From c82565f14c1dab0a662cbd0da36bd4af4a6f8e78 Mon Sep 17 00:00:00 2001 From: Vinod Kumar Date: Fri, 18 Oct 2024 07:57:47 +0530 Subject: [PATCH] added kyverno examples --- iac/demo/keda/001-create-eks.yml | 11 ++++ iac/demo/keda/002-my-nginx-deploy.yml | 22 ++++++++ iac/demo/keda/003-sqs-scaler.yml | 52 +++++++++++++++++++ iac/demo/kyverno/1-kyverno-cluster-policy.yml | 18 +++++++ iac/demo/kyverno/2-development-namespace.yml | 6 +++ iac/demo/kyverno/3-kyverno-policy.yml | 47 +++++++++++++++++ iac/demo/kyverno/4-sample-app-invalid.yml | 23 ++++++++ iac/demo/kyverno/5-sample-app-valid.yml | 24 +++++++++ 8 files changed, 203 insertions(+) create mode 100644 iac/demo/keda/001-create-eks.yml create mode 100644 iac/demo/keda/002-my-nginx-deploy.yml create mode 100644 iac/demo/keda/003-sqs-scaler.yml create mode 100644 iac/demo/kyverno/1-kyverno-cluster-policy.yml create mode 100644 iac/demo/kyverno/2-development-namespace.yml create mode 100644 iac/demo/kyverno/3-kyverno-policy.yml create mode 100644 iac/demo/kyverno/4-sample-app-invalid.yml create mode 100644 iac/demo/kyverno/5-sample-app-valid.yml
diff --git a/iac/demo/keda/001-create-eks.yml b/iac/demo/keda/001-create-eks.yml
new file mode 100644
index 0000000..976d8f9
--- /dev/null
+++ b/iac/demo/keda/001-create-eks.yml
@@ -0,0 +1,11 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+metadata:
+ name: eks-keda-demo
+ region: us-east-1
+ version: '1.29'
+managedNodeGroups:
+ - name: ng
+ instanceType: m4.xlarge
+ minSize: 1
+ maxSize: 2
\ No newline at end of file
diff --git a/iac/demo/keda/002-my-nginx-deploy.yml b/iac/demo/keda/002-my-nginx-deploy.yml
new file mode 100644
index 0000000..98ba84c
--- /dev/null
+++ b/iac/demo/keda/002-my-nginx-deploy.yml
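Review bot: The ClusterConfig has no `iam` section, so the cluster appears to be created without an OIDC provider and the node group runs on its default node role; 003-sqs-scaler.yml in the same commit sets `identityOwner: operator` with the comment "when node role has required permission", which implies the SQS read permission would be granted to the node role and therefore to every pod scheduled on those nodes. Adding `iam:` / `withOIDC: true` here and binding an IAM role to the keda-operator service account keeps the SQS permission scoped to the operator alone. Also, `region: us-east-1` here while the queue polled in 003-sqs-scaler.yml lives in `us-east-2`; cross-region polling works, but the mismatch looks accidental and is worth aligning or documenting.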
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: my-nginx
+ name: my-nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: my-nginx
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: my-nginx
+ spec:
+ containers:
+ - image: nginx
+ name: nginx
+ resources: {}
+status: {}
diff --git a/iac/demo/keda/003-sqs-scaler.yml b/iac/demo/keda/003-sqs-scaler.yml
new file mode 100644
index 0000000..c7af689
--- /dev/null
+++ b/iac/demo/keda/003-sqs-scaler.yml
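Review bot: `image: nginx` carries no tag or digest, so every scale-out that pulls the image (this Deployment is the `scaleTargetRef` of 003-sqs-scaler.yml) may run whatever `latest` resolves to at that moment; pin it, e.g. `image: nginx:<pinned-tag-or-digest>`. `resources: {}` leaves the container without requests or limits, so the scheduler cannot reason about the replicas KEDA adds and one pod can starve the node; set `resources.requests` and `resources.limits` for cpu and memory at minimum. The same two points apply to the Deployments in 4-sample-app-invalid.yml and 5-sample-app-valid.yml. `strategy: {}` and `status: {}` look like generator residue and can be dropped.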
@@ -0,0 +1,52 @@
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: test-secrets
+# data:
+# AWS_ACCESS_KEY_ID: # Required.
+# AWS_SECRET_ACCESS_KEY: # Required.
+# AWS_SESSION_TOKEN: # Required when using temporary credentials.
+# ---
+# apiVersion: keda.sh/v1alpha1
+# kind: TriggerAuthentication
+# metadata:
+# name: keda-trigger-auth-aws-credentials
+# namespace: keda-test
+# spec:
+# secretTargetRef:
+# - parameter: awsAccessKeyID # Required.
+# name: test-secrets # Required.
+# key: AWS_ACCESS_KEY_ID # Required.
+# - parameter: awsSecretAccessKey # Required.
+# name: test-secrets # Required.
+# key: AWS_SECRET_ACCESS_KEY # Required.
+# - parameter: awsSessionToken # Required when using temporary credentials.
+# name: test-secrets # Required when using temporary credentials.
+# key: AWS_SESSION_TOKEN # Required when using temporary credentials.
+---
+apiVersion: keda.sh/v1alpha1
+kind: ScaledObject
+metadata:
+ name: aws-sqs-queue-scaledobject
+ namespace: default
+spec:
+ scaleTargetRef:
+ name: my-nginx
+ pollingInterval: 5 #Interval for polling
+ cooldownPeriod: 10
+ idleReplicaCount: 0 # When idle, scale-in to 0 pods
+ minReplicaCount: 1
+ maxReplicaCount: 3
+ fallback: # Fallback strategy when metrics are unavailable for the apps
+ failureThreshold: 5 #when metrics are unavailable, match the desired state of replicas -> 2
+ replicas: 2 #Keep this desired state when metrics are unavailable
+ triggers:
+ - type: aws-sqs-queue
+ authenticationRef:
+ name: keda-trigger-auth-aws-credentials
+ metadata:
+ queueURL: https://sqs.us-east-2.amazonaws.com/711164302624/my-sqs-keda
+ queueLength: "5" #batch size
+ awsRegion: "us-east-2"
+ #identityOwner: pod
+ identityOwner: operator #when node role has required permission
\ No newline at end of file
diff --git a/iac/demo/kyverno/1-kyverno-cluster-policy.yml b/iac/demo/kyverno/1-kyverno-cluster-policy.yml
new file mode 100644
index 0000000..e7a8239
--- /dev/null
+++ b/iac/demo/kyverno/1-kyverno-cluster-policy.yml
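Review bot: `authenticationRef.name: keda-trigger-auth-aws-credentials` points at a TriggerAuthentication that exists in this file only inside the commented-out block, and even there it is declared in namespace `keda-test` while the ScaledObject is in `default`, so unless it is defined elsewhere in the repo the reference will not resolve. Since the active trigger uses `identityOwner: operator` (the operator's own IAM identity), the `authenticationRef:` block can simply be removed; if the static-key path is ever revived, prefer IRSA or pod identity over an `AWS_SECRET_ACCESS_KEY` held in a Secret. `queueURL` also hard-codes an AWS account id and `us-east-2` while 001-create-eks.yml builds the cluster in `us-east-1`; parameterise both so the demo carries no account-specific values. Minor: `#Interval`, `#when` and `#batch size` lack the space after `#` that yamllint expects.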
@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: enforce-app-deployment-label
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: check-for-label
+ match:
+ resources:
+ kinds:
+ - Deployment
+ validate:
+ message: "You must have the label, 'app' for all deployments."
+ pattern:
+ metadata:
+ labels:
+ app: "?*"
\ No newline at end of file
diff --git a/iac/demo/kyverno/2-development-namespace.yml b/iac/demo/kyverno/2-development-namespace.yml
new file mode 100644
index 0000000..30b5a9b
--- /dev/null
+++ b/iac/demo/kyverno/2-development-namespace.yml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: development
+spec: {}
+status: {}
\ No newline at end of file
diff --git a/iac/demo/kyverno/3-kyverno-policy.yml b/iac/demo/kyverno/3-kyverno-policy.yml
new file mode 100644
index 0000000..790f83a
--- /dev/null
+++ b/iac/demo/kyverno/3-kyverno-policy.yml
@@ -0,0 +1,47 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: enforce-deployment-label-replica-count
+ namespace: development
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - name: check-for-label
+ match:
+ resources:
+ kinds:
+ - Deployment
+ validate:
+ message: "You must have the label, team_name for all deployments."
+ pattern:
+ metadata:
+ labels:
+ team_name: "?*"
+
+ - name: create-max-two
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ validate:
+ message: The replica count for this Deployment may not exceed 2.
+ pattern:
+ spec:
+ replicas: <= 2
+
+ # This rule can be used to limit scale operations based upon Deployment labels assuming the given label
+ # is also used as a selector.
+ # - name: scale-max-3
+ # match:
+ # any:
+ # - resources:
+ # kinds:
+ # - Deployment/scale
+ # validate:
+ # message: The replica count for this Deployment may not exceed 3.
+ # pattern:
+ # (status):
+ # (selector): "*type=monitoring*"
+ # spec:
+ # replicas: <= 3
\ No newline at end of file
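Review bot: The rule matches with the legacy `match.resources` form while the second rule of 3-kyverno-policy.yml in the same commit uses `match.any`; Kyverno documents `match.resources` as deprecated, so write this one as `match:` / `any:` / `- resources:` too and the two files follow one style. With `validationFailureAction: Enforce` and no `exclude`, every Deployment in every namespace Kyverno admits is rejected unless it carries an `app` label; Kyverno's default resource filters skip the system namespaces, but other pre-existing workloads without that label would fail on their next apply, so consider an `exclude` for namespaces you do not own or rolling the policy out as `Audit` first.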
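Review bot: Within this single Policy the first rule matches with `match.resources` and the second with `match.any`; both work today, but Kyverno documents `match.resources` as deprecated, so `check-for-label` should use the `any:` form that `create-max-two` already uses. The `replicas: <= 2` pattern is only exercised for explicit values; a Deployment that omits `spec.replicas` is, as far as I can tell, defaulted by the API server before admission and so still passes, but that case deserves a fixture next to 4-sample-app-invalid.yml. The `team_name: "?*"` pattern accepts any non-empty value, which is fine for a demo; if the label is meant to drive ownership, a narrower pattern or an allowed-values check would make the policy meaningful.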
diff --git a/iac/demo/kyverno/4-sample-app-invalid.yml b/iac/demo/kyverno/4-sample-app-invalid.yml
new file mode 100644
index 0000000..ad93408
--- /dev/null
+++ b/iac/demo/kyverno/4-sample-app-invalid.yml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: my-nginx
+ name: my-nginx
+ namespace: development
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: my-nginx
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: my-nginx
+ spec:
+ containers:
+ - image: nginx
+ name: nginx
+ resources: {}
+status: {}
diff --git a/iac/demo/kyverno/5-sample-app-valid.yml b/iac/demo/kyverno/5-sample-app-valid.yml
new file mode 100644
index 0000000..4c22e1d
--- /dev/null
+++ b/iac/demo/kyverno/5-sample-app-valid.yml
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: my-nginx
+ team_name: team-A
+ name: my-nginx
+ namespace: development
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: my-nginx
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: my-nginx
+ spec:
+ containers:
+ - image: nginx
+ name: nginx
+ resources: {}
+status: {}