Adds deprecated resources for showing the deprecation validation with the schema validator

bundles/simple.yaml

@@ -33,5 +33,5 @@ spec:
   ports:
     - name: http-web
       protocol: TCP
-      port: "this-should-be-a-number"
+      port: 81
       targetPort: 8080

crd-validation-rules/crd.yaml

@@ -0,0 +1,32 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: mycustomresources.example.com
+spec:
+  group: example.com
+  names:
+    kind: MyCustomResource
+    plural: mycustomresources
+    singular: mycustomresource
+    shortNames:
+      - mcr
+  scope: Namespaced
+  versions:
+    - name: v1
+      schema:
+        openAPIV3Schema:
+          type: object
+          properties:
+            spec:
+              type: object
+              x-kubernetes-validation:
+                - rule: "self.replicas <= self.maxReplicas"
+                  message: "replicas must be less than or equal to maxReplicas"
+              properties:
+                replicas:
+                  type: integer
+                maxReplicas:
+                  type: integer
+              required:
+                - replicas
+                - maxReplicas

crd-validation-rules/custom-resource.yaml

@@ -0,0 +1,7 @@
+apiVersion: example.com/v1
+kind: MyCustomResource
+metadata:
+  name: example-demo
+spec:
+  replicas: 10
+  maxReplicas: 20

kustomize-happy-cms/base/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     monokle.io/demo: kustomize-happy-cms
 spec:
-  replicas: 1
+  replicas: 6
   selector:
     matchLabels:
       app: happy-cms

standalone/deployment.yaml

@@ -1,31 +1,31 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: panda-blog
+  name: bear-blog
   namespace: third-branch
   labels:
-    monokle.io/demo: vanilla-panda-blog
+    monokle.io/demo: vanilla-bear-blog
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: panda-blog
+      app: bear-blog
   template:
     metadata:
       labels:
-        app: panda-blog
+        app: bear-blog
     spec:
       securityContext:
         runAsUser: 12000
         runAsGroup: 11000
       containers:
-        - name: panda-blog
-          image: panda-blog:latest
+        - name: bear-blog
+          image: bear-blog:latest
           ports:
             - name: http-web
               containerPort: 8080
-        - name: panda-sidecar
-          image: panda-sidecar:latest
+        - name: bear-sidecar
+          image: bear-sidecar:latest
           securityContext:
             runAsUser: 650
           ports:

standalone/deprecated.yaml

@@ -0,0 +1,100 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: job-1
+  labels:
+    app: cj
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: hello
+              image: busybox:1.28
+              imagePullPolicy: IfNotPresent
+              command:
+                - /bin/sh
+                - -c
+                - date; echo Hello from the Kubernetes cluster
+          restartPolicy: OnFailure
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 5
+  rollbackTo:
+    revision: 0
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.14.2
+          ports:
+            - containerPort: 80
+---
+apiVersion: v1
+kind: FlowSchema
+metadata:
+  name: health-for-strangers
+spec:
+  matchingPrecedence: 1000
+  priorityLevelConfiguration:
+    name: exempt
+  rules:
+    - nonResourceRules:
+        - nonResourceURLs:
+            - "/healthz"
+            - "/livez"
+            - "/readyz"
+          verbs:
+            - "*"
+      subjects:
+        - kind: Group
+          group:
+            name: "system:unauthenticated"
+---
+apiVersion: apps/v1beta1
+kind: ReplicaSet
+metadata:
+  name: frontend
+  labels:
+    app: guestbook
+    tier: frontend
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      tier: frontend
+  template:
+    metadata:
+      labels:
+        tier: frontend
+    spec:
+      containers:
+        - name: php-redis
+          image: gcr.io/google_samples/gb-frontend:v3
+---
+apiVersion: storage.k8s.io/v1beta1
+kind: StorageClass
+metadata:
+  name: standard
+provisioner: kubernetes.io/aws-ebs
+parameters:
+  type: gp2
+reclaimPolicy: Retain
+allowVolumeExpansion: true
+mountOptions:
+  - debug
+volumeBindingMode: Immediate

validating-admission-policies/demo.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: demo
+  labels:
+    env: production
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  namespace: demo
+  labels:
+    app: nginx
+    env: production
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.14.2
+          ports:
+            - containerPort: 80

validating-admission-policies/ha-params.policy.yaml

@@ -0,0 +1,42 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: high-available-params
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: v1
+    kind: ConfigMap
+  matchConstraints:
+    resourceRules:
+      - apiGroups: [ "apps" ]
+        apiVersions: [ "v1" ]
+        operations: [ "CREATE", "UPDATE" ]
+        resources: [ "deployments" ]
+  validations:
+    - expression: "object.spec.replicas <= params.data.maxReplicas"
+      message: "replicas must be less or equal to than maxReplicas"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rule-config
+  namespace: demo
+data:
+  maxReplicas: 4
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: high-available-params
+spec:
+  policyName: high-available-params
+  validationActions:
+    - Deny
+  paramRef:
+    name: rule-config
+    namespace: demo
+  matchResources:
+    namespaceSelector:
+      matchLabels:
+        env: production

validating-admission-policies/ha.policy.yaml

@@ -0,0 +1,23 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: high-available
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+      - apiGroups: [ "apps" ]
+        apiVersions: [ "v1" ]
+        operations: [ "CREATE", "UPDATE" ]
+        resources: [ "deployments" ]
+  validations:
+    - expression: "object.spec.replicas > 2"
+      message: "replicas must be greater than 2"
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: high-available
+spec:
+  policyName: high-available
+  validationActions: [Deny]

validating-admission-policies/labels.policy.yaml

@@ -0,0 +1,24 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: env-label
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+      - apiGroups: [ "apps" ]
+        apiVersions: [ "v1" ]
+        operations: [ "CREATE", "UPDATE" ]
+        resources: [ "deployments" ]
+  validations:
+    - expression: "has(object.metadata.labels) && has(object.metadata.labels.env) &&
+        object.metadata.labels.env in ['production', 'staging']"
+      message: Missing expected env label
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: env-label
+spec:
+  policyName: env-label
+  validationActions: [ Deny ]

vanilla-panda-blog/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     monokle.io/demo: vanilla-panda-blog
 spec:
-  replicas: 1
+  replicas: 5
   selector:
     matchLabels:
       app: panda-blog