kyverno/documentation/writing-policies-generate.md

<small>*[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Generate Resources*</small>

# Generating Resources 

The ```generate``` rule can used to create additional resources when a new resource is created. This is useful to create supporting resources, such as new role bindings for a new namespace.

The `generate` rule supports `match` and `exclude` blocks, like other rules. Hence, the trigger for applying this rule can be the creation of any resource and its possible to match or exclude API requests based on subjects, roles, etc. 

The generate rule triggers during a API CREATE operation and does not support [background processing](/documentation/writing-policies-background.md). To keep resources synchronized across changes you can use `synchronize : true`.

This policy sets the Zookeeper and Kafka connection strings for all namespaces.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "zk-kafka-address"
spec:
  rules:
    - name: "zk-kafka-address"
      match:
        resources:
          kinds:
            - Namespace
      generate:
        synchronize: true
        kind: ConfigMap
        name: zk-kafka-address
        # generate the resource in the new namespace
        namespace: "{{request.object.metadata.name}}"
        data:
          kind: ConfigMap
          data:
            ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
            KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
```

## Example 1

````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: basic-policy
spec:
  rules:
    - name: "Generate ConfigMap"
      match:
        resources:
          kinds: 
          - Namespace
      generate:
        kind: ConfigMap # Kind of resource 
        name: default-config # Name of the new Resource
        namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
        synchronize : true
        clone:
          namespace: default
          name: config-template
    - name: "Generate Secret (insecure)"
      match:
        resources:
          kinds: 
          - Namespace
      generate:
        kind: Secret
        name: mongo-creds
        namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
        data:
          data:
            DB_USER: YWJyYWthZGFicmE=
            DB_PASSWORD: YXBwc3dvcmQ=
        metadata:
          labels:
            purpose: mongo
````

In this example new namespaces will receive 2 new resources after its creation:
  * A `ConfigMap` cloned from `default/config-template`.
  * A `Secret` with values `DB_USER` and `DB_PASSWORD`, and label `purpose: mongo`.


## Example 2
````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: "default"
spec:
  rules:
  - name: "deny-all-traffic"
    match:
      resources: 
        kinds:
        - Namespace
        name: "*"
    generate: 
      kind: NetworkPolicy
      name: deny-all-traffic
      namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
      data:
        spec:
          # select all pods in the namespace
          podSelector: {}
          policyTypes: 
          - Ingress
        metadata:
          labels:
            policyname: "default"
````

In this example new namespaces will receive a `NetworkPolicy` that by default denies all inbound and outbound traffic.

---

<small>*Read Next >> [Variables](/documentation/writing-policies-variables.md)*</small>
update titles 2020-02-06 00:10:36 -08:00			`<small>[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Generate Resources</small>`
update links and consolidate test docs 2019-05-21 15:50:36 -07:00
Bugfix/update docs for deny rules (#886) * - support wildcards for namespaces * do not annotate resource, unless policy is an autogen policy * close HTTP body * improve messages * - update docs for deny rules - add presentations and videos to README.md 2020-05-28 11:22:47 -07:00			`# Generating Resources`
update links and consolidate test docs 2019-05-21 15:50:36 -07:00
Update writing-policies-generate.md 2020-02-07 10:21:47 -08:00			The ```generate``` rule can used to create additional resources when a new resource is created. This is useful to create supporting resources, such as new role bindings for a new namespace.

			The `generate` rule supports `match` and `exclude` blocks, like other rules. Hence, the trigger for applying this rule can be the creation of any resource and its possible to match or exclude API requests based on subjects, roles, etc.

update README.md - community and restructure 2020-07-03 08:40:24 -07:00			The generate rule triggers during a API CREATE operation and does not support [background processing](/documentation/writing-policies-background.md). To keep resources synchronized across changes you can use `synchronize : true`.
Synchronize data for generated resources (#933) * Generate request added fro update resource * synchronize flag added * documentation added for keeping resource synchronized Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com> 2020-06-22 18:49:43 -07:00
update README.md - community and restructure 2020-07-03 08:40:24 -07:00			`This policy sets the Zookeeper and Kafka connection strings for all namespaces.`

			```yaml
			`apiVersion: kyverno.io/v1`
			`kind: ClusterPolicy`
			`metadata:`
			`name: "zk-kafka-address"`
			`spec:`
			`rules:`
			`- name: "zk-kafka-address"`
			`match:`
			`resources:`
			`kinds:`
			`- Namespace`
			`generate:`
			`synchronize: true`
			`kind: ConfigMap`
			`name: zk-kafka-address`
			`# generate the resource in the new namespace`
			`namespace: "{{request.object.metadata.name}}"`
			`data:`
			`kind: ConfigMap`
			`data:`
			`ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"`
			`KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"`
			```
update links and consolidate test docs 2019-05-21 15:50:36 -07:00
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00			`## Example 1`
update examples and log text 2020-02-06 22:51:16 -08:00
34: Updated documentation 2019-05-22 18:14:10 +03:00			````yaml
update api in doc 2019-11-13 13:55:27 -08:00			`apiVersion: kyverno.io/v1`
change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00			`kind: ClusterPolicy`
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00			`metadata:`
			`name: basic-policy`
			`spec:`
34: Updated documentation 2019-05-22 18:14:10 +03:00			`rules:`
593 feature (#594) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * initial commit * fix trailing quote in patch * remove comments * initial condition (equal & notequal) * initial support for conditions * initial support fo conditions in generate * support precondition checks * cleanup * re-evaluate GR on namespace update using dynamic informers * add status for generated resources * display loaded variable SA * support delete cleanup of generate request main resources * fix log * remove namespace from SA username * support multiple variables per statement for scalar values * fix fail variables * add check for userInfo * validation checks for conditions * update policy * refactor logs * code review * add openapispec for clusterpolicy preconditions * Update documentation * CR fixes * documentation * CR fixes * update variable * fix logs * update policy * pre-defined variables (serviceAccountName & serviceAccountNamespace) * update test 2020-01-07 15:13:57 -08:00			`- name: "Generate ConfigMap"`
update documentation 2019-08-21 15:49:34 -07:00			`match:`
			`resources:`
			`kinds:`
			`- Namespace`
34: Updated documentation 2019-05-22 18:14:10 +03:00			`generate:`
593 feature (#594) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * initial commit * fix trailing quote in patch * remove comments * initial condition (equal & notequal) * initial support for conditions * initial support fo conditions in generate * support precondition checks * cleanup * re-evaluate GR on namespace update using dynamic informers * add status for generated resources * display loaded variable SA * support delete cleanup of generate request main resources * fix log * remove namespace from SA username * support multiple variables per statement for scalar values * fix fail variables * add check for userInfo * validation checks for conditions * update policy * refactor logs * code review * add openapispec for clusterpolicy preconditions * Update documentation * CR fixes * documentation * CR fixes * update variable * fix logs * update policy * pre-defined variables (serviceAccountName & serviceAccountNamespace) * update test 2020-01-07 15:13:57 -08:00			`kind: ConfigMap # Kind of resource`
			`name: default-config # Name of the new Resource`
update examples and log text 2020-02-06 22:51:16 -08:00			`namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule`
Synchronize data for generated resources (#933) * Generate request added fro update resource * synchronize flag added * documentation added for keeping resource synchronized Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com> 2020-06-22 18:49:43 -07:00			`synchronize : true`
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00			`clone:`
34: Updated documentation 2019-05-22 18:14:10 +03:00			`namespace: default`
			`name: config-template`
update examples and log text 2020-02-06 22:51:16 -08:00			`- name: "Generate Secret (insecure)"`
update documentation 2019-08-21 15:49:34 -07:00			`match:`
			`resources:`
			`kinds:`
			`- Namespace`
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00			`generate:`
			`kind: Secret`
34: Updated documentation 2019-05-22 18:14:10 +03:00			`name: mongo-creds`
update examples and log text 2020-02-06 22:51:16 -08:00			`namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule`
34: Updated documentation 2019-05-22 18:14:10 +03:00			`data:`
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00			`data:`
			`DB_USER: YWJyYWthZGFicmE=`
			`DB_PASSWORD: YXBwc3dvcmQ=`
			`metadata:`
			`labels:`
			`purpose: mongo`
34: Updated documentation 2019-05-22 18:14:10 +03:00			````

update examples and log text 2020-02-06 22:51:16 -08:00			`In this example new namespaces will receive 2 new resources after its creation:`
fixed some typos 2020-04-02 22:28:09 -07:00			* A `ConfigMap` cloned from `default/config-template`.
			* A `Secret` with values `DB_USER` and `DB_PASSWORD`, and label `purpose: mongo`.
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00
Update writing-policies-generate.md 2019-05-22 18:15:35 +03:00
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00			`## Example 2`
			````yaml
update api in doc 2019-11-13 13:55:27 -08:00			`apiVersion: kyverno.io/v1`
change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00			`kind: ClusterPolicy`
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00			`metadata:`
			`name: "default"`
			`spec:`
			`rules:`
			`- name: "deny-all-traffic"`
update documentation 2019-08-21 15:49:34 -07:00			`match:`
			`resources:`
			`kinds:`
			`- Namespace`
			`name: "*"`
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00			`generate:`
			`kind: NetworkPolicy`
			`name: deny-all-traffic`
update examples and log text 2020-02-06 22:51:16 -08:00			`namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule`
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00			`data:`
			`spec:`
update examples 2020-02-07 12:03:53 -08:00			`# select all pods in the namespace`
			`podSelector: {}`
			`policyTypes:`
			`- Ingress`
update namespace trigger + update documentation 2019-06-03 16:02:34 -07:00			`metadata:`
			`labels:`
			`policyname: "default"`
			````
fix name and text 2019-06-12 16:47:22 -07:00
fixed some typos 2020-04-02 22:28:09 -07:00			In this example new namespaces will receive a `NetworkPolicy` that by default denies all inbound and outbound traffic.
update links and consolidate test docs 2019-05-21 15:50:36 -07:00
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`---`
update docs for new features 2020-02-06 00:04:19 -08:00
			`<small>Read Next >> [Variables](/documentation/writing-policies-variables.md)</small>`
update links and consolidate test docs 2019-05-21 15:50:36 -07:00