* feat: enable mutating webhook for ivpol Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: add objects to payload Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add chainsaw test Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add update codegen Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: propagate policy response to admission response Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update chainsaw tests Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
---
# ValidatingWebhookConfiguration as rendered by Kyverno for the fine-grained,
# fail-closed "disallow-privilege-escalation" ValidatingPolicy. Indentation has
# been restored and the CEL expressions written as folded block scalars; the
# parsed data is unchanged.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    webhook.kyverno.io/managed-by: kyverno
  name: kyverno-resource-validating-webhook-cfg
webhooks:
  - name: vpol.validate.kyverno.svc-fail-finegrained-disallow-privilege-escalation
    admissionReviewVersions:
      - v1
    clientConfig:
      # In-cluster service the API server calls over TLS on port 443.
      # NOTE(review): no caBundle appears in this rendering — presumably
      # injected by Kyverno at runtime; confirm against the live object.
      service:
        name: kyverno-svc
        namespace: kyverno
        path: /policies/vpol/validate/fail/finegrained/disallow-privilege-escalation
        port: 443
    # Fail-closed: if the service is unreachable or does not answer within
    # timeoutSeconds, every request that reaches this webhook is rejected.
    failurePolicy: Fail
    # CEL pre-filters evaluated by the API server; the webhook is only called
    # when all expressions are true. Each expression is scoped to one set of
    # kinds and passes every other kind through, so the combined effect is:
    # Pods must carry the label prod: "true", and Deployments / ReplicaSets /
    # StatefulSets / DaemonSets / CronJobs must carry it on their pod template.
    # Objects without that label never reach the webhook at all.
    # NOTE(review): no expression covers kind Job, so Jobs matched by the
    # batch/v1 rule below are forwarded regardless of labels — confirm this
    # is the intended scope.
    matchConditions:
      - name: check-prod-label
        expression: >-
          !(object.kind == 'Pod') || has(object.metadata.labels) && has(object.metadata.labels.prod)
          && object.metadata.labels.prod == 'true'
      - name: autogen-check-prod-label
        expression: >-
          !(object.kind =='Deployment' || object.kind =='ReplicaSet' ||
          object.kind =='StatefulSet' || object.kind =='DaemonSet') || has(object.spec.template.metadata.labels)
          && has(object.spec.template.metadata.labels.prod) && object.spec.template.metadata.labels.prod
          == 'true'
      - name: autogen-cronjobs-check-prod-label
        expression: >-
          !(object.kind =='CronJob') || has(object.spec.jobTemplate.spec.template.metadata.labels)
          && has(object.spec.jobTemplate.spec.template.metadata.labels.prod) && object.spec.jobTemplate.spec.template.metadata.labels.prod
          == 'true'
    # Equivalent: requests arriving via another served version of the same
    # resource are converted to the versions listed in rules and still matched.
    matchPolicy: Equivalent
    # Empty selectors match every namespace (including system namespaces) and
    # every object; the matchConditions above are the only narrowing applied.
    namespaceSelector: {}
    objectSelector: {}
    # Only CREATE and UPDATE are intercepted; DELETE and CONNECT are not.
    # scope '*' covers both namespaced and cluster-scoped requests.
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - pods
        scope: '*'
      - apiGroups:
          - apps
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - daemonsets
          - deployments
          - replicasets
          - statefulsets
        scope: '*'
      - apiGroups:
          - batch
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - jobs
        scope: '*'
      - apiGroups:
          - batch
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - cronjobs
        scope: '*'
    # Dry-run requests are answered without side effects, so they are sent to
    # the webhook rather than skipped.
    sideEffects: NoneOnDryRun
    timeoutSeconds: 10