From 33b39e14c906837b5bd409e63a9cf878890893bc Mon Sep 17 00:00:00 2001 From: Paul Krizak Date: Thu, 26 Oct 2023 17:49:26 -0700 Subject: [PATCH 1/6] Fix replicalimits ConstraintTemplate to handle scaling to zero properly. Fixes #419 Signed-off-by: Paul Krizak --- .../samples/replicalimits/constraint.yaml | 2 ++ .../replicalimits/example_scale_allowed.yaml | 6 ++++ .../example_scale_disallowed.yaml | 6 ++++ .../replicalimits_zero/constraint.yaml | 15 ++++++++++ .../replicalimits_zero/example_allowed.yaml | 19 +++++++++++++ .../example_disallowed.yaml | 19 +++++++++++++ .../example_scale_allowed.yaml | 7 +++++ .../example_scale_disallowed.yaml | 6 ++++ library/general/replicalimits/suite.yaml | 28 +++++++++++++++++++ library/general/replicalimits/template.yaml | 4 +-- src/general/replicalimits/constraint.tmpl | 2 +- src/general/replicalimits/src.rego | 2 +- src/general/replicalimits/src_test.rego | 22 +++++++++++++-- website/docs/validation/replicalimits.md | 4 +-- 14 files changed, 133 insertions(+), 9 deletions(-) create mode 100644 library/general/replicalimits/samples/replicalimits/example_scale_allowed.yaml create mode 100644 library/general/replicalimits/samples/replicalimits/example_scale_disallowed.yaml create mode 100644 library/general/replicalimits/samples/replicalimits_zero/constraint.yaml create mode 100644 library/general/replicalimits/samples/replicalimits_zero/example_allowed.yaml create mode 100644 library/general/replicalimits/samples/replicalimits_zero/example_disallowed.yaml create mode 100644 library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed.yaml create mode 100644 library/general/replicalimits/samples/replicalimits_zero/example_scale_disallowed.yaml diff --git a/library/general/replicalimits/samples/replicalimits/constraint.yaml b/library/general/replicalimits/samples/replicalimits/constraint.yaml index b496235f3..db3488afe 100644 --- a/library/general/replicalimits/samples/replicalimits/constraint.yaml 
+++ b/library/general/replicalimits/samples/replicalimits/constraint.yaml @@ -7,6 +7,8 @@ spec: kinds: - apiGroups: ["apps"] kinds: ["Deployment"] + - apiGroups: ["autoscaling"] + kinds: ["Scale"] parameters: ranges: - min_replicas: 3 diff --git a/library/general/replicalimits/samples/replicalimits/example_scale_allowed.yaml b/library/general/replicalimits/samples/replicalimits/example_scale_allowed.yaml new file mode 100644 index 000000000..4ec230bd3 --- /dev/null +++ b/library/general/replicalimits/samples/replicalimits/example_scale_allowed.yaml @@ -0,0 +1,6 @@ +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +spec: + replicas: 3 diff --git a/library/general/replicalimits/samples/replicalimits/example_scale_disallowed.yaml b/library/general/replicalimits/samples/replicalimits/example_scale_disallowed.yaml new file mode 100644 index 000000000..7baf42c62 --- /dev/null +++ b/library/general/replicalimits/samples/replicalimits/example_scale_disallowed.yaml @@ -0,0 +1,6 @@ +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +spec: + replicas: 100 diff --git a/library/general/replicalimits/samples/replicalimits_zero/constraint.yaml b/library/general/replicalimits/samples/replicalimits_zero/constraint.yaml new file mode 100644 index 000000000..28f0b6d09 --- /dev/null +++ b/library/general/replicalimits/samples/replicalimits_zero/constraint.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sReplicaLimits +metadata: + name: replica-limits +spec: + match: + kinds: + - apiGroups: ["apps"] + kinds: ["Deployment"] + - apiGroups: ["autoscaling"] + kinds: ["Scale"] + parameters: + ranges: + - min_replicas: 0 + max_replicas: 50 diff --git a/library/general/replicalimits/samples/replicalimits_zero/example_allowed.yaml b/library/general/replicalimits/samples/replicalimits_zero/example_allowed.yaml new file mode 100644 index 000000000..ac33574d9 --- /dev/null 
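Review bot: Adding `autoscaling`/`Scale` to `spec.match.kinds` only closes the `kubectl scale` bypass if Gatekeeper's ValidatingWebhookConfiguration rules actually cover the `scale` subresource; a webhook rule listing `resources: ["*"]` matches resources but not their subresources, so Scale requests would never reach the policy and the new match entry would be inert at admission time. The webhook manifest is not part of this patch, so this needs confirming against the installed Gatekeeper (`*/*` or an explicit `deployments/scale` rule). A one-line comment above the new entry would save the next operator the surprise, e.g. `# Scale requests are only evaluated if the webhook rules include the scale subresource (e.g. */*)`.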
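Review bot: `example_scale_disallowed.yaml` carries `metadata.name: allowed-deployment`, and since the violation message is built from `object_name` (`... not allowed for Scale: allowed-deployment ...`), the denial for the disallowed sample reads as if the allowed one failed. Rename it `name: disallowed-deployment` to match the Deployment samples; the same copy exists in the `replicalimits_zero` directory.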
+++ b/library/general/replicalimits/samples/replicalimits_zero/example_allowed.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: allowed-deployment +spec: + selector: + matchLabels: + app: nginx + replicas: 0 + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/library/general/replicalimits/samples/replicalimits_zero/example_disallowed.yaml b/library/general/replicalimits/samples/replicalimits_zero/example_disallowed.yaml new file mode 100644 index 000000000..1c4899d20 --- /dev/null +++ b/library/general/replicalimits/samples/replicalimits_zero/example_disallowed.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment +spec: + selector: + matchLabels: + app: nginx + replicas: 100 + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed.yaml b/library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed.yaml new file mode 100644 index 000000000..55cef478b --- /dev/null +++ b/library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed.yaml @@ -0,0 +1,7 @@ +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +# kubectl scale deploy --replicas=0 creates a Scale +# resource with an empty spec, not replicas:0 +spec: {} diff --git a/library/general/replicalimits/samples/replicalimits_zero/example_scale_disallowed.yaml b/library/general/replicalimits/samples/replicalimits_zero/example_scale_disallowed.yaml new file mode 100644 index 000000000..7baf42c62 --- /dev/null +++ b/library/general/replicalimits/samples/replicalimits_zero/example_scale_disallowed.yaml 
@@ -0,0 +1,6 @@ +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +spec: + replicas: 100 diff --git a/library/general/replicalimits/suite.yaml b/library/general/replicalimits/suite.yaml index 598efb814..5790e3add 100644 --- a/library/general/replicalimits/suite.yaml +++ b/library/general/replicalimits/suite.yaml @@ -11,7 +11,35 @@ tests: object: samples/replicalimits/example_allowed.yaml assertions: - violations: no + - name: example-scale-allowed + object: samples/replicalimits/example_scale_allowed.yaml + assertions: + - violations: no - name: example-disallowed object: samples/replicalimits/example_disallowed.yaml assertions: - violations: yes + - name: example-scale-disallowed + object: samples/replicalimits/example_scale_disallowed.yaml + assertions: + - violations: yes +- name: replica-limit-zero + template: template.yaml + constraint: samples/replicalimits_zero/constraint.yaml + cases: + - name: example-allowed + object: samples/replicalimits_zero/example_allowed.yaml + assertions: + - violations: no + - name: example-scale-allowed + object: samples/replicalimits_zero/example_scale_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/replicalimits_zero/example_disallowed.yaml + assertions: + - violations: yes + - name: example-scale-disallowed + object: samples/replicalimits_zero/example_scale_disallowed.yaml + assertions: + - violations: yes diff --git a/library/general/replicalimits/template.yaml b/library/general/replicalimits/template.yaml index 540abc67f..4fee9e4ea 100644 --- a/library/general/replicalimits/template.yaml +++ b/library/general/replicalimits/template.yaml 
@@ -4,7 +4,7 @@ metadata: name: k8sreplicalimits annotations: metadata.gatekeeper.sh/title: "Replica Limits" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.1.0 description: >- Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. @@ -46,7 +46,7 @@ spec: } input_replica_limit(spec) { - provided := input.review.object.spec.replicas + provided := object.get(spec, "replicas", 0) count(input.parameters.ranges) > 0 range := input.parameters.ranges[_] value_within_range(range, provided) diff --git a/src/general/replicalimits/constraint.tmpl b/src/general/replicalimits/constraint.tmpl index 2b4dc9183..657a3b528 100644 --- a/src/general/replicalimits/constraint.tmpl +++ b/src/general/replicalimits/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8sreplicalimits annotations: metadata.gatekeeper.sh/title: "Replica Limits" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.1.0 description: >- Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. diff --git a/src/general/replicalimits/src.rego b/src/general/replicalimits/src.rego index 796000da2..4a2666d71 100644 --- a/src/general/replicalimits/src.rego +++ b/src/general/replicalimits/src.rego @@ -10,7 +10,7 @@ violation[{"msg": msg}] { } input_replica_limit(spec) { - provided := input.review.object.spec.replicas + provided := object.get(spec, "replicas", 0) count(input.parameters.ranges) > 0 range := input.parameters.ranges[_] value_within_range(range, provided) diff --git a/src/general/replicalimits/src_test.rego b/src/general/replicalimits/src_test.rego index 26a9a201b..dc4e6ad4a 100644 --- a/src/general/replicalimits/src_test.rego +++ b/src/general/replicalimits/src_test.rego @@ -51,6 +51,7 @@ empty = { } review(replicas) = output { + replicas > 0 output = { "kind": { "kind": "Deployment", 
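Review bot: `provided := object.get(spec, "replicas", 0)` changes the policy's fail mode: previously an object with no `spec.replicas` left `input_replica_limit` undefined and was rejected, now it is treated as 0 and admitted whenever a range includes 0. The zero default is right for `autoscaling/v1 Scale`, whose serializer drops `replicas: 0` (the new sample's comment says as much), but it is applied to every kind the constraint matches; for a Deployment the API server defaults an omitted `replicas` to 1 before admission, so at admission this is likely harmless, but for audit of stored or raw manifests, or other kinds a user adds to `match`, 0 may not be the value that takes effect. Consider scoping the default to the Scale kind so other kinds keep failing closed, e.g. `provided := object.get(spec, "replicas", default_replicas)` with `default_replicas = 0 { object_kind == "Scale" }`, or at minimum comment the assumption: `# a missing spec.replicas is treated as 0 because autoscaling/v1 Scale omits the field when replicas == 0`.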
@@ -58,16 +59,31 @@ review(replicas) = output { "group": "apps", }, "object": { - "metadata": { + "metadata": { "name": "nginx" - }, + }, "spec": { "replicas": replicas, }, } } } - +review(replicas) = output { + replicas == 0 + output = { + "kind": { + "kind": "Deployment", + "version": "v1", + "group": "apps", + }, + "object": { + "metadata": { + "name": "nginx" + }, + "spec": { }, + } + } +} input_parameters_valid_range = { "ranges": [ { diff --git a/website/docs/validation/replicalimits.md b/website/docs/validation/replicalimits.md index 74e16a4dd..4f458dd2b 100644 --- a/website/docs/validation/replicalimits.md +++ b/website/docs/validation/replicalimits.md @@ -16,7 +16,7 @@ metadata: name: k8sreplicalimits annotations: metadata.gatekeeper.sh/title: "Replica Limits" - metadata.gatekeeper.sh/version: 1.0.1 + metadata.gatekeeper.sh/version: 1.1.0 description: >- Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. @@ -58,7 +58,7 @@ spec: } input_replica_limit(spec) { - provided := input.review.object.spec.replicas + provided := object.get(spec, "replicas", 0) count(input.parameters.ranges) > 0 range := input.parameters.ranges[_] value_within_range(range, provided) From f1d93280deed2920d0f4e90e86791d7b5e74fa5c Mon Sep 17 00:00:00 2001 From: Paul Krizak Date: Fri, 27 Oct 2023 15:43:13 -0700 Subject: [PATCH 2/6] Add missing build artifacts 
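Review bot: The new `review(replicas)` branch for `replicas == 0` builds an object with an empty `spec`, so the unit tests now cover the omitted-field case but none of them exercises an explicit `spec.replicas: 0`, which is what a Deployment manifest carries and what PATCH 3's second sample targets. Add a fixture with `"spec": {"replicas": 0}` and a test asserting no violation under a range whose `min_replicas` is 0, so the two forms of zero are pinned independently. Also, the split into `replicas > 0` and `replicas == 0` leaves `review` undefined for a negative argument; `replicas != 0` in the first branch keeps the helper total. The `review` helper starts in this hunk but the tests that call it are outside it.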
Signed-off-by: Paul Krizak --- .../replicalimits/1.1.0/artifacthub-pkg.yml | 22 +++ .../replicalimits/1.1.0/kustomization.yaml | 2 + .../samples/replicalimits/constraint.yaml | 15 ++ .../replicalimits/example_allowed.yaml | 19 ++ .../replicalimits/example_disallowed.yaml | 19 ++ .../replicalimits/example_scale_allowed.yaml | 6 + .../example_scale_disallowed.yaml | 6 + .../replicalimits_zero/constraint.yaml | 15 ++ .../replicalimits_zero/example_allowed.yaml | 19 ++ .../example_disallowed.yaml | 19 ++ .../example_scale_allowed.yaml | 7 + .../example_scale_disallowed.yaml | 6 + .../general/replicalimits/1.1.0/suite.yaml | 45 +++++ .../general/replicalimits/1.1.0/template.yaml | 58 ++++++ website/docs/validation/replicalimits.md | 184 ++++++++++++++++++ 15 files changed, 442 insertions(+) create mode 100644 artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml 
create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/suite.yaml create mode 100644 artifacthub/library/general/replicalimits/1.1.0/template.yaml diff --git a/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml b/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml new file mode 100644 index 000000000..1d7aa86dd --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +version: 1.1.0 +name: k8sreplicalimits +displayName: Replica Limits +createdAt: "2023-10-27T22:42:28Z" +description: Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. +digest: 30c15576b26d9b879d5c2486f72478a36e39404510117734cb11f8570a2285a7 +license: Apache-2.0 +homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/replicalimits +keywords: + - gatekeeper + - open-policy-agent + - policies +readme: |- + # Replica Limits + Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. +install: |- + ### Usage + ```shell + kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/replicalimits/1.1.0/template.yaml + ``` +provider: + name: Gatekeeper Library diff --git a/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml b/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml new file mode 100644 index 000000000..7d70d11b7 --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - template.yaml 
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml new file mode 100644 index 000000000..db3488afe --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sReplicaLimits +metadata: + name: replica-limits +spec: + match: + kinds: + - apiGroups: ["apps"] + kinds: ["Deployment"] + - apiGroups: ["autoscaling"] + kinds: ["Scale"] + parameters: + ranges: + - min_replicas: 3 + max_replicas: 50 diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml new file mode 100644 index 000000000..f5a2b1d8c --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: allowed-deployment +spec: + selector: + matchLabels: + app: nginx + replicas: 3 + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml new file mode 100644 index 000000000..1c4899d20 --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment +spec: + selector: + matchLabels: + app: nginx + replicas: 100 + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml new file mode 100644 index 000000000..4ec230bd3 --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml @@ -0,0 +1,6 @@ +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +spec: + replicas: 3 diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml new file mode 100644 index 000000000..7baf42c62 --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml @@ -0,0 +1,6 @@ +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +spec: + replicas: 100 diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml new file mode 100644 index 000000000..28f0b6d09 --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sReplicaLimits +metadata: + name: replica-limits +spec: + match: + kinds: + - apiGroups: ["apps"] + kinds: ["Deployment"] + - apiGroups: ["autoscaling"] + kinds: ["Scale"] + parameters: + ranges: + - min_replicas: 0 + max_replicas: 50 diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml new file mode 100644 index 000000000..ac33574d9 --- /dev/null 
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: allowed-deployment +spec: + selector: + matchLabels: + app: nginx + replicas: 0 + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml new file mode 100644 index 000000000..1c4899d20 --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment +spec: + selector: + matchLabels: + app: nginx + replicas: 100 + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml new file mode 100644 index 000000000..55cef478b --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml @@ -0,0 +1,7 @@ +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +# kubectl scale deploy --replicas=0 creates a Scale +# resource with an empty spec, not replicas:0 +spec: {} diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml new file mode 100644 index 000000000..7baf42c62 --- /dev/null 
+++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml @@ -0,0 +1,6 @@ +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +spec: + replicas: 100 diff --git a/artifacthub/library/general/replicalimits/1.1.0/suite.yaml b/artifacthub/library/general/replicalimits/1.1.0/suite.yaml new file mode 100644 index 000000000..5790e3add --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/suite.yaml @@ -0,0 +1,45 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: replicalimits +tests: +- name: replica-limit + template: template.yaml + constraint: samples/replicalimits/constraint.yaml + cases: + - name: example-allowed + object: samples/replicalimits/example_allowed.yaml + assertions: + - violations: no + - name: example-scale-allowed + object: samples/replicalimits/example_scale_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/replicalimits/example_disallowed.yaml + assertions: + - violations: yes + - name: example-scale-disallowed + object: samples/replicalimits/example_scale_disallowed.yaml + assertions: + - violations: yes +- name: replica-limit-zero + template: template.yaml + constraint: samples/replicalimits_zero/constraint.yaml + cases: + - name: example-allowed + object: samples/replicalimits_zero/example_allowed.yaml + assertions: + - violations: no + - name: example-scale-allowed + object: samples/replicalimits_zero/example_scale_allowed.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/replicalimits_zero/example_disallowed.yaml + assertions: + - violations: yes + - name: example-scale-disallowed + object: samples/replicalimits_zero/example_scale_disallowed.yaml + assertions: + - violations: yes 
diff --git a/artifacthub/library/general/replicalimits/1.1.0/template.yaml b/artifacthub/library/general/replicalimits/1.1.0/template.yaml new file mode 100644 index 000000000..4fee9e4ea --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/template.yaml @@ -0,0 +1,58 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8sreplicalimits + annotations: + metadata.gatekeeper.sh/title: "Replica Limits" + metadata.gatekeeper.sh/version: 1.1.0 + description: >- + Requires that objects with the field `spec.replicas` (Deployments, + ReplicaSets, etc.) specify a number of replicas within defined ranges. +spec: + crd: + spec: + names: + kind: K8sReplicaLimits + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + properties: + ranges: + type: array + description: Allowed ranges for numbers of replicas. Values are inclusive. + items: + type: object + description: A range of allowed replicas. Values are inclusive. + properties: + min_replicas: + description: The minimum number of replicas allowed, inclusive. + type: integer + max_replicas: + description: The maximum number of replicas allowed, inclusive. + type: integer + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sreplicalimits + + object_name = input.review.object.metadata.name + object_kind = input.review.kind.kind + + violation[{"msg": msg}] { + spec := input.review.object.spec + not input_replica_limit(spec) + msg := sprintf("The provided number of replicas is not allowed for %v: %v. Allowed ranges: %v", [object_kind, object_name, input.parameters]) + } + + input_replica_limit(spec) { + provided := object.get(spec, "replicas", 0) + count(input.parameters.ranges) > 0 + range := input.parameters.ranges[_] + value_within_range(range, provided) + } + + value_within_range(range, value) { + range.min_replicas <= value + range.max_replicas >= value + } 
diff --git a/website/docs/validation/replicalimits.md b/website/docs/validation/replicalimits.md index 4f458dd2b..343e99059 100644 --- a/website/docs/validation/replicalimits.md +++ b/website/docs/validation/replicalimits.md @@ -92,6 +92,8 @@ spec: kinds: - apiGroups: ["apps"] kinds: ["Deployment"] + - apiGroups: ["autoscaling"] + kinds: ["Scale"] parameters: ranges: - min_replicas: 3 @@ -139,6 +141,26 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits/example_allowed.yaml ``` + +
+example-scale-allowed + +```yaml +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +spec: + replicas: 3 + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits/example_scale_allowed.yaml +``` +
example-disallowed @@ -172,6 +194,168 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits/example_disallowed.yaml ``` +
+
+example-scale-disallowed + +```yaml +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +spec: + replicas: 100 + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits/example_scale_disallowed.yaml +``` + +
+ + +
+replica-limit-zero
+ +
+constraint + +```yaml +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sReplicaLimits +metadata: + name: replica-limits +spec: + match: + kinds: + - apiGroups: ["apps"] + kinds: ["Deployment"] + - apiGroups: ["autoscaling"] + kinds: ["Scale"] + parameters: + ranges: + - min_replicas: 0 + max_replicas: 50 + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits_zero/constraint.yaml +``` + +
+ +
+example-allowed + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: allowed-deployment +spec: + selector: + matchLabels: + app: nginx + replicas: 0 + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits_zero/example_allowed.yaml +``` + +
+
+example-scale-allowed + +```yaml +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +# kubectl scale deploy --replicas=0 creates a Scale +# resource with an empty spec, not replicas:0 +spec: {} + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed.yaml +``` + +
+
+example-disallowed + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: disallowed-deployment +spec: + selector: + matchLabels: + app: nginx + replicas: 100 + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits_zero/example_disallowed.yaml +``` + +
+
+example-scale-disallowed + +```yaml +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +spec: + replicas: 100 + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits_zero/example_scale_disallowed.yaml +``` +
From 68ff2ce9f1b4df2b06055856559a4aee869054ab Mon Sep 17 00:00:00 2001 From: Paul Krizak Date: Fri, 27 Oct 2023 20:26:42 -0700 Subject: [PATCH 3/6] Add explicit test for spec.replicas=0 Signed-off-by: Paul Krizak --- .../replicalimits_zero/example_scale_allowed2.yaml | 8 ++++++++ library/general/replicalimits/suite.yaml | 4 ++++ 2 files changed, 12 insertions(+) create mode 100644 library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed2.yaml diff --git a/library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed2.yaml b/library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed2.yaml new file mode 100644 index 000000000..0beba2784 --- /dev/null +++ b/library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed2.yaml @@ -0,0 +1,8 @@ +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +# kubectl scale deploy --replicas=0 creates a Scale +# resource with an empty spec, not replicas:0 +spec: + replicas: 0 diff --git a/library/general/replicalimits/suite.yaml b/library/general/replicalimits/suite.yaml index 5790e3add..c5a7b480a 100644 --- a/library/general/replicalimits/suite.yaml +++ b/library/general/replicalimits/suite.yaml @@ -35,6 +35,10 @@ tests: object: samples/replicalimits_zero/example_scale_allowed.yaml assertions: - violations: no + - name: example-scale-allowed + object: samples/replicalimits_zero/example_scale_allowed2.yaml + assertions: + - violations: no - name: example-disallowed object: samples/replicalimits_zero/example_disallowed.yaml assertions: From 90ee21f1cf39bb9182791893280150e5ba4ad56a Mon Sep 17 00:00:00 2001 
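Review bot: The comment copied into `example_scale_allowed2.yaml` contradicts the file under it: it says `kubectl scale --replicas=0` yields an empty spec, not `replicas: 0`, while this sample is exactly the explicit `replicas: 0` form. Replace it with what this file demonstrates, e.g. `# explicit replicas: 0 in a Scale spec must be accepted when a range has min_replicas: 0`, so the two samples read as the pair they are. The sample is added only under `library/`; the `artifacthub/.../1.1.0/samples` copy and the website docs from PATCH 2 do not include it, which the regeneration in PATCH 4 presumably picks up — worth confirming.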
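Review bot: The new suite case reuses the name `example-scale-allowed` already used two entries above for `example_scale_allowed.yaml`, so the two cases are indistinguishable in gator output and a failure in one cannot be told from the other. Give it a distinct name, e.g. `- name: example-scale-allowed-explicit-zero`. The `replica-limit-zero` test this case belongs to begins outside the hunk.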
From: Paul Krizak Date: Sun, 5 Nov 2023 10:28:02 -0800 Subject: [PATCH 4/6] Sync with upstream and rerun docker build --build-arg GOMPLATE_VERSION=3.11.5 -f build/gomplate/Dockerfile -t gomplate-container . Sending build context to Docker daemon 6.362MB Step 1/6 : FROM golang:1.20@sha256:cfc9d1b07b1ef4f7a4571f0b60a99646a92ef76adb7d9943f4cb7b606c6554e2 ---> e69c1df674bc Step 2/6 : ARG GOMPLATE_VERSION ---> Using cache ---> 751f5c31a643 Step 3/6 : RUN go install github.com/hairyhenderson/gomplate/v3/cmd/gomplate@v${GOMPLATE_VERSION} ---> Using cache ---> d93d01668b95 Step 4/6 : RUN mkdir /gatekeeper-library ---> Using cache ---> 7e08e5a42a41 Step 5/6 : WORKDIR /gatekeeper-library ---> Using cache ---> 2f47b827d027 Step 6/6 : ENTRYPOINT ["/bin/bash"] ---> Using cache ---> 72ede59d508b Successfully built 72ede59d508b Successfully tagged gomplate-container:latest docker run \ -u 1000:1000 \ -v /tmp/gatekeeper-library:/gatekeeper-library \ gomplate-container ./scripts/generate.sh Generating library/pod-security-policy/selinux/template.yaml Generating library/pod-security-policy/host-filesystem/template.yaml Generating library/pod-security-policy/forbidden-sysctls/template.yaml Generating library/pod-security-policy/users/template.yaml Generating library/pod-security-policy/fsgroup/template.yaml Generating library/pod-security-policy/host-network-ports/template.yaml Generating library/pod-security-policy/flexvolume-drivers/template.yaml Generating library/pod-security-policy/privileged-containers/template.yaml Generating library/pod-security-policy/allow-privilege-escalation/template.yaml Generating library/pod-security-policy/apparmor/template.yaml Generating library/pod-security-policy/capabilities/template.yaml Generating library/pod-security-policy/host-namespaces/template.yaml Generating library/pod-security-policy/seccomp/template.yaml Generating library/pod-security-policy/proc-mount/template.yaml Generating library/pod-security-policy/volumes/template.yaml 
Generating library/pod-security-policy/read-only-root-filesystem/template.yaml Generating library/general/allowedrepos/template.yaml Generating library/general/containerlimits/template.yaml Generating library/general/block-wildcard-ingress/template.yaml Generating library/general/disallowedrepos/template.yaml Generating library/general/poddisruptionbudget/template.yaml Generating library/general/uniqueingresshost/template.yaml Generating library/general/containerrequests/template.yaml Generating library/general/block-endpoint-edit-default-role/template.yaml Generating library/general/uniqueserviceselector/template.yaml Generating library/general/block-loadbalancer-services/template.yaml Generating library/general/replicalimits/template.yaml Generating library/general/horizontalpodautoscaler/template.yaml Generating library/general/externalip/template.yaml Generating library/general/imagedigests/template.yaml Generating library/general/httpsonly/template.yaml Generating library/general/block-nodeport-services/template.yaml Generating library/general/storageclass/template.yaml Generating library/general/automount-serviceaccount-token/template.yaml Generating library/general/ephemeralstoragelimit/template.yaml Generating library/general/disallowedtags/template.yaml Generating library/general/requiredlabels/template.yaml Generating library/general/noupdateserviceaccount/template.yaml Generating library/general/verifydeprecatedapi/template.yaml Generating library/general/requiredannotations/template.yaml Generating library/general/disallowanonymous/template.yaml Generating library/general/containerresources/template.yaml Generating library/general/containerresourceratios/template.yaml Generating library/general/requiredprobes/template.yaml cd /tmp/gatekeeper-library/scripts/website; go run generate.go Generating markdown for /tmp/gatekeeper-library/library/general/allowedrepos Generating markdown for /tmp/gatekeeper-library/library/general/automount-serviceaccount-token 
Generating markdown for /tmp/gatekeeper-library/library/general/block-endpoint-edit-default-role Generating markdown for /tmp/gatekeeper-library/library/general/block-loadbalancer-services Generating markdown for /tmp/gatekeeper-library/library/general/block-nodeport-services Generating markdown for /tmp/gatekeeper-library/library/general/block-wildcard-ingress Generating markdown for /tmp/gatekeeper-library/library/general/containerlimits Generating markdown for /tmp/gatekeeper-library/library/general/containerrequests Generating markdown for /tmp/gatekeeper-library/library/general/containerresourceratios Generating markdown for /tmp/gatekeeper-library/library/general/containerresources Generating markdown for /tmp/gatekeeper-library/library/general/disallowanonymous Generating markdown for /tmp/gatekeeper-library/library/general/disallowedrepos Generating markdown for /tmp/gatekeeper-library/library/general/disallowedtags Generating markdown for /tmp/gatekeeper-library/library/general/ephemeralstoragelimit Generating markdown for /tmp/gatekeeper-library/library/general/externalip Generating markdown for /tmp/gatekeeper-library/library/general/horizontalpodautoscaler Generating markdown for /tmp/gatekeeper-library/library/general/httpsonly Generating markdown for /tmp/gatekeeper-library/library/general/imagedigests Generating markdown for /tmp/gatekeeper-library/library/general/noupdateserviceaccount Generating markdown for /tmp/gatekeeper-library/library/general/poddisruptionbudget Generating markdown for /tmp/gatekeeper-library/library/general/replicalimits Generating markdown for /tmp/gatekeeper-library/library/general/requiredannotations Generating markdown for /tmp/gatekeeper-library/library/general/requiredlabels Generating markdown for /tmp/gatekeeper-library/library/general/requiredprobes Generating markdown for /tmp/gatekeeper-library/library/general/storageclass Generating markdown for /tmp/gatekeeper-library/library/general/uniqueingresshost Generating 
markdown for /tmp/gatekeeper-library/library/general/uniqueserviceselector Generating markdown for /tmp/gatekeeper-library/library/general/verifydeprecatedapi Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/allow-privilege-escalation Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/apparmor Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/capabilities Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/flexvolume-drivers Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/forbidden-sysctls Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/fsgroup Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/host-filesystem Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/host-namespaces Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/host-network-ports Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/privileged-containers Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/proc-mount Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/read-only-root-filesystem Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/seccomp Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/selinux Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/users Generating markdown for /tmp/gatekeeper-library/library/pod-security-policy/volumes Generating markdown for /tmp/gatekeeper-library/mutation/pod-security-policy/allow-privilege-escalation Generating markdown for /tmp/gatekeeper-library/mutation/pod-security-policy/capabilities Generating markdown for /tmp/gatekeeper-library/mutation/pod-security-policy/read-only-root-filesystem Generating markdown for /tmp/gatekeeper-library/mutation/pod-security-policy/seccomp 
Generating markdown for /tmp/gatekeeper-library/mutation/pod-security-policy/selinux Generating markdown for /tmp/gatekeeper-library/mutation/pod-security-policy/users Updating README.md Updating PSP README.md Updating sidebar cd /tmp/gatekeeper-library/scripts/artifacthub; go run hub.go Generating artifact hub content for /tmp/gatekeeper-library/library/general/allowedrepos Generating artifact hub content for /tmp/gatekeeper-library/library/general/automount-serviceaccount-token Generating artifact hub content for /tmp/gatekeeper-library/library/general/block-endpoint-edit-default-role Generating artifact hub content for /tmp/gatekeeper-library/library/general/block-loadbalancer-services Generating artifact hub content for /tmp/gatekeeper-library/library/general/block-nodeport-services Generating artifact hub content for /tmp/gatekeeper-library/library/general/block-wildcard-ingress Generating artifact hub content for /tmp/gatekeeper-library/library/general/containerlimits Generating artifact hub content for /tmp/gatekeeper-library/library/general/containerrequests Generating artifact hub content for /tmp/gatekeeper-library/library/general/containerresourceratios Generating artifact hub content for /tmp/gatekeeper-library/library/general/containerresources Generating artifact hub content for /tmp/gatekeeper-library/library/general/disallowanonymous Generating artifact hub content for /tmp/gatekeeper-library/library/general/disallowedrepos Generating artifact hub content for /tmp/gatekeeper-library/library/general/disallowedtags Generating artifact hub content for /tmp/gatekeeper-library/library/general/ephemeralstoragelimit Generating artifact hub content for /tmp/gatekeeper-library/library/general/externalip Generating artifact hub content for /tmp/gatekeeper-library/library/general/horizontalpodautoscaler Generating artifact hub content for /tmp/gatekeeper-library/library/general/httpsonly Generating artifact hub content for 
/tmp/gatekeeper-library/library/general/imagedigests Generating artifact hub content for /tmp/gatekeeper-library/library/general/noupdateserviceaccount Generating artifact hub content for /tmp/gatekeeper-library/library/general/poddisruptionbudget Generating artifact hub content for /tmp/gatekeeper-library/library/general/replicalimits Generating artifact hub content for /tmp/gatekeeper-library/library/general/requiredannotations Generating artifact hub content for /tmp/gatekeeper-library/library/general/requiredlabels Generating artifact hub content for /tmp/gatekeeper-library/library/general/requiredprobes Generating artifact hub content for /tmp/gatekeeper-library/library/general/storageclass Generating artifact hub content for /tmp/gatekeeper-library/library/general/uniqueingresshost Generating artifact hub content for /tmp/gatekeeper-library/library/general/uniqueserviceselector Generating artifact hub content for /tmp/gatekeeper-library/library/general/verifydeprecatedapi Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/allow-privilege-escalation Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/apparmor Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/capabilities Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/flexvolume-drivers Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/forbidden-sysctls Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/fsgroup Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/host-filesystem Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/host-namespaces Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/host-network-ports Generating artifact hub content for 
/tmp/gatekeeper-library/library/pod-security-policy/privileged-containers Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/proc-mount Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/read-only-root-filesystem Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/seccomp Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/selinux Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/users Generating artifact hub content for /tmp/gatekeeper-library/library/pod-security-policy/volumes Signed-off-by: Paul Krizak --- .../example_scale_allowed2.yaml | 8 +++++++ .../general/replicalimits/1.1.0/suite.yaml | 4 ++++ website/docs/validation/replicalimits.md | 22 +++++++++++++++++++ 3 files changed, 34 insertions(+) create mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed2.yaml diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed2.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed2.yaml new file mode 100644 index 000000000..0beba2784 --- /dev/null +++ b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed2.yaml @@ -0,0 +1,8 @@ +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +# kubectl scale deploy --replicas=0 creates a Scale +# resource with an empty spec, not replicas:0 +spec: + replicas: 0 diff --git a/artifacthub/library/general/replicalimits/1.1.0/suite.yaml b/artifacthub/library/general/replicalimits/1.1.0/suite.yaml index 5790e3add..c5a7b480a 100644 --- a/artifacthub/library/general/replicalimits/1.1.0/suite.yaml +++ b/artifacthub/library/general/replicalimits/1.1.0/suite.yaml 
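Review bot: The comment in this new sample says `kubectl scale deploy --replicas=0` produces a Scale with an empty spec, yet the object below still sets `spec: replicas: 0` explicitly, so the case exercises the same path as example_scale_allowed.yaml rather than the missing-field path that `object.get(spec, "replicas", 0)` was introduced for. To cover the behavior the comment describes, drop the key and keep the comment: `spec: {}`, so the default in `object.get` is what makes the case pass. This file is renamed into the 1.0.2 tree later in the series unchanged, and since artifacthub/ is regenerated the fix belongs in the library/ sample it is generated from, which is not visible in this chunk.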
@@ -35,6 +35,10 @@ tests: object: samples/replicalimits_zero/example_scale_allowed.yaml assertions: - violations: no + - name: example-scale-allowed + object: samples/replicalimits_zero/example_scale_allowed2.yaml + assertions: + - violations: no - name: example-disallowed object: samples/replicalimits_zero/example_disallowed.yaml assertions: diff --git a/website/docs/validation/replicalimits.md b/website/docs/validation/replicalimits.md index 343e99059..fe61f354a 100644 --- a/website/docs/validation/replicalimits.md +++ b/website/docs/validation/replicalimits.md @@ -303,6 +303,28 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed.yaml ``` +
+
+example-scale-allowed + +```yaml +apiVersion: autoscaling/v1 +kind: Scale +metadata: + name: allowed-deployment +# kubectl scale deploy --replicas=0 creates a Scale +# resource with an empty spec, not replicas:0 +spec: + replicas: 0 + +``` + +Usage + +```shell +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/replicalimits/samples/replicalimits_zero/example_scale_allowed2.yaml +``` +
example-disallowed From 74c4f9aa8a72f95b754cd125a1e43c1503551ad7 Mon Sep 17 00:00:00 2001 From: Paul Krizak Date: Tue, 19 Dec 2023 19:37:44 -0800 Subject: [PATCH 5/6] Update src/general/replicalimits/constraint.tmpl Co-authored-by: Andrew Peabody Signed-off-by: Paul Krizak --- src/general/replicalimits/constraint.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/general/replicalimits/constraint.tmpl b/src/general/replicalimits/constraint.tmpl index 657a3b528..55a380360 100644 --- a/src/general/replicalimits/constraint.tmpl +++ b/src/general/replicalimits/constraint.tmpl @@ -4,7 +4,7 @@ metadata: name: k8sreplicalimits annotations: metadata.gatekeeper.sh/title: "Replica Limits" - metadata.gatekeeper.sh/version: 1.1.0 + metadata.gatekeeper.sh/version: 1.0.2 description: >- Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. From d1851d27e0282611ef8197d2d670628b5fa00e5c Mon Sep 17 00:00:00 2001 From: Paul Krizak Date: Tue, 19 Dec 2023 19:43:54 -0800 Subject: [PATCH 6/6] Regenerate artifacts for version 1.0.2 
Signed-off-by: Paul Krizak --- .../replicalimits/1.0.2/artifacthub-pkg.yml | 2 +- .../samples/replicalimits/constraint.yaml | 2 + .../replicalimits/example_scale_allowed.yaml | 0 .../example_scale_disallowed.yaml | 0 .../replicalimits_zero/constraint.yaml | 0 .../replicalimits_zero/example_allowed.yaml | 0 .../example_disallowed.yaml | 0 .../example_scale_allowed.yaml | 0 .../example_scale_allowed2.yaml | 0 .../example_scale_disallowed.yaml | 0 .../general/replicalimits/1.0.2/suite.yaml | 32 ++++++++++ .../general/replicalimits/1.0.2/template.yaml | 2 +- .../replicalimits/1.1.0/artifacthub-pkg.yml | 22 ------- .../replicalimits/1.1.0/kustomization.yaml | 2 - .../samples/replicalimits/constraint.yaml | 15 ----- .../replicalimits/example_allowed.yaml | 19 ------ .../example_disallowed.yaml | 19 ------ .../general/replicalimits/1.1.0/suite.yaml | 49 ---------------- .../general/replicalimits/1.1.0/template.yaml | 58 ------------------- 19 files changed, 36 insertions(+), 186 deletions(-) rename artifacthub/library/general/replicalimits/{1.1.0 => 1.0.2}/samples/replicalimits/example_scale_allowed.yaml (100%) rename artifacthub/library/general/replicalimits/{1.1.0 => 1.0.2}/samples/replicalimits/example_scale_disallowed.yaml (100%) rename artifacthub/library/general/replicalimits/{1.1.0 => 1.0.2}/samples/replicalimits_zero/constraint.yaml (100%) rename artifacthub/library/general/replicalimits/{1.1.0 => 1.0.2}/samples/replicalimits_zero/example_allowed.yaml (100%) rename artifacthub/library/general/replicalimits/{1.1.0/samples/replicalimits => 1.0.2/samples/replicalimits_zero}/example_disallowed.yaml (100%) rename artifacthub/library/general/replicalimits/{1.1.0 => 1.0.2}/samples/replicalimits_zero/example_scale_allowed.yaml (100%) rename artifacthub/library/general/replicalimits/{1.1.0 => 1.0.2}/samples/replicalimits_zero/example_scale_allowed2.yaml (100%) rename artifacthub/library/general/replicalimits/{1.1.0 => 
1.0.2}/samples/replicalimits_zero/example_scale_disallowed.yaml (100%) delete mode 100644 artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml delete mode 100644 artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml delete mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml delete mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml delete mode 100644 artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml delete mode 100644 artifacthub/library/general/replicalimits/1.1.0/suite.yaml delete mode 100644 artifacthub/library/general/replicalimits/1.1.0/template.yaml diff --git a/artifacthub/library/general/replicalimits/1.0.2/artifacthub-pkg.yml b/artifacthub/library/general/replicalimits/1.0.2/artifacthub-pkg.yml index 3b46cf798..e951d5230 100644 --- a/artifacthub/library/general/replicalimits/1.0.2/artifacthub-pkg.yml +++ b/artifacthub/library/general/replicalimits/1.0.2/artifacthub-pkg.yml @@ -3,7 +3,7 @@ name: k8sreplicalimits displayName: Replica Limits createdAt: "2023-10-30T21:00:00Z" description: Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. -digest: 858bf59f6c7408f2fb390a181b2f6db5e4d8fbe5eb580aa45b5601d6ae2d4064 +digest: ae243682840ce6d52554ff467a90a953bd010355b0410d82380fb6a34a9cda4a license: Apache-2.0 homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/replicalimits keywords: diff --git a/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits/constraint.yaml b/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits/constraint.yaml index b496235f3..db3488afe 100644 --- a/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits/constraint.yaml +++ b/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits/constraint.yaml 
@@ -7,6 +7,8 @@ spec: kinds: - apiGroups: ["apps"] kinds: ["Deployment"] + - apiGroups: ["autoscaling"] + kinds: ["Scale"] parameters: ranges: - min_replicas: 3 diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml b/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits/example_scale_allowed.yaml similarity index 100% rename from artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_allowed.yaml rename to artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits/example_scale_allowed.yaml diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml b/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits/example_scale_disallowed.yaml similarity index 100% rename from artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_scale_disallowed.yaml rename to artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits/example_scale_disallowed.yaml diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml b/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/constraint.yaml similarity index 100% rename from artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/constraint.yaml rename to artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/constraint.yaml diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml b/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/example_allowed.yaml similarity index 100% rename from artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_allowed.yaml rename to artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/example_allowed.yaml 
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml b/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/example_disallowed.yaml similarity index 100% rename from artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_disallowed.yaml rename to artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/example_disallowed.yaml diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml b/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/example_scale_allowed.yaml similarity index 100% rename from artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed.yaml rename to artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/example_scale_allowed.yaml diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed2.yaml b/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/example_scale_allowed2.yaml similarity index 100% rename from artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_allowed2.yaml rename to artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/example_scale_allowed2.yaml diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml b/artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/example_scale_disallowed.yaml similarity index 100% rename from artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_scale_disallowed.yaml rename to artifacthub/library/general/replicalimits/1.0.2/samples/replicalimits_zero/example_scale_disallowed.yaml 
diff --git a/artifacthub/library/general/replicalimits/1.0.2/suite.yaml b/artifacthub/library/general/replicalimits/1.0.2/suite.yaml index 598efb814..c5a7b480a 100644 --- a/artifacthub/library/general/replicalimits/1.0.2/suite.yaml +++ b/artifacthub/library/general/replicalimits/1.0.2/suite.yaml @@ -11,7 +11,39 @@ tests: object: samples/replicalimits/example_allowed.yaml assertions: - violations: no + - name: example-scale-allowed + object: samples/replicalimits/example_scale_allowed.yaml + assertions: + - violations: no - name: example-disallowed object: samples/replicalimits/example_disallowed.yaml assertions: - violations: yes + - name: example-scale-disallowed + object: samples/replicalimits/example_scale_disallowed.yaml + assertions: + - violations: yes +- name: replica-limit-zero + template: template.yaml + constraint: samples/replicalimits_zero/constraint.yaml + cases: + - name: example-allowed + object: samples/replicalimits_zero/example_allowed.yaml + assertions: + - violations: no + - name: example-scale-allowed + object: samples/replicalimits_zero/example_scale_allowed.yaml + assertions: + - violations: no + - name: example-scale-allowed + object: samples/replicalimits_zero/example_scale_allowed2.yaml + assertions: + - violations: no + - name: example-disallowed + object: samples/replicalimits_zero/example_disallowed.yaml + assertions: + - violations: yes + - name: example-scale-disallowed + object: samples/replicalimits_zero/example_scale_disallowed.yaml + assertions: + - violations: yes diff --git a/artifacthub/library/general/replicalimits/1.0.2/template.yaml b/artifacthub/library/general/replicalimits/1.0.2/template.yaml index 2e44fb2c1..8366de834 100644 --- a/artifacthub/library/general/replicalimits/1.0.2/template.yaml +++ b/artifacthub/library/general/replicalimits/1.0.2/template.yaml 
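Review bot: Two cases under `replica-limit-zero` share the name `example-scale-allowed` (one for `example_scale_allowed.yaml`, one for `example_scale_allowed2.yaml`), so a gator failure report cannot tell them apart; rename the second, e.g. `- name: example-scale-allowed-empty-spec`. The same duplicate was introduced in the 1.1.0 suite earlier in this series and that file is deleted again here, so this copy is the one that survives. Because artifacthub/ is regenerated from library/, the rename presumably also needs to land in library/general/replicalimits/suite.yaml, which this chunk does not show.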
@@ -46,7 +46,7 @@ spec: } input_replica_limit(spec) { - provided := spec.replicas + provided := object.get(spec, "replicas", 0) count(input.parameters.ranges) > 0 range := input.parameters.ranges[_] value_within_range(range, provided) diff --git a/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml b/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml deleted file mode 100644 index 1d7aa86dd..000000000 --- a/artifacthub/library/general/replicalimits/1.1.0/artifacthub-pkg.yml +++ /dev/null @@ -1,22 +0,0 @@ -version: 1.1.0 -name: k8sreplicalimits -displayName: Replica Limits -createdAt: "2023-10-27T22:42:28Z" -description: Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. -digest: 30c15576b26d9b879d5c2486f72478a36e39404510117734cb11f8570a2285a7 -license: Apache-2.0 -homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/replicalimits -keywords: - - gatekeeper - - open-policy-agent - - policies -readme: |- - # Replica Limits - Requires that objects with the field `spec.replicas` (Deployments, ReplicaSets, etc.) specify a number of replicas within defined ranges. -install: |- - ### Usage - ```shell - kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/replicalimits/1.1.0/template.yaml - ``` -provider: - name: Gatekeeper Library diff --git a/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml b/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml deleted file mode 100644 index 7d70d11b7..000000000 --- a/artifacthub/library/general/replicalimits/1.1.0/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: - - template.yaml 
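Review bot: `provided := object.get(spec, "replicas", 0)` changes the failure mode for a missing `spec.replicas`: before, `provided` was undefined, `input_replica_limit` failed and the object was rejected, whereas now it evaluates as 0 and is accepted by any constraint whose ranges include 0, and nothing in the rule records why. A comment on that line would make the intent auditable, e.g. `# Scale omits spec.replicas when it is 0 (omitempty); treat a missing field as 0 instead of rejecting the object`, placed in src/general/replicalimits/src.rego since this template is regenerated from it. Note also that this semantic change is shipped under the already-existing 1.0.2 artifact (its digest in artifacthub-pkg.yml changes in the same commit); if 1.0.2 has already been published, consumers pinning it would silently receive a policy with different accept/reject behavior, and a new version would be the safer vehicle. `input_replica_limit` closes outside the hunk.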
diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml deleted file mode 100644 index db3488afe..000000000 --- a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/constraint.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: constraints.gatekeeper.sh/v1beta1 -kind: K8sReplicaLimits -metadata: - name: replica-limits -spec: - match: - kinds: - - apiGroups: ["apps"] - kinds: ["Deployment"] - - apiGroups: ["autoscaling"] - kinds: ["Scale"] - parameters: - ranges: - - min_replicas: 3 - max_replicas: 50 diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml deleted file mode 100644 index f5a2b1d8c..000000000 --- a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits/example_allowed.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: allowed-deployment -spec: - selector: - matchLabels: - app: nginx - replicas: 3 - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 diff --git a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml b/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml deleted file mode 100644 index 1c4899d20..000000000 --- a/artifacthub/library/general/replicalimits/1.1.0/samples/replicalimits_zero/example_disallowed.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: disallowed-deployment -spec: - selector: - matchLabels: - app: nginx - replicas: 100 - template: - metadata: - labels: - app: nginx - spec: - containers: - - name: nginx - image: nginx:1.14.2 - ports: - - containerPort: 80 
diff --git a/artifacthub/library/general/replicalimits/1.1.0/suite.yaml b/artifacthub/library/general/replicalimits/1.1.0/suite.yaml deleted file mode 100644 index c5a7b480a..000000000 --- a/artifacthub/library/general/replicalimits/1.1.0/suite.yaml +++ /dev/null @@ -1,49 +0,0 @@ -kind: Suite -apiVersion: test.gatekeeper.sh/v1alpha1 -metadata: - name: replicalimits -tests: -- name: replica-limit - template: template.yaml - constraint: samples/replicalimits/constraint.yaml - cases: - - name: example-allowed - object: samples/replicalimits/example_allowed.yaml - assertions: - - violations: no - - name: example-scale-allowed - object: samples/replicalimits/example_scale_allowed.yaml - assertions: - - violations: no - - name: example-disallowed - object: samples/replicalimits/example_disallowed.yaml - assertions: - - violations: yes - - name: example-scale-disallowed - object: samples/replicalimits/example_scale_disallowed.yaml - assertions: - - violations: yes -- name: replica-limit-zero - template: template.yaml - constraint: samples/replicalimits_zero/constraint.yaml - cases: - - name: example-allowed - object: samples/replicalimits_zero/example_allowed.yaml - assertions: - - violations: no - - name: example-scale-allowed - object: samples/replicalimits_zero/example_scale_allowed.yaml - assertions: - - violations: no - - name: example-scale-allowed - object: samples/replicalimits_zero/example_scale_allowed2.yaml - assertions: - - violations: no - - name: example-disallowed - object: samples/replicalimits_zero/example_disallowed.yaml - assertions: - - violations: yes - - name: example-scale-disallowed - object: samples/replicalimits_zero/example_scale_disallowed.yaml - assertions: - - violations: yes diff --git a/artifacthub/library/general/replicalimits/1.1.0/template.yaml b/artifacthub/library/general/replicalimits/1.1.0/template.yaml deleted file mode 100644 index 4fee9e4ea..000000000 
--- a/artifacthub/library/general/replicalimits/1.1.0/template.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1 -kind: ConstraintTemplate -metadata: - name: k8sreplicalimits - annotations: - metadata.gatekeeper.sh/title: "Replica Limits" - metadata.gatekeeper.sh/version: 1.1.0 - description: >- - Requires that objects with the field `spec.replicas` (Deployments, - ReplicaSets, etc.) specify a number of replicas within defined ranges. -spec: - crd: - spec: - names: - kind: K8sReplicaLimits - validation: - # Schema for the `parameters` field - openAPIV3Schema: - type: object - properties: - ranges: - type: array - description: Allowed ranges for numbers of replicas. Values are inclusive. - items: - type: object - description: A range of allowed replicas. Values are inclusive. - properties: - min_replicas: - description: The minimum number of replicas allowed, inclusive. - type: integer - max_replicas: - description: The maximum number of replicas allowed, inclusive. - type: integer - targets: - - target: admission.k8s.gatekeeper.sh - rego: | - package k8sreplicalimits - - object_name = input.review.object.metadata.name - object_kind = input.review.kind.kind - - violation[{"msg": msg}] { - spec := input.review.object.spec - not input_replica_limit(spec) - msg := sprintf("The provided number of replicas is not allowed for %v: %v. Allowed ranges: %v", [object_kind, object_name, input.parameters]) - } - - input_replica_limit(spec) { - provided := object.get(spec, "replicas", 0) - count(input.parameters.ranges) > 0 - range := input.parameters.ranges[_] - value_within_range(range, provided) - } - - value_within_range(range, value) { - range.min_replicas <= value - range.max_replicas >= value - }