update examples and log text

2025-03-05 07:26:55 +00:00 · 2020-02-06 22:51:16 -08:00 · 2020-02-06 22:51:16 -08:00 · d4bbae6fe8
commit d4bbae6fe8
parent 207bce7dbc
3 changed files with 20 additions and 29 deletions
--- a/README.md
+++ b/README.md
@ -32,6 +32,8 @@ kind: ClusterPolicy
 metadata:
  name: check-cpu-memory
 spec:
+  # `enforce` blocks request. `audit` reports violations
+  validationFailureAction: enforce
  rules:
  - name: check-pod-resources
    match:
@ -71,17 +73,15 @@ spec:
    match:
      resources:
        kinds:
-        - Deployment
+        - Pod
    mutate:
      overlay:
        spec:
-          template:
-            spec:
-              containers:
-                # match images which end with :latest   
-                - (image): "*:latest"
-                  # set the imagePullPolicy to "Always"
-                  imagePullPolicy: "Always"
+          containers:
+            # match images which end with :latest   
+            - (image): "*:latest"
+              # set the imagePullPolicy to "Always"
+              imagePullPolicy: "Always"
 ````

 ### 3. Generating resources
@ -100,13 +100,10 @@ spec:
      resources:
        kinds:
          - Namespace
-        selector:
-          matchExpressions:
-          - {key: kafka, operator: Exists}
    generate:
      kind: ConfigMap
      name: zk-kafka-address
-      # create the resource in the new namespace
+      # generate the resource in the new namespace
      namespace: "{{request.object.metadata.name}}"
      data:
        kind: ConfigMap
--- a/documentation/writing-policies-generate.md
+++ b/documentation/writing-policies-generate.md
@ -5,8 +5,7 @@
 ```generate``` is used to create additional resources when a resource is created. This is useful to create supporting resources, such as role bindings for a new namespace.

 ## Example 1
- rule 
-Creates a ConfigMap with name `default-config` for all 
+
 ````yaml
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
@ -19,28 +18,22 @@ spec:
        resources:
          kinds: 
          - Namespace
-        selector:
-          matchLabels:
-            LabelForSelector : "namespace2"
      generate:
        kind: ConfigMap # Kind of resource 
        name: default-config # Name of the new Resource
-        namespace: "{{request.object.metadata.name}}" # Create in the namespace that triggers this rule
+        namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
        clone:
          namespace: default
          name: config-template
-    - name: "Generate Secret"
+    - name: "Generate Secret (insecure)"
      match:
        resources:
          kinds: 
          - Namespace
-        selector:
-          matchLabels:
-            LabelForSelector : "namespace2"
      generate:
        kind: Secret
        name: mongo-creds
-        namespace: "{{request.object.metadata.name}}" # Create in the namespace that triggers this rule
+        namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
        data:
          data:
            DB_USER: YWJyYWthZGFicmE=
@ -50,9 +43,9 @@ spec:
            purpose: mongo
 ````

-In this example, when this policy is applied, any new namespace that satisfies the label selector will receive 2 new resources after its creation:
-  * ConfigMap copied from default/config-template.
-  * Secret with values DB_USER and DB_PASSWORD, and label ```purpose: mongo```.
+In this example new namespaces will receive 2 new resources after its creation:
+  * A ConfigMap cloned from default/config-template.
+  * A Secret with values DB_USER and DB_PASSWORD, and label ```purpose: mongo```.


 ## Example 2
@ -72,7 +65,7 @@ spec:
    generate: 
      kind: NetworkPolicy
      name: deny-all-traffic
-      namespace: "{{request.object.metadata.name}}" # Create in the namespace that triggers this rule
+      namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
      data:
        spec:
        podSelector:
@ -84,7 +77,7 @@ spec:
            policyname: "default"
 ````

-In this example, when the policy is applied, any new namespace will receive a NetworkPolicy based on the specified template that by default denies all inbound and outbound traffic.
+In this example new namespaces will receive a NetworkPolicy that default denies all inbound and outbound traffic.

 ---

--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@ -109,8 +109,9 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error
 	// update resource
 	_, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Update(newPv)
 	if err != nil {
-		return fmt.Errorf("failed to update namespaced polciy violation: %v", err)
+		return fmt.Errorf("failed to update namespaced policy violation: %v", err)
 	}
+
 	glog.Infof("namespaced policy violation updated for resource %v", newPv.Spec.ResourceSpec)
 	return nil
 }