mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-10 01:46:55 +00:00
01724d63cf
* Generate request added fro update resource * synchronize flag added * documentation added for keeping resource synchronized Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
91 lines
2.9 KiB
Markdown
91 lines
2.9 KiB
Markdown
<small>*[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Generate Resources*</small>
|
|
|
|
# Generating Resources
|
|
|
|
The ```generate``` rule can used to create additional resources when a new resource is created. This is useful to create supporting resources, such as new role bindings for a new namespace.
|
|
|
|
The `generate` rule supports `match` and `exclude` blocks, like other rules. Hence, the trigger for applying this rule can be the creation of any resource and its possible to match or exclude API requests based on subjects, roles, etc.
|
|
|
|
Currently, the generate rule only triggers during an API request and does not support [background processing](/documentation/writing-policies-background.md). To keep resources synchronized across changes, you can use `synchronize : true`. Synchronize is disabled for the pre-existing generate policy that means User has to manually add `synchronize: true` for pre-existing generate policy
|
|
|
|
|
|
## Example 1
|
|
|
|
````yaml
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: basic-policy
|
|
spec:
|
|
rules:
|
|
- name: "Generate ConfigMap"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
kind: ConfigMap # Kind of resource
|
|
name: default-config # Name of the new Resource
|
|
namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
|
|
synchronize : true
|
|
clone:
|
|
namespace: default
|
|
name: config-template
|
|
- name: "Generate Secret (insecure)"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
generate:
|
|
kind: Secret
|
|
name: mongo-creds
|
|
namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
|
|
data:
|
|
data:
|
|
DB_USER: YWJyYWthZGFicmE=
|
|
DB_PASSWORD: YXBwc3dvcmQ=
|
|
metadata:
|
|
labels:
|
|
purpose: mongo
|
|
````
|
|
|
|
In this example new namespaces will receive 2 new resources after its creation:
|
|
* A `ConfigMap` cloned from `default/config-template`.
|
|
* A `Secret` with values `DB_USER` and `DB_PASSWORD`, and label `purpose: mongo`.
|
|
|
|
|
|
## Example 2
|
|
````yaml
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: "default"
|
|
spec:
|
|
rules:
|
|
- name: "deny-all-traffic"
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
name: "*"
|
|
generate:
|
|
kind: NetworkPolicy
|
|
name: deny-all-traffic
|
|
namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule
|
|
data:
|
|
spec:
|
|
# select all pods in the namespace
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
metadata:
|
|
labels:
|
|
policyname: "default"
|
|
````
|
|
|
|
In this example new namespaces will receive a `NetworkPolicy` that by default denies all inbound and outbound traffic.
|
|
|
|
---
|
|
|
|
<small>*Read Next >> [Variables](/documentation/writing-policies-variables.md)*</small>
|
|
|