diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml index fe6a541..ccd5f37 100644 --- a/charts/kyverno-policies/Chart.yaml +++ b/charts/kyverno-policies/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kyverno-policies description: OSC Kyverno policies deployment type: application -version: 0.26.0 +version: 0.27.0 appVersion: "v1.11.4" maintainers: - name: treydock diff --git a/charts/kyverno-policies/templates/add-annotations.yaml b/charts/kyverno-policies/templates/add-annotations.yaml new file mode 100644 index 0000000..8b5cfa4 --- /dev/null +++ b/charts/kyverno-policies/templates/add-annotations.yaml @@ -0,0 +1,26 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-annotations +spec: + validationFailureAction: Enforce + background: true + rules: + - name: paas-disable-scrape + match: + any: + - resources: + kinds: + - Pod + - Service + namespaceSelector: + matchExpressions: + - key: osc.edu/role + operator: In + values: + - paas + mutate: + patchStrategicMerge: + metadata: + annotations: + prometheus.io/scrape: 'false' diff --git a/charts/kyverno-policies/templates/add-role.yaml b/charts/kyverno-policies/templates/add-role.yaml index f67110d..c1a2465 100644 --- a/charts/kyverno-policies/templates/add-role.yaml +++ b/charts/kyverno-policies/templates/add-role.yaml @@ -12,6 +12,8 @@ spec: - resources: kinds: - Pod + - Service + - Ingress namespaceSelector: matchExpressions: - key: osc.edu/role @@ -22,4 +24,4 @@ spec: patchStrategicMerge: metadata: labels: - role: paas + osc.edu/role: paas diff --git a/charts/kyverno-policies/templates/pod-role-validation.yaml b/charts/kyverno-policies/templates/role-validation.yaml similarity index 83% rename from charts/kyverno-policies/templates/pod-role-validation.yaml rename to charts/kyverno-policies/templates/role-validation.yaml index 03b44c7..e6903c2 100644 --- a/charts/kyverno-policies/templates/pod-role-validation.yaml 
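Review bot: The `paas-disable-scrape` mutate rule in add-annotations.yaml sets `prometheus.io/scrape: 'false'` only at admission, so Pods and Services that already exist in `osc.edu/role=paas` namespaces keep whatever annotation they carry until they are next created or updated; as far as I recall Kyverno 1.11 semantics, `background: true` does not make a plain mutate rule rewrite existing objects (that needs a mutate-existing `targets` block), which is worth confirming. Because the same commit removes the scrape-side `role=paas` drop from the Prometheus config, a pre-existing paas Pod annotated `prometheus.io/scrape: 'true'` becomes scrapeable until it is touched. Either add a mutate-existing rule or document the migration in the chart, e.g. `# NOTE: existing paas Pods/Services must be re-applied (or a mutateExisting rule added) before this annotation takes effect`. Separately, `validationFailureAction: Enforce` has no effect on a policy that contains only mutate rules and can be dropped.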
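Review bot: The add-role rule now matches `Service` and `Ingress` as well as `Pod`, but the only add-role test change in this diff is the label-key rename in `test-paas-mutated.yaml`, so the new kinds are not exercised (add-role's `kyverno-test.yaml` is not in the diff, so I may be missing it). Mirroring the role-validation fixtures, add a `test-paas-service` and `test-paas-ingress` resource in the `paas` namespace plus their `*-mutated.yaml` expectations carrying `osc.edu/role: paas`, so a regression that drops a kind from `match.any[].resources.kinds` is caught by `kyverno test`.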
+++ b/charts/kyverno-policies/templates/role-validation.yaml @@ -1,7 +1,7 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: pod-role-validation + name: role-validation spec: background: false validationFailureAction: Enforce @@ -12,6 +12,8 @@ spec: - resources: kinds: - Pod + - Service + - Ingress namespaceSelector: matchExpressions: - key: osc.edu/role @@ -23,4 +25,4 @@ spec: pattern: metadata: labels: - role: "paas" + osc.edu/role: "paas" diff --git a/charts/prometheus/Chart.yaml b/charts/prometheus/Chart.yaml index 479a7d8..52648ec 100644 --- a/charts/prometheus/Chart.yaml +++ b/charts/prometheus/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: prometheus description: OSC Prometheus deployment type: application -version: 0.18.3 +version: 0.18.4 appVersion: "v2.44.0" maintainers: - name: treydock diff --git a/charts/prometheus/templates/config.yaml b/charts/prometheus/templates/config.yaml index e70a5c8..4330fa0 100644 --- a/charts/prometheus/templates/config.yaml +++ b/charts/prometheus/templates/config.yaml @@ -153,9 +153,6 @@ data: - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_match_metrics,__meta_kubernetes_service_port_name] action: drop regex: 'true;.*[^metrics].*' - - source_labels: [__meta_kubernetes_service_label_role] - regex: 'paas' - action: drop - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] action: replace target_label: __metrics_path__ @@ -190,9 +187,6 @@ data: kubernetes_sd_configs: - role: pod relabel_configs: - - source_labels: [__meta_kubernetes_pod_label_role] - action: drop - regex: 'paas' - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] action: keep regex: 'true' @@ -280,6 +274,9 @@ data: kubernetes_sd_configs: - role: ingress relabel_configs: + - source_labels: [__meta_kubernetes_ingress_annotation_prometheus_io_probe_skip] + action: drop + regex: 'true' - source_labels: [__meta_kubernetes_ingress_scheme] action: keep regex: https 
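Review bot: The `paas-require-role` pattern now demands `osc.edu/role: "paas"`, and with `background: false` (context line in this hunk) resources created before this change that carry the legacy `role: paas` label are neither rewritten nor reported, so the label rename silently leaves a population of unlabelled-by-the-new-key objects. If a transition window is needed, switch `pattern` to `anyPattern` that accepts both `osc.edu/role: "paas"` and the legacy `role: "paas"` until a one-off relabel has been run, or set `background: true` temporarily so the policy report surfaces the stragglers. A comment such as `# label key changed from role -> osc.edu/role in chart 0.27.0; legacy-labelled objects must be relabelled` above the rule would help whoever operates the cluster.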
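Review bot: Removing the unconditional `drop` on the paas label from the `role: pod` relabel_configs (and its Service counterpart in the earlier hunk) makes exclusion of paas workloads depend entirely on the Kyverno admission webhook having stamped `prometheus.io/scrape: 'false'`; the remaining `keep` on `prometheus_io_scrape` = `'true'` in this hunk means a paas Pod that was admitted while the webhook was unavailable (or that predates the policy) and sets the annotation itself will be scraped. The old relabel rule was a scrape-side control that held regardless of webhook health, and it is cheap to keep as defence in depth under the new label key: `- source_labels: [__meta_kubernetes_pod_label_osc_edu_role]` / `action: drop` / `regex: 'paas'`, with the same change using `__meta_kubernetes_service_label_osc_edu_role` in the service job.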
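Review bot: The new `prometheus_io_probe_skip` drop in the `role: ingress` job is an opt-out, and nothing in this diff sets that annotation for paas resources — the add-annotations policy matches only `Pod` and `Service` — while add-role now labels paas `Ingress` objects, so paas ingress hosts stay probed unless each tenant opts out. If paas is meant to be excluded from probing as it is from scraping, either extend the Kyverno rule to `Ingress` with the skip annotation or add a label-based guard next to the new rule: `- source_labels: [__meta_kubernetes_ingress_label_osc_edu_role]` / `action: drop` / `regex: 'paas'`. Also document the exact annotation key tenants should use, since Prometheus sanitises both `prometheus.io/probe_skip` and `prometheus.io/probe-skip` to the same meta label; a comment like `# opt-out: annotate the Ingress with prometheus.io/probe_skip: "true"` avoids guesswork.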
@@ -321,11 +318,11 @@ data: target_label: receiver - regex: "label_receiver" action: labeldrop - - source_labels: [label_role] + - source_labels: [label_osc_edu_role] regex: '(.+)' replacement: '$1' - target_label: role - - regex: "label_role" + target_label: osc_edu_role + - regex: "label_osc_edu_role" action: labeldrop - job_name: kube-state-metrics-telemetry metrics_path: /metrics diff --git a/tests/kyverno-policies/add-annotations/kyverno-test.yaml b/tests/kyverno-policies/add-annotations/kyverno-test.yaml new file mode 100644 index 0000000..d431302 --- /dev/null +++ b/tests/kyverno-policies/add-annotations/kyverno-test.yaml @@ -0,0 +1,29 @@ +--- +name: add-annotations +policies: + - policy.yaml +resources: + - resources.yaml +variables: variables.yaml +results: + - policy: add-annotations + rule: paas-disable-scrape + resources: + - test-paas-pod + patchedResource: test-paas-pod-mutated.yaml + kind: Pod + result: pass + - policy: add-annotations + rule: paas-disable-scrape + resources: + - test-paas-service + patchedResource: test-paas-service-mutated.yaml + kind: Service + result: pass + - policy: add-annotations + rule: paas-disable-scrape + resources: + - test-skip + - test-skip-webservice + kind: Pod + result: skip diff --git a/tests/kyverno-policies/add-annotations/resources.yaml b/tests/kyverno-policies/add-annotations/resources.yaml new file mode 100644 index 0000000..f99cc0a --- /dev/null +++ b/tests/kyverno-policies/add-annotations/resources.yaml 
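Review bot: The add-annotations test only asserts the mutation on objects that have no annotation to begin with, and the `skip` case covers Pods only, so the two behaviours that matter for security are unverified: that a tenant-supplied `prometheus.io/scrape: 'true'` is overwritten with `'false'`, and that a `Service` outside a paas namespace is left untouched. Add a `test-paas-pod-scrape-true` fixture in namespace `paas` with `annotations: {prometheus.io/scrape: 'true'}` and a matching `*-mutated.yaml` expecting `'false'`, and a `test-skip-service` in `user-test` with `kind: Service` and `result: skip`.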
@@ -0,0 +1,45 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-pod + namespace: paas +spec: + containers: + - name: nginx + image: nginx:latest +--- +apiVersion: v1 +kind: Service +metadata: + name: test-paas-service + namespace: paas +spec: + ports: + - name: test + port: 8080 + protocol: TCP + targetPort: http + selector: + app: test + type: ClusterIP +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-skip + namespace: user-test +spec: + containers: + - name: nginx + image: nginx:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-skip-webservice + namespace: webservice +spec: + containers: + - name: nginx + image: nginx:latest diff --git a/tests/kyverno-policies/add-annotations/test-paas-pod-mutated.yaml b/tests/kyverno-policies/add-annotations/test-paas-pod-mutated.yaml new file mode 100644 index 0000000..81a7840 --- /dev/null +++ b/tests/kyverno-policies/add-annotations/test-paas-pod-mutated.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-paas-pod + namespace: paas + annotations: + prometheus.io/scrape: 'false' +spec: + containers: + - name: nginx + image: nginx:latest diff --git a/tests/kyverno-policies/add-annotations/test-paas-service-mutated.yaml b/tests/kyverno-policies/add-annotations/test-paas-service-mutated.yaml new file mode 100644 index 0000000..8dbba61 --- /dev/null +++ b/tests/kyverno-policies/add-annotations/test-paas-service-mutated.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: test-paas-service + namespace: paas + annotations: + prometheus.io/scrape: 'false' +spec: + ports: + - name: test + port: 8080 + protocol: TCP + targetPort: http + selector: + app: test + type: ClusterIP diff --git a/tests/kyverno-policies/pod-role-validation/variables.yaml b/tests/kyverno-policies/add-annotations/variables.yaml similarity index 100% rename from tests/kyverno-policies/pod-role-validation/variables.yaml rename to tests/kyverno-policies/add-annotations/variables.yaml 
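Review bot: The new fixtures use `image: nginx:latest` while the sibling test fixtures in this same diff (pod-role-validation / role-validation) pin `nginx:1.12`; these objects are only fed to `kyverno test` and never scheduled, so this is a consistency point rather than a risk, but pinning keeps the fixtures uniform and avoids a future image-tag policy in this chart tripping over its own tests. Suggest `image: nginx:1.12` in all four Pods here and in the two `*-mutated.yaml` expectations.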
diff --git a/tests/kyverno-policies/add-role/test-paas-mutated.yaml b/tests/kyverno-policies/add-role/test-paas-mutated.yaml index bfc545c..1b866e7 100644 --- a/tests/kyverno-policies/add-role/test-paas-mutated.yaml +++ b/tests/kyverno-policies/add-role/test-paas-mutated.yaml @@ -5,7 +5,7 @@ metadata: name: test-paas namespace: paas labels: - role: paas + osc.edu/role: paas spec: containers: - name: nginx diff --git a/tests/kyverno-policies/pod-role-validation/kyverno-test.yaml b/tests/kyverno-policies/pod-role-validation/kyverno-test.yaml deleted file mode 100644 index 5000041..0000000 --- a/tests/kyverno-policies/pod-role-validation/kyverno-test.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -name: pod-role-validation -policies: - - policy.yaml -resources: - - resources.yaml -variables: variables.yaml -results: - - policy: pod-role-validation - rule: paas-require-role - resources: - - test-skip - - test-skip-webservice - kind: Pod - result: skip - - policy: pod-role-validation - rule: paas-require-role - resources: - - test-pass - kind: Pod - namespace: user-test - result: pass - - policy: pod-role-validation - rule: paas-require-role - resources: - - test-fail - kind: Pod - namespace: user-test - result: fail diff --git a/tests/kyverno-policies/pod-role-validation/resources.yaml b/tests/kyverno-policies/pod-role-validation/resources.yaml deleted file mode 100644 index 05a109b..0000000 --- a/tests/kyverno-policies/pod-role-validation/resources.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: test-skip - namespace: user-test -spec: - containers: - - name: nginx - image: nginx:1.12 ---- -apiVersion: v1 -kind: Pod -metadata: - name: test-skip-webservice - namespace: webservice -spec: - containers: - - name: nginx - image: nginx:1.12 ---- -apiVersion: v1 -kind: Pod -metadata: - name: test-pass - namespace: paas - labels: - role: paas -spec: - containers: - - name: nginx - image: nginx:1.12 ---- -apiVersion: v1 -kind: Pod -metadata: - name: test-fail - namespace: paas - labels: - role: test -spec: - containers: - - name: nginx - image: nginx:1.12 diff --git a/tests/kyverno-policies/role-validation/kyverno-test.yaml b/tests/kyverno-policies/role-validation/kyverno-test.yaml new file mode 100644 index 0000000..c84be9f --- /dev/null +++ b/tests/kyverno-policies/role-validation/kyverno-test.yaml @@ -0,0 +1,51 @@ +--- +name: role-validation +policies: + - policy.yaml +resources: + - resources.yaml +variables: variables.yaml +results: + - policy: role-validation + rule: paas-require-role + resources: + - test-skip + - test-skip-webservice + kind: Pod + result: skip + - policy: role-validation + rule: paas-require-role + resources: + - test-pass-pod + kind: Pod + result: pass + - policy: role-validation + rule: paas-require-role + resources: + - test-pass-service + kind: Service + result: pass + - policy: role-validation + rule: paas-require-role + resources: + - test-pass-ingress + kind: Ingress + result: pass + - policy: role-validation + rule: paas-require-role + resources: + - test-fail-pod + kind: Pod + result: fail + - policy: role-validation + rule: paas-require-role + resources: + - test-fail-service + kind: Service + result: fail + - policy: role-validation + rule: paas-require-role + resources: + - test-fail-ingress + kind: Ingress + result: fail 
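Review bot: The `skip` result in the new role-validation test lists only the two Pods, so the namespace selector is never shown to skip a `Service` or `Ingress` outside a paas namespace even though those kinds were just added to the rule. Add `test-skip-service` (namespace `user-test`, `kind: Service`) and `test-skip-ingress` (namespace `webservice`, `kind: Ingress`) entries with `result: skip` so a broadened or mis-typed `namespaceSelector` is caught for every matched kind, not just Pods.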
diff --git a/tests/kyverno-policies/role-validation/resources.yaml b/tests/kyverno-policies/role-validation/resources.yaml new file mode 100644 index 0000000..26411a3 --- /dev/null +++ b/tests/kyverno-policies/role-validation/resources.yaml 
@@ -0,0 +1,133 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-skip + namespace: user-test +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-skip-webservice + namespace: webservice +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-pass-pod + namespace: paas + labels: + osc.edu/role: paas +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Service +metadata: + name: test-pass-service + namespace: paas + labels: + osc.edu/role: paas +spec: + ports: + - name: test + port: 8080 + protocol: TCP + targetPort: http + selector: + app: test + type: ClusterIP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: test-pass-ingress + namespace: paas + annotations: + kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: letsencrypt + nginx.ingress.kubernetes.io/server-alias: test + labels: + app: web + osc.edu/role: paas +spec: + rules: + - host: test + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: + number: 8080 + tls: + - hosts: + - test.example.com + secretName: test +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-fail-pod + namespace: paas + labels: + osc.edu/role: test +spec: + containers: + - name: nginx + image: nginx:1.12 +--- +apiVersion: v1 +kind: Service +metadata: + name: test-fail-service + namespace: paas +spec: + ports: + - name: test + port: 8080 + protocol: TCP + targetPort: http + selector: + app: test + type: ClusterIP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: test-fail-ingress + namespace: paas + annotations: + kubernetes.io/ingress.class: nginx + cert-manager.io/cluster-issuer: letsencrypt + nginx.ingress.kubernetes.io/server-alias: test + labels: + app: web +spec: + rules: + - host: test + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: web + port: 
+ number: 8080 + tls: + - hosts: + - test.example.com + secretName: test diff --git a/tests/kyverno-policies/role-validation/variables.yaml b/tests/kyverno-policies/role-validation/variables.yaml new file mode 100644 index 0000000..7b02968 --- /dev/null +++ b/tests/kyverno-policies/role-validation/variables.yaml @@ -0,0 +1,12 @@ +namespaceSelector: + - name: user-test + labels: + foo: bar + - name: webservice + labels: + osc.edu/role: webservice + - name: paas + labels: + osc.edu/role: paas + osc.edu/service-account: test + account: test
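Review bot: The two Ingress fixtures declare `rules[].host: test` but `tls[].hosts: [test.example.com]`, so the TLS block does not cover the host being served; kyverno test does not care, but a fixture that would not obtain a valid certificate in a real cluster is a confusing template for anyone copying it. They also use the deprecated `kubernetes.io/ingress.class` annotation rather than `spec.ingressClassName` — fine if the cluster's controller still honours the annotation, which I cannot tell from here. Suggest aligning the hosts (`- host: test.example.com`) and, if the controller supports it, `spec.ingressClassName: nginx`.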