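---
apiVersion: v1
kind: ConfigMap
metadata:
  name: external-data-cache
  namespace: kyverno
  labels:
    app: kyverno-config
data:
  # Allowed image registries, one per line (refreshed by the update-policy-cache CronJob).
  # `|-` rather than `|`: with `|` the value ends in "\n", so a policy that splits on
  # newlines would see an empty last element, which a prefix-match could treat as
  # "match anything". `|-` also matches what the refresh job writes (no trailing newline).
  allowed-registries: |-
    registry.company.com
    gcr.io/company-project
    public.ecr.aws/company
  # Approved StorageClass names, one per line (same trailing-newline reasoning as above).
  approved-storage-classes: |-
    standard-ssd
    premium-ssd
    backup-hdd
  # Time of the last refresh (written by the CronJob); quoted so YAML keeps it a string.
  last-updated: "2024-01-01T00:00:00Z"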
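---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: update-policy-cache
  namespace: kyverno
  annotations:
    description: >-
      Обновляет ConfigMap external-data-cache данными из внешних API.
      Позволяет политикам использовать актуальные данные без прямых apiCall
      к внешним сервисам на каждый запрос.
spec:
  schedule: "*/10 * * * *"  # every 10 minutes
  # Never run two refreshes at once: a slow fetch must not race a newer one.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      # Bound a stuck fetch so a hung external API cannot pile up pods.
      activeDeadlineSeconds: 300
      backoffLimit: 2
      template:
        spec:
          serviceAccountName: policy-cache-updater
          # kubectl below authenticates with this ServiceAccount's token, so it must be mounted.
          automountServiceAccountToken: true
          restartPolicy: OnFailure
          securityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          volumes:
            # Scratch space for the fetched list and the generated patch; the root
            # filesystem is mounted read-only below.
            - name: work
              emptyDir: {}
          containers:
            - name: cache-updater
              # NOTE(review): pin this to a digest (image@sha256:...) and mirror it into one of
              # the registries listed in external-data-cache — docker.io is not on that list,
              # so a registry policy built from it would presumably reject this pod.
              image: bitnami/kubectl:1.28
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
              volumeMounts:
                - name: work
                  mountPath: /tmp
              env:
                - name: EXTERNAL_API_URL
                  value: "https://api.company.com/v1"
                - name: CONFIGMAP_NAME
                  value: "external-data-cache"
                - name: NAMESPACE
                  value: "kyverno"
                # kubectl's discovery cache needs a writable directory under a read-only rootfs.
                - name: KUBECACHEDIR
                  value: "/tmp/.kube/cache"
              command:
                - /bin/bash
                - -c
                - |
                  set -euo pipefail

                  WORKDIR="$(mktemp -d)"
                  trap 'rm -rf "${WORKDIR}"' EXIT

                  echo "Fetching allowed registries from external API..."
                  # Placeholder data. In production replace with a fetch from the API, e.g.
                  #   curl -fsS --max-time 30 "${EXTERNAL_API_URL}/allowed-registries" \
                  #     > "${WORKDIR}/registries.raw"
                  # Whatever comes back is treated as untrusted input (validated below).
                  printf '%s\n' "registry.company.com" "gcr.io/company-project" \
                    > "${WORKDIR}/registries.raw"

                  # Normalise: drop CRs and blank lines.
                  sed -e 's/\r$//' -e '/^[[:space:]]*$/d' "${WORKDIR}/registries.raw" \
                    > "${WORKDIR}/registries.txt"

                  # Validate before touching the cache. This list feeds an admission
                  # allowlist, so only plain registry paths (host[:port][/path...]) are
                  # accepted; anything else (quotes, spaces, wildcards, JSON) aborts the
                  # run and the previous cache stays in place. Offending lines are not
                  # echoed, to keep attacker-controlled content out of the logs.
                  REGISTRY_RE='^[A-Za-z0-9][A-Za-z0-9.-]*(:[0-9]{1,5})?(/[A-Za-z0-9._-]+)*$'
                  if grep -Evq "${REGISTRY_RE}" "${WORKDIR}/registries.txt"; then
                    echo "ERROR: registry list contains an unexpected entry; cache not updated" >&2
                    exit 1
                  fi
                  # Refuse to overwrite the allowlist with nothing.
                  if [ ! -s "${WORKDIR}/registries.txt" ]; then
                    echo "ERROR: registry list is empty; cache not updated" >&2
                    exit 1
                  fi

                  echo "Updating ConfigMap..."
                  # Build the patch with kubectl itself: --from-literal does the JSON
                  # escaping. The previous version interpolated the list into a JSON
                  # string, which broke on the embedded newlines and, once fed from a real
                  # API, would have let the response inject arbitrary keys into the
                  # ConfigMap. The command substitution strips the trailing newline, so
                  # the stored value matches the |- block scalar in the manifest.
                  kubectl create configmap "${CONFIGMAP_NAME}" -n "${NAMESPACE}" \
                    --from-literal=allowed-registries="$(cat "${WORKDIR}/registries.txt")" \
                    --from-literal=last-updated="$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
                    --dry-run=client -o json > "${WORKDIR}/patch.json"
                  # JSON merge patch: only the two keys above change; other data keys
                  # (approved-storage-classes) are left untouched. The dry-run output
                  # carries metadata.creationTimestamp: null, which the API server
                  # restores from the stored object on update (system-managed field).
                  kubectl patch configmap "${CONFIGMAP_NAME}" -n "${NAMESPACE}" \
                    --type merge --patch-file "${WORKDIR}/patch.json"

                  echo "Cache updated successfully"
              resources:
                requests:
                  cpu: 100m
                  memory: 64Mi
                limits:
                  cpu: 100m
                  memory: 64Mi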
---
apiVersion: v1
kind: ServiceAccount
# Identity the update-policy-cache CronJob runs under. It carries no permissions of
# its own; the configmap-updater Role is attached through the RoleBinding below.
metadata:
  namespace: kyverno
  name: policy-cache-updater
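---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-updater
  namespace: kyverno
rules:
  # Least privilege: a single named ConfigMap and only the verbs `kubectl patch`
  # needs (a get to resolve the object, then patch). `update` was granted before
  # but is not used by the refresh script, so it is dropped. No create/list/watch,
  # so a compromised updater cannot read or write other ConfigMaps in the kyverno
  # namespace (which holds Kyverno's own configuration).
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["external-data-cache"]
    verbs: ["get", "patch"]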
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: kyverno
  name: policy-cache-updater
# Namespace-scoped binding (Role, not ClusterRole): the updater's rights end at
# the kyverno namespace.
subjects:
  - kind: ServiceAccount
    namespace: kyverno
    name: policy-cache-updater
roleRef:
  kind: Role
  name: configmap-updater
  apiGroup: rbac.authorization.k8s.io