mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

corrected message in generating resources in readme

NoSkillGirl 2020-05-28 12:00:24 +05:30
parent 68c431e8f0
commit 9a41457a64

README.md

@ -6,7 +6,7 @@
Kyverno is a policy engine designed for Kubernetes. Kyverno is a policy engine designed for Kubernetes.
Kubernetes supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources. Kubernetes supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources.
Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters. Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters.
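
Review bot: the last line of this hunk still reads "cluster adminstrators" and "API requests.Kyverno allows" on the new side, and the visible text is identical on both sides. Since the line is being rewritten anyway, correct the spelling to "administrators" and add a space after the period so the change has a reader-visible effect.
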
@ -26,7 +26,7 @@ Policy enforcement is captured using Kubernetes events. Kyverno also reports pol
This policy requires that all pods have CPU and memory resource requests and limits: This policy requires that all pods have CPU and memory resource requests and limits:
````yaml ```yaml
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
@ -35,109 +35,108 @@ spec:
# `enforce` blocks the request. `audit` reports violations # `enforce` blocks the request. `audit` reports violations
validationFailureAction: enforce validationFailureAction: enforce
rules: rules:
- name: check-pod-resources - name: check-pod-resources
match: match:
resources: resources:
kinds: kinds:
- Pod - Pod
validate: validate:
message: "CPU and memory resource requests and limits are required" message: "CPU and memory resource requests and limits are required"
pattern: pattern:
spec: spec:
containers: containers:
# 'name: *' selects all containers in the pod # 'name: *' selects all containers in the pod
- name: "*" - name: "*"
resources: resources:
limits: limits:
# '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters. # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters.
# Using them together e.g. '?*' requires at least one character. # Using them together e.g. '?*' requires at least one character.
memory: "?*" memory: "?*"
cpu: "?*" cpu: "?*"
requests: requests:
memory: "?*" memory: "?*"
cpu: "?*" cpu: "?*"
```` ```
### 2. Mutating resources ### 2. Mutating resources
This policy sets the imagePullPolicy to Always if the image tag is latest: This policy sets the imagePullPolicy to Always if the image tag is latest:
````yaml ```yaml
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: set-image-pull-policy name: set-image-pull-policy
spec: spec:
rules: rules:
- name: set-image-pull-policy - name: set-image-pull-policy
match: match:
resources: resources:
kinds: kinds:
- Pod - Pod
mutate: mutate:
overlay: overlay:
spec: spec:
containers: containers:
# match images which end with :latest # match images which end with :latest
- (image): "*:latest" - (image): "*:latest"
# set the imagePullPolicy to "Always" # set the imagePullPolicy to "Always"
imagePullPolicy: "Always" imagePullPolicy: "Always"
```` ```
### 3. Generating resources ### 3. Generating resources
This policy sets the Zookeeper and Kafka connection strings for all namespaces with a label key 'kafka'. This policy sets the Zookeeper and Kafka connection strings for all namespaces.
````yaml ```yaml
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: "zk-kafka-address" name: "zk-kafka-address"
spec: spec:
rules: rules:
- name: "zk-kafka-address" - name: "zk-kafka-address"
match: match:
resources: resources:
kinds: kinds:
- Namespace - Namespace
generate: generate:
kind: ConfigMap
name: zk-kafka-address
# generate the resource in the new namespace
namespace: "{{request.object.metadata.name}}"
data:
kind: ConfigMap kind: ConfigMap
name: zk-kafka-address
# generate the resource in the new namespace
namespace: "{{request.object.metadata.name}}"
data: data:
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" kind: ConfigMap
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" data:
```` ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
```
### 4. More examples ### 4. More examples
Refer to a list of curated of ***[sample policies](/samples/README.md)*** that can be applied to your cluster. Refer to a list of curated of **_[sample policies](/samples/README.md)_** that can be applied to your cluster.
## Documentation ## Documentation
* [Getting Started](documentation/installation.md) - [Getting Started](documentation/installation.md)
* [Writing Policies](documentation/writing-policies.md) - [Writing Policies](documentation/writing-policies.md)
* [Selecting Resources](/documentation/writing-policies-match-exclude.md) - [Selecting Resources](/documentation/writing-policies-match-exclude.md)
* [Validate Resources](documentation/writing-policies-validate.md) - [Validate Resources](documentation/writing-policies-validate.md)
* [Mutate Resources](documentation/writing-policies-mutate.md) - [Mutate Resources](documentation/writing-policies-mutate.md)
* [Generate Resources](documentation/writing-policies-generate.md) - [Generate Resources](documentation/writing-policies-generate.md)
* [Variable Substitution](documentation/writing-policies-variables.md) - [Variable Substitution](documentation/writing-policies-variables.md)
* [Preconditions](documentation/writing-policies-preconditions.md) - [Preconditions](documentation/writing-policies-preconditions.md)
* [Auto-Generation of Pod Controller Policies](documentation/writing-policies-autogen.md) - [Auto-Generation of Pod Controller Policies](documentation/writing-policies-autogen.md)
* [Background Processing](documentation/writing-policies-background.md) - [Background Processing](documentation/writing-policies-background.md)
* [Testing Policies](documentation/testing-policies.md) - [Testing Policies](documentation/testing-policies.md)
* [Policy Violations](documentation/policy-violations.md) - [Policy Violations](documentation/policy-violations.md)
* [Kyverno CLI](documentation/kyverno-cli.md) - [Kyverno CLI](documentation/kyverno-cli.md)
* [Sample Policies](/samples/README.md) - [Sample Policies](/samples/README.md)
## License ## License
[Apache License 2.0](https://github.com/nirmata/kyverno/blob/master/LICENSE) [Apache License 2.0](https://github.com/nirmata/kyverno/blob/master/LICENSE)
## Alternatives ## Alternatives
### Open Policy Agent ### Open Policy Agent
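
Review bot: in section 3, the `kind`, `name` and `namespace` lines under `generate:` appear as removed and re-added with the same text, so the change there looks like indentation only. YAML indentation is significant and readers copy this policy as written, so please confirm the re-indented block still applies cleanly before merging. The corrected sentence is consistent with the rule, whose `match` selects `kinds: - Namespace` with no label selector. Two smaller points: "Refer to a list of curated of" in section 4 is still ungrammatical on the new side (suggest "Refer to a curated list of"), and the fence, bullet and emphasis-marker changes would be easier to review as a separate formatting-only commit, since the commit message mentions only the generate description.
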
@ -156,21 +155,20 @@ Refer to a list of curated of ***[sample policies](/samples/README.md)*** that c
Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations. Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations.
## Roadmap ## Roadmap
See [Milestones](https://github.com/nirmata/kyverno/milestones) and [Issues](https://github.com/nirmata/kyverno/issues). See [Milestones](https://github.com/nirmata/kyverno/milestones) and [Issues](https://github.com/nirmata/kyverno/issues).
## Getting help ## Getting help
* For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues). - For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues).
* For discussions or questions, join the **#kyverno** channel on the [Kubernetes Slack](https://kubernetes.slack.com/) or the [mailing list](https://groups.google.com/forum/#!forum/kyverno) - For discussions or questions, join the **#kyverno** channel on the [Kubernetes Slack](https://kubernetes.slack.com/) or the [mailing list](https://groups.google.com/forum/#!forum/kyverno)
## Contributing ## Contributing
Thanks for your interest in contributing! Thanks for your interest in contributing!
* Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing. - Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing.
* We encourage all contributions and encourage you to read our [contribution guidelines](./CONTRIBUTING.md). - We encourage all contributions and encourage you to read our [contribution guidelines](./CONTRIBUTING.md).
* See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation. - See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation.
* Browse through the [open issues](https://github.com/nirmata/kyverno/issues) - Browse through the [open issues](https://github.com/nirmata/kyverno/issues)
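
Review bot: the Contributing bullet "agree to abide with the Code of Conduct" should read "abide by", and the mailing-list and "open issues" bullets end without a period while their siblings have one. The hunk otherwise only swaps `*` for `-` in the lists, which is outside what the commit message describes, so consider moving it to a formatting-only commit.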