mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

update documentation

Browse source
This commit is contained in:
shivkumar dudhani 2019-08-21 15:49:34 -07:00
parent fe5e9b0bb1
commit ff03744958
4 changed files with 85 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
documentation/writing-policies-generate.md
View file

@ -14,12 +14,13 @@ metadata:
spec:
rules:
- name: "Basic config generator for all namespaces"
resource:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate:
kind: ConfigMap
name: default-config
@ -27,12 +28,13 @@ spec:
namespace: default
name: config-template
- name: "Basic config generator for all namespaces"
resource:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate:
kind: Secret
name: mongo-creds
@ -59,10 +61,11 @@ metadata:
spec:
rules:
- name: "deny-all-traffic"
resource:
kinds:
- Namespace
name: "*"
match:
resources:
kinds:
- Namespace
name: "*"
generate:
kind: NetworkPolicy
name: deny-all-traffic

48
documentation/writing-policies-mutate.md
View file

@ -18,9 +18,10 @@ metadata :
spec :
rules:
- name: "add-init-secrets"
resource:
kinds:
- Deployment
match:
resources:
kinds:
- Deployment
mutate:
patches:
- path: "/spec/template/spec/initContainers/0/"
@ -46,9 +47,10 @@ metadata :
spec :
rules:
- name: "Remove unwanted label"
resource:
kinds:
- Secret
match:
resources:
kinds:
- Secret
mutate:
patches:
- path: "/metadata/labels/purpose"
@ -71,12 +73,13 @@ metadata :
spec :
rules:
- name: "Set hard memory limit to 2Gi"
resource:
kinds:
- Pod
selector:
matchLabels:
memory: high
match:
resources:
kinds:
- Pod
selector:
matchLabels:
memory: high
mutate:
overlay:
spec:
@ -103,9 +106,10 @@ metadata:
spec:
rules:
- name: "Add IP to subsets"
resource:
kinds :
- Endpoints
match:
resources:
kinds :
- Endpoints
mutate:
overlay:
subsets:
@ -128,9 +132,10 @@ metadata :
spec :
rules:
- name: "Set port"
resource:
kinds :
- Endpoints
match:
resources:
kinds :
- Endpoints
mutate:
overlay:
subsets:
@ -158,9 +163,10 @@ metadata :
spec :
rules:
- name: "Set port"
resource:
kinds :
- Endpoints
match:
resources:
kinds :
- Endpoints
mutate:
overlay:
subsets:

38
documentation/writing-policies-validate.md
View file

@ -44,16 +44,17 @@ metadata :
spec :
rules:
- name: check-label
resource:
# Kind specifies one or more resource types to match
kinds:
- Deployment
- StatefuleSet
- DaemonSet
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
match:
resources:
# Kind specifies one or more resource types to match
kinds:
- Deployment
- StatefuleSet
- DaemonSet
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
validate:
# Message is optional
message: "The label app is required"
@ -79,14 +80,15 @@ metadata :
spec :
rules:
- name: check-memory_requests_link_in_yaml_relative
resource:
# Kind specifies one or more resource types to match
kinds:
- Deployment
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
match:
resources:
# Kind specifies one or more resource types to match
kinds:
- Deployment
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
validate:
pattern:
spec:

37
documentation/writing-policies.md
View file

@ -17,31 +17,32 @@ spec :
# Each rule matches specific resource described by "match" field.
match:
resources:
kinds:
kinds: # Required, list of kinds
- Deployment
- StatefulSet
- DaemonSet
# A resource name is optional. Name supports wildcards * and ?
name: "*"
# A resoucre selector is optional. Selector values support wildcards * and ?
selector:
name: "mongo*" # Optional, a resource name is optional. Name supports wildcards * and ?
namespaces: # Optional, list of namespaces
- devtest2
- devtest1
selector: # Optional, a resource selector is optional. Selector values support wildcards * and ?
matchLabels:
app: mongodb
matchExpressions:
- {key: tier, operator: In, values: [database]}
# Resources that need to be excluded
# exclude:
# resources:
# kinds:
# - Deployment
# # A resource name is optional. Name supports wildcards * and ?
# name: "*"
# # A resoucre selector is optional. Selector values support wildcards * and ?
# selector:
# matchLabels:
# app: mongodb
# matchExpressions:
# - {key: tier, operator: In, values: [database]}
exclude: # Optional, resources to be excluded from evaulation
resources:
kinds:
- Daemonsets
name: "*"
namespaces:
- devtest2
selector:
matchLabels:
app: mongodb
matchExpressions:
- {key: tier, operator: In, values: [database]}
# Each rule can contain a single validate, mutate, or generate directive
...
````