Demo for Kyverno

.gitignore

@@ -3,3 +3,6 @@
 webapp/node_modules/
 webapp/package-lock.json
 iac/aws/terraform/creating-custom-vpc/.terraform/
+iac/demo/textract/.terraform.lock.hcl
+iac/demo/textract/.terraform/*
+

iac/demo/kyverno/1.1-kyverno-policy-image-source.yml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: enforce-image-source
+  namespace: development
+spec:
+  validationFailureAction: Enforce
+  rules:
+    - name: validate-image-source
+      match:
+        resources:
+          kinds:
+            - Deployment
+      validate:
+        message: "Only images from the Docker Hub account vinod827/ are allowed."
+        pattern:
+          spec:
+            template:
+              spec:
+                containers:
+                  - image: "vinod827/*"

iac/demo/kyverno/4-sample-app-invalid.yml → iac/demo/kyverno/1.2-sample-app-invalid-image-source.yml

@@ -2,22 +2,21 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app: my-nginx    
-  name: my-nginx
+    app: myapp    
+  name: myapp
   namespace: development
 spec:
-  replicas: 3
+  replicas: 1
   selector:
     matchLabels:
-      app: my-nginx
+      app: myapp
   strategy: {}
   template:
     metadata:
       labels:
-        app: my-nginx
+        app: myapp
     spec:
       containers:
       - image: nginx
         name: nginx
-        resources: {}
 status: {}

iac/demo/kyverno/1.3-sample-app-valid-image-source.yml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: myapp    
+  name: myapp
+  namespace: development
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: myapp
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - image: vinod827/myapp:1.0.1
+        name: myapp
+status: {}

iac/demo/kyverno/7-mutate-policy.yml → iac/demo/kyverno/2.1-kyverno-clusterpolicy-mutate-label.yml

@@ -13,5 +13,7 @@ spec:
       mutate:
         patchStrategicMerge:
           metadata:
-            labels:
-              company: "mycompany"  # Adds this label if not provided
+            labels: # Adds these labels if not provided
+              company: "mycompany"  
+              app: "Observability"
+              cost: "shared-infra"

iac/demo/kyverno/3.1-kyverno-policy-generate-configmap.yml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-postgres-configmap
+spec:
+  rules:
+    - name: generate-postgres-configmap
+      match:
+        resources:
+          kinds:
+            - Namespace
+      preconditions:
+        - key: "{{ request.object.metadata.labels.team }}"
+          operator: Equals
+          value: "infra"
+      generate:
+        apiVersion: v1
+        kind: ConfigMap
+        name: postgres-config
+        namespace: "{{ request.object.metadata.name }}"
+        synchronize: true
+        data:
+          postgres.conf: |
+            # Sample PostgreSQL Configuration
+            listen_addresses = '*'
+            port = 5432
+            max_connections = 100
+            shared_buffers = 128MB
+            work_mem = 4MB
+            maintenance_work_mem = 64MB
+            timezone = 'UTC'
+            log_statement = 'ddl'

iac/demo/kyverno/3.2-sample-namespace.yml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-name-2
+  labels:
+    team: infra

iac/demo/kyverno/4.1-kyverno-policy-cleanup.yml

@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: cleanup-completed-jobs
+  namespace: development
+spec:
+  rules:
+    - name: cleanup-jobs
+      match:
+        any:
+          - resources:
+              kinds:
+                - Job
+              namespaces:
+                - development
+      exclude:
+        any:
+          - resources:
+              statuses:
+                - "!Succeeded"
+                - "!Failed"  # Exclude active Jobs
+      cleanup:
+        ttl: 60s  # Delete Jobs 1 minute after completion

iac/demo/kyverno/4.2-sample-job.yml

@@ -0,0 +1,13 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: test-job
+  namespace: development
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: busybox
+          image: busybox
+          command: ["echo", "Hello, Welcome to the DevOps Malayalam community! Let's deep dive into Kyverno today."]

iac/demo/kyverno/demo/1.1-kyverno-policy-image-source.yml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: enforce-image-source
+  namespace: development
+spec:
+  validationFailureAction: Enforce
+  rules:
+    - name: validate-image-source
+      match:
+        resources:
+          kinds:
+            - Deployment
+      validate:
+        message: "Only images from the Docker Hub account vinod827/ are allowed."
+        pattern:
+          spec:
+            template:
+              spec:
+                containers:
+                  - image: "vinod827/*"

iac/demo/kyverno/5-sample-app-valid.yml → iac/demo/kyverno/demo/1.2-sample-app-invalid-image-source.yml

@@ -2,23 +2,21 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app: my-nginx
-    team_name: team-A
-  name: my-nginx
+    app: myapp    
+  name: myapp
   namespace: development
 spec:
-  replicas: 2
+  replicas: 1
   selector:
     matchLabels:
-      app: my-nginx
+      app: myapp
   strategy: {}
   template:
     metadata:
       labels:
-        app: my-nginx
+        app: myapp
     spec:
       containers:
       - image: nginx
         name: nginx
-        resources: {}
 status: {}

iac/demo/kyverno/demo/1.3-sample-app-valid-image-source.yml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: myapp    
+  name: myapp
+  namespace: development
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: myapp
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: myapp
+    spec:
+      containers:
+      - image: vinod827/myapp:1.0.1
+        name: myapp
+status: {}

iac/demo/kyverno/demo/2.1-kyverno-clusterpolicy-mutate-label.yml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-app-label
+spec:
+  rules:
+    - name: add-app-label-to-pods-deployment
+      match:
+        resources:
+          kinds:
+            - Pod
+            - Deployment
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            labels: # Adds these labels if not provided
+              company: "mycompany"  
+              app: "Observability"
+              cost: "shared-infra"