feat: add best practices check-deprecated-apis policy in CEL expressions #1042

Merged
merged 7 commits into from
Aug 2, 2024
convert policy
Signed-off-by: Chandan-DK <chandandk468@gmail.com>
Chandan-DK committed May 31, 2024
commit b7295d1332ba057f9cb64e1ec73d102f826aeb83
19 changes: 10 additions & 9 deletions best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml
@@ -1,22 +1,23 @@
name: check-deprecated-apis
name: check-deprecated-apis-cel
version: 1.0.0
displayName: Check deprecated APIs
createdAt: "2023-04-10T19:47:15.000Z"
displayName: Check deprecated APIs in CEL expressions
description: >-
Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out due to a check for this kind having a performance penalty on Kubernetes clusters with many leases. Its enabling should be attended carefully and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/check-deprecated-apis/check-deprecated-apis.yaml
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
```
keywords:
- kyverno
- Best Practices
- CEL Expressions
readme: |
Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out due to a check for this kind having a performance penalty on Kubernetes clusters with many leases. Its enabling should be attended carefully and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+.

Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/category: "Best Practices in CEL"
kyverno/kubernetesVersion: "1.26-1.27"
kyverno/subject: "Kubernetes APIs"
digest: 9dedc3fa982568993975fdc213018f1eca5e0a6bea9bab2111bcfb5b86cdbb7a
digest: da368de7982e748983a14198e8f8ef46d455023e8938031444f832919fabba6e
createdAt: "2024-05-31T09:44:23Z"
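Review bot: the package `name` gains a `-cel` suffix and the install URL moves under `best-practices-cel/`, but the ClusterPolicy it installs keeps `metadata.name: check-deprecated-apis` (visible as unchanged context in the policy file diff on this page), so this package and the original cannot be installed in the same cluster; if that is intended, say so in the readme. The description also drops the "requires Kyverno v1.7.4+" sentence without stating the new floor, even though the policy now sets `kyverno.io/kyverno-version: 1.12.1`; add a sentence such as "This policy requires Kyverno v1.12.1+ to function properly" to both `description` and `readme` so Artifact Hub users see it before installing.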
110 changes: 42 additions & 68 deletions best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
@@ -3,25 +3,20 @@ kind: ClusterPolicy
metadata:
name: check-deprecated-apis
annotations:
policies.kyverno.io/title: Check deprecated APIs
policies.kyverno.io/category: Best Practices
policies.kyverno.io/title: Check deprecated APIs in CEL expressions
policies.kyverno.io/category: Best Practices in CEL
policies.kyverno.io/subject: Kubernetes APIs
kyverno.io/kyverno-version: 1.7.4
policies.kyverno.io/minversion: 1.7.4
kyverno.io/kubernetes-version: "1.23"
kyverno.io/kyverno-version: 1.12.1
kyverno.io/kubernetes-version: "1.26-1.27"
policies.kyverno.io/description: >-
Kubernetes APIs are sometimes deprecated and removed after a few releases.
As a best practice, older API versions should be replaced with newer versions.
This policy validates for APIs that are deprecated or scheduled for removal.
Note that checking for some of these resources may require modifying the Kyverno
ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind
has been commented out due to a check for this kind having a performance penalty
on Kubernetes clusters with many leases. Its enabling should be attended carefully
and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25
ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25
so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
This policy requires Kyverno v1.7.4+ to function properly.
spec:
validationFailureAction: audit
validationFailureAction: Audit
background: true
rules:
- name: validate-v1-25-removals
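Review bot: `policies.kyverno.io/minversion: 1.7.4` is deleted rather than bumped, while `kyverno.io/kyverno-version` is raised to 1.12.1; keep the annotation as `policies.kyverno.io/minversion: 1.12.1`, because the description in this same hunk no longer mentions any minimum Kyverno version, leaving that annotation as the only machine-readable statement of the floor. The `audit` to `Audit` change in `validationFailureAction` is the right capitalisation for the current enum values.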
@@ -36,24 +31,16 @@ spec:
- policy/*/PodDisruptionBudget
- policy/*/PodSecurityPolicy
- node.k8s.io/*/RuntimeClass
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
- key: "{{request.object.apiVersion}}"
operator: AnyIn
value:
- batch/v1beta1
- discovery.k8s.io/v1beta1
- events.k8s.io/v1beta1
- policy/v1beta1
- node.k8s.io/v1beta1
celPreconditions:
- name: "allowed-api-versions"
expression: "object.apiVersion in ['batch/v1beta1', 'discovery.k8s.io/v1beta1', 'events.k8s.io/v1beta1', 'policy/v1beta1', 'node.k8s.io/v1beta1']"
validate:
message: >-
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
deny: {}
cel:
expressions:
- expression: "false"
messageExpression: >-
object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.25.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
- name: validate-v1-26-removals
match:
any:
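Review bot: the removed JMESPath preconditions excluded DELETE requests (`{{ request.operation || 'BACKGROUND' }}` NotEquals `DELETE`), but the replacement `celPreconditions` entry only checks `object.apiVersion`, so the rule now also runs on deletes. On a DELETE the admission `object` is empty, so the expression either fails to evaluate or, if the old object is substituted, denies deletion of exactly the deprecated resources the policy wants removed; restore the exclusion, e.g. `expression: "request.operation != 'DELETE' && object.apiVersion in ['batch/v1beta1', ...]"`, or restrict `match` to CREATE and UPDATE operations. Separately, `"allowed-api-versions"` is a misleading name for a list of versions being rejected; `deprecated-api-versions` reads better.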
@@ -62,60 +49,47 @@ spec:
- flowcontrol.apiserver.k8s.io/*/FlowSchema
- flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
- autoscaling/*/HorizontalPodAutoscaler
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
- key: "{{request.object.apiVersion}}"
operator: AnyIn
value:
- flowcontrol.apiserver.k8s.io/v1beta1
- autoscaling/v2beta2
celPreconditions:
- name: "allowed-api-versions"
expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta1', 'autoscaling/v2beta2']"
validate:
message: >-
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
deny: {}
cel:
expressions:
- expression: "false"
messageExpression: >-
object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.26.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
- name: validate-v1-27-removals
match:
any:
- resources:
kinds:
- storage.k8s.io/*/CSIStorageCapacity
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
- key: "{{request.object.apiVersion}}"
operator: AnyIn
value:
- storage.k8s.io/v1beta1
celPreconditions:
- name: "allowed-api-versions"
expression: "object.apiVersion in ['storage.k8s.io/v1beta1']"
validate:
message: >-
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
deny: {}
cel:
expressions:
- expression: "false"
messageExpression: >-
object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.27.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
- name: validate-v1-29-removals
match:
any:
- resources:
kinds:
- flowcontrol.apiserver.k8s.io/*/FlowSchema
- flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
preconditions:
all:
- key: "{{ request.operation || 'BACKGROUND' }}"
operator: NotEquals
value: DELETE
- key: "{{request.object.apiVersion}}"
operator: AnyIn
value:
- flowcontrol.apiserver.k8s.io/v1beta2
celPreconditions:
- name: "object.apiVersion"
expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta2']"
validate:
message: >-
{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
deny: {}
cel:
expressions:
- expression: "false"
messageExpression: >-
object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.29.
See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
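Review bot: the v1.29 rule names its precondition `"object.apiVersion"` while the v1.26 and v1.27 rules use `"allowed-api-versions"`; use one name for all rules in the file, ideally `deprecated-api-versions`, since each list holds the versions the rule rejects. The three rules in this hunk also each drop a `request.operation ... NotEquals DELETE` precondition with no CEL counterpart, so deletes of deprecated-API objects are now evaluated (and, with `expression: "false"`, potentially denied) instead of being allowed as before; prefix each expression with `request.operation != 'DELETE' && ` to keep the original behaviour.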