policy
This commit is contained in:
@@ -1,41 +0,0 @@
|
|||||||
apiVersion: kyverno.io/v1
|
|
||||||
kind: ClusterPolicy
|
|
||||||
metadata:
|
|
||||||
name: require-labels
|
|
||||||
annotations:
|
|
||||||
policies.kyverno.io/title: Require Labels
|
|
||||||
policies.kyverno.io/category: Best Practices
|
|
||||||
policies.kyverno.io/minversion: 1.6.0
|
|
||||||
policies.kyverno.io/severity: medium
|
|
||||||
policies.kyverno.io/subject: Pod, Label
|
|
||||||
policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
|
|
||||||
spec:
|
|
||||||
validationFailureAction: Audit
|
|
||||||
background: true
|
|
||||||
rules:
|
|
||||||
- name: check-for-labels
|
|
||||||
skipBackgroundRequests: true
|
|
||||||
exclude:
|
|
||||||
any:
|
|
||||||
- resources:
|
|
||||||
namespaces:
|
|
||||||
- kube-system
|
|
||||||
- istio-system
|
|
||||||
- argocd
|
|
||||||
- cert-manager
|
|
||||||
- monitoring
|
|
||||||
- secrets
|
|
||||||
- kyverno
|
|
||||||
- trivy-system
|
|
||||||
match:
|
|
||||||
any:
|
|
||||||
- resources:
|
|
||||||
kinds:
|
|
||||||
- Pod
|
|
||||||
validate:
|
|
||||||
message: The label `app.kubernetes.io/name` is required.
|
|
||||||
allowExistingViolations: true
|
|
||||||
pattern:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/name: "?*"
|
|
||||||
@@ -116,12 +116,12 @@ extraDeploy:
|
|||||||
metadata:
|
metadata:
|
||||||
name: keycloak-client-registrar
|
name: keycloak-client-registrar
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: [""]
|
- apiGroups: [ "" ]
|
||||||
resources: ["secrets"]
|
resources: [ "secrets" ]
|
||||||
verbs: ["get", "list", "create", "update", "patch"]
|
verbs: [ "get", "list", "create", "update", "patch" ]
|
||||||
- apiGroups: [""]
|
- apiGroups: [ "" ]
|
||||||
resources: ["namespaces"]
|
resources: [ "namespaces" ]
|
||||||
verbs: ["get", "list"]
|
verbs: [ "get", "list" ]
|
||||||
|
|
||||||
# -- ClusterRoleBinding for the registrar ServiceAccount
|
# -- ClusterRoleBinding for the registrar ServiceAccount
|
||||||
- apiVersion: rbac.authorization.k8s.io/v1
|
- apiVersion: rbac.authorization.k8s.io/v1
|
||||||
@@ -158,7 +158,7 @@ extraDeploy:
|
|||||||
containers:
|
containers:
|
||||||
- name: registrar
|
- name: registrar
|
||||||
image: alpine:3.20
|
image: alpine:3.20
|
||||||
command: ["/bin/sh", "-c"]
|
command: [ "/bin/sh", "-c" ]
|
||||||
args:
|
args:
|
||||||
- |
|
- |
|
||||||
set -e
|
set -e
|
||||||
|
|||||||
Reference in New Issue
Block a user