---
# Kyverno ClusterPolicy that validates labels on Namespace objects.
# Effect of the single rule (see spec.rules[0].validate.pattern):
#   - platform.das-schiff.telekom.de/owner must be present and must not be
#     the value `das-schiff`
#   - schiff.telekom.de/owner, if present, must not be the value `schiff`
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-labels
  labels:
    policy.schiff.telekom.de: enforced
  annotations:
    policies.kyverno.io/title: Restrict Labels on Namespaces
    policies.kyverno.io/category: Labels
    # Quoted so it is always read as a version string.
    policies.kyverno.io/minversion: '1.3.0'
    policies.kyverno.io/description: >-
      This policy prevents the use of an label beginning with a common key
      name (in this case "platform.das-schiff.telekom.de/owner | owner").
      This can be useful to ensure users either don't set reserved labels or
      to force them to use a newer version of an label.
spec:
  # Enforce rejects non-compliant requests instead of only reporting them.
  # NOTE(review): newer Kyverno releases deprecate this policy-level field in
  # favour of a per-rule validate.failureAction; confirm against the Kyverno
  # version this is deployed on before migrating.
  validationFailureAction: Enforce
  admission: true
  # Background scans are off, so Namespaces that already exist are not
  # re-evaluated; a violation that predates this policy stays unreported until
  # the Namespace is next sent through admission.
  # NOTE(review): the role-based exclude below depends on requester identity,
  # which is presumably only available on admission requests - confirm before
  # enabling background scans.
  background: false
  rules:
    - name: restrict-labels
      match:
        any:
          - resources:
              kinds:
                - Namespace
      # Requests made by a subject bound to the cluster-admin ClusterRole skip
      # this rule entirely. The reserved owner value is therefore protected
      # only as well as the cluster-admin bindings are; keep those bindings
      # under review. The resource filter is empty, so the exclusion is by
      # role alone.
      exclude:
        any:
          - clusterRoles:
              - cluster-admin
            resources: {}
      validate:
        # The message describes only the platform.das-schiff.telekom.de/owner
        # check; a denial caused by the schiff.telekom.de/owner check shows
        # the same text.
        message: >-
          Every namespace has to have `platform.das-schiff.telekom.de/owner`
          label. It must not have value `das-schiff` which is reserved for
          system namespaces
        pattern:
          metadata:
            labels:
              # =(...) is Kyverno's equality anchor: the value is checked
              # only when the key exists. A leading `!` negates the match.
              # Both comparisons are against the exact literal value.
              '=(schiff.telekom.de/owner)': '!schiff'
              # No anchor: the key is required, and its value is checked.
              platform.das-schiff.telekom.de/owner: '!das-schiff'