Establish /library and /src directory structure

library/general/allowedrepos/constraint.yaml → library/general/allowedrepos/samples/repo-must-be-openpolicyagent/constraint.yaml

@@ -1,14 +1,14 @@
 apiVersion: constraints.gatekeeper.sh/v1beta1
 kind: K8sAllowedRepos
 metadata:
-  name: prod-repo-is-openpolicyagent
+  name: repo-is-openpolicyagent
 spec:
   match:
     kinds:
       - apiGroups: [""]
         kinds: ["Pod"]
     namespaces:
-      - "production"
+      - "default"
   parameters:
     repos:
-      - "only-this-repo"
+      - "openpolicyagent"

library/general/allowedrepos/example.yaml → library/general/allowedrepos/samples/repo-must-be-openpolicyagent/example_allowed.yaml

@@ -1,10 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: opa
-  namespace: production
-  labels:
-    owner: me.agilebank.demo
+  name: opa-allowed
 spec:
   containers:
     - name: opa
@@ -16,4 +13,4 @@ spec:
       resources:
         limits:
           cpu: "100m"
-          memory: "30Mi"
+          memory: "30Mi"

library/general/allowedrepos/samples/repo-must-be-openpolicyagent/example_disallowed.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-disallowed
+spec:
+  containers:
+    - name: nginx
+      image: nginx
+      resources:
+        limits:
+          cpu: "100m"
+          memory: "30Mi"

library/general/block-nodeport-services/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

library/general/block-nodeport-services/example.yaml → library/general/block-nodeport-services/samples/block-node-port/example_disallowed.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: my-service
+  name: my-service-disallowed
 spec:
   type: NodePort
   ports:

library/general/containerlimits/example.yaml → library/general/containerlimits/samples/container-must-have-limits/example_disallowed.yaml

@@ -1,8 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: opa
-  namespace: production
+  name: opa-disallowed
   labels:
     owner: me.agilebank.demo
 spec:

library/general/containerresourceratios/constraint.yaml → library/general/containerresourceratios/samples/container-must-meet-ratio/constraint.yaml

@@ -8,4 +8,4 @@ spec:
       - apiGroups: [""]
         kinds: ["Pod"]
   parameters:
-    ratio: 2
+    ratio: "2"

library/general/containerresourceratios/example.yaml → library/general/containerresourceratios/samples/container-must-meet-ratio/example_disallowed.yaml

@@ -1,8 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: opa
-  namespace: production
+  name: opa-disallowed
   labels:
     owner: me.agilebank.demo
 spec:

library/general/httpsonly/example.yaml → library/general/httpsonly/samples/ingress-https-only/example_disallowed.yaml

@@ -1,7 +1,7 @@
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
-  name: ingress-demo
+  name: ingress-demo-disallowed
 spec:
   rules:
     - host: example-host.example.com

library/general/imagedigests/constraint.yaml → library/general/imagedigests/samples/container-image-must-have-digest/constraint.yaml

@@ -8,4 +8,4 @@ spec:
       - apiGroups: [""]
         kinds: ["Pod"]
     namespaces:
-      - "digest-required"
+      - "default"

library/general/imagedigests/samples/container-image-must-have-digest/example_allowed.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-allowed
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2@sha256:04ff8fce2afd1a3bc26260348e5b290e8d945b1fad4b4c16d22834c2f3a1814a
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"

library/general/imagedigests/samples/container-image-must-have-digest/example_disallowed.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: opa-disallowed
+spec:
+  containers:
+    - name: opa
+      image: openpolicyagent/opa:0.9.2
+      args:
+        - "run"
+        - "--server"
+        - "--addr=localhost:8080"

library/general/kustomization.yaml

@@ -1,8 +1,10 @@
 resources:
   - allowedrepos
+  - block-nodeport-services
   - containerlimits
   - httpsonly
   - imagedigests
   - requiredlabels
+  - requiredprobes
   - uniqueingresshost
   - uniqueserviceselector

library/general/requiredlabels/example.yaml → library/general/requiredlabels/samples/all-must-have-owner/example_disallowed.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: bad-namespace
+  name: disallowed-namespace

library/general/uniqueingresshost/samples/unique-ingress-host/example_disallowed.yaml

@@ -0,0 +1,32 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: ingress-host-example
+spec:
+  rules:
+  - host: example-host.example.com
+    http:
+      paths:
+      - backend:
+          serviceName: nginx
+          servicePort: 80
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: ingress-host-disallowed
+spec:
+  rules:
+  - host: example-host.example.com
+    http:
+      paths:
+      - backend:
+          serviceName: nginx
+          servicePort: 80
+  - host: example-host1.example.com
+    http:
+      paths:
+      - backend:
+          serviceName: nginx2
+          servicePort: 80

library/general/uniqueingresshost/example2.yaml → library/general/uniqueingresshost/samples/unique-ingress-host/example_disallowed2.yaml

@@ -1,7 +1,20 @@
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
-  name: ingress-host2
+  name: ingress-host-example2
+spec:
+  rules:
+  - host: example-host.example.com
+    http:
+      paths:
+      - backend:
+          serviceName: nginx
+          servicePort: 80
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: ingress-host-disallowed2
 spec:
   rules:
   - host: example-host.example.com

library/general/uniqueserviceselector/example.yaml → library/general/uniqueserviceselector/samples/unique-service-selector/example_disallowed.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: gatekeeper-test-service
+  name: gatekeeper-test-service-disallowed
   namespace: gatekeeper-system
 spec:
   ports:

library/pod-security-policy/allow-privilege-escalation/example.yaml → library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/example_allowed.yaml

@@ -1,12 +1,12 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-privilege-escalation
+  name: nginx-privilege-escalation-allowed
   labels:
     app: nginx-privilege-escalation
 spec:
   containers:
   - name: nginx
     image: nginx
     securityContext:
-      allowPrivilegeEscalation: true #false
+      allowPrivilegeEscalation: false

library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/example_disallowed.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-privilege-escalation-disallowed
+  labels:
+    app: nginx-privilege-escalation
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    securityContext:
+      allowPrivilegeEscalation: true

library/pod-security-policy/apparmor/samples/psp-apparmor/example_allowed.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-apparmor-allowed
+  annotations:
+    # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
+  labels:
+    app: nginx-apparmor
+spec:
+  containers:
+  - name: nginx
+    image: nginx

library/pod-security-policy/apparmor/example.yaml → library/pod-security-policy/apparmor/samples/psp-apparmor/example_disallowed.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-apparmor
+  name: nginx-apparmor-disallowed
   annotations:
     # apparmor.security.beta.kubernetes.io/pod: unconfined # runtime/default
-    container.apparmor.security.beta.kubernetes.io/nginx: unconfined # runtime/default
+    container.apparmor.security.beta.kubernetes.io/nginx: unconfined
   labels:
     app: nginx-apparmor
 spec:

library/pod-security-policy/capabilities/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

library/pod-security-policy/capabilities/constraint.yaml → library/pod-security-policy/capabilities/samples/capabilities-demo/constraint.yaml

@@ -8,7 +8,7 @@ spec:
       - apiGroups: [""]
         kinds: ["Pod"]
     namespaces:
-      - "production"
+      - "default"
   parameters:
     allowedCapabilities: ["something"]
     requiredDropCapabilities: ["must_drop"]

library/pod-security-policy/capabilities/example.yaml → library/pod-security-policy/capabilities/samples/capabilities-demo/example_disallowed.yaml

@@ -1,8 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: opa
-  namespace: production
+  name: opa-disallowed
   labels:
     owner: me.agilebank.demo
 spec:

library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/example_allowed.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-flexvolume-driver-allowed
+  labels:
+    app: nginx-flexvolume-driver
+spec:
+  containers:
+  - name: nginx
+    image: nginx
+    volumeMounts:
+    - mountPath: /test
+      name: test-volume
+      readOnly: true
+  volumes:
+  - name: test-volume
+    flexVolume:
+      driver: "example/lvm"

library/pod-security-policy/flexvolume-drivers/example.yaml → library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/example_disallowed.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-flexvolume-driver
+  name: nginx-flexvolume-driver-disallowed
   labels:
     app: nginx-flexvolume-driver
 spec:

library/pod-security-policy/forbidden-sysctls/example.yaml → library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_disallowed.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: nginx-forbidden-sysctls
+  name: nginx-forbidden-sysctls-disallowed
   labels:
     app: nginx-forbidden-sysctls
 spec:

library/pod-security-policy/fsgroup/example.yaml → library/pod-security-policy/fsgroup/samples/psp-fsgroup/example_disallowed.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: fsgroup-demo
+  name: fsgroup-disallowed
 spec:
   securityContext:
     fsGroup: 2000                           # directory will have group ID 2000

library/pod-security-policy/host-filesystem/example.yaml → library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/example_disallowed.yaml

@@ -3,7 +3,7 @@ kind: Pod
 metadata:
   name: nginx-host-filesystem
   labels:
-    app: nginx-host-filesystem
+    app: nginx-host-filesystem-disallowed
 spec:
   containers:
   - name: nginx