mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00
Code Activity

Merge pull request #1005 from realshuting/933_doc_update

Browse source 
Update selecting resource doc
This commit is contained in:
Jim Bugwadia 2020-07-18 14:36:37 -07:00 committed by GitHub
commit e7fa601148
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
documentation/writing-policies-match-exclude.md
View file

@ -17,11 +17,11 @@ When Kyverno receives an admission controller request, i.e. a validation or muta
The following YAML provides an example for a match clause. The following YAML provides an example for a match clause.
````yaml ````yaml
apiVersion : kyverno.io/v1 apiVersion: kyverno.io/v1
kind : ClusterPolicy kind: ClusterPolicy
metadata : metadata:
name : policy name: policy
spec : spec:
# 'enforce' to block resource request if any rules fail # 'enforce' to block resource request if any rules fail
# 'audit' to allow resource request on failure of rules, but create policy violations to report them # 'audit' to allow resource request on failure of rules, but create policy violations to report them
validationFailureAction: enforce validationFailureAction: enforce
@ -88,6 +88,41 @@ spec:
- "kube-system" - "kube-system"
```` ````
Condition checks inside the `resources` block follow the logic "**AND across types but an OR inside list types**". For example, if a rule match contains a list of kinds and a list of namespaces, the rule will be evaluated if the request contains any one (OR) of the kinds AND any one (OR) of the namespaces. Conditions inside `clusterRoles`, `roles` and `subjects` are always evaluated using a logical OR operation, as each request can only have a single instance of these values.
This is an example that select Deployment **OR** StatefulSet that has label `app=critical`.
````yaml
spec:
rules:
- name: match-critical-app
match:
resources: # AND across types but an OR inside types that take a list
kinds:
- Deployment,StatefulSet
selector:
matchLabels:
app: critical
````
The following example matches all resources with label `app=critical` excluding the resource created by clusterRole `cluster-admin` **OR** by the user `John`.
````yaml
spec:
rules:
- name: match-criticals-except-given-rbac
match:
resources:
selector:
matchLabels:
app: critical
exclude:
clusterRoles:
- cluster-admin
subjects:
- kind: User
name: John
````
--- ---
<small>*Read Next >> [Validate Resources](/documentation/writing-policies-validate.md)*</small> <small>*Read Next >> [Validate Resources](/documentation/writing-policies-validate.md)*</small>