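---
# Kyverno ClusterPolicy: opt-in injection of a Fluent Bit logging sidecar.
#
# Pods that carry the annotation logging.company.com/enabled: "true" get a
# `fluent-bit` container appended via a strategic merge patch. Pods without
# the annotation, and pods that already have a container named `fluent-bit`,
# are left untouched.
#
# Security notes for operators:
#   - The injected container mounts the node's /var/log via hostPath. hostPath
#     volumes are rejected by the Pod Security Standards `baseline` and
#     `restricted` levels, so annotated pods in namespaces enforcing those
#     levels will fail admission after mutation. It also gives every pod that
#     opts in read access to all node-level logs, not just its own — restrict
#     who may set the annotation (namespace selector / RBAC) before rolling
#     this out cluster-wide.
#   - Pin the sidecar image to an internal registry and, ideally, to a digest
#     rather than a mutable tag, so the injected workload cannot change
#     underneath the policy.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-fluent-bit-sidecar
  annotations:
    policies.kyverno.io/title: "Автовнедрение Fluent Bit sidecar"
    policies.kyverno.io/category: Logging
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Автоматически добавляет Fluent Bit sidecar контейнер ко всем подам
      с аннотацией logging.company.com/enabled: "true".
      Подход Opt-in: разработчик явно запрашивает injection.
      ЗАМЕНИТЕ образ registry.company.com на ваш внутренний реестр.
spec:
  rules:
    - name: inject-fluent-bit
      match:
        resources:
          kinds:
            - Pod
      preconditions:
        all:
          # Opt-in: only pods carrying the explicit annotation.
          # The `|| ''` default matters: without it, a pod that has no
          # annotations (or lacks this one) leaves the variable unresolved,
          # which Kyverno reports as a rule error instead of a clean skip.
          # With the default the key becomes "" and the precondition simply
          # evaluates to false.
          - key: "{{ request.object.metadata.annotations.\"logging.company.com/enabled\" || '' }}"
            operator: Equals
            value: "true"
          # Do not inject if the sidecar is already present (duplicate guard).
          # `value` resolves to the list of existing container names.
          - key: "fluent-bit"
            operator: NotIn
            value: "{{ request.object.spec.containers[].name }}"
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # Strategic merge keys containers on `name`, so this entry is
              # appended rather than replacing the pod's own containers.
              - name: fluent-bit
                # Replace with your internal registry; prefer an immutable
                # digest (image@sha256:...) over the mutable `2.1` tag.
                image: fluent/fluent-bit:2.1
                securityContext:
                  # Fluent Bit does not need setuid/setgid escalation.
                  # runAsNonRoot / readOnlyRootFilesystem / dropping
                  # capabilities are not set here because reading node
                  # logs under /var/log may require root or DAC_OVERRIDE;
                  # evaluate them against your image and log ownership.
                  allowPrivilegeEscalation: false
                resources:
                  limits:
                    cpu: 100m
                    memory: 128Mi
                  requests:
                    cpu: 50m
                    memory: 64Mi
                volumeMounts:
                  # Node logs are mounted read-only; the sidecar must never
                  # be able to truncate or tamper with host log files.
                  - name: varlog
                    mountPath: /var/log
                    readOnly: true
                  - name: fluent-bit-config
                    mountPath: /fluent-bit/etc/
            volumes:
              # hostPath: see the security notes at the top of this file.
              - name: varlog
                hostPath:
                  path: /var/log
              # The ConfigMap `fluent-bit-config` must already exist in the
              # pod's namespace, otherwise the pod will not start.
              - name: fluent-bit-config
                configMap:
                  name: fluent-bit-config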