# Rossum - Kyverno policy demo

This example assumes existing, preconfigured access to the Kubernetes API server.

Provide the environment variables in the working directory as defined in `.envrc.example`.

The `anydatacenter` directory represents a theoretical structure where the cluster would be located.

## Root modules

- `anydatacenter/10-devops` is a Terraform root module providing prerequisites for Kubernetes resources
- `anydatacenter/30-policy-demo` is a root module with deployments and policies to demonstrate automated topology spread of k8s pods

The root modules are split because of the chicken-or-the-egg dilemma with Kubernetes manifests and CRDs.

Because the kubernetes provider validates manifests against CRDs during the planning phase, it is not possible to do a single apply in which CRDs are installed and manifests are produced against those CRDs. Another solution would be the kubectl provider, which is more error-prone (opinionated statement), so the kubernetes provider is preferred. This requires either a multi-apply approach (frowned upon!) or splitting the root modules and applying them one after another.

## Policies

Policies are deliberately limited to the `rossum` namespace.

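As an added illustration (not the policy shipped in this repository), a namespaced Kyverno `Policy` created in `rossum` only affects resources in that namespace, unlike a `ClusterPolicy`. The policy name, the `distributed: required` label and the zone topology key are assumptions made for the example.

```yaml
# Added example; names and labels are hypothetical, not taken from the repository.
apiVersion: kyverno.io/v1
kind: Policy                      # namespaced kind: scope is the policy's own namespace
metadata:
  name: add-topology-spread       # hypothetical name
  namespace: rossum
spec:
  rules:
    - name: spread-pods-across-zones
      match:
        any:
          - resources:
              kinds:
                - Deployment
              selector:
                matchLabels:
                  distributed: required   # hypothetical opt-in label
      mutate:
        patchStrategicMerge:
          spec:
            template:
              spec:
                # "+()" anchor: add the field only when the Deployment
                # does not already define its own constraints.
                +(topologySpreadConstraints):
                  - maxSkew: 1
                    topologyKey: topology.kubernetes.io/zone
                    # Soft constraint: prefer spreading, never block scheduling.
                    whenUnsatisfiable: ScheduleAnyway
                    labelSelector:
                      matchLabels:
                        distributed: required
```
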
## Tests

Kyverno tests are defined in the policy root module at [./anydatacenter/30-policy-demo/kyvernoPolicies/tests](./anydatacenter/30-policy-demo/kyvernoPolicies/tests)

Execute with Nix and devenv:

```sh
tests
```

Execute with the Kyverno CLI:

```sh
kyverno test ./anydatacenter/30-policy-demo
```