@benjaminjb
Created August 31, 2023 14:41
alertmanager-deployment-policy.yaml:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: alertmanager
spec:
  validationFailureAction: Audit
  rules:
  - name: deployment
    match:
      any:
      - resources:
          kinds:
          - Deployment
          name: alertmanager
    validate:
      message: "Should have defined spec"
      pattern:
        spec:
          template:
            spec:
              containers:
              - args:
                - --config.file=/etc/alertmanager/alertmanager.yml
                - --storage.path=/alertmanager
                - --log.level=info
                - --cluster.advertise-address=0.0.0.0:9093
                image: prom/alertmanager:v0.22.2
                name: alertmanager
                ports:
                - containerPort: 9093
                ^(volumeMounts):
                - name: alertmanagerconf
                  mountPath: /etc/alertmanager
                - name: alertmanagerdata
                  mountPath: /alertmanager
              ^(volumes):
              - configMap:
                  defaultMode: 420
                  name: alertmanager-config
                name: alertmanagerconf
              - name: alertmanagerdata
                persistentVolumeClaim:
                  claimName: alertmanagerdata
```
alertmanager-deployment.yaml:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: alertmanager
spec:
  selector:
    matchLabels:
      app.kubernetes.io/component: alertmanager
  template:
    metadata:
      labels:
        app.kubernetes.io/component: alertmanager
    spec:
      containers:
      - name: alertmanager
        image: prom/alertmanager:v0.22.2
        args:
        - --config.file=/etc/alertmanager/alertmanager.yml
        - --storage.path=/alertmanager
        - --log.level=info
        - --cluster.advertise-address=0.0.0.0:9093
        ports:
        - containerPort: 9093
        volumeMounts:
        - mountPath: /etc/alertmanager
          name: alertmanagerconf
        - mountPath: /alertmanager
          name: alertmanagerdata
      serviceAccountName: alertmanager
      volumes:
      - name: alertmanagerdata
        persistentVolumeClaim:
          claimName: alertmanagerdata
      - name: alertmanagerconf
        configMap:
          defaultMode: 420
          name: alertmanager-config
```
kyverno-test.yaml (the test definition; the file name is not shown in the gist, `kyverno-test.yaml` is the name `kyverno test` looks for):

```yaml
name: test
policies:
- alertmanager-deployment-policy.yaml
resources:
- alertmanager-deployment.yaml
results:
- policy: alertmanager
  rule: deployment
  resource: alertmanager
  kind: Deployment
  result: pass
```
Test run:

```console
$> kyverno test testing/kyverno -v3
Executing test...
I0831 09:36:11.401553 15656 common.go:346] "msg"="Defaulting request.operation to CREATE"
I0831 09:36:11.402529 15656 common.go:202] "msg"="read policies" "errors"=0 "policies"=1
applying 1 policy to 1 resource...
I0831 09:36:11.406374 15656 common.go:425] "msg"="applying policy on resource" "policy"="alertmanager" "resource"="default/Deployment/alertmanager"
...
I0831 09:36:11.408626 15656 validate_resource.go:274] engine.validate "msg"="validation error" "error"="resource value '[--config.file=/etc/alertmanager/alertmanager.yml --storage.path=/alertmanager --log.level=info --cluster.advertise-address=0.0.0.0:9093]' does not match '--config.file=/etc/alertmanager/alertmanager.yml' at path /spec/template/spec/containers/0/args/" "new.kind"="Deployment" "new.name"="alertmanager" "new.namespace"="default" "path"="/spec/template/spec/containers/0/args/" "policy.apply"="All" "policy.name"="alertmanager" "policy.namespace"="" "rule.name"="deployment"
I0831 09:36:11.409628 15656 test_command.go:1155] "msg"="result mismatch" "expected"="pass" "key"="alertmanager-deployment-Deployment-alertmanager" "received"="fail"
```
## If I remove the `args` field from the policy file, it passes.
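To reproduce the mismatch from the test log offline and confirm the observation that dropping `args` makes the test pass, here is a small pattern checker added as an example; it is neither Kyverno's code nor part of the gist. It models only the pattern features this policy uses. The `^()` existence-anchor behaviour (key must be present, and each pattern entry must be matched by at least one resource entry in any order) and the index-wise comparison of plain lists are this model's own assumptions, and its "whole-vs-first" mode reproduces only the comparison the log records (the whole `args` list tested against the pattern's first entry), not a claim about Kyverno's source. `PATTERN` and `DEPLOYMENT` are transcribed from the two files above; `with_image` builds a constructed drift case.

```python
import copy
from typing import Any

# Pattern semantics modelled here (added example; not Kyverno's code):
#   map    -> every pattern key must be present and match (extra resource keys are ignored)
#   scalar -> exact equality
#   list   -> pattern[i] constrains resource[i] ("elementwise"), or, for lists of
#             scalars only, the whole resource list is compared with pattern[0]
#             ("whole-vs-first"), which is the comparison the kyverno test log records
#   ^(key) -> existence anchor, modelled as: key present and each pattern entry is
#             satisfied by at least one resource entry, in any order (assumption)


def split_anchor(key: str) -> tuple[str, bool]:
    """Return (field name, True) for a ^(field) key, else (key, False)."""
    if key.startswith("^(") and key.endswith(")"):
        return key[2:-1], True
    return key, False


def fmt(value: Any) -> str:
    """Render lists like Go's %v ([a b c]) so messages resemble the kyverno log."""
    return "[" + " ".join(fmt(v) for v in value) + "]" if isinstance(value, list) else str(value)


def check(resource: Any, pattern: Any, path: str = "/", scalar_lists: str = "elementwise") -> list[str]:
    """Return mismatch messages; an empty list means the resource satisfies the pattern."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return [f"{path}: expected a map"]
        errors: list[str] = []
        for raw_key, sub in pattern.items():
            key, existence = split_anchor(raw_key)
            sub_path = f"{path}{key}/"
            if key not in resource:
                errors.append(f"{sub_path}: required field is missing")
            elif existence:
                errors.extend(check_existence(resource[key], sub, sub_path, scalar_lists))
            else:
                errors.extend(check(resource[key], sub, sub_path, scalar_lists))
        return errors
    if isinstance(pattern, list):
        if not isinstance(resource, list):
            return [f"{path}: expected a list"]
        if pattern and not isinstance(pattern[0], dict) and scalar_lists == "whole-vs-first":
            return check(resource, pattern[0], path, scalar_lists)  # whole list vs one scalar
        if len(resource) < len(pattern):
            return [f"{path}: {len(resource)} entries present, pattern needs {len(pattern)}"]
        return [e for i, sub in enumerate(pattern) for e in check(resource[i], sub, f"{path}{i}/", scalar_lists)]
    if resource != pattern:
        return [f"resource value '{fmt(resource)}' does not match '{fmt(pattern)}' at path {path}"]
    return []


def check_existence(resource: Any, pattern: Any, path: str, scalar_lists: str) -> list[str]:
    """^() anchor model: each pattern entry must match at least one resource entry."""
    if not isinstance(resource, list) or not isinstance(pattern, list):
        return [f"{path}: existence anchor needs a list on both sides"]
    return [f"{path}: no entry satisfies pattern element {i}" for i, sub in enumerate(pattern)
            if not any(check(e, sub, f"{path}{j}/", scalar_lists) == [] for j, e in enumerate(resource))]


ARGS = ["--config.file=/etc/alertmanager/alertmanager.yml", "--storage.path=/alertmanager",
        "--log.level=info", "--cluster.advertise-address=0.0.0.0:9093"]

# Transcribed from the gist's policy `pattern:` block.
PATTERN = {"spec": {"template": {"spec": {
    "containers": [{
        "args": list(ARGS), "image": "prom/alertmanager:v0.22.2", "name": "alertmanager",
        "ports": [{"containerPort": 9093}],
        "^(volumeMounts)": [{"name": "alertmanagerconf", "mountPath": "/etc/alertmanager"},
                            {"name": "alertmanagerdata", "mountPath": "/alertmanager"}],
    }],
    "^(volumes)": [{"configMap": {"defaultMode": 420, "name": "alertmanager-config"}, "name": "alertmanagerconf"},
                   {"name": "alertmanagerdata", "persistentVolumeClaim": {"claimName": "alertmanagerdata"}}],
}}}}

# Transcribed from the gist's Deployment (note that its volumes are listed in the opposite order).
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "alertmanager"},
    "spec": {"selector": {"matchLabels": {"app.kubernetes.io/component": "alertmanager"}},
             "template": {"metadata": {"labels": {"app.kubernetes.io/component": "alertmanager"}},
                          "spec": {
        "containers": [{"name": "alertmanager", "image": "prom/alertmanager:v0.22.2", "args": list(ARGS),
                        "ports": [{"containerPort": 9093}],
                        "volumeMounts": [{"mountPath": "/etc/alertmanager", "name": "alertmanagerconf"},
                                         {"mountPath": "/alertmanager", "name": "alertmanagerdata"}]}],
        "serviceAccountName": "alertmanager",
        "volumes": [{"name": "alertmanagerdata", "persistentVolumeClaim": {"claimName": "alertmanagerdata"}},
                    {"name": "alertmanagerconf", "configMap": {"defaultMode": 420, "name": "alertmanager-config"}}],
    }}}}


def pattern_without_args() -> dict:
    """The change the gist reports as making the test pass: drop `args` from the pattern."""
    p = copy.deepcopy(PATTERN)
    del p["spec"]["template"]["spec"]["containers"][0]["args"]
    return p


def with_image(image: str) -> dict:
    """Copy of DEPLOYMENT with a different container image (constructed drift case)."""
    d = copy.deepcopy(DEPLOYMENT)
    d["spec"]["template"]["spec"]["containers"][0]["image"] = image
    return d


if __name__ == "__main__":
    cases = {
        "elementwise": check(DEPLOYMENT, PATTERN),
        "whole-vs-first (as in the log)": check(DEPLOYMENT, PATTERN, scalar_lists="whole-vs-first"),
        "whole-vs-first, args removed": check(DEPLOYMENT, pattern_without_args(), scalar_lists="whole-vs-first"),
        "elementwise, image drifted": check(with_image("prom/alertmanager:latest"), PATTERN),
    }
    for label, errs in cases.items():
        print(f"{label}: {'pass' if not errs else errs}")
```

Running the block prints a pass for the element-wise comparison and for the pattern without `args`, the same "resource value '[...]' does not match '--config.file=...' at path /spec/template/spec/containers/0/args/" message for the whole-vs-first comparison, and a mismatch at `.../containers/0/image/` for the drifted image. The practical point for a policy in `Audit` mode: a rule that fails against the Deployment it was written for produces audit noise rather than protection, and switching the same rule to `Enforce` would block the legitimate rollout, which is why catching the mismatch in `kyverno test` before deploying the policy matters.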