
Commit 49b406c

committed
update k8s policy
1 parent 48c4cd5 commit 49b406c


11 files changed

+144
-123
lines changed

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
apiVersion: rds.services.k8s.aws/v1alpha1
2+
kind: DBInstance
3+
metadata:
4+
name: rds-should-be-encrypted-0
5+
labels:
6+
mycompany.com/policy-version: "1.0.0"
7+
spec:
8+
allocatedStorage:
9+
autoMinorVersionUpgrade: true
10+
backupRetentionPeriod: 7
11+
dbInstanceClass:
12+
dbInstanceIdentifier:
13+
dbName: demo
14+
dbSubnetGroupName:
15+
enablePerformanceInsights: true
16+
engine: postgres
17+
engineVersion: "13"
18+
masterUsername:
19+
masterUserPassword:
20+
namespace:
21+
name: demo-postgres-creds
22+
key: password
23+
multiAZ: true
24+
publiclyAccessible: false
25+
storageEncrypted: false
26+
storageType: gp2
27+
vpcSecurityGroupIDs:
28+
- EKS_VPC_ID
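Review bot: The placeholder on the last line sits under `vpcSecurityGroupIDs`, a field that by its name takes security-group IDs rather than a VPC ID, so anyone using this fixture as a template will substitute the wrong kind of value; `- EKS_SG_ID` would name what the field expects. Several keys (`allocatedStorage`, `dbInstanceClass`, `dbInstanceIdentifier`, `dbSubnetGroupName`, `masterUsername`, and the secret reference's `namespace`) are left bare and therefore parse as null, which is acceptable for a Kyverno CLI fixture but means the manifest cannot be applied to a cluster as-is. A header comment would make that intent explicit, e.g. `# Kyverno CLI fixture only — storageEncrypted is explicitly false; rds-should-be-encrypted must reject it`.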
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
apiVersion: rds.services.k8s.aws/v1alpha1
2+
kind: DBInstance
3+
metadata:
4+
name: rds-should-be-encrypted-1
5+
labels:
6+
mycompany.com/policy-version: "1.0.0"
7+
spec:
8+
allocatedStorage:
9+
autoMinorVersionUpgrade: true
10+
backupRetentionPeriod: 7
11+
dbInstanceClass:
12+
dbInstanceIdentifier:
13+
dbName: demo
14+
dbSubnetGroupName:
15+
enablePerformanceInsights: true
16+
engine: postgres
17+
engineVersion: "13"
18+
masterUsername:
19+
masterUserPassword:
20+
namespace:
21+
name: demo-postgres-creds
22+
key: password
23+
multiAZ: true
24+
publiclyAccessible: false
25+
storageType: gp2
26+
vpcSecurityGroupIDs:
27+
- EKS_VPC_ID
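Review bot: This fixture omits `storageEncrypted` entirely rather than setting it to false, and the suite expects it to fail, so it is the case where a submitter simply drops the flag — but nothing in the file says so, and a later cleanup could easily fold it into fail0. A one-line header comment would preserve the distinction, e.g. `# Kyverno CLI fixture — storageEncrypted omitted; the validate pattern requires the key, so this must fail as well`.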
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
apiVersion: rds.services.k8s.aws/v1alpha1
2+
kind: DBInstance
3+
metadata:
4+
name: rds-should-be-encrypted-2
5+
labels:
6+
mycompany.com/policy-version: "1.0.0"
7+
spec:
8+
allocatedStorage:
9+
autoMinorVersionUpgrade: true
10+
backupRetentionPeriod: 7
11+
dbInstanceClass:
12+
dbInstanceIdentifier:
13+
dbName: demo
14+
dbSubnetGroupName:
15+
enablePerformanceInsights: true
16+
engine: postgres
17+
engineVersion: "13"
18+
masterUsername:
19+
masterUserPassword:
20+
namespace:
21+
name: demo-postgres-creds
22+
key: password
23+
multiAZ: true
24+
publiclyAccessible: false
25+
storageEncrypted: true
26+
storageType: gp2
27+
vpcSecurityGroupIDs:
28+
- EKS_VPC_ID
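Review bot: The positive fixture enables `storageEncrypted` but specifies no KMS key, so what the suite certifies as compliant is encryption under the account's default AWS-managed key; if the organisation expects a customer-managed key, this fixture (and the policy's pattern) would also need to carry a `kmsKeyID`, which I cannot confirm from here. As with the negative cases, a header comment stating what the fixture proves would help, e.g. `# Kyverno CLI fixture — storageEncrypted: true under the default AWS-managed key; rds-should-be-encrypted must accept it`.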
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
apiVersion: kyverno.io/v1
2+
kind: ClusterPolicy
3+
metadata:
4+
name: rds-should-be-encrypted
5+
annotations:
6+
policies.kyverno.io/title: RDS should be encrypted
7+
policies.kyverno.io/category: Example Org Policy
8+
policies.kyverno.io/severity: medium
9+
policies.kyverno.io/subject: Label
10+
pod-policies.kyverno.io/autogen-controllers: none
11+
spec:
12+
validationFailureAction: enforce
13+
background: false
14+
rules:
15+
- name: rds-should-be-encrypted
16+
exclude:
17+
any:
18+
- resources:
19+
namespaces:
20+
- kube-system
21+
match:
22+
all:
23+
- resources:
24+
namespaces:
25+
- "*?"
26+
kinds:
27+
- "DBInstance"
28+
selector:
29+
matchLabels:
30+
mycompany.com/policy-version: "1.0.0"
31+
validate:
32+
message: "RDS volumes must be encrypted."
33+
pattern:
34+
spec:
35+
storageEncrypted: true
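Review bot: The `selector`/`matchLabels` block at the end of `match` turns this into an opt-in control: a DBInstance submitted without `mycompany.com/policy-version: "1.0.0"` (or with any other version string) is never evaluated, so under `enforce` omitting the label is all it takes to create an unencrypted instance. Unless a companion policy requires that exact label on every DBInstance, delete the three lines `selector:` / `matchLabels:` / `mycompany.com/policy-version: "1.0.0"` so the rule matches every `DBInstance`. The `exclude` of `kube-system` widens the gap further and nothing visible here justifies letting that namespace create unencrypted RDS storage, while `background: false` means instances already in the cluster never appear in a PolicyReport — `background: true` is safe because the rule references no admission-request variables. The `namespaces: - "*?"` glob is also unusual; `"*"` is the conventional match-all and reads as intended. Finally, `storageEncrypted: true` is satisfied by the AWS-managed default key, so if a customer-managed key is a requirement the pattern needs a `kmsKeyID` entry too.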
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
2+
name: tests
3+
4+
policies:
5+
- policy.yaml
6+
resources:
7+
- fail0.yaml
8+
- fail1.yaml
9+
- pass0.yaml
10+
11+
results:
12+
- policy: rds-should-be-encrypted
13+
rule: rds-should-be-encrypted
14+
resource: rds-should-be-encrypted-0
15+
kind: DBInstance
16+
result: fail
17+
- policy: rds-should-be-encrypted
18+
rule: rds-should-be-encrypted
19+
resource: rds-should-be-encrypted-1
20+
kind: DBInstance
21+
result: fail
22+
- policy: rds-should-be-encrypted
23+
rule: rds-should-be-encrypted
24+
resource: rds-should-be-encrypted-2
25+
kind: DBInstance
26+
result: pass
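Review bot: No result in this suite covers a DBInstance that lacks the `mycompany.com/policy-version: "1.0.0"` label, which the policy's selector skips silently, so a change that widens or narrows that scoping would go unnoticed by the tests. The deleted require-department-label suite shipped `skip0.yaml`/`skip1.yaml` fixtures, so the convention already exists in this repository; add an unlabeled copy of fail0 and a fourth results entry ending in `result: skip`. The file also opens with two blank lines before `name: tests`; starting it with `---` instead keeps yamllint's document-start check happy.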

kubernetes/kyverno/require-department-label/fail0.yaml

Lines changed: 0 additions & 10 deletions
This file was deleted.

kubernetes/kyverno/require-department-label/pass0.yaml

Lines changed: 0 additions & 11 deletions
This file was deleted.

kubernetes/kyverno/require-department-label/policy.yaml

Lines changed: 0 additions & 48 deletions
This file was deleted.

kubernetes/kyverno/require-department-label/skip0.yaml

Lines changed: 0 additions & 11 deletions
This file was deleted.

kubernetes/kyverno/require-department-label/skip1.yaml

Lines changed: 0 additions & 11 deletions
This file was deleted.

kubernetes/kyverno/require-department-label/test.yaml

Lines changed: 0 additions & 32 deletions
This file was deleted.
