mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 09:26:54 +00:00
c796bb765c
* fix: return policies with either audit or enforce rules from the cache Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * feat: introduce validationFailureAction under verifyImage rules Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * feat: add chainsaw tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
79 lines
2.3 KiB
YAML
79 lines
2.3 KiB
YAML
---
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
annotations:
|
|
policies.kyverno.io/category: Best Practices
|
|
policies.kyverno.io/subject: Service
|
|
policies.kyverno.io/title: Configure Connection Draining
|
|
name: disable-connection-draining
|
|
spec:
|
|
admission: true
|
|
background: true
|
|
rules:
|
|
- context:
|
|
- name: connection_draining_check
|
|
variable:
|
|
default: empty
|
|
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled"
|
|
- name: nlb_check
|
|
variable:
|
|
default: "false"
|
|
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-type"
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Service
|
|
mutate:
|
|
patchStrategicMerge:
|
|
metadata:
|
|
annotations:
|
|
service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "false"
|
|
name: clb
|
|
preconditions:
|
|
all:
|
|
- key: '{{ request.object.spec.type }}'
|
|
operator: Equals
|
|
value: LoadBalancer
|
|
- key: '{{ connection_draining_check }}'
|
|
operator: AnyIn
|
|
value:
|
|
- "true"
|
|
- empty
|
|
- key: '{{ nlb_check }}'
|
|
operator: AnyNotIn
|
|
value:
|
|
- external
|
|
- nlb
|
|
- context:
|
|
- name: nlb_check
|
|
variable:
|
|
default: "false"
|
|
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-type"
|
|
- name: tg_attributes
|
|
variable:
|
|
default: "false"
|
|
jmesPath: request.object.metadata.annotations."service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Service
|
|
mutate:
|
|
patchStrategicMerge:
|
|
metadata:
|
|
annotations:
|
|
service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: deregistration_delay.connection_termination.enabled=true,deregistration_delay.timeout_seconds=0
|
|
name: nlb-no-attributes
|
|
preconditions:
|
|
all:
|
|
- key: '{{ request.object.spec.type }}'
|
|
operator: Equals
|
|
value: LoadBalancer
|
|
- key: '{{ nlb_check }}'
|
|
operator: Equals
|
|
value: external
|
|
- key: '{{ tg_attributes }}'
|
|
operator: Equals
|
|
value: "false"
|