add playground samples (#200)

* add playground samples Signed-off-by: Jim Bugwadia <[email protected]> * make codegen Signed-off-by: Jim Bugwadia <[email protected]> --------- Signed-off-by: Jim Bugwadia <[email protected]>
kyverno · Nov 6, 2023 · 6b96903 · 6b96903
1 parent 6eaf6cd
commit 6b96903
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 4 deletions.
diff --git a/pkg/server/ui/dist/assets/data.json b/pkg/server/ui/dist/assets/data.json
@@ -1,7 +1,19 @@
 {
   "examples": [
     {
-      "category": "dockerfile",
+      "category": "Terraform",
+      "name": "terraform-s3",
+      "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: s3\nspec:\n  rules:\n    - name: check-tags\n      assert:\n        all:\n        - check:\n            planned_values:\n              root_module:\n                ~.resources:\n                  values:\n                    (keys(tags_all)):\n                      (contains(@, 'Environment')): true\n                      (contains(@, 'Name')): true\n                      (contains(@, 'Team')): true",
+      "payload": "configuration:\n  provider_config:\n    aws:\n      expressions:\n        region:\n          constant_value: us-west-2\n      full_name: registry.terraform.io/hashicorp/aws\n      name: aws\n      version_constraint: ~\u003e 4.16\n  root_module:\n    resources:\n    - address: aws_s3_bucket.example\n      expressions:\n        bucket:\n          constant_value: my-tf-test-bucket\n        tags:\n          constant_value:\n            Environment: Dev\n            Name: My bucket\n      mode: managed\n      name: example\n      provider_config_key: aws\n      schema_version: 0\n      type: aws_s3_bucket\nformat_version: \"1.2\"\nplanned_values:\n  root_module:\n    resources:\n    - address: aws_s3_bucket.example\n      mode: managed\n      name: example\n      provider_name: registry.terraform.io/hashicorp/aws\n      schema_version: 0\n      sensitive_values:\n        cors_rule: []\n        grant: []\n        lifecycle_rule: []\n        logging: []\n        object_lock_configuration: []\n        replication_configuration: []\n        server_side_encryption_configuration: []\n        tags: {}\n        tags_all: {}\n        versioning: []\n        website: []\n      type: aws_s3_bucket\n      values:\n        bucket: my-tf-test-bucket\n        force_destroy: false\n        tags:\n          Environment: Dev\n          Name: My bucket\n        tags_all:\n          Environment: Dev\n          Name: My bucket\n        timeouts: null\nresource_changes:\n- address: aws_s3_bucket.example\n  change:\n    actions:\n    - create\n    after:\n      bucket: my-tf-test-bucket\n      force_destroy: false\n      tags:\n        Environment: Dev\n        Name: My bucket\n      tags_all:\n        Environment: Dev\n        Name: My bucket\n      timeouts: null\n    after_sensitive:\n      cors_rule: []\n      grant: []\n      lifecycle_rule: []\n      logging: []\n      object_lock_configuration: []\n      replication_configuration: []\n      server_side_encryption_configuration: []\n      tags: {}\n      tags_all: {}\n      versioning: []\n      website: []\n    after_unknown:\n      acceleration_status: true\n      acl: true\n      arn: true\n      bucket_domain_name: true\n      bucket_prefix: true\n      bucket_regional_domain_name: true\n      cors_rule: true\n      grant: true\n      hosted_zone_id: true\n      id: true\n      lifecycle_rule: true\n      logging: true\n      object_lock_configuration: true\n      object_lock_enabled: true\n      policy: true\n      region: true\n      replication_configuration: true\n      request_payer: true\n      server_side_encryption_configuration: true\n      tags: {}\n      tags_all: {}\n      versioning: true\n      website: true\n      website_domain: true\n      website_endpoint: true\n    before: null\n    before_sensitive: false\n  mode: managed\n  name: example\n  provider_name: registry.terraform.io/hashicorp/aws\n  type: aws_s3_bucket\nterraform_version: 1.5.7\ntimestamp: \"2023-10-26T08:15:54Z\"\n"
+    },
+    {
+      "category": "Kubernetes",
+      "name": "pod-no-latest",
+      "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: pod-no-latest\n      context:\n        - name: tag\n          variable: :latest\n      match:\n        any:\n        - apiVersion: v1\n          kind: Pod\n      identifier: \"metadata.name\"\n      assert:\n        all:\n        - check:\n            spec:\n              ~foo.containers-\u003efoos:\n                (at($foos, $foo).image)-\u003efoo:\n                  # an image tag is required\n                  (contains($foo, ':')): true\n                  # using a mutable image tag e.g. 'latest' is not allowed\n                  (ends_with($foo, $tag)): false\n        - check:\n            spec:\n              ~.containers-\u003efoo:\n                image:\n                  # an image tag is required\n                  (contains(@, ':')): true\n                  # using a mutable image tag e.g. 'latest' is not allowed\n                  (ends_with(@, ':latest')): false\n        - check:\n            ~index.(spec.containers[*].image)-\u003eimages:\n              # an image tag is required\n              (contains(@, ':')): true\n              # using a mutable image tag e.g. 'latest' is not allowed\n              (ends_with(@, ':latest')): false\n",
+      "payload": "apiVersion: v1\nkind: Pod\nmetadata:\n  name: webserver\nspec:\n  containers:\n  - name: webserver-1\n    image: nginx:latest\n    ports:\n    - containerPort: 80\n  - name: webserver-2\n    image: nginx:latest\n    ports:\n    - containerPort: 80\n  - name: webserver-3\n    image: nginx:latest\n    ports:\n    - containerPort: 80\n"
+    },
+    {
+      "category": "Dockerfile",
       "name": "check-dockerfile",
       "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: check-dockerfile\nspec:\n  rules:\n    - name: deny-external-calls\n      assert:\n        all:\n        - message: \"HTTP calls are not allowed\"\n          check:\n            ~.(Stages[].Commands[].Args[].Value):\n              (contains(@, 'https://') || contains(@, 'http://')): false\n        - message: \"HTTP calls are not allowed\"\n          check:\n            ~.(Stages[].Commands[].CmdLine[]):\n              (contains(@, 'https://') || contains(@, 'http://')): false\n        - message: \"curl is not allowed\"\n          check:\n            ~.(Stages[].Commands[].CmdLine[]):\n              (contains(@, 'curl')): false\n        - message: \"wget is not allowed\"\n          check:\n            ~.(Stages[].Commands[].CmdLine[]):\n              (contains(@, 'wget')): false",
       "payload": "MetaArgs:\n- DefaultValue: '\"linux/amd64\"'\n  Key: BUILD_PLATFORM\n  ProvidedValue: null\n  Value: '\"linux/amd64\"'\n- DefaultValue: '\"golang:1.20.6-alpine3.18\"'\n  Key: BUILDER_IMAGE\n  ProvidedValue: null\n  Value: '\"golang:1.20.6-alpine3.18\"'\nStages:\n- As: builder\n  BaseName: '\"golang:1.20.6-alpine3.18\"'\n  Commands:\n  - Name: WORKDIR\n    Path: /\n  - Chmod: \"\"\n    Chown: \"\"\n    DestPath: ./\n    From: \"\"\n    Link: false\n    Name: COPY\n    SourceContents: null\n    SourcePaths:\n    - .\n  - Args:\n    - Comment: \"\"\n      Key: SIGNER_BINARY_LINK\n      Value: '\"https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip\"'\n    Name: ARG\n  - Args:\n    - Comment: \"\"\n      Key: SIGNER_BINARY_FILE\n      Value: '\"notation-aws-signer-plugin.zip\"'\n    Name: ARG\n  - CmdLine:\n    - wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}\n    Files: null\n    FlagsUsed: []\n    Name: RUN\n    PrependShell: true\n  - CmdLine:\n    - apk update \u0026\u0026     apk add unzip \u0026\u0026     unzip -o ${SIGNER_BINARY_FILE}\n    Files: null\n    FlagsUsed: []\n    Name: RUN\n    PrependShell: true\n  - CmdLine:\n    - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"-w -s\" -o kyverno-notation-aws\n      .\n    Files: null\n    FlagsUsed: []\n    Name: RUN\n    PrependShell: true\n  Comment: \"\"\n  From:\n    Image: '\"golang:1.20.6-alpine3.18\"'\n  Location:\n  - End:\n      Character: 0\n      Line: 4\n    Start:\n      Character: 0\n      Line: 4\n  Name: builder\n  Platform: $BUILD_PLATFORM\n  SourceCode: FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder\n- BaseName: gcr.io/distroless/static:nonroot\n  Commands:\n  - Name: WORKDIR\n    Path: /\n  - Env:\n    - Key: PLUGINS_DIR\n      Value: /plugins\n    Name: ENV\n  - Chmod: \"\"\n    Chown: \"\"\n    DestPath: plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin\n    From: builder\n    Link: false\n    Name: COPY\n    SourceContents: null\n    SourcePaths:\n    - notation-com.amazonaws.signer.notation.plugin\n  - Chmod: \"\"\n    Chown: \"\"\n    DestPath: kyverno-notation-aws\n    From: builder\n    Link: false\n    Name: COPY\n    SourceContents: null\n    SourcePaths:\n    - kyverno-notation-aws\n  - CmdLine:\n    - /kyverno-notation-aws\n    Files: null\n    Name: ENTRYPOINT\n    PrependShell: false\n  Comment: \"\"\n  From:\n    Image: gcr.io/distroless/static:nonroot\n  Location:\n  - End:\n      Character: 0\n      Line: 20\n    Start:\n      Character: 0\n      Line: 20\n  Name: \"\"\n  Platform: \"\"\n  SourceCode: FROM gcr.io/distroless/static:nonroot\n"

diff --git a/playground-examples.yaml b/playground-examples.yaml
@@ -1,6 +1,13 @@
 # categories
-dockerfile:
-  # names
+Dockerfile:
   check-dockerfile:
     policy:   test/commands/scan/dockerfile/policy.yaml
     payload:  test/commands/scan/dockerfile/payload.json
+Terraform:
+  terraform-s3:
+    policy:   test/commands/scan/tf-s3/policy.yaml
+    payload:  test/commands/scan/tf-s3/payload.json
+Kubernetes:
+  pod-no-latest:
+    policy:   test/commands/scan/pod-no-latest/policy.yaml
+    payload:  test/commands/scan/pod-no-latest/payload.yaml
diff --git a/website/playground/assets/data.json b/website/playground/assets/data.json
@@ -1,7 +1,19 @@
 {
   "examples": [
     {
-      "category": "dockerfile",
+      "category": "Terraform",
+      "name": "terraform-s3",
+      "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: s3\nspec:\n  rules:\n    - name: check-tags\n      assert:\n        all:\n        - check:\n            planned_values:\n              root_module:\n                ~.resources:\n                  values:\n                    (keys(tags_all)):\n                      (contains(@, 'Environment')): true\n                      (contains(@, 'Name')): true\n                      (contains(@, 'Team')): true",
+      "payload": "configuration:\n  provider_config:\n    aws:\n      expressions:\n        region:\n          constant_value: us-west-2\n      full_name: registry.terraform.io/hashicorp/aws\n      name: aws\n      version_constraint: ~\u003e 4.16\n  root_module:\n    resources:\n    - address: aws_s3_bucket.example\n      expressions:\n        bucket:\n          constant_value: my-tf-test-bucket\n        tags:\n          constant_value:\n            Environment: Dev\n            Name: My bucket\n      mode: managed\n      name: example\n      provider_config_key: aws\n      schema_version: 0\n      type: aws_s3_bucket\nformat_version: \"1.2\"\nplanned_values:\n  root_module:\n    resources:\n    - address: aws_s3_bucket.example\n      mode: managed\n      name: example\n      provider_name: registry.terraform.io/hashicorp/aws\n      schema_version: 0\n      sensitive_values:\n        cors_rule: []\n        grant: []\n        lifecycle_rule: []\n        logging: []\n        object_lock_configuration: []\n        replication_configuration: []\n        server_side_encryption_configuration: []\n        tags: {}\n        tags_all: {}\n        versioning: []\n        website: []\n      type: aws_s3_bucket\n      values:\n        bucket: my-tf-test-bucket\n        force_destroy: false\n        tags:\n          Environment: Dev\n          Name: My bucket\n        tags_all:\n          Environment: Dev\n          Name: My bucket\n        timeouts: null\nresource_changes:\n- address: aws_s3_bucket.example\n  change:\n    actions:\n    - create\n    after:\n      bucket: my-tf-test-bucket\n      force_destroy: false\n      tags:\n        Environment: Dev\n        Name: My bucket\n      tags_all:\n        Environment: Dev\n        Name: My bucket\n      timeouts: null\n    after_sensitive:\n      cors_rule: []\n      grant: []\n      lifecycle_rule: []\n      logging: []\n      object_lock_configuration: []\n      replication_configuration: []\n      server_side_encryption_configuration: []\n      tags: {}\n      tags_all: {}\n      versioning: []\n      website: []\n    after_unknown:\n      acceleration_status: true\n      acl: true\n      arn: true\n      bucket_domain_name: true\n      bucket_prefix: true\n      bucket_regional_domain_name: true\n      cors_rule: true\n      grant: true\n      hosted_zone_id: true\n      id: true\n      lifecycle_rule: true\n      logging: true\n      object_lock_configuration: true\n      object_lock_enabled: true\n      policy: true\n      region: true\n      replication_configuration: true\n      request_payer: true\n      server_side_encryption_configuration: true\n      tags: {}\n      tags_all: {}\n      versioning: true\n      website: true\n      website_domain: true\n      website_endpoint: true\n    before: null\n    before_sensitive: false\n  mode: managed\n  name: example\n  provider_name: registry.terraform.io/hashicorp/aws\n  type: aws_s3_bucket\nterraform_version: 1.5.7\ntimestamp: \"2023-10-26T08:15:54Z\"\n"
+    },
+    {
+      "category": "Kubernetes",
+      "name": "pod-no-latest",
+      "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: test\nspec:\n  rules:\n    - name: pod-no-latest\n      context:\n        - name: tag\n          variable: :latest\n      match:\n        any:\n        - apiVersion: v1\n          kind: Pod\n      identifier: \"metadata.name\"\n      assert:\n        all:\n        - check:\n            spec:\n              ~foo.containers-\u003efoos:\n                (at($foos, $foo).image)-\u003efoo:\n                  # an image tag is required\n                  (contains($foo, ':')): true\n                  # using a mutable image tag e.g. 'latest' is not allowed\n                  (ends_with($foo, $tag)): false\n        - check:\n            spec:\n              ~.containers-\u003efoo:\n                image:\n                  # an image tag is required\n                  (contains(@, ':')): true\n                  # using a mutable image tag e.g. 'latest' is not allowed\n                  (ends_with(@, ':latest')): false\n        - check:\n            ~index.(spec.containers[*].image)-\u003eimages:\n              # an image tag is required\n              (contains(@, ':')): true\n              # using a mutable image tag e.g. 'latest' is not allowed\n              (ends_with(@, ':latest')): false\n",
+      "payload": "apiVersion: v1\nkind: Pod\nmetadata:\n  name: webserver\nspec:\n  containers:\n  - name: webserver-1\n    image: nginx:latest\n    ports:\n    - containerPort: 80\n  - name: webserver-2\n    image: nginx:latest\n    ports:\n    - containerPort: 80\n  - name: webserver-3\n    image: nginx:latest\n    ports:\n    - containerPort: 80\n"
+    },
+    {
+      "category": "Dockerfile",
       "name": "check-dockerfile",
       "policy": "apiVersion: json.kyverno.io/v1alpha1\nkind: ValidatingPolicy\nmetadata:\n  name: check-dockerfile\nspec:\n  rules:\n    - name: deny-external-calls\n      assert:\n        all:\n        - message: \"HTTP calls are not allowed\"\n          check:\n            ~.(Stages[].Commands[].Args[].Value):\n              (contains(@, 'https://') || contains(@, 'http://')): false\n        - message: \"HTTP calls are not allowed\"\n          check:\n            ~.(Stages[].Commands[].CmdLine[]):\n              (contains(@, 'https://') || contains(@, 'http://')): false\n        - message: \"curl is not allowed\"\n          check:\n            ~.(Stages[].Commands[].CmdLine[]):\n              (contains(@, 'curl')): false\n        - message: \"wget is not allowed\"\n          check:\n            ~.(Stages[].Commands[].CmdLine[]):\n              (contains(@, 'wget')): false",
       "payload": "MetaArgs:\n- DefaultValue: '\"linux/amd64\"'\n  Key: BUILD_PLATFORM\n  ProvidedValue: null\n  Value: '\"linux/amd64\"'\n- DefaultValue: '\"golang:1.20.6-alpine3.18\"'\n  Key: BUILDER_IMAGE\n  ProvidedValue: null\n  Value: '\"golang:1.20.6-alpine3.18\"'\nStages:\n- As: builder\n  BaseName: '\"golang:1.20.6-alpine3.18\"'\n  Commands:\n  - Name: WORKDIR\n    Path: /\n  - Chmod: \"\"\n    Chown: \"\"\n    DestPath: ./\n    From: \"\"\n    Link: false\n    Name: COPY\n    SourceContents: null\n    SourcePaths:\n    - .\n  - Args:\n    - Comment: \"\"\n      Key: SIGNER_BINARY_LINK\n      Value: '\"https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip\"'\n    Name: ARG\n  - Args:\n    - Comment: \"\"\n      Key: SIGNER_BINARY_FILE\n      Value: '\"notation-aws-signer-plugin.zip\"'\n    Name: ARG\n  - CmdLine:\n    - wget -O ${SIGNER_BINARY_FILE} ${SIGNER_BINARY_LINK}\n    Files: null\n    FlagsUsed: []\n    Name: RUN\n    PrependShell: true\n  - CmdLine:\n    - apk update \u0026\u0026     apk add unzip \u0026\u0026     unzip -o ${SIGNER_BINARY_FILE}\n    Files: null\n    FlagsUsed: []\n    Name: RUN\n    PrependShell: true\n  - CmdLine:\n    - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"-w -s\" -o kyverno-notation-aws\n      .\n    Files: null\n    FlagsUsed: []\n    Name: RUN\n    PrependShell: true\n  Comment: \"\"\n  From:\n    Image: '\"golang:1.20.6-alpine3.18\"'\n  Location:\n  - End:\n      Character: 0\n      Line: 4\n    Start:\n      Character: 0\n      Line: 4\n  Name: builder\n  Platform: $BUILD_PLATFORM\n  SourceCode: FROM --platform=$BUILD_PLATFORM $BUILDER_IMAGE as builder\n- BaseName: gcr.io/distroless/static:nonroot\n  Commands:\n  - Name: WORKDIR\n    Path: /\n  - Env:\n    - Key: PLUGINS_DIR\n      Value: /plugins\n    Name: ENV\n  - Chmod: \"\"\n    Chown: \"\"\n    DestPath: plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin\n    From: builder\n    Link: false\n    Name: COPY\n    SourceContents: null\n    SourcePaths:\n    - notation-com.amazonaws.signer.notation.plugin\n  - Chmod: \"\"\n    Chown: \"\"\n    DestPath: kyverno-notation-aws\n    From: builder\n    Link: false\n    Name: COPY\n    SourceContents: null\n    SourcePaths:\n    - kyverno-notation-aws\n  - CmdLine:\n    - /kyverno-notation-aws\n    Files: null\n    Name: ENTRYPOINT\n    PrependShell: false\n  Comment: \"\"\n  From:\n    Image: gcr.io/distroless/static:nonroot\n  Location:\n  - End:\n      Character: 0\n      Line: 20\n    Start:\n      Character: 0\n      Line: 20\n  Name: \"\"\n  Platform: \"\"\n  SourceCode: FROM gcr.io/distroless/static:nonroot\n"