2023-09-15 18:18:46 +02:00
|
|
|
---
|
2022-01-20 13:59:16 +05:30
|
|
|
apiVersion: kyverno.io/v1
|
|
|
|
|
kind: ClusterPolicy
|
|
|
|
|
metadata:
|
|
|
|
|
annotations:
|
|
|
|
|
policies.kyverno.io/category: Labels
|
2023-09-15 18:18:46 +02:00
|
|
|
policies.kyverno.io/description: This policy prevents the use of an label beginning
|
|
|
|
|
with a common key name (in this case "platform.das-schiff.telekom.de/owner |
|
|
|
|
|
owner"). This can be useful to ensure users either don't set reserved labels
|
|
|
|
|
or to force them to use a newer version of an label.
|
2022-01-20 13:59:16 +05:30
|
|
|
policies.kyverno.io/minversion: 1.3.0
|
2023-09-15 18:18:46 +02:00
|
|
|
policies.kyverno.io/title: Restrict Labels on Namespaces
|
|
|
|
|
labels:
|
|
|
|
|
policy.schiff.telekom.de: enforced
|
|
|
|
|
name: restrict-labels
|
2022-01-20 13:59:16 +05:30
|
|
|
spec:
|
2023-09-15 18:18:46 +02:00
|
|
|
admission: true
|
2022-01-20 13:59:16 +05:30
|
|
|
background: false
|
|
|
|
|
rules:
|
2023-09-15 18:18:46 +02:00
|
|
|
- exclude:
|
|
|
|
|
any:
|
|
|
|
|
- clusterRoles:
|
|
|
|
|
- cluster-admin
|
|
|
|
|
resources: {}
|
2022-01-20 13:59:16 +05:30
|
|
|
match:
|
2023-09-15 18:18:46 +02:00
|
|
|
any:
|
|
|
|
|
- resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Namespace
|
|
|
|
|
name: restrict-labels
|
2022-01-20 13:59:16 +05:30
|
|
|
validate:
|
2023-09-15 18:18:46 +02:00
|
|
|
message: Every namespace has to have `platform.das-schiff.telekom.de/owner`
|
|
|
|
|
label. It must not have value `das-schiff` which is reserved for system namespaces
|
2022-01-20 13:59:16 +05:30
|
|
|
pattern:
|
|
|
|
|
metadata:
|
|
|
|
|
labels:
|
2023-09-15 18:18:46 +02:00
|
|
|
=(schiff.telekom.de/owner): '!schiff'
|
|
|
|
|
platform.das-schiff.telekom.de/owner: '!das-schiff'
|
2024-08-27 23:07:57 +03:00
|
|
|
failureAction: Enforce
|
