- args:
- - "run"
- - "--server"
- - "--addr=localhost:8080"
- resources:
- limits:
- cpu: "100m"
- memory: "1Gi"
- ephemeral-storage: "1Pi"
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml
-```
-
diff --git a/website/docs/validation/flexvolume-drivers.md b/website/docs/validation/flexvolume-drivers.md
index 04d28cec3..423aa049f 100644
--- a/website/docs/validation/flexvolume-drivers.md
+++ b/website/docs/validation/flexvolume-drivers.md
@@ -184,43 +184,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/example_disallowed.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-flexvolume-driver-disallowed
- labels:
- app: nginx-flexvolume-driver
- spec:
- containers:
- - name: nginx
- image: nginx
- volumeMounts:
- - mountPath: /test
- name: test-volume
- readOnly: true
- volumes:
- - name: test-volume
- flexVolume:
- driver: "example/testdriver" #"example/lvm"
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml
-```
-
diff --git a/website/docs/validation/forbidden-sysctls.md b/website/docs/validation/forbidden-sysctls.md
index 1b5b4a27c..0891bc036 100644
--- a/website/docs/validation/forbidden-sysctls.md
+++ b/website/docs/validation/forbidden-sysctls.md
@@ -208,41 +208,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-forbidden-sysctls-disallowed
- labels:
- app: nginx-forbidden-sysctls
- spec:
- containers:
- - name: nginx
- image: nginx
- securityContext:
- sysctls:
- - name: kernel.msgmax
- value: "65536"
- - name: net.core.somaxconn
- value: "1024"
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml
-```
-
diff --git a/website/docs/validation/fsgroup.md b/website/docs/validation/fsgroup.md
index 6a35e43c0..cc96a5599 100644
--- a/website/docs/validation/fsgroup.md
+++ b/website/docs/validation/fsgroup.md
@@ -216,42 +216,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/fsgroup/samples/psp-fsgroup/example_allowed.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: fsgroup-disallowed
- spec:
- securityContext:
- fsGroup: 2000 # directory will have group ID 2000
- volumes:
- - name: fsgroup-demo-vol
- emptyDir: {}
- containers:
- - name: fsgroup-demo
- image: busybox
- command: [ "sh", "-c", "sleep 1h" ]
- volumeMounts:
- - name: fsgroup-demo-vol
- mountPath: /data/demo
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml
-```
-
diff --git a/website/docs/validation/host-filesystem.md b/website/docs/validation/host-filesystem.md
index cd7430a09..e709f76e8 100644
--- a/website/docs/validation/host-filesystem.md
+++ b/website/docs/validation/host-filesystem.md
@@ -292,43 +292,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/disallowed_ephemeral.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-host-filesystem
- labels:
- app: nginx-host-filesystem-disallowed
- spec:
- containers:
- - name: nginx
- image: nginx
- volumeMounts:
- - mountPath: /cache
- name: cache-volume
- readOnly: true
- volumes:
- - name: cache-volume
- hostPath:
- path: /tmp # directory location on host
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml
-```
-
diff --git a/website/docs/validation/host-namespaces.md b/website/docs/validation/host-namespaces.md
index 0c433062e..26c35ce8c 100644
--- a/website/docs/validation/host-namespaces.md
+++ b/website/docs/validation/host-namespaces.md
@@ -150,37 +150,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/example_disallowed.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-host-namespace-disallowed
- labels:
- app: nginx-host-namespace
- spec:
- hostPID: true
- hostIPC: true
- containers:
- - name: nginx
- image: nginx
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml
-```
-
diff --git a/website/docs/validation/host-network-ports.md b/website/docs/validation/host-network-ports.md
index 373d1ab3f..1debe644c 100644
--- a/website/docs/validation/host-network-ports.md
+++ b/website/docs/validation/host-network-ports.md
@@ -250,39 +250,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/disallowed_ephemeral.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-host-networking-ports-disallowed
- labels:
- app: nginx-host-networking-ports
- spec:
- hostNetwork: true
- containers:
- - name: nginx
- image: nginx
- ports:
- - containerPort: 9001
- hostPort: 9001
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml
-```
-
diff --git a/website/docs/validation/privileged-containers.md b/website/docs/validation/privileged-containers.md
index ef596bbde..fe56c7d8b 100644
--- a/website/docs/validation/privileged-containers.md
+++ b/website/docs/validation/privileged-containers.md
@@ -215,37 +215,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/disallowed_ephemeral.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-privileged-disallowed
- labels:
- app: nginx-privileged
- spec:
- containers:
- - name: nginx
- image: nginx
- securityContext:
- privileged: true
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml
-```
-
diff --git a/website/docs/validation/proc-mount.md b/website/docs/validation/proc-mount.md
index e792ff25b..2fd4cf590 100644
--- a/website/docs/validation/proc-mount.md
+++ b/website/docs/validation/proc-mount.md
@@ -262,37 +262,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/proc-mount/samples/psp-proc-mount/disallowed_ephemeral.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-proc-mount-disallowed
- labels:
- app: nginx-proc-mount
- spec:
- containers:
- - name: nginx
- image: nginx
- securityContext:
- procMount: Unmasked #Default
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml
-```
-
diff --git a/website/docs/validation/read-only-root-filesystem.md b/website/docs/validation/read-only-root-filesystem.md
index cefd32931..f87b6d817 100644
--- a/website/docs/validation/read-only-root-filesystem.md
+++ b/website/docs/validation/read-only-root-filesystem.md
@@ -225,37 +225,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-readonlyrootfilesystem-disallowed
- labels:
- app: nginx-readonlyrootfilesystem
- spec:
- containers:
- - name: nginx
- image: nginx
- securityContext:
- readOnlyRootFilesystem: false
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml
-```
-
diff --git a/website/docs/validation/requiredprobes.md b/website/docs/validation/requiredprobes.md
index 4561c24f7..d9c6ea4cc 100644
--- a/website/docs/validation/requiredprobes.md
+++ b/website/docs/validation/requiredprobes.md
@@ -255,55 +255,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/requiredprobes/samples/must-have-probes/example_disallowed2.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: test-pod1
- spec:
- containers:
- - name: nginx-1
- image: nginx:1.7.9
- ports:
- - containerPort: 80
- livenessProbe:
- # tcpSocket:
- # port: 80
- # initialDelaySeconds: 5
- # periodSeconds: 10
- volumeMounts:
- - mountPath: /tmp/cache
- name: cache-volume
- - name: tomcat
- image: tomcat
- ports:
- - containerPort: 8080
- readinessProbe:
- tcpSocket:
- port: 8080
- initialDelaySeconds: 5
- periodSeconds: 10
- volumes:
- - name: cache-volume
- emptyDir: {}
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/requiredprobes/samples/must-have-probes/update.yaml
-```
-
diff --git a/website/docs/validation/selinux.md b/website/docs/validation/selinux.md
index f44f5588a..3c33766b5 100644
--- a/website/docs/validation/selinux.md
+++ b/website/docs/validation/selinux.md
@@ -284,41 +284,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/selinux/samples/psp-selinux-v2/disallowed_ephemeral.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-selinux-disallowed
- labels:
- app: nginx-selinux
- spec:
- containers:
- - name: nginx
- image: nginx
- securityContext:
- seLinuxOptions:
- level: s1:c234,c567
- user: sysadm_u
- role: sysadm_r
- type: svirt_lxc_net_t
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml
-```
-
diff --git a/website/docs/validation/users.md b/website/docs/validation/users.md
index 69d592ca8..0b1ddfb77 100644
--- a/website/docs/validation/users.md
+++ b/website/docs/validation/users.md
@@ -450,42 +450,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-users-disallowed
- labels:
- app: nginx-users
- spec:
- securityContext:
- supplementalGroups:
- - 250
- fsGroup: 250
- containers:
- - name: nginx
- image: nginx
- securityContext:
- runAsUser: 250
- runAsGroup: 250
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml
-```
-
diff --git a/website/docs/validation/volumes.md b/website/docs/validation/volumes.md
index b2ed0f55d..f2b8042bd 100644
--- a/website/docs/validation/volumes.md
+++ b/website/docs/validation/volumes.md
@@ -194,49 +194,6 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/volumes/samples/psp-volume-types/example_allowed.yaml
```
-
-
-update
-
-```yaml
-kind: AdmissionReview
-apiVersion: admission.k8s.io/v1beta1
-request:
- operation: "UPDATE"
- object:
- apiVersion: v1
- kind: Pod
- metadata:
- name: nginx-volume-types-disallowed
- labels:
- app: nginx-volume-types
- spec:
- containers:
- - name: nginx
- image: nginx
- volumeMounts:
- - mountPath: /cache
- name: cache-volume
- - name: nginx2
- image: nginx
- volumeMounts:
- - mountPath: /cache2
- name: demo-vol
- volumes:
- - name: cache-volume
- hostPath:
- path: /tmp # directory location on host
- - name: demo-vol
- emptyDir: {}
-
-```
-
-Usage
-
-```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml
-```
-