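---
# Annotated example of a Policy resource: one patch rule, one
# configMapGenerator rule and one secretGenerator rule.
apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
  name: examples
spec:
  # failurePolicy is optional. Defaults to stopOnError.
  # Allowed values: continueOnError, stopOnError (set exactly one).
  # NOTE(review): continueOnError presumably keeps processing after a rule
  # fails, so a resource could end up with only part of this policy applied;
  # confirm against the controller before relying on it for enforcement.
  failurePolicy: stopOnError
  # The spec contains a list of rules. Each rule has a resource and an
  # operation.
  # Allowed operations are:
  # - patch, configMapGenerator, secretGenerator
  rules:
    - resource:
        # Allowed resource kinds:
        # ConfigMap
        # CronJob
        # DaemonSet
        # Deployment
        # Endpoint
        # HorizontalPodAutoscaler
        # Ingress
        # Job
        # LimitRange
        # Namespace
        # NetworkPolicy
        # PersistentVolumeClaim
        # PodDisruptionBudget
        # PodTemplate
        # ResourceQuota
        # Secret
        # Service
        # StatefulSet
        # NOTE(review): PodTemplateSpec is not in the list above (PodTemplate
        # is); confirm which spelling the controller accepts.
        kind: PodTemplateSpec
        # name is optional. Either a name or selector must be specified.
        # Left empty here because this rule selects by label.
        name:
        # selector is optional. Either a name or a selector must be
        # specified.
        selector:
          matchLabels:
            nirmata.io/environment.name: production
          # No expressions in this example; matchLabels alone decides which
          # resources the rule applies to.
          matchExpressions:
      # a patch contains multiple entries of path, operation, value
      # path: starts with the resource. if blank selects resource.
      # operation: Add | Replace | Delete
      # value: text, number, JSON string
      patch:
        - path: spec/terminationGracePeriodSeconds
          operation: Add
          value: 20
        # The path indexes containers/0, so only the first container gets
        # imagePullPolicy Always; additional containers need their own
        # entries.
        - path: spec/containers/0/imagePullPolicy
          operation: Add
          value: Always
    - resource:
        # Kind needs to be Namespace, when operation is configMapGenerator
        kind: Namespace
        name: foo
      configMapGenerator:
        name: game-config-env-file
        # copyFrom is optional. If specified, must point to a valid config
        # map
        copyFrom:
          namespace: some-ns
          name: some-other-config-map
        data:
          foo: bar
          # Literal block scalars keep one key=value pair per line.
          app.properties: |
            foo1=bar1
            foo2=bar2
          ui.properties: |
            foo1=bar1
            foo2=bar2
    - resource:
        # Kind needs to be Namespace, when operation is secretGenerator
        kind: Namespace
        name: foo
      secretGenerator:
        name: game-secrets
        # copyFrom names a secret in a different namespace (some-ns) than
        # the one this rule targets (foo), so the rule moves secret material
        # across a namespace boundary.
        # NOTE(review): access to create or edit Policy objects should be
        # scoped with that in mind; confirm what the controller enforces.
        copyFrom:
          namespace: some-ns
          name: some-other-secrets
        # data is optional. Values set here would be stored in the Policy
        # object itself and visible to anyone who can read it; copyFrom
        # avoids that.
        data:
status:
  events:
  # log of applied policies. We will need a way to distinguish between
  # failed and succeeded operations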