Add mutate policy for PAAS to add imagePullSecrets for osc-registry

charts/kyverno-policies/templates/add-image-pull-secret.yaml

@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-image-pull-secret
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: paas-osc-registry
+      match:
+        any:
+        - resources:
+            kinds:
+            - Pod
+            namespaceSelector:
+              matchExpressions:
+              - key: osc.edu/role
+                operator: In
+                values:
+                - paas
+      context:
+      - name: secret
+        apiCall:
+          urlPath: "/api/v1/namespaces/{{`{{ request.namespace }}`}}/secrets/osc-registry"
+          jmesPath: "metadata.name || ''"
+      preconditions:
+      - key: "{{`{{ secret || '' }}`}}"
+        operator: NotEquals
+        value: ""
+      mutate:
+        patchStrategicMerge:
+          spec:
+            imagePullSecrets:
+            - name: "{{`{{ secret }}`}}"

tests/kyverno-policies/add-image-pull-secret/kyverno-test.yaml

@@ -0,0 +1,22 @@
+---
+name: add-image-pull-secret
+policies:
+  - policy.yaml
+resources:
+  - resources.yaml
+variables: variables.yaml
+results:
+  - policy: add-image-pull-secret
+    rule: paas-osc-registry
+    resources:
+      - test-paas
+    patchedResource: paas-mutated.yaml
+    kind: Pod
+    result: pass
+  - policy: add-image-pull-secret
+    rule: paas-osc-registry
+    resources:
+      - test-paas-skip
+      - test-paas-skip-no-secret
+    kind: Pod
+    result: skip

tests/kyverno-policies/add-image-pull-secret/paas-mutated.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas
+  namespace: paas
+spec:
+  imagePullSecrets:
+  - name: osc-registry
+  containers:
+    - name: nginx
+      image: nginx:latest
+  initContainers:
+    - name: init
+      image: busybox

tests/kyverno-policies/add-image-pull-secret/resources.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas
+  namespace: paas
+spec:
+  containers:
+    - name: nginx
+      image: nginx:latest
+  initContainers:
+    - name: init
+      image: busybox
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas-skip-no-secret
+  namespace: paas
+spec:
+  containers:
+    - name: nginx
+      image: nginx:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas-skip
+  namespace: user-test
+spec:
+  containers:
+    - name: nginx
+      image: nginx:latest

tests/kyverno-policies/add-image-pull-secret/variables.yaml

@@ -0,0 +1,22 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+metadata:
+  name: values
+policies:
+- name: add-image-pull-secret
+  resources:
+    - name: test-paas
+      values:
+        secret: osc-registry
+    - name: test-paas-skip
+      values:
+        secret: osc-registry
+    - name: test-paas-skip-no-secret
+namespaceSelector:
+  - name: user-test
+    labels:
+      foo: bar
+  - name: paas
+    labels:
+      osc.edu/role: paas
+      osc.edu/service-account: test