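---
# Annotated example of a policy.nirmata.io/v1alpha1 Policy showing the three
# rule types this API version supports: patch, configMapGenerator and
# secretGenerator.
# Reconstructed with 2-space indentation; every comment from the original is
# kept, and placeholders (`[]`, `{}`) replace bare `key:` values so the document
# parses to the intended empty collections rather than to null.
apiVersion: policy.nirmata.io/v1alpha1
kind: Policy
metadata:
  name: examples
spec:
  # failurePolicy is optional. Allowed values: continueOnError | stopOnError.
  # Defaults to stopOnError. The original example listed both values as one
  # comma-separated scalar, which is not a valid choice; one value is set here.
  failurePolicy: stopOnError
  # The spec contains a list of rules. Each rule has a resource and an operation.
  # Allowed operations are:
  # - patch, configMapGenerator, secretGenerator
  rules:
    - resource:
        # Allowed resource kinds:
        # ConfigMap
        # CronJob
        # DaemonSet
        # Deployment
        # Endpoint
        # HorizontalPodAutoscaler
        # Ingress
        # Job
        # LimitRange
        # Namespace
        # NetworkPolicy
        # PersistentVolumeClaim
        # PodDisruptionBudget
        # PodTemplate
        # ResourceQuota
        # Secret
        # Service
        # StatefulSet
        kind: PodTemplateSpec
        # name is optional. Either a name or selector must be specified.
        # It is left out here because this rule selects by labels; a bare
        # `name:` would parse as null, not as "absent".
        # name: <resource-name>
        # selector is optional. Either a name or a selector must be specified.
        selector:
          matchLabels:
            nirmata.io/environment.name: production
          # explicit empty list; a bare `matchExpressions:` parses as null
          matchExpressions: []
      # a patch contains multiple entries of path, operation, value
      # path: starts with the resource. if blank selects resource.
      # operation: Add | Replace | Delete
      # value: text, number, JSON string
      patch:
        - path: spec/terminationGracePeriodSeconds
          operation: Add
          value: 20
        - path: spec/containers/0/imagePullPolicy
          operation: Add
          value: Always
    - resource:
        # Kind needs to be Namespace, when operation is configMapGenerator
        kind: Namespace
        name: foo
      configMapGenerator:
        name: game-config-env-file
        # copyFrom is optional. If specified, must point to a valid config map
        copyFrom:
          namespace: some-ns
          name: some-other-config-map
        data:
          foo: bar
          # Literal block scalars (`|`) keep each key=value line as written.
          # The rendered original showed a `/` here, which would fold the
          # following lines into one plain scalar; a block scalar is assumed
          # to be the intent -- confirm against the upstream file.
          app.properties: |
            foo1=bar1
            foo2=bar2
          ui.properties: |
            foo1=bar1
            foo2=bar2
    - resource:
        # Kind needs to be Namespace, when operation is secretGenerator
        kind: Namespace
        name: foo
      secretGenerator:
        name: game-secrets
        # copyFrom reads a Secret in another namespace and materializes it in
        # the target namespace. Whoever may create Policy objects can thereby
        # read any Secret the controller can read, so restrict Policy authoring
        # with RBAC and scope the controller's Secret read permissions.
        copyFrom:
          namespace: some-ns
          name: some-other-secrets
        data: {}  # data is optional
status:
  # log of applied policies. We will need a way to distinguish between failed
  # and succeeded operations
  events: []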