From 5fa81a3ce0cf48ebb9102d6b26c84b47562c73f2 Mon Sep 17 00:00:00 2001 From: dongjiang1989 Date: Wed, 24 Apr 2024 21:53:06 +0800 Subject: [PATCH 01/10] dongjiang, add volumeresources size limit 
Signed-off-by: dongjiang1989 --- .../volumeresources/1.0.0/artifacthub-pkg.yml | 22 +++ .../volumeresources/1.0.0/kustomization.yaml | 2 + .../container-emptydir-limit/constraint.yaml | 13 ++ .../example_allowed.yaml | 29 +++ .../example_disallowed.yaml | 27 +++ .../general/volumeresources/1.0.0/suite.yaml | 0 .../volumeresources/1.0.0/template.yaml | 165 ++++++++++++++++ .../volumeresources/kustomization.yaml | 2 + .../container-emptydir-limit/constraint.yaml | 13 ++ .../example_allowed.yaml | 29 +++ .../example_disallowed.yaml | 27 +++ library/general/volumeresources/suite.yaml | 0 library/general/volumeresources/template.yaml | 165 ++++++++++++++++ src/general/volumeresources/constraint.tmpl | 30 +++ .../volumeresources/lib_exempt_container.rego | 19 ++ src/general/volumeresources/src.rego | 118 +++++++++++ src/general/volumeresources/src_test.rego | 36 ++++ website/docs/validation/volumeresources.md | 185 ++++++++++++++++++ website/sidebars.js | 1 + 19 files changed, 883 insertions(+) create mode 100644 artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml create mode 100644 artifacthub/library/general/volumeresources/1.0.0/kustomization.yaml create mode 100644 artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml create mode 100644 artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed.yaml create mode 100644 artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml create mode 100644 artifacthub/library/general/volumeresources/1.0.0/suite.yaml create mode 100644 artifacthub/library/general/volumeresources/1.0.0/template.yaml create mode 100644 library/general/volumeresources/kustomization.yaml create mode 100644 library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml create mode 100644 library/general/volumeresources/samples/container-emptydir-limit/example_allowed.yaml create mode 
100644 library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml create mode 100644 library/general/volumeresources/suite.yaml create mode 100644 library/general/volumeresources/template.yaml create mode 100644 src/general/volumeresources/constraint.tmpl create mode 100644 src/general/volumeresources/lib_exempt_container.rego create mode 100644 src/general/volumeresources/src.rego create mode 100644 src/general/volumeresources/src_test.rego create mode 100644 website/docs/validation/volumeresources.md diff --git a/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml b/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml new file mode 100644 index 000000000..b8f23e7c6 --- /dev/null +++ b/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.0.0 +name: k8svolumeresources +displayName: Container emptyDir Volume Resources +createdAt: "2024-04-24T10:00:57Z" +description: Container emptyDir volume resources to be within the specified maximum values. +digest: 6332ca74d3e3e312d73e79f5d4bf294fccd732829a48a08d9adffa03c21826a0 +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/volumeresources +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Container emptyDir Volume Resources + Container emptyDir volume resources to be within the specified maximum values. +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/volumeresources/1.0.0/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/general/volumeresources/1.0.0/kustomization.yaml b/artifacthub/library/general/volumeresources/1.0.0/kustomization.yaml new file mode 100644 index 000000000..24dedaea1 --- /dev/null +++ b/artifacthub/library/general/volumeresources/1.0.0/kustomization.yaml 
@@ -0,0 +1,2 @@ +resources: + - template.yaml \ No newline at end of file diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml new file mode 100644 index 000000000..8c94aa081 --- /dev/null +++ b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml @@ -0,0 +1,13 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sVolumeRequests +metadata: + name: container-emptydir-limit +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + - apiGroups: ["apps"] + kinds: ["Deployment", "DaemonSet", "StatefulSet"] + parameters: + volumesizelimit: 1Gi diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed.yaml new file mode 100644 index 000000000..4ecf62b79 --- /dev/null +++ b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed.yaml @@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: allowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml new file mode 100644 index 000000000..18a89d151 --- /dev/null 
+++ b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml @@ -0,0 +1,27 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: {} \ No newline at end of file diff --git a/artifacthub/library/general/volumeresources/1.0.0/suite.yaml b/artifacthub/library/general/volumeresources/1.0.0/suite.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/artifacthub/library/general/volumeresources/1.0.0/template.yaml b/artifacthub/library/general/volumeresources/1.0.0/template.yaml new file mode 100644 index 000000000..6a75168ad --- /dev/null +++ b/artifacthub/library/general/volumeresources/1.0.0/template.yaml 
@@ -0,0 +1,165 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8svolumerequests + annotations: + metadata.gatekeeper.sh/title: "Container emptyDir Volume Resources" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Container emptyDir volume resources to be within the specified maximum values. + +spec: + crd: + spec: + names: + kind: K8sVolumeRequests + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + properties: + volumesizelimit: + description: "The maximum allowed emptyDir size limit on a volume." + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8svolumerequests + + violation[{"msg": msg}] { + vols := input.review.object.spec.template.spec.volumes[_] + emptydir := vols.emptyDir + not has_key(emptydir, "sizeLimit") + msg := sprintf("Volume '%v' is not allowed, do not have set sizelimit", [vols.name]) + } + + violation[{"msg": msg}] { + vols := input.review.object.spec.template.spec.volumes[_] + emptydir_orig := vols.emptyDir.sizeLimit + size := canonify_size(emptydir_orig) + max_size_orig := input.parameters.volumesizelimit + max_size := canonify_size(max_size_orig) + size > max_size + msg := sprintf("volume <%v> size limit <%v> is higher than the maximum allowed of <%v>", [vols.name, emptydir_orig, max_size_orig]) + } + + has_key(object, key) { + type_name(object[key]) + } + + size_multiple("E") = 1000000000000000000000 + + # 10 ** 18 + size_multiple("P") = 1000000000000000000 + + # 10 ** 15 + size_multiple("T") = 1000000000000000 + + # 10 ** 12 + size_multiple("G") = 1000000000000 + + # 10 ** 9 + size_multiple("M") = 1000000000 + + # 10 ** 6 + size_multiple("k") = 1000000 + + # 10 ** 3 + size_multiple("") = 1000 + + # Kubernetes accepts millibyte precision when it probably shouldn't. 
+ # https://github.com/kubernetes/kubernetes/issues/28741 + # 10 ** 0 + size_multiple("m") = 1 + + # 1000 * 2 ** 10 + size_multiple("Ki") = 1024000 + + # 1000 * 2 ** 20 + size_multiple("Mi") = 1048576000 + + # 1000 * 2 ** 30 + size_multiple("Gi") = 1073741824000 + + # 1000 * 2 ** 40 + size_multiple("Ti") = 1099511627776000 + + # 1000 * 2 ** 50 + size_multiple("Pi") = 1125899906842624000 + + # 1000 * 2 ** 60 + size_multiple("Ei") = 1152921504606846976000 + + canonify_size(orig) = new { + is_number(orig) + new := orig * 1000 + } + + get_suffix(size) = suffix { + is_string(size) + count(size) > 0 + suffix := substring(size, count(size) - 1, -1) + size_multiple(suffix) + } + + get_suffix(size) = suffix { + is_string(size) + count(size) > 1 + suffix := substring(size, count(size) - 2, -1) + size_multiple(suffix) + } + + get_suffix(size) = suffix { + is_string(size) + count(size) > 1 + not size_multiple(substring(size, count(size) - 1, -1)) + not size_multiple(substring(size, count(size) - 2, -1)) + suffix := "" + } + + get_suffix(size) = suffix { + is_string(size) + count(size) == 1 + not size_multiple(substring(size, count(size) - 1, -1)) + suffix := "" + } + + get_suffix(size) = suffix { + is_string(size) + count(size) == 0 + suffix := "" + } + + canonify_size(orig) = new { + is_number(orig) + new := orig * 1000 + } + + canonify_size(orig) = new { + not is_number(orig) + suffix := get_suffix(orig) + raw := replace(orig, suffix, "") + re_match("^[0-9]+(\\.[0-9]+)?$", raw) + new := to_number(raw) * size_multiple(suffix) + } + libs: + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, 
"*") + startswith(img, prefix) + } diff --git a/library/general/volumeresources/kustomization.yaml b/library/general/volumeresources/kustomization.yaml new file mode 100644 index 000000000..24dedaea1 --- /dev/null +++ b/library/general/volumeresources/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml \ No newline at end of file diff --git a/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml b/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml new file mode 100644 index 000000000..8c94aa081 --- /dev/null +++ b/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml @@ -0,0 +1,13 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sVolumeRequests +metadata: + name: container-emptydir-limit +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + - apiGroups: ["apps"] + kinds: ["Deployment", "DaemonSet", "StatefulSet"] + parameters: + volumesizelimit: 1Gi diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_allowed.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_allowed.yaml new file mode 100644 index 000000000..4ecf62b79 --- /dev/null +++ b/library/general/volumeresources/samples/container-emptydir-limit/example_allowed.yaml @@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: allowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory 
diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml new file mode 100644 index 000000000..18a89d151 --- /dev/null +++ b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml @@ -0,0 +1,27 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: {} \ No newline at end of file diff --git a/library/general/volumeresources/suite.yaml b/library/general/volumeresources/suite.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/library/general/volumeresources/template.yaml b/library/general/volumeresources/template.yaml new file mode 100644 index 000000000..6a75168ad --- /dev/null +++ b/library/general/volumeresources/template.yaml 
@@ -0,0 +1,165 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8svolumerequests + annotations: + metadata.gatekeeper.sh/title: "Container emptyDir Volume Resources" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Container emptyDir volume resources to be within the specified maximum values. + +spec: + crd: + spec: + names: + kind: K8sVolumeRequests + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + properties: + volumesizelimit: + description: "The maximum allowed emptyDir size limit on a volume." + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8svolumerequests + + violation[{"msg": msg}] { + vols := input.review.object.spec.template.spec.volumes[_] + emptydir := vols.emptyDir + not has_key(emptydir, "sizeLimit") + msg := sprintf("Volume '%v' is not allowed, do not have set sizelimit", [vols.name]) + } + + violation[{"msg": msg}] { + vols := input.review.object.spec.template.spec.volumes[_] + emptydir_orig := vols.emptyDir.sizeLimit + size := canonify_size(emptydir_orig) + max_size_orig := input.parameters.volumesizelimit + max_size := canonify_size(max_size_orig) + size > max_size + msg := sprintf("volume <%v> size limit <%v> is higher than the maximum allowed of <%v>", [vols.name, emptydir_orig, max_size_orig]) + } + + has_key(object, key) { + type_name(object[key]) + } + + size_multiple("E") = 1000000000000000000000 + + # 10 ** 18 + size_multiple("P") = 1000000000000000000 + + # 10 ** 15 + size_multiple("T") = 1000000000000000 + + # 10 ** 12 + size_multiple("G") = 1000000000000 + + # 10 ** 9 + size_multiple("M") = 1000000000 + + # 10 ** 6 + size_multiple("k") = 1000000 + + # 10 ** 3 + size_multiple("") = 1000 + + # Kubernetes accepts millibyte precision when it probably shouldn't. 
+ # https://github.com/kubernetes/kubernetes/issues/28741 + # 10 ** 0 + size_multiple("m") = 1 + + # 1000 * 2 ** 10 + size_multiple("Ki") = 1024000 + + # 1000 * 2 ** 20 + size_multiple("Mi") = 1048576000 + + # 1000 * 2 ** 30 + size_multiple("Gi") = 1073741824000 + + # 1000 * 2 ** 40 + size_multiple("Ti") = 1099511627776000 + + # 1000 * 2 ** 50 + size_multiple("Pi") = 1125899906842624000 + + # 1000 * 2 ** 60 + size_multiple("Ei") = 1152921504606846976000 + + canonify_size(orig) = new { + is_number(orig) + new := orig * 1000 + } + + get_suffix(size) = suffix { + is_string(size) + count(size) > 0 + suffix := substring(size, count(size) - 1, -1) + size_multiple(suffix) + } + + get_suffix(size) = suffix { + is_string(size) + count(size) > 1 + suffix := substring(size, count(size) - 2, -1) + size_multiple(suffix) + } + + get_suffix(size) = suffix { + is_string(size) + count(size) > 1 + not size_multiple(substring(size, count(size) - 1, -1)) + not size_multiple(substring(size, count(size) - 2, -1)) + suffix := "" + } + + get_suffix(size) = suffix { + is_string(size) + count(size) == 1 + not size_multiple(substring(size, count(size) - 1, -1)) + suffix := "" + } + + get_suffix(size) = suffix { + is_string(size) + count(size) == 0 + suffix := "" + } + + canonify_size(orig) = new { + is_number(orig) + new := orig * 1000 + } + + canonify_size(orig) = new { + not is_number(orig) + suffix := get_suffix(orig) + raw := replace(orig, suffix, "") + re_match("^[0-9]+(\\.[0-9]+)?$", raw) + new := to_number(raw) * size_multiple(suffix) + } + libs: + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + _matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, 
"*") + startswith(img, prefix) + } diff --git a/src/general/volumeresources/constraint.tmpl b/src/general/volumeresources/constraint.tmpl new file mode 100644 index 000000000..8bd339fb6 --- /dev/null +++ b/src/general/volumeresources/constraint.tmpl @@ -0,0 +1,30 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8svolumerequests + annotations: + metadata.gatekeeper.sh/title: "Container emptyDir Volume Resources" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Container emptyDir volume resources to be within the specified maximum values. + +spec: + crd: + spec: + names: + kind: K8sVolumeRequests + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + properties: + volumesizelimit: + description: "The maximum allowed emptyDir size limit on a volume." + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | +{{ file.Read "src/general/volumeresources/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }} + libs: + - | +{{ file.Read "src/general/volumeresources/lib_exempt_container.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }} diff --git a/src/general/volumeresources/lib_exempt_container.rego b/src/general/volumeresources/lib_exempt_container.rego new file mode 100644 index 000000000..c483416be --- /dev/null +++ b/src/general/volumeresources/lib_exempt_container.rego @@ -0,0 +1,19 @@ +package lib.exempt_container + +is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) +} + +_matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img +} + +_matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) +} 
diff --git a/src/general/volumeresources/src.rego b/src/general/volumeresources/src.rego
new file mode 100644
index 000000000..9e90193b1
--- /dev/null
+++ b/src/general/volumeresources/src.rego
@@ -0,0 +1,118 @@
+package k8svolumerequests
+
+violation[{"msg": msg}] {
+ vols := input.review.object.spec.template.spec.volumes[_]
+ emptydir := vols.emptyDir
+ not has_key(emptydir, "sizeLimit")
+ msg := sprintf("Volume '%v' is not allowed, do not have set sizelimit", [vols.name])
+}
+
+violation[{"msg": msg}] {
+ vols := input.review.object.spec.template.spec.volumes[_]
+ emptydir_orig := vols.emptyDir.sizeLimit
+ size := canonify_size(emptydir_orig)
+ max_size_orig := input.parameters.volumesizelimit
+ max_size := canonify_size(max_size_orig)
+ size > max_size
+ msg := sprintf("volume <%v> size limit <%v> is higher than the maximum allowed of <%v>", [vols.name, emptydir_orig, max_size_orig])
+}
+
+has_key(object, key) {
+ type_name(object[key])
+}
+
+size_multiple("E") = 1000000000000000000000
+
+# 10 ** 18
+size_multiple("P") = 1000000000000000000
+
+# 10 ** 15
+size_multiple("T") = 1000000000000000
+
+# 10 ** 12
+size_multiple("G") = 1000000000000
+
+# 10 ** 9
+size_multiple("M") = 1000000000
+
+# 10 ** 6
+size_multiple("k") = 1000000
+
+# 10 ** 3
+size_multiple("") = 1000
+
+# Kubernetes accepts millibyte precision when it probably shouldn't.
+# https://github.com/kubernetes/kubernetes/issues/28741
+# 10 ** 0
+size_multiple("m") = 1
+
+# 1000 * 2 ** 10
+size_multiple("Ki") = 1024000
+
+# 1000 * 2 ** 20
+size_multiple("Mi") = 1048576000
+
+# 1000 * 2 ** 30
+size_multiple("Gi") = 1073741824000
+
+# 1000 * 2 ** 40
+size_multiple("Ti") = 1099511627776000
+
+# 1000 * 2 ** 50
+size_multiple("Pi") = 1125899906842624000
+
+# 1000 * 2 ** 60
+size_multiple("Ei") = 1152921504606846976000
+
+canonify_size(orig) = new {
+ is_number(orig)
+ new := orig * 1000
+}
+
+get_suffix(size) = suffix {
+ is_string(size)
+ count(size) > 0
+ suffix := substring(size, count(size) - 1, -1)
+ size_multiple(suffix)
+}
+
+get_suffix(size) = suffix {
+ is_string(size)
+ count(size) > 1
+ suffix := substring(size, count(size) - 2, -1)
+ size_multiple(suffix)
+}
+
+get_suffix(size) = suffix {
+ is_string(size)
+ count(size) > 1
+ not size_multiple(substring(size, count(size) - 1, -1))
+ not size_multiple(substring(size, count(size) - 2, -1))
+ suffix := ""
+}
+
+get_suffix(size) = suffix {
+ is_string(size)
+ count(size) == 1
+ not size_multiple(substring(size, count(size) - 1, -1))
+ suffix := ""
+}
+
+get_suffix(size) = suffix {
+ is_string(size)
+ count(size) == 0
+ suffix := ""
+}
+
+canonify_size(orig) = new {
+ is_number(orig)
+ new := orig * 1000
+}
+
+canonify_size(orig) = new {
+ not is_number(orig)
+ suffix := get_suffix(orig)
+ raw := replace(orig, suffix, "")
+ re_match("^[0-9]+(\\.[0-9]+)?$", raw)
+ new := to_number(raw) * size_multiple(suffix)
+}
\ No newline at end of file
diff --git a/src/general/volumeresources/src_test.rego b/src/general/volumeresources/src_test.rego
new file mode 100644
index 000000000..897e5ca15
--- /dev/null
+++ b/src/general/volumeresources/src_test.rego
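Review bot: Both `violation` rules read `input.review.object.spec.template.spec.volumes`, so a bare Pod — which the sample `constraint.yaml` under `library/general/volumeresources/samples/container-emptydir-limit/` (and its artifacthub copy) explicitly matches with `kinds: ["Pod"]` — has no `spec.template`, the rule bodies are undefined, and the object is admitted without any check; a Pod applied directly, or anything that is not a template-bearing workload, bypasses the limit entirely, and a CronJob (`spec.jobTemplate.spec.template`) would still be missed even with the change below. The rules also fail open on the parse path: `canonify_size` is undefined for any quantity the regex does not accept — Kubernetes quantities may also use an exponent form such as `5e9`, which `get_suffix` reduces to suffix `""` and the regex then rejects — and an undefined comparison simply produces no violation, so such a volume is allowed regardless of its size. The sketch below selects the volume list by `kind` and adds a third rule that reports a `sizeLimit` the canonifier cannot parse instead of ignoring it. The `canonify_size(orig) = new { is_number(orig) ... }` rule is also defined twice (once before `get_suffix`, again after it); drop one copy.
```rego
# Volumes of the reviewed object: a bare Pod keeps them at spec.volumes,
# templated workloads (Deployment, DaemonSet, StatefulSet) at spec.template.spec.volumes.
pod_volumes = vols {
    input.review.object.kind == "Pod"
    vols := input.review.object.spec.volumes
}

pod_volumes = vols {
    input.review.object.kind != "Pod"
    vols := input.review.object.spec.template.spec.volumes
}

violation[{"msg": msg}] {
    vols := pod_volumes[_]
    # … unchanged: missing-sizeLimit check …
}

violation[{"msg": msg}] {
    vols := pod_volumes[_]
    # … unchanged: size comparison against input.parameters.volumesizelimit …
}

# Fail closed: a sizeLimit the canonifier cannot parse must not slip past the comparison.
violation[{"msg": msg}] {
    vols := pod_volumes[_]
    limit := vols.emptyDir.sizeLimit
    not canonify_size(limit)
    msg := sprintf("volume <%v> has an emptyDir sizeLimit <%v> that could not be parsed", [vols.name, limit])
}
```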
@@ -0,0 +1,36 @@
+package k8svolumerequests
+
+test_input_no_sizeLimit {
+ input := {"review": container([{"emptyDir": {}, "name": "test"}]), "parameters": {"volumesizelimit": "3Gi"}}
+ results := violation with input as input
+ count(results) == 1
+}
+
+test_input_with_sizeLimit_lower {
+ input := {"review": container([vol("2Gi", "test")]), "parameters": {"volumesizelimit": "3Gi"}}
+ results := violation with input as input
+ count(results) == 0
+}
+
+test_input_with_sizeLimit_higher {
+ input := {"review": container([vol("5Gi", "test")]), "parameters": {"volumesizelimit": "3Gi"}}
+ results := violation with input as input
+ count(results) == 1
+}
+
+test_input_with_sizeLimit_muti_higher {
+ input := {"review": container([vol("5Gi", "test"), vol("1Gi", "test1")]), "parameters": {"volumesizelimit": "3Gi"}}
+ results := violation with input as input
+ count(results) == 1
+}
+
+container(volumes) = output {
+ output = {"object": {"spec": {"template": {"spec": {"volumes": volumes}}}}}
+}
+
+vol(size, name) = out {
+ out = {
+ "emptyDir": {"sizeLimit": size},
+ "name": name
+ }
+}
diff --git a/website/docs/validation/volumeresources.md b/website/docs/validation/volumeresources.md
new file mode 100644
index 000000000..0780f61f9
--- /dev/null
+++ b/website/docs/validation/volumeresources.md
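Review bot: The helper `container(volumes)` builds a whole admission `review` object with a pod template rather than a container, so the test bodies read as if they exercised containers; `review(volumes)` or `deployment_review(volumes)` would say what it returns, and `test_input_with_sizeLimit_muti_higher` should be spelled `multi`. The four cases only cover the Deployment-shaped path with whole-`Gi` values: there is no case for a Pod-shaped object (`{"object": {"kind": "Pod", "spec": {"volumes": ...}}}`), for a `sizeLimit` equal to the limit (the `size > max_size` boundary), for a decimal or `m`/`Mi`-suffixed quantity, or for a constraint whose `volumesizelimit` is absent — the last two are exactly where `canonify_size` becomes undefined and the policy currently yields zero violations, so pinning the intended outcome here turns that into a deliberate choice rather than an accident. `test_input_with_sizeLimit_muti_higher` asserts `count(results) == 1` only because the second volume is under the limit; a case with two over-limit volumes expecting 2 would guard the `[_]` iteration.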
@@ -0,0 +1,185 @@ +--- +id: volumeresources +title: Container emptyDir Volume Resources +--- + +# Container emptyDir Volume Resources + +## Description +Container emptyDir volume resources to be within the specified maximum values. + +## Template +```yaml +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8svolumerequests + annotations: + metadata.gatekeeper.sh/title: "Container emptyDir Volume Resources" + metadata.gatekeeper.sh/version: 1.0.0 + description: >- + Container emptyDir volume resources to be within the specified maximum values. + +spec: + crd: + spec: + names: + kind: K8sVolumeRequests + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + properties: + volumesizelimit: + description: "The maximum allowed emptyDir size limit on a volume." + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8svolumerequests + + violation[{"msg": msg}] { + vols := input.review.object.spec.template.spec.volumes[_] + emptydir := vols.emptyDir + not has_key(emptydir, "sizeLimit") + msg := sprintf("Volume '%v' is not allowed, do not have set sizelimit", [vols.name]) + } + + violation[{"msg": msg}] { + vols := input.review.object.spec.template.spec.volumes[_] + emptydir_orig := vols.emptyDir.sizeLimit + size := canonify_size(emptydir_orig) + max_size_orig := input.parameters.volumesizelimit + max_size := canonify_size(max_size_orig) + size > max_size + msg := sprintf("volume <%v> size limit <%v> is higher than the maximum allowed of <%v>", [vols.name, emptydir_orig, max_size_orig]) + } + + has_key(object, key) { + type_name(object[key]) + } + + size_multiple("E") = 1000000000000000000000 + + # 10 ** 18 + size_multiple("P") = 1000000000000000000 + + # 10 ** 15 + size_multiple("T") = 1000000000000000 + + # 10 ** 12 + size_multiple("G") = 1000000000000 + + # 10 ** 9 + size_multiple("M") = 1000000000 + + # 10 ** 6 + size_multiple("k") = 1000000 + + # 10 ** 3 + size_multiple("") 
= 1000 + + # Kubernetes accepts millibyte precision when it probably shouldn't. + # https://github.com/kubernetes/kubernetes/issues/28741 + # 10 ** 0 + size_multiple("m") = 1 + + # 1000 * 2 ** 10 + size_multiple("Ki") = 1024000 + + # 1000 * 2 ** 20 + size_multiple("Mi") = 1048576000 + + # 1000 * 2 ** 30 + size_multiple("Gi") = 1073741824000 + + # 1000 * 2 ** 40 + size_multiple("Ti") = 1099511627776000 + + # 1000 * 2 ** 50 + size_multiple("Pi") = 1125899906842624000 + + # 1000 * 2 ** 60 + size_multiple("Ei") = 1152921504606846976000 + + canonify_size(orig) = new { + is_number(orig) + new := orig * 1000 + } + + get_suffix(size) = suffix { + is_string(size) + count(size) > 0 + suffix := substring(size, count(size) - 1, -1) + size_multiple(suffix) + } + + get_suffix(size) = suffix { + is_string(size) + count(size) > 1 + suffix := substring(size, count(size) - 2, -1) + size_multiple(suffix) + } + + get_suffix(size) = suffix { + is_string(size) + count(size) > 1 + not size_multiple(substring(size, count(size) - 1, -1)) + not size_multiple(substring(size, count(size) - 2, -1)) + suffix := "" + } + + get_suffix(size) = suffix { + is_string(size) + count(size) == 1 + not size_multiple(substring(size, count(size) - 1, -1)) + suffix := "" + } + + get_suffix(size) = suffix { + is_string(size) + count(size) == 0 + suffix := "" + } + + canonify_size(orig) = new { + is_number(orig) + new := orig * 1000 + } + + canonify_size(orig) = new { + not is_number(orig) + suffix := get_suffix(orig) + raw := replace(orig, suffix, "") + re_match("^[0-9]+(\\.[0-9]+)?$", raw) + new := to_number(raw) * size_multiple(suffix) + } + libs: + - | + package lib.exempt_container + + is_exempt(container) { + exempt_images := object.get(object.get(input, "parameters", {}), "exemptImages", []) + img := container.image + exemption := exempt_images[_] + _matches_exemption(img, exemption) + } + + _matches_exemption(img, exemption) { + not endswith(exemption, "*") + exemption == img + } + + 
_matches_exemption(img, exemption) { + endswith(exemption, "*") + prefix := trim_suffix(exemption, "*") + startswith(img, prefix) + } + +``` + +### Usage +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/template.yaml +``` +## Examples diff --git a/website/sidebars.js b/website/sidebars.js index a14f9496c..b3fa809c3 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -47,6 +47,7 @@ module.exports = { 'validation/uniqueingresshost', 'validation/uniqueserviceselector', 'validation/verifydeprecatedapi', + 'validation/volumeresources', ], }, { From 7c1dbe0bb33a22936b9cc62849a51a0de7ea348e Mon Sep 17 00:00:00 2001 From: dongjiang1989 Date: Wed, 24 Apr 2024 22:29:00 +0800 Subject: [PATCH 02/10] fix by opa check --strict Signed-off-by: dongjiang1989 --- src/general/volumeresources/src.rego | 2 +- src/general/volumeresources/src_test.rego | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/general/volumeresources/src.rego b/src/general/volumeresources/src.rego index 9e90193b1..8b2ab33b3 100644 --- a/src/general/volumeresources/src.rego +++ b/src/general/volumeresources/src.rego @@ -113,6 +113,6 @@ canonify_size(orig) = new { not is_number(orig) suffix := get_suffix(orig) raw := replace(orig, suffix, "") - re_match("^[0-9]+(\\.[0-9]+)?$", raw) + regex.match("^[0-9]+(\\.[0-9]+)?$", raw) new := to_number(raw) * size_multiple(suffix) } \ No newline at end of file diff --git a/src/general/volumeresources/src_test.rego b/src/general/volumeresources/src_test.rego index 897e5ca15..7580efb4b 100644 --- a/src/general/volumeresources/src_test.rego +++ b/src/general/volumeresources/src_test.rego 
@@ -1,26 +1,26 @@ package k8svolumerequests test_input_no_sizeLimit { - input := {"review": container([{"emptyDir": {}, "name": "test"}]), "parameters": {"volumesizelimit": "3Gi"}} - results := violation with input as input + inp := {"review": container([{"emptyDir": {}, "name": "test"}]), "parameters": {"volumesizelimit": "3Gi"}} + results := violation with input as inp count(results) == 1 } test_input_with_sizeLimit_lower { - input := {"review": container([vol("2Gi", "test")]), "parameters": {"volumesizelimit": "3Gi"}} - results := violation with input as input + inp := {"review": container([vol("2Gi", "test")]), "parameters": {"volumesizelimit": "3Gi"}} + results := violation with input as inp count(results) == 0 } test_input_with_sizeLimit_higher { - input := {"review": container([vol("5Gi", "test")]), "parameters": {"volumesizelimit": "3Gi"}} - results := violation with input as input + inp := {"review": container([vol("5Gi", "test")]), "parameters": {"volumesizelimit": "3Gi"}} + results := violation with input as inp count(results) == 1 } test_input_with_sizeLimit_muti_higher { - input := {"review": container([vol("5Gi", "test"), vol("1Gi", "test1")]), "parameters": {"volumesizelimit": "3Gi"}} - results := violation with input as input + inp := {"review": container([vol("5Gi", "test"), vol("1Gi", "test1")]), "parameters": {"volumesizelimit": "3Gi"}} + results := violation with input as inp count(results) == 1 } From 86c4eb22f325832dac7c6ef4b9e67b614324e1f4 Mon Sep 17 00:00:00 2001 From: dongjiang1989 Date: Wed, 24 Apr 2024 22:37:20 +0800 Subject: [PATCH 03/10] update make generate-all Signed-off-by: dongjiang1989 --- .../library/general/volumeresources/1.0.0/artifacthub-pkg.yml | 2 +- artifacthub/library/general/volumeresources/1.0.0/template.yaml | 2 +- library/general/volumeresources/template.yaml | 2 +- website/docs/validation/volumeresources.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml b/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml index b8f23e7c6..6518f2dbe 100644 --- a/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml +++ b/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8svolumeresources displayName: Container emptyDir Volume Resources createdAt: "2024-04-24T10:00:57Z" description: Container emptyDir volume resources to be within the specified maximum values. -digest: 6332ca74d3e3e312d73e79f5d4bf294fccd732829a48a08d9adffa03c21826a0 +digest: 306b42db8c3d85fd748dd143c1b271624884519a4a18fe1292620d82e04bf4f7 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/volumeresources keywords: diff --git a/artifacthub/library/general/volumeresources/1.0.0/template.yaml b/artifacthub/library/general/volumeresources/1.0.0/template.yaml index 6a75168ad..479c3203e 100644 --- a/artifacthub/library/general/volumeresources/1.0.0/template.yaml +++ b/artifacthub/library/general/volumeresources/1.0.0/template.yaml @@ -139,7 +139,7 @@ spec: not is_number(orig) suffix := get_suffix(orig) raw := replace(orig, suffix, "") - re_match("^[0-9]+(\\.[0-9]+)?$", raw) + regex.match("^[0-9]+(\\.[0-9]+)?$", raw) new := to_number(raw) * size_multiple(suffix) } libs: diff --git a/library/general/volumeresources/template.yaml b/library/general/volumeresources/template.yaml index 6a75168ad..479c3203e 100644 --- a/library/general/volumeresources/template.yaml +++ b/library/general/volumeresources/template.yaml @@ -139,7 +139,7 @@ spec: not is_number(orig) suffix := get_suffix(orig) raw := replace(orig, suffix, "") - re_match("^[0-9]+(\\.[0-9]+)?$", raw) + regex.match("^[0-9]+(\\.[0-9]+)?$", raw) new := to_number(raw) * size_multiple(suffix) } libs: 
diff --git a/website/docs/validation/volumeresources.md b/website/docs/validation/volumeresources.md index 0780f61f9..e837840b8 100644 --- a/website/docs/validation/volumeresources.md +++ b/website/docs/validation/volumeresources.md @@ -151,7 +151,7 @@ spec: not is_number(orig) suffix := get_suffix(orig) raw := replace(orig, suffix, "") - re_match("^[0-9]+(\\.[0-9]+)?$", raw) + regex.match("^[0-9]+(\\.[0-9]+)?$", raw) new := to_number(raw) * size_multiple(suffix) } libs: From 2a80aed73989e83a967c695a687f506a9a0c555d Mon Sep 17 00:00:00 2001 From: dongjiang1989 Date: Thu, 25 Apr 2024 09:09:21 +0800 Subject: [PATCH 04/10] update suite.yaml and add new unittest case Signed-off-by: dongjiang1989 --- .../example-disallowed-muti.yaml | 34 +++++++++++++++++++ .../example_disallowed.yaml | 2 +- library/general/volumeresources/suite.yaml | 21 ++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 library/general/volumeresources/samples/container-emptydir-limit/example-disallowed-muti.yaml diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example-disallowed-muti.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example-disallowed-muti.yaml new file mode 100644 index 000000000..f4c8a0d78 --- /dev/null +++ b/library/general/volumeresources/samples/container-emptydir-limit/example-disallowed-muti.yaml @@ -0,0 +1,34 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + - mountPath: /demo-1 + name: demo-volume-1 + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory + - name: demo-volume-1 + emptyDir: + sizeLimit: 2Gi 
diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml index 18a89d151..2f62dd90e 100644 --- a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml +++ b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml @@ -24,4 +24,4 @@ spec: name: demo-volume volumes: - name: demo-volume - emptyDir: {} \ No newline at end of file + emptyDir: {} diff --git a/library/general/volumeresources/suite.yaml b/library/general/volumeresources/suite.yaml index e69de29bb..e55232fa6 100644 --- a/library/general/volumeresources/suite.yaml +++ b/library/general/volumeresources/suite.yaml @@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: volumeresources +tests: +- name: volumeresources + template: template.yaml + constraint: samples/container-emptydir-limit/constraint.yaml + cases: + - name: example-allowed + object: samples/container-emptydir-limit/example_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/container-emptydir-limit/example-disallowed.yaml + assertions: + - violations: yes + - name: example-disallowed-muti + object: samples/container-emptydir-limit/example-disallowed-muti.yaml + assertions: + - violations: yes \ No newline at end of file From 9378ac8d24220f64166153fc6884d41973b79fe6 Mon Sep 17 00:00:00 2001 From: dongjiang1989 Date: Thu, 25 Apr 2024 14:03:16 +0800 Subject: [PATCH 05/10] make generate 
Signed-off-by: dongjiang1989 --- .../example_disallowed.yaml | 2 +- .../example_disallowed_muti.yaml | 0 .../general/volumeresources/1.0.0/suite.yaml | 21 +++ .../example_disallowed_muti.yaml | 34 ++++ library/general/volumeresources/suite.yaml | 4 +- website/docs/validation/volumeresources.md | 166 ++++++++++++++++++ 6 files changed, 224 insertions(+), 3 deletions(-) rename library/general/volumeresources/samples/container-emptydir-limit/example-disallowed-muti.yaml => artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti.yaml (100%) create mode 100644 library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti.yaml diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml index 18a89d151..2f62dd90e 100644 --- a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml +++ b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml @@ -24,4 +24,4 @@ spec: name: demo-volume volumes: - name: demo-volume - emptyDir: {} \ No newline at end of file + emptyDir: {} diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example-disallowed-muti.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti.yaml similarity index 100% rename from library/general/volumeresources/samples/container-emptydir-limit/example-disallowed-muti.yaml rename to artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti.yaml diff --git a/artifacthub/library/general/volumeresources/1.0.0/suite.yaml b/artifacthub/library/general/volumeresources/1.0.0/suite.yaml index e69de29bb..1f46a7530 100644 
--- a/artifacthub/library/general/volumeresources/1.0.0/suite.yaml +++ b/artifacthub/library/general/volumeresources/1.0.0/suite.yaml @@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: volumeresources +tests: +- name: volumeresources + template: template.yaml + constraint: samples/container-emptydir-limit/constraint.yaml + cases: + - name: example-allowed + object: samples/container-emptydir-limit/example_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/container-emptydir-limit/example_disallowed.yaml + assertions: + - violations: yes + - name: example-disallowed-muti + object: samples/container-emptydir-limit/example_disallowed_muti.yaml + assertions: + - violations: yes \ No newline at end of file diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti.yaml new file mode 100644 index 000000000..f4c8a0d78 --- /dev/null +++ b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti.yaml @@ -0,0 +1,34 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + - mountPath: /demo-1 + name: demo-volume-1 + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory + - name: demo-volume-1 + emptyDir: + sizeLimit: 2Gi diff --git a/library/general/volumeresources/suite.yaml b/library/general/volumeresources/suite.yaml index e55232fa6..1f46a7530 100644 --- a/library/general/volumeresources/suite.yaml +++ b/library/general/volumeresources/suite.yaml 
@@ -12,10 +12,10 @@ tests: assertions: - violations: no - name: example-disallowed - object: samples/container-emptydir-limit/example-disallowed.yaml + object: samples/container-emptydir-limit/example_disallowed.yaml assertions: - violations: yes - name: example-disallowed-muti - object: samples/container-emptydir-limit/example-disallowed-muti.yaml + object: samples/container-emptydir-limit/example_disallowed_muti.yaml assertions: - violations: yes \ No newline at end of file diff --git a/website/docs/validation/volumeresources.md b/website/docs/validation/volumeresources.md index e837840b8..e2c45bb86 100644 --- a/website/docs/validation/volumeresources.md +++ b/website/docs/validation/volumeresources.md @@ -183,3 +183,169 @@ spec: kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/template.yaml ``` ## Examples +
+volumeresources + +
+constraint + +```yaml +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sVolumeRequests +metadata: + name: container-emptydir-limit +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + - apiGroups: ["apps"] + kinds: ["Deployment", "DaemonSet", "StatefulSet"] + parameters: + volumesizelimit: 1Gi + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml +``` + +
+ +
+example-allowed + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: allowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/samples/container-emptydir-limit/example_allowed.yaml +``` + +
+
+example-disallowed + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: {} + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml +``` + +
+
+example-disallowed-muti + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + - mountPath: /demo-1 + name: demo-volume-1 + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory + - name: demo-volume-1 + emptyDir: + sizeLimit: 2Gi + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti.yaml +``` + +
+ + +
\ No newline at end of file From 8e8e5deab5e3b40af582d142f8b689ceab38cb61 Mon Sep 17 00:00:00 2001 From: dongjiang1989 Date: Fri, 26 Apr 2024 11:14:09 +0800 Subject: [PATCH 06/10] fix ci Signed-off-by: dongjiang1989 --- library/general/kustomization.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/library/general/kustomization.yaml b/library/general/kustomization.yaml index 5e7cf5c01..efbdf7a4a 100644 --- a/library/general/kustomization.yaml +++ b/library/general/kustomization.yaml @@ -30,3 +30,4 @@ resources: - uniqueserviceselector - verifydeprecatedapi - storageclass +- volumeresources From 70cac676e1f31d58d2919e451c66fd78623fe316 Mon Sep 17 00:00:00 2001 From: dongjiang1989 Date: Tue, 11 Jun 2024 19:42:58 +0800 Subject: [PATCH 07/10] add expansion.tmpl Signed-off-by: dongjiang1989 --- .../volumeresources/1.0.0/artifacthub-pkg.yml | 2 +- .../container-emptydir-limit/constraint.yaml | 3 ++- .../volumeresources/1.0.0/template.yaml | 5 ++-- .../container-emptydir-limit/constraint.yaml | 3 ++- .../example_allowed_pod.yaml | 20 +++++++++++++++ .../example_disallowed_pod.yaml | 25 +++++++++++++++++++ .../container-emptydir-limit/expansion.yaml | 14 +++++++++++ library/general/volumeresources/suite.yaml | 10 +++++++- library/general/volumeresources/template.yaml | 5 ++-- src/general/volumeresources/constraint.tmpl | 1 - src/general/volumeresources/expansion.tmpl | 14 +++++++++++ src/general/volumeresources/src.rego | 4 +-- src/general/volumeresources/src_test.rego | 2 +- website/docs/validation/volumeresources.md | 8 +++--- 14 files changed, 98 insertions(+), 18 deletions(-) create mode 100644 library/general/volumeresources/samples/container-emptydir-limit/example_allowed_pod.yaml create mode 100644 library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml create mode 100644 library/general/volumeresources/samples/container-emptydir-limit/expansion.yaml create mode 100644 src/general/volumeresources/expansion.tmpl 
diff --git a/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml b/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml index 6518f2dbe..72cd1ecd2 100644 --- a/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml +++ b/artifacthub/library/general/volumeresources/1.0.0/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8svolumeresources displayName: Container emptyDir Volume Resources createdAt: "2024-04-24T10:00:57Z" description: Container emptyDir volume resources to be within the specified maximum values. -digest: 306b42db8c3d85fd748dd143c1b271624884519a4a18fe1292620d82e04bf4f7 +digest: cbff0bae172a3866c4097350e4c8b607b432356d1530873b011c127826792950 license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/volumeresources keywords: diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml index 8c94aa081..618c0d7b0 100644 --- a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml +++ b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml @@ -1,3 +1,4 @@ +--- apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sVolumeRequests metadata: @@ -8,6 +9,6 @@ spec: - apiGroups: [""] kinds: ["Pod"] - apiGroups: ["apps"] - kinds: ["Deployment", "DaemonSet", "StatefulSet"] + kinds: ["Deployment", "DaemonSet", "ReplicaSet", "StatefulSet"] parameters: volumesizelimit: 1Gi diff --git a/artifacthub/library/general/volumeresources/1.0.0/template.yaml b/artifacthub/library/general/volumeresources/1.0.0/template.yaml index 479c3203e..a97436178 100644 --- a/artifacthub/library/general/volumeresources/1.0.0/template.yaml +++ b/artifacthub/library/general/volumeresources/1.0.0/template.yaml 
@@ -7,7 +7,6 @@ metadata: metadata.gatekeeper.sh/version: 1.0.0 description: >- Container emptyDir volume resources to be within the specified maximum values. - spec: crd: spec: @@ -27,14 +26,14 @@ spec: package k8svolumerequests violation[{"msg": msg}] { - vols := input.review.object.spec.template.spec.volumes[_] + vols := input.review.object.spec.volumes[_] emptydir := vols.emptyDir not has_key(emptydir, "sizeLimit") msg := sprintf("Volume '%v' is not allowed, do not have set sizelimit", [vols.name]) } violation[{"msg": msg}] { - vols := input.review.object.spec.template.spec.volumes[_] + vols := input.review.object.spec.volumes[_] emptydir_orig := vols.emptyDir.sizeLimit size := canonify_size(emptydir_orig) max_size_orig := input.parameters.volumesizelimit diff --git a/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml b/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml index 8c94aa081..618c0d7b0 100644 --- a/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml +++ b/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml @@ -1,3 +1,4 @@ +--- apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sVolumeRequests metadata: @@ -8,6 +9,6 @@ spec: - apiGroups: [""] kinds: ["Pod"] - apiGroups: ["apps"] - kinds: ["Deployment", "DaemonSet", "StatefulSet"] + kinds: ["Deployment", "DaemonSet", "ReplicaSet", "StatefulSet"] parameters: volumesizelimit: 1Gi diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_allowed_pod.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_allowed_pod.yaml new file mode 100644 index 000000000..0984249b9 --- /dev/null +++ b/library/general/volumeresources/samples/container-emptydir-limit/example_allowed_pod.yaml 
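Review bot: After switching both rules to `input.review.object.spec.volumes[_]`, an object whose pod template lives under `spec.template.spec` (the Deployment/DaemonSet/ReplicaSet/StatefulSet kinds the constraint sample in this same commit still matches) leaves the path undefined, so neither rule fires and the workload is admitted silently rather than rejected. Those kinds are only covered when Gatekeeper's expansion feature materialises a Pod from `spec.template` (the new expansion.tmpl), which is an opt-in cluster configuration, so the template description should state it, e.g. `Only Pod objects are evaluated; workload controllers require an ExpansionTemplate that expands spec.template into a Pod.`. If the gator version in use supports an expansion reference in suite.yaml, the Deployment samples should point at the expansion template so they keep exercising the policy instead of passing vacuously. The same hunk appears in library/general/volumeresources/template.yaml, src/general/volumeresources/src.rego and website/docs/validation/volumeresources.md.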
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowed-pod + labels: + app: allowed-pod +spec: + containers: + - name: allowed-pod + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml new file mode 100644 index 000000000..079659fa9 --- /dev/null +++ b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowed-pod + labels: + app: allowed-pod +spec: + containers: + - name: allowed-pod + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + - mountPath: /demo-1 + name: demo-volume-1 + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory + - name: demo-volume-1 + emptyDir: + sizeLimit: 2Gi \ No newline at end of file diff --git a/library/general/volumeresources/samples/container-emptydir-limit/expansion.yaml b/library/general/volumeresources/samples/container-emptydir-limit/expansion.yaml new file mode 100644 index 000000000..b34c7db81 --- /dev/null +++ b/library/general/volumeresources/samples/container-emptydir-limit/expansion.yaml @@ -0,0 +1,14 @@ +apiVersion: expansion.gatekeeper.sh/v1alpha1 +kind: ExpansionTemplate +metadata: + name: container-emptydir-limit +spec: + applyTo: + - groups: ["apps"] + kinds: ["DaemonSet", "Deployment", "ReplicaSet", "StatefulSet"] + versions: ["v1"] + templateSource: "spec.template" + generatedGVK: + kind: "Pod" + group: "" + version: "v1" diff --git a/library/general/volumeresources/suite.yaml b/library/general/volumeresources/suite.yaml index 1f46a7530..fa535a4c9 100644 
--- a/library/general/volumeresources/suite.yaml +++ b/library/general/volumeresources/suite.yaml @@ -18,4 +18,12 @@ tests: - name: example-disallowed-muti object: samples/container-emptydir-limit/example_disallowed_muti.yaml assertions: - - violations: yes \ No newline at end of file + - violations: yes + - name: example-disallowed-pod + object: samples/container-emptydir-limit/example_disallowed_muti.yaml + assertions: + - violations: yes + - name: example-allowed-pod + object: samples/container-emptydir-limit/example_allowed_pod.yaml + assertions: + - violations: no \ No newline at end of file diff --git a/library/general/volumeresources/template.yaml b/library/general/volumeresources/template.yaml index 479c3203e..a97436178 100644 --- a/library/general/volumeresources/template.yaml +++ b/library/general/volumeresources/template.yaml @@ -7,7 +7,6 @@ metadata: metadata.gatekeeper.sh/version: 1.0.0 description: >- Container emptyDir volume resources to be within the specified maximum values. - spec: crd: spec: @@ -27,14 +26,14 @@ spec: package k8svolumerequests violation[{"msg": msg}] { - vols := input.review.object.spec.template.spec.volumes[_] + vols := input.review.object.spec.volumes[_] emptydir := vols.emptyDir not has_key(emptydir, "sizeLimit") msg := sprintf("Volume '%v' is not allowed, do not have set sizelimit", [vols.name]) } violation[{"msg": msg}] { - vols := input.review.object.spec.template.spec.volumes[_] + vols := input.review.object.spec.volumes[_] emptydir_orig := vols.emptyDir.sizeLimit size := canonify_size(emptydir_orig) max_size_orig := input.parameters.volumesizelimit diff --git a/src/general/volumeresources/constraint.tmpl b/src/general/volumeresources/constraint.tmpl index 8bd339fb6..65836fc69 100644 --- a/src/general/volumeresources/constraint.tmpl +++ b/src/general/volumeresources/constraint.tmpl 
@@ -7,7 +7,6 @@ metadata: metadata.gatekeeper.sh/version: 1.0.0 description: >- Container emptyDir volume resources to be within the specified maximum values. - spec: crd: spec: diff --git a/src/general/volumeresources/expansion.tmpl b/src/general/volumeresources/expansion.tmpl new file mode 100644 index 000000000..e8687dab2 --- /dev/null +++ b/src/general/volumeresources/expansion.tmpl @@ -0,0 +1,14 @@ +apiVersion: expansion.gatekeeper.sh/v1alpha1 +kind: ExpansionTemplate +metadata: + name: expand-apps +spec: + applyTo: + - groups: ["apps"] + kinds: ["DaemonSet", "Deployment", "ReplicaSet", "StatefulSet"] + versions: ["v1"] + templateSource: "spec.template" + generatedGVK: + kind: "Pod" + group: "" + version: "v1" \ No newline at end of file diff --git a/src/general/volumeresources/src.rego b/src/general/volumeresources/src.rego index 8b2ab33b3..fe70de726 100644 --- a/src/general/volumeresources/src.rego +++ b/src/general/volumeresources/src.rego @@ -1,14 +1,14 @@ package k8svolumerequests violation[{"msg": msg}] { - vols := input.review.object.spec.template.spec.volumes[_] + vols := input.review.object.spec.volumes[_] emptydir := vols.emptyDir not has_key(emptydir, "sizeLimit") msg := sprintf("Volume '%v' is not allowed, do not have set sizelimit", [vols.name]) } violation[{"msg": msg}] { - vols := input.review.object.spec.template.spec.volumes[_] + vols := input.review.object.spec.volumes[_] emptydir_orig := vols.emptyDir.sizeLimit size := canonify_size(emptydir_orig) max_size_orig := input.parameters.volumesizelimit diff --git a/src/general/volumeresources/src_test.rego b/src/general/volumeresources/src_test.rego index 7580efb4b..3ba457a93 100644 --- a/src/general/volumeresources/src_test.rego +++ b/src/general/volumeresources/src_test.rego 
@@ -25,7 +25,7 @@ test_input_with_sizeLimit_muti_higher { } container(volumes) = output { - output = {"object": {"spec": {"template": {"spec": {"volumes": volumes}}}}} + output = {"object": {"spec": {"volumes": volumes}}} } vol(size, name) = out { diff --git a/website/docs/validation/volumeresources.md b/website/docs/validation/volumeresources.md index e2c45bb86..5dc7da306 100644 --- a/website/docs/validation/volumeresources.md +++ b/website/docs/validation/volumeresources.md @@ -19,7 +19,6 @@ metadata: metadata.gatekeeper.sh/version: 1.0.0 description: >- Container emptyDir volume resources to be within the specified maximum values. - spec: crd: spec: @@ -39,14 +38,14 @@ spec: package k8svolumerequests violation[{"msg": msg}] { - vols := input.review.object.spec.template.spec.volumes[_] + vols := input.review.object.spec.volumes[_] emptydir := vols.emptyDir not has_key(emptydir, "sizeLimit") msg := sprintf("Volume '%v' is not allowed, do not have set sizelimit", [vols.name]) } violation[{"msg": msg}] { - vols := input.review.object.spec.template.spec.volumes[_] + vols := input.review.object.spec.volumes[_] emptydir_orig := vols.emptyDir.sizeLimit size := canonify_size(emptydir_orig) max_size_orig := input.parameters.volumesizelimit @@ -190,6 +189,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper- constraint ```yaml +--- apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sVolumeRequests metadata: @@ -200,7 +200,7 @@ spec: - apiGroups: [""] kinds: ["Pod"] - apiGroups: ["apps"] - kinds: ["Deployment", "DaemonSet", "StatefulSet"] + kinds: ["Deployment", "DaemonSet", "ReplicaSet", "StatefulSet"] parameters: volumesizelimit: 1Gi From f90dce071b66519d4d4c824920e76a591e1a5e73 Mon Sep 17 00:00:00 2001 From: dongjiang1989 Date: Tue, 11 Jun 2024 19:47:28 +0800 Subject: [PATCH 08/10] fix e2e casae 
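Review bot: The reshaped `container()` helper is only exercised by fixtures whose every volume is an emptyDir, so the case the first violation rule must not trip on — a volume without an `emptyDir` key, where `vols.emptyDir` is simply undefined — has no test. A fixture with a configMap volume asserting zero violations pins that behaviour and guards against a later rewrite that iterates volumes without checking the volume type; the existing `test_input_no_sizeLimit` and friends sit outside this hunk.

```rego
# … unchanged: container() and vol() helpers …

# A volume that is not an emptyDir must not trip either rule.
test_input_non_emptydir_volume {
    inp := {"review": container([{"configMap": {"name": "cm"}, "name": "cfg"}]), "parameters": {"volumesizelimit": "3Gi"}}
    results := violation with input as inp
    count(results) == 0
}
```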
Signed-off-by: dongjiang1989 --- .../container-emptydir-limit/example_disallowed_pod.yaml | 6 +++--- library/general/volumeresources/suite.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml index 079659fa9..fe918218b 100644 --- a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml +++ b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml @@ -1,12 +1,12 @@ apiVersion: v1 kind: Pod metadata: - name: allowed-pod + name: disallowed-pod labels: - app: allowed-pod + app: disallowed-pod spec: containers: - - name: allowed-pod + - name: disallowed-pod image: nginx:1.14.2 ports: - containerPort: 80 diff --git a/library/general/volumeresources/suite.yaml b/library/general/volumeresources/suite.yaml index fa535a4c9..719c81d5d 100644 --- a/library/general/volumeresources/suite.yaml +++ b/library/general/volumeresources/suite.yaml @@ -20,7 +20,7 @@ tests: assertions: - violations: yes - name: example-disallowed-pod - object: samples/container-emptydir-limit/example_disallowed_muti.yaml + object: samples/container-emptydir-limit/example_disallowed_pod.yaml assertions: - violations: yes - name: example-allowed-pod From 973ebb926eec29dc6cf070a95f3682277e270038 Mon Sep 17 00:00:00 2001 From: dongjiang1989 Date: Mon, 17 Jun 2024 15:47:30 +0800 Subject: [PATCH 09/10] keep the policy applicable to pods 
Signed-off-by: dongjiang1989 --- .../container-emptydir-limit/constraint.yaml | 2 - .../example_allowed_pod.yaml | 20 +++ .../example_disallowed_miss_pod.yaml | 18 +++ .../example_disallowed_muti_pod.yaml | 6 +- .../general/volumeresources/1.0.0/suite.yaml | 14 +- .../container-emptydir-limit/constraint.yaml | 2 - .../example_allowed.yaml | 29 ---- .../example_allowed_pod.yaml | 2 +- .../example_disallowed.yaml | 27 ---- .../example_disallowed_miss_pod.yaml | 18 +++ .../example_disallowed_muti.yaml | 34 ---- .../example_disallowed_muti_pod.yaml | 25 +++ .../container-emptydir-limit/expansion.yaml | 14 -- library/general/volumeresources/suite.yaml | 20 +-- src/general/volumeresources/expansion.tmpl | 14 -- website/docs/validation/volumeresources.md | 152 +++++++----------- 16 files changed, 158 insertions(+), 239 deletions(-) create mode 100644 artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed_pod.yaml create mode 100644 artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_miss_pod.yaml rename library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml => artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti_pod.yaml (81%) delete mode 100644 library/general/volumeresources/samples/container-emptydir-limit/example_allowed.yaml delete mode 100644 library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml create mode 100644 library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_miss_pod.yaml delete mode 100644 library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti.yaml create mode 100644 library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti_pod.yaml delete mode 100644 library/general/volumeresources/samples/container-emptydir-limit/expansion.yaml delete mode 
100644 src/general/volumeresources/expansion.tmpl diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml index 618c0d7b0..7d26e6a25 100644 --- a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml +++ b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/constraint.yaml @@ -8,7 +8,5 @@ spec: kinds: - apiGroups: [""] kinds: ["Pod"] - - apiGroups: ["apps"] - kinds: ["Deployment", "DaemonSet", "ReplicaSet", "StatefulSet"] parameters: volumesizelimit: 1Gi diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed_pod.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed_pod.yaml new file mode 100644 index 000000000..3c376e699 --- /dev/null +++ b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed_pod.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowed-pod + labels: + app: allowed-pod +spec: + containers: + - name: allowed-pod + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory \ No newline at end of file diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_miss_pod.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_miss_pod.yaml new file mode 100644 index 000000000..8882601e3 --- /dev/null +++ b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_miss_pod.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: disallowed-miss-pod + labels: + app: disallowed-miss-pod +spec: + containers: + - name: disallowed-miss-pod + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: {} \ No newline at end of file diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti_pod.yaml similarity index 81% rename from library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml rename to artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti_pod.yaml index fe918218b..440c32d07 100644 --- a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_pod.yaml +++ b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti_pod.yaml @@ -1,12 +1,12 @@ apiVersion: v1 kind: Pod metadata: - name: disallowed-pod + name: disallowed-muti-pod labels: - app: disallowed-pod + app: disallowed-muti-pod spec: containers: - - name: disallowed-pod + - name: disallowed-muti-pod image: nginx:1.14.2 ports: - containerPort: 80 diff --git a/artifacthub/library/general/volumeresources/1.0.0/suite.yaml b/artifacthub/library/general/volumeresources/1.0.0/suite.yaml index 1f46a7530..4aa90a9e3 100644 --- a/artifacthub/library/general/volumeresources/1.0.0/suite.yaml +++ b/artifacthub/library/general/volumeresources/1.0.0/suite.yaml 
@@ -7,15 +7,15 @@ tests: template: template.yaml constraint: samples/container-emptydir-limit/constraint.yaml cases: - - name: example-allowed - object: samples/container-emptydir-limit/example_allowed.yaml + - name: example-allowed-pod + object: samples/container-emptydir-limit/example_allowed_pod.yaml assertions: - violations: no - - name: example-disallowed - object: samples/container-emptydir-limit/example_disallowed.yaml + - name: example-disallowed-miss-pod + object: samples/container-emptydir-limit/example_disallowed_miss_pod.yaml assertions: - violations: yes - - name: example-disallowed-muti - object: samples/container-emptydir-limit/example_disallowed_muti.yaml + - name: example-disallowed-muti-pod + object: samples/container-emptydir-limit/example_disallowed_muti_pod.yaml assertions: - - violations: yes \ No newline at end of file + - violations: yes diff --git a/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml b/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml index 618c0d7b0..7d26e6a25 100644 --- a/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml +++ b/library/general/volumeresources/samples/container-emptydir-limit/constraint.yaml @@ -8,7 +8,5 @@ spec: kinds: - apiGroups: [""] kinds: ["Pod"] - - apiGroups: ["apps"] - kinds: ["Deployment", "DaemonSet", "ReplicaSet", "StatefulSet"] parameters: volumesizelimit: 1Gi diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_allowed.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_allowed.yaml deleted file mode 100644 index 4ecf62b79..000000000 --- a/library/general/volumeresources/samples/container-emptydir-limit/example_allowed.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: allowed-deployment - labels: - app: nginx -spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 - volumeMounts: - - mountPath: /demo - name: demo-volume - volumes: - - name: demo-volume - emptyDir: - sizeLimit: 16Mi - medium: Memory diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_allowed_pod.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_allowed_pod.yaml index 0984249b9..3c376e699 100644 --- a/library/general/volumeresources/samples/container-emptydir-limit/example_allowed_pod.yaml +++ b/library/general/volumeresources/samples/container-emptydir-limit/example_allowed_pod.yaml @@ -17,4 +17,4 @@ spec: - name: demo-volume emptyDir: sizeLimit: 16Mi - medium: Memory + medium: Memory \ No newline at end of file diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml deleted file mode 100644 index 2f62dd90e..000000000 --- a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: disallowed-deployment - labels: - app: nginx -spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 - volumeMounts: - - mountPath: /demo - name: demo-volume - volumes: - - name: demo-volume - emptyDir: {} 
diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_miss_pod.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_miss_pod.yaml new file mode 100644 index 000000000..8882601e3 --- /dev/null +++ b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_miss_pod.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: disallowed-miss-pod + labels: + app: disallowed-miss-pod +spec: + containers: + - name: disallowed-miss-pod + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: {} \ No newline at end of file diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti.yaml deleted file mode 100644 index f4c8a0d78..000000000 --- a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: disallowed-deployment - labels: - app: nginx -spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 - volumeMounts: - - mountPath: /demo - name: demo-volume - - mountPath: /demo-1 - name: demo-volume-1 - volumes: - - name: demo-volume - emptyDir: - sizeLimit: 16Mi - medium: Memory - - name: demo-volume-1 - emptyDir: - sizeLimit: 2Gi diff --git a/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti_pod.yaml b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti_pod.yaml new file mode 100644 index 000000000..440c32d07 --- /dev/null 
+++ b/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti_pod.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: disallowed-muti-pod + labels: + app: disallowed-muti-pod +spec: + containers: + - name: disallowed-muti-pod + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + - mountPath: /demo-1 + name: demo-volume-1 + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory + - name: demo-volume-1 + emptyDir: + sizeLimit: 2Gi \ No newline at end of file diff --git a/library/general/volumeresources/samples/container-emptydir-limit/expansion.yaml b/library/general/volumeresources/samples/container-emptydir-limit/expansion.yaml deleted file mode 100644 index b34c7db81..000000000 --- a/library/general/volumeresources/samples/container-emptydir-limit/expansion.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: expansion.gatekeeper.sh/v1alpha1 -kind: ExpansionTemplate -metadata: - name: container-emptydir-limit -spec: - applyTo: - - groups: ["apps"] - kinds: ["DaemonSet", "Deployment", "ReplicaSet", "StatefulSet"] - versions: ["v1"] - templateSource: "spec.template" - generatedGVK: - kind: "Pod" - group: "" - version: "v1" diff --git a/library/general/volumeresources/suite.yaml b/library/general/volumeresources/suite.yaml index 719c81d5d..4aa90a9e3 100644 --- a/library/general/volumeresources/suite.yaml +++ b/library/general/volumeresources/suite.yaml 
@@ -7,23 +7,15 @@ tests: template: template.yaml constraint: samples/container-emptydir-limit/constraint.yaml cases: - - name: example-allowed - object: samples/container-emptydir-limit/example_allowed.yaml + - name: example-allowed-pod + object: samples/container-emptydir-limit/example_allowed_pod.yaml assertions: - violations: no - - name: example-disallowed - object: samples/container-emptydir-limit/example_disallowed.yaml - assertions: - - violations: yes - - name: example-disallowed-muti - object: samples/container-emptydir-limit/example_disallowed_muti.yaml + - name: example-disallowed-miss-pod + object: samples/container-emptydir-limit/example_disallowed_miss_pod.yaml assertions: - violations: yes - - name: example-disallowed-pod - object: samples/container-emptydir-limit/example_disallowed_pod.yaml + - name: example-disallowed-muti-pod + object: samples/container-emptydir-limit/example_disallowed_muti_pod.yaml assertions: - violations: yes - - name: example-allowed-pod - object: samples/container-emptydir-limit/example_allowed_pod.yaml - assertions: - - violations: no \ No newline at end of file diff --git a/src/general/volumeresources/expansion.tmpl b/src/general/volumeresources/expansion.tmpl deleted file mode 100644 index e8687dab2..000000000 --- a/src/general/volumeresources/expansion.tmpl +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: expansion.gatekeeper.sh/v1alpha1 -kind: ExpansionTemplate -metadata: - name: expand-apps -spec: - applyTo: - - groups: ["apps"] - kinds: ["DaemonSet", "Deployment", "ReplicaSet", "StatefulSet"] - versions: ["v1"] - templateSource: "spec.template" - generatedGVK: - kind: "Pod" - group: "" - version: "v1" \ No newline at end of file diff --git a/website/docs/validation/volumeresources.md b/website/docs/validation/volumeresources.md index 5dc7da306..bd320c7b1 100644 --- a/website/docs/validation/volumeresources.md +++ b/website/docs/validation/volumeresources.md 
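Review bot: The rewritten suite pins only three outcomes (16Mi allowed, missing `sizeLimit` denied, 2Gi denied) and so does not exercise the boundary of the `volumesizelimit: 1Gi` parameter or a pod with no `emptyDir` at all, which is where an off-by-one comparison or a false positive on non-emptyDir volumes would go unnoticed. I would add two cases backed by two small sample files: one Pod whose emptyDir has `sizeLimit: 1Gi` exactly (expected to be allowed, assuming the limit is inclusive as the 16Mi example implies), and one Pod that mounts only a `configMap` volume (expected to have no violations). Each new sample should also end with a newline, unlike the files added in this patch, to keep the `\ No newline at end of file` markers out of future diffs.

```yaml
      - name: example-allowed-boundary-pod
        object: samples/container-emptydir-limit/example_allowed_boundary_pod.yaml
        assertions:
          - violations: no
      - name: example-allowed-no-emptydir-pod
        object: samples/container-emptydir-limit/example_allowed_no_emptydir_pod.yaml
        assertions:
          - violations: no
```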
@@ -199,8 +199,6 @@ spec: kinds: - apiGroups: [""] kinds: ["Pod"] - - apiGroups: ["apps"] - kinds: ["Deployment", "DaemonSet", "ReplicaSet", "StatefulSet"] parameters: volumesizelimit: 1Gi @@ -215,134 +213,104 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
-example-allowed +example-allowed-pod ```yaml -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: Pod metadata: - name: allowed-deployment + name: allowed-pod labels: - app: nginx + app: allowed-pod spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 - volumeMounts: - - mountPath: /demo - name: demo-volume - volumes: - - name: demo-volume - emptyDir: - sizeLimit: 16Mi - medium: Memory - + containers: + - name: allowed-pod + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory ``` Usage ```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/samples/container-emptydir-limit/example_allowed.yaml +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/samples/container-emptydir-limit/example_allowed_pod.yaml ```
-example-disallowed +example-disallowed-miss-pod ```yaml -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: Pod metadata: - name: disallowed-deployment + name: disallowed-miss-pod labels: - app: nginx + app: disallowed-miss-pod spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 - volumeMounts: - - mountPath: /demo - name: demo-volume - volumes: - - name: demo-volume - emptyDir: {} - + containers: + - name: disallowed-miss-pod + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + volumes: + - name: demo-volume + emptyDir: {} ``` Usage ```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed.yaml +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_miss_pod.yaml ```
-example-disallowed-muti +example-disallowed-muti-pod ```yaml -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: Pod metadata: - name: disallowed-deployment + name: disallowed-muti-pod labels: - app: nginx + app: disallowed-muti-pod spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 - volumeMounts: - - mountPath: /demo - name: demo-volume - - mountPath: /demo-1 - name: demo-volume-1 - volumes: - - name: demo-volume - emptyDir: - sizeLimit: 16Mi - medium: Memory - - name: demo-volume-1 - emptyDir: - sizeLimit: 2Gi - + containers: + - name: disallowed-muti-pod + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - mountPath: /demo + name: demo-volume + - mountPath: /demo-1 + name: demo-volume-1 + volumes: + - name: demo-volume + emptyDir: + sizeLimit: 16Mi + medium: Memory + - name: demo-volume-1 + emptyDir: + sizeLimit: 2Gi ``` Usage ```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti.yaml +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/volumeresources/samples/container-emptydir-limit/example_disallowed_muti_pod.yaml ```
From 98612c0d6f9593d8475a6f9c063395467a3ece96 Mon Sep 17 00:00:00 2001 From: dongjiang1989 Date: Tue, 18 Jun 2024 15:03:11 +0800 Subject: [PATCH 10/10] remove examples Signed-off-by: dongjiang1989 --- .../example_allowed.yaml | 29 ---------------- .../example_disallowed.yaml | 27 --------------- .../example_disallowed_muti.yaml | 34 ------------------- 3 files changed, 90 deletions(-) delete mode 100644 artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed.yaml delete mode 100644 artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml delete mode 100644 artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti.yaml diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed.yaml deleted file mode 100644 index 4ecf62b79..000000000 --- a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_allowed.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: allowed-deployment - labels: - app: nginx -spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 - volumeMounts: - - mountPath: /demo - name: demo-volume - volumes: - - name: demo-volume - emptyDir: - sizeLimit: 16Mi - medium: Memory diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml deleted file mode 100644 index 2f62dd90e..000000000 
--- a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: disallowed-deployment - labels: - app: nginx -spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 - volumeMounts: - - mountPath: /demo - name: demo-volume - volumes: - - name: demo-volume - emptyDir: {} diff --git a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti.yaml b/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti.yaml deleted file mode 100644 index f4c8a0d78..000000000 --- a/artifacthub/library/general/volumeresources/1.0.0/samples/container-emptydir-limit/example_disallowed_muti.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: disallowed-deployment - labels: - app: nginx -spec: - replicas: 3 - selector: - matchLabels: - app: nginx - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 - volumeMounts: - - mountPath: /demo - name: demo-volume - - mountPath: /demo-1 - name: demo-volume-1 - volumes: - - name: demo-volume - emptyDir: - sizeLimit: 16Mi - medium: Memory - - name: demo-volume-1 - emptyDir: - sizeLimit: 2Gi