mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity

Merge pull request #951 from realshuting/update_doc

Browse source 
Update auto-gen doc
This commit is contained in:
Jim Bugwadia 2020-06-26 17:25:40 -07:00 committed by GitHub
commit 81dc7defed
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
documentation/writing-policies-autogen.md
View file

@ -2,13 +2,15 @@
# Auto Generating Rules for Pod Controllers
Note: The Auto-Gen feature is only supported for validation rules with patterns and mutation rules with overlay. Validate - Deny rules and Generate rules are not supported.
Writing policies on pods helps address all pod creation flows. However, when pod controllers are used, pod level policies result in errors not being reported when the pod controller object is created.
Kyverno solves this issue by supporting automatic generation of policy rules for pod controllers from a rule written for a pod.
This auto-generation behavior is controlled by the `pod-policies.kyverno.io/autogen-controllers` annotation.
By default, Kyverno inserts an annotation `pod-policies.kyverno.io/autogen-controllers=all`, to generate an additional rule that is applied to pod controllers: DaemonSet, Deployment, Job, StatefulSet.
By default, Kyverno inserts an annotation `pod-policies.kyverno.io/autogen-controllers=all`, to generate an additional rule that is applied to pod controllers: DaemonSet, Deployment, Job, StatefulSet.
You can change the annotation `pod-policies.kyverno.io/autogen-controllers` to customize the target pod controllers for the auto-generated rules. For example, Kyverno generates a rule for a `Deployment` if the annotation of policy is defined as `pod-policies.kyverno.io/autogen-controllers=Deployment`.