This is a demo project to showcase the capabilities of jspolicy for writing policies for APPUiO.

## Start k3d cluster

```sh
k3d cluster create jspolicy-test
```

## Install jspolicy

```sh
helm install jspolicy jspolicy -n jspolicy --create-namespace --repo https://charts.loft.sh
```

## Build and apply policies

```sh
npm install
npm run compile
kubectl apply -f policies/
```

## `src/policies/enforce-group-label`

This policy ensures that each namespace belongs to a group.

- Enforce that every created namespace has a label `group`.
- Enforce that the user creating or editing the namespace is a member of the group in the label.
- Default groups can be specified in a configmap `default/default-groups`. If a user does not add a label `group`, the policy will add the user's default group as the `group` label.

Demo steps:

- Try to create a namespace without a group.

  ```sh
  kubectl create ns foo
  ```

  This should be denied.

- Create a namespace with group `foo` when not in group `foo`.

  ```sh
  kubectl apply -f demo/group-label/ns-foo.yaml
  ```

  This should be denied.

- Create a namespace with group `foo`.

  ```sh
  # Act as user bob in group foo (and system:masters to have all necessary permissions)
  kubectl --as bob --as-group foo --as-group system:masters apply -f demo/group-label/ns-foo.yaml
  ```

  This should succeed.

- Configure default groups.

  ```sh
  # Set `buzz` as bob's default group
  kubectl apply -f demo/group-label/default-groups.yaml
  ```

- Create a namespace without a group as `bob`.

  ```sh
  # Act as user bob in group buzz (and system:masters to have all necessary permissions)
  kubectl --as bob --as-group buzz --as-group system:masters create ns ns-buzz
  ```

  This should succeed and add a label `group: buzz`.
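The decision logic described above, written as an added example that is not the project's own policy code: a pure function with the same three rules, runnable under Node outside jspolicy. The jspolicy globals a real policy would use (`request`, `deny()`, `mutate()`) and the layout of the `default/default-groups` ConfigMap data (one key per username) are assumptions.

```javascript
// Constructed sample of the `default/default-groups` ConfigMap data.
// Assumed layout: one key per username, value is that user's default group.
const DEFAULT_GROUPS_DATA = { bob: "buzz" };

// Decision logic of enforce-group-label as a pure function (assumed shape;
// inside jspolicy this would read the global `request` and call deny()/mutate()).
// `req` mimics the parts of an AdmissionRequest the policy needs.
// Returns { allowed: false, message } on denial, or { allowed: true, object }
// with the (possibly mutated) namespace on success.
function enforceGroupLabel(req, defaultGroups = DEFAULT_GROUPS_DATA) {
  const ns = JSON.parse(JSON.stringify(req.object)); // work on a copy
  ns.metadata = ns.metadata || {};
  ns.metadata.labels = ns.metadata.labels || {};
  const user = req.userInfo.username;
  const userGroups = req.userInfo.groups || [];

  let group = ns.metadata.labels.group;
  if (!group) {
    // No explicit label: fall back to the user's configured default group
    // (own-property check so names like "constructor" cannot hit the prototype).
    group = Object.prototype.hasOwnProperty.call(defaultGroups, user) ? defaultGroups[user] : undefined;
    if (!group) {
      return { allowed: false, message: `namespace needs a 'group' label and user ${user} has no default group` };
    }
    ns.metadata.labels.group = group; // mutate: add the default group as the label
  }
  // The requesting user must be a member of the group named in the label.
  if (!userGroups.includes(group)) {
    return { allowed: false, message: `user ${user} is not a member of group ${group}` };
  }
  return { allowed: true, object: ns };
}

// Build a constructed AdmissionRequest-like object for a namespace create.
function nsRequest(name, labels, username, groups) {
  return {
    operation: "CREATE",
    userInfo: { username, groups },
    object: { apiVersion: "v1", kind: "Namespace", metadata: { name, labels } },
  };
}

// Replay of the demo steps above.
console.log(enforceGroupLabel(nsRequest("foo", undefined, "alice", [])));                           // denied: no label, no default
console.log(enforceGroupLabel(nsRequest("foo", { group: "foo" }, "bob", ["buzz"])));                // denied: bob not in foo
console.log(enforceGroupLabel(nsRequest("ns-buzz", undefined, "bob", ["buzz", "system:masters"]))); // allowed, label group=buzz added
```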
## `src/policies/ensure-default-objects`

This policy ensures that there is a LimitRange in every user namespace. It currently just creates a hard-coded limit range, but could easily be extended to work differently.

- Look at the LimitRange in the created `foo` namespace.

  ```sh
  kubectl -n foo get limitrange
  ```

  There is a `default` limit range.

- Delete the LimitRange in `foo` and observe it being recreated.

  ```sh
  kubectl -n foo delete limitrange default
  kubectl -n foo get limitrange
  ```

- There is no LimitRange in the non-user namespace `default`.

  ```sh
  kubectl get limitrange
  ```

## `src/policies/set-active-deadline-seconds`

This policy ensures that all "runonce" pods have `.spec.activeDeadlineSeconds` set.

- Create a runonce pod without a deadline.

  ```sh
  kubectl apply -f demo/active-deadline/hello.yaml
  ```

  The pod will get a default value for `activeDeadlineSeconds` of `1800`. You can observe this with:

  ```sh
  kubectl get pod hello -o yaml
  ```

- Create a runonce pod with a deadline.

  ```sh
  kubectl apply -f demo/active-deadline/hello-deadline.yaml
  ```

  The pod will keep its `activeDeadlineSeconds` of `142`. You can observe this with:

  ```sh
  kubectl get pod hello-deadline -o yaml
  ```

- Create a job without a deadline.

  ```sh
  kubectl apply -f demo/active-deadline/job.yaml
  ```

  The pod resulting from the job will get a default value for `activeDeadlineSeconds` of `1800`. You can observe this with:

  ```sh
  # Find pod created by job (similar to hello-2h2r)
  kubectl get pod
  kubectl get pod <job-pod> -o yaml
  ```

- Create a long-running job, i.e. with `restart: Always`.

  ```sh
  kubectl apply -f demo/active-deadline/nginx.yaml
  ```

  The pod will not get a deadline. You can observe this with:

  ```sh
  kubectl get pod nginx -o yaml
  ```