Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add ability to restrict required-probes constraint to containers in pods selected by a service #273

Closed
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
version: 1.1.0
name: k8srequiredprobes
displayName: Required Probes
createdAt: "2023-06-30T04:22:54Z"
description: Requires Pods to have readiness and/or liveness probes.
digest: 6d2764a5d1d398ab02d5aaf92a49393c10c951d55ebdf7d172a1f2941b490005
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/requiredprobes
keywords:
- gatekeeper
- open-policy-agent
- policies
readme: |-
# Required Probes
Requires Pods to have readiness and/or liveness probes.
install: |-
### Usage
```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/requiredprobes/1.1.0/template.yaml
```
provider:
name: Gatekeeper Library
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
resources:
- template.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: must-have-probes-on-service
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
onlyServices: true
probes: ["readinessProbe", "livenessProbe"]
probeTypes: ["tcpSocket", "httpGet", "exec"]
customViolationMessage: "See https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes for more info."
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: allowed-pod-with-service
namespace: default
labels:
app.kubernetes.io/name: tomcat
spec:
containers:
- name: tomcat
image: tomcat
ports:
- containerPort: 8080
name: tomcat-http
livenessProbe:
tcpSocket:
port: 80
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
volumes:
- name: cache-volume
emptyDir: {}
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: allowed-pod-without-service
namespace: default
labels:
app.kubernetes.io/name: tomcat-no-svc
second-label: "example"
spec:
containers:
- name: tomcat
image: tomcat
ports:
- containerPort: 8080
volumes:
- name: cache-volume
emptyDir: {}
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
apiVersion: v1
kind: Pod
metadata:
name: disallowed-pod-with-service
namespace: default
labels:
app.kubernetes.io/name: tomcat
second-label: "example"
spec:
containers:
- name: nginx-1
image: nginx:1.7.9
ports:
- containerPort: 80
livenessProbe:
# tcpSocket:
# port: 80
# initialDelaySeconds: 5
# periodSeconds: 10
ctrought marked this conversation as resolved.
Show resolved Hide resolved
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- name: tomcat
image: tomcat
ports:
- containerPort: 8080
name: tomcat-http
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
volumes:
- name: cache-volume
emptyDir: {}
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: tomcat-service
namespace: default
spec:
selector:
app.kubernetes.io/name: tomcat
ports:
- name: name-of-service-port
protocol: TCP
port: 80
targetPort: tomcat-http
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredProbes
metadata:
name: must-have-probes
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
onlyServices: false
probes: ["readinessProbe", "livenessProbe"]
probeTypes: ["tcpSocket", "httpGet", "exec"]
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- name: tomcat
image: tomcat
ports:
- containerPort: 8080
livenessProbe:
tcpSocket:
port: 80
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
volumes:
- name: cache-volume
emptyDir: {}
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: test-pod1
spec:
containers:
- name: nginx-1
image: nginx:1.7.9
ports:
- containerPort: 80
livenessProbe:
# tcpSocket:
# port: 80
# initialDelaySeconds: 5
# periodSeconds: 10
ctrought marked this conversation as resolved.
Show resolved Hide resolved
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- name: tomcat
image: tomcat
ports:
- containerPort: 8080
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
volumes:
- name: cache-volume
emptyDir: {}
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
apiVersion: v1
kind: Pod
metadata:
name: test-pod2
spec:
containers:
- name: nginx-1
image: nginx:1.7.9
ports:
- containerPort: 80
readinessProbe:
# httpGet:
# path: /
# port: 80
# initialDelaySeconds: 5
# periodSeconds: 10
livenessProbe:
tcpSocket:
port: 80
initialDelaySeconds: 5
periodSeconds: 10
volumeMounts:
- mountPath: /tmp/cache
name: cache-volume
- name: tomcat
image: tomcat
ports:
- containerPort: 8080
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
# livenessProbe:
# tcpSocket:
# port: 8080
# initialDelaySeconds: 5
# periodSeconds: 10
volumes:
- name: cache-volume
emptyDir: {}
43 changes: 43 additions & 0 deletions artifacthub/library/general/requiredprobes/1.1.0/suite.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
name: requiredprobes
tests:
- name: required-probes
template: template.yaml
constraint: samples/must-have-probes/constraint.yaml
cases:
- name: example-allowed
object: samples/must-have-probes/example_allowed.yaml
assertions:
- violations: no
- name: example-disallowed
object: samples/must-have-probes/example_disallowed.yaml
assertions:
- violations: yes
- name: example-disallowed2
object: samples/must-have-probes/example_disallowed2.yaml
assertions:
- violations: yes
- name: required-probes-only-services
template: template.yaml
constraint: samples/must-have-probes-on-service/constraint.yaml
cases:
- name: example-allowed-without-service
object: samples/must-have-probes-on-service/example_allowed_without_service.yaml
inventory:
- samples/must-have-probes-on-service/example_inventory.yaml
assertions:
- violations: no
- name: example-allowed-with-service
object: samples/must-have-probes-on-service/example_allowed_with_service.yaml
inventory:
- samples/must-have-probes-on-service/example_inventory.yaml
assertions:
- violations: no
- name: example-disallowed-with-service
object: samples/must-have-probes-on-service/example_disallowed_with_service.yaml
inventory:
- samples/must-have-probes-on-service/example_inventory.yaml
assertions:
- violations: yes
11 changes: 11 additions & 0 deletions artifacthub/library/general/requiredprobes/1.1.0/sync.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
name: config
namespace: "gatekeeper-system"
spec:
sync:
syncOnly:
- group: ""
version: "v1"
kind: "Service"
Loading