update document

2025-04-08 18:15:48 +00:00 · 2019-08-21 18:47:49 -07:00 · 2019-08-21 18:47:49 -07:00 · 6f875bbac2
commit 6f875bbac2
parent 31566844bb
2 changed files with 37 additions and 5 deletions
--- a/documentation/writing-policies-validate.md
+++ b/documentation/writing-policies-validate.md
@ -101,6 +101,42 @@ spec :
                    mem)ory: "2048Mi"
 ````

+### Allow OR across overlay pattern
+In some cases one content can be defined at a different level. For example, a security context can be defined at the Pod or Container level. The validation rule should pass if one of the conditions is met. 
+`anyPattern` can be used to check on at least one of condition, it is the array of pattern, and the rule will be passed if at least one pattern is true.
+
+<small>*Note: either `pattern` or `anyPattern` is allowed in each rule, they can't be decalred in the same rule.*</small>
+
+````yaml
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-container-security-context
+spec:
+  rules:
+  - name: check-root-user
+    exclude:
+      resources:
+        namespaces: 
+        - kube-system
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Root user is not allowed. Set runAsNonRoot to true."
+      anyPattern:
+        - spec:
+            securityContext:
+              runAsNonRoot: true
+        - spec:
+            containers:
+            - name: "*"
+              securityContext:
+                runAsNonRoot: true
+````
+
+
 Additional examples are available in [examples](/examples/)


--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@ -80,10 +80,6 @@ func (ws *WebhookServer) validateOverlayPattern(policy *kyverno.Policy) *v1beta1

 // Verify if the Rule names are unique within a policy
 func (ws *WebhookServer) validateUniqueRuleName(policy *kyverno.Policy) *v1beta1.AdmissionResponse {
-	// =======
-	// func (ws *WebhookServer) validateUniqueRuleName(rawPolicy []byte) *v1beta1.AdmissionResponse {
-	// 	var policy *kyverno.Policy
-	// >>>>>>> policyViolation
 	var ruleNames []string

 	for _, rule := range policy.Spec.Rules {
@ -101,7 +97,7 @@ func (ws *WebhookServer) validateUniqueRuleName(policy *kyverno.Policy) *v1beta1
 		ruleNames = append(ruleNames, rule.Name)
 	}

-	glog.V(3).Infof("Policy validation passed")
+	glog.V(4).Infof("Policy validation passed")
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 	}