mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
ff9328809b
* add global-anchor test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add trusted-images test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add yaml-signing test Signed-off-by: Chip Zoller <chipzoller@gmail.com> * add x509-decode test Signed-off-by: Chip Zoller <chipzoller@gmail.com> Signed-off-by: Chip Zoller <chipzoller@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
44 lines
1.1 KiB
YAML
44 lines
1.1 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: validate-resources
|
|
spec:
|
|
validationFailureAction: enforce
|
|
background: false
|
|
webhookTimeoutSeconds: 30
|
|
failurePolicy: Fail
|
|
rules:
|
|
- name: validate-resources
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Deployment
|
|
- Pod
|
|
name: test*
|
|
exclude:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Pod
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
namespace: kube-system
|
|
name: replicaset-controller
|
|
- resources:
|
|
kinds:
|
|
- ReplicaSet
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
namespace: kube-system
|
|
name: deployment-controller
|
|
validate:
|
|
manifests:
|
|
attestors:
|
|
- entries:
|
|
- keys:
|
|
publicKeys: |-
|
|
-----BEGIN PUBLIC KEY-----
|
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
|
|
BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
|
|
-----END PUBLIC KEY-----
|