Merge branch 'main' into convert-best-practices-to-cel

.github/workflows/test.yml

@@ -56,6 +56,7 @@ jobs:
           - ^other$/^[m-q]
           - ^other-cel$/^[m-q]
           - ^other$/^re[c-q]
+          - ^other-cel$/^re[c-q]
           - ^other$/^res
           - ^other$/^[s-z]
           - ^pod-security$
@@ -89,8 +90,6 @@ jobs:
           [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64
           chmod +x ./kind
           sudo mv ./kind /usr/local/bin/kind
-      - name: Install oras CLI
-        uses: oras-project/setup-oras@ee7dbe1144cb00080a89497f937dae78f85fce29 # v1.1.0
       - name: Install latest Kyverno CLI
         uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
       - name: Create kind cluster
@@ -110,7 +109,7 @@ jobs:
           set -e
           kubectl apply -f ./.chainsaw/crds
       - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@995cddaee7702e849270b84fa44cdcebe7462da8 # v0.1.9
+        uses: kyverno/action-install-chainsaw@ef2517389320aae0fd7c067aa14b060eef08b76d # v0.2.3
       - name: Test with Chainsaw
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

kasten/kasten-3-2-1-backup/artifacthub-pkg.yml

@@ -4,7 +4,6 @@ displayName: Check Kasten 3-2-1 Backup Policy
 createdAt: "2023-05-07T00:00:00.000Z"
 description: >-
   The 3-2-1 rule of data protection recommends that you have at least 3 copies of data, on 2 different storage targets, with 1 being offsite. This approach ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In Kubernetes, this translates to the original running resources, a local snapshot, and a copy of all application resources and volume data exported to an external repository.
-
   This policy accomplishes 3-2-1 validation by ensuring each policy contains both 'action: backup' and 'action: export'.
 install: |-
   ```shell
@@ -23,4 +22,4 @@ annotations:
   kyverno/category: "Veeam Kasten"
   kyverno/kubernetesVersion: "1.24-1.30"
   kyverno/subject: "Policy"
-digest: 45c8d345b2188ec47fe8b38a417726b7eae951edf18d770abdb602faec7d30a4
+digest: ae3f8af7d3708b5bcbc4e0a5fb368f5100441a85923dad8f096b367f279462a4

kasten/kasten-3-2-1-backup/kasten-3-2-1-backup.yaml

@@ -12,7 +12,6 @@ metadata:
     policies.kyverno.io/subject: Policy
     policies.kyverno.io/description: >-
       The 3-2-1 rule of data protection recommends that you have at least 3 copies of data, on 2 different storage targets, with 1 being offsite. This approach ensures a health mix of redundancy options for data recovery of the application for localized & multi-region cloud failures or compromise. In Kubernetes, this translates to the original running resources, a local snapshot, and a copy of all application resources and volume data exported to an external repository.
-
       This policy accomplishes 3-2-1 validation by ensuring each policy contains both 'action: backup' and 'action: export'.
 spec:
   validationFailureAction: Audit  

kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: kasten-data-protection-by-label
+status:
+  ready: true

kasten/k10-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml → kasten/kasten-data-protection-by-label/.chainsaw-test/chainsaw-test.yaml

@@ -3,19 +3,19 @@ apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
   creationTimestamp: null
-  name: k10-data-protection-by-label
+  name: kasten-data-protection-by-label
 spec:
   steps:
   - name: step-01
     try:
     - apply:
-        file: ../k10-data-protection-by-label.yaml
+        file: ../kasten-data-protection-by-label.yaml
     - patch:
         resource:
           apiVersion: kyverno.io/v1
           kind: ClusterPolicy
           metadata:
-            name: k10-data-protection-by-label
+            name: kasten-data-protection-by-label
           spec:
             validationFailureAction: Enforce
     - assert:

kasten/k10-data-protection-by-label/.chainsaw-test/deployment-good.yaml → kasten/kasten-data-protection-by-label/.chainsaw-test/deployment-good.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app: busybox
     purpose: production
-    dataprotection: k10-goldpolicy
+    dataprotection: kasten-example
 spec:
   replicas: 1
   selector:

kasten/k10-data-protection-by-label/.chainsaw-test/ss-good.yaml → kasten/kasten-data-protection-by-label/.chainsaw-test/ss-good.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: k10-dplabel-ns
   labels:
     purpose: production
-    dataprotection: k10-silverpolicy
+    dataprotection: kasten-example
 spec:
   selector:
     matchLabels:

kasten/kasten-data-protection-by-label/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,33 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: kyverno_data_protection_tests
+policies:
+- ../kasten-data-protection-by-label.yaml
+resources:
+- nginx-deployment.yaml
+results:
+- kind: Deployment
+  policy: kasten-data-protection-by-label
+  resources:
+  - nginx-deployment-invalid
+  result: fail
+  rule: kasten-data-protection-by-label
+- kind: Deployment
+  policy: kasten-data-protection-by-label
+  resources:
+  - nginx-deployment-pass
+  result: pass
+  rule: kasten-data-protection-by-label
+- kind: Deployment
+  policy: kasten-data-protection-by-label
+  resources:
+  - nginx-deployment-none
+  result: pass
+  rule: kasten-data-protection-by-label
+- kind: Deployment
+  policy: kasten-data-protection-by-label
+  resources:
+  - nginx-deployment-skipped
+  result: skip
+  rule: kasten-data-protection-by-label

kasten/kasten-data-protection-by-label/.kyverno-test/nginx-deployment.yaml

@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment-pass
+  namespace: nginx
+  labels:
+    app: nginx
+    purpose: production
+    dataprotection: kasten-example
+    immutable: enabled
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment-none
+  namespace: nginx
+  labels:
+    app: nginx
+    purpose: production
+    dataprotection: none
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment-invalid
+  namespace: nginx
+  labels:
+    app: nginx
+    purpose: production
+    dataprotection: invalid
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment-skipped
+  namespace: nginx
+  labels:
+    app: nginx
+    purpose: test
+    dataprotection: kasten-example
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80

kasten/kasten-data-protection-by-label/artifacthub-pkg.yml

@@ -0,0 +1,25 @@
+name: kasten-data-protection-by-label
+version: 1.0.1
+displayName: Check Data Protection By Label
+createdAt: "2023-05-07T00:00:00.000Z"
+description: >-
+  Check the 'dataprotection' label for production Deployments and StatefulSet workloads.
+  Use in combination with 'kasten-generate-example-backup-policy' policy to generate a Kasten policy for the workload namespace, if it doesn't already exist.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/kasten/kasten-data-protection-by-label/kasten-data-protection-by-label.yaml
+  ```
+keywords:
+  - kyverno
+  - Veeam Kasten
+readme: |
+  Check the 'dataprotection' label for production Deployments and StatefulSet workloads.
+      
+  Use in combination with 'kasten-generate-example-backup-policy' policy to generate a Kasten policy for the workload namespace, if it doesn't already exist.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Veeam Kasten"
+  kyverno/kubernetesVersion: "1.24-1.30"
+  kyverno/subject: "Deployment, StatefulSet"
+digest: 8751cca18f18d7a2cd1b923e84b805580af363b1aff8766fc4f3f231d6026601