mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/documentation/writing-policies-variables.md
2020-02-06 00:04:19 -08:00


Variables

Sometimes it is necessary to vary the contents of a mutated or generated resource based on request data. To achieve this, variables can reference attributes that are loaded into the rule processing context, using JMESPath notation.

Before processing a rule, the policy engine replaces every value of the form {{<JMESPATH>}} with the value of the referenced variable.

The following data is available for use in context:

  • Resource: {{request.object}}
  • UserInfo: {{request.userInfo}}

Pre-defined Variables

Kyverno automatically creates a few useful variables:

  • serviceAccountName : the last part of a service account user name, i.e. the userName without the prefix system:serviceaccount:<namespace>:. For example, when processing a request from system:serviceaccount:nirmata:user1 Kyverno will store the value user1 in the variable serviceAccountName.

  • serviceAccountNamespace : the namespace portion of the serviceAccount. For example, when processing a request from system:serviceaccount:nirmata:user1 Kyverno will store nirmata in the variable serviceAccountNamespace.

Examples

  1. Reference a resource name (type string)

{{request.object.metadata.name}}

  2. Build name from multiple variables (type string)

"ns-owner-{{request.object.metadata.namespace}}-{{request.userInfo.username}}-binding"

  3. Reference the metadata (type object)

{{request.object.metadata}}
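
The substitution and the two pre-defined variables described above, as an added Python sketch that is not Kyverno's own code. It assumes a dotted-path subset of JMESPath, stores the pre-defined variables at the top level of the context, and uses a constructed request and hypothetical rule keys (`name`, `requestedBy`, `sourceMetadata`).

```python
import re

SA_PREFIX = "system:serviceaccount:"
VAR = re.compile(r"\{\{\s*([^{}]+?)\s*\}\}")  # one {{<path>}} placeholder

def build_context(request):
    """Request data plus the two pre-defined service account variables."""
    ctx = {"request": request, "serviceAccountName": "", "serviceAccountNamespace": ""}
    username = request.get("userInfo", {}).get("username", "")
    parts = username.split(":")
    # Only system:serviceaccount:<namespace>:<name> is a service account identity;
    # any other user name leaves both variables empty (a choice made in this sketch).
    if username.startswith(SA_PREFIX) and len(parts) == 4 and all(parts):
        ctx["serviceAccountNamespace"], ctx["serviceAccountName"] = parts[2], parts[3]
    return ctx

def lookup(ctx, path):
    """Resolve a dotted path, the only JMESPath subset this sketch supports."""
    node = ctx
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"unresolved variable: {path}")  # fail closed (sketch's choice)
        node = node[key]
    return node

def substitute(value, ctx):
    """Replace every {{path}} in a rule fragment before the rule is processed."""
    if isinstance(value, dict):
        return {k: substitute(v, ctx) for k, v in value.items()}
    if isinstance(value, list):
        return [substitute(v, ctx) for v in value]
    if not isinstance(value, str):
        return value
    whole = VAR.fullmatch(value)
    if whole:  # the value is a single variable: keep its type (string or object)
        return lookup(ctx, whole.group(1))
    return VAR.sub(lambda m: str(lookup(ctx, m.group(1))), value)

# Constructed request data, reusing the service account from the page's example.
REQUEST = {
    "object": {"kind": "ConfigMap", "metadata": {"name": "app-config", "namespace": "demo"}},
    "userInfo": {"username": "system:serviceaccount:nirmata:user1"},
}
CTX = build_context(REQUEST)
RULE = {  # hypothetical rule fragment, not a Kyverno schema
    "name": "ns-owner-{{request.object.metadata.namespace}}-{{serviceAccountName}}-binding",
    "requestedBy": "{{ request.userInfo.username }}",
    "sourceMetadata": "{{request.object.metadata}}",
}
if __name__ == "__main__":
    print(substitute(RULE, CTX))
```

Because `request.userInfo` and `request.object` are supplied by the requester, anything built from them (names, labels, bindings) inherits the requester's input; the sketch shows the string and object cases side by side so the resulting types are visible.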
