init

07-advanced/02-external-data/external-data-cache.yaml

@@ -0,0 +1,105 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: external-data-cache
+  namespace: kyverno
+  labels:
+    app: kyverno-config
+data:
+  # Список разрешённых реестров (обновляется CronJob)
+  allowed-registries: |
+    registry.company.com
+    gcr.io/company-project
+    public.ecr.aws/company
+  # Список одобренных StorageClass
+  approved-storage-classes: |
+    standard-ssd
+    premium-ssd
+    backup-hdd
+  # Последнее обновление (проставляется CronJob)
+  last-updated: "2024-01-01T00:00:00Z"
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: update-policy-cache
+  namespace: kyverno
+  annotations:
+    description: >-
+      Обновляет ConfigMap external-data-cache данными из внешних API.
+      Позволяет политикам использовать актуальные данные без прямых apiCall
+      к внешним сервисам на каждый запрос.
+spec:
+  schedule: "*/10 * * * *"    # каждые 10 минут
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: policy-cache-updater
+          restartPolicy: OnFailure
+          containers:
+          - name: cache-updater
+            image: bitnami/kubectl:1.28
+            env:
+            - name: EXTERNAL_API_URL
+              value: "https://api.company.com/v1"
+            - name: CONFIGMAP_NAME
+              value: "external-data-cache"
+            - name: NAMESPACE
+              value: "kyverno"
+            command:
+            - /bin/bash
+            - -c
+            - |
+              set -e
+
+              echo "Fetching allowed registries from external API..."
+              # В реальности заменить на curl к вашему API
+              REGISTRIES=$(echo -e "registry.company.com\ngcr.io/company-project")
+
+              echo "Updating ConfigMap..."
+              kubectl patch configmap ${CONFIGMAP_NAME} \
+                -n ${NAMESPACE} \
+                --type merge \
+                -p "{\"data\":{
+                  \"allowed-registries\": \"${REGISTRIES}\",
+                  \"last-updated\": \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"
+                }}"
+
+              echo "Cache updated successfully"
+            resources:
+              limits:
+                cpu: 100m
+                memory: 64Mi
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: policy-cache-updater
+  namespace: kyverno
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: configmap-updater
+  namespace: kyverno
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["external-data-cache"]
+  verbs: ["get", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: policy-cache-updater
+  namespace: kyverno
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: configmap-updater
+subjects:
+- kind: ServiceAccount
+  name: policy-cache-updater
+  namespace: kyverno