docs: add expansion and warn to demo (#2368)

* demo: add expansion and warn Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com> * demo: add prereq to readme Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com> Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com> Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
open-policy-agent · Nov 1, 2022 · 5abfb8d · 5abfb8d
1 parent 8cedcfc
commit 5abfb8d
Show file tree

Hide file tree

Showing 7 changed files with 118 additions and 1 deletion.
diff --git a/demo/agilebank/README.md b/demo/agilebank/README.md
@@ -1,4 +1,7 @@
-> NOTE: Be sure to look at the [prerequisite](https://open-policy-agent.github.io/gatekeeper/website/docs/install#prerequisites) and Gatekeeper [installation](https://open-policy-agent.github.io/gatekeeper/website/docs/install#installation) steps before attempting to run the script.
+> NOTE: 
+Be sure to look at the [prerequisite](https://open-policy-agent.github.io/gatekeeper/website/docs/install#prerequisites) and Gatekeeper [installation](https://open-policy-agent.github.io/gatekeeper/website/docs/install#installation) steps before attempting to run the script. 
+
+> NOTE: Use the latest version of Gatekeeper as some of the features are only available in the latest Gatekeeper release and some of the features are only compatible with Kubernetes v1.19+.
 
 > TIP: If you are new to k8s, you can stand up a simple cluster using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/): `kind create cluster`.
 

diff --git a/demo/agilebank/bad_resources/deployment_nolimit.yaml b/demo/agilebank/bad_resources/deployment_nolimit.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
+        args:
+        - "/bin/sh"
diff --git a/demo/agilebank/demo.sh b/demo/agilebank/demo.sh
@@ -106,6 +106,32 @@ echo
 wait
 clear
 
+echo
+p "This works great for pod resources, but what about workload resources that generate pod? For example, how do we enforce resource limits at the deployment level and audit them?"
+read
+p "Let's use the Validation of Workload Resources feature."
+read
+
+pe "kubectl apply -f expansion_templates"
+echo
+
+pe "cat expansion_templates/expand_deployment_expansiontemplate.yaml"
+echo
+
+echo "===== ENTER developer ======"
+echo
+
+pe "cat bad_resources/deployment_nolimit.yaml"
+echo
+
+pe "kubectl apply -f bad_resources/deployment_nolimit.yaml"
+echo
+
+NO_WAIT=false
+echo
+wait
+clear
+
 p "Weeks gone by, the company now has a new policy to rollout to production."
 echo
 
@@ -150,14 +176,31 @@ echo
 pe "kubectl apply -f dryrun/bad_resource/duplicate_ing.yaml"
 echo
 
+p "What if we rollout the policy in warn mode?"
+echo
+
+pe "kubectl apply -f warn/unique-ingress-host.yaml"
+echo
+
+pe "cat warn/unique-ingress-host.yaml"
+echo
+
+pe "cat warn/bad_resource/duplicate_ing.yaml"
+echo
+
+pe "kubectl apply -f warn/bad_resource/duplicate_ing.yaml"
+echo
 
 p "THE END"
 
 kubectl delete -f dryrun/existing_resources
 kubectl delete -f dryrun/bad_resource/
+kubectl delete -f warn/bad_resource/
 kubectl delete -f dryrun
 kubectl delete -f good_resources
 kubectl delete ns advanced-transaction-system
+kubectl delete -f bad_resources/deployment_nolimit.yaml
+kubectl delete -f expansion_templates
 kubectl delete -f constraints
 kubectl delete -f templates
 kubectl delete -f sync.yaml
diff --git a/demo/agilebank/expansion_templates/expand_deployment_expansiontemplate.yaml b/demo/agilebank/expansion_templates/expand_deployment_expansiontemplate.yaml
@@ -0,0 +1,14 @@
+apiVersion: expansion.gatekeeper.sh/v1alpha1
+kind: ExpansionTemplate
+metadata:
+  name: expand-deployments
+spec:
+  applyTo:
+    - groups: ["apps"]
+      kinds: ["DaemonSet", "Deployment", "Job", "ReplicaSet", "ReplicationController", "StatefulSet"]
+      versions: ["v1"]
+  templateSource: "spec.template"
+  generatedGVK:
+    kind: "Pod"
+    group: ""
+    version: "v1"
diff --git a/demo/agilebank/good_resources/opa.yaml b/demo/agilebank/good_resources/opa.yaml
@@ -13,6 +13,14 @@ spec:
         - "run"
         - "--server"
         - "--addr=localhost:8080"
+      livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+      readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 9090
       resources:
         limits:
           cpu: "100m"

diff --git a/demo/agilebank/warn/bad_resource/duplicate_ing.yaml b/demo/agilebank/warn/bad_resource/duplicate_ing.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-host3
+spec:
+  rules:
+  - host: example-host.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: nginx4
+            port:
+              number: 80
diff --git a/demo/agilebank/warn/unique-ingress-host.yaml b/demo/agilebank/warn/unique-ingress-host.yaml
@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sUniqueIngressHost 
+metadata:
+  name: unique-ingress-host
+spec:
+  enforcementAction: warn
+  match:
+    kinds:
+      - apiGroups: ["extensions", "networking.k8s.io"]
+        kinds: ["Ingress"]