mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 01:16:55 +00:00
84 lines
2.4 KiB
YAML
84 lines
2.4 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: bug-demo
|
|
annotations:
|
|
pod-policies.kyverno.io/autogen-controllers: "none"
|
|
spec:
|
|
background: false
|
|
validationFailureAction: enforce
|
|
|
|
rules:
|
|
|
|
- name: mutate1
|
|
match:
|
|
all:
|
|
- resources:
|
|
kinds:
|
|
- v1/Pod
|
|
mutate:
|
|
foreach:
|
|
- list: |-
|
|
request.object.spec.containers || `[]`
|
|
context:
|
|
- name: container_path
|
|
variable:
|
|
value: "/spec/containers/{{ elementIndex }}"
|
|
patchesJson6902: |-
|
|
{{
|
|
[
|
|
contains(['main-1','main-3','main-11'], element.name)
|
|
&&
|
|
[
|
|
{
|
|
op: 'remove',
|
|
path: join('/', [container_path, 'securityContext/capabilities/add'])
|
|
}
|
|
,
|
|
{
|
|
op: 'add',
|
|
path: join('/', [container_path, 'securityContext/capabilities/drop'])
|
|
value: ['ALL']
|
|
}
|
|
]
|
|
|| `[]`
|
|
,
|
|
|
|
contains(['main-2','main-6','main-7','main-8','main-9','main-10','main-16','main-17','main-19','main-22','main-23','main-24','main-25','main-26'], element.name)
|
|
&&
|
|
[
|
|
{
|
|
op: 'add',
|
|
path: join('/', [container_path, 'securityContext/capabilities/add'])
|
|
value: ['FOO']
|
|
}
|
|
,
|
|
{
|
|
op: 'add',
|
|
path: join('/', [container_path, 'securityContext/capabilities', 'drop'])
|
|
value: ['SYS_ADMIN']
|
|
}
|
|
]
|
|
|| `[]`
|
|
,
|
|
|
|
contains(['main-4','main-5','main-12','main-13','main-14','main-15','main-18','main-20','main-21','main-27'], element.name)
|
|
&&
|
|
[
|
|
{
|
|
op: 'add',
|
|
path: join('/', [container_path, 'securityContext/capabilities/add'])
|
|
value: ['SYS_ADMIN', 'FOO']
|
|
}
|
|
,
|
|
{
|
|
op: 'add',
|
|
path: join('/', [container_path, 'securityContext/capabilities/drop'])
|
|
value: `[]`
|
|
}
|
|
]
|
|
|| `[]`
|
|
][]
|
|
|
|
|
to_string(@)
|
|
}}
|