Make CRDs optional #443

Open
JimBugwadia opened this issue Jun 29, 2023 · 0 comments

The CLI does not require CRDs:

Here is a resource that represents a TF plan:

apiVersion: nirmata.io/terraform
kind: Plan
metadata:
  annotations:
  labels:
    run: pod
  name: aws-instance
spec:
  outputs:
    private_ip:
      value: 192.168.3.2
      type: string
      sensitive: false
  root_module:
    resources:
    - address: aws_instance.example[1]
      mode: managed
      type: aws_instance
      name: example
      index: 1
      provider_name: aws
      schema_version: 2
      values:
        id: i-abc123
        instance_type: t2.micro
      sensitive_values:
        id: true
    child_modules:
    - address: module.child
      resources:
      - address: module.child.aws_instance.foo
      child_modules: []

Here is a policy that validates the Plan:

apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: validate-instance
spec:
  validationFailureAction: audit
  rules:
  - name: check-instance-type
    match:
      any:
      - resources:
          kinds:
          - nirmata.io/terraform/Plan
    context:
    - name: instanceTypes
      variable:
        jmesPath: "request.object.spec.root_module.resources[].values[].instance_type"
    validate:
      message: "invalid instance type"
      deny:
        conditions:
          all:
          - key: "{{ instanceTypes }}"
            operator: AllNotIn
            value: ["m5.large", "m4.large"]
            message: "{{instanceTypes}} not allowed"

The CLI processes as follows:

./cmd/cli/kubectl-kyverno/kubectl-kyverno apply  /tmp/policy.yaml -r /tmp/resource.yaml

Applying 1 policy rule to 1 resource...

policy validate-instance -> resource default/Plan/aws-instance failed:
1. check-instance-type: invalid instance type; ["t2.micro"] not allowed

pass: 0, fail: 2, warn: 0, error: 0, skip: 0

However, on the Playground I get this error:

ServerError: failed to locate OpenAPI spec for GV: nirmata.io/terraform

Here is a link:

https://playground.kyverno.io/#/?content=N4IgDg9gNglgxgTxALhAQzDAagUwE4DOMEAdsgAQDWCAbviRAHTED0NAjADomUwkAmFAArR4CbgFscAFzT80s5N3LkSaKRRppY86TgC0fArJJwc3AmBxwlJFVp0LiJAGJoYUAK54cAQTjSzhRonvww0srkeJ5QOAS2Kvqq6jgUcAAW1pSGJMZopgbSCFaRKhIKGQkq1fkIVdXkST4EEN5m8aUN1bwCHXZdDUkkMHjlsswQLHp4eGgAZhCjLEJQ%2BZ1wpHoAHtL1jcka5EYmZgAqxXGd9mh4MGgARrF7DQBWUgRCCukUnCA%2BAI6eOLSRgQe4vawgyzWRh4CAQaQAfQkEH4MRwsLirTw7QA2gBdRgOIEEAnMXInHCIoolECdBwwXSpK7kd4ENAAc1S5F%2BfAZ/COFPyZnINPMdP6DX4OBIdRZKg2AnCzj6Awa2igzy6SUoODqPJAwGAgryBXOVgI5AAvlbfvKuhArLNpIsKL4oFAAHIIgCSJHtDWJ3NxvwkAFZGKs8FzfgAaA0SAAskZuMYiIHxAeqbM53N%2BRoBJJBYIhAUY0LgsPhSJRaNimJabTiZKDpMJx2FVLFNqOloY0nIGogAHccPw7f6SCBY38sU2UOhMLhCEFVCMxmgJlN8LMFqNuD1BOQVmsSFJZLo0FV8v2nKRVeRVvccFAHypomRyJBx/01Ic0MOBA5KaZgWFYNiRK00hgJ40hvl%2BtxaHoiIwGAWpBhQ7AAJwAEyMOwABsAAcjAAMyMDhLJihQxi3CQHIsgQMpEIEdAUHM2hMZEcIIsiqLonszTYu0exJHI/DNPEg6AShQoFIwOBbOoYCxLi7CZpK2aoty5RqFyP4DNR0kELJIHmJpKh/tyinKbELJ8NKWyYSyYBwjQjL4IiVnBIBjEZDg5SInQK6kBQlEWeQrZaiojIUDA%2BgPHA7A4aR9odgU1IXBQ0h4RI8BwoxzHKnQQXaCS0VHEe0jROZDQZB4/B8XWcSiYO/ASXEUm1uijD1VABldEJTbwYkbUdQQXX8fWfX8IwAEmelZiMAsEAsjNTXolJBLTiA0D8AASnOOI4AuO1wJ4xgQBIh2NsdAAiOBzHwyr3qdM5wF4xj4DdwlxG9ICKWYYCBK9qAgFaQA===
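
Added example, not part of the original issue or the Kyverno code base: the rule above reads only `root_module.resources`, and its `AllNotIn` deny condition holds only when every collected type is outside the list, so this Python sketch reproduces that evaluation and contrasts it with a per-resource check that also walks `child_modules`. The child-module `instance_type` value, the function names, and the `AllNotIn` semantics as coded here are assumptions.

```python
ALLOWED = ["m5.large", "m4.large"]

# Constructed input: the issue's Plan trimmed to the fields the rule reads,
# plus a made-up instance_type on the child-module resource.
PLAN = {"spec": {"root_module": {
    "resources": [
        {"address": "aws_instance.example[1]",
         "values": {"id": "i-abc123", "instance_type": "t2.micro"}},
    ],
    "child_modules": [
        {"address": "module.child",
         "resources": [{"address": "module.child.aws_instance.foo",
                        "values": {"instance_type": "p4d.24xlarge"}}],
         "child_modules": []},
    ],
}}}


def typed(resources):
    """(address, instance_type) for resources that declare an instance_type."""
    return [(r["address"], r["values"]["instance_type"])
            for r in resources or []
            if "instance_type" in (r.get("values") or {})]


def root_types(plan):
    """What the rule's JMESPath selects: root_module.resources only."""
    return [t for _, t in typed(plan["spec"]["root_module"].get("resources"))]


def all_not_in(values, allowed):
    """AllNotIn as assumed here: true when no value is in the allowed set."""
    return all(v not in allowed for v in values)


def walk(module):
    """Collect (address, instance_type) from a module and all nested modules."""
    found = typed(module.get("resources"))
    for child in module.get("child_modules") or []:
        found += walk(child)
    return found


def disallowed(plan, allowed=ALLOWED):
    """Per-resource check across every module level."""
    return [addr for addr, t in walk(plan["spec"]["root_module"]) if t not in allowed]


if __name__ == "__main__":
    print("rule as written denies:", all_not_in(root_types(PLAN), ALLOWED))
    print("disallowed resources:", disallowed(PLAN))
```

On this constructed input the rule as written denies because the only root-level type is `t2.micro`; a root module mixing `t2.micro` with `m5.large` would make `all_not_in` false, while `disallowed` would still report the offending address.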
