| package policy["com.styra.kubernetes.validating"].test.test | |
| # import the rules from this system | |
| import data.policy["com.styra.kubernetes.validating"].rules.rules | |
| # Name the test something specifc | |
| test_excludedNamespaceGood { | |
| # `in` represents the JSON input that comes from the k8s admission controller | |
| # it doesn't have to be a full deployment, it only needs to represent the data point(s) being tested | |
| in := { |
| # List of namespaces to exclude | |
| excludedNamespaces = {"good", "ok"} | |
| imageSafety[decision] { | |
| # This rule compares the namespace from the admission controller | |
| # to the list of namespaces above | |
| not excludedNamespaces[input.request.namespace] | |
| data.library.v1.kubernetes.admission.workload.v1.block_latest_image_tag[message] | |
| decision := { |
| # List of namespaces to exclude | |
| excludedNamespaces = {"good", "ok"} | |
| imageSafety[decision] { | |
| # This rule compares the namespace from the admission controller | |
| # to the list of namespaces above | |
| not excludedNamespaces[input.request.namespace] | |
| data.library.v1.kubernetes.admission.workload.v1.block_latest_image_tag[message] | |
| decision := { |
| current_dir = File.dirname(__FILE__) | |
| log_level :info | |
| log_location STDOUT | |
| node_name "YOUR_CHEF_SERVER_USERNAME" | |
| client_key "#{current_dir}/#{node_name}.pem" | |
| chef_server_url "https://CHEF_SERVER_FQDN/organizations/CHEF_ORG_SHORT_NAME" | |
| cookbook_path ["#{current_dir}/../cookbooks"] | |
| #ssl_verify_mode :verify_none |
| # Make temp config.rb so we can ignore any ssl errors | |
| echo "ssl_verify_mode :verify_none" > temp_config.rb | |
| # Pull a list of all the orgs on the server | |
| # then loop through each one and make an api call to get the node count | |
| chef-server-ctl org-list -a | while read -r org ; do | |
| echo "Attempting to connect to the $org organization." | |
| /opt/opscode/embedded/bin/knife exec -E "puts api.get('/nodes').size" -s https://127.0.0.1/organizations/$org -u pivotal -k /etc/opscode/pivotal.pem --config temp_config.rb | |
| done |
| az vm create -n hostname -g rgname --public-ip-address-allocation dynamic --image UbuntuLTS --size Standard_D4s_v3 --nsg nsgname --admin-username admin --admin-password password |
PowerShell hack to reformat webhook payload from GitHub to MS Teams. I run it as an Azure Function. This same concept will also work for other applications that send complex payloads via webhook.
Github Webhook -> Azure Function -> MS Teams Webhook.
# Accept the data from the incoming webhook.
param (
[object]$WebhookData
)
Simple example of pushing the Chef Environment name over to Inspec
Control:
title 'Forwarders'
environments = yaml(content: inspec.profile.file('forwarders.yml')).params
chef_environment = attribute('chef_environment', description: 'The chef environment for the node', default: 'nope')
| add-type @" | |
| using System.Net; | |
| using System.Security.Cryptography.X509Certificates; | |
| public class TrustAllCertsPolicy : ICertificatePolicy { | |
| public bool CheckValidationResult( | |
| ServicePoint srvPoint, X509Certificate certificate, | |
| WebRequest request, int certificateProblem) { | |
| return true; | |
| } | |
| } |