2020-09-23 02:41:49 +05:30
< small > *[documentation ](/README.md#documentation ) / [Writing Policies ](/documentation/writing-policies.md ) / Configmap Lookup*</ small >
# Configmap Reference in Kyverno Policy
There are many cases where the values that are passed into kyverno policies are dynamic, In such a cases the values are added/ modified inside policy itself.
The Configmap Reference allows the reference of configmap values inside kyverno policy rules as a JMESPATH, So for any required changes in the values of a policy, a modification has to be done on the referred configmap.
# Defining Rule Context
2020-09-22 19:54:41 -07:00
To reference values from a ConfigMap inside any Rule, define a context inside the rule with one or more ConfigMap declarations.
2020-09-23 02:41:49 +05:30
2020-09-22 18:28:21 -07:00
````yaml
2020-09-23 02:41:49 +05:30
rules:
2020-09-22 18:28:21 -07:00
- name: example-configmap-lookup
2020-09-23 02:41:49 +05:30
# added context to define the configmap information which will be referred
context:
# unique name to identify configmap
2020-09-22 18:28:21 -07:00
- name: dictionary
2020-09-23 02:41:49 +05:30
configMap:
# configmap name - name of the configmap which will be referred
name: mycmap
# configmap namepsace - namespace of the configmap which will be referred
2020-09-22 18:28:21 -07:00
namespace: test
````
2020-09-23 02:41:49 +05:30
Referenced Configmap Definition
2020-09-22 18:28:21 -07:00
````yaml
2020-09-23 02:41:49 +05:30
apiVersion: v1
data:
2020-09-22 18:28:21 -07:00
env: production
2020-09-23 02:41:49 +05:30
kind: ConfigMap
metadata:
name: mycmap
2020-09-22 18:28:21 -07:00
````
2020-09-23 02:41:49 +05:30
# Referring Value
2020-09-22 19:54:41 -07:00
A ConfigMap that is defined inside the rule context can be referred to using its unique name within the context.
2020-09-23 02:41:49 +05:30
2020-09-22 19:54:41 -07:00
ConfigMap values can be references using a JMESPATH expression `{{<name>.<data>.<key>}}` .
2020-09-23 02:41:49 +05:30
2020-09-22 19:54:41 -07:00
For the example above, we can refer to a ConfigMap value using {{dictionary.data.env}}. The variable will be substituted with production during policy execution.
2020-09-23 02:41:49 +05:30
2020-09-22 19:54:41 -07:00
# Handling Array Values
2020-09-23 02:41:49 +05:30
2020-09-22 19:54:41 -07:00
The ConfigMap value can be an array of string values in JSON format. Kyverno will parse the JSON string to a list of strings, so set operations like In and NotIn can then be applied.
2020-09-22 18:28:21 -07:00
2020-09-22 19:54:41 -07:00
For example, a list of allowed roles can be stored in a ConfigMap, and the Kyverno policy can refer to this list to deny the requests where the role does not match the one of the values in the list.
2020-09-22 18:28:21 -07:00
2020-09-22 19:54:41 -07:00
Here are the allowed roles in the ConfigMap
2020-09-22 18:28:21 -07:00
````yaml
apiVersion: v1
data:
allowed-roles: "[\"cluster-admin\", \"cluster-operator\", \"tenant-admin\"]"
kind: ConfigMap
metadata:
name: roles-dictionary
namespace: test
````
This is a rule to deny the Deployment operation, if the value of annotation `role` is not in the allowed list:
````yaml
spec:
validationFailureAction: enforce
rules:
- name: validate-role-annotation
context:
- name: roles-dictionary
configMap:
name: roles-dictionary
namespace: test
match:
resources:
kinds:
- Deployment
preconditions:
- key: "{{ request.object.metadata.annotations.role }}"
operator: NotEquals
value: ""
validate:
message: "role {{ request.object.metadata.annotations.role }} is not in the allowed list {{ \"roles-dictionary\".data.\"allowed-roles\" }}"
deny:
conditions:
- key: "{{ request.object.metadata.annotations.role }}"
operator: NotIn
value: "{{ \"roles-dictionary\".data.\"allowed-roles\" }}"
````
2020-09-23 02:41:49 +05:30
< small > *Read Next >> [Testing Policies ](/documentation/testing-policies.md )*</ small >
