51 lines
1.7 KiB
YAML
51 lines
1.7 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: add-creator-audit-annotation
|
|
annotations:
|
|
policies.kyverno.io/title: "Аннотация аудита создателя ресурса"
|
|
policies.kyverno.io/category: Governance
|
|
policies.kyverno.io/severity: low
|
|
policies.kyverno.io/subject: Deployment,StatefulSet
|
|
policies.kyverno.io/description: >-
|
|
При создании Deployment или StatefulSet автоматически добавляет
|
|
аннотации: кто создал, когда, из каких групп.
|
|
Создаёт автоматический audit trail без дополнительных инструментов.
|
|
spec:
|
|
rules:
|
|
- name: add-creator-annotation
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Deployment
|
|
- StatefulSet
|
|
preconditions:
|
|
any:
|
|
- key: "{{ request.operation }}"
|
|
operator: Equals
|
|
value: CREATE
|
|
mutate:
|
|
patchStrategicMerge:
|
|
metadata:
|
|
annotations:
|
|
audit.company.com/created-by: "{{ request.userInfo.username }}"
|
|
audit.company.com/created-at: "{{ time_now_utc() }}"
|
|
audit.company.com/user-groups: >-
|
|
{{ request.userInfo.groups | join(', ', @) }}
|
|
|
|
- name: set-environment-labels
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
context:
|
|
- name: namespaceConfig
|
|
apiCall:
|
|
urlPath: "/api/v1/namespaces/{{ request.object.metadata.namespace }}"
|
|
jmesPath: "metadata.labels"
|
|
mutate:
|
|
patchStrategicMerge:
|
|
metadata:
|
|
labels:
|
|
+(environment): "{{ namespaceConfig.environment || 'unknown' }}"
|
|
+(team): "{{ namespaceConfig.team || 'platform' }}" |