From 8aef45a4e9a892d72904095dfd882071c081c4a7 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Thu, 30 May 2024 16:42:58 +0000
Subject: [PATCH 1/2] copy check-deprecated-apis
Signed-off-by: Chandan-DK
---
 .../.kyverno-test/kyverno-test.yaml | 27 ++++
 .../.kyverno-test/resource.yaml | 52 ++++++++
 .../check-deprecated-apis/artifacthub-pkg.yml | 22 ++++
 .../check-deprecated-apis.yaml | 121 ++++++++++++++++++
 4 files changed, 222 insertions(+)
 create mode 100644 best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml
 create mode 100644 best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml
 create mode 100644 best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml
 create mode 100644 best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
diff --git a/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml b/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..7b7f6b6b4
--- /dev/null
+++ b/best-practices-cel/check-deprecated-apis/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,27 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: check-deprecated-apis
+policies:
+- ../check-deprecated-apis.yaml
+resources:
+- resource.yaml
+results:
+- kind: CronJob
+ policy: check-deprecated-apis
+ resources:
+ - bad-cronjob
+ result: fail
+ rule: validate-v1-25-removals
+- kind: CronJob
+ policy: check-deprecated-apis
+ resources:
+ - good-cronjob
+ result: skip
+ rule: validate-v1-25-removals
+- kind: FlowSchema
+ policy: check-deprecated-apis
+ resources:
+ - bad-flowschema
+ result: fail
+ rule: validate-v1-29-removals
diff --git a/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml b/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..c62c18ee1
--- /dev/null
+++ b/best-practices-cel/check-deprecated-apis/.kyverno-test/resource.yaml
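Review bot: The results list checks only validate-v1-25-removals and validate-v1-29-removals; no resource or result entry exercises validate-v1-26-removals (flowcontrol.apiserver.k8s.io/v1beta1, autoscaling/v2beta2) or validate-v1-27-removals (storage.k8s.io/v1beta1), so a regression in either rule's precondition or match list would not be caught, and the second patch in this series does not touch this file. Add one deprecated-apiVersion resource per untested rule to resource.yaml and a matching entry here, e.g. `- kind: HorizontalPodAutoscaler` / `resources: [bad-hpa]` / `rule: validate-v1-26-removals` with `result: fail` (names constructed). A current-apiVersion `skip` case exists only for CronJob; a FlowSchema at a non-deprecated apiVersion would pin the precondition of the v1-26 and v1-29 rules the same way.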
@@ -0,0 +1,52 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: bad-cronjob
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.28
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ restartPolicy: OnFailure
+
+---
+
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: good-cronjob
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: hello
+ image: busybox:1.28
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ - date; echo Hello from the Kubernetes cluster
+ restartPolicy: OnFailure
+
+---
+apiVersion: flowcontrol.apiserver.k8s.io/v1beta2
+kind: FlowSchema
+metadata:
+ name: bad-flowschema
+spec:
+ matchingPrecedence: 1000
+ priorityLevelConfiguration:
+ name: exempt
+
\ No newline at end of file
diff --git a/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml b/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml
new file mode 100644
index 000000000..a3eb252f5
--- /dev/null
+++ b/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: check-deprecated-apis
+version: 1.0.0
+displayName: Check deprecated APIs
+createdAt: "2023-04-10T19:47:15.000Z"
+description: >-
+ Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out due to a check for this kind having a performance penalty on Kubernetes clusters with many leases. Its enabling should be attended carefully and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/check-deprecated-apis/check-deprecated-apis.yaml
+ ```
+keywords:
+ - kyverno
+ - Best Practices
+readme: |
+ Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out due to a check for this kind having a performance penalty on Kubernetes clusters with many leases. Its enabling should be attended carefully and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Best Practices"
+ kyverno/kubernetesVersion: "1.23"
+ kyverno/subject: "Kubernetes APIs"
+digest: 9dedc3fa982568993975fdc213018f1eca5e0a6bea9bab2111bcfb5b86cdbb7a
diff --git a/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
new file mode 100644
index 000000000..2b49b4421
--- /dev/null
+++ b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
@@ -0,0 +1,121 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-deprecated-apis
+ annotations:
+ policies.kyverno.io/title: Check deprecated APIs
+ policies.kyverno.io/category: Best Practices
+ policies.kyverno.io/subject: Kubernetes APIs
+ kyverno.io/kyverno-version: 1.7.4
+ policies.kyverno.io/minversion: 1.7.4
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ Kubernetes APIs are sometimes deprecated and removed after a few releases.
+ As a best practice, older API versions should be replaced with newer versions.
+ This policy validates for APIs that are deprecated or scheduled for removal.
+ Note that checking for some of these resources may require modifying the Kyverno
+ ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind
+ has been commented out due to a check for this kind having a performance penalty
+ on Kubernetes clusters with many leases. Its enabling should be attended carefully
+ and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25
+ so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
+ This policy requires Kyverno v1.7.4+ to function properly.
+spec:
+ validationFailureAction: audit
+ background: true
+ rules:
+ - name: validate-v1-25-removals
+ match:
+ any:
+ - resources:
+ # NOTE: PodSecurityPolicy is completely removed in 1.25.
+ kinds:
+ - batch/*/CronJob
+ - discovery.k8s.io/*/EndpointSlice
+ - events.k8s.io/*/Event
+ - policy/*/PodDisruptionBudget
+ - policy/*/PodSecurityPolicy
+ - node.k8s.io/*/RuntimeClass
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: NotEquals
+ value: DELETE
+ - key: "{{request.object.apiVersion}}"
+ operator: AnyIn
+ value:
+ - batch/v1beta1
+ - discovery.k8s.io/v1beta1
+ - events.k8s.io/v1beta1
+ - policy/v1beta1
+ - node.k8s.io/v1beta1
+ validate:
+ message: >-
+ {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
+ See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
+ deny: {}
+ - name: validate-v1-26-removals
+ match:
+ any:
+ - resources:
+ kinds:
+ - flowcontrol.apiserver.k8s.io/*/FlowSchema
+ - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
+ - autoscaling/*/HorizontalPodAutoscaler
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: NotEquals
+ value: DELETE
+ - key: "{{request.object.apiVersion}}"
+ operator: AnyIn
+ value:
+ - flowcontrol.apiserver.k8s.io/v1beta1
+ - autoscaling/v2beta2
+ validate:
+ message: >-
+ {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26.
+ See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
+ deny: {}
+ - name: validate-v1-27-removals
+ match:
+ any:
+ - resources:
+ kinds:
+ - storage.k8s.io/*/CSIStorageCapacity
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: NotEquals
+ value: DELETE
+ - key: "{{request.object.apiVersion}}"
+ operator: AnyIn
+ value:
+ - storage.k8s.io/v1beta1
+ validate:
+ message: >-
+ {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27.
+ See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
+ deny: {}
+ - name: validate-v1-29-removals
+ match:
+ any:
+ - resources:
+ kinds:
+ - flowcontrol.apiserver.k8s.io/*/FlowSchema
+ - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
+ preconditions:
+ all:
+ - key: "{{ request.operation || 'BACKGROUND' }}"
+ operator: NotEquals
+ value: DELETE
+ - key: "{{request.object.apiVersion}}"
+ operator: AnyIn
+ value:
+ - flowcontrol.apiserver.k8s.io/v1beta2
+ validate:
+ message: >-
+ {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29.
+ See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
+ deny: {}
+
From b7295d1332ba057f9cb64e1ec73d102f826aeb83 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Fri, 31 May 2024 09:45:25 +0000
Subject: [PATCH 2/2] convert policy
Signed-off-by: Chandan-DK
---
 .../check-deprecated-apis/artifacthub-pkg.yml | 19 +--
 .../check-deprecated-apis.yaml | 110 +++++++-----------
 2 files changed, 52 insertions(+), 77 deletions(-)
diff --git a/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml b/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml
index a3eb252f5..1c20b08fa 100644
--- a/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml
+++ b/best-practices-cel/check-deprecated-apis/artifacthub-pkg.yml
@@ -1,22 +1,23 @@
-name: check-deprecated-apis
+name: check-deprecated-apis-cel
 version: 1.0.0
-displayName: Check deprecated APIs
-createdAt: "2023-04-10T19:47:15.000Z"
+displayName: Check deprecated APIs in CEL expressions
 description: >-
- Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out due to a check for this kind having a performance penalty on Kubernetes clusters with many leases. Its enabling should be attended carefully and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
+ Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
 install: |-
 ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/check-deprecated-apis/check-deprecated-apis.yaml
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
 ```
 keywords:
 - kyverno
 - Best Practices
+ - CEL Expressions
 readme: |
- Kubernetes APIs are sometimes deprecated and removed after a few releases.
As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind has been commented out due to a check for this kind having a performance penalty on Kubernetes clusters with many leases. Its enabling should be attended carefully and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+. This policy requires Kyverno v1.7.4+ to function properly.
+ Kubernetes APIs are sometimes deprecated and removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy validates for APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require modifying the Kyverno ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25 so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
 
 Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
- kyverno/category: "Best Practices"
- kyverno/kubernetesVersion: "1.23"
+ kyverno/category: "Best Practices in CEL"
+ kyverno/kubernetesVersion: "1.26-1.27"
 kyverno/subject: "Kubernetes APIs"
-digest: 9dedc3fa982568993975fdc213018f1eca5e0a6bea9bab2111bcfb5b86cdbb7a
+digest: da368de7982e748983a14198e8f8ef46d455023e8938031444f832919fabba6e
+createdAt: "2024-05-31T09:44:23Z"
diff --git a/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
index 2b49b4421..f01488b1e 100644
--- a/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
+++ b/best-practices-cel/check-deprecated-apis/check-deprecated-apis.yaml
@@ -3,25 +3,20 @@ kind: ClusterPolicy
 metadata:
 name: check-deprecated-apis
 annotations:
- policies.kyverno.io/title: Check deprecated APIs
- policies.kyverno.io/category: Best Practices
+ policies.kyverno.io/title: Check deprecated APIs in CEL expressions
+ policies.kyverno.io/category: Best Practices in CEL
 policies.kyverno.io/subject: Kubernetes APIs
- kyverno.io/kyverno-version: 1.7.4
- policies.kyverno.io/minversion: 1.7.4
- kyverno.io/kubernetes-version: "1.23"
+ kyverno.io/kyverno-version: 1.12.1
+ kyverno.io/kubernetes-version: "1.26-1.27"
 policies.kyverno.io/description: >-
 Kubernetes APIs are sometimes deprecated and removed after a few releases.
 As a best practice, older API versions should be replaced with newer versions.
 This policy validates for APIs that are deprecated or scheduled for removal.
 Note that checking for some of these resources may require modifying the Kyverno
- ConfigMap to remove filters. In the validate-v1-22-removals rule, the Lease kind
- has been commented out due to a check for this kind having a performance penalty
- on Kubernetes clusters with many leases. Its enabling should be attended carefully
- and is not recommended on large clusters. PodSecurityPolicy is removed in v1.25
+ ConfigMap to remove filters. PodSecurityPolicy is removed in v1.25
 so therefore the validate-v1-25-removals rule may not completely work on 1.25+.
- This policy requires Kyverno v1.7.4+ to function properly.
 spec:
- validationFailureAction: audit
+ validationFailureAction: Audit
 background: true
 rules:
 - name: validate-v1-25-removals
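Review bot: The description kept by this hunk still says validate-v1-25-removals "may not completely work on 1.25+", while the same hunk sets `kyverno.io/kubernetes-version: "1.26-1.27"`; on every version the policy now declares support for, PodSecurityPolicy no longer exists, so the `policy/*/PodSecurityPolicy` match entry can never fire and the caveat reads as an open possibility rather than the settled state. Consider rewording it to `PodSecurityPolicy was removed in v1.25, so the policy/*/PodSecurityPolicy entry of validate-v1-25-removals has no effect on the supported Kubernetes versions.` Also, `kyverno.io/kyverno-version: 1.12.1` is left unquoted while `kyverno.io/kubernetes-version` is quoted; a three-part version is not numeric to a YAML parser, but quoting both keeps the two version annotations consistent.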
@@ -36,24 +31,16 @@ spec:
 - policy/*/PodDisruptionBudget
 - policy/*/PodSecurityPolicy
 - node.k8s.io/*/RuntimeClass
- preconditions:
- all:
- - key: "{{ request.operation || 'BACKGROUND' }}"
- operator: NotEquals
- value: DELETE
- - key: "{{request.object.apiVersion}}"
- operator: AnyIn
- value:
- - batch/v1beta1
- - discovery.k8s.io/v1beta1
- - events.k8s.io/v1beta1
- - policy/v1beta1
- - node.k8s.io/v1beta1
+ celPreconditions:
+ - name: "allowed-api-versions"
+ expression: "object.apiVersion in ['batch/v1beta1', 'discovery.k8s.io/v1beta1', 'events.k8s.io/v1beta1', 'policy/v1beta1', 'node.k8s.io/v1beta1']"
 validate:
- message: >-
- {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.25.
- See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
- deny: {}
+ cel:
+ expressions:
+ - expression: "false"
+ messageExpression: >-
+ object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.25.
+ See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
 - name: validate-v1-26-removals
 match:
 any:
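Review bot: The removed preconditions excluded DELETE requests (`{{ request.operation || 'BACKGROUND' }}` NotEquals DELETE), but the new celPreconditions entry checks only `object.apiVersion`, so the conversion silently widens the rule: if Kyverno still evaluates it on DELETE, as the original author evidently expected, `object` may be absent for a deletion and the rule would either fail to evaluate or deny removing the very resources the policy wants migrated away. Making the intended operations explicit under `resources:`, e.g. `operations:` / `- CREATE` / `- UPDATE`, restores the old scope in a form the CEL path honours; the validate-v1-26, validate-v1-27 and validate-v1-29 hunks drop the same check. Separately, the precondition is named `allowed-api-versions` although the expression selects the deprecated versions that trigger the deny; `deprecated-api-versions` would describe it correctly.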
@@ -62,41 +49,32 @@ spec:
 - flowcontrol.apiserver.k8s.io/*/FlowSchema
 - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
 - autoscaling/*/HorizontalPodAutoscaler
- preconditions:
- all:
- - key: "{{ request.operation || 'BACKGROUND' }}"
- operator: NotEquals
- value: DELETE
- - key: "{{request.object.apiVersion}}"
- operator: AnyIn
- value:
- - flowcontrol.apiserver.k8s.io/v1beta1
- - autoscaling/v2beta2
+ celPreconditions:
+ - name: "allowed-api-versions"
+ expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta1', 'autoscaling/v2beta2']"
 validate:
- message: >-
- {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.26.
- See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
- deny: {}
+ cel:
+ expressions:
+ - expression: "false"
+ messageExpression: >-
+ object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.26.
+ See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
 - name: validate-v1-27-removals
 match:
 any:
 - resources:
 kinds:
 - storage.k8s.io/*/CSIStorageCapacity
- preconditions:
- all:
- - key: "{{ request.operation || 'BACKGROUND' }}"
- operator: NotEquals
- value: DELETE
- - key: "{{request.object.apiVersion}}"
- operator: AnyIn
- value:
- - storage.k8s.io/v1beta1
+ celPreconditions:
+ - name: "allowed-api-versions"
+ expression: "object.apiVersion in ['storage.k8s.io/v1beta1']"
 validate:
- message: >-
- {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.27.
- See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
- deny: {}
+ cel:
+ expressions:
+ - expression: "false"
+ messageExpression: >-
+ object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.27.
+ See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
 - name: validate-v1-29-removals
 match:
 any:
@@ -104,18 +82,14 @@ spec:
 kinds:
 - flowcontrol.apiserver.k8s.io/*/FlowSchema
 - flowcontrol.apiserver.k8s.io/*/PriorityLevelConfiguration
- preconditions:
- all:
- - key: "{{ request.operation || 'BACKGROUND' }}"
- operator: NotEquals
- value: DELETE
- - key: "{{request.object.apiVersion}}"
- operator: AnyIn
- value:
- - flowcontrol.apiserver.k8s.io/v1beta2
+ celPreconditions:
+ - name: "object.apiVersion"
+ expression: "object.apiVersion in ['flowcontrol.apiserver.k8s.io/v1beta2']"
 validate:
- message: >-
- {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated and will be removed in v1.29.
- See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/
- deny: {}
+ cel:
+ expressions:
+ - expression: "false"
+ messageExpression: >-
+ object.apiVersion + '/' + object.kind + ' is deprecated and will be removed in v1.29.
+ See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
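Review bot: The celPreconditions entry is named `object.apiVersion` here while the three sibling rules name theirs `allowed-api-versions`, which looks like a copy-paste slip and leaves the four rules' precondition names inconsistent. Change it to `- name: "allowed-api-versions"` to match the siblings, or rename all four together if a more descriptive name is chosen for the set.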