copy imagepullpolicy-always

Signed-off-by: Chandan-DK <[email protected]>

other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: imagepullpolicy-always
+status:
+  ready: true

other-cel/imagepullpolicy-always/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: imagepullpolicy-always
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../imagepullpolicy-always.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: imagepullpolicy-always
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod-good.yaml
+    - apply:
+        file: podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-bad.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: podcontroller-bad.yaml

other-cel/imagepullpolicy-always/.chainsaw-test/pod-bad.yaml

@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  containers:
+    - name: pod01
+      image: busybox:latest
+      imagePullPolicy: Never
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod02
+spec:
+  containers:
+    - name: pod01
+      image: busybox
+      imagePullPolicy: IfNotPresent
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod03
+spec:
+  containers:
+    - name: pod01
+      image: busybox:latest
+      imagePullPolicy: Always
+    - name: pod02
+      image: busybox:latest
+      imagePullPolicy: IfNotPresent
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod04
+spec:
+  containers:
+    - name: pod01
+      image: busybox:latest
+      imagePullPolicy: Never
+    - name: pod02
+      image: busybox:1.35

other-cel/imagepullpolicy-always/.chainsaw-test/pod-good.yaml

@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+spec:
+  containers:
+    - name: pod01
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod02
+spec:
+  containers:
+    - name: pod01
+      image: busybox # by default, imagePullPolicy: Always
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod03
+spec:
+  containers:
+    - name: pod01
+      image: busybox:latest # by default, imagePullPolicy: Always
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod04
+spec:
+  containers:
+    - name: pod01
+      image: busybox:latest
+      imagePullPolicy: Always
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod05
+spec:
+  containers:
+    - name: pod01
+      image: busybox:latest
+      imagePullPolicy: Always
+    - name: pod02
+      image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod06
+spec:
+  containers:
+    - name: pod01
+      image: busybox:1.35
+      imagePullPolicy: IfNotPresent
+    - name: pod02
+      image: busybox:latest
+      imagePullPolicy: Always

other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-bad.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: baddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - name: bb01
+        image: busybox:1.35
+      - name: bb02
+        image: busybox:latest
+        imagePullPolicy: Never
+      - name: bb03
+        image: busybox
+        imagePullPolicy: IfNotPresent
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: bb01
+            image: busybox:latest
+            imagePullPolicy: Never
+          - name: bb02
+            image: busybox:1.35
+          - name: bb03
+            image: busybox
+            imagePullPolicy: IfNotPresent
+          restartPolicy: OnFailure

other-cel/imagepullpolicy-always/.chainsaw-test/podcontroller-good.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: gooddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - name: bb01
+        image: busybox:1.35
+      - name: bb02
+        image: busybox:latest
+      - name: bb03
+        image: busybox
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+          - name: bb01
+            image: busybox:1.35
+          - name: bb02
+            image: busybox:latest
+          - name: bb03
+            image: busybox
+          restartPolicy: OnFailure

other-cel/imagepullpolicy-always/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,33 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: imagepullpolicy-always
+policies:
+- ../imagepullpolicy-always.yaml
+resources:
+- resource.yaml
+results:
+- kind: Deployment
+  policy: imagepullpolicy-always
+  resources:
+  - mydeploy1
+  result: fail
+  rule: imagepullpolicy-always
+- kind: Pod
+  policy: imagepullpolicy-always
+  resources:
+  - myapp-pod-2
+  result: fail
+  rule: imagepullpolicy-always
+- kind: Deployment
+  policy: imagepullpolicy-always
+  resources:
+  - mydeploy2
+  result: pass
+  rule: imagepullpolicy-always
+- kind: Pod
+  policy: imagepullpolicy-always
+  resources:
+  - myapp-pod-1
+  result: pass
+  rule: imagepullpolicy-always

other-cel/imagepullpolicy-always/.kyverno-test/resource.yaml

@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod-1
+  labels:
+    app: myapp-1
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
+    imagePullPolicy: "Always"
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod-2
+  labels:
+    app: myapp-2
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mydeploy1
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+        ports:
+        - containerPort: 80
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mydeploy2
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: myapp
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+        imagePullPolicy: "Always"
+        ports:
+        - containerPort: 80

other-cel/imagepullpolicy-always/artifacthub-pkg.yml

@@ -0,0 +1,21 @@
+name: imagepullpolicy-always
+version: 1.0.0
+displayName: Require imagePullPolicy Always
+createdAt: "2023-04-10T20:30:04.000Z"
+description: >-
+  If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/imagepullpolicy-always/imagepullpolicy-always.yaml
+  ```
+keywords:
+  - kyverno
+  - Sample
+readme: |
+  If the `latest` tag is allowed for images, it is a good idea to have the imagePullPolicy field set to `Always` to ensure should that tag be overwritten that future pulls will get the updated image. This policy validates the imagePullPolicy is set to `Always` when the `latest` tag is specified explicitly or where a tag is not defined at all.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Sample"
+  kyverno/subject: "Pod"
+digest: 6c540bf67eeab51987b0021acffd73333d5eff22f14e10204b8c2c543222758d