
Sure!

Let's dive into some example Kyverno policies to give you a clearer picture
of how they are structured and what they can accomplish:

### 1. **Validation Policy:**

Imagine you want to ensure that all Pods in your cluster have memory limits set:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-memory-limits
spec:
  validationFailureAction: enforce
  rules:
    - name: check-memory-limit
      match:
        resources:
          kinds:
            - Pod
      validate:
        message: "A memory limit is required."
        pattern:
          spec:
            containers:
              - resources:
                  limits:
                    memory: "?*"   # wildcard: the key must exist and be non-empty
```

Here's a breakdown:
- We're defining a `ClusterPolicy`.
- The `validationFailureAction: enforce` means if the policy is violated, the
resource will be denied.
- The policy applies to `Pod` resources.
- The `validate` rule ensures that there's a `memory` limit defined for every
container in the Pod.

### 2. **Mutation Policy:**

Perhaps you want to automatically add a label to every Pod that gets created:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-pod-label
spec:
  rules:
    - name: add-label
      match:
        resources:
          kinds:
            - Pod
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              createdBy: "kyverno"   # merged into any labels the Pod already has
```

Here's a breakdown:
- We're defining a `ClusterPolicy`.
- This policy targets `Pod` resources.
- The `mutate` rule uses `patchStrategicMerge` to add a label `createdBy: kyverno`
to the Pod's metadata.

### 3. **Generation Policy:**

You might want to ensure that every Namespace that's created also gets a specific
RoleBinding:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-rolebinding
spec:
  rules:
    - name: create-rolebinding
      match:
        resources:
          kinds:
            - Namespace
      generate:
        apiVersion: rbac.authorization.k8s.io/v1   # Kyverno requires the API version of the generated resource
        kind: RoleBinding
        name: default-rolebinding
        namespace: "{{request.object.metadata.name}}"   # the Namespace that triggered the rule
        data:
          subjects:
            - kind: Group
              name: 'system:authenticated'
              apiGroup: rbac.authorization.k8s.io
          roleRef:
            kind: Role
            name: default-role
            apiGroup: rbac.authorization.k8s.io
```

Here's a breakdown:
- We're defining a `ClusterPolicy`.
- This policy activates when a `Namespace` is created.
- The `generate` rule creates a `RoleBinding` named `default-rolebinding` in the
newly created Namespace, linking it to a hypothetical `default-role` and granting
that role to the `system:authenticated` group.

These examples are simplistic but demonstrate the foundational concepts of Kyverno.
In real-world scenarios, you might create more complex policies that address
specific organizational needs.
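To make the admission flow concrete, here is an added Python sketch (not part of the original answer and not Kyverno's own code) that re-implements, in simplified form, the `?*` pattern check from policy 1 and the strategic merge from policy 2, then runs both against two constructed Pods; the `admit` function and the sample Pods are illustrative assumptions.

```python
import copy
import fnmatch

# Hypothetical, simplified evaluator (not Kyverno's code). Kyverno pattern
# wildcards: "*" matches any value (even empty), "?" matches one character,
# so "?*" means "present and non-empty". A missing key never matches.
def match_pattern(pattern, resource):
    """Return True when `resource` satisfies the Kyverno-style `pattern`."""
    if isinstance(pattern, dict):
        return isinstance(resource, dict) and all(
            k in resource and match_pattern(v, resource[k]) for k, v in pattern.items())
    if isinstance(pattern, list):
        # A list pattern means every element of the resource list must match
        # at least one pattern element; an empty resource list is a failure.
        return (isinstance(resource, list) and bool(resource)
                and all(any(match_pattern(p, r) for p in pattern) for r in resource))
    if isinstance(pattern, str):
        return fnmatch.fnmatchcase(str(resource), pattern)
    return pattern == resource

def strategic_merge(base, patch):
    """Simplified patchStrategicMerge: recursively merge dicts, overwrite scalars."""
    out = copy.deepcopy(base)
    for k, v in patch.items():
        if isinstance(v, dict) and isinstance(out.get(k), dict):
            out[k] = strategic_merge(out[k], v)
        else:
            out[k] = copy.deepcopy(v)
    return out

# The two rules from the policies above, expressed as Python dicts.
REQUIRE_MEMORY_LIMITS = {"spec": {"containers": [{"resources": {"limits": {"memory": "?*"}}}]}}
ADD_LABEL = {"metadata": {"labels": {"createdBy": "kyverno"}}}

def admit(pod):
    """Mutating webhooks run before validating ones, so mutate first, then validate."""
    mutated = strategic_merge(pod, ADD_LABEL)
    if not match_pattern(REQUIRE_MEMORY_LIMITS, mutated):
        return False, "A memory limit is required.", mutated
    return True, "", mutated

# Constructed sample Pods (not taken from the page).
GOOD_POD = {"kind": "Pod", "metadata": {"name": "web", "labels": {"app": "web"}},
            "spec": {"containers": [{"name": "web", "resources": {"limits": {"memory": "128Mi"}}}]}}
BAD_POD = {"kind": "Pod", "metadata": {"name": "batch"},  # no labels yet
           "spec": {"containers": [{"name": "a", "resources": {"limits": {"memory": "64Mi"}}},
                                   {"name": "b"}]}}  # second container has no limits

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        ok, msg, out = admit(pod)
        print(pod["metadata"]["name"], "allowed" if ok else f"denied: {msg}", out["metadata"]["labels"])
```

Note that the label is still added to the rejected Pod's mutated copy; in a real cluster the denial means the object is never persisted, label or not.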
