Merge pull request #16 from kcl-lang/add-all-models-on-github-packages

feat: add all model source code on github packages

.gitignore

@@ -1 +1,17 @@
-.vscode/
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+vendor/
+.kclvm
+.DS_store

add-app-armor-annotation/README.md

@@ -0,0 +1,38 @@
+## Introduction
+
+`add-app-armor-annotation` is a kcl mutation package, which can be used to add apparmor annotations for the Kubernetes resources.
+
+In the earlier Pod Security Policy controller, it was possible to define
+a setting which would enable AppArmor for all the containers within a Pod so
+they may be assigned the desired profile. Assigning an AppArmor profile, accomplished
+via an annotation, is useful in that it allows secure defaults to be defined and may
+also result in passing other validation rules such as those in the Pod Security Standards.
+This policy mutates Pods to add an annotation for every container to enabled AppArmor
+at the runtime/default level.
+
+The KCL code is as follows:
+
+```python
+capabilities: [str] = option("params")?.capabilities or ["SETUID", "SETFCAP"]
+items = [item | {
+    if item.kind == "Pod":
+        spec.containers: [{
+            metadata.annotations: {
+                "container.apparmor.security.beta.kubernetes.io/${container.name}": "runtime/default"
+            }
+        } for container in item.spec.containers]
+} for item in option("items") or []]
+```
+
+## How to Use
+
+Add the source into your `KCLRun` resource and use the [kubectl kcl plugin](https://kcl-lang.io/docs/user_docs/guides/working-with-k8s/mutate-manifests/kubectl-kcl-plugin) or the [kcl operator](https://kcl-lang.io/docs/user_docs/guides/working-with-k8s/mutate-manifests/kcl-operator) to integrate this model.
+
+```yaml
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-app-armor-annotation
+spec:
+  source: oci://ghcr.io/kcl-lang/add-app-armor-annotation
+```

add-app-armor-annotation/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "add-app-armor-annotation"
+edition = "*"
+version = "0.1.0"
+description = "`add-app-armor-annotation` is a kcl mutation package, which can be used to add apparmor annotations for the Kubernetes resources."

add-app-armor-annotation/main.k

@@ -0,0 +1,9 @@
+capabilities: [str] = option("params")?.capabilities or ["SETUID", "SETFCAP"]
+items = [item | {
+    if item.kind == "Pod":
+        spec.containers: [{
+            metadata.annotations: {
+                "container.apparmor.security.beta.kubernetes.io/${container.name}": "runtime/default"
+            }
+        } for container in item.spec.containers]
+} for item in option("items") or []]

add-app-armor-annotation/suite/good.yaml

@@ -0,0 +1,28 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-app-armor-annotation
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      In the earlier Pod Security Policy controller, it was possible to define
+      a setting which would enable AppArmor for all the containers within a Pod so
+      they may be assigned the desired profile. Assigning an AppArmor profile, accomplished
+      via an annotation, is useful in that it allows secure defaults to be defined and may
+      also result in passing other validation rules such as those in the Pod Security Standards.
+      This policy mutates Pods to add an annotation for every container to enabled AppArmor
+      at the runtime/default level.
+spec:
+  source: ./examples/mutation/add-app-armor-annotation/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80

add-capabilities/README.md

@@ -0,0 +1,16 @@
+## Introduction
+
+`add-capabilities` is a kcl mutation package.
+
+## How to Use
+
+Add the source into your `KCLRun` resource and use the [kubectl kcl plugin](https://kcl-lang.io/docs/user_docs/guides/working-with-k8s/mutate-manifests/kubectl-kcl-plugin) or the [kcl operator](https://kcl-lang.io/docs/user_docs/guides/working-with-k8s/mutate-manifests/kcl-operator) to integrate this model.
+
+```yaml
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-capabilities
+spec:
+  source: oci://ghcr.io/kcl-lang/add-capabilities
+```

add-capabilities/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "add-capabilities"
+edition = "*"
+version = "0.1.0"
+description = "`add-capabilities` is a kcl mutation package."

add-capabilities/main.k

@@ -0,0 +1,7 @@
+capabilities: [str] = option("params")?.capabilities or ["SETUID", "SETFCAP"]
+items = [item | {
+    if item.kind == "Pod":
+        spec.containers: [{
+            "securityContext": {"capabilities": {"add" += [c] if c not in (container?.securityContext?.capabilities?.drop or []) else [] for c in capabilities}}
+        } for container in item.spec.containers]
+} for item in option("items") or []]

add-capabilities/suite/good.yaml

@@ -0,0 +1,26 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-capabilities
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      In the earlier Pod Security Policy controller, it was possible to configure a policy
+      to add capabilities to containers within a Pod. This made it easier to assign some basic defaults
+      rather than blocking Pods or to simply provide capabilities for certain workloads if not specified.
+      This policy mutates Pods to add the capabilities SETFCAP and SETUID so long as they are not listed
+      as dropped capabilities first.
+spec:
+  source: ./examples/mutation/add-capabilities/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80

add-certificates-volume/README.md

@@ -0,0 +1,16 @@
+## Introduction
+
+`add-certificates-volume` is a kcl mutation package.
+
+## How to Use
+
+Add the source into your `KCLRun` resource and use the [kubectl kcl plugin](https://kcl-lang.io/docs/user_docs/guides/working-with-k8s/mutate-manifests/kubectl-kcl-plugin) or the [kcl operator](https://kcl-lang.io/docs/user_docs/guides/working-with-k8s/mutate-manifests/kcl-operator) to integrate this model.
+
+```yaml
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-certificates-volume
+spec:
+  source: oci://ghcr.io/kcl-lang/add-certificates-volume
+```

add-certificates-volume/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "add-certificates-volume"
+edition = "*"
+version = "0.1.0"
+description = "`add-certificates-volume` is a kcl mutation package."

add-certificates-volume/main.k

@@ -0,0 +1,13 @@
+items = [item | {
+    if item.kind == "Pod":
+        spec.volumes += [{
+            name = "etc-ssl-certs"
+            configMap.name = "ca-pemstore"
+        }]
+        spec.containers: [{
+            volumeMounts += [{
+                name = "etc-ssl-certs"
+                mountPath = "/etc/ssl/certs"
+            }]
+        } for container in item.spec.containers]
+} for item in option("items") or []]

add-certificates-volume/suite/good.yaml

@@ -0,0 +1,27 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-certificates-volume
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      In some cases you would need to trust custom CA certificates for all the containers of a Pod.
+      It makes sense to be in a ConfigMap so that you can automount them by only setting an annotation.
+      This policy adds a volume to all containers in a Pod containing the certificate if the annotation
+      called `inject-certs` with value `enabled` is found.
+spec:
+  source: ./examples/mutation/add-certificates-volume/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  annotations:
+    inject-certs: "enabled"
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80

add-default-resources/README.md

@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/add-default-resources)

add-default-resources/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "add-default-resources"
+edition = "*"
+version = "0.1.0"
+description = "`add-default-resources` is a kcl mutation package"

add-default-resources/main.k

@@ -0,0 +1,9 @@
+items = [item | {
+    if item.kind == "Pod":
+        spec.containers: [{
+            resources.requests: {
+                memory = "100Mi"
+                cpu = "100m"
+            }
+        } for container in item.spec.containers]
+} for item in option("items") or []]

add-default-resources/suite/good.yaml

@@ -0,0 +1,28 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-default-resources
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      Pods which don't specify at least resource requests are assigned a QoS class
+      of BestEffort which can hog resources for other Pods on Nodes. At a minimum,
+      all Pods should specify resource requests in order to be labeled as the QoS
+      class Burstable. This sample mutates any container in a Pod which doesn't
+      specify memory or cpu requests to apply some sane defaults.
+spec:
+  source: ./examples/mutation/add-default-resources/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
+  - name: kcl
+    image: kcllang/kcl

add-default-securitycontext/README.md

@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/add-default-securitycontext)

add-default-securitycontext/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "add-default-securitycontext"
+edition = "*"
+version = "0.1.0"
+description = "`add-default-securitycontext` is a kcl mutation package"

add-default-securitycontext/main.k

@@ -0,0 +1,9 @@
+items = [item | {
+    if item.kind == "Pod":
+        spec.securityContext: {
+            runAsNonRoot = True
+            runAsUser = 1000
+            runAsGroup = 3000
+            fsGroup = 2000   
+        }
+} for item in option("items") or []]

add-default-securitycontext/suite/good.yaml

@@ -0,0 +1,27 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-default-securitycontext
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      A Pod securityContext entry defines fields such as the user and group which should be used to run the Pod.
+      Sometimes choosing default values for users rather than blocking is a better alternative to not impede
+      such Pod definitions. This policy will mutate a Pod to set `runAsNonRoot`, `runAsUser`, `runAsGroup`, and 
+      `fsGroup` fields within the Pod securityContext if they are not already set.
+spec:
+  source: ./examples/mutation/add-default-securitycontext/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
+  - name: kcl
+    image: kcllang/kcl

add-emptydir-sizelimit/README.md

@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/add-emptydir-sizelimit)

add-emptydir-sizelimit/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "add-emptydir-sizelimit"
+edition = "*"
+version = "0.1.0"
+description = "`add-emptydir-sizelimit` is a kcl mutation package"

add-emptydir-sizelimit/main.k

@@ -0,0 +1,7 @@
+items = [item | {
+    if item.kind == "Pod":
+        spec.volumes: [{
+            if "emptyDir" in v and (v?.emptyDir?.sizeLimit or "") != "100Mi":
+                emptyDir.sizeLimit = "100Mi"
+        } for v in item.spec.volumes or []] or Undefined
+} for item in option("items") or []]

add-emptydir-sizelimit/suite/good.yaml

@@ -0,0 +1,31 @@
+apiVersion: krm.kcl.dev/v1alpha1
+kind: KCLRun
+metadata:
+  name: add-emptydir-sizelimit
+  annotations: 
+    krm.kcl.dev/version: 0.0.1
+    krm.kcl.dev/type: mutation
+    documentation: >-
+      When a Pod requests an emptyDir, by default it does not have a size limit which
+      may allow it to consume excess or all of the space in the medium backing the volume.
+      This can quickly overrun a Node and may result in a denial of service for other
+      workloads. This policy adds a sizeLimit field to all Pods mounting emptyDir
+      volumes, if not present, and sets it to 100Mi.
+spec:
+  source: ./examples/mutation/add-emptydir-sizelimit/main.k
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+spec:
+  containers:
+  - name: nginx
+    image: nginx:1.14.2
+    ports:
+    - containerPort: 80
+  - name: kcl
+    image: kcllang/kcl
+  volumes:
+  - emptyDir: {}
+    name: wordpress-persistent-storage

add-image-as-env-var/README.md

@@ -0,0 +1,5 @@
+## Introduction
+
+## Resource
+
+Code source and document is [here](https://github.com/kcl-lang/artifacthub/tree/main/add-image-as-env-var)

add-image-as-env-var/kcl.mod

@@ -0,0 +1,5 @@
+[package]
+name = "add-image-as-env-var"
+edition = "*"
+version = "0.1.0"
+description = "`add-image-as-env-var` is a kcl mutation package"