mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Merge pull request #665 from nirmata/linter_improve

Browse source 
Add doc on how to write policy to generate rule for pod controllers.
This commit is contained in:
Jim Bugwadia 2020-01-31 18:51:32 -08:00 committed by GitHub
commit ad9d82b215
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
documentation/writing-policies.md
View file

@ -131,5 +131,16 @@ Operators supported:
- Equal
- NotEqual
# Auto generating rules for pod controllers
Writing policies on pods helps address all pod creation flows, but results in errors not being reported when a pod controller object is created. Kyverno solves this issue, by automatically generating rules for pod controllers from a rule written for a pod.
This behavior is controlled by the pod-policies.kyverno.io/autogen-controllers annotation. By default, Kyverno inserts an annotation `pod-policies.kyverno.io/autogen-controllers=all`, to generate an additional rule that is applied to pod controllers: DaemonSet, Deployment, Job, StatefulSet.
Change the annotation `pod-policies.kyverno.io/autogen-controllers` to customize the applicable pod controllers of the auto-gen rule. For example, Kyverno generates the rule for `Deployment` if the annotation of policy is defined as `pod-policies.kyverno.io/autogen-controllers=Deployment`. If `name` or `labelSelector` is specified in the match / exclude block, Kyverno skips generating pod controllers rule as these filters may not be applicable to pod controllers.
To disable auto-generating rules for pod controllers, set `pod-policies.kyverno.io/autogen-controllers=none`.
---
<small>*Read Next >> [Validate](/documentation/writing-policies-validate.md)*</small>