mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-01-20 18:52:16 +00:00
Code Activity
kyverno/documentation/writing-policies-generate.md
Jim Bugwadia d4e5790a66
Bugfix/update docs for deny rules (#886) 
* - support wildcards for namespaces

* do not annotate resource, unless policy is an autogen policy

* close HTTP body

* improve messages

* - update docs for deny rules
- add presentations and videos to README.md
2020-05-28 11:22:47 -07:00

89 lines
2.8 KiB
Markdown
Raw Blame History

<small>*[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Generate Resources*</small>
# Generating Resources
The ```generate``` rule can used to create additional resources when a new resource is created. This is useful to create supporting resources, such as new role bindings for a new namespace.
The `generate` rule supports `match` and `exclude` blocks, like other rules. Hence, the trigger for applying this rule can be the creation of any resource and its possible to match or exclude API requests based on subjects, roles, etc.
Currently, the generate rule only triggers during an API request and does not support [background processing](/documentation/writing-policies-background.md). Keeping resources synchhronized is planned for a future release (see https://github.com/nirmata/kyverno/issues/560).
## Example 1
````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: basic-policy
spec:
rules:
- name: "Generate ConfigMap"
match:
resources:
kinds:
- Namespace
generate:
kind: ConfigMap # Kind of resource
name: default-config # Name of the new Resource
namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
clone:
namespace: default
name: config-template
- name: "Generate Secret (insecure)"
match:
resources:
kinds:
- Namespace
generate:
kind: Secret
name: mongo-creds
namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
data:
data:
DB_USER: YWJyYWthZGFicmE=
DB_PASSWORD: YXBwc3dvcmQ=
metadata:
labels:
purpose: mongo
````
In this example new namespaces will receive 2 new resources after its creation:
* A `ConfigMap` cloned from `default/config-template`.
* A `Secret` with values `DB_USER` and `DB_PASSWORD`, and label `purpose: mongo`.
## Example 2
````yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "default"
spec:
rules:
- name: "deny-all-traffic"
match:
resources:
kinds:
- Namespace
name: "*"
generate:
kind: NetworkPolicy
name: deny-all-traffic
namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
data:
spec:
# select all pods in the namespace
podSelector: {}
policyTypes:
- Ingress
metadata:
labels:
policyname: "default"
````
In this example new namespaces will receive a `NetworkPolicy` that by default denies all inbound and outbound traffic.
---
<small>*Read Next >> [Variables](/documentation/writing-policies-variables.md)*</small>
View git blame Copy permalink