added policies

Author: hackeramitkumar

pod.yml renamed to Deployment1.yml

@@ -0,0 +1,29 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-default-resources
+spec:
+  background: false
+  rules:
+  - name: add-default-requests
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    preconditions:
+      any:
+      - key: "{{request.operation}}"
+        operator: AnyIn
+        value:
+        - CREATE
+        - UPDATE
+    mutate:
+      patchStrategicMerge:
+        spec:
+          containers:
+            - (name): "*"
+              resources:
+                requests:
+                  +(memory): "100Mi"
+                  +(cpu): "100m"

pod2.yml renamed to Deployment2.yml

@@ -1,18 +1,19 @@
-name: verify_multiple_resources
+name: add-default-resources
 policies:
-  - policy3.yml
+  - add-default-resources.yaml
 resources:
-  # - pod3.yml
-  - pod4.yml
-variables: values.yml
+  - resource.yaml
+variables: values.yaml
 results:
-  # - policy: check-image
-  #   rule: check-image
-  #   resource: pod-3
-  #   kind: Pod
-  #   result: pass
-  - policy: check-image
-    rule: check-image
-    resource: pod-4
+  - policy: add-default-resources
+    rule: add-default-requests
+    resource: nginx-demo1
+    patchedResource: patchedResource1.yaml
     kind: Pod
-    result: pass
+    result: Fail
+  - policy: add-default-resources
+    rule: add-default-requests
+    resource: nginx-demo2
+    patchedResource: patchedResource2.yaml
+    kind: Pod
+    result: skip

pod5.yml renamed to Deployment5.yml

@@ -0,0 +1,18 @@
+name: verify_multiple_resources
+policies:
+  - policy3.yml
+resources:
+  # - pod3.yml
+  - pod3.yml
+variables: values.yml
+results:
+  # - policy: check-image
+  #   rule: check-image
+  #   resource: pod-3
+  #   kind: Pod
+  #   result: pass
+  - policy: check-image
+    rule: check-image
+    resource: pod-3
+    kind: Pod
+    result: pass

pod6.yml renamed to Deployment6.yml

@@ -5,9 +5,9 @@ metadata:
   namespace: default
 spec:
   containers:
-    - image: ghcr.io/hackeramitkumar/test6:app
-      name: bad-container
-      imagePullPolicy: Always
+    # - image: ghcr.io/hackeramitkumar/test6:app
+    #   name: bad-container
+    #   imagePullPolicy: Always
     - image: ghcr.io/hackeramitkumar/test5:app
       name: good-container
       imagePullPolicy: Always

add-default-resources.yaml

@@ -5,9 +5,9 @@ metadata:
   namespace: default
 spec:
   containers:
-    - image: ghcr.io/hackeramitkumar/test5:app
+    - image: ghcr.io/hackeramitkumar/test5:app2
       name: good-container
       imagePullPolicy: Always
-    - image: ghcr.io/hackeramitkumar/test6:app
-      name: bad-container
-      imagePullPolicy: Always
+    # - image: ghcr.io/hackeramitkumar/test6:app
+    #   name: bad-container
+    #   imagePullPolicy: Always

kyverno-test.yaml

@@ -13,6 +13,7 @@ spec:
         any:
         - resources:
             kinds:
+              - Deployment
               - Pod
       verifyImages:
       - imageReferences:

kyverno-test1.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-demo1
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-demo2
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
+    resources:
+      requests:
+        memory: "200Mi" 
+        cpu: "200m"

pod3.yml

@@ -0,0 +1,9 @@
+policies:
+- name: add-default-resources
+  resources:
+  - name: nginx-demo1
+    values:
+      request.operation: CREATE
+  - name: nginx-demo2
+    values:
+      request.operation: UPDATE