From f7590cfe785924bf045ecd8d60d16f7a9e4fb08b Mon Sep 17 00:00:00 2001
From: Nicolas Lamirault
Date: Tue, 2 Jul 2024 13:01:23 +0200
Subject: [PATCH 1/4] feat(cel): policies naming
Signed-off-by: Nicolas Lamirault
---
 cel/C0001-container-image-tag/policy-C0001.yaml | 2 +-
 cel/C0002-container-liveness-probe/policy-C0002.yaml | 2 +-
 cel/C0003-container-readiness-probe/policy-C0003.yaml | 2 +-
 cel/C0008-container-resources/policy-C0008.yaml | 2 +-
 cel/M0001-metadata-labels/policy-M0001.yaml | 10 +++++-----
 cel/M0002-metadata-annotations/policy-M0002.yaml | 2 +-
 cel/M0003-metadata-portefaix-labels/policy-M0003.yaml | 10 +++++-----
 cel/N0001-namespace-default/policy-M0001.yaml | 2 +-
 8 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/cel/C0001-container-image-tag/policy-C0001.yaml b/cel/C0001-container-image-tag/policy-C0001.yaml
index 2923f62..7ecc427 100644
--- a/cel/C0001-container-image-tag/policy-C0001.yaml
+++ b/cel/C0001-container-image-tag/policy-C0001.yaml
@@ -17,7 +17,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: portefaix-C0001
+ name: c0001.metadata.portefaix.xyz
 spec:
 matchConstraints:
 resourceRules:
diff --git a/cel/C0002-container-liveness-probe/policy-C0002.yaml b/cel/C0002-container-liveness-probe/policy-C0002.yaml
index aa95551..e47d8bb 100644
--- a/cel/C0002-container-liveness-probe/policy-C0002.yaml
+++ b/cel/C0002-container-liveness-probe/policy-C0002.yaml
@@ -18,7 +18,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: portefaix-C0002
+ name: c0002.metadata.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
diff --git a/cel/C0003-container-readiness-probe/policy-C0003.yaml b/cel/C0003-container-readiness-probe/policy-C0003.yaml
index 786a3de..2cac76a 100644
--- a/cel/C0003-container-readiness-probe/policy-C0003.yaml
+++ b/cel/C0003-container-readiness-probe/policy-C0003.yaml
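Review bot: In the C0001 hunk, `spec:` is followed directly by `matchConstraints:`, so C0001 is the only policy in this patch without an explicit `failurePolicy: Fail`; the C0002, C0003 and C0008 hunks all carry it. As far as I know ValidatingAdmissionPolicy defaults failurePolicy to Fail, so enforcement is probably unchanged, but a policy whose job is to block unpinned `latest` images should state fail-closed explicitly so that a reader does not have to know the default and a later edit cannot flip it unnoticed. Adding `failurePolicy: Fail` under `spec:` keeps the eight policies consistent. The rest of C0001's spec, including its validation expression, is outside the hunk.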
@@ -18,7 +18,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: portefaix-C0003
+ name: c0003.metadata.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
diff --git a/cel/C0008-container-resources/policy-C0008.yaml b/cel/C0008-container-resources/policy-C0008.yaml
index fb45b61..7f10fea 100644
--- a/cel/C0008-container-resources/policy-C0008.yaml
+++ b/cel/C0008-container-resources/policy-C0008.yaml
@@ -18,7 +18,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: portefaix-C0008
+ name: c0008.metadata.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
diff --git a/cel/M0001-metadata-labels/policy-M0001.yaml b/cel/M0001-metadata-labels/policy-M0001.yaml
index e66900c..37c03e7 100644
--- a/cel/M0001-metadata-labels/policy-M0001.yaml
+++ b/cel/M0001-metadata-labels/policy-M0001.yaml
@@ -18,15 +18,15 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: portefaix-M0001
+ name: m0001.metadata.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
 resourceRules:
- - apiGroups: [""]
- apiVersions: ["v1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["namespaces"]
+ # - apiGroups: [""]
+ # apiVersions: ["v1"]
+ # operations: ["CREATE", "UPDATE"]
+ # resources: ["namespaces"]
 - apiGroups: [""]
 apiVersions: ["v1"]
 operations: ["CREATE", "UPDATE"]
diff --git a/cel/M0002-metadata-annotations/policy-M0002.yaml b/cel/M0002-metadata-annotations/policy-M0002.yaml
index 019f1a9..4d17144 100644
--- a/cel/M0002-metadata-annotations/policy-M0002.yaml
+++ b/cel/M0002-metadata-annotations/policy-M0002.yaml
@@ -18,7 +18,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: portefaix-M0002
+ name: m0002.metadata.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
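Review bot: The M0001 hunk comments out the `namespaces` resourceRule, so Namespace objects are no longer checked for the recommended labels; that is a reduction of enforcement scope that the patch subject ("policies naming") and the commit message do not mention, and the M0003 hunk in this same patch makes the identical change. Commented-out rules are dead configuration that tends to drift, so either delete the four lines and state in the commit body why namespaces are excluded, or, if the exclusion is temporary, leave a single comment saying so, e.g. `# namespaces rule disabled: [REASON] - TODO re-enable`. The remaining resourceRules and the validation expression that presumably motivated the change lie outside the hunk, so I cannot tell whether the rule was actually failing on namespaces.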
diff --git a/cel/M0003-metadata-portefaix-labels/policy-M0003.yaml b/cel/M0003-metadata-portefaix-labels/policy-M0003.yaml
index db10688..0318759 100644
--- a/cel/M0003-metadata-portefaix-labels/policy-M0003.yaml
+++ b/cel/M0003-metadata-portefaix-labels/policy-M0003.yaml
@@ -18,15 +18,15 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: portefaix-M0001
+ name: m0003.metadata.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
 resourceRules:
- - apiGroups: [""]
- apiVersions: ["v1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["namespaces"]
+ # - apiGroups: [""]
+ # apiVersions: ["v1"]
+ # operations: ["CREATE", "UPDATE"]
+ # resources: ["namespaces"]
 - apiGroups: [""]
 apiVersions: ["v1"]
 operations: ["CREATE", "UPDATE"]
diff --git a/cel/N0001-namespace-default/policy-M0001.yaml b/cel/N0001-namespace-default/policy-M0001.yaml
index 930fbf8..34056d4 100644
--- a/cel/N0001-namespace-default/policy-M0001.yaml
+++ b/cel/N0001-namespace-default/policy-M0001.yaml
@@ -18,7 +18,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: portefaix-N0001
+ name: n0001.metadata.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
From 908428aefd5175a7c0a7538ee0157a2a9aaae503 Mon Sep 17 00:00:00 2001
From: Nicolas Lamirault
Date: Tue, 2 Jul 2024 13:43:37 +0200
Subject: [PATCH 2/4] feat(cel): documentation
Signed-off-by: Nicolas Lamirault
---
 cel/README.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/cel/README.md b/cel/README.md
index 13d436e..0e28d78 100644
--- a/cel/README.md
+++ b/cel/README.md
@@ -4,13 +4,13 @@
 | Policy |
 | --------------------------------------------------------------------------------------------------- |
-| [portefaix-C0001 - Container must not use latest image tag](cel/C0001-container-image-tag) |
-| [portefaix-C0002 - Container must set liveness probe](cel/C0003-container-liveness-probe) |
-| [portefaix-C0003 - Container must set readiness probe](cel/C0002-container-readiness-probe) |
-| [portefaix-C0008 - Container resource constraints must be specified](cel/C0008-container-resources) |
-| [portefaix-M0001 - Metadata must set recommanded Kubernetes labels](cel/M0001-metadata-labels) |
-| [portefaix-M0002 - Metadata should have a8r.io annotations](cel/M0002-metadata-annotations) |
-| [portefaix-M0003 - Metadata should have portefaix.xyz labels](cel/M0003-metadata-portefaix-labels) |
-| [portefaix-N0001 - Disallow Default Namespace](cel/N0001-namespace-default) |
+| [m0001.metadata.portefaix.xyz - Metadata must set recommanded Kubernetes labels](cel/M0001-metadata-labels) |
+| [m0002.metadata.portefaix.xyz - Metadata should have a8r.io annotations](cel/M0002-metadata-annotations) |
+| [m0003.metadata.portefaix.xyz - Metadata should have portefaix.xyz labels](cel/M0003-metadata-portefaix-labels) |
+| [n0001.metadata.portefaix.xyz - Disallow Default Namespace](cel/N0001-namespace-default) |
+| [c0001.metadata.portefaix.xyz - Container must not use latest image tag](cel/C0001-container-image-tag) |
+| [c0002.metadata.portefaix.xyz - Container must set liveness probe](cel/C0003-container-liveness-probe) |
+| [c0003.metadata.portefaix.xyz - Container must set readiness probe](cel/C0002-container-readiness-probe) |
+| [c0008.metadata.portefaix.xyz - Container resource constraints must be specified](cel/C0008-container-resources) |
From 0966ca11fd85414fdcd71073e9132832433174ef Mon Sep 17 00:00:00 2001
From: Nicolas Lamirault
Date: Tue, 2 Jul 2024 13:45:05 +0200
Subject: [PATCH 3/4] fix(cel): naming
Signed-off-by: Nicolas Lamirault
---
 cel/C0001-container-image-tag/policy-C0001.yaml | 2 +-
 cel/C0002-container-liveness-probe/policy-C0002.yaml | 2 +-
 cel/C0003-container-readiness-probe/policy-C0003.yaml | 2 +-
 cel/C0008-container-resources/policy-C0008.yaml | 2 +-
 .../{policy-M0001.yaml => policy-N0001.yaml} | 2 +-
 cel/README.md | 10 +++++-----
 6 files changed, 10 insertions(+), 10 deletions(-)
 rename cel/N0001-namespace-default/{policy-M0001.yaml => policy-N0001.yaml} (97%)
diff --git a/cel/C0001-container-image-tag/policy-C0001.yaml b/cel/C0001-container-image-tag/policy-C0001.yaml
index 7ecc427..9f731c0 100644
--- a/cel/C0001-container-image-tag/policy-C0001.yaml
+++ b/cel/C0001-container-image-tag/policy-C0001.yaml
@@ -17,7 +17,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: c0001.metadata.portefaix.xyz
+ name: c0001.container.portefaix.xyz
 spec:
 matchConstraints:
 resourceRules:
diff --git a/cel/C0002-container-liveness-probe/policy-C0002.yaml b/cel/C0002-container-liveness-probe/policy-C0002.yaml
index e47d8bb..e259743 100644
--- a/cel/C0002-container-liveness-probe/policy-C0002.yaml
+++ b/cel/C0002-container-liveness-probe/policy-C0002.yaml
@@ -18,7 +18,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: c0002.metadata.portefaix.xyz
+ name: c0002.container.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
diff --git a/cel/C0003-container-readiness-probe/policy-C0003.yaml b/cel/C0003-container-readiness-probe/policy-C0003.yaml
index 2cac76a..c3fbff4 100644
--- a/cel/C0003-container-readiness-probe/policy-C0003.yaml
+++ b/cel/C0003-container-readiness-probe/policy-C0003.yaml
@@ -18,7 +18,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: c0003.metadata.portefaix.xyz
+ name: c0003.container.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
diff --git a/cel/C0008-container-resources/policy-C0008.yaml b/cel/C0008-container-resources/policy-C0008.yaml
index 7f10fea..e815df0 100644
--- a/cel/C0008-container-resources/policy-C0008.yaml
+++ b/cel/C0008-container-resources/policy-C0008.yaml
@@ -18,7 +18,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: c0008.metadata.portefaix.xyz
+ name: c0008.container.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
diff --git a/cel/N0001-namespace-default/policy-M0001.yaml b/cel/N0001-namespace-default/policy-N0001.yaml
similarity index 97%
rename from cel/N0001-namespace-default/policy-M0001.yaml
rename to cel/N0001-namespace-default/policy-N0001.yaml
index 34056d4..312f5c6 100644
--- a/cel/N0001-namespace-default/policy-M0001.yaml
+++ b/cel/N0001-namespace-default/policy-N0001.yaml
@@ -18,7 +18,7 @@
 apiVersion: admissionregistration.k8s.io/v1alpha1
 kind: ValidatingAdmissionPolicy
 metadata:
- name: n0001.metadata.portefaix.xyz
+ name: n0001.namespace.portefaix.xyz
 spec:
 failurePolicy: Fail
 matchConstraints:
diff --git a/cel/README.md b/cel/README.md
index 0e28d78..85ee442 100644
--- a/cel/README.md
+++ b/cel/README.md
@@ -7,10 +7,10 @@
 | [m0001.metadata.portefaix.xyz - Metadata must set recommanded Kubernetes labels](cel/M0001-metadata-labels) |
 | [m0002.metadata.portefaix.xyz - Metadata should have a8r.io annotations](cel/M0002-metadata-annotations) |
 | [m0003.metadata.portefaix.xyz - Metadata should have portefaix.xyz labels](cel/M0003-metadata-portefaix-labels) |
-| [n0001.metadata.portefaix.xyz - Disallow Default Namespace](cel/N0001-namespace-default) |
-| [c0001.metadata.portefaix.xyz - Container must not use latest image tag](cel/C0001-container-image-tag) |
-| [c0002.metadata.portefaix.xyz - Container must set liveness probe](cel/C0003-container-liveness-probe) |
-| [c0003.metadata.portefaix.xyz - Container must set readiness probe](cel/C0002-container-readiness-probe) |
-| [c0008.metadata.portefaix.xyz - Container resource constraints must be specified](cel/C0008-container-resources) |
+| [n0001.namespace.portefaix.xyz - Disallow Default Namespace](cel/N0001-namespace-default) |
+| [c0001.container.portefaix.xyz - Container must not use latest image tag](cel/C0001-container-image-tag) |
+| [c0002.container.portefaix.xyz - Container must set liveness probe](cel/C0003-container-liveness-probe) |
+| [c0003.container.portefaix.xyz - Container must set readiness probe](cel/C0002-container-readiness-probe) |
+| [c0008.container.portefaix.xyz - Container resource constraints must be specified](cel/C0008-container-resources) |
From 3a03f476ff3341016e1fda5ad0b8a483c06bfddd Mon Sep 17 00:00:00 2001
From: Nicolas Lamirault
Date: Tue, 2 Jul 2024 13:46:00 +0200
Subject: [PATCH 4/4] fix(cel): naming
Signed-off-by: Nicolas Lamirault
---
 cel/README.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/cel/README.md b/cel/README.md
index 85ee442..dc5b477 100644
--- a/cel/README.md
+++ b/cel/README.md
@@ -4,13 +4,13 @@
 | Policy |
 | --------------------------------------------------------------------------------------------------- |
-| [m0001.metadata.portefaix.xyz - Metadata must set recommanded Kubernetes labels](cel/M0001-metadata-labels) |
-| [m0002.metadata.portefaix.xyz - Metadata should have a8r.io annotations](cel/M0002-metadata-annotations) |
-| [m0003.metadata.portefaix.xyz - Metadata should have portefaix.xyz labels](cel/M0003-metadata-portefaix-labels) |
-| [n0001.namespace.portefaix.xyz - Disallow Default Namespace](cel/N0001-namespace-default) |
-| [c0001.container.portefaix.xyz - Container must not use latest image tag](cel/C0001-container-image-tag) |
-| [c0002.container.portefaix.xyz - Container must set liveness probe](cel/C0003-container-liveness-probe) |
-| [c0003.container.portefaix.xyz - Container must set readiness probe](cel/C0002-container-readiness-probe) |
-| [c0008.container.portefaix.xyz - Container resource constraints must be specified](cel/C0008-container-resources) |
+| [m0001.metadata.portefaix.xyz - Metadata must set recommanded Kubernetes labels](M0001-metadata-labels) |
+| [m0002.metadata.portefaix.xyz - Metadata should have a8r.io annotations](M0002-metadata-annotations) |
+| [m0003.metadata.portefaix.xyz - Metadata should have portefaix.xyz labels](M0003-metadata-portefaix-labels) |
+| [n0001.namespace.portefaix.xyz - Disallow Default Namespace](N0001-namespace-default) |
+| [c0001.container.portefaix.xyz - Container must not use latest image tag](C0001-container-image-tag) |
+| [c0002.container.portefaix.xyz - Container must set liveness probe](C0003-container-liveness-probe) |
+| [c0003.container.portefaix.xyz - Container must set readiness probe](C0002-container-readiness-probe) |
+| [c0008.container.portefaix.xyz - Container resource constraints must be specified](C0008-container-resources) |