From e9957706955558b41f675e9e6944130b7fed6b60 Mon Sep 17 00:00:00 2001 From: Vassiliy Yegorov Date: Tue, 19 May 2026 16:37:43 +0700 Subject: [PATCH] add test pols --- 06-monitoring/02-debugging/README.md | 4 +- .../02-debugging/test-deployment.yaml | 42 +++++++++++++++++++ .../test-pols/policy-require-labels.yaml | 26 ++++++++++++ .../test-pols/policy-require-limits.yaml | 30 +++++++++++++ 4 files changed, 100 insertions(+), 2 deletions(-) create mode 100644 06-monitoring/02-debugging/test-deployment.yaml create mode 100644 06-monitoring/02-debugging/test-pols/policy-require-labels.yaml create mode 100644 06-monitoring/02-debugging/test-pols/policy-require-limits.yaml diff --git a/06-monitoring/02-debugging/README.md b/06-monitoring/02-debugging/README.md index cb0c130..9a0da66 100644 --- a/06-monitoring/02-debugging/README.md +++ b/06-monitoring/02-debugging/README.md @@ -26,8 +26,8 @@ kubectl get clusterpolicy my-policy -o yaml | grep -A 10 "status:" ```bash # Kyverno CLI — самый быстрый способ проверить -kyverno apply my-policy.yaml \ - --resource my-resource.yaml \ +kyverno apply test-pols/policy-require-labels.yaml \ + --resource test-deployment.yaml \ --detailed-results # Вывод: diff --git a/06-monitoring/02-debugging/test-deployment.yaml b/06-monitoring/02-debugging/test-deployment.yaml new file mode 100644 index 0000000..b862f5d --- /dev/null +++ b/06-monitoring/02-debugging/test-deployment.yaml 
@@ -0,0 +1,42 @@
+# Тестовые поды для демонстрации kyverno apply --detailed-results.
+# Под good-pod — проходит обе политики.
+# Под bad-pod — нарушает обе политики (нет limits, нет label 'owner').
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: good-pod
+ namespace: default
+ labels:
+ app: demo
+ owner: team-platform
+spec:
+ containers:
+ - name: app
+ image: nginx:1.25.3
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 256Mi
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: bad-pod
+ namespace: default
+ labels:
+ app: demo
+spec:
+ containers:
+ - name: app
+ image: nginx:1.25.3
+ - name: sidecar
+ image: busybox:1.36
+ command: ["sh", "-c", "sleep 3600"]
+ resources:
+ requests:
+ cpu: 10m
+ memory: 16Mi
diff --git a/06-monitoring/02-debugging/test-pols/policy-require-labels.yaml b/06-monitoring/02-debugging/test-pols/policy-require-labels.yaml
new file mode 100644
index 0000000..aa393ff
--- /dev/null
+++ b/06-monitoring/02-debugging/test-pols/policy-require-labels.yaml
@@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-labels-demo
+ annotations:
+ policies.kyverno.io/title: "DEMO: Требовать обязательные labels"
+ policies.kyverno.io/description: >-
+ Демонстрационная политика для урока 6.2.
+ Проверяет наличие labels 'app' и 'owner' у Pod.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: check-required-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "Pod must have labels 'app' and 'owner'."
+ pattern:
+ metadata:
+ labels:
+ app: "?*"
+ owner: "?*"
diff --git a/06-monitoring/02-debugging/test-pols/policy-require-limits.yaml b/06-monitoring/02-debugging/test-pols/policy-require-limits.yaml
new file mode 100644
index 0000000..ae06d6a
--- /dev/null
+++ b/06-monitoring/02-debugging/test-pols/policy-require-limits.yaml
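Review bot: The header comment of test-deployment.yaml does not say that these manifests are fixtures for offline `kyverno apply` runs only, and both demo policies in this commit are in Audit mode, so a `kubectl apply` of this file would presumably admit `bad-pod` into `default` rather than reject it. I would add a line under the existing comment such as `# Fixture for the offline kyverno CLI only; do not kubectl apply it to a cluster.` The file name also says deployment while both documents are `kind: Pod`; a name like `test-pods.yaml` (with the README command updated to match) would keep the lesson consistent.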
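Review bot: `validationFailureAction: Audit` in policy-require-labels.yaml means a Pod without `app` or `owner` is only reported, never rejected, and nothing in the manifest says so; policy-require-limits.yaml carries the same setting. Lesson manifests tend to be copied into real clusters, so I would put a comment above that line in both files, for example `# Audit: violations only appear in policy reports; switch to Enforce to block admission.` Newer Kyverno releases also deprecate the spec-level field in favour of a per-rule `validate.failureAction`, so it is worth checking which form the course's Kyverno version expects.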
@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-resource-limits-demo
+ annotations:
+ policies.kyverno.io/title: "DEMO: Требовать resources.limits"
+ policies.kyverno.io/description: >-
+ Демонстрационная политика для урока 6.2.
+ Проверяет, что у всех контейнеров заданы CPU и memory limits.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: check-container-limits
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ foreach:
+ - list: "request.object.spec.containers"
+ message: >-
+ Container '{{ element.name }}' must have resources.limits.cpu
+ and resources.limits.memory defined.
+ pattern:
+ resources:
+ limits:
+ cpu: "?*"
+ memory: "?*"
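Review bot: The `foreach` list `request.object.spec.containers` skips init containers, so a Pod whose init container has no limits still passes even though the description promises a check of all containers. Widening the list to `list: "request.object.spec.[initContainers, containers][]"`, the form Kyverno's sample policies use, covers both and should still evaluate when `initContainers` is absent. A further test Pod with an init container that has no limits would make the difference visible in the `--detailed-results` output.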