kyverno/documentation/writing-policies-validate.md

<small>*[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Validate*</small>


# Validate Configurations 

A validation rule is expressed as an overlay pattern that expresses the desired configuration. Resource configurations must match fields and expressions defined in the pattern to pass the validation rule. The following rules are followed when processing the overlay pattern:

1. Validation will fail if a field is defined in the pattern and if the field does not exist in the configuration. 
2. Undefined fields are treated as wildcards. 
3. A validation pattern field with the wildcard value '*' will match zero or more alphanumeric characters. Empty values are matched. Missing fields are not matched.
4. A validation pattern field with the wildcard value '?' will match any single alphanumeric character. Empty or missing fields are not matched. 
5. A validation pattern field with the wildcard value '?*' will match any alphanumeric characters and requires the field to be present with non-empty values.
6. A validation pattern field with the value `null` or "" (empty string) requires that the field not be defined or has no value.
7. The validation of siblings is performed only when one of the field values matches the value defined in the pattern. You can use the parenthesis operator to explictly specify a field value that must be matched. This allows writing rules like 'if fieldA equals X, then fieldB must equal Y'.
8. Validation of child values is only performed if the parent matches the pattern.

## Patterns

### Wildcards
1. `*` - matches zero or more alphanumeric characters
2. `?` - matches a single alphanumeric character

### Operators

| Operator   | Meaning                   |
|------------|---------------------------| 
| `>`        | greater than              | 
| `<`        | less than                 | 
| `>=`       | greater than or equals to |
| `<=`       | less than or equals to    | 
| `!`        | not equals                |
|  \|        | logical or                |

There is no operator for `equals` as providing a field value in the pattern requires equality to the value.

## Example
The next rule prevents the creation of Deployment, StatefuleSet and DaemonSet resources without label 'app' in selector:
````yaml

apiVersion : kyverno.io/v1alpha1
kind : Policy
metadata :
  name : validation-example
spec :
  rules:
    - name: check-label
      match:
        resources:
          # Kind specifies one or more resource types to match
          kinds:
            - Deployment
            - StatefuleSet
            - DaemonSet
          # Name is optional and can use wildcards
          name: "*"
          # Selector is optional
          selector:
      validate:
        # Message is optional
        message: "The label app is required"    
        pattern:
          spec:
            template:
              metadata:
                labels:
                  app: "?*"

````

### Check if one exist
A variation of an anchor, is to check existance of one element. This is done by using the ^(...) notation for the field.

For example, this pattern will check the existance of "name" field in the list:

````yaml
apiVersion : kyverno.io/v1alpha1
kind : Policy
metadata :
  name : validation-example2
spec :
  rules:
    - name: check-memory_requests_link_in_yaml_relative
      match:
        resources:
          # Kind specifies one or more resource types to match
          kinds:
            - Deployment
          # Name is optional and can use wildcards
          name: "*"
          # Selector is optional
          selector:
      validate:
        pattern:
          spec:
            containers:
              - ^(name): "*"
                resources:
                  requests:
                    memory: "$(<=./../../lim(its/mem)ory)"
                  lim(its:
                    mem)ory: "2048Mi"
````

### Allow OR across overlay pattern
In some cases one content can be defined at a different level. For example, a security context can be defined at the Pod or Container level. The validation rule should pass if one of the conditions is met. 
`anyPattern` can be used to check on at least one of condition, it is the array of pattern, and the rule will be passed if at least one pattern is true.

<small>*Note: either `pattern` or `anyPattern` is allowed in each rule, they can't be decalred in the same rule.*</small>

````yaml
apiVersion: kyverno.io/v1alpha1
kind: Policy
metadata:
  name: check-container-security-context
spec:
  rules:
  - name: check-root-user
    exclude:
      resources:
        namespaces: 
        - kube-system
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Root user is not allowed. Set runAsNonRoot to true."
      anyPattern:
        - spec:
            securityContext:
              runAsNonRoot: true
        - spec:
            containers:
            - name: "*"
              securityContext:
                runAsNonRoot: true
````


Additional examples are available in [examples](/examples/)


---
<small>*Read Next >> [Generate](/documentation/writing-policies-mutate.md)*</small>
fix links 2019-05-21 15:56:01 -07:00			`<small>[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Validate</small>`
update installation doc 2019-05-21 14:44:04 -07:00

fix links 2019-05-21 15:56:01 -07:00			`# Validate Configurations`
update installation doc 2019-05-21 14:44:04 -07:00
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`A validation rule is expressed as an overlay pattern that expresses the desired configuration. Resource configurations must match fields and expressions defined in the pattern to pass the validation rule. The following rules are followed when processing the overlay pattern:`
update installation doc 2019-05-21 14:44:04 -07:00
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`1. Validation will fail if a field is defined in the pattern and if the field does not exist in the configuration.`
			`2. Undefined fields are treated as wildcards.`
Update writing-policies-validate.md 2019-06-21 17:37:38 +03:00			`3. A validation pattern field with the wildcard value '*' will match zero or more alphanumeric characters. Empty values are matched. Missing fields are not matched.`
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`4. A validation pattern field with the wildcard value '?' will match any single alphanumeric character. Empty or missing fields are not matched.`
34: Fixed Validate documentation 2019-05-22 19:37:30 +03:00			`5. A validation pattern field with the wildcard value '?*' will match any alphanumeric characters and requires the field to be present with non-empty values.`
			6. A validation pattern field with the value `null` or "" (empty string) requires that the field not be defined or has no value.
			`7. The validation of siblings is performed only when one of the field values matches the value defined in the pattern. You can use the parenthesis operator to explictly specify a field value that must be matched. This allows writing rules like 'if fieldA equals X, then fieldB must equal Y'.`
			`8. Validation of child values is only performed if the parent matches the pattern.`
update links and consolidate test docs 2019-05-21 15:50:36 -07:00
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`## Patterns`
update links and consolidate test docs 2019-05-21 15:50:36 -07:00
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`### Wildcards`
			1. `*` - matches zero or more alphanumeric characters
fix sp 2019-05-22 00:27:20 -07:00			2. `?` - matches a single alphanumeric character
update links and consolidate test docs 2019-05-21 15:50:36 -07:00
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`### Operators`

			`\| Operator \| Meaning \|`
			`\|------------\|---------------------------\|`
			\| `>` \| greater than \|
			\| `<` \| less than \|
			\| `>=` \| greater than or equals to \|
			\| `<=` \| less than or equals to \|
			\| `!` \| not equals \|
fix sp 2019-05-22 00:27:20 -07:00			`\| \\| \| logical or \|`
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00
			There is no operator for `equals` as providing a field value in the pattern requires equality to the value.

			`## Example`
Update writing-policies-validate.md 2019-05-22 20:03:25 +03:00			`The next rule prevents the creation of Deployment, StatefuleSet and DaemonSet resources without label 'app' in selector:`
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			````yaml

			`apiVersion : kyverno.io/v1alpha1`
			`kind : Policy`
			`metadata :`
			`name : validation-example`
			`spec :`
			`rules:`
fix label example 2019-06-12 21:06:15 -07:00			`- name: check-label`
update documentation 2019-08-21 15:49:34 -07:00			`match:`
			`resources:`
			`# Kind specifies one or more resource types to match`
			`kinds:`
			`- Deployment`
			`- StatefuleSet`
			`- DaemonSet`
			`# Name is optional and can use wildcards`
			`name: "*"`
			`# Selector is optional`
			`selector:`
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`validate:`
			`# Message is optional`
fix label example 2019-06-12 21:06:15 -07:00			`message: "The label app is required"`
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`pattern:`
			`spec:`
fix label example 2019-06-12 21:06:15 -07:00			`template:`
			`metadata:`
			`labels:`
			`app: "?*"`
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00
			````

Update writing-policies-validate.md 2019-06-24 11:06:39 +03:00			`### Check if one exist`
			`A variation of an anchor, is to check existance of one element. This is done by using the ^(...) notation for the field.`

			`For example, this pattern will check the existance of "name" field in the list:`

			````yaml
			`apiVersion : kyverno.io/v1alpha1`
			`kind : Policy`
			`metadata :`
			`name : validation-example2`
			`spec :`
			`rules:`
			`- name: check-memory_requests_link_in_yaml_relative`
update documentation 2019-08-21 15:49:34 -07:00			`match:`
			`resources:`
			`# Kind specifies one or more resource types to match`
			`kinds:`
			`- Deployment`
			`# Name is optional and can use wildcards`
			`name: "*"`
			`# Selector is optional`
			`selector:`
Update writing-policies-validate.md 2019-06-24 11:06:39 +03:00			`validate:`
			`pattern:`
			`spec:`
			`containers:`
			`- ^(name): "*"`
			`resources:`
			`requests:`
			`memory: "$(<=./../../lim(its/mem)ory)"`
			`lim(its:`
			`mem)ory: "2048Mi"`
			````

update document 2019-08-21 18:47:49 -07:00			`### Allow OR across overlay pattern`
			`In some cases one content can be defined at a different level. For example, a security context can be defined at the Pod or Container level. The validation rule should pass if one of the conditions is met.`
			`anyPattern` can be used to check on at least one of condition, it is the array of pattern, and the rule will be passed if at least one pattern is true.

			<small>Note: either `pattern` or `anyPattern` is allowed in each rule, they can't be decalred in the same rule.</small>

			````yaml
			`apiVersion: kyverno.io/v1alpha1`
			`kind: Policy`
			`metadata:`
			`name: check-container-security-context`
			`spec:`
			`rules:`
			`- name: check-root-user`
			`exclude:`
			`resources:`
			`namespaces:`
			`- kube-system`
			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
			`message: "Root user is not allowed. Set runAsNonRoot to true."`
			`anyPattern:`
			`- spec:`
			`securityContext:`
			`runAsNonRoot: true`
			`- spec:`
			`containers:`
			`- name: "*"`
			`securityContext:`
			`runAsNonRoot: true`
			````


add link to examples folder 2019-05-22 00:15:06 -07:00			`Additional examples are available in [examples](/examples/)`

- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00
			`---`
fix indexing and update overlay docs 2019-06-12 13:50:08 -07:00			`<small>Read Next >> [Generate](/documentation/writing-policies-mutate.md)</small>`