61 lines
2.0 KiB
YAML
61 lines
2.0 KiB
YAML
apiVersion: kyverno.io/v1
|
||
kind: ClusterPolicy
|
||
metadata:
|
||
name: validate-deployment-operations
|
||
annotations:
|
||
policies.kyverno.io/title: "Разные проверки для CREATE и UPDATE"
|
||
policies.kyverno.io/category: Governance
|
||
policies.kyverno.io/severity: medium
|
||
policies.kyverno.io/subject: Deployment
|
||
policies.kyverno.io/description: >-
|
||
Демонстрирует паттерн: разные правила для CREATE и UPDATE операций.
|
||
При создании — обязательные лейблы app и team.
|
||
При обновлении — запрет смены образа на тег latest.
|
||
spec:
|
||
validationFailureAction: Enforce
|
||
background: false
|
||
rules:
|
||
- name: validate-on-create-only
|
||
match:
|
||
resources:
|
||
kinds:
|
||
- Deployment
|
||
preconditions:
|
||
any:
|
||
- key: "{{ request.operation }}"
|
||
operator: Equals
|
||
value: CREATE
|
||
validate:
|
||
message: >-
|
||
Новый Deployment '{{ request.object.metadata.name }}' должен иметь лейблы app и team.
|
||
pattern:
|
||
metadata:
|
||
labels:
|
||
app: "?*"
|
||
team: "?*"
|
||
|
||
- name: validate-image-on-update
|
||
match:
|
||
resources:
|
||
kinds:
|
||
- Deployment
|
||
preconditions:
|
||
all:
|
||
- key: "{{ request.operation }}"
|
||
operator: Equals
|
||
value: UPDATE
|
||
- key: "{{ request.object.spec.template.spec.containers[0].image }}"
|
||
operator: NotEquals
|
||
value: "{{ request.oldObject.spec.template.spec.containers[0].image }}"
|
||
validate:
|
||
message: >-
|
||
Образ изменён с '{{ request.oldObject.spec.template.spec.containers[0].image }}'
|
||
на '{{ request.object.spec.template.spec.containers[0].image }}'.
|
||
Запрещено использовать тег latest при обновлении образа.
|
||
deny:
|
||
conditions:
|
||
any:
|
||
- key: "{{ request.object.spec.template.spec.containers[0].image }}"
|
||
operator: EndsWith
|
||
value: ":latest"
|