
update examples and log text

Jim Bugwadia 2020-02-06 22:51:16 -08:00
parent 207bce7dbc
commit d4bbae6fe8
3 changed files with 20 additions and 29 deletions


@ -32,6 +32,8 @@ kind: ClusterPolicy
metadata: metadata:
name: check-cpu-memory name: check-cpu-memory
spec: spec:
# `enforce` blocks request. `audit` reports violations
validationFailureAction: enforce
rules: rules:
- name: check-pod-resources - name: check-pod-resources
match: match:
@ -71,17 +73,15 @@ spec:
match: match:
resources: resources:
kinds: kinds:
- Deployment - Pod
mutate: mutate:
overlay: overlay:
spec: spec:
template: containers:
spec: # match images which end with :latest
containers: - (image): "*:latest"
# match images which end with :latest # set the imagePullPolicy to "Always"
- (image): "*:latest" imagePullPolicy: "Always"
# set the imagePullPolicy to "Always"
imagePullPolicy: "Always"
```` ````
### 3. Generating resources ### 3. Generating resources
@ -100,13 +100,10 @@ spec:
resources: resources:
kinds: kinds:
- Namespace - Namespace
selector:
matchExpressions:
- {key: kafka, operator: Exists}
generate: generate:
kind: ConfigMap kind: ConfigMap
name: zk-kafka-address name: zk-kafka-address
# create the resource in the new namespace # generate the resource in the new namespace
namespace: "{{request.object.metadata.name}}" namespace: "{{request.object.metadata.name}}"
data: data:
kind: ConfigMap kind: ConfigMap


@ -5,8 +5,7 @@
```generate``` is used to create additional resources when a resource is created. This is useful to create supporting resources, such as role bindings for a new namespace. ```generate``` is used to create additional resources when a resource is created. This is useful to create supporting resources, such as role bindings for a new namespace.
## Example 1 ## Example 1
- rule
Creates a ConfigMap with name `default-config` for all
````yaml ````yaml
apiVersion: kyverno.io/v1 apiVersion: kyverno.io/v1
kind: ClusterPolicy kind: ClusterPolicy
@ -19,28 +18,22 @@ spec:
resources: resources:
kinds: kinds:
- Namespace - Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate: generate:
kind: ConfigMap # Kind of resource kind: ConfigMap # Kind of resource
name: default-config # Name of the new Resource name: default-config # Name of the new Resource
namespace: "{{request.object.metadata.name}}" # Create in the namespace that triggers this rule namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
clone: clone:
namespace: default namespace: default
name: config-template name: config-template
- name: "Generate Secret" - name: "Generate Secret (insecure)"
match: match:
resources: resources:
kinds: kinds:
- Namespace - Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate: generate:
kind: Secret kind: Secret
name: mongo-creds name: mongo-creds
namespace: "{{request.object.metadata.name}}" # Create in the namespace that triggers this rule namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
data: data:
data: data:
DB_USER: YWJyYWthZGFicmE= DB_USER: YWJyYWthZGFicmE=
@ -50,9 +43,9 @@ spec:
purpose: mongo purpose: mongo
```` ````
In this example, when this policy is applied, any new namespace that satisfies the label selector will receive 2 new resources after its creation: In this example new namespaces will receive 2 new resources after its creation:
* ConfigMap copied from default/config-template. * A ConfigMap cloned from default/config-template.
* Secret with values DB_USER and DB_PASSWORD, and label ```purpose: mongo```. * A Secret with values DB_USER and DB_PASSWORD, and label ```purpose: mongo```.
## Example 2 ## Example 2
@ -72,7 +65,7 @@ spec:
generate: generate:
kind: NetworkPolicy kind: NetworkPolicy
name: deny-all-traffic name: deny-all-traffic
namespace: "{{request.object.metadata.name}}" # Create in the namespace that triggers this rule namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
data: data:
spec: spec:
podSelector: podSelector:
@ -84,7 +77,7 @@ spec:
policyname: "default" policyname: "default"
```` ````
In this example, when the policy is applied, any new namespace will receive a NetworkPolicy based on the specified template that by default denies all inbound and outbound traffic. In this example new namespaces will receive a NetworkPolicy that default denies all inbound and outbound traffic.
--- ---


@ -109,8 +109,9 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error
// update resource // update resource
_, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Update(newPv) _, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Update(newPv)
if err != nil { if err != nil {
return fmt.Errorf("failed to update namespaced polciy violation: %v", err) return fmt.Errorf("failed to update namespaced policy violation: %v", err)
} }
glog.Infof("namespaced policy violation updated for resource %v", newPv.Spec.ResourceSpec) glog.Infof("namespaced policy violation updated for resource %v", newPv.Spec.ResourceSpec)
return nil return nil
} }
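Review bot: The corrected error on the `if err != nil` branch still formats the underlying API error with `%v`, which flattens it to text and prevents callers from inspecting it with `errors.Is`/`errors.As` (for example to distinguish a conflict or not-found from the update). If the module already targets Go 1.13 or later, prefer `return fmt.Errorf("failed to update namespaced policy violation: %w", err)`; I cannot confirm the Go version from this hunk. updatePV's body begins before this hunk, so the earlier error paths in the same function are not visible here and may warrant the same treatment.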