feat: Demo rule and pod

Signed-off-by: Fredrik Klingenberg <[email protected]>

README.md

@@ -8,9 +8,8 @@ This demo shows how to use Kyverno to enforce policies on Kubernetes resources.
 ### Setting up the demo without the devcontainer
 First, you will need to have _kind_ installed. You can find instructions on how to install _kind_ [here](https://kind.sigs.k8s.io/docs/user/quick-start/).
 
-## Running the demo
 
-### Create a cluster
+## Create a cluster
 To create a cluster, run the following command:
 
 ```bash
@@ -28,4 +27,25 @@ To install Kyverno, run the following command:
 
 ```bash
 kubectl apply -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml
+```
+
+## Demo
+
+First we will create a namespace for our demo pods:
+
+```bash
+kubectl apply -f demo-pods/ns.yaml
+kubectl apply -f demo-pods/missing-tech-lead-label.yaml
+```
+
+We should then see the following output:
+
+```bash
+    Error from server: error when creating "demo-pods/missing-tech-lead-label.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: 
+
+    policy Pod/demo-pods/failing-demo for resource violation: 
+
+    require-labels:
+    check-for-labels: 'validation error: The label `tech-lead` is required. rule check-for-labels
+        failed at path /metadata/labels/tech-lead/'
 ```

demo-pods/missing-tech-lead-label.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  namespace: demo-pods
+  labels:
+    run: failing-demo
+  name: failing-demo
+spec:
+  containers:
+  - image: nginx
+    name: failing-demo

demo-pods/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: demo-pods

policies/require-tech-lead-label.yaml

@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+  annotations:
+    policies.kyverno.io/title: Require Labels
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod, Label
+    policies.kyverno.io/description: >-
+      Define and use labels that identify semantic attributes of your application or Deployment.
+      A common set of labels allows tools to work collaboratively, describing objects in a common manner that
+      all tools can understand. The recommended labels describe applications in a way that can be
+      queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.      
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+  - name: check-for-labels
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "The label `tech-lead` is required."
+      pattern:
+        metadata:
+          labels:
+            tech-lead: "?*"