diff --git a/examples/mutation/add-app-armor-annotation/kcl.mod b/examples/mutation/add-app-armor-annotation/kcl.mod new file mode 100644 index 0000000..2e443f3 --- /dev/null +++ b/examples/mutation/add-app-armor-annotation/kcl.mod @@ -0,0 +1,4 @@ +[package] +name = "add-app-armor-annotation" +edition = "*" +version = "0.0.1" diff --git a/examples/mutation/add-app-armor-annotation/main.k b/examples/mutation/add-app-armor-annotation/main.k new file mode 100644 index 0000000..979d14e --- /dev/null +++ b/examples/mutation/add-app-armor-annotation/main.k @@ -0,0 +1,9 @@ +capabilities: [str] = option("params")?.capabilities or ["SETUID", "SETFCAP"] +items = [item | { + if item.kind == "Pod": + spec.containers: [{ + metadata.annotations: { + "container.apparmor.security.beta.kubernetes.io/${container.name}": "runtime/default" + } + } for container in item.spec.containers] +} for item in option("items") or []] diff --git a/examples/mutation/add-app-armor-annotation/suite/good.yaml b/examples/mutation/add-app-armor-annotation/suite/good.yaml new file mode 100644 index 0000000..acb3479 --- /dev/null +++ b/examples/mutation/add-app-armor-annotation/suite/good.yaml 
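Review bot: The AppArmor annotation is written under each container entry (`spec.containers: [{ metadata.annotations: {...} } for container in item.spec.containers]`), but a Kubernetes container has no `metadata` field; the `container.apparmor.security.beta.kubernetes.io/<name>` key must live in the Pod's own `metadata.annotations`, so depending on field validation the mutated Pod is either rejected or the unknown field is pruned and no profile is ever applied. I would replace the inner block with `metadata.annotations: {` / `"container.apparmor.security.beta.kubernetes.io/${container.name}" = "runtime/default" for container in item.spec.containers` / `}` and keep the `if item.kind == "Pod"` guard unchanged. The `capabilities` option on the first line is never referenced, and its `SETUID`/`SETFCAP` defaults have nothing to do with AppArmor, so it looks copied from another policy; drop it or wire it in. Newer Kubernetes releases expose AppArmor through `securityContext.appArmorProfile` and treat the annotation as a legacy path, so a comment stating which API versions this targets would help the next maintainer.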
@@ -0,0 +1,28 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: add-app-armor-annotation + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: mutation + documentation: >- + In the earlier Pod Security Policy controller, it was possible to define + a setting which would enable AppArmor for all the containers within a Pod so + they may be assigned the desired profile. Assigning an AppArmor profile, accomplished + via an annotation, is useful in that it allows secure defaults to be defined and may + also result in passing other validation rules such as those in the Pod Security Standards. + This policy mutates Pods to add an annotation for every container to enabled AppArmor + at the runtime/default level. +spec: + source: ./examples/mutation/add-app-armor-annotation/main.k +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/examples/mutation/add-istio-sidecar-injection/kcl.mod b/examples/mutation/add-istio-sidecar-injection/kcl.mod new file mode 100644 index 0000000..41bce69 --- /dev/null +++ b/examples/mutation/add-istio-sidecar-injection/kcl.mod @@ -0,0 +1,4 @@ +[package] +name = "add-istio-sidecar-injection" +edition = "*" +version = "0.0.1" diff --git a/examples/mutation/add-istio-sidecar-injection/main.k b/examples/mutation/add-istio-sidecar-injection/main.k new file mode 100644 index 0000000..3d170e9 --- /dev/null +++ b/examples/mutation/add-istio-sidecar-injection/main.k @@ -0,0 +1,6 @@ +items = [item | { + if item.kind == "Namespace": + metadata.labels: { + "istio-injection" = "enabled" + } +} for item in option("items")] diff --git a/examples/mutation/add-istio-sidecar-injection/suite/good.yaml b/examples/mutation/add-istio-sidecar-injection/suite/good.yaml new file mode 100644 index 0000000..8db96d7 --- /dev/null +++ b/examples/mutation/add-istio-sidecar-injection/suite/good.yaml 
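Review bot: The fixture exercises only a single-container Pod, so the per-container key generation (`${container.name}` in main.k) is never tested with more than one container; adding a second container such as a sidecar to the sample Pod would catch a mutation that annotates only the first container or collapses the keys. The `documentation` text also has a typo, `to enabled AppArmor` should read `to enable AppArmor`, and it should say that the annotation is the legacy mechanism where `securityContext.appArmorProfile` is available.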
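Review bot: `"istio-injection" = "enabled"` uses the override operator with no exclusion beyond the kind check, so the label is forced onto every Namespace in the input, including ones an operator has deliberately labelled `istio-injection: disabled` and control-plane namespaces such as `kube-system` or `istio-system`, where sidecar injection is normally undesirable and, as far as I know, unsupported. I would honour an existing value and skip control-plane namespaces, e.g. `if item.kind == "Namespace" and "istio-injection" not in (item.metadata.labels or {}) and item.metadata.name not in ["kube-system", "istio-system"]:`, or at least use a merge rather than an override so an explicit opt-out is not silently reversed. The AppArmor policy in this same change iterates `option("items") or []`; the same fallback belongs here so an empty input does not fail.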
@@ -0,0 +1,20 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: add-istio-sidecar-injection + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: mutation + documentation: >- + In order for Istio to inject sidecars to workloads deployed into Namespaces, + the label `istio-injection` must be set to `enabled`. As an alternative to + rejecting Namespace definitions which don't already contain this label, + it can be added automatically. This policy adds the label `istio-inject` + set to `enabled` for all new Namespaces. +spec: + source: ./examples/mutation/add-istio-sidecar-injection/main.k +--- +apiVersion: v1 +kind: Namespace +metadata: + name: sampleapp diff --git a/examples/mutation/add-linkerd-policy-annotation/kcl.mod b/examples/mutation/add-linkerd-policy-annotation/kcl.mod new file mode 100644 index 0000000..f4d28c4 --- /dev/null +++ b/examples/mutation/add-linkerd-policy-annotation/kcl.mod @@ -0,0 +1,4 @@ +[package] +name = "add-linkerd-policy-annotation" +edition = "*" +version = "0.0.1" diff --git a/examples/mutation/add-linkerd-policy-annotation/main.k b/examples/mutation/add-linkerd-policy-annotation/main.k new file mode 100644 index 0000000..96710f0 --- /dev/null +++ b/examples/mutation/add-linkerd-policy-annotation/main.k @@ -0,0 +1,5 @@ +items = [item | { + metadata.annotations: { + "config.linkerd.io/default-inbound-policy" = "deny" + } +} for item in option("items")] diff --git a/examples/mutation/add-linkerd-policy-annotation/suite/good.yaml b/examples/mutation/add-linkerd-policy-annotation/suite/good.yaml new file mode 100644 index 0000000..1df9b6d --- /dev/null +++ b/examples/mutation/add-linkerd-policy-annotation/suite/good.yaml 
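Review bot: The `documentation` text says the policy adds the label `istio-inject`, while the accompanying main.k sets `istio-injection`; the former is not a key Istio recognises, so the sentence should read `This policy adds the label istio-injection set to enabled for all new Namespaces.` (with the key and value in code formatting). The fixture contains only an unlabelled Namespace, so it does not show what happens to a Namespace that already carries `istio-injection: disabled`; a second Namespace document with that label would pin the intended precedence.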
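Review bot: The comprehension has no kind filter, so `config.linkerd.io/default-inbound-policy: deny` is stamped onto every object in the input, including ConfigMaps, Secrets, Services and the KCLRun document itself, where Linkerd never reads it; every other mutation in this change guards with `if item.kind == ...`. As far as I know Linkerd evaluates this annotation on Namespaces and on Pods (for a Deployment it has to sit in `spec.template.metadata.annotations`, not the top-level metadata), so I would restrict it with `if item.kind in ["Namespace", "Pod"]:` and handle pod templates separately if workloads are in scope. The `=` operator also overwrites an existing, possibly more specific value such as `all-authenticated`; if the intent is a default rather than a forced setting, set it only when the key is absent. Iterate `option("items") or []` as the AppArmor policy does.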
@@ -0,0 +1,22 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: add-linkerd-policy-annotation + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: mutation + documentation: >- + Add Linkerd Policy Annotation +spec: + source: ./examples/mutation/add-linkerd-policy-annotation/main.k +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/examples/mutation/add-ndots/kcl.mod b/examples/mutation/add-ndots/kcl.mod new file mode 100644 index 0000000..c2c7553 --- /dev/null +++ b/examples/mutation/add-ndots/kcl.mod @@ -0,0 +1,4 @@ +[package] +name = "add-ndots" +edition = "*" +version = "0.0.1" diff --git a/examples/mutation/add-ndots/main.k b/examples/mutation/add-ndots/main.k new file mode 100644 index 0000000..a5c73c1 --- /dev/null +++ b/examples/mutation/add-ndots/main.k @@ -0,0 +1,9 @@ +items = [item | { + if item.kind == "Pod": + spec.dnsConfig.options += [ + { + name = "ndots" + value: "1" + } + ] +} for item in option("items")] diff --git a/examples/mutation/add-ndots/suite/good.yaml b/examples/mutation/add-ndots/suite/good.yaml new file mode 100644 index 0000000..6fcddbf --- /dev/null +++ b/examples/mutation/add-ndots/suite/good.yaml @@ -0,0 +1,24 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: add-ndots + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: mutation + documentation: >- + The ndots value controls where DNS lookups are first performed in a cluster + and needs to be set to a lower value than the default of 5 in some cases. + This policy mutates all Pods to add the ndots option with a value of 1. +spec: + source: ./examples/mutation/add-ndots/main.k +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 
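Review bot: The `documentation` annotation is the placeholder `Add Linkerd Policy Annotation`, while the other suites in this change explain what the mutation does and why; it should at least say that the policy sets `config.linkerd.io/default-inbound-policy` to `deny`, meaning inbound traffic to meshed workloads is rejected unless a Linkerd `Server`/`ServerAuthorization` allows it, and which kinds it targets. The fixture is a single Pod, so it also does not demonstrate the Namespace case, which is where this annotation is usually applied.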
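Review bot: `spec.dnsConfig.options += [...]` appends unconditionally, so a Pod that already sets `ndots` ends up with two entries for the same option and it is left to the resolver which one wins. I would replace any existing entry instead: `spec.dnsConfig.options = [o for o in (item.spec?.dnsConfig?.options or []) if o.name != "ndots"] + [{name = "ndots", value = "1"}]`; I am not certain how KCL resolves `+=` when `dnsConfig` is absent, so a fixture Pod with and without `dnsConfig` would settle it. The dict mixes `name = ...` and `value: ...` operators for no reason; pick one. The documentation should also carry the trade-off: with `ndots:1` a name containing a dot (e.g. `svc.ns`) is typically sent as an absolute query before the search path is tried, which can forward internal service names to upstream resolvers.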
diff --git a/examples/mutation/add-nodeselector/kcl.mod b/examples/mutation/add-nodeselector/kcl.mod new file mode 100644 index 0000000..151a63c --- /dev/null +++ b/examples/mutation/add-nodeselector/kcl.mod @@ -0,0 +1,3 @@ +[package] +name = "add-nodeselector" +version = "0.0.1" diff --git a/examples/mutation/add-nodeselector/main.k b/examples/mutation/add-nodeselector/main.k new file mode 100644 index 0000000..00b2c5f --- /dev/null +++ b/examples/mutation/add-nodeselector/main.k @@ -0,0 +1,7 @@ +params = option("params") or {} +# Use `k = v` to override existing selector +selector: {str:str} = {k = v for k, v in params.selector or {}} +items = [item | { + if item.kind == "Pod": + spec.nodeSelector: selector +} for item in option("items")] diff --git a/examples/mutation/add-nodeselector/suite/good.yaml b/examples/mutation/add-nodeselector/suite/good.yaml new file mode 100644 index 0000000..618e12c --- /dev/null +++ b/examples/mutation/add-nodeselector/suite/good.yaml @@ -0,0 +1,25 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: add-nodeselector + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: mutation + documentation: >- + Add nodeselector +spec: + params: + selector: + foo: bar + source: ./examples/mutation/add-nodeselector/main.k +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/examples/mutation/add-psa-labels/kcl.mod b/examples/mutation/add-psa-labels/kcl.mod new file mode 100644 index 0000000..d070780 --- /dev/null +++ b/examples/mutation/add-psa-labels/kcl.mod @@ -0,0 +1,4 @@ +[package] +name = "add-psa-labels" +edition = "*" +version = "0.0.1" diff --git a/examples/mutation/add-psa-labels/main.k b/examples/mutation/add-psa-labels/main.k new file mode 100644 index 0000000..69ca7dc --- /dev/null +++ b/examples/mutation/add-psa-labels/main.k 
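Review bot: This manifest omits the `edition = "*"` line that the other kcl.mod files in this change carry (add-quota's kcl.mod omits it as well); unless the omission is deliberate, add `edition = "*"` so all example packages resolve the same way.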
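Review bot: The comment `# Use k = v to override existing selector` is misleading: the `=` is applied while building the fresh `selector` dict, which has nothing to override, and the result is then merged into the Pod with `spec.nodeSelector: selector`, where `:` unions with whatever the Pod already has; as I read KCL's merge rules, a Pod that already sets `foo: baz` would conflict rather than be overridden. If overriding is the intent, apply it at the merge point, e.g. `spec.nodeSelector = (item.spec.nodeSelector or {}) | selector` or the equivalent override form, and add a fixture whose Pod already carries a `nodeSelector`, since the current suite only has a Pod without one. Iterate `option("items") or []` for consistency with the AppArmor policy; an empty `params.selector` yields `spec.nodeSelector: {}`, which is a harmless no-op but worth a comment.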
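Review bot: The `documentation` annotation is the placeholder `Add nodeselector`, while the sibling suites describe purpose and behaviour; it should state that the policy merges `params.selector` into `spec.nodeSelector` of every Pod and what happens to keys the Pod already sets. The fixture Pod has no `nodeSelector`, so the override behaviour promised by the comment in main.k is never exercised; a second Pod document with `nodeSelector: {foo: baz}` would pin it.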
@@ -0,0 +1,7 @@ +items = [item | { + if item.kind == "Namespace": + metadata.labels: { + "pod-security.kubernetes.io/enforce" = "baseline" + "pod-security.kubernetes.io/warn" = "restricted" + } +} for item in option("items")] diff --git a/examples/mutation/add-psa-labels/suite/good.yaml b/examples/mutation/add-psa-labels/suite/good.yaml new file mode 100644 index 0000000..d874774 --- /dev/null +++ b/examples/mutation/add-psa-labels/suite/good.yaml @@ -0,0 +1,22 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: add-psa-labels + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: mutation + documentation: >- + Pod Security Admission (PSA) can be controlled via the assignment of labels + at the Namespace level which define the Pod Security Standard (PSS) profile + in use and the action to take. If not using a cluster-wide configuration + via an AdmissionConfiguration file, Namespaces must be explicitly labeled. + This policy assigns the labels `pod-security.kubernetes.io/enforce=baseline` + and `pod-security.kubernetes.io/warn=restricted` to all new Namespaces if + those labels are not included. +spec: + source: ./examples/mutation/add-psa-labels/main.k +--- +apiVersion: v1 +kind: Namespace +metadata: + name: sampleapp diff --git a/examples/mutation/add-quota/kcl.mod b/examples/mutation/add-quota/kcl.mod new file mode 100644 index 0000000..d53edbd --- /dev/null +++ b/examples/mutation/add-quota/kcl.mod @@ -0,0 +1,3 @@ +[package] +name = "add-quota" +version = "0.0.1" diff --git a/examples/mutation/add-quota/main.k b/examples/mutation/add-quota/main.k new file mode 100644 index 0000000..4a92322 --- /dev/null +++ b/examples/mutation/add-quota/main.k 
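Review bot: Both labels are set with the override operator `=`, so a Namespace that already enforces a stricter profile (for example `pod-security.kubernetes.io/enforce: restricted`) is silently downgraded to `baseline` by this mutation, which weakens a security floor instead of establishing one; the suite documentation also promises the labels are only added `if those labels are not included`. I would set each label only when absent, as below, and consider exposing the levels through `option("params")` with these values as defaults, as the AppArmor policy does for its parameter. Iterate `option("items") or []` for consistency with that policy.

```kcl
items = [item | {
    if item.kind == "Namespace":
        metadata.labels: {
            if "pod-security.kubernetes.io/enforce" not in (item.metadata.labels or {}):
                "pod-security.kubernetes.io/enforce" = "baseline"
            if "pod-security.kubernetes.io/warn" not in (item.metadata.labels or {}):
                "pod-security.kubernetes.io/warn" = "restricted"
        }
} for item in option("items") or []]
```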
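Review bot: The documentation states the labels are assigned `if those labels are not included`, but the accompanying main.k assigns them with the override operator and replaces any existing value; either the wording or the code needs to change. The fixture should also include a Namespace that is already labelled (e.g. `pod-security.kubernetes.io/enforce: restricted`) so the chosen behaviour, keep or overwrite, is pinned by the suite.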
@@ -0,0 +1,36 @@ +ns_list = [item.metadata.name for item in option("items") if item.kind == "Namespace"] + +items = option("items") + [ + { + apiVersion: "v1" + kind: "ResourceQuota" + name: "default-resourcequota" + synchronize: True + namespace: ns + data.spec.hard: { + 'requests.cpu': '4' + 'requests.memory': str(16Gi) + 'limits.cpu': '4' + 'limits.memory': str(16Gi) + } + } for ns in ns_list +] + [ + { + apiVersion: "v1" + kind: "LimitRange" + name: "default-limitrange" + synchronize: True + namespace: ns + data.spec.limits = [{ + default: { + cpu: str(500m) + memory: str(1Gi) + } + defaultRequest: { + cpu: str(200m) + memory: str(256Mi) + } + type: "Container" + }] + } for ns in ns_list +] diff --git a/examples/mutation/add-quota/suite/good.yaml b/examples/mutation/add-quota/suite/good.yaml new file mode 100644 index 0000000..a04029c --- /dev/null +++ b/examples/mutation/add-quota/suite/good.yaml @@ -0,0 +1,16 @@ +apiVersion: krm.kcl.dev/v1alpha1 +kind: KCLRun +metadata: + name: add-quota + annotations: + krm.kcl.dev/version: 0.0.1 + krm.kcl.dev/type: mutation + documentation: >- + Add quota +spec: + source: ./examples/mutation/add-quota/main.k +--- +apiVersion: v1 +kind: Namespace +metadata: + name: sampleapp
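Review bot: The generated objects are not valid Kubernetes manifests: `name`, `namespace`, `synchronize` and `data.spec.hard` sit at the top level, whereas a ResourceQuota or LimitRange needs `metadata.name`, `metadata.namespace` and `spec.hard`/`spec.limits`; this resembles a policy engine's generate-rule schema rather than a KRM resource, and as emitted the API server would reject the objects, so no quota is ever applied. The values `str(16Gi)`, `str(500m)` and so on rely on KCL rendering unit literals back with their suffix; plain strings such as `"16Gi"` are unambiguous and match how the other policies write values. The limits are hard-coded; exposing them via `option("params")` with these as defaults would match the AppArmor and nodeSelector policies, and `ns_list` includes every Namespace in the input regardless of name, so `kube-system` would receive the same 4-CPU quota unless excluded. `option("items")` should be guarded with `or []` as elsewhere.

```kcl
# … unchanged: ns_list …
items = (option("items") or []) + [
    {
        apiVersion = "v1"
        kind = "ResourceQuota"
        metadata = {name = "default-resourcequota", namespace = ns}
        spec.hard = {
            "requests.cpu" = "4"
            "requests.memory" = "16Gi"
            "limits.cpu" = "4"
            "limits.memory" = "16Gi"
        }
    } for ns in ns_list
] + [
    {
        apiVersion = "v1"
        kind = "LimitRange"
        metadata = {name = "default-limitrange", namespace = ns}
        spec.limits = [{
            default = {cpu = "500m", memory = "1Gi"}
            defaultRequest = {cpu = "200m", memory = "256Mi"}
            type = "Container"
        }]
    } for ns in ns_list
]
```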
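Review bot: The `documentation` annotation is the placeholder `Add quota`; it should state that the policy generates a `ResourceQuota` (`default-resourcequota`) and a `LimitRange` (`default-limitrange`) in every Namespace present in the input, with the fixed CPU and memory figures, so readers know that system namespaces in the input are affected as well. The fixture has no expected-output document, so it cannot catch the manifest-shape problem in main.k; if the suite format supports an expected result, add one for the generated ResourceQuota.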