Add missing build artifacts

Signed-off-by: Paul Krizak <paul.krizak@gmail.com>
open-policy-agent · Oct 27, 2023 · f1d9328 · f1d9328
1 parent 33b39e1
commit f1d9328
Show file tree

Hide file tree

Showing 15 changed files with 442 additions and 0 deletions.
diff --git a/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml b/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8sreplicalimits
+displayName: Replica Limits
+createdAt: "2023-10-27T22:42:28Z"
+description: Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges.
+digest: 30c15576b26d9b879d5c2486f72478a36e39404510117734cb11f8570a2285a7
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/replicalimits
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Replica Limits
+    Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/replicalimits/1.1.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library
diff --git a/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml b/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sReplicaLimits
+metadata:
+  name: replica-limits
+spec:
+  match:
+    kinds:
+      - apiGroups: ["apps"]
+        kinds: ["Deployment"]
+      - apiGroups: ["autoscaling"]
+        kinds: ["Scale"]
+  parameters:
+    ranges:
+    - min_replicas: 3
+      max_replicas: 50
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: allowed-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  replicas: 3
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
diff --git a/...facthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml b/...facthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: disallowed-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  replicas: 100
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
diff --git a/...thub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml b/...thub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml
@@ -0,0 +1,6 @@
+apiVersion: autoscaling/v1
+kind: Scale
+metadata:
+  name: allowed-deployment
+spec:
+  replicas: 3
diff --git a/...b/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml b/...b/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml
@@ -0,0 +1,6 @@
+apiVersion: autoscaling/v1
+kind: Scale
+metadata:
+  name: allowed-deployment
+spec:
+  replicas: 100
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sReplicaLimits
+metadata:
+  name: replica-limits
+spec:
+  match:
+    kinds:
+      - apiGroups: ["apps"]
+        kinds: ["Deployment"]
+      - apiGroups: ["autoscaling"]
+        kinds: ["Scale"]
+  parameters:
+    ranges:
+    - min_replicas: 0
+      max_replicas: 50
diff --git a/...cthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml b/...cthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: allowed-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  replicas: 0
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
diff --git a/...ub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml b/...ub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: disallowed-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  replicas: 100
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
diff --git a/...library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml b/...library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml
@@ -0,0 +1,7 @@
+apiVersion: autoscaling/v1
+kind: Scale
+metadata:
+  name: allowed-deployment
+# kubectl scale deploy <name> --replicas=0 creates a Scale
+# resource with an empty spec, not replicas:0
+spec: {}
diff --git a/...rary/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml b/...rary/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml
@@ -0,0 +1,6 @@
+apiVersion: autoscaling/v1
+kind: Scale
+metadata:
+  name: allowed-deployment
+spec:
+  replicas: 100
diff --git a/artifacthub/library/general/replicalimits/1.1.0/suite.yaml b/artifacthub/library/general/replicalimits/1.1.0/suite.yaml
@@ -0,0 +1,45 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: replicalimits
+tests:
+- name: replica-limit
+  template: template.yaml
+  constraint: samples/replicalimits/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/replicalimits/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-scale-allowed
+    object: samples/replicalimits/example_scale_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed
+    object: samples/replicalimits/example_disallowed.yaml
+    assertions:
+    - violations: yes
+  - name: example-scale-disallowed
+    object: samples/replicalimits/example_scale_disallowed.yaml
+    assertions:
+    - violations: yes
+- name: replica-limit-zero
+  template: template.yaml
+  constraint: samples/replicalimits_zero/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/replicalimits_zero/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-scale-allowed
+    object: samples/replicalimits_zero/example_scale_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed
+    object: samples/replicalimits_zero/example_disallowed.yaml
+    assertions:
+    - violations: yes
+  - name: example-scale-disallowed
+    object: samples/replicalimits_zero/example_scale_disallowed.yaml
+    assertions:
+    - violations: yes
diff --git a/artifacthub/library/general/replicalimits/1.1.0/template.yaml b/artifacthub/library/general/replicalimits/1.1.0/template.yaml
@@ -0,0 +1,58 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sreplicalimits
+  annotations:
+    metadata.gatekeeper.sh/title: "Replica Limits"
+    metadata.gatekeeper.sh/version: 1.1.0
+    description: >-
+      Requires that objects with the field `spec.replicas` (Deployments,
+      ReplicaSets, etc.) specify a number of replicas within defined ranges.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sReplicaLimits
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            ranges:
+              type: array
+              description: Allowed ranges for numbers of replicas.  Values are inclusive.
+              items:
+                type: object
+                description: A range of allowed replicas.  Values are inclusive.
+                properties:
+                  min_replicas:
+                    description: The minimum number of replicas allowed, inclusive.
+                    type: integer
+                  max_replicas:
+                    description: The maximum number of replicas allowed, inclusive.
+                    type: integer
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sreplicalimits
+
+        object_name = input.review.object.metadata.name
+        object_kind = input.review.kind.kind
+
+        violation[{"msg": msg}] {
+            spec := input.review.object.spec
+            not input_replica_limit(spec)
+            msg := sprintf("The provided number of replicas is not allowed for %v: %v. Allowed ranges: %v", [object_kind, object_name, input.parameters])
+        }
+
+        input_replica_limit(spec) {
+            provided := object.get(spec, "replicas", 0)
+            count(input.parameters.ranges) > 0
+            range := input.parameters.ranges[_]
+            value_within_range(range, provided)
+        }
+
+        value_within_range(range, value) {
+            range.min_replicas <= value
+            range.max_replicas >= value
+        }