kyverno/documentation/writing-policies.md

<small>*[documentation](/README.md#documentation) / Writing Policies*</small>

# Writing Policies

A Kyverno policy contains a set of rules. Each rule matches resources by kind, name, or selectors.

````yaml
apiVersion : kyverno.io/v1alpha1
kind : ClusterPolicy
metadata :
  name : policy
spec :
  # Each policy has a list of rules applied in declaration order
  rules:
    # Rules must have a unique name
    - name: "check-pod-controller-labels"      
      # Each rule matches specific resource described by "match" field.
      match:
        resources:
          kinds: # Required, list of kinds
          - Deployment
          - StatefulSet
          name: "mongo*" # Optional, a resource name is optional. Name supports wildcards * and ?
          namespaces: # Optional, list of namespaces
          - devtest2
          - devtest1
          selector: # Optional, a resource selector is optional. Selector values support wildcards * and ?
              matchLabels:
                  app: mongodb
              matchExpressions:
                  - {key: tier, operator: In, values: [database]}
      # Resources that need to be excluded
      exclude: # Optional, resources to be excluded from evaulation
        resources:
          kinds:
          - Daemonsets
          name: "*"
          namespaces:
          - devtest2
          selector:
              matchLabels:
                  app: mongodb
              matchExpressions:
                  - {key: tier, operator: In, values: [database]}
    
     # Each rule can contain a single validate, mutate, or generate directive
     ...
````

Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. These actions are applied to the resource in described order: mutation, validation and then generation.

**Resource description:**
* ```match``` is a required key that defines the parameters which identify the resources that need to matched

* ```exclude``` is an option key to exclude resources from the application of the rule

---
<small>*Read Next >> [Validate](/documentation/writing-policies-validate.md)*</small>
update links and consolidate test docs 2019-05-21 15:50:36 -07:00			`<small>[documentation](/README.md#documentation) / Writing Policies</small>`
update installation doc 2019-05-21 14:44:04 -07:00
add placeholders for docs 2019-05-21 11:06:03 -07:00			`# Writing Policies`
update installation doc 2019-05-21 14:44:04 -07:00
			`A Kyverno policy contains a set of rules. Each rule matches resources by kind, name, or selectors.`

			````yaml
			`apiVersion : kyverno.io/v1alpha1`
change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00			`kind : ClusterPolicy`
update installation doc 2019-05-21 14:44:04 -07:00			`metadata :`
			`name : policy`
			`spec :`
			`# Each policy has a list of rules applied in declaration order`
			`rules:`
fix indexing and update overlay docs 2019-06-12 13:50:08 -07:00			`# Rules must have a unique name`
			`- name: "check-pod-controller-labels"`
update documentation 2019-08-21 14:18:44 -07:00			`# Each rule matches specific resource described by "match" field.`
			`match:`
			`resources:`
update documentation 2019-08-21 15:49:34 -07:00			`kinds: # Required, list of kinds`
update documentation 2019-08-21 14:18:44 -07:00			`- Deployment`
			`- StatefulSet`
update documentation 2019-08-21 15:49:34 -07:00			`name: "mongo" # Optional, a resource name is optional. Name supports wildcards and ?`
			`namespaces: # Optional, list of namespaces`
			`- devtest2`
			`- devtest1`
			`selector: # Optional, a resource selector is optional. Selector values support wildcards * and ?`
			`matchLabels:`
			`app: mongodb`
			`matchExpressions:`
			`- {key: tier, operator: In, values: [database]}`
			`# Resources that need to be excluded`
			`exclude: # Optional, resources to be excluded from evaulation`
			`resources:`
			`kinds:`
			`- Daemonsets`
update documentation 2019-08-21 14:18:44 -07:00			`name: "*"`
update documentation 2019-08-21 15:49:34 -07:00			`namespaces:`
			`- devtest2`
update documentation 2019-08-21 14:18:44 -07:00			`selector:`
			`matchLabels:`
			`app: mongodb`
			`matchExpressions:`
			`- {key: tier, operator: In, values: [database]}`
update documentation 2019-08-21 15:49:34 -07:00
update installation doc 2019-05-21 14:44:04 -07:00			`# Each rule can contain a single validate, mutate, or generate directive`
			`...`
			````

34: Updated documentation 2019-05-22 18:14:10 +03:00			`Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single mutate, validate, or generate child node. These actions are applied to the resource in described order: mutation, validation and then generation.`
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00
update documentation 2019-08-21 14:18:44 -07:00			`Resource description:`
			* ```match``` is a required key that defines the parameters which identify the resources that need to matched

			* ```exclude``` is an option key to exclude resources from the application of the rule

- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`---`
update links and consolidate test docs 2019-05-21 15:50:36 -07:00			`<small>Read Next >> [Validate](/documentation/writing-policies-validate.md)</small>`