example-policy-org-demo
diff --git a/‎kubernetes/kyverno/rds-should-be-encrypted/fail0.yaml
Lines changed: 28 additions & 0 deletions b/‎kubernetes/kyverno/rds-should-be-encrypted/fail0.yaml
Lines changed: 28 additions & 0 deletions
diff --git a/‎kubernetes/kyverno/rds-should-be-encrypted/fail1.yaml
Lines changed: 27 additions & 0 deletions b/‎kubernetes/kyverno/rds-should-be-encrypted/fail1.yaml
Lines changed: 27 additions & 0 deletions
diff --git a/‎kubernetes/kyverno/rds-should-be-encrypted/pass0.yaml
Lines changed: 28 additions & 0 deletions b/‎kubernetes/kyverno/rds-should-be-encrypted/pass0.yaml
Lines changed: 28 additions & 0 deletions
diff --git a/‎kubernetes/kyverno/rds-should-be-encrypted/policy.yaml
Lines changed: 35 additions & 0 deletions b/‎kubernetes/kyverno/rds-should-be-encrypted/policy.yaml
Lines changed: 35 additions & 0 deletions
diff --git a/‎kubernetes/kyverno/rds-should-be-encrypted/test.yaml
Lines changed: 26 additions & 0 deletions b/‎kubernetes/kyverno/rds-should-be-encrypted/test.yaml
Lines changed: 26 additions & 0 deletions
diff --git a/‎kubernetes/kyverno/require-department-label/fail0.yaml
Lines changed: 0 additions & 10 deletions b/‎kubernetes/kyverno/require-department-label/fail0.yaml
Lines changed: 0 additions & 10 deletions
diff --git a/‎kubernetes/kyverno/require-department-label/pass0.yaml
Lines changed: 0 additions & 11 deletions b/‎kubernetes/kyverno/require-department-label/pass0.yaml
Lines changed: 0 additions & 11 deletions
diff --git a/‎kubernetes/kyverno/require-department-label/policy.yaml
Lines changed: 0 additions & 48 deletions b/‎kubernetes/kyverno/require-department-label/policy.yaml
Lines changed: 0 additions & 48 deletions
diff --git a/‎kubernetes/kyverno/require-department-label/skip0.yaml
Lines changed: 0 additions & 11 deletions b/‎kubernetes/kyverno/require-department-label/skip0.yaml
Lines changed: 0 additions & 11 deletions
diff --git a/‎kubernetes/kyverno/require-department-label/skip1.yaml
Lines changed: 0 additions & 11 deletions b/‎kubernetes/kyverno/require-department-label/skip1.yaml
Lines changed: 0 additions & 11 deletions
@@ -0,0 +1,28 @@
+apiVersion: rds.services.k8s.aws/v1alpha1
+kind: DBInstance
+metadata:
+  name: rds-should-be-encrypted-0
+  labels:
+    mycompany.com/policy-version: "1.0.0"
+spec:
+  allocatedStorage: 
+  autoMinorVersionUpgrade: true
+  backupRetentionPeriod: 7
+  dbInstanceClass: 
+  dbInstanceIdentifier: 
+  dbName: demo
+  dbSubnetGroupName: 
+  enablePerformanceInsights: true
+  engine: postgres
+  engineVersion: "13"
+  masterUsername: 
+  masterUserPassword:
+    namespace: 
+    name: demo-postgres-creds
+    key: password
+  multiAZ: true
+  publiclyAccessible: false
+  storageEncrypted: false
+  storageType: gp2
+  vpcSecurityGroupIDs:
+    - EKS_VPC_ID
@@ -0,0 +1,27 @@
+apiVersion: rds.services.k8s.aws/v1alpha1
+kind: DBInstance
+metadata:
+  name: rds-should-be-encrypted-1
+  labels:
+    mycompany.com/policy-version: "1.0.0"
+spec:
+  allocatedStorage: 
+  autoMinorVersionUpgrade: true
+  backupRetentionPeriod: 7
+  dbInstanceClass: 
+  dbInstanceIdentifier: 
+  dbName: demo
+  dbSubnetGroupName: 
+  enablePerformanceInsights: true
+  engine: postgres
+  engineVersion: "13"
+  masterUsername: 
+  masterUserPassword:
+    namespace: 
+    name: demo-postgres-creds
+    key: password
+  multiAZ: true
+  publiclyAccessible: false
+  storageType: gp2
+  vpcSecurityGroupIDs:
+    - EKS_VPC_ID
@@ -0,0 +1,28 @@
+apiVersion: rds.services.k8s.aws/v1alpha1
+kind: DBInstance
+metadata:
+  name: rds-should-be-encrypted-2
+  labels:
+    mycompany.com/policy-version: "1.0.0"
+spec:
+  allocatedStorage: 
+  autoMinorVersionUpgrade: true
+  backupRetentionPeriod: 7
+  dbInstanceClass: 
+  dbInstanceIdentifier: 
+  dbName: demo
+  dbSubnetGroupName: 
+  enablePerformanceInsights: true
+  engine: postgres
+  engineVersion: "13"
+  masterUsername: 
+  masterUserPassword:
+    namespace: 
+    name: demo-postgres-creds
+    key: password
+  multiAZ: true
+  publiclyAccessible: false
+  storageEncrypted: true
+  storageType: gp2
+  vpcSecurityGroupIDs:
+    - EKS_VPC_ID
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: rds-should-be-encrypted
+  annotations:
+    policies.kyverno.io/title: RDS should be encrypted
+    policies.kyverno.io/category: Example Org Policy
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Label
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+  - name: rds-should-be-encrypted
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+    match:
+      all:
+      - resources:
+          namespaces:
+            - "*?"
+          kinds:
+            - "DBInstance"
+          selector:
+            matchLabels:
+              mycompany.com/policy-version: "1.0.0"
+    validate:
+      message: "RDS volumes must be encrypted."
+      pattern:
+        spec:
+          storageEncrypted: true
@@ -0,0 +1,26 @@
+
+name: tests
+
+policies:
+  - policy.yaml
+resources:
+  - fail0.yaml
+  - fail1.yaml
+  - pass0.yaml
+
+results:
+- policy: rds-should-be-encrypted
+  rule: rds-should-be-encrypted
+  resource: rds-should-be-encrypted-0
+  kind: DBInstance
+  result: fail
+- policy: rds-should-be-encrypted
+  rule: rds-should-be-encrypted
+  resource: rds-should-be-encrypted-1
+  kind: DBInstance
+  result: fail
+- policy: rds-should-be-encrypted
+  rule: rds-should-be-encrypted
+  resource: rds-should-be-encrypted-2
+  kind: DBInstance
+  result: pass