kyverno/test/cli/test-validating-admission-policy/with-namespaceObject-2/policy.yaml

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: "check-deployment-namespace"
spec:
  matchConstraints:
    resourceRules:
    - apiGroups:
      - apps
      apiVersions:
      - v1
      operations:
      - CREATE
      - UPDATE
      resources:
      - deployments
  validations:
  - expression: "namespaceObject.metadata.name != 'default'"
    message: "Using 'default' namespace is not allowed for pod controllers."
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "check-deployment-namespace-binding"
spec:
  policyName: "check-deployment-namespace"
  validationActions: [Deny]
  matchResources:
    objectSelector:
      matchLabels:
        app: nginx
fix: evaluate namespaceObject for VAPs in the CLI (#9978) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2024-04-19 18:20:03 +08:00			`apiVersion: admissionregistration.k8s.io/v1beta1`
			`kind: ValidatingAdmissionPolicy`
			`metadata:`
			`name: "check-deployment-namespace"`
			`spec:`
			`matchConstraints:`
			`resourceRules:`
			`- apiGroups:`
			`- apps`
			`apiVersions:`
			`- v1`
			`operations:`
			`- CREATE`
			`- UPDATE`
			`resources:`
			`- deployments`
			`validations:`
			`- expression: "namespaceObject.metadata.name != 'default'"`
			`message: "Using 'default' namespace is not allowed for pod controllers."`
			`---`
			`apiVersion: admissionregistration.k8s.io/v1beta1`
			`kind: ValidatingAdmissionPolicyBinding`
			`metadata:`
			`name: "check-deployment-namespace-binding"`
			`spec:`
			`policyName: "check-deployment-namespace"`
			`validationActions: [Deny]`
			`matchResources:`
			`objectSelector:`
			`matchLabels:`
			`app: nginx`