kyverno/test/more/ensure_probes_different.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-probes
  annotations:
    # Only applies to pods originating from DaemonSet, Deployment, or StatefulSet.
    pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
spec:
  validationFailureAction: enforce
  background: false
  rules:
    # Checks the first container in a Pod.
    - name: validate-probes-c0
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Liveness and readiness probes cannot be the same."
        # A `deny` rule is different in structure than a `validate` rule and inverts the check. It uses `conditions` written in JMESPath notation upon which to base its decisions.
        deny:
          conditions:
          # In this condition, it checks the entire map structure of the `readinessProbe` against that of the `livenessProbe`. If both are found to be equal, the Pod creation
          # request will be denied.
          - key: "{{ request.object.spec.containers[0].readinessProbe }}"
            operator: Equals
            value: "{{ request.object.spec.containers[0].livenessProbe }}"
    # Checks the second container in a Pod.
    - name: validate-probes-c1
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Liveness and readiness probes cannot be the same."
        deny:
          conditions:
          - key: "{{ request.object.spec.containers[1].readinessProbe }}"
            operator: Equals
            value: "{{ request.object.spec.containers[1].livenessProbe }}"
    # Checks the third container in a Pod.
    - name: validate-probes-c2
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Liveness and readiness probes cannot be the same."
        deny:
          conditions:
          - key: "{{ request.object.spec.containers[2].readinessProbe }}"
            operator: Equals
            value: "{{ request.object.spec.containers[2].livenessProbe }}"
    # Checks the fourth container in a Pod.
    - name: validate-probes-c3
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "Liveness and readiness probes cannot be the same."
        deny:
          conditions:
          - key: "{{ request.object.spec.containers[3].readinessProbe }}"
            operator: Equals
            value: "{{ request.object.spec.containers[3].livenessProbe }}"
Add new sample policies (#1272) * new samples; updates * typos * add policy to restrict LoadBalancer * correct sample numbering * fix typos * add EnsurePodProbesDifferent * add DisallowSecrets policy * add AddDefaultLabels policy * typo 2020-11-18 17:58:32 -05:00			`apiVersion: kyverno.io/v1`
			`kind: ClusterPolicy`
			`metadata:`
			`name: validate-probes`
			`annotations:`
			`# Only applies to pods originating from DaemonSet, Deployment, or StatefulSet.`
			`pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet`
			`spec:`
			`validationFailureAction: enforce`
			`background: false`
			`rules:`
			`# Checks the first container in a Pod.`
			`- name: validate-probes-c0`
			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
			`message: "Liveness and readiness probes cannot be the same."`
			# A `deny` rule is different in structure than a `validate` rule and inverts the check. It uses `conditions` written in JMESPath notation upon which to base its decisions.
			`deny:`
			`conditions:`
			# In this condition, it checks the entire map structure of the `readinessProbe` against that of the `livenessProbe`. If both are found to be equal, the Pod creation
			`# request will be denied.`
			`- key: "{{ request.object.spec.containers[0].readinessProbe }}"`
			`operator: Equals`
			`value: "{{ request.object.spec.containers[0].livenessProbe }}"`
			`# Checks the second container in a Pod.`
			`- name: validate-probes-c1`
			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
			`message: "Liveness and readiness probes cannot be the same."`
			`deny:`
			`conditions:`
			`- key: "{{ request.object.spec.containers[1].readinessProbe }}"`
			`operator: Equals`
			`value: "{{ request.object.spec.containers[1].livenessProbe }}"`
			`# Checks the third container in a Pod.`
			`- name: validate-probes-c2`
			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
			`message: "Liveness and readiness probes cannot be the same."`
			`deny:`
			`conditions:`
			`- key: "{{ request.object.spec.containers[2].readinessProbe }}"`
			`operator: Equals`
			`value: "{{ request.object.spec.containers[2].livenessProbe }}"`
			`# Checks the fourth container in a Pod.`
			`- name: validate-probes-c3`
			`match:`
			`resources:`
			`kinds:`
			`- Pod`
			`validate:`
			`message: "Liveness and readiness probes cannot be the same."`
			`deny:`
			`conditions:`
			`- key: "{{ request.object.spec.containers[3].readinessProbe }}"`
			`operator: Equals`
			`value: "{{ request.object.spec.containers[3].livenessProbe }}"`