Skip to content

Commit

Permalink
Merge pull request #21 from kcl-lang/add-more-mutation-models
Browse files Browse the repository at this point in the history
feat: add more mutation models
  • Loading branch information
Peefy authored Oct 12, 2023
2 parents d2338c4 + 42ae17b commit 0e1448b
Show file tree
Hide file tree
Showing 21 changed files with 262 additions and 0 deletions.
4 changes: 4 additions & 0 deletions examples/mutation/add-app-armor-annotation/kcl.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
[package]
name = "add-app-armor-annotation"
edition = "*"
version = "0.0.1"
9 changes: 9 additions & 0 deletions examples/mutation/add-app-armor-annotation/main.k
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
capabilities: [str] = option("params")?.capabilities or ["SETUID", "SETFCAP"]
items = [item | {
if item.kind == "Pod":
spec.containers: [{
metadata.annotations: {
"container.apparmor.security.beta.kubernetes.io/${container.name}": "runtime/default"
}
} for container in item.spec.containers]
} for item in option("items") or []]
28 changes: 28 additions & 0 deletions examples/mutation/add-app-armor-annotation/suite/good.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
apiVersion: krm.kcl.dev/v1alpha1
kind: KCLRun
metadata:
name: add-app-armor-annotation
annotations:
krm.kcl.dev/version: 0.0.1
krm.kcl.dev/type: mutation
documentation: >-
In the earlier Pod Security Policy controller, it was possible to define
a setting which would enable AppArmor for all the containers within a Pod so
they may be assigned the desired profile. Assigning an AppArmor profile, accomplished
via an annotation, is useful in that it allows secure defaults to be defined and may
also result in passing other validation rules such as those in the Pod Security Standards.
This policy mutates Pods to add an annotation for every container to enabled AppArmor
at the runtime/default level.
spec:
source: ./examples/mutation/add-app-armor-annotation/main.k
---
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
4 changes: 4 additions & 0 deletions examples/mutation/add-istio-sidecar-injection/kcl.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
[package]
name = "add-istio-sidecar-injection"
edition = "*"
version = "0.0.1"
6 changes: 6 additions & 0 deletions examples/mutation/add-istio-sidecar-injection/main.k
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
items = [item | {
if item.kind == "Namespace":
metadata.labels: {
"istio-injection" = "enabled"
}
} for item in option("items")]
20 changes: 20 additions & 0 deletions examples/mutation/add-istio-sidecar-injection/suite/good.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: krm.kcl.dev/v1alpha1
kind: KCLRun
metadata:
name: add-istio-sidecar-injection
annotations:
krm.kcl.dev/version: 0.0.1
krm.kcl.dev/type: mutation
documentation: >-
In order for Istio to inject sidecars to workloads deployed into Namespaces,
the label `istio-injection` must be set to `enabled`. As an alternative to
rejecting Namespace definitions which don't already contain this label,
it can be added automatically. This policy adds the label `istio-inject`
set to `enabled` for all new Namespaces.
spec:
source: ./examples/mutation/add-istio-sidecar-injection/main.k
---
apiVersion: v1
kind: Namespace
metadata:
name: sampleapp
4 changes: 4 additions & 0 deletions examples/mutation/add-linkerd-policy-annotation/kcl.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
[package]
name = "add-linkerd-policy-annotation"
edition = "*"
version = "0.0.1"
5 changes: 5 additions & 0 deletions examples/mutation/add-linkerd-policy-annotation/main.k
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
items = [item | {
metadata.annotations: {
"config.linkerd.io/default-inbound-policy" = "deny"
}
} for item in option("items")]
22 changes: 22 additions & 0 deletions examples/mutation/add-linkerd-policy-annotation/suite/good.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
apiVersion: krm.kcl.dev/v1alpha1
kind: KCLRun
metadata:
name: add-linkerd-policy-annotation
annotations:
krm.kcl.dev/version: 0.0.1
krm.kcl.dev/type: mutation
documentation: >-
Add Linkerd Policy Annotation
spec:
source: ./examples/mutation/add-linkerd-policy-annotation/main.k
---
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
4 changes: 4 additions & 0 deletions examples/mutation/add-ndots/kcl.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
[package]
name = "add-ndots"
edition = "*"
version = "0.0.1"
9 changes: 9 additions & 0 deletions examples/mutation/add-ndots/main.k
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
items = [item | {
if item.kind == "Pod":
spec.dnsConfig.options += [
{
name = "ndots"
value: "1"
}
]
} for item in option("items")]
24 changes: 24 additions & 0 deletions examples/mutation/add-ndots/suite/good.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
apiVersion: krm.kcl.dev/v1alpha1
kind: KCLRun
metadata:
name: add-ndots
annotations:
krm.kcl.dev/version: 0.0.1
krm.kcl.dev/type: mutation
documentation: >-
The ndots value controls where DNS lookups are first performed in a cluster
and needs to be set to a lower value than the default of 5 in some cases.
This policy mutates all Pods to add the ndots option with a value of 1.
spec:
source: ./examples/mutation/add-ndots/main.k
---
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
3 changes: 3 additions & 0 deletions examples/mutation/add-nodeselector/kcl.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[package]
name = "add-nodeselector"
version = "0.0.1"
7 changes: 7 additions & 0 deletions examples/mutation/add-nodeselector/main.k
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
params = option("params") or {}
# Use `k = v` to override existing selector
selector: {str:str} = {k = v for k, v in params.selector or {}}
items = [item | {
if item.kind == "Pod":
spec.nodeSelector: selector
} for item in option("items")]
25 changes: 25 additions & 0 deletions examples/mutation/add-nodeselector/suite/good.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
apiVersion: krm.kcl.dev/v1alpha1
kind: KCLRun
metadata:
name: add-nodeselector
annotations:
krm.kcl.dev/version: 0.0.1
krm.kcl.dev/type: mutation
documentation: >-
Add nodeselector
spec:
params:
selector:
foo: bar
source: ./examples/mutation/add-nodeselector/main.k
---
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
4 changes: 4 additions & 0 deletions examples/mutation/add-psa-labels/kcl.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
[package]
name = "add-psa-labels"
edition = "*"
version = "0.0.1"
7 changes: 7 additions & 0 deletions examples/mutation/add-psa-labels/main.k
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
items = [item | {
if item.kind == "Namespace":
metadata.labels: {
"pod-security.kubernetes.io/enforce" = "baseline"
"pod-security.kubernetes.io/warn" = "restricted"
}
} for item in option("items")]
22 changes: 22 additions & 0 deletions examples/mutation/add-psa-labels/suite/good.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
apiVersion: krm.kcl.dev/v1alpha1
kind: KCLRun
metadata:
name: add-psa-labels
annotations:
krm.kcl.dev/version: 0.0.1
krm.kcl.dev/type: mutation
documentation: >-
Pod Security Admission (PSA) can be controlled via the assignment of labels
at the Namespace level which define the Pod Security Standard (PSS) profile
in use and the action to take. If not using a cluster-wide configuration
via an AdmissionConfiguration file, Namespaces must be explicitly labeled.
This policy assigns the labels `pod-security.kubernetes.io/enforce=baseline`
and `pod-security.kubernetes.io/warn=restricted` to all new Namespaces if
those labels are not included.
spec:
source: ./examples/mutation/add-psa-labels/main.k
---
apiVersion: v1
kind: Namespace
metadata:
name: sampleapp
3 changes: 3 additions & 0 deletions examples/mutation/add-quota/kcl.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[package]
name = "add-quota"
version = "0.0.1"
36 changes: 36 additions & 0 deletions examples/mutation/add-quota/main.k
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
ns_list = [item.metadata.name for item in option("items") if item.kind == "Namespace"]

items = option("items") + [
{
apiVersion: "v1"
kind: "ResourceQuota"
name: "default-resourcequota"
synchronize: True
namespace: ns
data.spec.hard: {
'requests.cpu': '4'
'requests.memory': str(16Gi)
'limits.cpu': '4'
'limits.memory': str(16Gi)
}
} for ns in ns_list
] + [
{
apiVersion: "v1"
kind: "LimitRange"
name: "default-limitrange"
synchronize: True
namespace: ns
data.spec.limits = [{
default: {
cpu: str(500m)
memory: str(1Gi)
}
defaultRequest: {
cpu: str(200m)
memory: str(256Mi)
}
type: "Container"
}]
} for ns in ns_list
]
16 changes: 16 additions & 0 deletions examples/mutation/add-quota/suite/good.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: krm.kcl.dev/v1alpha1
kind: KCLRun
metadata:
name: add-quota
annotations:
krm.kcl.dev/version: 0.0.1
krm.kcl.dev/type: mutation
documentation: >-
Add quota
spec:
source: ./examples/mutation/add-quota/main.k
---
apiVersion: v1
kind: Namespace
metadata:
name: sampleapp

0 comments on commit 0e1448b

Please sign in to comment.