kyverno/documentation/writing-policies.md

<small>*[documentation](/README.md#documentation) / Writing Policies*</small>

# Writing Policies

The following picture shows the structure of a Kyverno Policy:

![KyvernoPolicy](images/Kyverno-Policy-Structure.png)

Each Kyverno policy contains one or more rules. Each rule has a `match` clause, an optional `exclude` clause, and one of a `mutate`, `validate`, or `generate` clause.

The match / exclude clauses have the same structure, and can contain the following elements:
* resources: select resources by name, namespaces, kinds, and label selectors.
* subjects: select users, user groups, and service accounts
* roles: select namespaced roles
* clusterroles: select cluster wide roles

When Kyverno receives an admission controller request, i.e. a validation or mutation webhook, it first checks to see if the resource and user information matches or should be excluded from processing. If both checks pass, then the rule logic to mutate, validate, or generate resources is applied.

The following YAML provides an example for a match clause.

````yaml
apiVersion : kyverno.io/v1
kind : ClusterPolicy
metadata :
  name : policy
spec :
  # 'enforce' to block resource request if any rules fail
  # 'audit' to allow resource request on failure of rules, but create policy violations to report them
  validationFailureAction: enforce
  # Each policy has a list of rules applied in declaration order
  rules:
    # Rules must have a unique name
    - name: "check-pod-controller-labels"      
      # Each rule matches specific resource described by "match" field.
      match:
        resources:
          kinds: # Required, list of kinds
          - Deployment
          - StatefulSet
          name: "mongo*" # Optional, a resource name is optional. Name supports wildcards (* and ?)
          namespaces: # Optional, list of namespaces. Supports wildcards (* and ?)
          - "dev*"
          - test
          selector: # Optional, a resource selector is optional. Values support wildcards (* and ?)
              matchLabels:
                  app: mongodb
              matchExpressions:
                  - {key: tier, operator: In, values: [database]}
        # Optional, subjects to be matched
        subjects:
        - kind: User
          name: mary@somecorp.com
        # Optional, roles to be matched
        roles:
        # Optional, clusterroles to be matched
        clusterroles: cluster-admin

        ...

````

Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. These actions are applied to the resource in described order: mutation, validation and then generation.


---
<small>*Read Next >> [Validate Resources](/documentation/writing-policies-validate.md)*</small>
update links and consolidate test docs 2019-05-21 15:50:36 -07:00			`<small>[documentation](/README.md#documentation) / Writing Policies</small>`
update installation doc 2019-05-21 14:44:04 -07:00
add placeholders for docs 2019-05-21 11:06:03 -07:00			`# Writing Policies`
update installation doc 2019-05-21 14:44:04 -07:00
add docs for rule structure match / exclude 2019-11-13 14:18:28 -08:00			`The following picture shows the structure of a Kyverno Policy:`

fix link 2019-11-13 14:22:54 -08:00			`![KyvernoPolicy](images/Kyverno-Policy-Structure.png)`
add docs for rule structure match / exclude 2019-11-13 14:18:28 -08:00
update docs for new features 2020-02-06 00:04:19 -08:00			Each Kyverno policy contains one or more rules. Each rule has a `match` clause, an optional `exclude` clause, and one of a `mutate`, `validate`, or `generate` clause.

			`The match / exclude clauses have the same structure, and can contain the following elements:`
			`* resources: select resources by name, namespaces, kinds, and label selectors.`
add service accounts to subjects 2020-02-06 00:42:01 -08:00			`* subjects: select users, user groups, and service accounts`
update docs for new features 2020-02-06 00:04:19 -08:00			`* roles: select namespaced roles`
			`* clusterroles: select cluster wide roles`
add docs for rule structure match / exclude 2019-11-13 14:18:28 -08:00
			`When Kyverno receives an admission controller request, i.e. a validation or mutation webhook, it first checks to see if the resource and user information matches or should be excluded from processing. If both checks pass, then the rule logic to mutate, validate, or generate resources is applied.`

update docs for new features 2020-02-06 00:04:19 -08:00			`The following YAML provides an example for a match clause.`
update installation doc 2019-05-21 14:44:04 -07:00
			````yaml
update api in doc 2019-11-13 13:55:27 -08:00			`apiVersion : kyverno.io/v1`
change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00			`kind : ClusterPolicy`
update installation doc 2019-05-21 14:44:04 -07:00			`metadata :`
			`name : policy`
			`spec :`
set default ValidationFailureAction to 'audit' 2019-09-06 10:18:45 -07:00			`# 'enforce' to block resource request if any rules fail`
			`# 'audit' to allow resource request on failure of rules, but create policy violations to report them`
			`validationFailureAction: enforce`
update installation doc 2019-05-21 14:44:04 -07:00			`# Each policy has a list of rules applied in declaration order`
			`rules:`
fix indexing and update overlay docs 2019-06-12 13:50:08 -07:00			`# Rules must have a unique name`
			`- name: "check-pod-controller-labels"`
update documentation 2019-08-21 14:18:44 -07:00			`# Each rule matches specific resource described by "match" field.`
			`match:`
			`resources:`
update documentation 2019-08-21 15:49:34 -07:00			`kinds: # Required, list of kinds`
update documentation 2019-08-21 14:18:44 -07:00			`- Deployment`
			`- StatefulSet`
update docs for new features 2020-02-06 00:04:19 -08:00			`name: "mongo" # Optional, a resource name is optional. Name supports wildcards ( and ?)`
			`namespaces: # Optional, list of namespaces. Supports wildcards (* and ?)`
support wild cards for namespaces in rule resource description 2019-09-12 17:11:55 -07:00			`- "dev*"`
			`- test`
update docs for new features 2020-02-06 00:04:19 -08:00			`selector: # Optional, a resource selector is optional. Values support wildcards (* and ?)`
update documentation 2019-08-21 15:49:34 -07:00			`matchLabels:`
			`app: mongodb`
			`matchExpressions:`
			`- {key: tier, operator: In, values: [database]}`
add docs for rule structure match / exclude 2019-11-13 14:18:28 -08:00			`# Optional, subjects to be matched`
			`subjects:`
fix doc 2019-11-14 13:34:41 -08:00			`- kind: User`
add docs for rule structure match / exclude 2019-11-13 14:18:28 -08:00			`name: mary@somecorp.com`
			`# Optional, roles to be matched`
			`roles:`
			`# Optional, clusterroles to be matched`
update docs for new features 2020-02-06 00:04:19 -08:00			`clusterroles: cluster-admin`
593 feature (#594) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * initial commit * fix trailing quote in patch * remove comments * initial condition (equal & notequal) * initial support for conditions * initial support fo conditions in generate * support precondition checks * cleanup * re-evaluate GR on namespace update using dynamic informers * add status for generated resources * display loaded variable SA * support delete cleanup of generate request main resources * fix log * remove namespace from SA username * support multiple variables per statement for scalar values * fix fail variables * add check for userInfo * validation checks for conditions * update policy * refactor logs * code review * add openapispec for clusterpolicy preconditions * Update documentation * CR fixes * documentation * CR fixes * update variable * fix logs * update policy * pre-defined variables (serviceAccountName & serviceAccountNamespace) * update test 2020-01-07 15:13:57 -08:00
update docs for new features 2020-02-06 00:04:19 -08:00			`...`
add background processing documentation (#650) * add background processing documentation * update cmd line arg * CR changes 2020-02-04 14:55:12 -08:00
update docs for new features 2020-02-06 00:04:19 -08:00			````
add background processing documentation (#650) * add background processing documentation * update cmd line arg * CR changes 2020-02-04 14:55:12 -08:00
update docs for new features 2020-02-06 00:04:19 -08:00			`Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single mutate, validate, or generate child node. These actions are applied to the resource in described order: mutation, validation and then generation.`
PR fixes 2020-01-31 17:44:56 -08:00
add auto-gen markdown 2020-01-31 14:30:49 -08:00
- add validation example - update docs for validation 2019-05-22 00:09:45 -07:00			`---`
fix case and text 2020-02-06 00:16:04 -08:00			`<small>Read Next >> [Validate Resources](/documentation/writing-policies-validate.md)</small>`