feat: add other policies in CEL expressions - Part 4

other-cel/require-annotations/.chainsaw-test/chainsaw-step-01-assert-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-annotations
+status:
+  ready: true

other-cel/require-annotations/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: require-annotations
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../require-annotations.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: require-annotations
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-step-01-assert-1.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: pod-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: pod-bad.yaml
+    - apply:
+        file: podcontroller-good.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: podcontroller-bad.yaml

other-cel/require-annotations/.chainsaw-test/pod-bad.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    corp.org/department: ""
+  name: badpod01
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod02
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35

other-cel/require-annotations/.chainsaw-test/pod-good.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    corp.org/department: "foo"
+  name: goodpod01
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.35

other-cel/require-annotations/.chainsaw-test/podcontroller-bad.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: baddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      annotations:
+        corp.org/department: ""
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - name: busybox
+        image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: badcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+        spec:
+          containers:
+          - name: busybox
+            image: busybox:1.35
+          restartPolicy: OnFailure

other-cel/require-annotations/.chainsaw-test/podcontroller-good.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: busybox
+  name: gooddeployment01
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: busybox
+  strategy: {}
+  template:
+    metadata:
+      annotations:
+        corp.org/department: "foo"
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - name: busybox
+        image: busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: goodcronjob01
+spec:
+  schedule: "* * * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          annotations:
+            corp.org/department: "foo"
+        spec:
+          containers:
+          - name: busybox
+            image: busybox:1.35
+          restartPolicy: OnFailure

other-cel/require-annotations/artifacthub-pkg.yml

@@ -0,0 +1,21 @@
+name: require-annotations
+version: 1.0.0
+displayName: Require Annotations
+createdAt: "2023-04-10T20:30:05.000Z"
+description: >-
+  Define and use annotations that identify semantic attributes of your application or Deployment. A common set of annotations allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended annotations describe applications in a way that can be queried. This policy validates that the annotation `corp.org/department` is specified with some value.      
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/require-annotations/require-annotations.yaml
+  ```
+keywords:
+  - kyverno
+  - Other
+readme: |
+  Define and use annotations that identify semantic attributes of your application or Deployment. A common set of annotations allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended annotations describe applications in a way that can be queried. This policy validates that the annotation `corp.org/department` is specified with some value.      
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Other"
+  kyverno/subject: "Pod, Annotation"
+digest: fafe53fa9a2931eba4755bff2e2a8dfeced08c3fa02593c966d9a07fdd4ae604

other-cel/require-annotations/require-annotations.yaml

@@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-annotations
+  annotations:
+    policies.kyverno.io/title: Require Annotations
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod, Annotation
+    policies.kyverno.io/description: >-
+      Define and use annotations that identify semantic attributes of your application or Deployment.
+      A common set of annotations allows tools to work collaboratively, describing objects in a common manner that
+      all tools can understand. The recommended annotations describe applications in a way that can be
+      queried. This policy validates that the annotation `corp.org/department` is specified with some value.      
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+  - name: check-for-annotation
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "The annotation `corp.org/department` is required."
+      pattern:
+        metadata:
+          annotations:
+            corp.org/department: "?*"