feat: update template and CI to requires-sync-data (#355)
Signed-off-by: Andrew Peabody <andrewpeabody@google.com>
Showing 85 changed files with 1,552 additions and 32 deletions.
artifacthub/library/general/horizontalpodautoscaler/1.0.1/artifacthub-pkg.yml (22 changes: 22 additions & 0 deletions)
@@ -0,0 +1,22 @@ | ||
version: 1.0.1 | ||
name: k8shorizontalpodautoscaler | ||
displayName: Horizontal Pod Autoscaler | ||
createdAt: "2023-06-12T20:47:46Z" | ||
description: Disallow the following scenarios when deploying `HorizontalPodAutoscalers` 1. Deployment of HorizontalPodAutoscalers with `.spec.minReplicas` or `.spec.maxReplicas` outside the ranges defined in the constraint 2. Deployment of HorizontalPodAutoscalers where the difference between `.spec.minReplicas` and `.spec.maxReplicas` is less than the configured `minimumReplicaSpread` 3. Deployment of HorizontalPodAutoscalers that do not reference a valid `scaleTargetRef` (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet). | ||
digest: 6ad69d08a3b11e856a1366f8dcdb370ca05ab83d8278d0e0df9698fd8b973e72 | ||
license: Apache-2.0 | ||
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/horizontalpodautoscaler | ||
keywords: | ||
- gatekeeper | ||
- open-policy-agent | ||
- policies | ||
readme: |- | ||
# Horizontal Pod Autoscaler | ||
Disallow the following scenarios when deploying `HorizontalPodAutoscalers` 1. Deployment of HorizontalPodAutoscalers with `.spec.minReplicas` or `.spec.maxReplicas` outside the ranges defined in the constraint 2. Deployment of HorizontalPodAutoscalers where the difference between `.spec.minReplicas` and `.spec.maxReplicas` is less than the configured `minimumReplicaSpread` 3. Deployment of HorizontalPodAutoscalers that do not reference a valid `scaleTargetRef` (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet). | ||
install: |- | ||
### Usage | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/horizontalpodautoscaler/1.0.1/template.yaml | ||
``` | ||
provider: | ||
name: Gatekeeper Library |
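Review bot: the `description:` and `readme:` values on the lines beginning `description: Disallow the following scenarios` and `Disallow the following scenarios` run the three numbered items together on a single line (`` `HorizontalPodAutoscalers` 1. Deployment of ... 2. Deployment of ... 3. Deployment of ... ``), so Artifact Hub will render them as one run-on sentence instead of a list. If this file is generated from `template.yaml`, as the versioned directory suggests, the cause is the template's `description: >-` folded scalar, which joins the item lines with spaces; a literal block (`|-`) or blank lines between the items in the template would preserve the line breaks here too.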
artifacthub/library/general/horizontalpodautoscaler/1.0.1/kustomization.yaml (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
...ary/general/horizontalpodautoscaler/1.0.1/samples/horizontalpodautoscaler/constraint.yaml (16 changes: 16 additions & 0 deletions)
@@ -0,0 +1,16 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sHorizontalPodAutoscaler | ||
metadata: | ||
name: horizontal-pod-autoscaler | ||
spec: | ||
enforcementAction: deny | ||
match: | ||
kinds: | ||
- apiGroups: ["autoscaling"] | ||
kinds: ["HorizontalPodAutoscaler"] | ||
parameters: | ||
minimumReplicaSpread: 1 | ||
enforceScaleTargetRef: true | ||
ranges: | ||
- min_replicas: 3 | ||
max_replicas: 6 |
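Review bot: `enforceScaleTargetRef: true` in this sample only behaves as intended once the `Config` from `sync.yaml` has populated `data.inventory` with Deployments and StatefulSets; with no sync data the template's inventory lookup is undefined for every HPA, so this constraint with `enforcementAction: deny` would reject all HPAs, including the allowed sample. A comment in the sample (or a sentence in the readme) that the sync config must be applied first would avoid that surprise, and the `enforcementAction: deny` line can be dropped since `deny` is Gatekeeper's default.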
...al/horizontalpodautoscaler/1.0.1/samples/horizontalpodautoscaler/example_allowed_hpa.yaml (19 changes: 19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
apiVersion: autoscaling/v2 | ||
kind: HorizontalPodAutoscaler | ||
metadata: | ||
name: nginx-hpa-allowed | ||
namespace: default | ||
spec: | ||
minReplicas: 3 | ||
maxReplicas: 6 | ||
metrics: | ||
- resource: | ||
name: cpu | ||
target: | ||
averageUtilization: 900 | ||
type: Utilization | ||
type: Resource | ||
scaleTargetRef: | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
name: nginx-deployment |
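Review bot: `averageUtilization: 900` on the line `averageUtilization: 900 | ||` is a 900% CPU target, which reads like a typo for `90`; the policy does not evaluate metrics, so the tests are unaffected, but the same value is repeated in all four HPA samples and these files get copied verbatim. Suggest `90` across the samples.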
...lpodautoscaler/1.0.1/samples/horizontalpodautoscaler/example_disallowed_hpa_replicas.yaml (19 changes: 19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
apiVersion: autoscaling/v2 | ||
kind: HorizontalPodAutoscaler | ||
metadata: | ||
name: nginx-hpa-disallowed-replicas | ||
namespace: default | ||
spec: | ||
minReplicas: 2 | ||
maxReplicas: 7 | ||
metrics: | ||
- resource: | ||
name: cpu | ||
target: | ||
averageUtilization: 900 | ||
type: Utilization | ||
type: Resource | ||
scaleTargetRef: | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
name: nginx-deployment |
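Review bot: `minReplicas: 2` and `maxReplicas: 7` put both bounds outside the constraint's 3..6 range at once, so this case cannot distinguish whether `range.min_replicas <= min_provided` or `range.max_replicas >= max_provided` in `value_within_range` is the comparison that failed. A second case with only one bound out of range (for example `minReplicas: 3`, `maxReplicas: 7`, which still satisfies the spread of 1) would exercise each comparison on its own.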
...utoscaler/1.0.1/samples/horizontalpodautoscaler/example_disallowed_hpa_replicaspread.yaml (19 changes: 19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
apiVersion: autoscaling/v2 | ||
kind: HorizontalPodAutoscaler | ||
metadata: | ||
name: nginx-hpa-disallowed-replicaspread | ||
namespace: default | ||
spec: | ||
minReplicas: 4 | ||
maxReplicas: 4 | ||
metrics: | ||
- resource: | ||
name: cpu | ||
target: | ||
averageUtilization: 900 | ||
type: Utilization | ||
type: Resource | ||
scaleTargetRef: | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
name: nginx-deployment |
...dautoscaler/1.0.1/samples/horizontalpodautoscaler/example_disallowed_hpa_scaletarget.yaml (19 changes: 19 additions & 0 deletions)
@@ -0,0 +1,19 @@ | ||
apiVersion: autoscaling/v2 | ||
kind: HorizontalPodAutoscaler | ||
metadata: | ||
name: nginx-hpa-disallowed-scaletarget | ||
namespace: default | ||
spec: | ||
minReplicas: 3 | ||
maxReplicas: 6 | ||
metrics: | ||
- resource: | ||
name: cpu | ||
target: | ||
averageUtilization: 900 | ||
type: Utilization | ||
type: Resource | ||
scaleTargetRef: | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
name: nginx-deployment-missing |
...eral/horizontalpodautoscaler/1.0.1/samples/horizontalpodautoscaler/example_inventory.yaml (24 changes: 24 additions & 0 deletions)
@@ -0,0 +1,24 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: nginx-deployment | ||
namespace: default | ||
labels: | ||
app: nginx | ||
spec: | ||
replicas: 3 | ||
selector: | ||
matchLabels: | ||
app: nginx | ||
example: allowed-deployment | ||
template: | ||
metadata: | ||
labels: | ||
app: nginx | ||
example: allowed-deployment | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx:1.14.2 | ||
ports: | ||
- containerPort: 80 |
artifacthub/library/general/horizontalpodautoscaler/1.0.1/suite.yaml (33 changes: 33 additions & 0 deletions)
@@ -0,0 +1,33 @@ | ||
kind: Suite | ||
apiVersion: test.gatekeeper.sh/v1alpha1 | ||
metadata: | ||
name: horizontalpodautoscaler | ||
tests: | ||
- name: horizontal-pod-autoscaler | ||
template: template.yaml | ||
constraint: samples/horizontalpodautoscaler/constraint.yaml | ||
cases: | ||
- name: example-allowed-hpa | ||
object: samples/horizontalpodautoscaler/example_allowed_hpa.yaml | ||
inventory: | ||
- samples/horizontalpodautoscaler/example_inventory.yaml | ||
assertions: | ||
- violations: no | ||
- name: example-disallowed-hpa-replicas | ||
object: samples/horizontalpodautoscaler/example_disallowed_hpa_replicas.yaml | ||
inventory: | ||
- samples/horizontalpodautoscaler/example_inventory.yaml | ||
assertions: | ||
- violations: yes | ||
- name: example-disallowed-hpa-replicaspread | ||
object: samples/horizontalpodautoscaler/example_disallowed_hpa_replicaspread.yaml | ||
inventory: | ||
- samples/horizontalpodautoscaler/example_inventory.yaml | ||
assertions: | ||
- violations: yes | ||
- name: example-disallowed-scaletarget | ||
object: samples/horizontalpodautoscaler/example_disallowed_hpa_scaletarget.yaml | ||
inventory: | ||
- samples/horizontalpodautoscaler/example_inventory.yaml | ||
assertions: | ||
- violations: yes |
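Review bot: the case name on the line `- name: example-disallowed-scaletarget` drops the `hpa` that the other three case names and its own object file (`example_disallowed_hpa_scaletarget.yaml`) carry; rename it `example-disallowed-hpa-scaletarget` for consistency. Also, each disallowed case asserts only `violations: yes`, but the template has three independent violation rules, so a case would still pass if the wrong rule fired; adding a `message:` assertion alongside `violations` in each case (for example a substring of the rule's `msg`) would pin each sample to the rule it is meant to exercise.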
artifacthub/library/general/horizontalpodautoscaler/1.0.1/sync.yaml (14 changes: 14 additions & 0 deletions)
@@ -0,0 +1,14 @@ | ||
apiVersion: config.gatekeeper.sh/v1alpha1 | ||
kind: Config | ||
metadata: | ||
name: config | ||
namespace: "gatekeeper-system" | ||
spec: | ||
sync: | ||
syncOnly: | ||
- group: "apps" | ||
version: "v1" | ||
kind: "Deployment" | ||
- group: "apps" | ||
version: "v1" | ||
kind: "StatefulSet" |
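Review bot: `syncOnly` lists only `apps/v1` Deployment and StatefulSet, while the template description says a valid `scaleTargetRef` may also be a ReplicationController or ReplicaSet; with `enforceScaleTargetRef: true`, an HPA that targets an existing ReplicaSet would be denied because that kind is never present in `data.inventory`. Either add those GVKs here and in the template's `requires-sync-data` annotation, or narrow the description to the kinds that are actually synced. Note too that this `Config` uses the fixed name `config` in `gatekeeper-system`, so applying it replaces any sync configuration a cluster already has rather than merging with it; that is worth calling out in the readme next to the `kubectl apply` line.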
artifacthub/library/general/horizontalpodautoscaler/1.0.1/template.yaml (102 changes: 102 additions & 0 deletions)
@@ -0,0 +1,102 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8shorizontalpodautoscaler | ||
annotations: | ||
metadata.gatekeeper.sh/title: "Horizontal Pod Autoscaler" | ||
metadata.gatekeeper.sh/version: 1.0.1 | ||
metadata.gatekeeper.sh/requires-sync-data: | | ||
"[ | ||
[ | ||
{ | ||
"groups":["apps"], | ||
"versions": ["v1"], | ||
"kinds": ["Deployment"] | ||
}, | ||
{ | ||
"groups":["apps"], | ||
"versions": ["v1"], | ||
"kinds": ["StatefulSet"] | ||
} | ||
] | ||
]" | ||
description: >- | ||
Disallow the following scenarios when deploying `HorizontalPodAutoscalers` | ||
1. Deployment of HorizontalPodAutoscalers with `.spec.minReplicas` or `.spec.maxReplicas` outside the ranges defined in the constraint | ||
2. Deployment of HorizontalPodAutoscalers where the difference between `.spec.minReplicas` and `.spec.maxReplicas` is less than the configured `minimumReplicaSpread` | ||
3. Deployment of HorizontalPodAutoscalers that do not reference a valid `scaleTargetRef` (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet). | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sHorizontalPodAutoscaler | ||
validation: | ||
# Schema for the `parameters` field | ||
openAPIV3Schema: | ||
type: object | ||
properties: | ||
enforceScaleTargetRef: | ||
description: If set to true it validates the HPA scaleTargetRef exists | ||
type: boolean | ||
minimumReplicaSpread: | ||
description: If configured it enforces the minReplicas and maxReplicas in an HPA must have a spread of at least this many replicas | ||
type: integer | ||
ranges: | ||
type: array | ||
description: Allowed ranges for numbers of replicas. Values are inclusive. | ||
items: | ||
type: object | ||
description: A range of allowed replicas. Values are inclusive. | ||
properties: | ||
min_replicas: | ||
description: The minimum number of replicas allowed, inclusive. | ||
type: integer | ||
max_replicas: | ||
description: The maximum number of replicas allowed, inclusive. | ||
type: integer | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
rego: | | ||
package k8shorizontalpodautoscaler | ||
violation[{"msg": msg}] { | ||
input.review.kind.kind == "HorizontalPodAutoscaler" | ||
hpa := input.review.object | ||
not input_replica_limit(hpa) | ||
msg := sprintf("The %v <%v> minReplicas %v or maxReplicas %v is not allowed: %v. Allowed ranges: %v", [hpa.kind, hpa.metadata.name, hpa.spec.minReplicas, hpa.spec.maxReplicas, input.parameters.ranges]) | ||
} | ||
violation[{"msg": msg}] { | ||
input.review.kind.kind == "HorizontalPodAutoscaler" | ||
hpa := input.review.object | ||
not input_replica_spread(hpa) | ||
msg := sprintf("The %v <%v> is configured with minReplicas %v and maxReplicas %v which is a spread of %v replica(s). The spread must be at least %v replica(s)", [hpa.kind, hpa.metadata.name, hpa.spec.minReplicas, hpa.spec.maxReplicas, hpa.spec.maxReplicas - hpa.spec.minReplicas, input.parameters.minimumReplicaSpread]) | ||
} | ||
violation[{"msg": msg}] { | ||
input.review.kind.kind == "HorizontalPodAutoscaler" | ||
hpa := input.review.object | ||
input.parameters.enforceScaleTargetRef | ||
not data.inventory.namespace[hpa.metadata.namespace][hpa.spec.scaleTargetRef.apiVersion][hpa.spec.scaleTargetRef.kind][hpa.spec.scaleTargetRef.name] | ||
msg := sprintf("The HorizontalPodAutoscaler <%v> has a scaleTargetRef of <%v/%v> but it does not exist. The scaleTargetRef for the HorizontalPodAutoscaler must exist", [hpa.metadata.name, hpa.spec.scaleTargetRef.kind, hpa.spec.scaleTargetRef.name]) | ||
} | ||
input_replica_limit(hpa) { | ||
count(input.parameters.ranges) > 0 | ||
range := input.parameters.ranges[_] | ||
value_within_range(range, hpa.spec.minReplicas, hpa.spec.maxReplicas) | ||
} | ||
value_within_range(range, min_provided, max_provided) { | ||
range.min_replicas <= min_provided | ||
range.max_replicas >= max_provided | ||
} | ||
input_replica_spread(hpa) { | ||
input.parameters.minimumReplicaSpread | ||
(hpa.spec.maxReplicas - hpa.spec.minReplicas) >= input.parameters.minimumReplicaSpread | ||
} |
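Review bot: the ranges and spread rules dereference `hpa.spec.minReplicas` directly (in `input_replica_limit`, `input_replica_spread` and both `sprintf` calls), but `minReplicas` is optional in the HPA API; when it is absent, those expressions are undefined, both helper rules fail, and the `msg` assignment is undefined as well, so neither violation fires and the object passes silently. The API server defaults it to 1 before admission, but audit of stored objects and offline `gator` runs see whatever is in the object, so reading it through `object.get(hpa.spec, "minReplicas", 1)` would make the rules hold in both paths. Two smaller points: the `description: >-` folded scalar on the line `description: >- | ||` joins the three numbered items into one line in every generated artifact (a `|-` literal block keeps them separate), and the `requires-sync-data` annotation places Deployment and StatefulSet in one inner array; if the inner array denotes alternatives (any one GVK satisfies the requirement) they should be separate outer entries, since the scaleTargetRef rule needs both kinds synced.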
artifacthub/library/general/poddisruptionbudget/1.0.3/artifacthub-pkg.yml (25 changes: 25 additions & 0 deletions)
@@ -0,0 +1,25 @@ | ||
version: 1.0.3 | ||
name: k8spoddisruptionbudget | ||
displayName: Pod Disruption Budget | ||
createdAt: "2023-06-12T20:47:47Z" | ||
description: |- | ||
Disallow the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment of PodDisruptionBudgets with .spec.maxUnavailable == 0 2. Deployment of PodDisruptionBudgets with .spec.minAvailable == .spec.replicas of the resource with replica subresource This will prevent PodDisruptionBudgets from blocking voluntary disruptions such as node draining. | ||
https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | ||
digest: b5f0b45b6b1894cf43f6b40970557afb9549b6541760c9481bc8acfc3c572815 | ||
license: Apache-2.0 | ||
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/poddisruptionbudget | ||
keywords: | ||
- gatekeeper | ||
- open-policy-agent | ||
- policies | ||
readme: |- | ||
# Pod Disruption Budget | ||
Disallow the following scenarios when deploying PodDisruptionBudgets or resources that implement the replica subresource (e.g. Deployment, ReplicationController, ReplicaSet, StatefulSet): 1. Deployment of PodDisruptionBudgets with .spec.maxUnavailable == 0 2. Deployment of PodDisruptionBudgets with .spec.minAvailable == .spec.replicas of the resource with replica subresource This will prevent PodDisruptionBudgets from blocking voluntary disruptions such as node draining. | ||
https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | ||
install: |- | ||
### Usage | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/poddisruptionbudget/1.0.3/template.yaml | ||
``` | ||
provider: | ||
name: Gatekeeper Library |
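Review bot: the `description:` and `readme:` blocks on the lines beginning `Disallow the following scenarios when deploying PodDisruptionBudgets` again run the two numbered items and the closing sentence together on one line, so the list will not render; here the block is already `|-`, so the run-on is in the source text itself and the items need their own lines (with the kubernetes.io URL kept on its own line as it is now).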
artifacthub/library/general/poddisruptionbudget/1.0.3/kustomization.yaml (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
resources: | ||
- template.yaml |
...hub/library/general/poddisruptionbudget/1.0.3/samples/poddisruptionbudget/constraint.yaml (13 changes: 13 additions & 0 deletions)
@@ -0,0 +1,13 @@ | ||
apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
kind: K8sPodDisruptionBudget | ||
metadata: | ||
name: pod-distruption-budget | ||
spec: | ||
match: | ||
kinds: | ||
- apiGroups: ["apps"] | ||
kinds: ["Deployment", "ReplicaSet", "StatefulSet"] | ||
- apiGroups: ["policy"] | ||
kinds: ["PodDisruptionBudget"] | ||
- apiGroups: [""] | ||
kinds: ["ReplicationController"] |
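Review bot: the constraint name on the line `name: pod-distruption-budget` is misspelled (`distruption`); rename it `pod-disruption-budget` before this sample is copied into user clusters, since constraint names show up in audit results and violation messages.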
...al/poddisruptionbudget/1.0.3/samples/poddisruptionbudget/example_allowed_deployment1.yaml (24 changes: 24 additions & 0 deletions)
@@ -0,0 +1,24 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: nginx-deployment-allowed-1 | ||
namespace: default | ||
labels: | ||
app: nginx | ||
spec: | ||
replicas: 3 | ||
selector: | ||
matchLabels: | ||
app: nginx | ||
example: allowed-deployment-1 | ||
template: | ||
metadata: | ||
labels: | ||
app: nginx | ||
example: allowed-deployment-1 | ||
spec: | ||
containers: | ||
- name: nginx | ||
image: nginx:1.14.2 | ||
ports: | ||
- containerPort: 80 |