From 5a62aad88ce51d8ab12f663f2b7dcc9c2219290e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20H=C3=A4usler?= <794584+corvus-ch@users.noreply.github.com>
Date: Fri, 31 Mar 2023 11:08:03 +0200
Subject: [PATCH 1/2] Switch CodeOwners to Aldebaran Tech

---
CODEOWNERS | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CODEOWNERS b/CODEOWNERS
index bb3227a..52c10ce 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,2 +1,2 @@
-* @appuio/aldebaran
+* @appuio/aldebaran-tech

From 44430d0e4b1e97e78c96ff86c2b56a4ada2fa86d Mon Sep 17 00:00:00 2001
From: Sebastian Widmer
Date: Fri, 31 Mar 2023 11:12:14 +0200
Subject: [PATCH 2/2] Compile golden with newer Commodore version

---
.../appuio-cloud/01_agent/01_config_map.yaml | 54 ++++++++++++-------
.../01_agent/02_webhook_cert_secret.yaml | 36 ++-----------
.../02_disallow_reserved_namespaces.yaml | 34 ++++--------
.../02_organization_namespaces.yaml | 33 ++++--------
.../02_organization_projects.yaml | 33 ++++--------
.../02_organization_sa_namespaces.yaml | 31 ++++-------
.../02_validate_namespace_metadata.yaml | 45 +++++++---------
.../appuio-cloud/03_projectrequest.yaml | 21 +++-----
.../11_generate_quota_limit_range_in_ns.yaml | 22 ++------
.../12_namespace_quota_per_zone.yaml | 43 +++++----------
..._disallow_docker_build_strategy_patch.yaml | 7 ++-
.../30_set_runonce_activedeadlineseconds.yaml | 16 ++----
12 files changed, 126 insertions(+), 249 deletions(-)

diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml
index 8bd8f29..709a779 100644
--- a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml
+++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/01_config_map.yaml
@@ -1,23 +1,41 @@ apiVersion: v1 data: - config.yaml: "\"DefaultNamespaceNodeSelectorAnnotation\": \"appuio.io/default-node-selector\"\ - \n\"DefaultNodeSelector\": {}\n\"DefaultOrganizationClusterRoles\":\n \"admin\"\ - : \"admin\"\n \"alert-routing-edit\": \"alert-routing-edit\"\n \"monitoring-edit\"\ - : \"monitoring-edit\"\n \"monitoring-edit-probe\": \"monitoring-edit-probe\"\n\ - \ \"namespace-owner\": \"namespace-owner\"\n\"MemoryPerCoreLimit\": \"4Gi\"\n\ - \"OrganizationLabel\": \"appuio.io/organization\"\n\"PrivilegedClusterRoles\"\ - :\n- \"cluster-admin\"\n- \"cluster-image-registry-operator\"\n- \"cluster-node-tuning-operator\"\ - \n- \"kyverno:generatecontroller\"\n- \"kyverno:policycontroller\"\n- \"multus-admission-controller-webhook\"\ - \n- \"openshift-dns-operator\"\n- \"openshift-ingress-operator\"\n- \"syn-admin\"\ - \n- \"syn-argocd-application-controller\"\n- \"syn-argocd-server\"\n- \"system:controller:generic-garbage-collector\"\ - \n- \"system:controller:operator-lifecycle-manager\"\n- \"system:master\"\n- \"\ - system:openshift:controller:namespace-security-allocation-controller\"\n- \"system:openshift:controller:podsecurity-admission-label-syncer-controller\"\ - \n\"PrivilegedGroups\": []\n\"PrivilegedUsers\":\n- \"system:serviceaccount:argocd:argocd-application-controller\"\ - \n- \"system:serviceaccount:openshift-logging:cluster-logging-operator\"\n- \"\ - system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount\"\ - \n- \"system:serviceaccount:syn-resource-locker:namespace-openshift-config-2c8343f13594d63-manager\"\ - \n- \"system:serviceaccount:syn-resource-locker:namespace-default-d6a0af6dd07e8a3-manager\"\ - \n- \"system:serviceaccount:syn-resource-locker:namespace-openshift-monitoring-c4273dc15ddfdf7-manager\"" + config.yaml: |- + "DefaultNamespaceNodeSelectorAnnotation": "appuio.io/default-node-selector" + "DefaultNodeSelector": {} + "DefaultOrganizationClusterRoles": + "admin": "admin" + 
"alert-routing-edit": "alert-routing-edit" + "monitoring-edit": "monitoring-edit" + "monitoring-edit-probe": "monitoring-edit-probe" + "namespace-owner": "namespace-owner" + "MemoryPerCoreLimit": "4Gi" + "OrganizationLabel": "appuio.io/organization" + "PrivilegedClusterRoles": + - "cluster-admin" + - "cluster-image-registry-operator" + - "cluster-node-tuning-operator" + - "kyverno:generatecontroller" + - "kyverno:policycontroller" + - "multus-admission-controller-webhook" + - "openshift-dns-operator" + - "openshift-ingress-operator" + - "syn-admin" + - "syn-argocd-application-controller" + - "syn-argocd-server" + - "system:controller:generic-garbage-collector" + - "system:controller:operator-lifecycle-manager" + - "system:master" + - "system:openshift:controller:namespace-security-allocation-controller" + - "system:openshift:controller:podsecurity-admission-label-syncer-controller" + "PrivilegedGroups": [] + "PrivilegedUsers": + - "system:serviceaccount:argocd:argocd-application-controller" + - "system:serviceaccount:openshift-logging:cluster-logging-operator" + - "system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount" + - "system:serviceaccount:syn-resource-locker:namespace-openshift-config-2c8343f13594d63-manager" + - "system:serviceaccount:syn-resource-locker:namespace-default-d6a0af6dd07e8a3-manager" + - "system:serviceaccount:syn-resource-locker:namespace-openshift-monitoring-c4273dc15ddfdf7-manager" kind: ConfigMap metadata: annotations: {} diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_webhook_cert_secret.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_webhook_cert_secret.yaml index 8a5daf5..9e93192 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_webhook_cert_secret.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_agent/02_webhook_cert_secret.yaml 
@@ -8,68 +8,38 @@ metadata: name: webhook-service-tls namespace: appuio-cloud stringData: - tls.crt: '-----BEGIN CERTIFICATE----- - + tls.crt: |- + -----BEGIN CERTIFICATE----- MIIFeDCCA2CgAwIBAgIUH+xWxqMcAYp2t9jmRZ8SlZ3mkNswDQYJKoZIhvcNAQEL - BQAwMTEvMC0GA1UEAwwmd2ViaG9vay1zZXJ2aWNlLmFwcHVpby1jb250cm9sLWFw - aS5zdmMwHhcNMjIwMzI5MDkyNTM1WhcNMzIwMzI2MDkyNTM1WjAxMS8wLQYDVQQD - DCZ3ZWJob29rLXNlcnZpY2UuYXBwdWlvLWNvbnRyb2wtYXBpLnN2YzCCAiIwDQYJ - KoZIhvcNAQEBBQADggIPADCCAgoCggIBANuLXjhC1YyO4AjKRdrKa4aYIr93wtQU - FhGavZU5+NsD4DaeuBtAylnQ2i2y6ltUlX8LWTwDKGYa2zLiWONXdZMXXad+hYz6 - fVTJ681GH4/ko2dMcU7IAIRKDQ8cL8rb3GUXsOGRLQM1E4fNCbGi6oURyxcAGRqQ - Ym18PfGfqjXC0HUVjkWAPQuc9lGzKjFTR58pVEo5po4gShrG7QOdZosVxVrI8qHY - ZTgKeZseoDWo4IeHpke9uZg20K/mPYSWyA4Q1C1bhXyvbAonhz0eE0jzRoyNlRfg - 0gJFDo8HcaPLgS3xGNxIQtHXF4gZv8VhVjM4CALEp4M4j3bNJ2MN+tBoEvy7eaa5 - HDnFRbskTrgaSO6GVdH2QNeYQw1wxf1WzBL/GftARn8maRyzJe4/piKykx6+U51S - ozwvExvc7UOnuALFKhzZMZyiSRDR+ryhMskvk4zPzlYq246ssCSnfdos2ChMivhq - /Hfs57R6UjC3H2aLypdyx3aifAJwZiDwZ0LijcoWfXfHsjk+F9a1+vtGAxFft5Ao - dDswcet4gnzR2lDpIha0f6Q7065sEgWQA/Xz0ghiGg94UsBJTk8U6qGrsngafxHh - rmCFZOOexn2v6FpkYaNFHSvJ8fckWYR7MlTZi3ihv2OdZUS8MtnZqgzrDfjWZ/oh - yr6V7Hj1r1ttAgMBAAGjgYcwgYQwHQYDVR0OBBYEFCfDCDwxYs3XeeW45jEU+B6K - H3M0MB8GA1UdIwQYMBaAFCfDCDwxYs3XeeW45jEU+B6KH3M0MA8GA1UdEwEB/wQF - MAMBAf8wMQYDVR0RBCowKIImd2ViaG9vay1zZXJ2aWNlLmFwcHVpby1jb250cm9s - LWFwaS5zdmMwDQYJKoZIhvcNAQELBQADggIBAIeZ9lJhPyA7FI98Z8bLP3kC/a6n - pbzt9exkzc+ERiNmUy9n3Q1ykIDpMMlDmtzci3EejuHL82i/A4Jtuj+B/iRgIkGY - L3Ph8BsJNSZhsvEvhqJU02/Nr04SYify4dqe4SjZLnvd45wdHNaCmloRcKtz0QTN - E0tnbJISvpTlR8patftEN4ru1amd+GMUPunoykERZTftHw0SO/lVOlVATDjLpNJP - 0IWbBrZJTLSF7uhkGfpR2aIukqUi0QvDRQJ4D77Va3DqwetmWSEABlg1rfxuvP0k - 3kbD1/JX1I3A26Sqs9X5lSqXTq1sTKzd+2gtEulIJ5z0Et2y0rOWnPvXxJ4Ld4C/ - zAcro9aM11yqP/BjmdL+l3rYRj8N38s39EzhAY3MvYnSy1P2RmL/p4BsrOEvN5Mq - /E9zKEXsTQXviZc56J+iCrMAuRfQHXDIkwtID2oRuP0t4xtatQorf4JV/PRMAw0i - ZvrGMzX61r0eqn1t3bEJ49P+YvzawErH/l3zdITMc13sOWZQ1NayekxeVIOa6hyd - 
SFObMdLVJCUWcdz52EAk4jlqN0vN8iMSFnB8mBT4X+8reauopfWAnFH8VWfN8tyN - m2j6L7Lb2uwBCq2NaOY9HNSi52N/J6DnQZegogQxCUiT7YJr4Xtkabv99c6mn230 - al+L9+1VcdfaZsPI - - -----END CERTIFICATE-----' + -----END CERTIFICATE----- tls.key: t-silent-test-1234/c-green-test-1234/appuio-cloud/webhook-key type: kubernetes.io/tls diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_disallow_reserved_namespaces.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_disallow_reserved_namespaces.yaml index ab3f7c3..bc9fede 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_disallow_reserved_namespaces.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_disallow_reserved_namespaces.yaml 
@@ -3,35 +3,19 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will: + policies.kyverno.io/description: | + This policy will: + - Check if the namespace name of the request matches one of the disallowed namespace patterns. + - Check if the requesting user/serviceaccount has a cluster role that allows them to create reserved namespaces. - - Check if the namespace name of the request matches one of the disallowed namespace - patterns. + If the namespace matches a disallowed pattern and the requester doesn't have a cluster role which allows them to bypass the policy, the request is denied. + The policy is applied for requests to create `Namespace` and `ProjectRequest` resources. + This ensures that unprivileged users can't use disallowed patterns regardless of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web console. - - Check if the requesting user/serviceaccount has a cluster role that allows - them to create reserved namespaces. + The list of reserved namespace patterns is configured with xref:references/parameters#_reservednamespaces[component parameter `reservedNamespaces`]. - - If the namespace matches a disallowed pattern and the requester doesn''t have - a cluster role which allows them to bypass the policy, the request is denied. - - The policy is applied for requests to create `Namespace` and `ProjectRequest` - resources. - - This ensures that unprivileged users can''t use disallowed patterns regardless - of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web - console. - - - The list of reserved namespace patterns is configured with xref:references/parameters#_reservednamespaces[component - parameter `reservedNamespaces`]. - - - Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. 
- - ' + Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_namespaces.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_namespaces.yaml index c03c8e1..911b613 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_namespaces.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_namespaces.yaml 
@@ -3,37 +3,22 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will: + policies.kyverno.io/description: | + This policy will: + - Check that each namespace created by a user without cluster-admin permissions has a label appuio.io/organization which isn't empty. + - Check that the creating user is in the organization it tries to create a namespace for. - - Check that each namespace created by a user without cluster-admin permissions - has a label appuio.io/organization which isn''t empty. - - - Check that the creating user is in the organization it tries to create a namespace - for. - - - The user''s organization membership is checked by: - + The user's organization membership is checked by: - Fetching all OpenShift groups + - Reading the `appuio.io/organization` label of the request and finding a group with the same name - - Reading the `appuio.io/organization` label of the request and finding a group - with the same name - - - If a group matching the label value exists, the policy checks that the user - which issued the request is a member of that group. - - - If the label `appuio.io/organization` is missing or empty or the user isn''t - a member of the group, the request is denied. - + If a group matching the label value exists, the policy checks that the user which issued the request is a member of that group. - Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. + If the label `appuio.io/organization` is missing or empty or the user isn't a member of the group, the request is denied. - ' + Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. 
policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_projects.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_projects.yaml index 68f40a3..378b60e 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_projects.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_projects.yaml 
@@ -3,36 +3,21 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will: + policies.kyverno.io/description: | + This policy will: + - Check that each project created by a user without cluster-admin permissions has a label appuio.io/organization which isn't empty. + - Check that the creating user is in the organization they try to create a project for. - - Check that each project created by a user without cluster-admin permissions - has a label appuio.io/organization which isn''t empty. - - - Check that the creating user is in the organization they try to create a project - for. - - - The user''s organization membership is checked by: - - - - Reading the project''s annotation `openshift.io/requester` which contains - the username of the user who originally requested the project. + The user's organization membership is checked by: + - Reading the project's annotation `openshift.io/requester` which contains the username of the user who originally requested the project. - Fetching all OpenShift groups + - Reading the `appuio.io/organization` label of the request and finding a group with the same name - - Reading the `appuio.io/organization` label of the request and finding a group - with the same name - - - If a group matching the label value exists, the policy checks that the user - which requested the project is a member of that group. - - - If the label `appuio.io/organization` is missing or empty or the user isn''t - a member of the group, the request is denied. + If a group matching the label value exists, the policy checks that the user which requested the project is a member of that group. - ' + If the label `appuio.io/organization` is missing or empty or the user isn't a member of the group, the request is denied. policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations 
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_sa_namespaces.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_sa_namespaces.yaml index 9b64e8e..7c085d3 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_sa_namespaces.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_organization_sa_namespaces.yaml 
@@ -3,33 +3,20 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will: + policies.kyverno.io/description: | + This policy will: + - Check that each namespace created by a serviceaccount without cluster-admin permissions has a label appuio.io/organization which isn't empty. + - Check that the creating serviceaccount is part of the organization it tries to create a namespace for. - - Check that each namespace created by a serviceaccount without cluster-admin - permissions has a label appuio.io/organization which isn''t empty. + The serviceaccount's organization membership is checked by: - - Check that the creating serviceaccount is part of the organization it tries - to create a namespace for. + - Fetching the serviceaccount's namespace + - Comparing that namespace's `appuio.io/organization` label value with the request's `appuio.io/organization` label value. + If the label `appuio.io/organization` is missing or empty or the serviceaccount's organization doesn't match the request's organization the request is denied. - The serviceaccount''s organization membership is checked by: - - - - Fetching the serviceaccount''s namespace - - - Comparing that namespace''s `appuio.io/organization` label value with the - request''s `appuio.io/organization` label value. - - - If the label `appuio.io/organization` is missing or empty or the serviceaccount''s - organization doesn''t match the request''s organization the request is denied. - - - Serviceaccounts which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. - - ' + Serviceaccounts which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. 
policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_validate_namespace_metadata.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_validate_namespace_metadata.yaml index 5dc73ca..688ed40 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/02_validate_namespace_metadata.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/02_validate_namespace_metadata.yaml 
@@ -4,26 +4,16 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will: - + policies.kyverno.io/description: | + This policy will: - Check annotations and labels on new and modified namespaces against a whitelist. + If the namespace has an annotation or label which isn't whitelisted and the requester doesn't have a cluster role which allows them to bypass the policy, the request is denied. - If the namespace has an annotation or label which isn''t whitelisted and the - requester doesn''t have a cluster role which allows them to bypass the policy, - the request is denied. - - - The list of allowed namespace annotations and labels is configured with xref:references/parameters#_allowednamespaceannotations[component - parameter `allowedNamespaceAnnotations`] and xref:references/parameters#_allowednamespacelabels[component - parameter `allowedNamespaceLabels`] respectively. - - - Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. + The list of allowed namespace annotations and labels is configured with xref:references/parameters#_allowednamespaceannotations[component parameter `allowedNamespaceAnnotations`] and xref:references/parameters#_allowednamespacelabels[component parameter `allowedNamespaceLabels`] respectively. - ' + Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations 
@@ -109,11 +99,13 @@ spec: list: 'request.object&& merge( not_null(request.object.metadata.labels, `{}`) ,not_null(request.oldObject.metadata.labels, `{}`)) | map(&{key: @}, keys(@))' - message: "The following labels can be modified:\n appuio.io/organization,\ - \ custom.appuio.io/*, kubernetes.io/metadata.name, network-policies.syn.tools/no-defaults,\ - \ network-policies.syn.tools/purge-defaults, test.appuio.io/*, compute.test.appuio.io/cpu.\n\ - labels given:\n {{request.object.metadata.labels}}.\nlabels before modification:\n\ - \ {{request.oldObject.metadata.labels}}." + message: |- + The following labels can be modified: + appuio.io/organization, custom.appuio.io/*, kubernetes.io/metadata.name, network-policies.syn.tools/no-defaults, network-policies.syn.tools/purge-defaults, test.appuio.io/*, compute.test.appuio.io/cpu. + labels given: + {{request.object.metadata.labels}}. + labels before modification: + {{request.oldObject.metadata.labels}}. - exclude: any: - clusterRoles: 
@@ -187,10 +179,11 @@ spec: list: 'request.object&& merge( not_null(request.object.metadata.annotations, `{}`) ,not_null(request.oldObject.metadata.annotations, `{}`)) | map(&{key: @}, keys(@))' - message: "The following annotations can be modified:\n custom.appuio.io/*,\ - \ appuio.io/default-node-selector, kubectl.kubernetes.io/last-applied-configuration,\ - \ policies.kyverno.io/last-applied-patches, appuio.io/active-deadline-seconds-override,\ - \ test.appuio.io/*, compute.test.appuio.io/cpu.\nannotations given:\n \ - \ {{request.object.metadata.annotations}}.\nannotations before modification:\n\ - \ {{request.oldObject.metadata.annotations}}." + message: |- + The following annotations can be modified: + custom.appuio.io/*, appuio.io/default-node-selector, kubectl.kubernetes.io/last-applied-configuration, policies.kyverno.io/last-applied-patches, appuio.io/active-deadline-seconds-override, test.appuio.io/*, compute.test.appuio.io/cpu. + annotations given: + {{request.object.metadata.annotations}}. + annotations before modification: + {{request.oldObject.metadata.annotations}}. validationFailureAction: enforce diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/03_projectrequest.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/03_projectrequest.yaml index 202b72e..ab69923 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/03_projectrequest.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/03_projectrequest.yaml 
@@ -3,23 +3,14 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Namespace Ownership - policies.kyverno.io/description: 'This policy will check that the requesting user - has the `appuio.io/default-organization` annotation. + policies.kyverno.io/description: | + This policy will check that the requesting user has the `appuio.io/default-organization` annotation. + The content of the annotation isn't validated. + Instead the policy assumes that any default organization annotations which are present on user objects are valid. - The content of the annotation isn''t validated. + If the requesting user doesn't have the `appuio.io/default-organization` annotation, the project request is denied. - Instead the policy assumes that any default organization annotations which are - present on user objects are valid. - - - If the requesting user doesn''t have the `appuio.io/default-organization` annotation, - the project request is denied. - - - Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. - - ' + Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy. policies.kyverno.io/jsonnet: component/project-policies.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/11_generate_quota_limit_range_in_ns.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/11_generate_quota_limit_range_in_ns.yaml index be9113b..2aba7fb 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/11_generate_quota_limit_range_in_ns.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/11_generate_quota_limit_range_in_ns.yaml 
@@ -3,26 +3,14 @@ kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Resource Quota - policies.kyverno.io/description: 'This policy generates `ResourceQuota` and `LimitRange` - objects in namespaces which have the `appuio.io/organization` label. + policies.kyverno.io/description: | + This policy generates `ResourceQuota` and `LimitRange` objects in namespaces which have the `appuio.io/organization` label. + The default values for the generated `ResourceQuota` and `LimitRange` objects are configured in component parameters xref:references/parameters.adoc#_generatedresourcequota[`generatedResourceQuota`] and xref:references/parameters.adoc#_generatedlimitrange[`generatedLimitRange`] respectively. - The default values for the generated `ResourceQuota` and `LimitRange` objects - are configured in component parameters xref:references/parameters.adoc#_generatedresourcequota[`generatedResourceQuota`] - and xref:references/parameters.adoc#_generatedlimitrange[`generatedLimitRange`] - respectively. + Quota entries can be overridden for single namespaces by annotating the namespace, see the xref:references/parameters.adoc#_generatedresourcequota_spec[parameter docs] for an example. - - Quota entries can be overridden for single namespaces by annotating the namespace, - see the xref:references/parameters.adoc#_generatedresourcequota_spec[parameter - docs] for an example. - - - If field `synchronize` in the `ResourceQuota` or `LimitRange` component parameter - is set to `true`, the policy is configured to continuously keep the generated - objects in sync with the specification in the policy. - - ' + If field `synchronize` in the `ResourceQuota` or `LimitRange` component parameter is set to `true`, the policy is configured to continuously keep the generated objects in sync with the specification in the policy. policies.kyverno.io/jsonnet: component/quota-limitrange.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations 
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/12_namespace_quota_per_zone.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/12_namespace_quota_per_zone.yaml index 5880b54..e599d8e 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/12_namespace_quota_per_zone.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/12_namespace_quota_per_zone.yaml 
@@ -4,39 +4,22 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none policies.kyverno.io/category: Namespace Management - policies.kyverno.io/description: 'This policy will deny creation of the new namespace - if the number of existing namespaces for the requester''s organization is greater - or equal a certain number. + policies.kyverno.io/description: | + This policy will deny creation of the new namespace if the number of existing namespaces for the requester's organization is greater or equal a certain number. + The number of allowed namespaces is either the default defined in this component, or it can be overridden for a specific organization. - The number of allowed namespaces is either the default defined in this component, - or it can be overridden for a specific organization. - - - To create an override, create a config map in the component namespace with name - pattern `override-` with `.data.namespaceOverride` being - the number. - + To create an override, create a config map in the component namespace with name pattern `override-` with `.data.namespaceOverride` being the number. For example, to set the namespace quota for organization foo to `4`: - [source,bash] - ---- - kubectl -n appuio-cloud create cm override-foo --from-literal=namespaceQuota=4 - ---- + The default number of allowed namespaces per organization is configured with xref:references/parameters#_maxnamespacequota[component parameter `maxNamespaceQuota`]. - The default number of allowed namespaces per organization is configured with - xref:references/parameters#_maxnamespacequota[component parameter `maxNamespaceQuota`]. - - - Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component - parameter `bypassNamespaceRestrictions`] are allowed to bypass this policy. 
- - ' + Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass this policy. policies.kyverno.io/jsonnet: component/namespace-quota.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations @@ -122,10 +105,9 @@ spec: - key: '{{nsCount}}' operator: GreaterThanOrEquals value: '{{override || `3`}}' - message: 'You cannot create more than {{override || `3`}} namespaces for organization - ''{{request.object.metadata.labels."appuio.io/organization"}}''. - - Please contact support to have your quota raised.' + message: |- + You cannot create more than {{override || `3`}} namespaces for organization '{{request.object.metadata.labels."appuio.io/organization"}}'. + Please contact support to have your quota raised. - context: - apiCall: jmesPath: metadata.annotations."appuio.io/default-organization" || "" @@ -198,8 +180,7 @@ spec: - key: '{{nsCount}}' operator: GreaterThanOrEquals value: '{{override || `3`}}' - message: 'You cannot create more than {{override || `3`}} namespaces for organization - ''{{organization}}''. - - Please contact support to have your quota raised.' + message: |- + You cannot create more than {{override || `3`}} namespaces for organization '{{organization}}'. + Please contact support to have your quota raised. validationFailureAction: enforce diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/15_disallow_docker_build_strategy_patch.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/15_disallow_docker_build_strategy_patch.yaml index 7d6f6cf..6cea28b 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/15_disallow_docker_build_strategy_patch.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/15_disallow_docker_build_strategy_patch.yaml 
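Review bot: The regenerated `policies.kyverno.io/description` still tells users to put the number in `.data.namespaceOverride` of the override config map, while the example command in the same hunk writes `--from-literal=namespaceQuota=4` and the rules further down compare against the `override` context value; at most one of those two key names is the one the policy actually reads, so someone following the annotation text may create an override that is silently ignored. The example lines (`[source,bash]`, the `kubectl -n appuio-cloud create cm override-foo …` command and the `----` fences) appear here only as removed lines with no `+` counterpart; if that is not an artifact of the collapsed listing, the new rendering also dropped the example from the annotation and the "For example, …:" sentence now dangles. The name pattern reads `override-` with nothing after the dash on both sides, which looks like a stripped placeholder rather than something this patch introduced, but is worth checking in the rendered output. Since this is a golden file, the fix belongs in the source named by the annotation, `component/namespace-quota.jsonnet`: make the sentence, the example and the key the `override` context looks up agree on one name, e.g. `with `.data.namespaceQuota` being the number` if that is the key the rule reads.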
@@ -78,8 +78,11 @@ metadata: spec: patches: - id: patch1 - patchTemplate: "\"metadata\":\n \"annotations\":\n \"rbac.authorization.kubernetes.io/autoupdate\"\ - : \"false\"\n\"subjects\": []" + patchTemplate: |- + "metadata": + "annotations": + "rbac.authorization.kubernetes.io/autoupdate": "false" + "subjects": [] patchType: application/strategic-merge-patch+json targetObjectRef: apiVersion: rbac.authorization.k8s.io/v1 diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/30_set_runonce_activedeadlineseconds.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/30_set_runonce_activedeadlineseconds.yaml index 1e20412..1b31b1a 100644 --- a/tests/golden/defaults/appuio-cloud/appuio-cloud/30_set_runonce_activedeadlineseconds.yaml +++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/30_set_runonce_activedeadlineseconds.yaml 
@@ -4,20 +4,12 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none policies.kyverno.io/category: Resource Quota - policies.kyverno.io/description: 'This policy ensures that all "runonce" pods - have `.spec.activeDeadlineSeconds` set. + policies.kyverno.io/description: | + This policy ensures that all "runonce" pods have `.spec.activeDeadlineSeconds` set. + The value for `.spec.activeDeadlineSeconds` for a namepsace can be overridden by adding annotation `appuio.io/active-deadline-seconds-override` with the desired default value on a namespace. - The value for `.spec.activeDeadlineSeconds` for a namepsace can be overridden - by adding annotation `appuio.io/active-deadline-seconds-override` with the desired - default value on a namespace. - - - Pods can be excluded from the policy by configuring label match expressions - in xref:references/parameters.adoc#_runonceactivedeadlineseconds_podmatchexpressions[component - parameter `runOnceActiveDeadlineSeconds.podMatchExpressions`]. - - ' + Pods can be excluded from the policy by configuring label match expressions in xref:references/parameters.adoc#_runonceactivedeadlineseconds_podmatchexpressions[component parameter `runOnceActiveDeadlineSeconds.podMatchExpressions`]. policies.kyverno.io/jsonnet: component/runonce-activedeadlineseconds.jsonnet policies.kyverno.io/minversion: v1 policies.kyverno.io/subject: APPUiO Organizations