From d3f3c6ce53536c5f585baa5c756b06642e969ff1 Mon Sep 17 00:00:00 2001 
From: Paul Krizak
Date: Wed, 25 Oct 2023 20:05:21 -0700
Subject: [PATCH] Update replicalimits source template and rego to version 1.1.0
---
.../replicalimits/1.1.0/artifacthub-pkg.yml | 22 +++++++
.../replicalimits/1.1.0/kustomization.yaml | 2 +
.../samples/replicalimits/constraint.yaml | 15 +++++
.../replicalimits/example_allowed.yaml | 19 ++++++
.../replicalimits/example_disallowed.yaml | 19 ++++++
.../replicalimits/example_scale_allowed.yaml | 6 ++
.../example_scale_disallowed.yaml | 6 ++
.../replicalimits_zero/constraint.yaml | 15 +++++
.../replicalimits_zero/example_allowed.yaml | 19 ++++++
.../example_disallowed.yaml | 19 ++++++
.../example_scale_allowed.yaml | 7 +++
.../example_scale_disallowed.yaml | 6 ++
.../general/replicalimits/1.1.0/suite.yaml | 45 ++++++++++++++
.../general/replicalimits/1.1.0/template.yaml | 58 +++++++++++++++++++
src/general/replicalimits/constraint.tmpl | 2 +-
src/general/replicalimits/src.rego | 2 +-
website/docs/validation/replicalimits.md | 2 +-
17 files changed, 261 insertions(+), 3 deletions(-)
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml
create mode 100644
artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/suite.yaml
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/template.yaml
diff --git a/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml b/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml
new file mode 100644
index 000000000..f2b629923
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8sreplicalimits
+displayName: Replica Limits
+createdAt: "2023-10-26T03:04:07Z"
+description: Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges.
+digest: 30c15576b26d9b879d5c2486f72478a36e39404510117734cb11f8570a2285a7
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/replicalimits
+keywords:
+ - gatekeeper
+ - open-policy-agent
+ - policies
+readme: |-
+ # Replica Limits
+ Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges.
+install: |-
+ ### Usage
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/replicalimits/1.1.0/template.yaml
+ ```
+provider:
+ name: Gatekeeper Library
diff --git a/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml b/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml
new file mode 100644
index 000000000..7d70d11b7
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - template.yaml
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml
new file mode 100644
index 000000000..db3488afe
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sReplicaLimits
+metadata:
+ name: replica-limits
+spec:
+ match:
+ kinds:
+ - apiGroups: ["apps"]
+ kinds: ["Deployment"]
+ - apiGroups: ["autoscaling"]
+ kinds: ["Scale"]
+ parameters:
+ ranges:
+ - min_replicas: 3
+ max_replicas: 50
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml
new file mode 100644
index 000000000..f5a2b1d8c
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: allowed-deployment
+spec:
+ selector:
+ matchLabels:
+ app: nginx
+ replicas: 3
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml
new file mode 100644
index 000000000..1c4899d20
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: disallowed-deployment
+spec:
+ selector:
+ matchLabels:
+ app: nginx
+ replicas: 100
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml
new file mode 100644
index 000000000..4ec230bd3
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml
@@ -0,0 +1,6 @@
+apiVersion: autoscaling/v1
+kind: Scale
+metadata:
+ name: allowed-deployment
+spec:
+ replicas: 3
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml
new file mode 100644
index 000000000..7baf42c62
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml
@@ -0,0 +1,6 @@
+apiVersion: autoscaling/v1
+kind: Scale
+metadata:
+ name: allowed-deployment
+spec:
+ replicas: 100
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml
new file mode 100644
index 000000000..28f0b6d09
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sReplicaLimits
+metadata:
+ name: replica-limits
+spec:
+ match:
+ kinds:
+ - apiGroups: ["apps"]
+ kinds: ["Deployment"]
+ - apiGroups: ["autoscaling"]
+ kinds: ["Scale"]
+ parameters:
+ ranges:
+ - min_replicas: 0
+ max_replicas: 50
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml
new file mode 100644
index 000000000..ac33574d9
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: allowed-deployment
+spec:
+ selector:
+ matchLabels:
+ app: nginx
+ replicas: 0
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml
new file mode 100644
index 000000000..1c4899d20
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: disallowed-deployment
+spec:
+ selector:
+ matchLabels:
+ app: nginx
+ replicas: 100
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml
new file mode 100644
index 000000000..55cef478b
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml
@@ -0,0 +1,7 @@
+apiVersion: autoscaling/v1
+kind: Scale
+metadata:
+ name: allowed-deployment
+# kubectl scale deploy --replicas=0 creates a Scale
+# resource with an empty spec, not replicas:0
+spec: {}
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml
new file mode 100644
index 000000000..7baf42c62
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml
@@ -0,0 +1,6 @@
+apiVersion: autoscaling/v1
+kind: Scale
+metadata:
+ name: allowed-deployment
+spec:
+ replicas: 100
diff --git a/artifacthub/library/general/replicalimits/1.1.0/suite.yaml b/artifacthub/library/general/replicalimits/1.1.0/suite.yaml
new file mode 100644
index 000000000..5790e3add
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/suite.yaml
@@ -0,0 +1,45 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: replicalimits
+tests:
+- name: replica-limit
+ template: template.yaml
+ constraint: samples/replicalimits/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/replicalimits/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-scale-allowed
+ object: samples/replicalimits/example_scale_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/replicalimits/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-scale-disallowed
+ object: samples/replicalimits/example_scale_disallowed.yaml
+ assertions:
+ - violations: yes
+- name: replica-limit-zero
+ template: template.yaml
+ constraint: samples/replicalimits_zero/constraint.yaml
+ cases:
+ - name: example-allowed
+ object: samples/replicalimits_zero/example_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-scale-allowed
+ object: samples/replicalimits_zero/example_scale_allowed.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed
+ object: samples/replicalimits_zero/example_disallowed.yaml
+ assertions:
+ - violations: yes
+ - name: example-scale-disallowed
+ object: samples/replicalimits_zero/example_scale_disallowed.yaml
+ assertions:
+ - violations: yes
diff --git a/artifacthub/library/general/replicalimits/1.1.0/template.yaml b/artifacthub/library/general/replicalimits/1.1.0/template.yaml
new file mode 100644
index 000000000..4fee9e4ea
--- /dev/null
+++ b/artifacthub/library/general/replicalimits/1.1.0/template.yaml
@@ -0,0 +1,58 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8sreplicalimits
+ annotations:
+ metadata.gatekeeper.sh/title: "Replica Limits"
+ metadata.gatekeeper.sh/version: 1.1.0
+ description: >-
+ Requires that objects with the field `spec.replicas` (Deployments,
+ ReplicaSets, etc.) specify a number of replicas within defined ranges.
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sReplicaLimits
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ properties:
+ ranges:
+ type: array
+ description: Allowed ranges for numbers of replicas. Values are inclusive.
+ items:
+ type: object
+ description: A range of allowed replicas. Values are inclusive.
+ properties:
+ min_replicas:
+ description: The minimum number of replicas allowed, inclusive.
+ type: integer
+ max_replicas:
+ description: The maximum number of replicas allowed, inclusive.
+ type: integer
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8sreplicalimits
+
+ object_name = input.review.object.metadata.name
+ object_kind = input.review.kind.kind
+
+ violation[{"msg": msg}] {
+ spec := input.review.object.spec
+ not input_replica_limit(spec)
+ msg := sprintf("The provided number of replicas is not allowed for %v: %v. Allowed ranges: %v", [object_kind, object_name, input.parameters])
+ }
+
+ input_replica_limit(spec) {
+ provided := object.get(spec, "replicas", 0)
+ count(input.parameters.ranges) > 0
+ range := input.parameters.ranges[_]
+ value_within_range(range, provided)
+ }
+
+ value_within_range(range, value) {
+ range.min_replicas <= value
+ range.max_replicas >= value
+ }
diff --git a/src/general/replicalimits/constraint.tmpl b/src/general/replicalimits/constraint.tmpl
index 2b4dc9183..657a3b528 100644
--- a/src/general/replicalimits/constraint.tmpl
+++ b/src/general/replicalimits/constraint.tmpl
@@ -4,7 +4,7 @@ metadata:
 name: k8sreplicalimits
 annotations:
 metadata.gatekeeper.sh/title: "Replica Limits"
- metadata.gatekeeper.sh/version: 1.0.1
+ metadata.gatekeeper.sh/version: 1.1.0
 description: >-
 Requires that objects with the field `spec.replicas` (Deployments,
 ReplicaSets, etc.) specify a number of replicas within defined ranges.
diff --git a/src/general/replicalimits/src.rego b/src/general/replicalimits/src.rego
index 796000da2..4a2666d71 100644
--- a/src/general/replicalimits/src.rego
+++ b/src/general/replicalimits/src.rego
@@ -10,7 +10,7 @@ violation[{"msg": msg}] {
 }
 input_replica_limit(spec) {
- provided := input.review.object.spec.replicas
+ provided := object.get(spec, "replicas", 0)
 count(input.parameters.ranges) > 0
 range := input.parameters.ranges[_]
 value_within_range(range, provided)
diff --git a/website/docs/validation/replicalimits.md b/website/docs/validation/replicalimits.md
index 01eba9683..343e99059 100644
--- a/website/docs/validation/replicalimits.md
+++ b/website/docs/validation/replicalimits.md
@@ -16,7 +16,7 @@ metadata:
 name: k8sreplicalimits
 annotations:
 metadata.gatekeeper.sh/title: "Replica Limits"
- metadata.gatekeeper.sh/version: 1.0.1
+ metadata.gatekeeper.sh/version: 1.1.0
 description: >-
 Requires that objects with the field `spec.replicas` (Deployments,
 ReplicaSets, etc.) specify a number of replicas within defined ranges.
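Review bot: `provided := object.get(spec, "replicas", 0)` in src.rego makes an absent `spec.replicas` evaluate as zero, but the rule carries no comment saying why; the rationale lives only in the sample comment that `kubectl scale --replicas=0` submits a Scale whose spec omits the field, so I would add above the assignment `# an absent spec.replicas counts as 0 (kubectl scale --replicas=0 sends a Scale with an empty spec)`. For kinds whose API-server default for an omitted replicas field is not zero (apps/v1 Deployment defaults it to 1, as far as I know), an object that reaches the policy with the field absent is judged as 0 replicas rather than its effective count, so a range that admits 0 but not 1 would let it through; that divergence belongs in the parameter description. The suite only exercises an empty-spec Scale against a range that admits 0, so a case pairing an empty-spec Scale with the `min_replicas: 3` constraint and asserting a violation would pin the deny side of the new default. The `input_replica_limit` rule's closing brace is outside the hunk.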