mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-10 01:46:55 +00:00
2140a0239b
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
29 lines
759 B
YAML
29 lines
759 B
YAML
---
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: cm-array-example
|
|
spec:
|
|
admission: true
|
|
background: false
|
|
rules:
|
|
- context:
|
|
- configMap:
|
|
name: roles-dictionary
|
|
namespace: default
|
|
name: roles-dictionary
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Pod
|
|
name: validate-role-annotation
|
|
validate:
|
|
deny:
|
|
conditions:
|
|
- key: '{{ request.object.metadata.annotations.role }}'
|
|
operator: NotIn
|
|
value: '{{ "roles-dictionary".data."allowed-roles" }}'
|
|
message: 'The role {{ request.object.metadata.annotations.role }} is not in
|
|
the allowed list of roles: {{ "roles-dictionary".data."allowed-roles" }}.'
|
|
failureAction: Enforce
|