feat: add kyverno/kyverno #7216

Merged
merged 2 commits into from Oct 19, 2022

@ponkio-o ponkio-o commented Oct 19, 2022

#7216 kyverno/kyverno: Kubernetes Native Policy Management

```console
$ aqua g -i kyverno/kyverno
```

## How to confirm if this package works well

Reviewers aren't necessarily familiar with this package, so please describe how to confirm if this package works well.
Please confirm if this package works well yourself as much as possible.

Command and output

```console
$ kyverno --help
Kubernetes Native Policy Management

Usage:
  kyverno [command]

Available Commands:
  apply       applies policies on resources
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  jp          Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions
  test        run tests from directory
  version     Shows current version of kyverno

Flags:
      --add_dir_header           If true, adds the file directory to the header of the log messages
  -h, --help                     help for kyverno
      --log_file string          If non-empty, use this log file
      --log_file_max_size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --one_output               If true, only write logs to their native severity level (vs also writing to each lower severity level)
      --skip_headers             If true, avoid header prefixes in the log messages
      --skip_log_headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kyverno [command] --help" for more information about a command.
```

If files such as configuration files are needed, please share them.

Create disallow_latest_tag.yaml

```console
$ cat disallow_latest_tag.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
  annotations:
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/description: >-
      The ':latest' tag is mutable and can lead to unexpected errors if the
      image changes. A best practice is to use an immutable tag that maps to
      a specific version of an application pod.
spec:
  validationFailureAction: audit
  rules:
  - name: require-image-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
      clusterRoles:
      - cluster-admin
    validate:
      message: "An image tag is required."
      pattern:
        spec:
          containers:
          - image: "*:*"
  - name: validate-image-tag
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Using a mutable image tag e.g. 'latest' is not allowed."
      pattern:
        spec:
          containers:
          - image: "!*:latest"
```

Create resource.yaml

```console
$ cat resource.yaml
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers:
  - name: nginx
    image: nginx:1.12
```

Create kyverno-test.yaml

```yaml
name: disallow_latest_tag
policies:
  - disallow_latest_tag.yaml
resources:
  - resource.yaml
results:
  - policy: disallow-latest-tag
    rule: require-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
  - policy: disallow-latest-tag
    rule: validate-image-tag
    resource: myapp-pod
    kind: Pod
    result: pass
```

Run kyverno test

```console
$ kyverno test .
Executing disallow_latest_tag...
applying 1 policy to 1 resource...

│───│─────────────────────│────────────────────│───────────────────────│────────│
│ # │ POLICY              │ RULE               │ RESOURCE              │ RESULT │
│───│─────────────────────│────────────────────│───────────────────────│────────│
│ 1 │ disallow-latest-tag │ require-image-tag  │ default/Pod/myapp-pod │ Pass   │
│ 2 │ disallow-latest-tag │ validate-image-tag │ default/Pod/myapp-pod │ Pass   │
│───│─────────────────────│────────────────────│───────────────────────│────────│

Test Summary: 2 tests passed and 0 tests failed
```
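The test above only exercises the passing case. Before adding failing cases to kyverno-test.yaml, it helps to see what the two validate patterns actually accept; the following is an added Python emulation of Kyverno's string-pattern matching (example code, not from the PR or from Kyverno). It assumes Kyverno's `*` wildcard matches any run of characters, including `/` and `:`, ignores the `match` clauses entirely, and uses constructed pod names and image strings apart from the PR's own myapp-pod.

```python
import re

# The two validate patterns from disallow_latest_tag.yaml, in rule order.
RULES = [
    ("require-image-tag", "*:*"),
    ("validate-image-tag", "!*:latest"),
]


def wildcard_match(pattern: str, value: str) -> bool:
    """Kyverno-style string pattern: '*' = any run of characters, '?' = one
    character, and a leading '!' negates the whole pattern.
    Assumption: '*' also spans '/' and ':' (it is not a filesystem glob)."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    matched = re.fullmatch(regex, value) is not None
    return matched != negate  # flip the outcome when the pattern is negated


def make_pod(name: str, images: list) -> dict:
    """Build a minimal Pod shaped like resource.yaml with the given images."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": [{"name": f"c{i}", "image": img}
                                    for i, img in enumerate(images)]}}


def evaluate_pod(pod: dict) -> dict:
    """Return {rule: 'pass'|'fail'}. A list pattern must hold for every
    container, so a single offending image fails the whole rule."""
    images = [c["image"] for c in pod["spec"]["containers"]]
    return {rule: "pass" if all(wildcard_match(pat, img) for img in images) else "fail"
            for rule, pat in RULES}


# Constructed Pods: the PR's resource.yaml plus cases worth adding to kyverno-test.yaml.
SAMPLE_PODS = [
    make_pod("myapp-pod", ["nginx:1.12"]),                    # pass, pass
    make_pod("latest-pod", ["nginx:latest"]),                 # pass, fail
    make_pod("untagged-pod", ["nginx"]),                      # fail, pass
    make_pod("mixed-pod", ["nginx:1.12", "busybox:latest"]),  # pass, fail (one bad container)
    # Caveat: a registry port supplies the ':' that "*:*" looks for, so an
    # untagged image pulled from a registry with a port passes both rules.
    make_pod("port-no-tag-pod", ["registry.example.internal:5000/nginx"]),  # pass, pass
]

if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        print(f"{pod['metadata']['name']:<16}", evaluate_pod(pod))
```

Each constructed pod maps to an entry in kyverno-test.yaml with the expected result shown in the comment; the last case is the one to add with `result: fail` if the policy is meant to require an explicit tag for port-qualified registries too.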

Reference

[kyverno/kyverno](https://github.com/kyverno/kyverno): Kubernetes Native Policy Management

@suzuki-shunsuke suzuki-shunsuke added the enhancement New feature or request label Oct 19, 2022
@suzuki-shunsuke suzuki-shunsuke added this to the v3.78.0 milestone Oct 19, 2022
@suzuki-shunsuke suzuki-shunsuke merged commit ea95b20 into aquaproj:main Oct 19, 2022