add test pols
This commit is contained in:
@@ -26,8 +26,8 @@ kubectl get clusterpolicy my-policy -o yaml | grep -A 10 "status:"
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Kyverno CLI — самый быстрый способ проверить
|
# Kyverno CLI — самый быстрый способ проверить
|
||||||
kyverno apply my-policy.yaml \
|
kyverno apply test-pols/policy-require-labels.yaml \
|
||||||
--resource my-resource.yaml \
|
--resource test-deployment.yaml \
|
||||||
--detailed-results
|
--detailed-results
|
||||||
|
|
||||||
# Вывод:
|
# Вывод:
|
||||||
|
|||||||
@@ -0,0 +1,42 @@
|
|||||||
|
# Тестовые поды для демонстрации kyverno apply --detailed-results.
|
||||||
|
# Под good-pod — проходит обе политики.
|
||||||
|
# Под bad-pod — нарушает обе политики (нет limits, нет label 'owner').
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: good-pod
|
||||||
|
namespace: default
|
||||||
|
labels:
|
||||||
|
app: demo
|
||||||
|
owner: team-platform
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: app
|
||||||
|
image: nginx:1.25.3
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 64Mi
|
||||||
|
limits:
|
||||||
|
cpu: 200m
|
||||||
|
memory: 256Mi
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: bad-pod
|
||||||
|
namespace: default
|
||||||
|
labels:
|
||||||
|
app: demo
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: app
|
||||||
|
image: nginx:1.25.3
|
||||||
|
- name: sidecar
|
||||||
|
image: busybox:1.36
|
||||||
|
command: ["sh", "-c", "sleep 3600"]
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 16Mi
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
name: require-labels-demo
|
||||||
|
annotations:
|
||||||
|
policies.kyverno.io/title: "DEMO: Требовать обязательные labels"
|
||||||
|
policies.kyverno.io/description: >-
|
||||||
|
Демонстрационная политика для урока 6.2.
|
||||||
|
Проверяет наличие labels 'app' и 'owner' у Pod.
|
||||||
|
spec:
|
||||||
|
validationFailureAction: Audit
|
||||||
|
background: true
|
||||||
|
rules:
|
||||||
|
- name: check-required-labels
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Pod
|
||||||
|
validate:
|
||||||
|
message: "Pod must have labels 'app' and 'owner'."
|
||||||
|
pattern:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: "?*"
|
||||||
|
owner: "?*"
|
||||||
@@ -0,0 +1,30 @@
|
|||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
name: require-resource-limits-demo
|
||||||
|
annotations:
|
||||||
|
policies.kyverno.io/title: "DEMO: Требовать resources.limits"
|
||||||
|
policies.kyverno.io/description: >-
|
||||||
|
Демонстрационная политика для урока 6.2.
|
||||||
|
Проверяет, что у всех контейнеров заданы CPU и memory limits.
|
||||||
|
spec:
|
||||||
|
validationFailureAction: Audit
|
||||||
|
background: true
|
||||||
|
rules:
|
||||||
|
- name: check-container-limits
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Pod
|
||||||
|
validate:
|
||||||
|
foreach:
|
||||||
|
- list: "request.object.spec.containers"
|
||||||
|
message: >-
|
||||||
|
Container '{{ element.name }}' must have resources.limits.cpu
|
||||||
|
and resources.limits.memory defined.
|
||||||
|
pattern:
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: "?*"
|
||||||
|
memory: "?*"
|
||||||
Reference in New Issue
Block a user