
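---
# Example Policy resource for policy.nirmata.io/v1alpha1.
# Each rule selects a resource (by kind plus name or selector) and applies
# exactly one operation to it: patch, configMapGenerator or secretGenerator.
apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
  name: examples
spec:
  # failurePolicy is optional. Defaults to stopOnError.
  # Allowed values: continueOnError | stopOnError (a single value, not a list).
  failurePolicy: stopOnError
  # The spec contains a list of rules. Each rule has a resource and an operation.
  # Allowed operations are:
  # - patch, configMapGenerator, secretGenerator
  rules:
    - resource:
        # Allowed resource kinds:
        # ConfigMap
        # CronJob
        # DaemonSet
        # Deployment
        # Endpoint
        # HorizontalPodAutoscaler
        # Ingress
        # Job
        # LimitRange
        # Namespace
        # NetworkPolicy
        # PersistentVolumeClaim
        # PodDisruptionBudget
        # PodTemplate
        # ResourceQuota
        # Secret
        # Service
        # StatefulSet
        # NOTE(review): PodTemplateSpec is not in the list above (PodTemplate is);
        # confirm which spelling the controller accepts before copying this example.
        kind: PodTemplateSpec
        # name is optional. Either a name or selector must be specified.
        # It is omitted here because this rule matches by selector; a bare
        # `name:` would parse as null rather than "unset".
        # name: ""
        # selector is optional. Either a name or a selector must be specified.
        selector:
          matchLabels:
            nirmata.io/environment.name: production
          # No expressions in this example; an explicit empty list avoids a null.
          matchExpressions: []
      # a patch contains multiple entries of path, operation, value
      # path: starts with the resource. if blank selects resource.
      # operation: Add | Replace | Delete
      # value: text, number, JSON string
      patch:
        - path: spec/terminationGracePeriodSeconds
          operation: Add
          # plain integer: the field is numeric, so it is intentionally unquoted
          value: 20
        - path: spec/containers/0/imagePullPolicy
          operation: Add
          value: Always
    - resource:
        # Kind needs to be Namespace, when operation is configMapGenerator
        kind: Namespace
        name: foo
      configMapGenerator:
        name: game-config-env-file
        # copyFrom is optional. If specified, must point to a valid config map
        copyFrom:
          namespace: some-ns
          name: some-other-config-map
        data:
          foo: bar
          # Multi-line file contents use a literal block scalar (`|`) so each
          # line is preserved; a plain scalar would fold them into one line.
          app.properties: |
            foo1=bar1
            foo2=bar2
          ui.properties: |
            foo1=bar1
            foo2=bar2
    - resource:
        # Kind needs to be Namespace, when operation is secretGenerator
        kind: Namespace
        name: foo
      secretGenerator:
        name: game-secrets
        # copyFrom appears to read a Secret from another namespace and copy it
        # into the target namespace. Whoever may create a Policy can therefore
        # move secret material across namespace boundaries; scope RBAC for this
        # resource accordingly and audit Policy creation. (TODO confirm against
        # the controller implementation.)
        copyFrom:
          namespace: some-ns
          name: some-other-secrets
        # data is optional; written as an explicit empty map rather than a null
        data: {}
status:
  # log of applied policies. We will need a way to distinguish between failed
  # and succeeded operations
  events: []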