anydatacenter Add kyverno tests 2024-11-28 16:40:10 +01:00
modules/versions Add version constraints module 2024-11-28 12:54:33 +01:00
.envrc.example Add example of environment variables 2024-11-28 12:54:24 +01:00
.gitignore Initialize repository with flakes 2024-11-28 12:53:21 +01:00
flake.lock Initialize repository with flakes 2024-11-28 12:53:21 +01:00
flake.nix Add kyverno tests 2024-11-28 16:40:10 +01:00
README.md Update readme with result information about the demo 2024-11-28 16:41:14 +01:00

Rossum - Kyverno policy demo

This example assumes existing, preconfigured access to the Kubernetes API server

Provide environment variables in the working directory as defined in .envrc.example

The anydatacenter directory represents a theoretical structure where the cluster would be located

Root modules

  • anydatacenter/10-devops is a Terraform root module providing prerequisites for Kubernetes resources

  • anydatacenter/30-policy-demo is a set of deployments and policies that demonstrate automated topology spread of Kubernetes pods

The root modules are split because of the chicken-or-the-egg dilemma with Kubernetes manifests and CRDs

Because the kubernetes provider validates manifests against CRDs during the planning phase, it is not possible to do a single apply in which the CRDs are installed and manifests are produced against those CRDs. Another solution would be to use the kubectl provider, which is more error-prone (opinionated statement), so using the kubernetes provider is preferred. This requires either a multi-apply approach (frowned upon!) or splitting the root modules and applying them one after another.

Policies

Policies are deliberately limited to the rossum namespace
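
A sketch of how a namespace-scoped policy in the second root module ties into the split described under "Root modules". This is an added example, not code from this repository: the resource name, policy name, rule name, the distributed=required label and the zone topology key are assumptions, and it assumes the Kyverno CRDs were installed by applying anydatacenter/10-devops first.

```hcl
# Added example (not the repository's own code); all names are hypothetical.
# Placed in anydatacenter/30-policy-demo. During `terraform plan` the kubernetes
# provider asks the API server for the ClusterPolicy schema, so planning fails
# unless the Kyverno CRDs already exist in the cluster.
resource "kubernetes_manifest" "spread_pods" {
  manifest = {
    apiVersion = "kyverno.io/v1"
    kind       = "ClusterPolicy"
    metadata   = { name = "spread-pods-across-zones" } # hypothetical name
    spec = {
      rules = [{
        name = "add-topology-spread" # hypothetical rule name
        match = {
          any = [{
            resources = {
              kinds = ["Deployment"]
              # Scope limit: the rule never touches workloads outside rossum.
              namespaces = ["rossum"]
              # Opt-in label (assumed) so only marked Deployments are mutated.
              selector = { matchLabels = { distributed = "required" } }
            }
          }]
        }
        mutate = {
          patchStrategicMerge = {
            spec = {
              template = {
                spec = {
                  # "+( )" is Kyverno's add-if-not-present anchor: constraints
                  # a Deployment already declares are left untouched.
                  "+(topologySpreadConstraints)" = [{
                    maxSkew           = 1
                    topologyKey       = "topology.kubernetes.io/zone"
                    whenUnsatisfiable = "ScheduleAnyway"
                    labelSelector     = { matchLabels = { distributed = "required" } }
                  }]
                }
              }
            }
          }
        }
      }]
    }
  }
}
```

Because the match block names the namespace explicitly, a Deployment carrying the same label in any other namespace is admitted unchanged.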

Tests

Kyverno tests are defined in the policy root module at ./anydatacenter/30-policy-demo/kyvernoPolicies/tests

Execute with nix and devenv

tests

Execute with kyverno cli

kyverno test ./anydatacenter/30-policy-demo