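---
# Kyverno ClusterPolicy: opt-in injection of a Fluent Bit logging sidecar.
#
# A Pod is mutated only when BOTH preconditions hold:
#   1. it carries the annotation logging.company.com/enabled: "true";
#   2. it does not already have a container named "fluent-bit".
# The mutation adds the sidecar container plus two volumes: a read-only
# hostPath for the node's /var/log and a ConfigMap named fluent-bit-config.
#
# NOTE(review): the injected hostPath volume exposes the node's /var/log to
# every Pod that opts in. If not all tenants should be able to read node
# logs, narrow `match` (e.g. by namespace) rather than relying on the
# annotation alone.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-fluent-bit-sidecar
  annotations:
    policies.kyverno.io/title: "Автовнедрение Fluent Bit sidecar"
    policies.kyverno.io/category: Logging
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Автоматически добавляет Fluent Bit sidecar контейнер ко всем подам
      с аннотацией logging.company.com/enabled: "true".
      Подход Opt-in: разработчик явно запрашивает injection.
      ЗАМЕНИТЕ образ registry.company.com на ваш внутренний реестр.
spec:
  rules:
    - name: inject-fluent-bit
      match:
        resources:
          kinds:
            - Pod
      preconditions:
        all:
          # Opt-in: only Pods carrying the explicit annotation.
          # The `|| ''` default makes a Pod with no such annotation (or no
          # annotations map at all) evaluate to '' and fail the Equals check,
          # instead of depending on how the engine treats an unresolved
          # variable in a precondition.
          - key: "{{ request.object.metadata.annotations.\"logging.company.com/enabled\" || '' }}"
            operator: Equals
            value: "true"
          # Do not inject if the sidecar already exists (guards against
          # duplication, e.g. on re-admission of an already mutated Pod).
          - key: "fluent-bit"
            operator: NotIn
            value: "{{ request.object.spec.containers[].name }}"
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - name: fluent-bit
                # Replace with the internal registry. Consider pinning by
                # digest (image@sha256:<PLACEHOLDER>) so the injected sidecar
                # cannot change underneath the policy when the tag is moved.
                image: fluent/fluent-bit:2.1
                resources:
                  limits:
                    cpu: 100m
                    memory: 128Mi
                  requests:
                    cpu: 50m
                    memory: 64Mi
                volumeMounts:
                  # Node logs are mounted read-only; the sidecar never needs
                  # to write here.
                  - name: varlog
                    mountPath: /var/log
                    readOnly: true
                  - name: fluent-bit-config
                    mountPath: /fluent-bit/etc/
            volumes:
              - name: varlog
                hostPath:
                  path: /var/log
              # Presumably a ConfigMap named fluent-bit-config must be present
              # in each namespace where Pods opt in; otherwise the mutated Pod
              # will not start — confirm with the rollout procedure.
              - name: fluent-bit-config
                configMap:
                  name: fluent-bit-config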