Merge pull request #21 from kcl-lang/add-more-mutation-models

feat: add more mutation models

examples/mutation/add-app-armor-annotation/kcl.mod

@@ -0,0 +1,4 @@
+[package]
+name = "add-app-armor-annotation"
+edition = "*"
+version = "0.0.1"

examples/mutation/add-app-armor-annotation/main.k

@@ -0,0 +1,9 @@
+capabilities: [str] = option("params")?.capabilities or ["SETUID", "SETFCAP"]
+items = [item | {
+    if item.kind == "Pod":
+        spec.containers: [{
+            metadata.annotations: {
+                "container.apparmor.security.beta.kubernetes.io/${container.name}": "runtime/default"
+            }
+        } for container in item.spec.containers]
+} for item in option("items") or []]

examples/mutation/add-app-armor-annotation/suite/good.yaml

@@ -0,0 +1,28 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-app-armor-annotation
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      In the earlier Pod Security Policy controller, it was possible to define
+      a setting which would enable AppArmor for all the containers within a Pod so
+      they may be assigned the desired profile. Assigning an AppArmor profile, accomplished
+      via an annotation, is useful in that it allows secure defaults to be defined and may
+      also result in passing other validation rules such as those in the Pod Security Standards.
+      This policy mutates Pods to add an annotation for every container to enabled AppArmor
+      at the runtime/default level.
+spec:
+  source: ./examples/mutation/add-app-armor-annotation/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80

examples/mutation/add-istio-sidecar-injection/kcl.mod

@@ -0,0 +1,4 @@
+[package]
+name = "add-istio-sidecar-injection"
+edition = "*"
+version = "0.0.1"

examples/mutation/add-istio-sidecar-injection/main.k

@@ -0,0 +1,6 @@
+items = [item | {
+    if item.kind == "Namespace":
+        metadata.labels: {
+            "istio-injection" = "enabled"
+        }
+} for item in option("items")]

examples/mutation/add-istio-sidecar-injection/suite/good.yaml

@@ -0,0 +1,20 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-istio-sidecar-injection
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      In order for Istio to inject sidecars to workloads deployed into Namespaces,
+      the label `istio-injection` must be set to `enabled`. As an alternative to
+      rejecting Namespace definitions which don't already contain this label,
+      it can be added automatically. This policy adds the label `istio-inject`
+      set to `enabled` for all new Namespaces.
+spec:
+  source: ./examples/mutation/add-istio-sidecar-injection/main.k
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sampleapp

examples/mutation/add-linkerd-policy-annotation/kcl.mod

@@ -0,0 +1,4 @@
+[package]
+name = "add-linkerd-policy-annotation"
+edition = "*"
+version = "0.0.1"

examples/mutation/add-linkerd-policy-annotation/main.k

@@ -0,0 +1,5 @@
+items = [item | {
+    metadata.annotations: {
+        "config.linkerd.io/default-inbound-policy" = "deny"
+    }
+} for item in option("items")]

examples/mutation/add-linkerd-policy-annotation/suite/good.yaml

@@ -0,0 +1,22 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-linkerd-policy-annotation
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      Add Linkerd Policy Annotation
+spec:
+  source: ./examples/mutation/add-linkerd-policy-annotation/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80

examples/mutation/add-ndots/kcl.mod

@@ -0,0 +1,4 @@
+[package]
+name = "add-ndots"
+edition = "*"
+version = "0.0.1"

examples/mutation/add-ndots/main.k

@@ -0,0 +1,9 @@
+items = [item | {
+    if item.kind == "Pod":
+        spec.dnsConfig.options += [
+            {
+                name = "ndots"
+                value: "1"
+            }
+        ]
+} for item in option("items")]

examples/mutation/add-ndots/suite/good.yaml

@@ -0,0 +1,24 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-ndots
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      The ndots value controls where DNS lookups are first performed in a cluster
+      and needs to be set to a lower value than the default of 5 in some cases.
+      This policy mutates all Pods to add the ndots option with a value of 1.
+spec:
+  source: ./examples/mutation/add-ndots/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80

examples/mutation/add-nodeselector/kcl.mod

@@ -0,0 +1,3 @@
+[package]
+name = "add-nodeselector"
+version = "0.0.1"

examples/mutation/add-nodeselector/main.k

@@ -0,0 +1,7 @@
+params = option("params") or {}
+# Use `k = v` to override existing selector
+selector: {str:str} = {k = v for k, v in params.selector or {}}
+items = [item | {
+    if item.kind == "Pod":
+        spec.nodeSelector: selector
+} for item in option("items")]

examples/mutation/add-nodeselector/suite/good.yaml

@@ -0,0 +1,25 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-nodeselector
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      Add nodeselector
+spec:
+  params:
+    selector:
+      foo: bar
+  source: ./examples/mutation/add-nodeselector/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80

examples/mutation/add-psa-labels/kcl.mod

@@ -0,0 +1,4 @@
+[package]
+name = "add-psa-labels"
+edition = "*"
+version = "0.0.1"

examples/mutation/add-psa-labels/main.k

@@ -0,0 +1,7 @@
+items = [item | {
+    if item.kind == "Namespace":
+        metadata.labels: {
+            "pod-security.kubernetes.io/enforce" = "baseline"
+            "pod-security.kubernetes.io/warn" = "restricted"
+        }
+} for item in option("items")]

examples/mutation/add-psa-labels/suite/good.yaml

@@ -0,0 +1,22 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-psa-labels
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      Pod Security Admission (PSA) can be controlled via the assignment of labels
+      at the Namespace level which define the Pod Security Standard (PSS) profile
+      in use and the action to take. If not using a cluster-wide configuration
+      via an AdmissionConfiguration file, Namespaces must be explicitly labeled.
+      This policy assigns the labels `pod-security.kubernetes.io/enforce=baseline`
+      and `pod-security.kubernetes.io/warn=restricted` to all new Namespaces if
+      those labels are not included.
+spec:
+  source: ./examples/mutation/add-psa-labels/main.k
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sampleapp

examples/mutation/add-quota/kcl.mod

@@ -0,0 +1,3 @@
+[package]
+name = "add-quota"
+version = "0.0.1"

examples/mutation/add-quota/main.k

@@ -0,0 +1,36 @@
+ns_list = [item.metadata.name for item in option("items") if item.kind == "Namespace"]
+
+items = option("items") + [
+    {
+        apiVersion: "v1"
+        kind: "ResourceQuota"
+        name: "default-resourcequota"
+        synchronize: True
+        namespace: ns
+        data.spec.hard: {
+            'requests.cpu': '4'
+            'requests.memory': str(16Gi)
+            'limits.cpu': '4'
+            'limits.memory': str(16Gi)
+        }
+    } for ns in ns_list
+] + [
+    {
+        apiVersion: "v1"
+        kind: "LimitRange"
+        name: "default-limitrange"
+        synchronize: True
+        namespace: ns
+        data.spec.limits = [{
+            default: {
+                cpu: str(500m)
+                memory: str(1Gi)
+            }
+            defaultRequest: {
+                cpu: str(200m)
+                memory: str(256Mi)
+            }
+            type: "Container"
+        }]
+    } for ns in ns_list
+]

examples/mutation/add-quota/suite/good.yaml

@@ -0,0 +1,16 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-quota
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      Add quota
+spec:
+  source: ./examples/mutation/add-quota/main.k
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sampleapp