added kyverno examples

vinod827 · Oct 19, 2024 · 9331c49 · 9331c49
1 parent 11a70f6
commit 9331c49
Show file tree

Hide file tree

Showing 11 changed files with 259 additions and 0 deletions.
diff --git a/iac/demo/keda/001-create-eks.yml b/iac/demo/keda/001-create-eks.yml
@@ -0,0 +1,11 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+metadata:
+  name: eks-keda-demo
+  region: us-east-1
+  version: '1.29'
+managedNodeGroups:
+  - name: ng
+    instanceType: m4.xlarge
+    minSize: 1
+    maxSize: 2
diff --git a/iac/demo/keda/002-my-nginx-deploy.yml b/iac/demo/keda/002-my-nginx-deploy.yml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: my-nginx
+  name: my-nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: my-nginx
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: my-nginx
+    spec:
+      containers:
+      - image: nginx
+        name: nginx
+        resources: {}
+status: {}
diff --git a/iac/demo/keda/003-sqs-scaler.yml b/iac/demo/keda/003-sqs-scaler.yml
@@ -0,0 +1,52 @@
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: test-secrets
+# data:
+#   AWS_ACCESS_KEY_ID: <encoded-user-id> # Required.
+#   AWS_SECRET_ACCESS_KEY: <encoded-key> # Required.
+#   AWS_SESSION_TOKEN: <encoded-session-token> # Required when using temporary credentials.
+# ---
+# apiVersion: keda.sh/v1alpha1
+# kind: TriggerAuthentication
+# metadata:
+#   name: keda-trigger-auth-aws-credentials
+#   namespace: keda-test
+# spec:
+#   secretTargetRef:
+#   - parameter: awsAccessKeyID     # Required.
+#     name: test-secrets            # Required.
+#     key: AWS_ACCESS_KEY_ID        # Required.
+#   - parameter: awsSecretAccessKey # Required.
+#     name: test-secrets            # Required.
+#     key: AWS_SECRET_ACCESS_KEY    # Required.
+#   - parameter: awsSessionToken    # Required when using temporary credentials.
+#     name: test-secrets            # Required when using temporary credentials.
+#     key: AWS_SESSION_TOKEN        # Required when using temporary credentials.
+---
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+  name: aws-sqs-queue-scaledobject
+  namespace: default
+spec:
+  scaleTargetRef:
+    name: my-nginx
+  pollingInterval: 5 #Interval for polling
+  cooldownPeriod: 10
+  idleReplicaCount: 0 # When idle, scale-in to 0 pods
+  minReplicaCount: 1
+  maxReplicaCount: 3
+  fallback: # Fallback strategy when metrics are unavailable for the apps
+    failureThreshold: 5 #when metrics are unavailable, match the desired state of replicas -> 2
+    replicas: 2 #Keep this desired state when metrics are unavailable
+  triggers:
+  - type: aws-sqs-queue
+    authenticationRef:
+      name: keda-trigger-auth-aws-credentials
+    metadata:
+      queueURL: https://sqs.us-east-2.amazonaws.com/711164302624/my-sqs-keda
+      queueLength: "5" #batch size
+      awsRegion: "us-east-2"
+      #identityOwner: pod
+      identityOwner: operator #when node role has required permission
diff --git a/iac/demo/kyverno/1-kyverno-cluster-policy.yml b/iac/demo/kyverno/1-kyverno-cluster-policy.yml
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-app-deployment-label
+spec:
+  validationFailureAction: Enforce 
+  rules:
+    - name: check-for-label
+      match:
+        resources:
+          kinds:            
+            - Deployment
+      validate:
+        message: "You must have the label, 'app' for all deployments."
+        pattern:
+          metadata:
+            labels:
+              app: "?*"
diff --git a/iac/demo/kyverno/2-development-namespace.yml b/iac/demo/kyverno/2-development-namespace.yml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: development
+spec: {}
+status: {}
diff --git a/iac/demo/kyverno/3-kyverno-policy.yml b/iac/demo/kyverno/3-kyverno-policy.yml
@@ -0,0 +1,47 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: enforce-deployment-label-replica-count
+  namespace: development
+spec:
+  validationFailureAction: Enforce 
+  rules:
+    - name: check-for-label
+      match:
+        resources:
+          kinds:            
+            - Deployment
+      validate:
+        message: "You must have the label, team_name for all deployments."
+        pattern:
+          metadata:
+            labels:
+              team_name: "?*"
+
+    - name: create-max-two
+      match:
+        any:
+        - resources:
+            kinds:
+            - Deployment
+      validate:
+        message: The replica count for this Deployment may not exceed 2.
+        pattern:
+          spec:
+            replicas: <= 2
+
+    # This rule can be used to limit scale operations based upon Deployment labels assuming the given label
+    # is also used as a selector.
+    # - name: scale-max-3
+    #   match:
+    #     any:
+    #     - resources:
+    #         kinds:
+    #         - Deployment/scale
+    #   validate:
+    #     message: The replica count for this Deployment may not exceed 3.
+    #     pattern:
+    #       (status):
+    #         (selector): "*type=monitoring*"
+    #       spec:
+    #         replicas: <= 3
diff --git a/iac/demo/kyverno/4-sample-app-invalid.yml b/iac/demo/kyverno/4-sample-app-invalid.yml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: my-nginx    
+  name: my-nginx
+  namespace: development
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: my-nginx
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: my-nginx
+    spec:
+      containers:
+      - image: nginx
+        name: nginx
+        resources: {}
+status: {}
diff --git a/iac/demo/kyverno/5-sample-app-valid.yml b/iac/demo/kyverno/5-sample-app-valid.yml
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: my-nginx
+    team_name: team-A
+  name: my-nginx
+  namespace: development
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: my-nginx
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: my-nginx
+    spec:
+      containers:
+      - image: nginx
+        name: nginx
+        resources: {}
+status: {}
diff --git a/iac/demo/kyverno/6-clean-up-policy.yml b/iac/demo/kyverno/6-clean-up-policy.yml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cleanup-completed-jobs
+spec:
+  rules:
+    - name: cleanup-jobs
+      match:
+        resources:
+          kinds:
+            - Job
+      preconditions:
+        all:
+          - key: "{{ request.operation }}"
+            operator: In
+            value: ["DELETE"]
+      mutate:
+        patchStrategicMerge:
+          spec:
+            ttlSecondsAfterFinished: 86400 # Clean up after 24 hours
diff --git a/iac/demo/kyverno/7-mutate-policy.yml b/iac/demo/kyverno/7-mutate-policy.yml
@@ -0,0 +1,17 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-app-label
+spec:
+  rules:
+    - name: add-app-label-to-pods-deployment
+      match:
+        resources:
+          kinds:
+            - Pod
+            - Deployment
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            labels:
+              company: "mycompany"  # Adds this label if not provided
diff --git a/iac/demo/kyverno/8-generate.yml b/iac/demo/kyverno/8-generate.yml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-configmap
+spec:
+  rules:
+    - name: generate-default-configmap
+      match:
+        resources:
+          kinds:
+            - Namespace
+      generate:
+        kind: ConfigMap
+        name: default-config
+        namespace: "{{ request.object.metadata.name }}"
+        synchronize: true
+        data:
+          data:
+            configKey: "configValue"