➕ Add new Kyverno exercise

2026-02-14 09:39:56 +00:00 · 2021-12-14 16:39:06 +01:00
parent 1d8062f1dc
commit 164651c461
7 changed files with 143 additions and 0 deletions
--- a/k8s/kyverno-ingress-domain-name-1.yaml
+++ b/k8s/kyverno-ingress-domain-name-1.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: ingress-domain-name
+spec:
+  rules:
+  - name: create-ingress
+    match:
+      resources: 
+        kinds:
+        - Service
+    generate: 
+      kind: Ingress
+      name: "{{request.object.metadata.name}}"
+      namespace: "{{request.object.metadata.namespace}}"
+      data:
+        spec:
+          rules:
+          - host: "{{request.object.metadata.name}}.{{request.object.metadata.namespace}}.A.B.C.D.nip.io"
+            http:
+              paths:
+              - backend:
+                  service:
+                    name: "{{request.object.metadata.name}}"
+                    port:
+                      number: 80
+                path: /
+                pathType: Prefix
--- a/k8s/kyverno-ingress-domain-name-2.yaml
+++ b/k8s/kyverno-ingress-domain-name-2.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: ingress-domain-name
+spec:
+  rules:
+  - name: create-ingress
+    match:
+      resources: 
+        kinds:
+        - Service
+    preconditions:
+    - key: "{{request.object.spec.ports[0].name}}"
+      operator: Equals
+      value: http
+    generate: 
+      kind: Ingress
+      name: "{{request.object.metadata.name}}"
+      namespace: "{{request.object.metadata.namespace}}"
+      data:
+        spec:
+          rules:
+          - host: "{{request.object.metadata.name}}.{{request.object.metadata.namespace}}.A.B.C.D.nip.io"
+            http:
+              paths:
+              - backend:
+                  service:
+                    name: "{{request.object.metadata.name}}"
+                    port:
+                      name: http
+                path: /
+                pathType: Prefix
--- a/k8s/kyverno-ingress-domain-name-3.yaml
+++ b/k8s/kyverno-ingress-domain-name-3.yaml
@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: ingress-domain-name
+spec:
+  rules:
+  - name: create-ingress
+    context:
+    - name: configmap
+      configMap:
+        name: ingress-domain-name
+        namespace: "{{request.object.metadata.namespace}}"
+    match:
+      resources: 
+        kinds:
+        - Service
+    preconditions:
+    - key: "{{request.object.spec.ports[0].name}}"
+      operator: Equals
+      value: http
+    generate: 
+      kind: Ingress
+      name: "{{request.object.metadata.name}}"
+      namespace: "{{request.object.metadata.namespace}}"
+      data:
+        spec:
+          rules:
+          - host: "{{request.object.metadata.name}}.{{request.object.metadata.namespace}}.{{configmap.data.domain}}"
+            http:
+              paths:
+              - backend:
+                  service:
+                    name: "{{request.object.metadata.name}}"
+                    port:
+                      name: http
+                path: /
+                pathType: Prefix
--- a/slides/exercises/ingress-secret-policy-brief.md
+++ b/slides/exercises/ingress-secret-policy-brief.md
@@ -1,3 +1,5 @@
+⚠️ BROKEN EXERCISE - DO NOT USE
+
 ## Exercise — Ingress Secret Policy

 *Implement policy to limit impact of ingress controller vulnerabilities.*
--- a/slides/exercises/ingress-secret-policy-details.md
+++ b/slides/exercises/ingress-secret-policy-details.md
@@ -1,3 +1,5 @@
+⚠️ BROKEN EXERCISE - DO NOT USE
+
 # Exercise — Ingress Secret Policy

 - Most ingress controllers have access to all Secrets
--- a/slides/exercises/kyverno-ingress-domain-name-brief.md
+++ b/slides/exercises/kyverno-ingress-domain-name-brief.md
@@ -0,0 +1,9 @@
+## Exercise — Generating Ingress With Kyverno
+
+- When a Service gets created, automatically generate an Ingress
+
+- Step 1: expose all services with a hard-coded domain name
+
+- Step 2: only expose services that have a port named `http`
+
+- Step 3: configure the domain name with a per-namespace ConfigMap
--- a/slides/exercises/kyverno-ingress-domain-name-details.md
+++ b/slides/exercises/kyverno-ingress-domain-name-details.md
@@ -0,0 +1,33 @@
+# Exercise — Generating Ingress With Kyverno
+
+When a Service gets created...
+
+*(for instance, Service `blue` in Namespace `rainbow`)*
+
+...Automatically generate an Ingress.
+
+*(for instance, with host name `blue.rainbow.MYDOMAIN.COM`)*
+
+---
+
+## Goals
+
+- Step 1: expose all services with a hard-coded domain name
+
+- Step 2: only expose services that have a port named `http`
+
+- Step 3: configure the domain name with a per-namespace ConfigMap
+
+  (e.g. `kubectl create configmap ingress-domain-name --from-literal=domain=1.2.3.4.nip.io`)
+
+---
+
+## Hints
+
+- We want to use a Kyverno `generate` ClusterPolicy
+
+- For step 1, check [Generate Resources](https://kyverno.io/docs/writing-policies/generate/) documentation
+
+- For step 2, check [Preconditions](https://kyverno.io/docs/writing-policies/preconditions/) documentation
+
+- For step 3, check [External Data Sources](https://kyverno.io/docs/writing-policies/external-data-sources/) documentation