init

05-variables/03-templates/kyverno-policies/templates/require-labels.yaml

@@ -0,0 +1,40 @@
+{{- if .Values.requiredLabels.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-standard-labels
+  annotations:
+    policies.kyverno.io/title: "Обязательные стандартные лейблы"
+    policies.kyverno.io/category: Governance
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/version: {{ .Chart.Version }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+spec:
+  validationFailureAction: {{ .Values.requiredLabels.failureAction | default .Values.global.failureAction }}
+  background: true
+  rules:
+  - name: check-required-labels
+    match:
+      resources:
+        kinds:
+        - Deployment
+        - StatefulSet
+        - DaemonSet
+    exclude:
+      resources:
+        namespaces:
+        {{- range .Values.global.excludedNamespaces }}
+        - {{ . }}
+        {{- end }}
+    validate:
+      message: >-
+        Ресурс '{{ "{{" }} request.object.metadata.name {{ "}}" }}'
+        должен иметь все обязательные лейблы:
+        {{ .Values.requiredLabels.labels | join ", " }}
+      pattern:
+        metadata:
+          labels:
+            {{- range .Values.requiredLabels.labels }}
+            {{ . }}: "?*"
+            {{- end }}
+{{- end }}