# Cache of externally sourced data intended for Kyverno policies, so they can
# read it here instead of calling the external API on every admission request.
# The values below are only the initial seed: the update-policy-cache CronJob
# in this file rewrites `allowed-registries` and `last-updated` on each run,
# while `approved-storage-classes` is not touched by the CronJob.
apiVersion: v1
kind: ConfigMap
metadata:
  name: external-data-cache
  namespace: kyverno
  labels:
    app: kyverno-config
data:
  # Allowed image registries, one per line (refreshed by the CronJob)
  allowed-registries: |
    registry.company.com
    gcr.io/company-project
    public.ecr.aws/company
  # Approved StorageClass names, one per line (maintained by hand)
  approved-storage-classes: |
    standard-ssd
    premium-ssd
    backup-hdd
  # Timestamp of the last refresh (written by the CronJob)
  last-updated: "2024-01-01T00:00:00Z"
---
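# Periodically refreshes the external-data-cache ConfigMap so policies in the
# kyverno namespace read current data from the cache instead of calling the
# external API on every request. Only `allowed-registries` and `last-updated`
# are rewritten; `approved-storage-classes` is left untouched.
#
# Whatever this job writes becomes policy input (an allow-list), so the
# external API response is a trust boundary: validate it before patching.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: update-policy-cache
  namespace: kyverno
  annotations:
    description: >-
      Обновляет ConfigMap external-data-cache данными из внешних API.
      Позволяет политикам использовать актуальные данные без прямых apiCall
      к внешним сервисам на каждый запрос.
spec:
  schedule: "*/10 * * * *"  # every 10 minutes
  # Forbid means a run that never finishes blocks every following run, so
  # each run is bounded by activeDeadlineSeconds below.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      # Kill a run that hangs (for example on the external API) well before
      # the next schedule tick.
      activeDeadlineSeconds: 300
      template:
        spec:
          serviceAccountName: policy-cache-updater
          restartPolicy: OnFailure
          securityContext:
            # bitnami images run as a non-root user by default; if the image
            # is swapped, set runAsUser explicitly rather than dropping this.
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: cache-updater
              # TODO: pin to an immutable digest (bitnami/kubectl@sha256:<DIGEST>);
              # a mutable tag lets the image change underneath a job that holds
              # patch rights on policy input data.
              image: bitnami/kubectl:1.28
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
              env:
                - name: EXTERNAL_API_URL
                  value: "https://api.company.com/v1"
                - name: CONFIGMAP_NAME
                  value: "external-data-cache"
                - name: NAMESPACE
                  value: "kyverno"
              command:
                - /bin/bash
                - -c
                - |
                  set -euo pipefail

                  echo "Fetching allowed registries from external API..."
                  # Placeholder: replace with a request to "${EXTERNAL_API_URL}"
                  # that prints one registry per line. Check the HTTP status
                  # and that the body is non-empty before using the result.
                  REGISTRIES=$(printf '%s\n' "registry.company.com" "gcr.io/company-project")

                  if [ -z "${REGISTRIES}" ]; then
                    echo "No registries returned; leaving cache unchanged" >&2
                    exit 1
                  fi

                  # The value spans several lines, and a raw newline is not
                  # valid inside a JSON string, so escape each one as \n
                  # before embedding the value in the merge patch. A trailing
                  # \n keeps the value in the same shape as the seeded block
                  # scalar in the ConfigMap.
                  REGISTRIES_JSON=${REGISTRIES//$'\n'/\\n}
                  LAST_UPDATED=$(date -u +%Y-%m-%dT%H:%M:%SZ)

                  echo "Updating ConfigMap..."
                  kubectl patch configmap "${CONFIGMAP_NAME}" \
                    -n "${NAMESPACE}" \
                    --type merge \
                    -p "{\"data\":{\"allowed-registries\":\"${REGISTRIES_JSON}\\n\",\"last-updated\":\"${LAST_UPDATED}\"}}"

                  echo "Cache updated successfully"
              resources:
                # Requests stated explicitly (they previously defaulted to
                # the limits) so scheduling intent is visible.
                requests:
                  cpu: 100m
                  memory: 64Mi
                limits:
                  cpu: 100m
                  memory: 64Mi
---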
# Identity the update-policy-cache CronJob pods run as. It carries no
# permissions of its own; everything comes from the configmap-updater Role
# through the RoleBinding in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: policy-cache-updater
  namespace: kyverno
---
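# Least-privilege role for the cache updater: it may read and patch the single
# ConfigMap named in resourceNames and nothing else in the namespace.
# Only `get` and `patch` are granted because the CronJob script uses
# `kubectl patch`, which reads the object and then sends a merge patch.
# Add `update` back only if a consumer actually does a full replace; do not
# widen to list/create/delete or wildcard verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-updater
  namespace: kyverno
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["external-data-cache"]
    verbs: ["get", "patch"]
---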
# Binds the namespaced configmap-updater Role to the CronJob's ServiceAccount.
# Using a Role (not a ClusterRole) keeps the grant inside the kyverno
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: policy-cache-updater
  namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-updater
subjects:
  - kind: ServiceAccount
    name: policy-cache-updater
    namespace: kyverno