add: policy, chainsaw test, kyverno test

nirmata · Feb 21, 2024 · bbeefc7 · bbeefc7
1 parent 106d05d
commit bbeefc7
Show file tree

Hide file tree

Showing 8 changed files with 145 additions and 0 deletions.
diff --git a/multitenancy-benchmarks/require-resource-quota/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/multitenancy-benchmarks/require-resource-quota/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-resource-quota
+status:
+  ready: true
diff --git a/multitenancy-benchmarks/require-resource-quota/.chainsaw-test/chainsaw-test.yaml b/multitenancy-benchmarks/require-resource-quota/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,30 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: require-resource-quota
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ns-good.yaml
+    - script:
+        content: |
+          sed 's/validationFailureAction: audit/validationFailureAction: Audit/' ../require-resource-quota.yaml | kubectl create -f -
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: ns-bad.yaml
+  - name: step-99
+    try:
+    - delete:
+        ref:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          name: require-resource-quota
diff --git a/multitenancy-benchmarks/require-resource-quota/.chainsaw-test/ns-bad.yaml b/multitenancy-benchmarks/require-resource-quota/.chainsaw-test/ns-bad.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bad-ns
+spec: {}
diff --git a/multitenancy-benchmarks/require-resource-quota/.chainsaw-test/ns-good.yaml b/multitenancy-benchmarks/require-resource-quota/.chainsaw-test/ns-good.yaml
@@ -0,0 +1,24 @@
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: good-ns
+spec: {}
+
+---
+
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: foo-resource-quota
+  namespace: good-ns
+spec:
+  hard:
+    cpu: "1000"
+    memory: 200Gi
+    pods: "10"
+  scopeSelector:
+    matchExpressions:
+    - operator : In
+      scopeName: PriorityClass
+      values: ["high"]
diff --git a/multitenancy-benchmarks/require-resource-quota/.kyverno-test/kyverno-test.yaml b/multitenancy-benchmarks/require-resource-quota/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,16 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: require-resource-quota
+policies:
+- ../require-resource-quota.yaml
+resources:
+- resource.yaml
+results:
+- kind: Namespace
+  policy: require-resource-quota
+  resources:
+  - ns-resource-quota
+  result: fail
+  rule: require-resource-quota
+variables: values.yaml
diff --git a/multitenancy-benchmarks/require-resource-quota/.kyverno-test/resource.yaml b/multitenancy-benchmarks/require-resource-quota/.kyverno-test/resource.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ns-resource-quota
+spec: {}
diff --git a/multitenancy-benchmarks/require-resource-quota/.kyverno-test/values.yaml b/multitenancy-benchmarks/require-resource-quota/.kyverno-test/values.yaml
@@ -0,0 +1,8 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+policies:
+- name: require-resource-quota
+  rules:
+  - name: require-resource-quota
+    values:
+      policies_count: "0"
diff --git a/multitenancy-benchmarks/require-resource-quota/require-resource-quota.yaml b/multitenancy-benchmarks/require-resource-quota/require-resource-quota.yaml
@@ -0,0 +1,51 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: require-resource-quota
+  annotations:
+    policies.kyverno.io/title: Require Resource Quota
+    policies.kyverno.io/category: Multitenancy Benchmarks
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Namespace
+    policies.kyverno.io/description: >-
+      In cases such as multi-tenancy where new Namespaces must be fully
+      provisioned before they can be used, it may not be easy to declare and
+      understand if/when the Namespace is ready. Having a policy which defines
+      all the resources which are required for each Namespace can assist in determining
+      compliance. This policy, expected to be run in background mode only, performs a Namespace
+      check to ensure that all Namespaces have a ResourceQuota.
+      Additional rules may be written to extend the check for your needs. By default, background
+      scans occur every one hour which may be changed with an additional container flag. Please
+      see the installation documentation for details.
+spec:
+  background: true
+  validationFailureAction: Audit
+  rules:
+  - name: resourcequotas
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+          - kube-public
+          - kube-node-lease
+          - kyverno
+    context:
+    - name: resourcequotas
+      apiCall:
+        urlPath: "/api/v1/namespaces/{{request.object.metadata.name}}/resourcequotas"
+        jmesPath: "items[] | length(@)"
+    validate:
+      message: "Every Namespace must have at least one ResourceQuota."
+      deny:
+        conditions:
+          all:
+          - key: "{{ resourcequotas }}"
+            operator: Equals
+            value: 0
+