From c547e0e34bbf1c1ac8fe4ff2966688be30e08ddd Mon Sep 17 00:00:00 2001
From: anuddeeph1
Date: Fri, 19 Jul 2024 22:14:38 +0530
Subject: [PATCH 1/5] added policy to check HPA
Signed-off-by: anuddeeph1
---
 .../chainsaw-step-01-assert-1.yaml | 6 +++
 .../.chainsaw-test/chainsaw-test.yaml | 32 +++++++++++++++
 .../deployment-with-hpa-good.yaml | 29 ++++++++++++++
 .../deployment-without-hpa-bad.yaml | 28 +++++++++++++
 .../check-hpa-exists/.chainsaw-test/hpa.yaml | 11 +++++
 other/check-hpa-exists/.chainsaw.yaml | 17 ++++++++
 other/check-hpa-exists/artifacthub-pkg.yml | 22 ++++++++++
 other/check-hpa-exists/check-hpa-exists.yaml | 40 +++++++++++++++++++
 8 files changed, 185 insertions(+)
 create mode 100755 other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml
 create mode 100755 other/check-hpa-exists/.chainsaw-test/chainsaw-test.yaml
 create mode 100644 other/check-hpa-exists/.chainsaw-test/deployment-with-hpa-good.yaml
 create mode 100644 other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml
 create mode 100644 other/check-hpa-exists/.chainsaw-test/hpa.yaml
 create mode 100644 other/check-hpa-exists/.chainsaw.yaml
 create mode 100644 other/check-hpa-exists/artifacthub-pkg.yml
 create mode 100644 other/check-hpa-exists/check-hpa-exists.yaml
diff --git a/other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..c7e2ac55c
--- /dev/null
+++ b/other/check-hpa-exists/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-hpa-exists
+status:
+ ready: true
diff --git a/other/check-hpa-exists/.chainsaw-test/chainsaw-test.yaml b/other/check-hpa-exists/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..598d6c7a8
--- /dev/null
+++ b/other/check-hpa-exists/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: check-hpa-exists
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../check-hpa-exists.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: check-hpa-exists
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: hpa.yaml
+ - apply:
+ file: deployment-with-hpa-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: deployment-without-hpa-bad.yaml
diff --git a/other/check-hpa-exists/.chainsaw-test/deployment-with-hpa-good.yaml b/other/check-hpa-exists/.chainsaw-test/deployment-with-hpa-good.yaml
new file mode 100644
index 000000000..aba909034
--- /dev/null
+++ b/other/check-hpa-exists/.chainsaw-test/deployment-with-hpa-good.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-uses-hpa
+ labels:
+ app: httpd-app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: httpd-app
+ template:
+ metadata:
+ labels:
+ app: httpd-app
+ spec:
+ containers:
+ - name: httpd-container
+ image: httpd:latest
+ ports:
+ - containerPort: 80
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "12Mi"
+ limits:
+ cpu: "25m"
+ memory: "25Mi"
diff --git a/other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml b/other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml
new file mode 100644
index 000000000..a9ef9299d
--- /dev/null
+++ b/other/check-hpa-exists/.chainsaw-test/deployment-without-hpa-bad.yaml
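Review bot: chainsaw-test.yaml is added as an executable (`new file mode 100755` in its file header, and likewise chainsaw-step-01-assert-1.yaml just above) while every other fixture in this commit is 100644; these are data files, so the executable bit should be dropped for consistency. The order inside step-02 is load-bearing: hpa.yaml is applied before deployment-with-hpa-good.yaml because the policy denies any Deployment whose name is not yet a `scaleTargetRef.name` of an HPA in the namespace, and nothing in the file says so. A comment above the step, `# the HPA must exist before the Deployment it targets, otherwise the policy denies the Deployment`, would keep a future reorder from turning the good case into a failure.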
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-without-hpa
+ labels:
+ app: app-without-hpa
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app-without-hpa
+ template:
+ metadata:
+ labels:
+ app: app-without-hpa
+ spec:
+ containers:
+ - name: nginx-container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "12Mi"
+ limits:
+ cpu: "25m"
+ memory: "25Mi"
diff --git a/other/check-hpa-exists/.chainsaw-test/hpa.yaml b/other/check-hpa-exists/.chainsaw-test/hpa.yaml
new file mode 100644
index 000000000..29cfff2b5
--- /dev/null
+++ b/other/check-hpa-exists/.chainsaw-test/hpa.yaml
@@ -0,0 +1,11 @@
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: httpd-deployment
+spec:
+ maxReplicas: 3
+ minReplicas: 1
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: deployment-uses-hpa
diff --git a/other/check-hpa-exists/.chainsaw.yaml b/other/check-hpa-exists/.chainsaw.yaml
new file mode 100644
index 000000000..d1db10123
--- /dev/null
+++ b/other/check-hpa-exists/.chainsaw.yaml
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+ creationTimestamp: null
+ name: configuration
+spec:
+ parallel: 1
+ timeouts:
+ apply: 1m30s
+ assert: 1m30s
+ cleanup: 1m30s
+ delete: 1m30s
+ error: 1m30s
+ exec: 1m30s
+ fullName: true
+ forceTerminationGracePeriod: 5s
+ delayBeforeCleanup: 3s
diff --git a/other/check-hpa-exists/artifacthub-pkg.yml b/other/check-hpa-exists/artifacthub-pkg.yml
new file mode 100644
index 000000000..ea9e5d56d
--- /dev/null
+++ b/other/check-hpa-exists/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: check-hpa-exists
+version: 1.0.0
+displayName: Ensure HPA for Deployments
+createdAt: "2024-07-19T13:02:58Z"
+description: >-
+ This policy ensures that Deployments are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the Deployment and denies the creation or update of the Deployment if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-hpa-exists/check-hpa-exists.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ This policy ensures that Deployments are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the Deployment and denies the creation or update of the Deployment if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.28"
+ kyverno/subject: "Deployment"
+digest: e70332ef27c8bb6ac9679df55f690a72de54fe030011f7f08eebcd48c0bb298b
diff --git a/other/check-hpa-exists/check-hpa-exists.yaml b/other/check-hpa-exists/check-hpa-exists.yaml
new file mode 100644
index 000000000..dc5e2690b
--- /dev/null
+++ b/other/check-hpa-exists/check-hpa-exists.yaml
@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-hpa-exists
+ annotations:
+ policies.kyverno.io/title: Ensure HPA for Deployments
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.11.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.28"
+ policies.kyverno.io/subject: Deployment
+ policies.kyverno.io/description: >-
+ This policy ensures that Deployments are only allowed if they have a corresponding
+ Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks
+ for the presence of an HPA that targets the Deployment and denies the creation or update
+ of the Deployment if no such HPA exists. This policy helps enforce scaling practices
+ and ensures that resources are managed efficiently.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-hpa
+ match:
+ resources:
+ kinds:
+ - Deployment
+ context:
+ - name: hpas
+ apiCall:
+ urlPath: "/apis/autoscaling/v1/namespaces/{{ request.namespace }}/horizontalpodautoscalers"
+ jmesPath: "items[].spec.scaleTargetRef.name"
+ validate:
+ message: "Deployment is not allowed without a corresponding HPA."
+ deny:
+ conditions:
+ all:
+ - key: "{{ request.object.metadata.name }}"
+ operator: NotIn
+ value: "{{ hpas }}"
From c5f440288beee827e7648b70587d052da2889d5d Mon Sep 17 00:00:00 2001
From: anuddeeph1
Date: Mon, 22 Jul 2024 18:17:10 +0530
Subject: [PATCH 2/5] deleted .chainsaw.yaml
Signed-off-by: anuddeeph1
---
 other/check-hpa-exists/.chainsaw.yaml | 17 -----------------
 1 file changed, 17 deletions(-)
 delete mode 100644 other/check-hpa-exists/.chainsaw.yaml
diff --git a/other/check-hpa-exists/.chainsaw.yaml b/other/check-hpa-exists/.chainsaw.yaml
deleted file mode 100644
index d1db10123..000000000
--- a/other/check-hpa-exists/.chainsaw.yaml
+++ /dev/null
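Review bot: The deny condition on the last three lines compares `request.object.metadata.name` only against `items[].spec.scaleTargetRef.name`, so any HPA in the namespace whose target merely shares the Deployment's name, whatever its `scaleTargetRef.kind` or `apiVersion`, satisfies the rule; that is weaker than the description's "an HPA that targets the Deployment", and the gap widens once the later commit in this series extends the match to ReplicaSet, StatefulSet and DaemonSet. Filtering the list by target kind keeps the rest of the rule unchanged: `jmesPath: "items[?spec.scaleTargetRef.kind=='{{ request.object.kind }}'].spec.scaleTargetRef.name"`, relying on Kyverno substituting variables inside context `jmesPath` expressions (worth confirming against the pinned 1.11 version before merging). The `apiCall` entry would also benefit from a one-line comment explaining why `autoscaling/v1` is queried, e.g. `# autoscaling/v1 serves HPAs created through any autoscaling version; scaleTargetRef is common to all of them`, so the next reader does not "upgrade" the path to v2 and wonder whether v1-created objects are missed.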
@@ -1,17 +0,0 @@
-apiVersion: chainsaw.kyverno.io/v1alpha1
-kind: Configuration
-metadata:
- creationTimestamp: null
- name: configuration
-spec:
- parallel: 1
- timeouts:
- apply: 1m30s
- assert: 1m30s
- cleanup: 1m30s
- delete: 1m30s
- error: 1m30s
- exec: 1m30s
- fullName: true
- forceTerminationGracePeriod: 5s
- delayBeforeCleanup: 3s
From f6d703694d711f6016418e996aee0e6887a00629 Mon Sep 17 00:00:00 2001
From: anuddeeph1
Date: Mon, 22 Jul 2024 19:24:55 +0530
Subject: [PATCH 3/5] modified changes in policies
Signed-off-by: anuddeeph1
---
 other/check-hpa-exists/artifacthub-pkg.yml | 7 +++----
 other/check-hpa-exists/check-hpa-exists.yaml | 20 ++++++++++++--------
 2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/other/check-hpa-exists/artifacthub-pkg.yml b/other/check-hpa-exists/artifacthub-pkg.yml
index ea9e5d56d..aa2bfc108 100644
--- a/other/check-hpa-exists/artifacthub-pkg.yml
+++ b/other/check-hpa-exists/artifacthub-pkg.yml
@@ -3,7 +3,7 @@ version: 1.0.0 displayName: Ensure HPA for Deployments createdAt: "2024-07-19T13:02:58Z" description: >- - This policy ensures that Deployments are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the Deployment and denies the creation or update of the Deployment if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently. + This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the resource and denies the creation or update of the resource if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently. install: |- ```shell kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-hpa-exists/check-hpa-exists.yaml 
@@ -12,11 +12,10 @@ keywords: - kyverno - Other readme: | - This policy ensures that Deployments are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the Deployment and denies the creation or update of the Deployment if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently. - + This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the resource and denies the creation or update of the resource if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.28" kyverno/subject: "Deployment" -digest: e70332ef27c8bb6ac9679df55f690a72de54fe030011f7f08eebcd48c0bb298b +digest: 2827afa34284ab3e998e8181dd82dae9d02bd73447e62f87bb4d2d303b983f10 diff --git a/other/check-hpa-exists/check-hpa-exists.yaml b/other/check-hpa-exists/check-hpa-exists.yaml index dc5e2690b..ddf3dbe9f 100644 --- a/other/check-hpa-exists/check-hpa-exists.yaml +++ b/other/check-hpa-exists/check-hpa-exists.yaml 
@@ -11,10 +11,10 @@ metadata: kyverno.io/kubernetes-version: "1.28" policies.kyverno.io/subject: Deployment policies.kyverno.io/description: >- - This policy ensures that Deployments are only allowed if they have a corresponding - Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks - for the presence of an HPA that targets the Deployment and denies the creation or update - of the Deployment if no such HPA exists. This policy helps enforce scaling practices + This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed + if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. + The policy checks for the presence of an HPA that targets the resource and denies the creation or update + of the resource if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently. spec: validationFailureAction: Audit @@ -22,9 +22,13 @@ spec: rules: - name: validate-hpa match: - resources: - kinds: - - Deployment + any: + - resources: + kinds: + - Deployment + - ReplicaSet + - StatefulSet + - DaemonSet context: - name: hpas apiCall: @@ -36,5 +40,5 @@ spec: conditions: all: - key: "{{ request.object.metadata.name }}" - operator: NotIn + operator: AnyNotIn value: "{{ hpas }}" From 35bddd3267638c0348bd256c7856e158ac3aeb25 Mon Sep 17 00:00:00 2001 From: anuddeeph1 Date: Mon, 5 Aug 2024 19:29:44 +0530 Subject: [PATCH 4/5] modified subject in check-hpa-exists.yaml Signed-off-by: anuddeeph1 --- other/check-hpa-exists/artifacthub-pkg.yml | 2 +- other/check-hpa-exists/check-hpa-exists.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/other/check-hpa-exists/artifacthub-pkg.yml b/other/check-hpa-exists/artifacthub-pkg.yml index aa2bfc108..4d82519a5 100644 --- a/other/check-hpa-exists/artifacthub-pkg.yml +++ b/other/check-hpa-exists/artifacthub-pkg.yml 
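Review bot: Adding `- DaemonSet` and `- ReplicaSet` to the `kinds` list in the second hunk makes the rule unsatisfiable for those resources: a DaemonSet exposes no `scale` subresource, so no HPA can target one, and ReplicaSets owned by a Deployment carry a pod-template-hash suffix that will not match the `scaleTargetRef.name` of the HPA targeting their parent Deployment. In Enforce mode, which the chainsaw test switches on, every DaemonSet and every Deployment rollout would then be denied at admission unless the installation's resource filters or user exclusions carve the controllers out; in Audit mode they would all be reported as violations. Restricting the list to `- Deployment` and `- StatefulSet` matches what an HPA can actually target, and the chainsaw test should gain a StatefulSet good/bad pair for the newly matched kind, since it still only exercises Deployments. The `operator: AnyNotIn` change in the third hunk is behaviourally equivalent to `NotIn` here because the key is a single scalar, so it neither helps nor hurts.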
@@ -18,4 +18,4 @@ annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.28" kyverno/subject: "Deployment" -digest: 2827afa34284ab3e998e8181dd82dae9d02bd73447e62f87bb4d2d303b983f10 +digest: 4b4c29dcaa05ad8967b2d1707c882aca05e622be135dff2e5c0c2decce3047c8 diff --git a/other/check-hpa-exists/check-hpa-exists.yaml b/other/check-hpa-exists/check-hpa-exists.yaml index ddf3dbe9f..58d8eb274 100644 --- a/other/check-hpa-exists/check-hpa-exists.yaml +++ b/other/check-hpa-exists/check-hpa-exists.yaml @@ -9,7 +9,7 @@ metadata: kyverno.io/kyverno-version: 1.11.0 policies.kyverno.io/minversion: 1.9.0 kyverno.io/kubernetes-version: "1.28" - policies.kyverno.io/subject: Deployment + policies.kyverno.io/subject: Deployment,ReplicaSet,StatefulSet,DaemonSet policies.kyverno.io/description: >- This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. From 34dfdfec53a3b5a6d10b3961280b397a82948ab4 Mon Sep 17 00:00:00 2001 From: anuddeeph1 Date: Tue, 6 Aug 2024 11:33:37 +0530 Subject: [PATCH 5/5] modified subject in artifacthub-pkg.yml Signed-off-by: anuddeeph1 --- other/check-hpa-exists/artifacthub-pkg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/other/check-hpa-exists/artifacthub-pkg.yml b/other/check-hpa-exists/artifacthub-pkg.yml index 4d82519a5..e097f6f1c 100644 --- a/other/check-hpa-exists/artifacthub-pkg.yml +++ b/other/check-hpa-exists/artifacthub-pkg.yml @@ -17,5 +17,5 @@ readme: | annotations: kyverno/category: "Other" kyverno/kubernetesVersion: "1.28" - kyverno/subject: "Deployment" + kyverno/subject: "Deployment,ReplicaSet,StatefulSet,DaemonSet" digest: 4b4c29dcaa05ad8967b2d1707c882aca05e622be135dff2e5c0c2decce3047c8